REN-ISAC Update

REN-ISAC Update Doug Pearson, REN-ISAC Technical Director DICE 12 February 2008 Athens, Greece 1


Transcript of REN-ISAC Update

Page 1: REN-ISAC Update

REN-ISAC Update

Doug Pearson, REN-ISAC Technical Director

DICE, 12 February 2008, Athens, Greece


Page 2: REN-ISAC Update

REN-ISAC

The goal of the REN-ISAC is to aid and promote cyber security protection and response within the higher education and research (R&E) communities, through:

• the sharing of actionable information within a private trust community,
• the provision of other direct security services, and
• serving as the R&E trusted partner within the formal ISAC community.


Page 3: REN-ISAC Update

Cooperative Effort

• Direct and in-kind funding
– IU (host organization), LSU, Internet2, EDUCAUSE

• Executive Advisory Group
– IU, LSU, Oakland U, Reed College, U Mass, UMBC, U Montana, Internet2, and EDUCAUSE

• Technical Advisory Group
– Cornell, IU, Neustar, MOREnet, Team Cymru, UC Berkeley, U Mass, U Minn, U Oregon, and WPI

• Microsoft Analysis Team
– Colorado, IU, NYU, UIUC

• Major contributors
– Buffalo, Brandeis, and WPI (systems), MOREnet (TechBursts)

• And the MEMBERS!

Page 4: REN-ISAC Update

Membership (the old, and still current plan)

• Membership is open and free to:
– institutions of higher education,
– teaching hospitals,
– research and education network providers, and
– government-funded research organizations.

• Membership guidelines are roughly:
– must have organization-wide responsibilities for cyber security protection and response,
– must be permanent staff, and
– must be vouched for (trust) by 2 existing members.

• Membership includes:
– International participation: currently 8 .ca and 2 .nz
– Large .gov-sponsored experiments

• http://www.ren-isac.net/membership.html

Page 5: REN-ISAC Update

Membership

[Chart: membership growth over time, plotted as People and as Orgs.]

Page 6: REN-ISAC Update

In the works:

• Revised membership model
– The 2-vouch trust community is difficult to scale to reach all of R&E.
– For sharing the most sensitive information, we need the strong community trust that vouching (personal knowledge) brings.
– Solution: tiered membership with general and X(extra)-Sec members; a General member is appointed by the CIO, an XSec member is 2-vouched.
– Information sharing policies and guidelines will be structured to work with the tiered model: a certain level of information sharing (benefit) among the general membership, and extended sharing in XSec.

• Business Plan
– Formalized organizational framework
– Long-term sustainability
– Growth
– Fee-based membership


Page 7: REN-ISAC Update

Information Resources

• REN-ISAC members
• Direct reconnaissance
• Information sharing relationships
• Other sector ISACs
• Global Research NOC at IU
• Vendor relationships
• Network instrumentation and sensors
– Internet2 Abilene network backbone netflow
• Arbor Peakflow SP for DDoS discovery
– REN-ISAC darknet
– Shared Darknet Project
– Global NOC operational monitoring


Page 8: REN-ISAC Update

Information Products

• Daily Weather Report provides situational awareness.

• Alerts provide critical and timely information concerning new or increasing threats.

• Notifications identify specific sources and targets of an active threat or incident involving member networks.

• Data Feeds provide specific identifying information regarding known active sources of threat.

• Advisories inform regarding specific practices or approaches that can improve security posture.

• TechBurst webcasts provide instruction on technical topics relevant to security protection and response.

• Monitoring views provide aggregate information for situational awareness.


Page 9: REN-ISAC Update

Compromised System Notifications to .edu

[Chart: notification counts over time, plotted as Unique R&E Institutions, Botnet Command and Control Hosts, and Infected Hosts]

Page 10: REN-ISAC Update

.EDU Storm Worm Daily Notifications from REN-ISAC

Beginning Feb 21, REN-ISAC has been a source of ongoing intelligence regarding compromised systems operating in the Storm Worm botnet. REN-ISAC sends daily notifications identifying the compromised machines to security contacts at the machine-owning organization.

Page 11: REN-ISAC Update

.EDU Storm Worm Daily Notifications from REN-ISAC

[Chart annotation: start of the concerted and successful e-card spamming method.]

Page 12: REN-ISAC Update

.EDU Storm Worm Daily Notifications from REN-ISAC

[Chart annotation: notifications quickly and dramatically blunted the severity of Storm infection in .EDU.]

Page 13: REN-ISAC Update

.EDU Storm Worm Daily Notifications from REN-ISAC

[Chart annotation: the Microsoft MSRT (Malicious Software Removal Tool) addresses Storm, 9/11.]

Page 14: REN-ISAC Update

.EDU Storm Worm Daily Notifications from REN-ISAC

Throughout July and August, using the Internet2 Arbor Networks Peakflow system, REN-ISAC detected and responded to roughly a dozen Storm Worm DDoS attacks transiting the Internet2 network. On Sept 9, REN-ISAC issued an Alert to the R&E community, “Storm Worm DDoS Threat to the EDU Sector”.

Page 15: REN-ISAC Update

Projects in Cooperation with Internet2 CSI2

• CSI2 Shared Darknet Project
– Information from dispersed, member-based darknet sensors is combined into a single community resource. It provides notifications of observed scanning sources and reports of aggregate port scanning statistics, with a more complete view of IPv4-based scanning activity than a single, standalone darknet provides. Working in cooperation with the Internet2 SALSA CSI2 effort.

• CSI2 RENOIR
– The Research and Education Networking Operational Incident Repository provides trust community-based sharing of incident information. Working in cooperation with the Internet2 SALSA CSI2 effort.
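An added illustration of the aggregation idea behind the Shared Darknet Project (this is example code, not REN-ISAC's or CSI2's own software): records from several member darknet sensors are merged, scanning sources are ranked by how many independent sensors observed them, and per-port statistics are produced for the community. The sensor records below are constructed, and the record format, sensor names and corroboration threshold are assumptions.

```python
from collections import defaultdict

# Constructed darknet observations from three member sensors. Assumed record
# format: (sensor name, source IP, destination port). Real sensors would feed
# netflow or packet captures; the aggregation logic is the same.
OBSERVATIONS = [
    ("sensor-a", "192.0.2.10", 22),
    ("sensor-a", "192.0.2.10", 445),
    ("sensor-b", "192.0.2.10", 445),
    ("sensor-c", "192.0.2.10", 445),
    ("sensor-a", "198.51.100.7", 1433),
    ("sensor-b", "198.51.100.7", 1433),
    ("sensor-c", "203.0.113.5", 3389),
    ("sensor-a", "203.0.113.5", 3389),
    ("sensor-a", "203.0.113.5", 3389),   # repeat probe from the same sensor
    ("sensor-b", "198.51.100.99", 22),   # seen by one darknet only
]

def aggregate(observations):
    """Merge per-sensor records into community-wide index structures."""
    sensors_by_source = defaultdict(set)   # src -> sensors that saw it
    ports_by_source = defaultdict(set)     # src -> destination ports probed
    sources_by_port = defaultdict(set)     # port -> unique scanning sources
    for sensor, src, port in observations:
        sensors_by_source[src].add(sensor)
        ports_by_source[src].add(port)
        sources_by_port[port].add(src)
    return sensors_by_source, ports_by_source, sources_by_port

def scanning_sources(observations, min_sensors=2):
    """Sources corroborated by at least min_sensors independent darknets.
    One darknet covers one netblock; hits across several indicate broad
    scanning rather than a misdirected packet, so these are the candidates
    for a community notification."""
    sensors_by_source, ports_by_source, _ = aggregate(observations)
    hits = [(src, len(seen), sorted(ports_by_source[src]))
            for src, seen in sensors_by_source.items() if len(seen) >= min_sensors]
    return sorted(hits, key=lambda h: (-h[1], h[0]))   # most widely seen first

def port_statistics(observations):
    """Aggregate port-scanning statistics: unique sources per destination port."""
    _, _, sources_by_port = aggregate(observations)
    return sorted(((port, len(srcs)) for port, srcs in sources_by_port.items()),
                  key=lambda p: (-p[1], p[0]))

if __name__ == "__main__":
    for src, n, ports in scanning_sources(OBSERVATIONS):
        print(f"{src}: seen by {n} sensors, ports {ports}")
    for port, n in port_statistics(OBSERVATIONS):
        print(f"port {port}: {n} unique sources")
```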


Page 16: REN-ISAC Update

Projects, and Opportunities for Collaboration

• Relationships and information sharing
– Linkage to NREN security teams and CSIRTs
– Arbor Fingerprint Sharing

• Projects
– PDNS
– Scanning Service
– Shared Darknet
– Incident Information Sharing System (RENOIR)
– DNS infrastructure monitoring
– Federated Model (ANL, et al.)

• http://www.anl.gov/it/Cyber_Security/Federations_for_Cyber_Defense/index.html

• Very interested to learn what others are doing with regard to IPv6

• Also interested in L2 infrastructure security services

Page 17: REN-ISAC Update

Projects, and Opportunities for Collaboration

• REN-ISAC staff at upcoming meetings
– 20-21 Feb, X
– 28-29 Feb, ISOI IV
– 21-23 Apr, Internet2 Spring Meeting
– 4-6 May, EDUCAUSE Security Professionals Conference
– 6 May, REN-ISAC Annual Member Meeting

Page 18: REN-ISAC Update

Priorities for the Coming Year

• Not in order
– Membership growth
– Implement the revised Membership Model
– Business plan
– Facilitate various forms of member involvement and contribution
– Develop additional and strengthen existing information sharing relationships, including the REN-ISAC and Microsoft SCPe
– Assessment of current services and member needs
– Cyber Security Registry
– Various tool and service projects

Page 19: REN-ISAC Update

Contacts

http://www.ren-isac.net

24x7 Watch Desk: [email protected], +1 (317) 274-6630

Doug Pearson, Technical Director: [email protected]