Crowd-sourcing CyberSecurity through the REN-ISAC Community
Chris O’Donnell
REN-ISAC Background
MISSION
● Overall – serve the Research and Higher Education space and promote operational security
● CSIRT role
● Operate a trusted community
● Work with other ISACs and other external parties
FACTS AND FIGURES
▪ Hosted at Indiana University
▪ Board of Directors
▪ Advisory groups
▪ Ad hoc special interest groups and projects
▪ Over 500 member institutions and over 1600 member representatives
Threat Landscape
INFOSEC IS #1 IT ISSUE IN HIGHER ED, 2016* AND AGAIN IN 2017*
* Educause Top 10 IT Issues 2016 and 2017
THREAT TRENDS
§ Motive?
§ The threat actor is external to the organization
§ Time to compromise is < one hour
§ Time to discover that a breach occurred is > one day
[Bar chart: DATA BREACHES IN HIGHER EDUCATION, annual counts for 2005 through 2016. Source: Privacy Rights Clearinghouse]
WHERE IS EDUCATION ON THE LIST?
SENSITIVE DATA BREACHES
RANSOMWARE
RECENT SURVEY RESULTS
What Are You Doing to Mitigate the Risk of Ransomware? (N=27)

  Increasing employee education and awareness efforts ................ 19 (70%)
  Tightening spam filters on email systems ........................... 11 (41%)
  Reminding system administrators to verify/test backups, check schedules  9 (33%)
  Updating institutional policies / standards ........................  2 (7%)
  Accelerating the institution's move to cloud storage ...............  1 (4%)
MOBILE
§ Mobile use is increasing
§ Lots of older unpatched OSes
§ 3rd-party app stores
§ Malicious apps on primary app stores
INSIDER THREAT
PHISHING
§ Primary attack vector for online crime
§ Spear-phishing / Whaling
RECENT SURVEY RESULTS
DENIAL OF SERVICE ATTACKS
§ Amplification via vulnerable protocols, e.g. NTP
§ Increasing use of Internet-connected devices (IoT)
DENIAL OF SERVICE ATTACKS
COMPROMISED CREDENTIALS
Crowdsourcing Cybersecurity Through the REN-ISAC Community
RELATIONSHIPS
§ Sector ISAC
§ Members
§ 3rd Parties
CONCERNS
How do we help?
CSIRT for EDU Space
SOC ACTIVITY – MOSTLY AUTOMATED
REN-ISAC CSIRT Activity, YTD 2016

Notifications                      Q1         Q2         Q3         Q4
Compromised machines           23,943     16,911     13,589     12,661
Compromised credentials        13,162  1,037,881      5,094  1,141,653
Spam or Phish                     117         86        111      1,995
Vulnerable machines                 1         39          2         11
Open recursive DNS resolvers      793        713        607        655
Open mail relays                   52         25         37         34
Other                               1          3          5          1
Totals                         38,069  1,055,658     19,445  1,157,010
SOC ACTIVITY – MANUAL
REN-ISAC SOC Activity, YTD 2016

Notifications                      Q1         Q2         Q3         Q4
Notification Questions            429        626        278        194
Password resets                   105        100         75         60
Notifications                      51         21         50         38
Other                             177        627        477        371
Totals                            762      1,374        880        663

Non-interactive tickets         2,060      2,611      3,302      3,026
SHARING INTEL
ALERTS, ADVISORIES, AND REPORTS
§ Advisories on various threats
§ Daily Watch
COMMUNITY SHARING
§ Community of trusted cybersecurity staff at R&E member institutions
§ Confidentiality, Integrity and Availability
§ Sharing actionable intel for operational protection and response
CIF/SES AUTOMATED THREAT INTELLIGENCE
PASSIVE DNS – WHAT?
[Diagram, built up over seven slides. Boxes: "My University" (client, "visit www.my.edu"), "My University authoritative DNS server", "recursive caching DNS server", "Global DNS", "example.com's authoritative DNS server", "Global Internet" and the target "www.example.com". Steps shown in order: (1) request to resolve www.example.com goes to the recursive caching DNS server; (2) the recursive server asks Global DNS "where is the DNS server authoritative for example.com?"; (3) response; (4) query to example.com's authoritative DNS server; (5) response; (6) response returned to the client; (7) "Whee!" as the client reaches www.example.com across the Global Internet.]
PASSIVE DNS – WHY?
EDUCATION
▪ Techbursts
▪ Wikis
FUTURE (NOW) THREAT VECTORS
▪ Automated Access Controls
▪ Industrial Control Systems
▪ Internet of Things
Wrap up
QUESTIONS?
REN-ISAC http://ren-isac.net soc@ren-isac.net (317) 274-7228