
Proposal for a new model for information sharing between CSIRTs



  1. Proposal for a new model for information sharing between CSIRTs. Ir. David Durvaux, Security Analyst; Christian Van Heurck, Coordinator. 24th annual FIRST conference, Malta, 17-22 June 2012

  2. “Knowledge is power. Knowledge shared is power multiplied.” Robert Noyce

  3. About CERT.be and us: CERT.be, the federal cyber emergency team, a service of Fedict operated by Belnet

  4. Agenda
      1 Current situation
      2 Proposal for a new model for sharing
      3 New issues
      4 Sharing time = Q & A

  5. Propagation time
      • Internet delay: milliseconds

  6. Propagation time: milliseconds (diagram label: Internet)

  7. Propagation time: (diagram label: Internet)

  8. Propagation time: back to milliseconds (diagram label: Internet)

  9. Propagation time: back to seconds. We need to SHARE more efficiently!

  10. 1 Current situation

  11. Information overflow
      • Numerous valuable sources
        • remote
        • local
        • near real-time
      • Processing all the data
        • how: scripting?
        • what to treat?

  12. Lack of large-scale overview

  13. Contact point issues Whom

  14. Criminals are organised and DO share

  15. CSIRTs are like islands

  16. Legal issues
      • Allowed?
      • What?
      • With whom?
      • How?

  17. Political issues

  18. Technical issues

  19. 2 Proposal for a new model for sharing

  20. Connecting our islands efficiently

  21. Creating archipelagoes
      • European Union .eu
      • 27 countries already sharing
      • Why not on incidents?

  22. Creating archipelagoes
      • Benelux .be .nl .lu
      • 3 countries sharing since 1944
      • EU sub archipelago

  23. Creating archipelagoes
      • Belgium .be
      • CERT.be proxy
      • Febelfin
      • Sectorial CSIRTs
      • ISPs
      • Law Enforcement

  24. Seeds for archipelagoes
      • Geo-political decisions / history
      • Existing organizations
        • FIRST
        • TF-CSIRT
        • ENISA
        • National / governmental CSIRTs
      • Fighting a common issue
        • DCWG.org
      • Anything that pushes countries to collaborate!
      • Requires TRUST!

  25. Decision tree [diagram: an Event passes through the yes/no questions "Political Support?", "Legal?", "Need to Know?" and "Too Sensitive?", ending in "Don't Share", "Filter" or "Share"]

  26. Routing model: top-down. Event → Archipelago → Sub Archipelago → Sub Sub Archipelago → Concerned Constituent

  27. Security is no longer an island! [diagram: Island E and Island F form Archipelago EF; Island A, Island B and Island C form Archipelago ABC; also shown: Island N, Island Z]

  28. How can we share? [diagram: Island A, Island B and Island C, with the labels "Jabber S2S Only" and "events"]

  29. What can we share?
      • Events
        – IPs (src & dst)
        – Ports
        – Protocols
      • URLs
      • Binaries and/or hashes of
        • malware
        • suspicious files
      • Information on domains, IPs, ASs
        • owner
        • history (passive DNS)
      • Binary answer to a question (yes/no)
        • have you seen that IP before?
      • Contacts

  30. Tools already exist … for years!
      • Phone
      • mail
      • chat
      • FTP
      • scripts
      • AbuseHelper
      • Megatron
      • fordrop

  31. AbuseHelper: the collaborative agents [diagram labels: Notification, Parser, Agent, Storage, Experts, Reporting]

  32. Megatron: the central vacuum cleaner

  33. fordrop: human collaboration

  34. 3 New issues

  35. Correlated events: rating & feedback [diagram labels: Source A, Source B, Event A, Event B, Processing A, Correlated Events, Concerned Constituent]

  36. 4 Conclusion

  37. You can share too. Please SHARE and help us do that EFFICIENTLY

  38. You are in good company CERT .is

  39. Sharing time! david@cert.be christian@cert.be
