Information Sharing Use Cases

Size: px

Start display at page:

Download "Information Sharing Use Cases"

Lesley Sanders
8 years ago
Views:

1 Information Sharing Use Cases Effective Information Sharing: Lessons learned from Operator Experience Kathleen M. Moriarty Global Lead Security Architect EMC Office of CTO 1

2 What s New Text Is Title Case Title Case Is The Capitalization Of Each Word This New Font, Verdana, Is Wider Than The Meta Font Be Aware When Converting Older Presentations The Text May Need To Be Downsized To Fit A Certain Area Verdana Is Standard on PCs and MACs No Special Font Downloads Needed 2

Converting Older Presentations The Text May Need To Be Downsized To Fit A

3 Agenda Continued Problem areas What happens today? Redefining Information Sharing Use cases Who is sharing? What do people share today? What is useful to share? 3

Enterprise Specific Incident data Forensic Incident Response

5 What is happening today? Intelligence Feeds & Information Sharing Informatio n Enterprise Specific Incident data Forensic Incident Response Threat Intel Proprietary Organization Indicators Informatio n Copyright 2013 EMC Corporation. All rights 5

6 Redefining Information Sharing While information sharing has been helpful, I believe we can make much faster progress if we redefine sharing to: A scalable ecosystem for Intelligence Sharing that extends current industry models to leverage existing trusted relationships with vendors and internet service providers so that mitigations controls can be deployed more quickly, broadly and effectively. * Model described in soon-to-be released RSA Whitepaper Copyright 2013 EMC Corporation. All rights 6

trusted relationships with vendors and internet service providers so that mitigations controls can be deployed more quickly,

7 Who is Sharing Data? What is Useful? Small & Medium Organizations Deploying security technologies with expectation of threat mitigation Hidden from user Proprietary Standards Increasing Impact Potential! Large Organizations Deploying security technologies with expectation of threat mitigation Participating in multiple sharing groups Receiving multiple threat intelligence feeds Hidden & Exposed to User Proprietary Ex. IODEF/RID Extensions Analysis Center Analysis for industry focused or other sharing groups National CSIRTs providing information to government, critical infrastructure, etc. Internet Service Providers performing analysis, eliminating/mitigating threats Problem specific analysis groups targeting focused threats (analysis & mitigation) Use case/user group specific Evolved IODEF/RID by problem ARF ecrime owner, may OpenIOC include Malware multiple complimentary STIX schemas Extensions Etc. or ones specific to the problem. 7

Large Organizations Deploying security technologies with expectation of threat mitigation Participating in multiple sharing groups Receiving multiple threat intelligence feeds Hidden & Exposed to

8 Telecommunication Management Forum (TM Forum): Sharing Threat Intelligence to Mitigate Cyber Attacks * TM Forum white paper & threat sharing catalyst using IETF MILE standards, EMC/RSA RID Agent: 8

sharing catalyst using IETF MILE standards, EMC/RSA RID Agent:

Members: Financial sector, vendors, law enforcement, etc.

9 APWG Use Cases Anti-phishing & ecrime APWG hosted clearinghouse of Cybercrime data Formats: RFC5070 (IODEF) + RFC5901 (Anti-phishing ext.) + ecrime ext. Members: Financial sector, vendors, law enforcement, etc. Report Phishing & ecrime APWG Browser Vendor members Members addressing CyberCrime Pervasive deployment of Block Lists Similar model using IODEF for ACDC Botnet work planned 9

10 Abuse Reporting Format (ARF) Murray Kucherawy

11 Summary An -based report structure using the multipart/report media type Developed among ISPs that wanted to exchange abuse reports from users (i.e., spam complaints) Brought to IETF for standardization some time after it was already in use by AOL, Yahoo, etc. Published as RFC5965, with some extensions and use guides (e.g., RFC6449) later

complaints) Brought to IETF for standardization some time after it was already in use

12 Mechanism Participants sign up for feedback loops out-ofband, usually by a web form and an agreement Registers an agent as willing to accept abuse reports for a given domain or network block The agent is confirmed by the feedback provider Abuse associated with that source will be reported to the registered agent by

a given domain or network block The agent is confirmed by the feedback provider

13 Reporting Abuse complaints (e.g., spam reports, virus detection) from users automatically generate ARF messages to the registered responsible agent Agent can handle them manually or set up automated processing into ticketing or alerting/reporting systems

14 Structure Similar to a standard MIME-formatted bounce Consists of: a. A text part for humans to read b. A machine-parseable part containing parameters that describe the important parts of the reported message and envelope c. A part that contains the original message, or at least its header

A machine-parseable part containing parameters that describe the

15 Example From: Date: Thu, 8 Mar :40:36 EDT Subject: FW: Earn money To: abuse@example.net MIME-Version: 1.0 Content-Type: multipart/report; report-type=feedback-report; boundary="part1_13d.2e68ed54_boundary --part1_13d.2e68ed54_boundary Content-Type: text/plain; charset="us-ascii Content-Transfer-Encoding: 7bit This is an abuse report for an message received from IP on Thu, 8 Mar :00:00 EDT. For more information about this format please see --part1_13d.2e68ed54_boundary Content-Type: message/feedback-report Feedback-Type: abuse User-Agent: SomeGenerator/1.0 Version: 0.1 Original-Mail-From: somespammer@example.net Original-Rcpt-To: user@example.com Received-Date: Thu, 8 Mar :00:00 EDT Source-IP: Authentication-Results: mail.example.com smtp.mail=somespammer@example.com; spf=fail Reported-Domain: example.net Reported-Uri: Reported-Uri: mailto:user@example.com Removal-Recipient: user@example.com --part1_13d.2e68ed54_boundary Content-Type: message/rfc822 Content-Disposition: inline <original message here, omitted for brevity> --part1_13d.2e68ed54_boundary

2e68ed54_boundary Content-Type: text/plain; charset="us-ascii Content-Transfer-Encoding: 7bit This is an email abuse report for an email message received from IP 10.67.41.

16 Collective Intelligence Framework (CIF) Ren-ISAC

17 Collective Intelligence Framework (CIF) From:

18 Multinational Alliance for Collaborative Cyber Situational Awareness (MACCSA) Patrick Curry, BBFA

19 MNE7 Access to the Global Commons of Cyber Space Collaborative Cyber Situational Awareness (CCSA) Expanding to 30+ nations mil, ind & gov Multinational Alliance CCSA organisation being developed May EU, Brussels

Expanding to 30+ nations mil, ind & gov Multinational

Collaborative Cyber Situational Awareness (CCSA) NATO ID Strategy, NATO Cyber Strategy, EU Cybersecurity Strategy Police, aerospace & defence, health implementations.

20 Collaborative Cyber Situational Awareness (CCSA) NATO ID Strategy, NATO Cyber Strategy, EU Cybersecurity Strategy Police, aerospace & defence, health implementations. ISO & ITU(T) standards IETF standard <> ENISA 3.2 Information Sharing Framework (ISF) 1 High Assurance Federated Trust 2 Critical Controls (Normality) 3 Incident Operations Taxonomy 4 Cyber SA Triage process 5 Prioritised communications US CERT & NCCIC Proprietary - British Business Federation Authority office@federatedbusiness.org 2

2 Information Sharing Framework (ISF) 1 High Assurance Federated Trust 2 Critical Controls (Normality) 3 Incident Operations

21 ISF Information Exchange Requirements for Taxonomy and Transport International standards Identity, Access Management, and Federation Trust assurance levels and control frameworks Taxonomy/Data exchange formats Transport protocols Hierarchical data formats, extensible and flexible Extensible to meet industry specific requirements Air Traffic Management, Defense, Telecom, Power Public or private extensions to meet specific use cases or to exchange data that is not commonly exchanged Ability to exchange accurate information, meeting the richness requirement for context on shared data 21

22 Lessons Learned from MNE7 LOE One size does not fit all Core cyber security exchanges can be met with international standards efforts Industry specific exchanges may require further development Extend the base data formats to accommodate working closely with the respective industry groups Develop over time, may need to use free form text to determine what data is most helpful to share Strategic level decisions and information sharing may be better suited to the Common Alerting Protocol (CAP) by OASIS and the ITU-T Like IODEF, hierarchical, flexible, and extensible data format 22

23 Improving Information Sharing! 23

24 Documenting Use Cases Please help document effective sharing examples! Let s build on and learn from successful examples. Write-up can be set to MILE directly IODEF Guidance document 24

25 Thank you! 25

Coordinating Attack Response at Internet Scale (CARIS)

Coordinating Attack Response at Internet Scale (CARIS) Overview and Summary Report July 2015 Kathleen Moriarty Security Area Director, IETF Kathleen.Moriarty.ietf@gmail.com Agenda Coordinating Attack Response