TRANSCRIPT
Session 1 Framework
• Security Threat
• Responsibility and Policy
• Architecture
• Response Flow
• Preparation
Three Key Threat Categories
• Reconnaissance: unauthorized discovery and mapping of systems, services, or vulnerabilities
• Access: unauthorized data manipulation, system access, or privilege escalation
• Denial of Service: disable or corrupt networks, systems, or services
How do these impact ISPs?
• Reconnaissance – Happens all the time. It is part of the “attack noise” of the Internet (along with low-level attacks and backscatter).
• Access – Break-ins on the edge of an ISP’s network (i.e. customer CPE equipment) can impact the ISP’s core.
• DOS – The core threat to an ISP – knocking out customers, infrastructure, and services.
Reconnaissance Methods
• Common commands and administrative utilities: nslookup, ping, netcat, telnet, finger, rpcinfo, File Explorer, srvinfo, dumpacl
• Public tools: sniffers, SATAN, SAINT, NMAP, custom scripts
Denial of Service Methods
• Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
• Software bugs: out-of-band data crash (Ping of Death), fragmentation…
• Toolkits: TRINOO, Tribal Flood Net and friends
• Distributed attacks for amplification
DoS type
• Resource overload: disk space, bandwidth, buffers, ... (ping floods, SYN flood, UDP bombs, ...)
• Out-of-band data crash: Ping of Death, ...
• Routing capacity: fill up packet buffers, queues, flow tables, and processing capabilities.
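As an added example (not code from the deck), the traffic patterns named on the reconnaissance and denial-of-service slides can be picked out of flow records on the defender's side: a port sweep (one source touching many host/port pairs), a SYN flood (many half-open connections piling up on one destination), and UDP amplification (a service whose replies are far larger than the requests it receives, meaning it is being used as a reflector). The flow-record layout, the thresholds and the sample records are all constructed for this example; addresses come from the RFC 5737 documentation ranges.

```python
"""Added example: flagging reconnaissance and DoS patterns in flow records.
Not from the original deck; record layout, thresholds and sample data are
assumptions constructed for illustration."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "tcp" or "udp"
    flags: str   # TCP flags seen: "S" = SYN only, "SA" = handshake completed, "" for UDP
    nbytes: int


# Assumed thresholds; a real deployment tunes these against its own baseline.
SCAN_DISTINCT_TARGETS = 20   # distinct (host, port) pairs one source may touch
SYN_FLOOD_HALF_OPEN = 50     # SYN-only flows tolerated per destination
AMPLIFICATION_RATIO = 10     # bytes out / bytes in before a UDP service looks like a reflector


def detect_scans(flows):
    """Reconnaissance: sources touching an unusually large number of host/port pairs."""
    targets = defaultdict(set)
    for f in flows:
        targets[f.src].add((f.dst, f.dport))
    return sorted(src for src, seen in targets.items() if len(seen) >= SCAN_DISTINCT_TARGETS)


def detect_syn_floods(flows):
    """Resource overload: destinations accumulating many SYN-only (never completed) flows."""
    half_open = defaultdict(int)
    for f in flows:
        if f.proto == "tcp" and f.flags == "S":
            half_open[f.dst] += 1
    return sorted(dst for dst, n in half_open.items() if n >= SYN_FLOOD_HALF_OPEN)


def detect_amplifiers(flows):
    """Amplification: UDP services (host, port) whose outbound bytes dwarf inbound bytes.
    A flagged service inside the ISP is being abused as a reflector against someone else."""
    bytes_in = defaultdict(int)
    bytes_out = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        bytes_in[(f.dst, f.dport)] += f.nbytes   # traffic arriving at the service
        bytes_out[(f.src, f.sport)] += f.nbytes  # traffic the service sends back
    return sorted(svc for svc, out in bytes_out.items()
                  if bytes_in.get(svc, 0) and out / bytes_in[svc] >= AMPLIFICATION_RATIO)


def constructed_flows():
    """Constructed sample records, not captured traffic."""
    flows = []
    # Port sweep: one source probing 25 ports on one host.
    for port in range(1, 26):
        flows.append(Flow("10.0.0.9", 40000 + port, "192.0.2.20", port, "tcp", "S", 60))
    # SYN flood: 60 sources each leaving one half-open connection to a web server.
    for i in range(60):
        flows.append(Flow(f"203.0.113.{i + 1}", 50000 + i, "192.0.2.10", 80, "tcp", "S", 60))
    # NTP amplification: 60-byte requests carrying the victim's address as source,
    # answered by 4800-byte replies from the reflector to the victim.
    for _ in range(5):
        flows.append(Flow("198.51.100.7", 12345, "192.0.2.30", 123, "udp", "", 60))
        flows.append(Flow("192.0.2.30", 123, "198.51.100.7", 12345, "udp", "", 4800))
    # An ordinary completed HTTPS connection that should trigger nothing.
    flows.append(Flow("203.0.113.200", 51000, "192.0.2.10", 443, "tcp", "SA", 5200))
    return flows


def summarize(flows):
    """Run all three detectors and return their findings by category."""
    return {"scans": detect_scans(flows),
            "syn_floods": detect_syn_floods(flows),
            "amplifiers": detect_amplifiers(flows)}


if __name__ == "__main__":
    for kind, hits in summarize(constructed_flows()).items():
        print(f"{kind}: {hits}")
```

Each detector keys on a different aggregate (distinct targets per source, SYN-only flows per destination, byte ratio per service), which is why the sample's 25-port sweep is reported as a scan but not as a SYN flood even though it also consists of SYN-only flows.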
DDOS Attack Characteristics
• DDOS arrays (handlers and agents) are maintenance intensive. They take time and effort to create.
• Launching attacks from an agent can be considered a one-shot weapon. Once the attack is launched, there is a risk of traceback. If someone traces back to the agent, they could watch and wait to see if the perpetrator returns to the agent.
Incident Response Team
A Computer Security Incident Response Team (CSIRT) is a team that performs, coordinates, and supports the response to security incidents that involve sites within a defined constituency.
ISP Security
ISPs need to:
• Protect themselves
• Help protect their customers from the Internet
• Protect the Internet from their customers
• At any given time there are between 20 to 40 DOS/DDOS attacks on the Net
Policy
• Avoid extensive damage to data, systems and networks due to not taking timely action to contain an intrusion
• Minimize the possibility of an intrusion affecting multiple systems both inside and outside an organization because staff did not know who to notify and what actions to take.
• Avoid negative exposure in the news media that can damage an organization’s public image and reputation.
• Avoid possible legal liability and prosecution for failure to exercise due care when systems are inadvertently or intentionally used to attack others.
Preparing to Respond
• Create an archive of original media, configuration files, and security-related patches for all router and host operating systems and application software versions
• Ensure that backup tools and procedures are working
• Create a database of contact information
• Select and install tools to use when responding to intrusions
Preparing to Respond (Cont.)
• Develop a plan and process to configure isolated test systems and networks when required
• Keep response plans, procedures and tools up to date
• Consider performing a practice drill to test tools and procedures
CERT Infrastructure
• Information Platform (Website)
• Tel, Mail
• Event Processing System
• Traffic Monitoring System
• Intrusion Detection System
Security System Architecture
(Architecture diagram; only the component labels are recoverable from the slide.)
• Infrastructure
• Identity Authentication
• Clock Synchronization
• Security Monitoring System
• Traffic Collection
• Traffic Analysis and Accounting
• Emergency Response Service System
• Information Issue System
• Event Cooperation
• Leak Scan
• Distributed IDS
• IP info
CCERT Framework
(Organization chart; only the node labels are recoverable from the slide.)
• CERNET Committee of Experts
• Center CCERT
• Regional CCERT
• CCERT Expert Team
• Campus CCERT
• R&D Secretariat
• Interprovincial CCERT
Response Flow
(Flow diagram; only the node labels are recoverable from the slide.)
• Helpdesk
• Investigation
• NOC
• Traffic analyzing and monitoring
• Signature-based IDS
• CERNET management, CNCERT/CC, other IRTs
• Users, administrators
• Tools, patches
• Attack signature
• Incident database
• Whois info, advisories
• Common event / important event
Components of Response
Analyze the event
Contain the incident
Eliminate intruder access
Restore operations
Update procedures based on lessons learned
Analyze Event
• What systems were used to gain access
• What systems were accessed by the intruder
• What information assets were available to those systems?
• What an intruder did after obtaining access
• What an intruder is currently doing
Contain the Intrusion
• Gain control of the systems involved
• Attempt to deny an intruder access to prevent further damage
• Monitor systems and networks for subsequent intruder access attempts
Eliminate Intruder Access
• Change all passwords on all systems accessed
• Restore system and application software and data, as needed
• What other systems might be vulnerable?
Restore Operations
• Validate the restored system
• Monitor systems and networks
• Notify users and management that systems are again operational
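The archive that the "Preparing to Respond" slides ask for (original media, configuration files, patches) only pays off at "Restore Operations" time if a responder can prove the restored system matches it. As an added example, not the deck's or CCERT's own tooling, the following keeps a SHA-256 manifest of the archived files and reports what differs on a restored system; the file names, contents and addresses are constructed placeholders.

```python
"""Added example: a known-good manifest of archived media, configuration files and
patches (the 'Preparing to Respond' archive) used to validate a restored system
(the 'Restore Operations' step). Not from the original deck; file names and
contents are constructed placeholders."""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(archive):
    """archive maps a path to its original bytes; returns path -> SHA-256 digest.
    The manifest is what you keep offline before any incident happens."""
    return {path: sha256_hex(content) for path, content in archive.items()}


def verify_against_manifest(manifest, current):
    """Compare a restored (or running) file set to the manifest.
    Returns sorted path lists under ok / modified / missing / unexpected."""
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for path, digest in manifest.items():
        if path not in current:
            report["missing"].append(path)
        elif sha256_hex(current[path]) != digest:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = [p for p in current if p not in manifest]
    for key in report:
        report[key].sort()
    return report


def restored_system_is_valid(report):
    """A restore only counts as validated when nothing deviates from the archive."""
    return not (report["modified"] or report["missing"] or report["unexpected"])


# Constructed archive contents (placeholders, not real configurations or images).
ARCHIVE = {
    "router1/startup-config": b"hostname router1\nntp server 192.0.2.1\nlogging host 192.0.2.50\n",
    "router1/ios-image.bin": b"\x00constructed-image-bytes\x00",
    "host1/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "host1/patches/example.patch": b"constructed patch contents\n",
}


def constructed_restored_files():
    """A restored router/host pair with three deviations a responder must notice:
    the router now syncs time from an unknown NTP server (clock integrity matters
    for log correlation), a security patch is missing, and an unknown file appeared."""
    restored = dict(ARCHIVE)
    restored["router1/startup-config"] = (
        b"hostname router1\nntp server 203.0.113.9\nlogging host 192.0.2.50\n")
    del restored["host1/patches/example.patch"]
    restored["host1/tmp/unknown.bin"] = b"constructed unexpected content"
    return restored


if __name__ == "__main__":
    manifest = build_manifest(ARCHIVE)
    report = verify_against_manifest(manifest, constructed_restored_files())
    for key, paths in report.items():
        print(f"{key}: {paths}")
    print("validated:", restored_system_is_valid(report))
```

The manifest must be built from the archived originals and stored away from the systems it describes; a digest recomputed from a compromised host proves nothing, and the same check run periodically against running configurations doubles as the "monitor systems and networks" step after restoration.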
Other
• Build the communications channels to your peers and customers
• Build the communications channels to your vendors
Preparation
• Securing the Router and the Management Plane
• Securing the Network and Data Plane
• Securing the Routing Protocol and Control Plane
• Anycast as a Security Tool
• Using IP Routing as a Security Tool