17/06/2012
1
GT-CSIRT: RedCLARA CSIRT Working Group
Liliana Solha, CSIRT-WG Coordinator
2nd Academic CSIRT Meeting, June 17, 2012, Hilton, Malta
Agenda
• About RedCLARA
• GT-CSIRT Initiative
• LA-1: Malicious Activity Monitoring
• LA-2: Security Incident Handling
• LA-3: CSIRT Assistance
About RedCLARA
• Latin American Research, Education and Development network.
• Association of NRENs (National Research and Education Networks).
• Academic and Research community:
  – Universities and Higher Education Schools
  – Technology Centers
  – Research Centers and Institutions
  – etc.
• Millions of Internet users!
About RedCLARA (cont)
RedCLARA Members:
• Argentina (INNOVA-RED)
• Bolivia (ADSIB)
• Brazil (RNP)
• Chile (REUNA)
• Colombia (RENATA)
• Costa Rica (CONARE)
• Ecuador (CEDIA)
• El Salvador (RAICES)
• Guatemala (RAGIE)
• Mexico (CUDI)
• Panamá (REDCYT)
• Paraguay (ARANDU)
• Peru (RAAP)
• Uruguay (RAU)
• Venezuela (REACCIUN)
GT-CSIRT Initiative
• Established in August 2011 (duration: 2 years)
• GT-CSIRT Mission
Build CSIRT capabilities in each NREN and promote collaborative actions among the ones already established.
• Different approach
  – 3 Action Lines:
    1. LA-1: Malicious Activity Monitoring
    2. LA-2: Security Incident Handling
    3. LA-3: CSIRT Assistance
  – Pilot → All NRENs
GT-CSIRT Initiative (cont)
• WG Members
  Institution   NREN    Name
  INICTEL       RAAP    José Luis Quiroz
  INICTEL       RAAP    Javier Richard Quinto
  CEDIA         CEDIA   Claudio Chacón
  CEDIA         CEDIA   Mabel Mendez
  RAU           RAU     Sergio Ramirez
  RAU           RAU     Mónica Soliño
  REUNA         REUNA   Claudia Inostroza
  RNP           RNP     Frederico Costa
  RNP           RNP     Carla Freitas
  UTPL          CEDIA   Rebeca Pilco
  UTPL          CEDIA   Julia Pineda
• Coordinator: Liliana Solha (CAIS/RNP)
• Vice-coordinator: Carlos Córdova (UTPL/CEDIA)
• Assistant: Rildo Souza (CAIS/RNP)
LA-1: Malicious activity monitoring
• The SurfIDS Tool
  – Distributed IDS (D-IDS) developed by SURFnet
    • http://www.surfnet.nl/
    • http://ids.surfnet.nl
  – A model for environments where network usage is poorly controlled (as in some NRENs)
  – Focused on detecting worms, unauthorized access attempts and other types of malicious traffic.
  – Advantages: easy installation, low false-positive rate, easy updating process.
LA-1: Malicious activity monitoring (cont)
SurfIDS: Modus operandi [diagram slides]
LA-1: Malicious activity monitoring (cont)
Web interface [screenshot]
LA-1: Malicious activity monitoring (cont)
[diagram] Future: sensors in NREN 1 ... NREN X feeding an event correlation infrastructure at RedCLARA
• Event correlation infrastructure:
  • security incident statistics for LAC
  • incident correlation among NRENs
  • attack trend analysis
  • malware database for LAC
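The slide above only sketches the planned correlation infrastructure. The following is an added example (not GT-CSIRT or SurfIDS code) of the three views it lists, computed over a constructed batch of sensor events: sources seen by sensors in more than one NREN, detections per day and type for trend statistics, and per-NREN counts. The NREN names are taken from the deck; the sensor names, timestamps, detection labels and source addresses (IETF documentation ranges) are invented for the example.

```python
from collections import Counter, defaultdict

# Constructed sensor events as an aggregated RedCLARA feed might carry them:
# (NREN, sensor, ISO timestamp, source IP, detection). All values are invented.
EVENTS = [
    ("CEDIA", "sensor-1", "2012-06-15T03:12:44", "203.0.113.9", "worm:conficker"),
    ("RAAP", "sensor-2", "2012-06-15T03:40:10", "203.0.113.9", "worm:conficker"),
    ("RNP", "sensor-1", "2012-06-15T05:02:00", "203.0.113.9", "ssh-bruteforce"),
    ("RAU", "sensor-1", "2012-06-15T06:10:31", "198.51.100.77", "ssh-bruteforce"),
    ("RAU", "sensor-1", "2012-06-16T01:00:00", "198.51.100.77", "ssh-bruteforce"),
    ("CEDIA", "sensor-2", "2012-06-16T02:30:00", "192.0.2.33", "worm:conficker"),
]


def cross_nren_sources(events, min_nrens=2):
    """Incident correlation among NRENs: sources whose activity was seen by sensors
    in at least `min_nrens` different NRENs, with the NRENs and detections involved.
    A source hammering a single NREN from several sensors does not qualify."""
    seen = defaultdict(lambda: {"nrens": set(), "detections": set()})
    for nren, _sensor, _ts, src, detection in events:
        seen[src]["nrens"].add(nren)
        seen[src]["detections"].add(detection)
    return {
        src: {"nrens": sorted(v["nrens"]), "detections": sorted(v["detections"])}
        for src, v in seen.items()
        if len(v["nrens"]) >= min_nrens
    }


def daily_trend(events):
    """Attack trend input for LAC-wide statistics: detections per (day, type)."""
    counts = Counter()
    for _nren, _sensor, ts, _src, detection in events:
        counts[(ts[:10], detection)] += 1
    return counts


def per_nren_statistics(events):
    """Security incident statistics per NREN: events raised by each NREN's sensors."""
    return Counter(nren for nren, *_ in events)


def correlation_report(events):
    """Bundle the three views into one structure a regional CSIRT could publish."""
    return {
        "cross_nren_sources": cross_nren_sources(events),
        "daily_trend": dict(daily_trend(events)),
        "per_nren": dict(per_nren_statistics(events)),
    }


if __name__ == "__main__":
    report = correlation_report(EVENTS)
    for src, info in report["cross_nren_sources"].items():
        print(f"{src}: seen in {', '.join(info['nrens'])} ({', '.join(info['detections'])})")
    for (day, kind), n in sorted(report["daily_trend"].items()):
        print(f"{day} {kind}: {n}")
```

With the constructed input, 203.0.113.9 is the only source reported by more than one NREN; 198.51.100.77 appears twice but only at RAU, so it stays a local matter for that NREN's own incident handling.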
LA-2: Incident Handling
• Incident Handling Process
  – Incident reception (sources):
    • Monitoring (GT-CSIRT "LA-1: Malicious Activity Monitoring")
    • Incident feeds/files from different sources: Shadowserver, zone-h, spamcop, specific agreements, etc.
    • Notifications from CSIRTs, sysadmins, regular users.
[diagram] Incident Reception → Triage and Analysis → Containment/Mitigation → Recovery → Post-incident
LA-2: Incident Handling (cont)
• RNP experience
  – High volume of reported incidents (NREN)
  – Most of them followed a standardized form
  – Some organizations required to receive the incidents in batches
  – Undocumented and non-standardized scripts
  – Hard to update the security PoCs database
GENICS → RedCLARA!
LA-2: Incident Handling (cont)
GENICS: Modus operandi
[diagram] INPUT → Filter (ID) → File Parser (Parsers DB) → OUTPUT → Sending (Security contacts DB) → CONSTITUENCY
LA-2: Incident Handling (cont)
Homepage [screenshot]
LA-2: Incident Handling (cont)
Control panel – Security PoCs manager [screenshot]
LA-2: Incident Handling (cont)
Contacts Manager – NREN [screenshot]
LA-2: Incident Handling (cont)
Contacts Manager: NREN Details [screenshot]
LA-2: Incident Handling (cont)
• About Security Points of Contact
  – RFC 2142
    • sec_poc1@nren_domain, sec_poc2@nren_domain
    • security@nren_domain, abuse@nren_domain
  – Whois database update (abuse-c)
  – Example: the Ecuadorian NREN (CEDIA), AS27841 and IP block 190.15.128/20
    Results from LACNIC now:
    nic-hdl: SCN3
    person: Security CEDIA NREN
    e-mail: [email protected]
    address: Av. 12 de Abril Universidad Cuenca - Edif. Lab. Tecnologicos piso 3, s/n, Agustin Cueva
    address: EC010112 - Cuenca – AZ
    country: EC
    phone: +593 07 4051000 [4220]
    created: 20120524
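The GENICS pipeline (INPUT → Filter → Parser → OUTPUT → Sending, driven by a security contacts DB) and the security point-of-contact slide above describe the same workflow from two sides. The following is an added example, not GENICS code, that puts both together: a parser for a constructed Shadowserver-like CSV feed, a filter that routes each event to the NREN whose netblock contains the offending IP, batched per-NREN notifications (the "receive incidents in batches" requirement), and a contact lookup that prefers the e-mail of the abuse-c object in whois and falls back to the RFC 2142 mailboxes security@/abuse@ when no such object exists. The CSV column names, the whois e-mail, the hypothetical "NREN-X" with its 198.51.100.0/24 netblock, and every feed row are assumptions constructed for the example; CEDIA's AS27841 and 190.15.128/20 are the values shown on the slide.

```python
import csv
import io
import ipaddress
import re
from collections import defaultdict

# RFC 2142 mailboxes used as fallback security contacts (security@ and abuse@).
RFC2142_MAILBOXES = ("security", "abuse")

# Constructed incident feed in a Shadowserver-like CSV layout (column names are assumptions).
FEED = """timestamp,ip,type,dst_port
2012-06-15 03:12:44,190.15.130.7,ssh_bruteforce,22
2012-06-15 03:13:01,190.15.140.22,conficker,445
2012-06-15 04:00:10,198.51.100.17,conficker,445
2012-06-15 04:05:00,190.15.129.9,open_resolver,53
2012-06-15 04:07:31,203.0.113.5,conficker,445
"""

# Constructed whois record in the LACNIC key/value layout shown on the slide.
# AS27841 / 190.15.128/20 are from the slide; the e-mail address is invented.
WHOIS_CEDIA = """aut-num: AS27841
inetnum: 190.15.128/20
abuse-c: SCN3
nic-hdl: SCN3
person: Security CEDIA NREN
e-mail: security@cedia.example
country: EC
created: 20120524
"""


def parse_whois(text):
    """Turn 'key: value' whois lines into a dict; a repeated key keeps its first value."""
    record = {}
    for line in text.splitlines():
        match = re.match(r"^([\w-]+):\s*(.*)$", line)
        if match and match.group(1) not in record:
            record[match.group(1)] = match.group(2).strip()
    return record


def security_contacts(whois_text, nren_domain):
    """Security PoC lookup: prefer the e-mail registered for the abuse contact in
    whois, otherwise fall back to the RFC 2142 mailboxes at the NREN's domain."""
    email = parse_whois(whois_text).get("e-mail")
    if email:
        return [email]
    return [f"{box}@{nren_domain}" for box in RFC2142_MAILBOXES]


# Security contacts DB: (netblock, NREN, contact addresses). NREN-X is hypothetical.
CONTACTS_DB = [
    (ipaddress.ip_network("190.15.128.0/20"), "CEDIA",
     security_contacts(WHOIS_CEDIA, "cedia.example")),
    (ipaddress.ip_network("198.51.100.0/24"), "NREN-X",
     security_contacts("", "nren-x.example")),  # no abuse-c in whois: RFC 2142 fallback
]


def parse_feed(feed_csv):
    """File parser stage: one dict per feed row."""
    return list(csv.DictReader(io.StringIO(feed_csv)))


def filter_constituency(events, contacts_db):
    """Filter stage: route each event to the NREN whose netblock contains its IP.
    Events outside every constituent netblock are returned separately, not dropped silently."""
    routed, unrouted = defaultdict(list), []
    for event in events:
        ip = ipaddress.ip_address(event["ip"])
        owner = next((nren for net, nren, _ in contacts_db if ip in net), None)
        if owner is None:
            unrouted.append(event)
        else:
            routed[owner].append(event)
    return dict(routed), unrouted


def build_batches(routed, contacts_db):
    """Output stage: one batched notification per NREN, summarised by incident type."""
    recipients = {nren: contacts for _, nren, contacts in contacts_db}
    batches = {}
    for nren, events in routed.items():
        counts = defaultdict(int)
        for event in events:
            counts[event["type"]] += 1
        lines = [f"[GT-CSIRT] {len(events)} incident(s) reported for {nren}"]
        lines += [f"  {kind}: {n}" for kind, n in sorted(counts.items())]
        lines += [f"  {e['timestamp']} {e['ip']} {e['type']} dst_port={e['dst_port']}"
                  for e in events]
        batches[nren] = {"to": recipients[nren], "body": "\n".join(lines)}
    return batches


def run_pipeline(feed_csv, contacts_db):
    """INPUT -> parser -> filter -> OUTPUT -> sending: returns the batches and the leftovers."""
    routed, unrouted = filter_constituency(parse_feed(feed_csv), contacts_db)
    return build_batches(routed, contacts_db), unrouted


if __name__ == "__main__":
    batches, leftovers = run_pipeline(FEED, CONTACTS_DB)
    for nren, batch in batches.items():
        print(f"To: {', '.join(batch['to'])}\n{batch['body']}\n")
    print(f"{len(leftovers)} event(s) outside the constituency")
```

The "Sending" stage is left as a returned structure rather than an SMTP call so the example runs offline; the point to carry over is that the contacts DB, not the feed, decides who receives what, and that events that match no constituent netblock are kept visible (a stale netblock in the DB otherwise makes incidents vanish without trace).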
LA-2: Incident Handling (cont)
Control Panel: Incidents Manager [screenshot]
LA-2: Incident Handling (cont)
Incidents Manager: Parsers [screenshot]
LA-2: Incident Handling (cont)
Incidents Manager: Parser details [screenshot]
LA-3: CSIRT Assistance
– Since NRENs have implemented:
  • Malicious activity monitoring infrastructure
  • Incident handling infrastructure
  Are they already acting as CSIRTs? Not yet, but they are close to it.
– The CSIRT WG developed a "CSIRT Establishment Checklist"
  • Pilot: UTPL CSIRT + RNP CSIRT supporting the future CEDIA CSIRT
  • CSIRT Establishment Training (July 2012)
Next steps
– CLARA-TEC: Incident Handling Training for NRENs
  • July 2012 – Lima, Peru
– LA-1: Malicious activity monitoring
  • Finalize the pilot with 2 sensors per NREN (June 2012)
  • Prepare the course material (June 2012)
  • Roll out the monitoring solution (August 2012 – July 2013)
– LA-2: Incident handling
  • Finalize the pilot (June 2012)
  • Prepare the course material (June 2012)
  • Roll out the incident handling solution/model (August 2012 – July 2013)
– Develop a program for supporting NREN CSIRTs (August 2012 – July 2013)
  • Looking for funding and partnerships!
Questions
Liliana Velásquez Solha