Collaborative Data-Driven Security for High Performance Networks
Questions/Comments to ddcsw@internet2.edu
AGENDA / PRESENTATIONS
| Tuesday, August 17th | |
| 7:15-8:25 | Registration and Breakfast |
| 8:30-8:55 | Welcome, Housekeeping Items and Background/Introduction [pdf] WUSTL representative welcome and brief remarks. Background on the Data Driven Collaborative Security approach, including a brief recap of the first DDCSW. |
| 9:00-9:25 | Presentation #1: Stefan Frei, Secunia. The security of end-user PCs -- an empirical analysis [pdf] In this presentation we look at the evolution of the security threat posed by vulnerabilities in the programs of typical end-user PCs over the last five years, and provide an outlook for 2010 based on the data of the first six months of this year. The study is based on data from more than 2.6 million private users of the Secunia Personal Software Inspector (PSI), which provides unique insights into the distribution and types of programs typically present on end-user PCs. Further data analysis shows an alarming development: vulnerabilities affecting the portfolio of the Top-50 programs typically present on end-user PCs almost doubled from 2005 to 2009, and an almost four-fold increase is expected by the end of this year. A breakdown of the vulnerability contributions by operating system, Microsoft programs, and 3rd party programs (non-Microsoft) clearly identifies the primary source of the increased trend, and quantifies the complexity of keeping an average PC secure. |
| 9:30-9:55 | Presentation #2: Manos Antonakakis, Damballa. Building a Dynamic Reputation System for DNS [pdf] The Domain Name System (DNS) is an essential protocol used by both legitimate Internet applications and cyber attacks. For example, botnets rely on DNS to support agile command and control infrastructures. An effective way to disrupt these attacks is to place malicious domains on a "blocklist" (or "blacklist") or to add a filtering rule in a firewall or network intrusion detection system. To evade such security countermeasures, attackers have used DNS agility, e.g., by using new domains daily to evade static blacklists and firewalls. In this paper we propose Notos, a dynamic reputation system for DNS. The premise of this system is that malicious, agile use of DNS has unique characteristics and can be distinguished from legitimate, professionally provisioned DNS services. Notos uses passive DNS query data and analyzes the network and zone features of domains. It builds models of known legitimate domains and malicious domains, and uses these models to compute a reputation score for a new domain indicative of whether the domain is malicious or legitimate. We have evaluated Notos in a large ISP's network with DNS traffic from 1.4 million users. Our results show that Notos can identify malicious domains with high accuracy (true positive rate of 96.8%) and low false positive rate (0.38%), and can identify these domains weeks or even months before they appear in public blacklists. |
| 10:00-10:25 | Presentation #3: John S. Quarterman, Quarterman Creations. Data, Reputation, and Certification Against Spam [pdf] Incentives are needed for collective action to counter the illicit economy of spammers and bot herders. Email providers (from ISPs to universities) care about their reputation: nobody wants to be branded a spam haven. A reputation system showing how providers rank daily can convert outbound spam from an economic externality to an internal incentive. Just as John Moody began by collecting, aggregating, and interpreting huge amounts of data on a variety of companies, the IIAR project at the McCombs Business School of UT Austin has been collecting, reducing, and analysing spam blocklist data for more than a year, working up elements of such a reputation system. This talk is about the scope (the entire Internet as viewed by half a dozen blocklists), consistency (daily), variety (hosts, volume, botnets, selected by registrar, country, or ASN, ranked raw or normalized by size, etc.), and applicability of this data, with graphical depictions of rankings and example events. Deployment will involve establishing organization structures, which may separate the daily publication of high level rankings (the RS) from a certification authority (CA) to certify providers in classes analogous to bond ratings. Sources of income in production may range from subscriptions for more detailed rankings to custom drilldowns and analyses. At the business level, the project is studying how to use certification to turn cheap talk (as in a provider says it's doing good security, but how does a customer know whether to believe that) into effective communication between providers and customers, thus producing a more effective market. Or as Scott Adams puts it, turning a confusopoly into a transparent market. |
| 10:30-10:45 | Morning Coffee Break and Sign Up For Evening BoFs |
| 10:50-11:55 | Breakout Session #1 (choose option A or B) |
| 12:00-12:20 | Data Flea Market. Facilitator: Jose Nazario. This session is meant to provide an opportunity for attendees to introduce themselves to the other attendees and to take no more than 3 minutes each to talk about: Participants making a 3 minute announcement during the Data Flea Market may wish to continue discussions during lunch or during an evening BoF. |
| 12:25-1:45 | Lunch (and chance for breakout session leaders to prep for their report-out session after lunch) |
| 1:50-2:10 | Reports from the Morning Breakout Sessions (brief 10 minute summaries from each breakout leader) |
| 2:15-2:45 | Panel: Data Driven Security and IPv6 Participants: Bill Darte, John Kristoff, Joe St Sauver Current best estimates are that IANA will exhaust its pool of unallocated IPv4 addresses on 17-Jun-2011, just ten months from now, with the RIRs running out some eight months after that. Are we ready for a data collection and analysis environment that will continually have more and more reliance on IPv6 (and IPv4 address-conserving strategies such as NAT)? Are our tools and databases ready for a dual stack environment? What will we do when techniques we used in IPv4 (such as block lists) don't port well to IPv6? How will we attribute abuse in an environment where stateless autoconfiguration, RFC3041 privacy addresses and poorly instrumented networks frustrate attempts at accountability? |
| 2:50-3:15 | Presentation #4: Ken Klingenstein, Internet2. Update on Internet identity and access controls [pdf] This talk will fly through current developments in Internet identity and trust, including federated identity, OpenId and NSTIC, etc. It will then fly through expected developments in integration of federated identity to non-web apps, user privacy and consent, etc. It will then spend more time challenging the audience to think of ways to leverage this emerging infrastructure in their work and their approaches to security. |
| 3:20-3:35 | Afternoon Break |
| 3:40-4:15 | Presentation #5: Eric Ziegast, ISC. NMSG [pdf] NMSG (ftp://ftp.isc.org/isc/nmsg) is a flexible, extensible, open source, high-performance, scalable data transport used at ISC's Security Information Exchange (SIE). During this presentation we will learn the reasons for its creation, understand its concepts and methods, and see examples of how it is used in production. |
| 4:20-4:35 | Presentation #6: Eric Ziegast, ISC. DNS RPZ [pdf] Eric Ziegast from ISC will touch upon the recently released DNS Response Policy Zones (RPZ): what they are, how the technology works, and may even have some examples to share. The policy considerations surrounding this new technology are similar to those for sharing analysis feeds and may be worthy of discussion in that context. |
| 4:40-5:05 | Presentation #7: Wes Young, REN-ISAC. Collective Intelligence: security intel is living, social data. [pdf] Collective Intelligence is a social problem. Ultimately data comes from people, whether it's from an IDS sensor with a particular ruleset that a person chose or a forensics investigation. At some point along the way, someone within a particular context found something worth sharing from within their particular bias. They see, present and store their data from a specific point of view based on everything from their sociological perspective to their field expertise. The Collective Intelligence Framework ("CI-Framework") is geared to normalize higher level security intelligence (malware, infrastructure, URLs, etc). This framework provides an open-source foundation for translating both public and private intelligence into a native perspective using a "schema-less data" theory. This allows analysts to focus on the analytics and applications (the 'real value') of the data rather than the mechanics of collection and storage. It's also geared to standardize the mechanics of knowledge transfer within large heterogeneous federations, lowering the barrier to sharing. Last year we showed how the Security Event System "SES" normalized and correlated machine driven security event messages. In this next phase we will show how to normalize machine driven correlations with public and private data regardless of data structure in an effort to rapidly deploy mitigation and reputation analysis based on multiple intelligence sources. |
| 5:10-5:30 | PGP Key Signing Event. Coordinator: John Kristoff. Immediately before dinner with colleagues on your own, there will be a PGP key signing. To join in, prepare the following in advance: For more information about the key signing event, please contact John Kristoff <jtk@cymru.com> |
| 5:30-9:00 | Dinner with colleagues on your own |
| 7:00-9:00 | Evening BoFs (optional) |
| Wednesday, August 18th | |
| 7:15-8:25 | Registration (for anyone joining us on the 2nd day) and Breakfast |
| 8:30-8:55 | Presentation #8: Beth Young, MOREnet. BHDNS at MOREnet [pdf] Way back when, MOREnet Security was using null routes to block members from going to the bad places on the Internet, but our null routes were both too aggressive and not aggressive enough. We were blocking legitimate sites but people were still getting infected. We decided that with the advances of malware and fast-flux, the better way to protect users was to set up a Blackhole DNS server. Originally, we were using the zone file from Malwaredomains.com, but they were not fast enough with their updates and weren't as thorough as we would have liked them to be. In January 2010, we started generating our own zone file with malicious domains. We still use the feed from malwaredomains but it isn't our primary feed anymore. This presentation will talk about how our list is put together and maintained. It will also discuss our efforts to proactively block new malware domains as they are registered instead of waiting until they are actively serving malware. |
| 9:00-9:25 | Presentation #9: Seth Hall, Paul Tatarsky, John Kristoff. The Dragon Research Group (DRG) Volunteers Development Update [pdf] The DRG will present a brief overview and update of the all new volunteer organization before covering some of the major projects underway, including the DRG Distro, a UNIX-based custom insight & analysis platform that is being deployed throughout the world. We will highlight some of the technical capabilities and challenges in deploying and managing the distro, as well as some of the recent insight such as SSH password authentication attacks, HTTP probes and DNS lame delegations. We will also briefly enumerate some other ongoing and future work such as SQL injection attack monitoring, IPv6 monitoring and the next major release of the DRG Distro. |
| 9:30-9:55 | Presentation #10: Nick Byers/Pat Finn, NCFTA. Internet Fraud Alert (IFA) After compromised data is found, what is normally done with the information? If you give it to the proper organization, did it make it to the right person? Did the person get the data quickly enough to mitigate the risk? It is the intention of the IFA project to become an international clearinghouse and alerting mechanism to solve these issues and more. We will cover in this talk the goals of IFA, the process flow for data, the work flow for the IFA system and some of the current hurdles facing the young project. We hope that this will bring more people to the table, if not to submit data, at least to express opinions and ideas on a problem that has vexed a large number of people. |
| 10:00-10:25 | Presentation #11: Tom Grasso, FBI. Botnet Threat Focus Cell The FBI has made the investigation of botnets one of its top priorities. Botnet activities have been linked by FBI investigations to numerous illegal Internet operations, such as distributed denial of service attacks (DDoS), spam campaigns, extortion, propagation of malware, clickfraud, and identity theft schemes. Damages from botnet activities are well in the billions of dollars from reported losses. To address the threat botnets pose to the United States, the FBI has formed the Botnet Threat Focus Cell (BTFC). The BTFC is a working group comprised of law enforcement, other government agencies, and private sector participants whose mission is to identify and neutralize priority botnet threats. The cell has developed a list of fifteen priority/high-threat botnets based on the threat they pose to the U.S. telecommunications infrastructure and economy. |
| 10:30-10:45 | Coffee Break |
| 10:50-11:55 | Breakout Session #2 (Choose option C or D) If users operate within a captive web framework, such as a proprietary webmail interface, it may be possible to integrate a "report abuse" button to automatically handle the mechanics of abuse report submission, including screening for timeliness, properly structuring the report, and delivering it to the right entity, but obviously not all sites, users or types of abuse incidents are covered by that sort of approach. Are there other things we should be doing to ensure that we can easily get timely and correctly formatted incident reports from all our users? For example, should we be promoting browser toolbars/add-ins to tackle detection and reporting of web-based malware and phishing? |
| 12:00-12:55 | Lunch (and chance for breakout session leaders to prep for report out after lunch) |
| 1:00-1:20 | Report Back From Breakout Session #2 (10 minutes per breakout session) |
| 1:25-1:50 | Presentation #12: Brian Allen, Washington University FastNMAP Scanning, a Case Study at Washington University [pdf] Nmap has added many additions and improvements in the last few years and is quickly becoming an excellent tool for vulnerability and application scanning in addition to its exceptional port scanning ability. Unlike vulnerability scanners and IDS/IPS systems, Nmap is also excellent as post-intrusion-detection when other security layers let a compromise slip through. Nmap scanning can be hard to scale for large networks but with fastnmap.pl and npwn.pl the process of scanning and analysis is mostly automated. This presentation will cover a brief review of nmap, then discuss how fastnmap.pl works and how to scan an entire large network with it, and finally look at a case study of using fastnmap.pl at Washington University in St. Louis. |
| 1:55-2:25 | Lightning Talks. Lightning talks are a tradition we've co-opted from the Internet2/ESNet Joint Techs meetings (see http://jointtechs.es.net/ if you're not familiar with Joint Techs). Lightning talks last five minutes, and are delivered by interested participants on a topic relevant to this workshop. If you would like to give a lightning talk at DDCSW, please send your proposal to ddcsw@internet2.edu by close of business Tuesday. |
| 2:30-3:00 | Day 2 and Workshop As a Whole Wrapup |
| 3:00 | Workshop Ends |