Crowd-sourcing CyberSecurity through the REN-ISAC Community · 2017-03-22

Chris O’Donnell

REN-ISAC Background

MISSION

● Overall – serve the Research and Higher Education space and promote operational security

● CSIRT Role

● Operate a trusted community

● Work with other ISACs and other external parties

FACTS AND FIGURES

▪ Hosted at Indiana University

▪ Board of Directors

▪ Advisory groups

▪ Ad hoc special interest groups and projects

▪ Over 500 member institutions and over 1600 member representatives

Threat Landscape

INFOSEC IS #1 IT ISSUE IN HIGHER ED, 2016 *AND AGAIN IN 2017*

* Educause Top 10 IT Issues 2016 and 2017

THREAT TRENDS

§ Motive?

§ The threat actor is external to the organization

§ Time to compromise is < one hour

§ Time to discover a breach occurred > one day

DATA BREACHES IN HIGHER EDUCATION

[Bar chart: number of data breaches in higher education per year, 2005–2016; y-axis 0 to 90. Source: Privacy Rights Clearinghouse]

WHERE IS EDUCATION ON THE LIST?

SENSITIVE DATA BREACHES

RANSOMWARE

RECENT SURVEY RESULTS

What Are You Doing to Mitigate the Risk of Ransomware? (N=27)

Increasing employee education and awareness efforts: 19 (70%)

Tightening spam filters on email systems: 11 (41%)

Accelerating the institution's move to cloud storage: 1 (4%)

Reminding system administrators to verify/test backups, check schedules: 9 (33%)

Updating institutional policies / standards: 2 (7%)

MOBILE

§ Mobile use is increasing

§ Lots of older unpatched OSes

§ 3rd party app stores

§ Malicious apps on primary app stores

INSIDER THREAT

PHISHING

§ Primary attack vector for online crime

§ Spear-phishing / Whaling

RECENT SURVEY RESULTS

DENIAL OF SERVICE ATTACKS

§ Amplification via vulnerable protocols, e.g. NTP

§ Increasing use of Internet connected devices (IoT)

DENIAL OF SERVICE ATTACKS

COMPROMISED CREDENTIALS

Crowdsourcing Cybersecurity Through the REN-ISAC Community

RELATIONSHIPS

§ Sector ISAC

§ Members

§ 3rd Parties

CONCERNS

How do we help?

CSIRT for EDU Space

SOC ACTIVITY – MOSTLY AUTOMATED

REN-ISAC CSIRT Activity, YTD 2016

Notifications                   Q1      Q2         Q3      Q4
Compromised machines            23,943  16,911     13,589  12,661
Compromised credentials         13,162  1,037,881  5,094   1,141,653
Spam or Phish                   117     86         111     1,995
Vulnerable machines             1       39         2       11
Open recursive DNS resolvers    793     713        607     655
Open mail relays                52      25         37      34
Other                           1       3          5       1
Totals                          38,069  1,055,658  19,445  1,157,010

SOC ACTIVITY - MANUAL

REN-ISAC SOC Activity, YTD 2016

Notifications              Q1     Q2     Q3     Q4
Notification questions     429    626    278    194
Password resets            105    100    75     60
Notifications              51     21     50     38
Other                      177    627    477    371
Totals                     762    1,374  880    663
Non-interactive tickets    2,060  2,611  3,302  3,026

SHARING INTEL

ALERTS, ADVISORIES, AND REPORTS

§ Advisories on various threats

§ Daily Watch

COMMUNITY SHARING

§ Community of trusted cybersecurity staff at R&E member institutions

§ Confidentiality, Integrity and Availability

§ Sharing actionable intel for operational protection and response

CIF/SES – AUTOMATED THREAT INTELLIGENCE

PASSIVE DNS – WHAT?

[Diagram, built up step by step across several slides: a user at My University visits www.my.edu, and a request to resolve www.example.com goes to the campus recursive caching DNS server. The recursive server asks the Global DNS "where is the authoritative for example.com?" and receives a response; it then sends a query to example.com's authoritative DNS server (which serves www.example.com on the Global Internet) and receives a response; finally the response is returned to the user.]

Whee!
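Passive DNS is what you get by recording the answers the recursive caching server in the diagram above sees and aggregating them by name, type and data. The following is an added example, not code from the presentation or from REN-ISAC; it assumes a simplified input of (timestamp, rrname, rrtype, rdata) tuples and constructs a few sample answers inline.

```python
from dataclasses import dataclass

# Constructed sample of answers as seen by the campus recursive resolver:
# (unix timestamp, rrname, rrtype, rdata). Not real observations.
SAMPLE_ANSWERS = [
    (1489968000, "www.example.com", "A", "192.0.2.10"),
    (1489968060, "www.example.com", "A", "192.0.2.10"),
    (1489971600, "mail.example.com", "A", "192.0.2.10"),
    (1490054400, "www.example.com", "A", "192.0.2.20"),
    (1490054400, "example.com", "NS", "ns1.example.com"),
]


@dataclass
class PdnsRecord:
    rrname: str
    rrtype: str
    rdata: str
    first_seen: int   # earliest timestamp this exact answer was observed
    last_seen: int    # latest timestamp this exact answer was observed
    count: int        # how many times it was observed


def build_pdns(answers):
    """Aggregate observed answers into passive DNS records keyed by (rrname, rrtype, rdata)."""
    db = {}
    for ts, rrname, rrtype, rdata in answers:
        key = (rrname.lower().rstrip("."), rrtype, rdata)
        rec = db.get(key)
        if rec is None:
            db[key] = PdnsRecord(*key, ts, ts, 1)
        else:
            rec.first_seen = min(rec.first_seen, ts)
            rec.last_seen = max(rec.last_seen, ts)
            rec.count += 1
    return db


def names_for_rdata(db, rdata):
    """Reverse lookup: every name ever observed resolving to this rdata (e.g. an IP)."""
    return sorted({r.rrname for r in db.values() if r.rdata == rdata})


def history_for_name(db, rrname):
    """Forward lookup: every answer a name has ever had, oldest first."""
    name = rrname.lower().rstrip(".")
    return sorted((r for r in db.values() if r.rrname == name), key=lambda r: r.first_seen)
```

The reverse lookup is the analyst's use: given an IP from an advisory, it lists every name the campus has been observed resolving to it, with first/last seen times.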

PASSIVE DNS – WHY?

EDUCATION

▪ Techbursts

▪ Wikis

FUTURE (NOW) THREAT VECTORS

▪ Automated Access Controls

▪ Industrial Control Systems

▪ Internet of Things

Wrap up…

QUESTIONS?

§ REN-ISAC

§ http://ren-isac.net

§ soc@ren-isac.net

§ (317) 274-7228
