![Page 1: Critical National Infrastructure What is attacking your network, and how do you know? By Frode Rein ICT Manager, The Norwegian Parliament – Stortinget](https://reader036.vdocuments.us/reader036/viewer/2022062718/56649e925503460f94b97eb2/html5/thumbnails/1.jpg)
Critical National Infrastructure
What is attacking your network, and how do you know?
By Frode Rein, ICT Manager, The Norwegian Parliament – Stortinget
(Nigel Beighton, Symantec, Advance Threat Research)
ECPRD Nicosia, 6th November 2003
What is CNI?
"CNI" is an initiative to prepare and protect a country's critical organisations and infrastructure.
The "CNI project" is a community-based early warning and reporting capability, currently in development as a pilot by Symantec and selected organisations.
We need early warning to be prepared, and alerts for the whole of our community.
Attacks in August
(Chart: attacks monitored per day in August 2003, scale 0–3500; peaks labelled Blaster, Welchia and Sobig.F)
Events over last 7 days
(Slide shows an image only)
Governments need to protect
Experience:
• "…need time to be prepared"
• "…interested in benchmarking"
Trends:
• Increased speed and severity of hit
• Sector targeting
Targets: Organisations – Services – CNI
Where did it come from? New research
Change in Exploitability of Vulnerabilities
(Chart: share of vulnerabilities, 0–60 %, Jan–Jun 2002 versus Jan–Jun 2003, in three classes: Exploit Available "…it's easy"; No Exploit Available "…in theory"; No Exploit Required "…it can be done")
Patch, patch, patch
Averaging 90 serious/critical vulnerabilities a month!
Organisations cannot patch constantly – emergency patches are only tested against the vulnerability they fix
• Not all vulnerabilities lead to attacks
• Will this vulnerability become the next Blaster? – Watch them try it, build exploits, test it and start it
• Need to prioritise which patch to do, when and where
• You need time to be prepared
The Changing Threat Picture
(Diagram: attacks become targeted – "they try it, they test it")
Blaster Milestones
July 16: Buffer overflow vulnerability discovered; Microsoft patch released
July 22: Sample exploit code circulating in the hacking community
July 23: Symantec sees increase in TCP port 135 scanning
July 25: Exploit code captured and made public
August 7: Automated tools observed starting to exploit the vulnerability on a large scale
August 11: Symantec discovers the W32.Blaster worm; virus updates released
August 13: Blaster hits the headlines, with reported spread affecting 188,000 systems worldwide
August 16: Microsoft delists the windowsupdate.com website and averts the denial of service attack
CNI actions on the same timeline:
• CNI members contacted directly about Blaster
• CNI members advised (the slide carries a further date marker, 31, here)
• Broadcast media comment on Blaster
• CNI CORe team begin specific monitoring
Blaster worm
(Chart: unique source IPs over time, scale 0–30,000, July 20 to August 10, with markers for "CNI customers advised of potential issue", "CNI customers contacted directly re Blaster" and "Broadcast media comment on Blaster")
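The two Blaster slides above boil down to one detection question for a perimeter team: how do you notice, from your own firewall drops, that the number of distinct hosts probing TCP/135 has jumped, days before a worm is named? The following is an added example written for this page, not code from the presentation or from the CNI pilot. The log line format, device names, addresses and the surge itself are constructed for illustration; the regex would need adapting to a real firewall's deny-log format.

```python
"""Spotting a Blaster-style scanning surge in perimeter firewall logs.

Added example, not from the presentation or the CNI pilot. The log line
format, host names and addresses below are constructed for illustration;
adapt LINE_RE to your own firewall's deny-log format.
"""
import re
from collections import defaultdict
from statistics import median

# Constructed format: "<ISO time> <device> deny <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ deny (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def build_sample_log():
    """Constructed sample: a week of low background noise on TCP/135, one
    day with 40 distinct probing hosts, then a smaller tail the day after."""
    lines = []
    for day in range(20, 27):                       # 20-26 July: two scanners a day
        for i in (1, 2):
            lines.append(f"2003-07-{day}T0{i}:00:00 fw1 deny tcp "
                         f"203.0.113.{day - 19}{i}:1025 -> 192.0.2.5:135")
        # unrelated web probes must not be counted towards port 135
        lines.append(f"2003-07-{day}T12:00:00 fw1 deny tcp "
                     f"198.51.100.200:4000 -> 192.0.2.5:80")
    for n in range(1, 41):                          # 27 July: the surge
        lines.append(f"2003-07-27T00:{n:02d}:00 fw1 deny tcp "
                     f"198.51.100.{n}:1025 -> 192.0.2.5:135")
    for n in range(41, 46):                         # 28 July: five stragglers
        lines.append(f"2003-07-28T00:{n:02d}:00 fw1 deny tcp "
                     f"198.51.100.{n}:1025 -> 192.0.2.5:135")
    return lines


def unique_sources_per_day(lines, proto="tcp", dport=135):
    """Map day -> number of distinct source IPs denied on proto/dport.
    Distinct sources, not packet counts: one noisy host is not a worm, but
    dozens of new hosts probing the same port on the same day is the signature of one."""
    seen = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                                # unparsable line: skip, don't crash
        if m["proto"] == proto and int(m["dport"]) == dport:
            seen[m["day"]].add(m["src"])
    return {day: len(srcs) for day, srcs in seen.items()}


def flag_surges(counts, factor=5.0, min_sources=10):
    """Return (day, n, baseline) for days whose distinct-source count is both
    above an absolute floor and more than factor x the median of the days
    before it. Only earlier days form the baseline, so a surge cannot mask
    itself, and the median resists a single earlier spike."""
    flagged, history = [], []
    for day in sorted(counts):
        n = counts[day]
        if history:
            baseline = median(history)
            if n >= min_sources and n > factor * max(baseline, 1):
                flagged.append((day, n, baseline))
        history.append(n)
    return flagged


if __name__ == "__main__":
    per_day = unique_sources_per_day(build_sample_log())
    for day, n, baseline in flag_surges(per_day):
        print(f"{day}: {n} distinct sources on tcp/135 (baseline {baseline})")
```

Two design choices matter here. Counting distinct sources rather than packets separates one aggressive scanner from a spreading worm, and judging each day only against the days before it keeps the surge from lifting its own baseline. A day with no port-135 hits at all does not appear in the counts; if that can happen on your perimeter, fill missing days with zero before calling flag_surges, or the baseline will be too high.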
Less time to react
(Chart: Vulnerability Release Date v Time to Active Exploitation; x-axis date from 1-Oct-00 to 28-Jun-03, y-axis days from 0 to 350; W32.Blaster Worm marked)
Where does the data come from?
• Symantec's 20,000 internet and private network sensors (180 countries)
• 200+ pop-up honey-pots
• SecurityFocus Bugtraq
• Virus response team (and their zoo!) – 100M submitting AV systems
• Internet community (black_hat & white_hat)
• External authorities
Directly monitored averages per day*:
Logs/alerts imported: 400M
Triggered events: 250,000
Severe events: 300
Correlated with 5.5B events and 40M attacking IP addresses
*Excluding virus data
(Diagram: Community Monitor & Alert – Early Warning – Community Knowledge – Analysis & Reporting)
What do we get
Community Monitor & Alert – Early Warning – Community Knowledge – Analysis
• Security device monitoring
• Community specific alerting
• Online threat reporting.
• Deep probe activity report (weekly)
• Online technology vulnerability alerting
• Analysis & trend tracking events (quarterly)
• Online community forum
• Online threat reporting
• Online regulatory and standard industry benchmarking
• Custom reporting and analysis
Important notes
CNI will provide "observations", "probables" and "potentials" – these need to be treated accordingly.
CNI does not have data on all companies in all segments – coverage grows with the community.
(Public) Device data is initially processed in the US (Alexandria central SOC) – now moving to European-only processing.
It is a pilot (experimental) – development input is essential.
Q. How accurate?
What is the Pilot?
• 6 months
• Up to 8 sensors monitored
• Deepsight access
• Early warning
• Shared data (anonymised)
… and involvement: sensor data, workshops, feedback, ideas
… and an understanding of the information basis
Timeline: Pilot customers (now) → Advance release customers (Feb 04) → Full launch (April 04); Phase 1, Phase 2
Our experiences
• A pilot is a pilot
– Pros: high attention from the vendor; state of the art technology
– Cons: deficient routines; reports still in development; state of the art technology; time-consuming for the customer; no community parliament warning (we are alone)
Options – data sensitivity
• Option 1 – multiple devices: NIDS and firewalls send secure log data to the vendor (diagram: Internet – Firewalls – NIDS)
– Multi-dimensional analyses; internal & external; comprehensive; (not acceptable)
• Option 2 – outside IDS collector only: a single IDS collector outside the firewalls sends secure log data (diagram: Internet – IDS Collector – Firewalls – NIDS)
– External only; less comprehensive; acceptable
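Option 2 is "acceptable" because nothing inside the parliament's network is described in the data that leaves it. If an organisation does want the more comprehensive internal view shared (Option 1, or the "shared data (anonymised)" item of the pilot), the internal addresses have to be pseudonymised before export while the external attacker addresses, which are the point of the exercise, stay intact. The following is an added example of that step, written for this page; it is not code from the presentation, from Symantec or from the pilot. The event format, alert name, address ranges and key are constructed for illustration.

```python
"""Pseudonymising internal addresses before IDS/firewall data leaves the network.

Added example, not from the presentation or Symantec's pilot. The event
format, the internal ranges and the key are constructed for illustration.
Internal addresses are replaced by a keyed token; external (attacker)
addresses, which are the whole point of sharing, are left intact.
"""
import hashlib
import hmac
import ipaddress
import re

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
TOKEN_RE = re.compile(r"int-[0-9a-f]{12}")

# Constructed sample events (format and alert name are invented for this example).
SAMPLE_EVENTS = [
    "2003-08-11T14:02:10 nids1 alert rpc-dcom-overflow 198.51.100.23:3027 -> 10.20.30.40:135",
    "2003-08-11T14:02:12 nids1 alert rpc-dcom-overflow 198.51.100.23:3028 -> 10.20.30.41:135",
    "2003-08-11T14:03:00 fw1 deny tcp 10.20.30.40:1034 -> 203.0.113.9:4444",
]


def make_pseudonymiser(secret_key, internal_nets):
    """Return a function that rewrites every internal IP in a line to a stable
    'int-<12 hex>' token and leaves all other addresses as they are."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]

    def token_for(ip):
        # HMAC with a key that never leaves the organisation. A bare hash would
        # not do: the private IPv4 ranges are small enough for the recipient to
        # hash them all and reverse the mapping.
        return "int-" + hmac.new(secret_key, ip.packed, hashlib.sha256).hexdigest()[:12]

    def pseudonymise(line):
        def replace(match):
            text = match.group(0)
            try:
                ip = ipaddress.ip_address(text)
            except ValueError:
                return text          # matched the shape of an IP but is not one (e.g. 999.1.1.1)
            return token_for(ip) if any(ip in net for net in nets) else text
        return IP_RE.sub(replace, line)

    return pseudonymise


def tokens_in(line):
    """All pseudonym tokens found in a line (used to confirm correlation is kept)."""
    return TOKEN_RE.findall(line)


if __name__ == "__main__":
    pseudonymise = make_pseudonymiser(b"key-held-only-by-stortinget",
                                      ["10.0.0.0/8", "192.168.0.0/16"])
    for event in SAMPLE_EVENTS:
        print(pseudonymise(event))
```

The same internal host yields the same token across every line, so the vendor can still say "one external source hit three distinct internal hosts" without learning which hosts they were; a different key yields an unrelated set of tokens, so two organisations sharing into the same community cannot match each other's hosts either. Note what this does not cover: host names, user names and payload fragments in alert text identify internal systems just as well as addresses, and need their own scrubbing before export.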
Pilot infrastructure
(Diagram: Stortinget LAN, Firewall, ManHunt IDS, Internet)
Our Home page
(Slide shows an image only)
Reports
• Weekly Event Digest
• Emerging Threat Notifications
• Community Watch Report
• Deep Sight Alert Service
People – our greatest resource
• This technology/concept is very interesting, but without dedicated people within your organisation the concept will fail
• Heavy use of internal personnel resources – incident handling, routines, reports, monitoring
• Well-educated personnel – high requirements for internal IT security and networking skills
Responsibility
• In the end, you cannot transfer responsibility to the vendor – you still have to keep a high focus on IT security
Internal handling of CNI information
• Daily routines and procedures
• Incident management – Incident Response Team
• Who is doing what in a crisis – who is pulling the plug, who is handling the press, who is responsible for handling forensic evidence
Controversial points
• You have to give something before you get something
• Collecting data from the parliament – IDSs and firewalls – inside or outside the firewall?
• What do the MPs say if we tell them that an American company is collecting data from IDSs and firewalls within their local network?
Why join this concept?
• Parliamentary community – European Parliamentary IRT
• A large community gives high attention from the vendor
• More reliable data from a large community
• Benchmarking within the community
• Community warning
• A problem shared is a problem halved