csirt-tiws-enisa workshop on botnets v2
TRANSCRIPT
![Page 1: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/1.jpg)
Telefonica International Wholesale ServicesComputer Security Incidence Response TeamTelefonica Research & Development
Telefonica IWS CSIRT
March 10th, 2011
Once upon a time…
![Page 2: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/2.jpg)
1
Once upon a time… who we are
![Page 3: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/3.jpg)
2
About TIWS CSIRTAbout TIWS CSIRTAbout TIWS CSIRTAbout TIWS CSIRT
Network Security
Carlos Olea
CSIRT TIWSInternal Security
Technical Support
Network Systems
Network Technology IT Legal BU IP SD
Telefonica Group Relationships
Research Spain Latam O2
External Relationships
Gov International
Coo1
![Page 4: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/4.jpg)
Diapositiva 3
Coo1 weicoo01; 28/12/2010
![Page 5: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/5.jpg)
3
Network AbuseNetwork AbuseNetwork AbuseNetwork Abuse
Network SecurityNetwork SecurityNetwork SecurityNetwork Security
CSIRT TIWSCSIRT TIWSCSIRT TIWSCSIRT TIWS
Security Incidences related to Telefonica Services or customers.
Security incidences or threats that can impact to our services or customers.
Single Point of contact for security and coordination
Network abuse and security are managed with a proper team to be sure that external communications are forwarded and handled by the right people inside Telefonica.
The CSIRT e-mail have a different team to coordinate security issues in TIWS and in Telefonica Group.
In CSIRT e-mail account we provide PGP facility to encrypt all the communications and newsletters.
About TIWS CSIRTAbout TIWS CSIRTAbout TIWS CSIRTAbout TIWS CSIRTSecurity Forums
CSIRT | Telefónica Computer Security Incidence Response Team
Distrito C West 1 Building, 3th Floor | Ronda de la Comunicación s/n, 28050 Madrid, Spain
[email protected] | Tel +34 914 83x xxx
PGP ID : 0xB405ED13 | PGP FingerPrint : 05E9 8A22 CA41 1341 17EA 6768 D4AB 8A99 B405 ED13
![Page 6: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/6.jpg)
Telefonica Wholesale is positioned as a Tier 1 Telefonica Wholesale is positioned as a Tier 1 Telefonica Wholesale is positioned as a Tier 1 Telefonica Wholesale is positioned as a Tier 1 Carrier in the international arena... Carrier in the international arena... Carrier in the international arena... Carrier in the international arena...
+45,000km
fiber optic,
18 Landing
stations
20 billion
Minutes intl. voice,
300 direct
destination
Best Data
Network
capillarity
in Latam
2 International
Control Centers
and POPs in +40
Countries
International
MPLS
Network
Tier 1 IP
Backbone
+500
professionals
in 33
countries
Security
Services
DoS
Shield
![Page 7: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/7.jpg)
5
Argentina: 21.9 million
Brazil: 67.0 million
Central America: 6.3 million
Colombia: 11.2 million
Chile: 10.7 million
Ecuador: 3.8 million
Mexico: 17.7 million
Peru: 15.9 million
Uruguay: 1.6 million
Venezuela: 11.8 million
Wireline market rank
Mobile market rank
21
12
21
11
2
2
11
1
2
2
Notes:
- Central America includes Guatemala, Panama, El Salvador and Nicaragua
- Total accesses figure includes Narrowband Internet accesses of Terra Brasil and Terra Colombia, and
Broadband Internet accesses of Terra Brasil, Telefónica de Argentina, Terra Guatemala and Terra México.
Data as of December ‘09
Total Accesses
168.6 million
Telefonica is a leader in the Latin American
Telco market 9
![Page 8: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/8.jpg)
6
Spain: 46.8 million
UK: 21.9 million
Germany: 17.1 million
Ireland: 1.7 million
Czech Republic: 7.8 million
Slovakia: 0.6 million
1
21
11
4
2
3
Data as of December ‘09
... enjoys a significant footprint in Europe 9
Wireline market rank
Mobile market rank
Total Accesses
96.0 million
![Page 9: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/9.jpg)
7
External Activities: … just to clarify the threat picture
![Page 10: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/10.jpg)
200,000
400,000
100,000
300,000
500,000
2003 2004 2005 20062000 2001 2002 2007Source: McAfee Labs
Virus and Bots PUP Trojan
ExternalExternalExternalExternal ActivitiesActivitiesActivitiesActivitiesSome yearly figures I
![Page 11: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/11.jpg)
2003 2004 2005 20062000 2001 2002 2007
400,000
800,000
200,000
600,000
1,000,000
1,200,000
1,400,000
1,600,000
1,800,000
2,000,000
2,200,000
Virus and Bots PUP Trojan
2008Source: McAfee Labs
External ActivitiesSome yearly figures II
![Page 12: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/12.jpg)
2008
Virus and Bots PUP Trojan
2,400,000
2,600,000
2,800,000
3,000,000
3,200,000
400,000
800,000
200,000
600,000
1,000,000
1,200,000
1,400,000
1,600,000
1,800,000
2,000,000
2,200,000
2009Source: McAfee Labs
External ActivitiesSome yearly figures III
![Page 13: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/13.jpg)
11
External ActivitiesSometimes size matters
![Page 14: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/14.jpg)
Make Money using our networksActivities impacting our services and customers
12
![Page 15: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/15.jpg)
13
TheTheTheThe challengechallengechallengechallenge talkingtalkingtalkingtalking aboutaboutaboutabout BotnetsBotnetsBotnetsBotnetsMalware Infection Cycle, the untouchables
![Page 16: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/16.jpg)
14
Local Activities… just to clarify the Business
![Page 17: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/17.jpg)
15
BRAS
Network Centre
ADSL
Enterprise workers
GGSN
NodoB
RAS
OLT
DSLAM
ONT
FTTH
Basic Users
RTC
RDSI
Hot spot
SGSN
RNC
OB Local/Regional
VPN
STB
VPN User
BTS
BSC
PE
2G/3G
Subscribers
MacroLAN
Mobile UserNodoB
FemtonodosCore IP
Access Network
& Agregation
MSC
MGW
RR
BG
OB
OB
Transport
STP
PE
RA
PE
ICX
ICX
ICX
PE
X25
ATM
External Cloud(SS7, X25, ATM,
PSTN)
External Cloud(GRX, OMVs)
TIWSRTC
HLR
RADIUS
LDAP DNS
CG
ALTAMIRA
Services
Web
SMSC MMSC
SVAs
DMZ
Intranet
DNS
Domestic Services country basisDomestic Services country basisDomestic Services country basisDomestic Services country basis
� How much money and time do you need?
� We are still fighting or resolving the root cause?
� All the problems are in your network / services?
� Who are the target for customer claims?
Fraud1.604
Hacking20.047
Copyright violations2.011.998
Spam3.709.114
Virus1581
Insults, abuses232
![Page 18: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/18.jpg)
16
WelcomeWelcomeWelcomeWelcome back back back back totototo thethethethe BotnetsBotnetsBotnetsBotnetsMalware Infection Cycle, the untouchables
![Page 19: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/19.jpg)
17
DDoSDDoSDDoSDDoS, , , , SpamSpamSpamSpam, , , , PhisingPhisingPhisingPhising, , , , FarmingFarmingFarmingFarmingWe are under attack
Transit Peer
TIWS
Customer 1 Customer 2
Botnet Master
BotnetBotnet
Botnet
Victim
Saturation
![Page 20: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/20.jpg)
18
What initiatives?… Let's take a look at the framework
![Page 21: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/21.jpg)
19
Policies Operations
TechnologyResearch
![Page 22: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/22.jpg)
PoliciesPoliciesPoliciesPolicies
20
CORPORATE SECURITY POLICY
FAIR USE POLICY
TERMS OF SERVICE
Illegal Activities�
�
�
�
�
�
•
Illegal Activities�Child Pornography�Spam�Fraud�Intellectual Property Rights�Hacking and similar activities�Service disruption•…
Security Commitments
Warranties
Claim Procedures
Termination of Services
Security Commitments
Warranties
Claim Procedures
Termination of Services
![Page 23: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/23.jpg)
21
Yes, we have tools for SecurityYes, we have tools for SecurityYes, we have tools for SecurityYes, we have tools for Security
![Page 24: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/24.jpg)
22
A A A A stepstepstepstep forwardforwardforwardforwardManaging Data
Network
Traffic
Preprocessing
WhiteList
WatchList
Scan
Spam / Phising
Binary Download
Activity
Response
Detection
Message Response
Detection
Incoming
PRIVMSG Analyzer
Outgoing
PRIVMSG Analyzer
Activity LogHTTP
P2P
Protocol
Matcher
IRC
DNS Logs
Reports
Correlation
Engine
SAQQARA
Connection Records
� Phising Sites
� Web Pages to log Bot Status
� Malware Download Sites
� Spyware Data Drop off sites
� Bot command and control sites
� Spam Flows
� FQDN via DNS
List Detail
![Page 25: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/25.jpg)
23
Internet Internet
TIWS
Customer 1 Customer 2
Botnet
Master
Security
CnC
iBGP
iBGP
iBGP
BotnetBotnet
Botnet
ip route 3.3.3.3 255.255.255.255 null 0 tag 1
Victim
3.3.3.3
WithWithWithWith informationinformationinformationinformation taketaketaketake actionsactionsactionsactions!!!!
� Black Hole Routing
� Web Page
redirection
� Flow Inspection
� Profile Management
� Bot CnC Block
� Spam Flows
![Page 26: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/26.jpg)
Domestic Services
MultiNational Services
Domestic Services
Domestic Services
Domestic Services
Customer
SMC
CSIRT ModelCSIRT ModelCSIRT ModelCSIRT ModelAlways starting
Wholesale Services
International ManagedServices
TIWS
� Single Point of Contact
� Quick Response
� International Coordination
24
![Page 27: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/27.jpg)
CSIRT ScopeCSIRT ScopeCSIRT ScopeCSIRT ScopeThe mess inside
MANAGEMENTMANAGEMENTMANAGEMENTMANAGEMENT
Risk Reports
Problem Support Security Director Plan
Strategy for Security Technology
AUDITORYAUDITORYAUDITORYAUDITORY Ethic Hack
Auditory Methodology
Security Compliance
Risk
Management
TechnologyTechnologyTechnologyTechnology
Security Innovation
Technology Observer
Secure Development
Security Lab
Knowledge management
Provider Selection
PlanningPlanningPlanningPlanning
Standards
Methodology
Security Certifications
Technology Plan
Budget prioritization
EngineeringEngineeringEngineeringEngineering
Design Criteria
Procedure Definition
Best Practices
Tests on Field
Change Management
FOAs
OperationsOperationsOperationsOperations
User Management
CSIRT
SOC/monitorization
Maintenance
Support
Incidence Management
Business needs
25
![Page 28: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/28.jpg)
26
Research Activities… Collaborative Security is trendy
![Page 29: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/29.jpg)
Three ISPs working with the industry in a research project to Three ISPs working with the industry in a research project to Three ISPs working with the industry in a research project to Three ISPs working with the industry in a research project to fight botnets… in a collaborative wayfight botnets… in a collaborative wayfight botnets… in a collaborative wayfight botnets… in a collaborative way
![Page 30: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/30.jpg)
Our Research trend: Collaborative SecurityOur Research trend: Collaborative SecurityOur Research trend: Collaborative SecurityOur Research trend: Collaborative Security
�GOAL: to share securityinformation to enhance thedetection and themitigation
�How to do that?- Placing the monitoring activity close to the
network edge
- Advanced applications to let us detect morecomplex, distributed attacks. For instance:advanced correlation engines.
- Collaborative Security Services: such ascollectors sharing their alarms and usingimported alarms from to draw a widerpicture of the threats.
- Inter-domain information sharing: proposingcontrolled security information sharing withother Operators/ISPs
�Ongoing project: FP7 DEMONS(co-funded by the EC)
28
![Page 31: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/31.jpg)
DEMONS VISIONDEMONS VISIONDEMONS VISIONDEMONS VISION
29
Probe
Probe
ProbeProbe
and MediatorProbe
Probe
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Mediator
and Collector
Innovation pillars
In-network processing and distributed intelligence
Application-tailored data reduction and protection
Resilient autonomic monitoring overlay
Cross-domain interworking
Target Impact
Scalability
Privacy preservation
Flexibility and resilience
Cross-domain threat detection and mitigation
Overlay of in-network monitoring devices
From data-gathering probes to collaborative P2P computing and filtering devices
![Page 32: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/32.jpg)
A SAMPLE OF DEMONS COLLABORATIVE A SAMPLE OF DEMONS COLLABORATIVE A SAMPLE OF DEMONS COLLABORATIVE A SAMPLE OF DEMONS COLLABORATIVE APPROACHAPPROACHAPPROACHAPPROACH
30
![Page 33: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/33.jpg)
31
… let’s look again at what we are doing
![Page 34: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/34.jpg)
32
Security PoliciesSecurity PoliciesSecurity PoliciesSecurity Policies
Fair Use PolicyFair Use PolicyFair Use PolicyFair Use PolicyPolicies
Network AbuseNetwork AbuseNetwork AbuseNetwork Abuse
Network SecurityNetwork SecurityNetwork SecurityNetwork Security
CSIRT TIWSCSIRT TIWSCSIRT TIWSCSIRT TIWS
Operations
Security PlatformsSecurity PlatformsSecurity PlatformsSecurity Platforms
Network SecurityNetwork SecurityNetwork SecurityNetwork Security
SOCsSOCsSOCsSOCs
TechnologyCollaborative SecurityCollaborative SecurityCollaborative SecurityCollaborative Security
Research
![Page 35: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/35.jpg)
33
And a call to action
...Collaborative Security
![Page 36: CSIRT-TIWS-ENISA Workshop on Botnets v2](https://reader031.vdocuments.mx/reader031/viewer/2022012015/615a16fc9387c91477114f6d/html5/thumbnails/36.jpg)