Information Sharing Use Cases

(1)

Information Sharing

Use Cases

Effective Information Sharing:

Lessons learned from Operator

Experience

Kathleen M. Moriarty

Global Lead Security Architect

EMC Office of CTO

(2)

What’s New



Text Is Title Case

–

Title Case Is The Capitalization Of Each Word



This New Font, Verdana, Is Wider Than The

Meta Font—Be Aware When Converting Older

Presentations—The Text May Need To Be

Downsized To Fit A Certain Area



Verdana Is Standard on PCs and MACs—No

(3)

Agenda

Continued



Problem areas



What happens today?



Redefining Information Sharing



Use cases

–

Who is sharing?

–

What do people share today?

(4)

What are we trying to solve?

Information

Denial

of

Service

(5)

What is happening today?

Enterprise

Specific

Incident

data

Informatio

n

Threat

Intel

Indicators

Informatio

n

Proprietary

Intelligence Feeds & Information Sharing

Forensic Incident

Response

Organization

(6)

Redefining Information Sharing

While information sharing has been helpful, I believe we

can make much faster progress if we redefine sharing to:

―A scalable ecosystem for Intelligence

Sharing that extends current industry models

to leverage existing trusted relationships

with vendors and internet service providers

so that mitigations controls can be deployed

more quickly, broadly and effectively.‖

* Model described in soon-to-be released RSA Whitepaper

(7)

Who is Sharing Data? What is

Useful?

Small &

Medium

Organizations

•Deploying security technologies with expectation of threat mitigation

Large

Organizations

•Deploying security technologies with expectation of threat mitigation

•Participating in multiple sharing groups

•Receiving multiple threat intelligence feeds

Analysis Center

•Analysis for industry focused or other sharing groups

•National CSIRTs providing information to government, critical infrastructure,

etc.

•Internet Service Providers performing analysis, eliminating/mitigating threats

•Problem specific analysis groups targeting focused threats (analysis &

mitigation)

Increasing

Impact

Potential!

Proprietary

Standards

Hidden from user

Proprietary

Ex. IODEF/RID

Extensions

Hidden & Exposed to User

Malware

IODEF/RID

_eCrime

Use case/user group specific

STIX

ARF

OpenIOC

Extensions

Etc.

Evolved by problem owner, may include

multiple complimentary schemas or

(8)

Telecommunication Management Forum (TM Forum):

Sharing Threat Intelligence to Mitigate Cyber Attacks

* TM Forum white paper & threat sharing catalyst using IETF MILE standards,

EMC/RSA RID Agent:

(9)

APWG Use Cases



Anti-phishing & eCrime



APWG hosted clearinghouse of Cybercrime data



Formats:

–

RFC5070 (IODEF) + RFC5901 (Anti-phishing ext.) + eCrime ext.



Members: Financial sector, vendors, law enforcement, etc.

APWG

Report

Phishing

&

eCrime

Browser

Vendor

members

Members

addressing

CyberCrime

Pervasive

deployment

of Block

Lists

(10)

Abuse Reporting Format (ARF)

Murray Kucherawy

(11)

Summary

• An email-based report structure using the

multipart/report media type

• Developed among ISPs that wanted to exchange

abuse reports from users (i.e., spam complaints)

• Brought to IETF for standardization some time

after it was already in use by AOL, Yahoo, etc.

• Published as RFC5965, with some extensions

(12)

Mechanism

• Participants sign up for “feedback loops”

out-of-band, usually by a web form and an agreement

–

Registers an agent as willing to accept abuse reports

for a given domain or network block

• The agent is confirmed by the feedback provider

• Abuse associated with that source will be

(13)

Reporting

• Abuse complaints (e.g., spam reports, virus

detection) from users automatically generate

ARF messages to the registered responsible

agent

• Agent can handle them manually or set up

automated processing into ticketing or

alerting/reporting systems

(14)

Structure

• Similar to a standard MIME-formatted email

bounce

• Consists of:

a.

A text part for humans to read

b.

A machine-parseable part containing parameters

that describe the important parts of the reported

message and envelope

c.

A part that contains the original message, or at least

its header

(15)

Example

• From: [email protected] Date: Thu, 8 Mar 2005 17:40:36 EDT Subject: FW: Earn money

To: [email protected] MIME-Version: 1.0

Content-Type: multipart/report; report-type=feedback-report; boundary="part1_13d.2e68ed54_boundary”

--part1_13d.2e68ed54_boundary

Content-Type: text/plain; charset="US-ASCII” Content-Transfer-Encoding: 7bit

This is an email abuse report for an email message received from IP 10.67.41.167 on Thu, 8 Mar 2005 14:00:00 EDT. For more information about this format please see http://www.mipassoc.org/arf/. --part1_13d.2e68ed54_boundary Content-Type: message/feedback-report Feedback-Type: abuse User-Agent: SomeGenerator/1.0 Version: 0.1 Original-Mail-From: [email protected] Original-Rcpt-To: [email protected]

Received-Date: Thu, 8 Mar 2005 14:00:00 EDT Source-IP: 10.67.41.167

Authentication-Results: mail.example.com [email protected]; spf=fail Reported-Domain: example.net Reported-Uri: http://example.net/earn_money.html Reported-Uri: mailto:[email protected] Removal-Recipient: [email protected] --part1_13d.2e68ed54_boundary Content-Type: message/rfc822 Content-Disposition: inline

<original message here, omitted for brevity> --part1_13d.2e68ed54_boundary—

(16)

Collective Intelligence Framework (CIF)

(17)

Collective Intelligence Framework (CIF)

(18)

Multinational Alliance for Collaborative

Cyber Situational Awareness (MACCSA)

(19)

MNE7 – Access to the Global Commons

of Cyber Space

Collaborative Cyber

Situational Awareness

(CCSA)

Expanding to 30+ nations – mil, ind & gov

Multinational Alliance CCSA organisation being developed 28-29 May 13 @ EU,

Brussels

(20)

Collaborative Cyber Situational

Awareness (CCSA)

2

0 Proprietary - British Business Federation Authority –

[email protected]

3.2 – Information Sharing Framework

(ISF)

1 – High Assurance Federated Trust

2 – Critical Controls (Normality)

3 – Incident Operations Taxonomy

4 – Cyber SA Triage process

5 – Prioritised communications

ISO & ITU(T) standards

IETF standard <> ENISA

NATO ID Strategy, NATO Cyber

Strategy, EU Cybersecurity

Strategy

US CERT & NCCIC

Police, aerospace & defence,

health implementations ….

(21)

ISF Information Exchange

Requirements for Taxonomy and Transport



International standards

–

Identity, Access Management, and Federation

–

Trust assurance levels and control frameworks

–

Taxonomy/Data exchange formats

–

Transport protocols



Hierarchical data formats, extensible and flexible

–

Extensible to meet industry specific requirements

▪ Air Traffic Management, Defense, Telecom, Power

–

Public or private extensions to meet specific use cases or to

exchange data that is not commonly exchanged



Ability to exchange accurate information, meeting

(22)

Lessons Learned from MNE7 LOE

One size does not fit all



Core cyber security exchanges can be met with

international standards efforts



Industry specific exchanges may require further

development

–

Extend the base data formats to accommodate working closely

with the respective industry groups

–

Develop over time, may need to use free form text to

determine what data is most helpful to share



Strategic level decisions and information sharing may be

better suited to the Common Alerting Protocol (CAP) by

OASIS and the ITU-T

(23)

(24)

Documenting Use Cases



Please help document effective sharing

examples! Let’s build on and learn from

successful examples.



Write-up can be set to MILE directly



IODEF Guidance document

–

http://datatracker.ietf.org/doc/draft-ietf-mile-iodef-guidance/

(25)

(26)