Coordinating Attack Response at Internet Scale (CARIS) Workshop Report
draft-moriarty-carisreport-00
The information below is for an old version of the document.
| Document | Type |
This is an older version of an Internet-Draft whose latest revision state is "Replaced".
|
|
|---|---|---|---|
| Authors | Kathleen Moriarty , Mat Ford | ||
| Last updated | 2015-10-19 | ||
| Replaced by | draft-iab-carisreport, RFC 8073 | ||
| RFC stream | (None) | ||
| Formats | |||
| Additional resources | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-moriarty-carisreport-00
Network K. Moriarty
Internet-Draft EMC Corporation
Intended status: Informational M. Ford
Expires: April 18, 2016 Internet Society
October 16, 2015
Coordinating Attack Response at Internet Scale (CARIS) Workshop Report
draft-moriarty-carisreport-00
Abstract
The Internet Architecture Board (IAB) and the Internet Society (ISOC)
hosted a day-long Coordinating Attack Response at Internet Scale
(CARIS) workshop which took place 18 June 2015 in coordination with
the Forum for Incident Response and Security Teams (FIRST) Conference
in Berlin. The workshop included members of the FIRST community,
attack response working group representatives, network & security
operators, RIR representatives, researchers, vendors, and
representatives from standardisation communities. Key goals of the
workshop were to improve mutual awareness, understanding, and
coordination among the diverse participating organizations. The
workshop also aimed to provide greater awareness of existing efforts
to mitigate specific types of attacks, and greater understanding of
the options available to collaborate and engage with these efforts.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2016.
Copyright Notice
Copyright (c) 2015 IETF Trust and the persons identified as the
document authors. All rights reserved.
Moriarty & Ford Expires April 18, 2016 [Page 1]
Internet-Draft CARIS October 2015
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
1.1. Sessions and Panel Groups . . . . . . . . . . . . . . . . 4
1.2. Coordination between CSIRTs and Attack Response
Mitigation Efforts . . . . . . . . . . . . . . . . . . . 4
1.3. Scaling Response to DDoS and Botnets Effectively and
Safely . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4. DNS & RIRs: Attack Response and Mitigation . . . . . . . 8
1.5. Trust Privacy and Data Markings Panel . . . . . . . . . . 9
1.6. Workshop Themes . . . . . . . . . . . . . . . . . . . . . 10
1.7. Next Steps . . . . . . . . . . . . . . . . . . . . . . . 11
1.8. RIR and DNS Provider Resources . . . . . . . . . . . . . 11
1.9. Education and Guidance . . . . . . . . . . . . . . . . . 11
1.10. Transport Options . . . . . . . . . . . . . . . . . . . . 11
1.11. Updated Template for Information Exchange Groups . . . . 12
2. Security Considerations . . . . . . . . . . . . . . . . . . . 12
3. References . . . . . . . . . . . . . . . . . . . . . . . . . 12
3.1. Normative References . . . . . . . . . . . . . . . . . . 12
3.2. Informative References . . . . . . . . . . . . . . . . . 12
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12
Appendix B. Workshop Attendees . . . . . . . . . . . . . . . . . 13
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 13
1. Introduction
The Internet Architecture Board (IAB) and the Internet Society (ISOC)
hosted a day-long Coordinating Attack Response at Internet Scale
(CARIS) workshop which took place 18 June 2015 in coordination with
the Forum for Incident Response and Security Teams (FIRST) Conference
in Berlin. The workshop included members of the FIRST community,
attack response working group representatives, network & security
operators, RIR representatives, researchers, vendors, and
representatives from standardisation communities. Key goals of the
workshop were to improve mutual awareness, understanding, and
coordination among the diverse participating organizations. The
workshop also aimed to provide greater awareness of existing efforts
Moriarty & Ford Expires April 18, 2016 [Page 2]
Internet-Draft CARIS October 2015
to mitigate specific types of attacks, and greater understanding of
the options available to collaborate and engage with these efforts.
The day-long workshop included a mix of invited and selected speakers
with opportunities to collaborate throughout, taking full advantage
of the tremendous value of having these diverse communities with
common goals in one room. There were approximately 50 participants
engaged in the CARIS workshop.
Attendance at the workshop was by invitation only. Prior to the
workshop, existing attack-mitigation working groups were asked to
complete a survey. The data gathered through this questionnaire,
including how others can participate or contribute to the attack-
mitigation working group, was shared with all of the participants at
the workshop to better enable collaboration. Attendees were also
selected from submissions of 2-page research papers that included
some key insight or challenge relevant to the broader group. Paper
topics included research topics around attack mitigation or
information sharing/exchange, success stories, lessons learned, and
deep dives on specific topics such as privacy or trust.
25 papers were received and 20 template submissions. The template
submissions will be maintained at the Internet Society web site and
as a result of the workshop will be amended to provide additional
value to the computer security incident response teams (CSIRTs) and
attack response communities/operators on their information exchange
activities. The CARIS participants found the template submissions to
be very useful in coordinating their future attack mitigation
efforts. This is a new initiative and is open for the global
community and hosted in a neutral location. All submissions are
available online and linked from the agenda.
The workshop talks and panels involved full participation from
attendees who were required to read all other submissions. The
panels were organized to spur conversation between specific groups to
see if we could further progress towards more efficient and effective
attack mitigation efforts. See paper and blog series for additional
information on possible approaches to accomplish more effective
attack response and information exchanges with methods that require
fewer analysts.
The workshop was run under the Chatham House Rule as a result of the
often sensitive information involved with incident response. As
such, there was no recording, but minutes were taken and used to aid
in the generation of this report. Comments will not be attributed to
any particular attendee, nor will organizations be named in
association with any discussion topics that were not made public
Moriarty & Ford Expires April 18, 2016 [Page 3]
Internet-Draft CARIS October 2015
through submission templates or papers by the submitter and
organization.
1.1. Sessions and Panel Groups
1. Stage Setting and Goals of the Workshop
2. Coordination between CSIRTs and attack response mitigation
efforts
3. Scaling response to DDoS and Botnets effectively and safely
4. Infrastructure: DNS and RIR providers and researchers
5. Trust and Privacy with the exchange of potentially sensitive
information
6. IAB wrap up for architecture next steps
1.2. Coordination between CSIRTs and Attack Response Mitigation Efforts
The first panel session on Coordination between CSIRTs and attack
mitigation efforts included representatives from several
organizations that submitted templates describing attack mitigation
efforts. This panel was purposefully a cross section of
organizations attending to see if there were opportunities to
collaborate and improve efficiency and better scale attack
mitigation. The panelists described their efforts with the following
questions in mind:
o Describe your use case?
o Where they are focusing?
o How can others engage with them?
o Who participates?
For each of the following organizations, additional information can
be found in their template submissions:
https://internetsociety2.wufoo.com/reports/caris-workshop-template-
submissions/
The following summaries are to be read in the context of the workshop
and not as stand alone descriptions for each organization as these
summaries are a result of the workshop discussions.
Moriarty & Ford Expires April 18, 2016 [Page 4]
Internet-Draft CARIS October 2015
While ENISA provides support for the community in the form of
education, training and collaboration on security and attack
mitigation, it does not offer a service for attack response or
mitigation.
The APWG offered examples of operator driven exchanges focused on
specific use cases that involve hundreds of participating
organizations daily. The APWG operates a data clearinghouse and
provides infrastructure to support meaningful data exchanges and
maintains a current set of data through these interactions. More can
be learned on the APWG web site in addition to their template
submission.
Ren-ISAC represents an interesting operational model that scales well
through automation, exchanging actionable information between 500
universities automatically implementing controls. They leverage a
small number of analysts to accomplish the task of protecting many
universities, understanding the scarcity of resources, since many
universities cannot respond in real-time without this automation.
The key to the success of their project is actualization with tools
that allow organizations to make use of data operationally. They are
currently working to develop open-source tools to track metrics
formally.
CERT.br is the Brazilian CERT and they have made impressive progress
in a short amount of time. CERT.br is the national focal point for
incident reporting, collection and dissemination of threat and attack
trend information in Brazil. CERT.br works to increase awareness and
incident-handling capabilities in country as well as assisting to
establish new CSIRTs. In addition to providing training and
awareness campaigns, they distribute honeypots and have a primary
focus on network monitoring. CERT.br requires active participation
to collaborate and exchange data with them.
MyCERT's mission is to address security concerns of Malaysian
Internet users and reduce the probability of successful attacks.
They have been operational since 1997. MyCERT is responsible for
incident handling on intrusions, identity theft, and handling DDoS
attacks, etc. MyCERT assists with CSIRT incident help in Malaysia,
provides malware research, and technical coordination. In addition
to incident response and coordination activities, MyCERT members
provide talks, training, as well as local and regional security
exercises. MyCERT also provides incident alerts, advisories on
vulnerabilities, breaches, etc.
CERT/CC has been operational since 1998 on an international and
national scale. They have long been known for their software
vulnerability work and the national vulnerability database in the US
Moriarty & Ford Expires April 18, 2016 [Page 5]
Internet-Draft CARIS October 2015
(CVEs) and informing organizations of vulnerabilities. CERT/CC helps
to coordinate between vendors and researchers for improved
collaborations. CERT/CC assists with guidance on plans to deal with
the aftermath, risk assessment practice, bug bounties, and other
incident related areas.
Highlighted points from the panel discussion:
o Passive surveillance has impacted incident response activities
o Government involvement in exchange efforts hasn't been productive,
lots of talk without useful exchanges
o More interest in consuming feeds of information rather than
sharing information
o Ego has been a big issue as is reputation concerns for data shared
(impact your own reputation) or with data received
o There is a perception of weakness around organizations who do
share attack information in some regions
o Sharing alone doesn't help, must lead to operational ROI
o Language barriers have been an issue for some national CSIRTs
o Sharing too much information leads to capacity and resource issues
for receiving organizations. Organizations directly receiving
feeds often results in mis-interpretation of the data and thinking
they are under attack when it is not the case. Operational models
preferred where there is an impact from exchanges and efficiencies
gained using a small number of analysts to impact many.
o Privacy regulations restricting some from sharing IP address
information has had an impact on effectiveness of exchanges.
ENISA is currently running a study on this impact (raised by
several attendees).
o Too many efforts are using data just for blocking attacks and not
operational mitigation and elimination as part of incident
response. Note: Operational efforts stand out in that they do
eliminate threats and update data warehouses.
o Involvement of vendors is needed to better scale attack response.
This is not seen as a need by all groups, just some sharing groups
with an operational focus looking for improved efficiency to
leverage the small number of analysts. Analysts are a limited
resource in this technical area of expertise.
Moriarty & Ford Expires April 18, 2016 [Page 6]
Internet-Draft CARIS October 2015
o Enterprises don't want another security box as they don't have the
resources to manage them, so involving vendors doesn't mean
deploying more equipment, but improving automated controls and
elimination of threats where possible. False positives are still
an issue, which can be problematic for some automation activities.
1.3. Scaling Response to DDoS and Botnets Effectively and Safely
The introductory talk provided an interesting history of Distributed
Denial of Service (DDoS) attacks and the evolution of Botnets as well
as methods to combat these threats. The paper by Dave Dittrich is
available to learn more of this history: this section of the report
will focus on the workshop discussion in an effort to benefit from
the discussions concerning how to better scale response to these
threats.
Key points from the discussion:
o Of the attack types discussed, DDoS and Botnets appear to be the
furthest along in terms of efficient and effective response.
Other efforts can learn from this experience. There has not been
any interaction between these two attack types that may benefit
from information exchange tied to remediation activities since
Botnets can be the source of DDoS attacks.
o There is a disparity between short-term mitigation goals and
actual eradication of DDoS and Botnet threats. The question was
raised: how do we normalize the same data in different ways to
serve different goals? In other words, DDoS traffic is often the
result of Botnets, but the data is not shared between the service
providers and vendors responding to DDoS threats and those
actively mitigating and eradicating Botnets.
o There are ad-hoc trust groups within the OpSec community today:
CRAG is one example.
o Filtering and triage is an issue, but this is a solvable problem.
o The IETF DOTS working group was discussed and compared to a
previous effort, Real-time Inter-network defense (RID) [RFC6545].
It was stated that the two are similar, except DOTS makes use of
current data formats and protocols and has the support of multiple
DDoS vendors. One of the goals of DOTS is to have this solution
be the "glue" between vendors to communicate shared data using
standard formats and protocols developed in open source tools.
o The IETF I2NSF effort was discussed to see if there is a way to
leverage infrastructure to combat DDoS attacks.
Moriarty & Ford Expires April 18, 2016 [Page 7]
Internet-Draft CARIS October 2015
o Vendors discussed existing capabilities for DDoS mitigation, while
sharing exchange groups discussed their mitigation activities
related to Botnets (see paper submissions).
o Trust and reputation of data sources is still a concern.
o One of the exchange groups has a goal of "automated takedowns" for
Botnets. However, they think they will always have a need for
manual intervention.
o The need for multiple levels of trust seemed to be prevalent among
those participating in the panel discussion. Intelligence
agencies erode trust (this was also mentioned in the first panel
in terms of surveillance activities from governments).
o Although trust was discussed in this panel and there are concerns,
it was noted that trust is not as big a barrier in these attack
spaces likely due to the operational experience of participants.
1.4. DNS & RIRs: Attack Response and Mitigation
This session was a shift from other sessions in the day as the
panelists were infrastructure providers for those combating attacks.
This session was of interest to see how attack and incident
responders could better collaborate with DNS infrastructure
organisations and RIRs. These groups have not interacted in the past
and it was interesting to see the collaboration opportunities since
the workshop participants rely on these services to do their jobs.
From the panelists perspective, DNS and RIRs are separate worlds,
where they spend a lot of time trying to educate policymakers about
how they work together to make the Internet work.
Key discussion points:
o The use of passive DNS in attack mitigation was described.
o RIRs discussed the data they maintain and provide including
worldwide BGP update data and root DNS server data. These data
sets are available to share with researchers and could be of
interest to those working on attack response. The current way the
data is made available does not scale and ideas were discussed in
the workshop to improve the scalability should this become a more
widely used resource.
o Some of the global RIRs already actively coordinate with incident
responders in their region. In some cases they do facilitate
information sharing as well as provide education and training.
Data shared out by RIRs is anonymized.
Moriarty & Ford Expires April 18, 2016 [Page 8]
Internet-Draft CARIS October 2015
o A concern was raised regarding overlapping efforts and a request
was made for the IETF and ISOC to pay attention to this and help.
This workshop was one step toward that in bringing together this
diverse community. The participants wish to see this type of even
repeated for future cross area collaboration between the diverse
set of groups that often only meet within their silo.
o Standards for APIs to access data consistently from RIRs and
scoring methods were discussed as possible ways to scale trust.
Questions were raised as to how this might be possible. One might
receive unverifiable data about a network. They may be able to
verify the source's identity, verify route origins, but won't be
able to verify provenance of data.
1.5. Trust Privacy and Data Markings Panel
Why don't organizations share data? It seems to be a mix of privacy,
legal, technical/mundane, cultural, and communication issues. There
are also concerns about sharing proprietary data with competitors.
Having said that, most of these reasons are bogus according to
operationally focused participants of the workshop. Lawyers need
contextual education for the intersection of law and technology.
Sensitive data is still an issue as one can't control what others do
with data once it is shared. They don't know what others might do
with the data and who might receive it indirectly.
Key points from the panel discussion:
o Operationally focused groups do retain/rate/re-mark confidence
levels based upon the submitter reputation.
o The Traffic Light Protocol (TLP) was discussed. While this is
useful to some groups who exchange data, others find that it is
not granular enough for their needs.
o In many cases when data is shared the user never knows, and there
is no way to manage that disclosure.
o Trust is personal. When sharing circles get too large, trust
breaks down. The personal relationship aspect of information
sharing communities was emphasized by several who are actively
exchanging data and for a number of years. This is a very
prevalent theme.
o A point of comparison was made that consumer goods and trademarks
are a byproduct of the Industrial Revolution. Advertising is a
large-scale trust model and can we learn from this, does trust
need branding?
Moriarty & Ford Expires April 18, 2016 [Page 9]
Internet-Draft CARIS October 2015
o Participants observing noted that there appear to be cabals
operating the groups based on the current trust notions. This was
not disputed.
o Transparency is vital to maintain trust.
o Participants working on automation have found a need to share with
organizations of all sizes as well as a need to share both
synchronously and asynchronously. In an automated model, they
must ensure data sources are 'authorized' and these efforts have
encountered questions about anonymization as well as regional
regulatory perspectives as they vary.
o Another automation effort found that people have different upper
limits for trust group scale, which is sometimes based on
individualized knowledge of other participants and having a
comfort level with them. Social interaction (beer) is a common
thread amongst sharing partners to build trust relationships. The
relationships are formed between individuals and not necessarily
between organizations.
o It's rare for any single piece of information to be clearly
identifiable as private or public. Temptation is to say info
isn't personally identifiable information (PII). In aggregate,
however, non-PII can become PII.
o There was common agreement that reputation is fundamental.
1.6. Workshop Themes
Better scaling attack response through improvements to the efficiency
and effectiveness of information exchanges.
1. Data exchanges should not be just for the purpose of creating
blacklists that could be redundant efforts.
2. Involving service providers and vendors to better coordinate and
scale response is key.
Information security practitioners are a scarce resource.
1. Training and education was discussed to improve this gap, both to
train information security professionals and others in IT on
basic network and system hygiene.
2. Leveraging resources to better scale response, using fewer
resources is critical.
Moriarty & Ford Expires April 18, 2016 [Page 10]
Internet-Draft CARIS October 2015
1.7. Next Steps
1.8. RIR and DNS Provider Resources
Workshop participants expressed an interest in expanded information
on the resources and assistance offered by the RIRs and DNS
providers. Participants are going to define what is needed.
1.9. Education and Guidance
Another reccurring theme was the lack of knowledge by the community
of basic security principles such as ingress and egress filtering
explained in BCP38. The CSIRTS, operators, and vendors of attack
mitigation tools found this particularly frustrating. As a result,
follow up activities may include determining if security guidance
BCPs require updates or to determine whether there are opportunities
to educate on these basic principles already documented by the IETF.
1.10. Transport Options
One of the more lively discussions was the need for better transports
for information exchange. Real-time Inter-network Defense (RID) was
written more than 10 years ago. While the patterns established in
RID still show promise, there are updated solutions being worked on.
One such solution is in the IETF DOTS working group, that has an
approach similar to RID with updated formats and protocols to meet
the demands of todays DDoS attacks. While TAXII (another transport
option) is just in transition to OASIS, its base is similar to RID in
its use of SOAP-like messaging, which will likely prevent it from
scaling to the demands of the Internet. Vendors also cited several
interoperability challenges in TAXII in discussions. Alternatively,
XMPP-Grid has been proposed in the IETF SACM working group and it
offers promise as the data exchange protocol. XMPP inherently meets
the requirements for today's information exchanges with features such
as publish/subscribe, federation, and use of a control channel.
XMPP-grid is gaining traction with at least 10 vendors using it in
their products with several more planning to add support. Review and
discussion of this draft would be helpful as it transitions to the
MILE working group as an outcome of the workshop. REST was also
brought up as a needed interface because of the low barrier to use.
The IETF MILE Working Group has a draft detailing a common RESTful
interface (ROLIE) that could be used with any data format and may be
of interest.
Moriarty & Ford Expires April 18, 2016 [Page 11]
Internet-Draft CARIS October 2015
1.11. Updated Template for Information Exchange Groups
One of the submission options was for organizations actively
exchanging data to submit a form describing their work to reduce
attacks. The CSIRTs, in particular, liked having access to this
information in a neutral location like the Internet Society.
However, they would like to see changes to the form to ensure it's
usefulness. There was a desire to have this used by additional
exchange groups, creating a living library to better understand how
to become a member, benefit from, or contribute to the success of the
attack response and CSIRT exchange platforms.
2. Security Considerations
The CARIS workshop was focused on security and methods to improve the
effectiveness and efficiency of attack response to enable better
scaling. This report provides a summary and identifies outcomes to
improve security. As such, no additional considerations are needed
in this section.
3. References
3.1. Normative References
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/
RFC2119, March 1997,
<http://www.rfc-editor.org/info/rfc2119>.
3.2. Informative References
[RFC2827] Ferguson, P. and D. Senie, "Network Ingress Filtering:
Defeating Denial of Service Attacks which employ IP Source
Address Spoofing", BCP 38, RFC 2827, DOI 10.17487/RFC2827,
May 2000, <http://www.rfc-editor.org/info/rfc2827>.
[RFC6545] Moriarty, K., "Real-time Inter-network Defense (RID)", RFC
6545, DOI 10.17487/RFC6545, April 2012,
<http://www.rfc-editor.org/info/rfc6545>.
Appendix A. Acknowledgements
Thank you to the members of the program committee (in alphabetical
order) for your efforts to make this workshop possible and a
productive session with cross area expertise. Matthew Ford, Internet
Society, UK Ted Hardie, Google, USA Joe Hildebrand, Cisco, USA Eliot
Lear, Cisco, Switzerland Kathleen M. Moriarty, EMC Corporation, USA
Andrew Sullivan, Dyn, USA Brian Trammell, ETH Zurich, Switzerland
Moriarty & Ford Expires April 18, 2016 [Page 12]
Internet-Draft CARIS October 2015
Thank you to the CARIS workshop sponsors!
o FIRST provided a room and excellent facilities in partnership with
their annual conference in Berlin.
o The Internet Society hosted the social event, a boat ride through
the canals of Berlin.
o EMC Corporation provided lunch, snacks and coffee throughout the
day to keep us going.
Appendix B. Workshop Attendees
In alphabetical order by first name, workshop attendees were: Adli
Wahid, Alexey Melnikov, Andrew Sullivan, Arnold Sykosch, Brian
Trammell, Chris Morrow, Cristine Hoepers, Dario Forte, Dave Cridland,
Dave Dittrich, Eliot Lear, Foy Shiver, Frank Xialiang, Graciella
Martinez, Jessica Stienberger, Jim Duncan, Joe Hildebrand, John Bond,
John Graham-Cummings, John Kristoff, Kathleen Moriarty, Klaus
Steding-Jessen, Linda Dunbar, Marco Obiso, Martin Stiemerling, Mat
Ford, Merike Kaeo, Michael Daly, Mio Suzuki, Mirjam Kuehne, Mr. Fu
TianFu , Nancy Cam-Winget, Nik Teague, Pat Cain, Roland Dobbins,
Roman Danyliw, Rosella Mattioli, Sandeep Bhatt , Scott Pinkerton,
Sharifah Roziah Mohd Kassim, Stuart Murdoch, Takeshi Takahashi, Ted
Hardie, Tobias Gondrom, Tom Millar, Tomas Sander, Ulrich
Seldeslachts, Valerie Duncan, Wes Young
Authors' Addresses
Kathleen M. Moriarty
EMC Corporation
176 South Street
Hopkinton, MA
United States
Email: Kathleen.Moriarty@emc.com
Mat Ford
Internet Society
Galerie Jean-Malbuisson 15
Geneva
Switzerland
Email: ford@isoc.org
Moriarty & Ford Expires April 18, 2016 [Page 13]