Critical National Infrastructure What is attacking your network, and how do you know? By Frode Rein ICT Manager, The Norwegian Parliament – Stortinget (Nigel Beighton, Symantec, Advance Threat Research) ECPRD Nicosia 6.th November 200

Page 1: Critical National Infrastructure What is attacking your network, and how do you know? By Frode Rein ICT Manager, The Norwegian Parliament – Stortinget.

Critical National Infrastructure

What is attacking your network, and how do you know?

By

Frode Rein

ICT Manager, The Norwegian Parliament – Stortinget

(Nigel Beighton, Symantec, Advance Threat Research)

ECPRD Nicosia 6th November 2003

Page 2:

What is CNI

“CNI” is an initiative to prepare and protect a country’s critical organisations and infrastructure

The “CNI project” is a community based early warning and reporting capability currently in development as a pilot by Symantec and selected organisations

We need early warning to be prepared & alerts for all our community.

Page 3:

Attacks in August

[Bar chart: attacks monitored in August, y-axis 0 to 3,500; series: Blaster, Welchia, Sobig.F]

Page 4:

Events over last 7 days

Page 5:

Governments need to protect

Experience:

• “…need time to be prepared”

• “…interested in benchmarking”

Trends:

• Increased speed and severity of hits

• Sector targeting (organisations, services, CNI)

• Where did it come from?

• New research

Page 6:

Change in Exploitability of Vulnerabilities

[Bar chart: share of vulnerabilities by exploitability, y-axis 0 % to 60 %; categories: Exploit Available, No Exploit Available, No Exploit Required; periods compared: Jan–Jun 2002 and Jan–Jun 2003; annotations: “..it's easy”, “..in theory”, “..it can be done”]

Page 7:

Patch, patch, patch

Averaging 90 serious/critical vulnerabilities a month!

Organisations cannot constantly patch – emergency patches are only tested against the vulnerability

• Not all vulnerabilities lead to attacks

• Will this vulnerability become the next Blaster? – Watch them try it, build exploits, test it and start it

• Need to prioritise which patch to do, when and where

• You need time to be prepared

Page 8:

The Changing Threat Picture

targeted

they try it, they test it

Page 9:

Blaster Milestones

[Timeline, July 16 to August 16, 2003; date marks: 16, 22, 23, 25 (July), 7, 11, 13, 16 (August), and 31]

• Buffer overflow vulnerability discovered

• Microsoft patch released

• Sample exploit code circulating in the hacking community

• Symantec sees increase in TCP port 135 scanning

• Exploit code captured and made public

• Automated tools observed: start of exploiting the vulnerability on a large scale

• Symantec discovers the W32.Blaster worm; virus updates released

• Blaster hits the headlines with reported spread affecting 188,000 systems worldwide

• Microsoft delists the windowsupdate.com website and averts the denial of service attack

CNI actions on the same timeline:

• CNI members contacted directly about Blaster

• CNI members advised

• Broadcast media comment on Blaster

• CNI CORe team begins specific monitoring

Page 10:

Blaster worm

[Chart: unique source IPs (y-axis 0 to 30,000) over time, July 20 to August 10; annotations: CNI customers advised of potential issue; CNI customers contacted directly re Blaster; broadcast media comment on Blaster]

Page 11:

Less time to react

Vulnerability Release Date v Time to Active Exploitation

[Chart: days from vulnerability release to active exploitation (y-axis 0 to 350 days) against release date (x-axis 1-Oct-00 to 28-Jun-03); W32.Blaster worm marked]
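The rise in unique source IPs scanning TCP port 135 that the Blaster slides show is the kind of signal an early-warning service watches for. The following is an added example, not code from the presentation, from Stortinget or from Symantec's CNI service: it counts distinct source addresses per day that hit a given destination port in firewall log lines and flags days that jump well above the recent baseline. The log format, the sample lines, the addresses and the thresholds are all constructed for the demo.

```python
"""Early-warning check: distinct source IPs per day probing one port.

Added example, not code from the presentation or from Symantec's CNI pilot.
The log format and the sample lines below are constructed for this demo.
"""
from collections import defaultdict
from datetime import date
from statistics import mean

# Constructed firewall log excerpt: "<date> <src_ip> <dst_port> <action>".
# Days 07-20..07-23 show a quiet baseline; 07-24 and 07-25 show a scanning surge.
SAMPLE_LOG = """\
2003-07-20 198.51.100.10 135 DROP
2003-07-20 203.0.113.5 80 ACCEPT
2003-07-21 198.51.100.10 135 DROP
2003-07-21 198.51.100.12 135 DROP
2003-07-22 198.51.100.10 135 DROP
2003-07-22 203.0.113.9 443 ACCEPT
2003-07-23 198.51.100.10 135 DROP
2003-07-23 198.51.100.13 135 DROP
2003-07-24 192.0.2.1 135 DROP
2003-07-24 192.0.2.2 135 DROP
2003-07-24 192.0.2.3 135 DROP
2003-07-24 192.0.2.4 135 DROP
2003-07-24 192.0.2.5 135 DROP
2003-07-24 192.0.2.5 135 DROP
2003-07-25 192.0.2.6 135 DROP
2003-07-25 192.0.2.7 135 DROP
2003-07-25 192.0.2.8 135 DROP
2003-07-25 192.0.2.9 135 DROP
2003-07-25 192.0.2.10 135 DROP
2003-07-25 192.0.2.11 135 DROP
2003-07-25 192.0.2.12 135 DROP
"""


def parse_log(text):
    """Parse log lines into (date, src_ip, dst_port) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            day = date.fromisoformat(parts[0])
            port = int(parts[2])
        except ValueError:
            continue
        records.append((day, parts[1], port))
    return records


def unique_sources_per_day(records, port):
    """Count distinct source IPs per day that touched the given destination port."""
    seen = defaultdict(set)
    for day, src, dst_port in records:
        if dst_port == port:
            seen[day].add(src)
    return {day: len(srcs) for day, srcs in sorted(seen.items())}


def flag_spikes(counts, window=3, factor=2.0, min_sources=4):
    """Return (day, count) for days whose distinct-source count exceeds `factor`
    times the mean of the previous `window` days and also reaches `min_sources`,
    so that tiny absolute changes at low volume are ignored. Days without a full
    window of history are never flagged."""
    days = sorted(counts)
    flagged = []
    for i in range(window, len(days)):
        baseline = mean(counts[d] for d in days[i - window:i])
        today = counts[days[i]]
        if today >= min_sources and today > factor * baseline:
            flagged.append((days[i], today))
    return flagged


if __name__ == "__main__":
    counts = unique_sources_per_day(parse_log(SAMPLE_LOG), 135)
    for day, n in counts.items():
        print(day, n)
    print("spike days:", flag_spikes(counts))
```

Using distinct sources rather than raw hit counts is deliberate: one noisy scanner can inflate a packet count, whereas a worm shows up as many new addresses at once, which is what the unique-source curve on the slide plots. The baseline window and factor are tuning knobs; a community service can set them per sector from its pooled data, which a single site cannot.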

Page 12:

Where does the data come from?

• Symantec’s 20,000 internet and private network sensors (180 countries)

• 200+ pop-up honey-pots

• Security Focus Bugtraq

• Virus response team (and their zoo!) – 100M submitting AV systems

• Internet community (black_hat & white_hat)

• External authorities

Directly monitored averages per day*:

• Logs/alerts imported: 400M

• Triggered events: 250,000

• Severe events: 300

• Correlated with 5.5B events

• 40M attacking IP addresses

*Ex. virus!

Page 13:

[Diagram: Community Monitor & Alert; Early Warning; Community Knowledge; Analysis & Reporting]

Page 14:

What do we get

[Diagram headings: Community Monitor & Alert; Early Warning; Community Knowledge; Analysis]

• Security device monitoring

• Community specific alerting

• Online threat reporting.

• Deep probe activity report (weekly)

• Online technology vulnerability alerting

• Analysis & trend tracking events (quarterly)

• Online community forum

• Online threat reporting

• Online regulatory and standard industry benchmarking

• Custom reporting and analysis

Page 15:

Important notes

CNI will provide “observations”, “probables” and “potentials” – these need to be treated accordingly.

We do not have all data on all companies in all segments – it grows with the community.

(Public) Device data is initially processed in the US (Alexandria central SOC) – now moving to European-only processing.

It is a pilot (experimental) – development input is essential.

Q. How accurate?

Page 16:

What is the Pilot?

• 6 months

• Up to 8 sensors monitored

• Deepsight access

• Early warning

• Shared data (anonymised)

… and involvement:

• Sensor data

• Workshops

• Feedback

• Ideas

… and an understanding of the information basis.

[Timeline: Pilot Customers; Advance Release Customers; Full Launch Phase 1; Phase 2; dates: now, Feb 04, April 04]

Page 17:

Our experiences

• A pilot is a pilot

– Pros

• High attention from vendor

• State of the art technology

– Cons

• Deficient routines

• Reports still in development

• State of the art technology

• Time-consuming for the customer

• No community parliament warning (we are alone)

Page 18:

Options – data sensitivity

• Option 1 – multi devices

[Diagram: Internet – Firewalls – NIDS; secure log data collected from all devices]

• Multi-dimensional analyses

• Internal & external

• Comprehensive

• (Not acceptable)

• Option 2 – outside IDS collector only

[Diagram: Internet – Firewalls – NIDS; IDS collector on the outside; secure log data from the collector only]

• External only

• Less comprehensive

• Acceptable
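Option 2 keeps internal traffic out of what the vendor sees, and the pilot slide adds that shared data is anonymised. The following is an added example, not code from the presentation, from Stortinget or from the CNI pilot, of an export filter that implements both ideas: events between two internal hosts are never exported, and any internal address that does appear (as the target of an external probe, or as the source of an outbound scan seen at the perimeter) is replaced by a keyed pseudonym so that repeat targets can still be correlated without revealing real addresses. The address ranges, the record format, the sample events and the HMAC-based pseudonymisation are all constructed for the demo.

```python
"""Data-minimising export of IDS/firewall events for an external monitoring community.

Added example, not code from the presentation or from Symantec's CNI pilot.
Internal address ranges, the record format and the sample events are constructed;
keyed pseudonymisation with HMAC is an assumed design, not the pilot's.
"""
import hashlib
import hmac
import ipaddress

# Constructed: address space treated as "inside" the parliament (RFC 1918 ranges here).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed secret. It stays with the organisation; the vendor never receives it,
# so pseudonyms cannot be reversed on their side.
PSEUDONYM_KEY = b"local-secret-rotate-per-pilot-phase"

# Constructed sample events: (src_ip, dst_ip, dst_port, signature).
SAMPLE_EVENTS = [
    ("198.51.100.10", "192.168.1.20", 135, "RPC port 135 probe"),
    ("192.168.1.20", "192.168.1.30", 445, "SMB share enumeration"),  # internal-only
    ("203.0.113.7", "192.168.1.20", 80, "HTTP long URI"),
    ("192.168.1.50", "198.51.100.10", 135, "outbound port 135 scan"),  # internal source
]


def is_internal(ip):
    """True if the address falls in one of the organisation's internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pseudonymise(ip):
    """Deterministic keyed pseudonym: the same internal host always maps to the same
    token, so the vendor can count repeat targets but cannot learn the real address."""
    digest = hmac.new(PSEUDONYM_KEY, ip.encode(), hashlib.sha256).hexdigest()
    return "int-" + digest[:12]


def export_event(event):
    """Return the shareable form of one event, or None if it must stay inside."""
    src, dst, port, sig = event
    src_in, dst_in = is_internal(src), is_internal(dst)
    if src_in and dst_in:
        return None  # purely internal traffic is never exported (Option 2: external only)
    return {
        "src": pseudonymise(src) if src_in else src,
        "dst": pseudonymise(dst) if dst_in else dst,
        "dst_port": port,
        "signature": sig,
    }


def export_all(events):
    """Apply the filter to a batch of events and drop the ones held back."""
    return [e for e in (export_event(ev) for ev in events) if e is not None]


if __name__ == "__main__":
    for record in export_all(SAMPLE_EVENTS):
        print(record)
```

External attacker addresses are exported unchanged, because correlating attacking IPs across members is the point of the community service; only the parliament's own address space is hidden. Rotating the key (for example per pilot phase) bounds how long a pseudonym stays linkable.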

Page 19:

Pilot infrastructure

[Diagram labels: Stortinget LAN; Firewall; ManHunt IDS; Internet]

Page 20:

Our Home page

Page 21:

Reports

• Weekly Event Digest

• Emerging Threat Notifications

• Community Watch Report

• Deep Sight Alert Service

Page 22:

People – our greatest resource

• This technology/concept is very interesting, but without dedicated people within your organization the concept will fail

• Heavy use of internal personnel resources – incident handling, routines, reports, monitoring

• Well-educated personnel – high requirements for internal IT security and networking skills

Page 23:

Responsibility

• In the end, you cannot transfer responsibility to the vendor – you still have to keep a high focus on IT security

Page 24:

Internal handling of CNI information

• Daily routines and procedures

• Incident management – Incident Response Team

• Who is doing what in a crisis – who is pulling the plug – who is handling the press – who is responsible for handling forensic evidence

Page 25:

Controversial issues

• You have to give something before you get something

• Collecting data from the parliament – IDSs and firewalls – inside or outside the firewall? – What do the MPs say if we tell them that an American company is collecting data from IDSs and firewalls within their local network?

Page 26:

Why join this concept?

• Parliamentary community – European Parliamentary IRT – a large community gets high attention from the vendor – more reliable data from a large community – benchmarking within the community – community warning – a problem shared is a problem halved