ICANN's Internet Identifier SSR: Roles, Relationships, Remit

Transcript of ICANN's Internet Identifier SSR: Roles, Relationships, Remit (20 slides)

Page 1:

ICANN's Internet Identifier SSR: Roles, Relationships, Remit

Dave Piscitello, VP Security and ICT Coordination

ICANN

Page 2:

Roles and Remit

ICANN IDENTIFIER SYSTEM SSR

2 12/1/16

Page 3:

Internet Identifier SSR: Scope & Remit

(Diagram, flattened: four areas arranged around the central "Internet Identifier SSR" label)

Identifier Threat Awareness & Preparedness
• Threat Intelligence
• Coordinated Response (Center)
• CVD Response Facilitation
• Trust networks FIRST/CERTs
• Europol, Interpol, RIRs …

SSR Analytics (Identifier Metrics)
• Registry "CVEs"
• Root System analytics
• DNS Hijacking
• Security threat reporting
• Internet health indicators

Capability Building
• DNS Abuse for LE
• DNS OA&M
• DNSSEC
• Secure Registry ops

Outreach
• Global OpSec: APWG, IPC, MAAWG, ISOI, DNS OARC …
• Global Cybersec: CCI, GCSP, OCSE, OECD …

Page 4:

Identifier Systems Threat Awareness

• Exchange of threat intelligence relating to security events of global nature involving identifier systems

• Participation (often as facilitator) in response to threats or attacks against identifier systems

Identifier Threat Awareness & Preparedness (diagram labels): Threat Intelligence; Coordinated Response (Center); Vulnerability Response Facilitation; Trust networks FIRST/CERTs

Page 5:

Identifier System SSR Analytics

• Develop metrics and analytics for identifier systems, e.g.,
  – Root system measurements, analysis
  – Security threat reporting: census of threat activity across top level domains
  – Abuse measurements aspects of ICANN's broader Internet Health Indicator project
  – Metrics and analytics proofs of concept

SSR Analytics (diagram labels), Identifier Metrics: Registry "CVEs"; Root System analytics; DNS Hijacking; Security threat reporting; Internet health indicators

Page 6:

Capability Building

• Capability building programs for registry operators
  – IS SSR team, contracted 3rd parties

• Identifier Systems centric training for public safety community engaged in global abuse investigations
  – IS SSR team

• "Train the trainers" programs
  – CERTs, law enforcement agencies

Capability Building (diagram labels): DNS Abuse for LE; DNS OA&M; DNSSEC; Secure Registry Operations

Page 7:

Outreach

• Global Cybersecurity cooperation
  – Coordinate engagement through GSE
  – Coordinate cybersecurity message with GSE

• Global Security & Operations
  – Daily interaction on DNS abuse/misuse matters with first responders, law enforcement, operators
  – Complement ICANN Compliance
  – Cooperation with a global Internet abuse mitigation community

Outreach (diagram labels): Global SecOps: APWG, IPC, MAAWG, ISOI, DNS OARC …; Global Cybersec: CCI, OECD …

Page 8:

Internet Abuse Mitigation Communities

(Diagram, flattened: the groups and their members)

ICANN COMMUNITY: PSWG, GAC, Law Enforcement; GNSO: RR, RY

ICANN ORGANIZATION: IS SSR

OPERATIONAL AND SECURITY (OPSEC)

Private Sector Interveners: corporate abuse response staff, abuse investigators, reputation service providers, brand, service, product protection (FB, eBay, Apple…)

DNS OPERATORS (DNSOARC, too)

Academia & Research (DNS)

Page 9:

Cooperation serves self-preservation

(Diagram, flattened: the same groups as page 8, with two additions)

ICANN COMMUNITY: PSWG, GAC, Law Enforcement; GNSO: RR, RY

ICANN ORGANIZATION: IS SSR

OPERATIONAL AND SECURITY (OPSEC)

Private Sector Interveners

DNS OPERATORS (DNSOARC, too)

Academia & Research (DNS)

Victims of Abuse (as registrant or user, actual or potential)

Internet Users

Page 10:

ABUSE MITIGATION ACTIVITIES

OPSEC, OSINT, Training

Page 11:

IS SSR Team: OPSEC, OSINT

• Subject matter experts or parties to investigations where
  – Identifier systems abuse is prominent
  – Facilitating interactions among OpSec, domain name, or addressing communities is critical for success

• Open Source Intelligence?
  – Publicly accessible DNS or addressing information (zone data, registration data) are important kinds of OSINT shared among investigators

Page 12:

Training: DNS Abuse for Investigators

• Half, full-day, or multi-day training sessions
  – Use of strategies, techniques and tools to identify abuses of the Domain Name System (DNS), malicious registrations of domain names, addresses or hosting
  – Lecture, demonstrations, and hands-on exercises
  – At request of host, Regional Internet Registry staff accompany IS SSR Team for addressing and routing training

Page 13:

Syllabus

• Domain Name System operation and ecosystem

• Taking action
  – Challenges of distinguishing criminal from legitimate use of DNS
  – Dealing with domain seizures

• How to gather information
  – DNS, domain registration, IP addressing
  – Hosting location and hosted data

• OSINT collaboration and threat intelligence

Page 14:

Collecting Evidence of DNS Abuse/Misuse

✓ Recent domain registration creation date
✓ Questionable Whois contact data
✓ Privacy protection service
✓ Suspicious values in DNS Zone data (e.g., TTL)
✓ Spoofing or confusing use of a brand
✓ Known DGA or malware control point
✓ Hosted on suspicious/notorious name servers
✓ High frequency/volume of name errors
✓ Suspicious (notorious) hosting location
✓ Suspicious (notorious) service operator
✓ Base site content is non-existent or bad
✓ Linked content is suspicious or bad
✓ Suspicious mail headers, sender, or content

Analogs:
• Number of matching minutiae
• Body of evidence

(Photo: http://www.flickr.com/photos/vincealongi/)
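One way to turn this checklist into a repeatable scoring step, as an added example that is not part of the deck or of ICANN's own tooling: each indicator on the slide becomes a check over a domain record, and the "matching minutiae" analogy becomes a count that must clear a minimum before the case is escalated. The thresholds (registration within 30 days, TTL below 300 seconds, NXDOMAIN ratio above 50 %, four indicators to escalate), the reputation sets, the field names and both sample records are assumptions constructed for the example; the reference date is fixed to the deck's date so the output is deterministic.

```python
from dataclasses import dataclass
from datetime import date

# Reference date fixed to the deck's date so the example is deterministic.
REFERENCE_DATE = date(2016, 12, 1)

# Constructed stand-ins for the reputation feeds an investigator would consult.
NOTORIOUS_NS = {"ns1.bulletproof.example", "ns2.bulletproof.example"}
NOTORIOUS_ASN = {64500}            # ASN from the documentation range (RFC 5398)
THROWAWAY_MAIL = {"mailinator.example", "tempmail.example"}


@dataclass
class DomainRecord:
    """One domain's collected facts (constructed input, not live data)."""
    name: str
    created: date
    registrant_email: str      # "" when Whois shows no usable contact
    privacy_proxy: bool
    min_ttl: int               # lowest TTL observed across the zone's records
    name_servers: tuple
    spoofs_brand: bool         # confusable or spoofing use of a brand term
    on_dga_or_c2_list: bool
    nxdomain_ratio: float      # share of queries for the name answered NXDOMAIN
    hosting_asn: int
    has_base_content: bool
    linked_content_bad: bool
    suspicious_mail: bool


def indicators(rec, today=REFERENCE_DATE):
    """Return the names of the slide's indicators that the record matches."""
    hits = []
    if (today - rec.created).days <= 30:           # assumed cut-off
        hits.append("recent registration")
    mail_domain = rec.registrant_email.rpartition("@")[2]
    if not rec.registrant_email or mail_domain in THROWAWAY_MAIL:
        hits.append("questionable Whois contact")
    if rec.privacy_proxy:
        hits.append("privacy/proxy service")
    if rec.min_ttl < 300:                          # very low TTL, assumed cut-off
        hits.append("suspicious zone TTL")
    if rec.spoofs_brand:
        hits.append("brand spoofing")
    if rec.on_dga_or_c2_list:
        hits.append("known DGA/C2")
    if any(ns in NOTORIOUS_NS for ns in rec.name_servers):
        hits.append("notorious name servers")
    if rec.nxdomain_ratio > 0.5:                   # assumed cut-off
        hits.append("high name-error rate")
    if rec.hosting_asn in NOTORIOUS_ASN:
        hits.append("notorious hosting")
    if not rec.has_base_content:
        hits.append("no/bad base content")
    if rec.linked_content_bad:
        hits.append("suspicious linked content")
    if rec.suspicious_mail:
        hits.append("suspicious mail")
    return hits


def body_of_evidence(rec, minimum=4, today=REFERENCE_DATE):
    """Like matching fingerprint minutiae: count independent indicators and
    report whether enough line up to justify escalation (minimum is assumed)."""
    hits = indicators(rec, today)
    return len(hits), len(hits) >= minimum, hits


# Two constructed records: one that trips most indicators, one that trips none.
SUSPECT = DomainRecord(
    name="secure-login-bank.example", created=date(2016, 11, 20),
    registrant_email="x@mailinator.example", privacy_proxy=True, min_ttl=60,
    name_servers=("ns1.bulletproof.example", "ns2.other.example"),
    spoofs_brand=True, on_dga_or_c2_list=False, nxdomain_ratio=0.1,
    hosting_asn=64500, has_base_content=False, linked_content_bad=True,
    suspicious_mail=True,
)
BENIGN = DomainRecord(
    name="longstanding-shop.example", created=date(2009, 3, 2),
    registrant_email="admin@longstanding-shop.example", privacy_proxy=False,
    min_ttl=3600, name_servers=("ns1.registrar.example",), spoofs_brand=False,
    on_dga_or_c2_list=False, nxdomain_ratio=0.02, hosting_asn=64496,
    has_base_content=True, linked_content_bad=False, suspicious_mail=False,
)

if __name__ == "__main__":
    for rec in (SUSPECT, BENIGN):
        count, escalate, hits = body_of_evidence(rec)
        print(f"{rec.name}: {count} indicators, escalate={escalate}: {hits}")
```

The point of returning the list of matched indicators rather than only the count is that the abuse desk or registrar contacted in the later steps needs the specific evidence, not a score; the count only decides whether it is worth their time.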

Page 15:

Taking Action Against Domains, Hosts, or Content

Domain takedown · Content takedown · Block listing

The course explains how these actions accomplish different things and have different consequences.

Page 16:

What Hinders Mitigation or Prosecution?

JURISDICTION: What is the prevailing jurisdiction of content hosting, DNS hosting, domain registration, alleged perpetrators?

LAW: Is this a criminal activity in all relevant jurisdictions?

CONTRACT, INTERPRETATION: Is a contracted party in breach of an obligation? According to whose interpretation?

Page 17:

Who? What? When? Where? How?

• Who is the target of your action?
  – Registrant
  – Hosting operator (Web, Mail, DNS…)
  – Network (ISP)
  – Registrar (or reseller)
  – Registry Operator

• What is the goal of the action?

• When will you act? In synchrony with others?

• Where in the world are the people, content, networks, or systems that you're targeting?
  – Many investigations involve parties or criminal assets in several jurisdictions

• How will you take action?
  – Court order, acceptable use, compliance violation

Page 18:

Steps to investigate domains

1. Collect evidence of abuse
   A. The purpose of this course is to show ways to do this

2. Determine hosting provider or registrar
   A. Is there a reseller of that registrar involved?

3. Contact hosting provider or registrar abuse desk
   A. Provide evidence of abuse
   B. Point out registration or content problems
   C. Ask if a TOS, ICANN, ccTLD registry domain suspension policy applies

4. No success? Contact registry
   A. Same supporting info as registrar

5. Escalate
   A. Sharing/intel networks
   B. National CERT or local LE
   C. Whois Data Problem Reporting System
   D. ICANN compliance

If you are looking at a suspicious domain, someone else is, too.

Page 19:

Identifier Systems Intel is part of OSINT. Use cases explain how to leverage OSINT.

(Diagram, flattened: the data each starting point yields and where it leads)

Domain Name
• Zone Data: MX records, NS records, Address records
• Passive DNS: MX records, NS records, Address records …
• Domain Whois: Registrar, NS, POC data

IP address
• IP, ASN Whois: Netname, Allocations, Handles, POC data

POC data
• Social media data: Friends, Profiles, Locations, Assets
• Additional registrations and POCs

Related names and addresses
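The pivots in the diagram, as an added example that is not the deck's or ICANN's own code: starting from one domain, the code consults constructed registration data, zone data, passive DNS and IP/ASN Whois tables and reports which other names share a registrant point of contact, name servers or a hosting address, then follows those name-to-name links transitively to build the "related names" set. Every table entry, domain, address, ASN and POC handle below is constructed for the example (addresses and ASNs come from the documentation ranges).

```python
from collections import defaultdict

# Constructed Whois-style registration data: domain -> (registrar, registrant POC handle)
DOMAIN_WHOIS = {
    "phish-a.example": ("Registrar One", "POC-1001"),
    "phish-b.example": ("Registrar One", "POC-1001"),
    "unrelated.example": ("Registrar Two", "POC-2002"),
    "phish-c.example": ("Registrar Three", "POC-3003"),
}
# Constructed zone data: domain -> records by type
ZONE = {
    "phish-a.example": {"NS": ["ns1.bp.example"], "MX": ["mx.phish-a.example"], "A": ["192.0.2.10"]},
    "phish-b.example": {"NS": ["ns1.bp.example"], "MX": [], "A": ["192.0.2.11"]},
    "unrelated.example": {"NS": ["ns1.good.example"], "MX": ["mx.good.example"], "A": ["198.51.100.5"]},
    "phish-c.example": {"NS": ["ns9.other.example"], "MX": [], "A": ["192.0.2.10"]},
}
# Constructed passive DNS: address -> names historically seen resolving to it
PASSIVE_DNS = {
    "192.0.2.10": ["phish-a.example", "phish-c.example", "old-phish.example"],
    "192.0.2.11": ["phish-b.example"],
    "198.51.100.5": ["unrelated.example"],
}
# Constructed IP/ASN Whois: address -> (ASN, netname, POC handle)
IP_WHOIS = {
    "192.0.2.10": (64500, "BP-NET", "POC-IP-77"),
    "192.0.2.11": (64500, "BP-NET", "POC-IP-77"),
    "198.51.100.5": (64496, "GOOD-NET", "POC-IP-12"),
}


def related_names(domain):
    """Return {pivot reason: sorted names/labels} linking other data to `domain`."""
    _registrar, poc = DOMAIN_WHOIS[domain]
    zone = ZONE[domain]
    found = defaultdict(set)
    # Pivot 1: same registrant point of contact in registration data
    for other, (_, other_poc) in DOMAIN_WHOIS.items():
        if other != domain and other_poc == poc:
            found["shared registrant POC"].add(other)
    # Pivot 2: same authoritative name servers
    for other, other_zone in ZONE.items():
        if other != domain and set(other_zone["NS"]) & set(zone["NS"]):
            found["shared NS"].add(other)
    # Pivot 3: passive DNS, other names seen on the same address(es)
    for ip in zone["A"]:
        for other in PASSIVE_DNS.get(ip, []):
            if other != domain:
                found["shared IP (passive DNS)"].add(other)
    # Pivot 4: IP/ASN Whois of the hosting address(es)
    for ip in zone["A"]:
        asn, netname, ip_poc = IP_WHOIS[ip]
        found["hosting network"].add(f"AS{asn} {netname} ({ip_poc})")
    return {reason: sorted(names) for reason, names in found.items()}


def related_set(domain, hops=2):
    """Follow the name-to-name pivots transitively for `hops` rounds and return
    every other name reached; network labels are not names and are skipped."""
    seen, frontier = {domain}, {domain}
    for _ in range(hops):
        nxt = set()
        for d in frontier:
            if d not in DOMAIN_WHOIS:   # names known only from passive DNS: no tables
                continue
            for reason, names in related_names(d).items():
                if reason != "hosting network":
                    nxt.update(names)
        frontier = nxt - seen
        seen |= nxt
    return sorted(seen - {domain})


def case_file(domain):
    """Everything the diagram hangs off a single domain name, in one dict."""
    return {"domain": domain, "registrar": DOMAIN_WHOIS[domain][0],
            "zone": ZONE[domain], "pivots": related_names(domain),
            "related": related_set(domain)}


if __name__ == "__main__":
    for reason, names in related_names("phish-a.example").items():
        print(f"{reason}: {', '.join(names)}")
    print("related set:", related_set("phish-a.example"))
```

Each pivot is reported under its own reason so that a reader of the case file can see why a name was linked; a name reached only through a shared address is weaker evidence than one sharing a registrant contact and name servers, and the later "body of evidence" judgement depends on that distinction.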

Page 20:

Questions?

DAVE PISCITELLO [email protected] @SECURITYSKEPTIC