ICANN’s Internet Identifier SSR: Roles, Relationships, Remit
Dave Piscitello, VP Security and ICT Coordination
ICANN
Roles and Remit
ICANN IDENTIFIER SYSTEM SSR
2 12/1/16
DNS Abuse for LE DNS OA&M DNSSEC Secure Registry ops
Global OpSec
Global Cybersec
APWG IPC MAAWG ISOI
DNS OARC …
CCI GCSP OCSE OECD …
Identifier Metrics • Registry “CVEs” • Root System analytics • DNS Hijacking • Security threat reporting • Internet health indicators
Threat Intelligence
Coordinated Response (Center)
CVD Response Facilitation
Trust networks FIRST/CERTs
Internet Identifier SSR: Scope & Remit
Europol Interpol RIRs …
Identifier Threat
Awareness & Preparedness
SSR Analytics
Capability Building Outreach
Internet Identifier SSR
Identifier Systems Threat Awareness
• Exchange of threat intelligence relating to security events of global nature involving identifier systems
• Participation (often as facilitator) in response to threats or attacks against identifier systems
Identifier Threat
Awareness & Preparedness
Threat Intelligence
Coordinated Response (Center)
Vulnerability Response Facilitation
Trust networks FIRST/CERTs
Identifier System SSR Analytics
• Develop metrics and analytics for identifier systems, e.g.,
– Root system measurements, analysis
– Security threat reporting: census of threat activity across top level domains
– Abuse measurement aspects of ICANN’s broader Internet Health Indicator project
– Metrics and analytics proofs of concept
SSR Analytics
Identifier Metrics • Registry “CVEs” • Root System analytics • DNS Hijacking • Security threat reporting • Internet health indicators
Capability Building
• Capability building programs for registry operators – IS SSR team, contracted 3rd parties
• Identifier Systems centric training for public safety community engaged in global abuse investigations – IS SSR team
• “Train the trainers” programs – CERTs, law enforcement agencies
Capability Building
DNS Abuse for LE DNS OA&M DNSSEC Secure Registry Operations
• Global Cybersecurity cooperation
– Coordinate engagement through GSE
– Coordinate cybersecurity message with GSE
• Global Security & Operations
– Daily interaction on DNS abuse/misuse matters with first responders, law enforcement, operators
– Complement ICANN Compliance
– Cooperation with a global Internet abuse mitigation community
Outreach
Global SecOps
Global Cybersec
APWG IPC MAAWG ISOI
DNS OARC …
CCI OECD …
Outreach
ICANN COMMUNITY
PSWG
GAC
Law
Enforcement
OPERATIONAL AND
SECURITY (OPSEC)
ICANN ORGANIZATION
IS SSR
Private Sector
Interveners
GNSO
RR, RY
Corporate abuse response staff, abuse investigators, reputation service providers, brand, service, product protection (FB, eBay, Apple…)
DNS OPERATORS (DNSOARC, too)
Academia & Research (DNS)
Internet Abuse Mitigation Communities
Victims of Abuse (as registrant or user, actual or potential)
Internet Users
Cooperation serves self-preservation
OPSEC, OSINT, Training
ABUSE MITIGATION ACTIVITIES
IS SSR Team: OPSEC, OSINT
• Subject ma\er experts or par-es to inves-ga-ons where – Iden-fier systems abuse is prominent – Facilita-ng interac-ons among OpSec, domain name, or addressing communi-es is cri-cal for success
• Open Source Intelligence? – Publicly accessible DNS or addressing informa-on (zone data, registra-on data) are important kinds of OSINT shared among inves-gators
Training: DNS Abuse for Investigators
• Half, full-day, or multi-day training sessions
– Use of strategies, techniques and tools to identify abuses of the Domain Name System (DNS), malicious registrations of domain names, addresses or hosting
– Lecture, demonstrations, and hands-on exercises
– At request of host, Regional Internet Registry staff accompany IS SSR Team for addressing and routing training
Syllabus
• Domain Name System operation and ecosystem
• Taking action
– Challenges of distinguishing criminal from legitimate use of DNS
– Dealing with domain seizures
• How to gather information
– DNS, domain registration, IP addressing
– Hosting location and hosted data
• OSINT collaboration and threat intelligence
Collecting Evidence of DNS Abuse/Misuse
✓ Recent domain registration creation date
✓ Questionable Whois contact data
✓ Privacy protection service
✓ Suspicious values in DNS zone data (e.g., TTL)
✓ Spoofing or confusing use of a brand
✓ Known DGA or malware control point
✓ Hosted on suspicious/notorious name servers
✓ High frequency/volume of name errors
✓ Suspicious (notorious) hosting location
✓ Suspicious (notorious) service operator
✓ Base site content is non-existent or bad
✓ Linked content is suspicious or bad
✓ Suspicious mail headers, sender, or content
Analogs:
• Number of matching minutiae
• Body of evidence
http://www.flickr.com/photos/vincealongi/
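The fingerprint analogy on this slide (count the matching minutiae, then judge the body of evidence) can be turned into a triage routine. The following is an added example written for this page, not code from the deck or from ICANN's course; the record layout, the thresholds (30 days, TTL under 300 s, 50 name errors per hour), the reference lists and the two sample records are all constructed assumptions for illustration.

```python
"""Triage a domain against the DNS-abuse indicators listed on the slide.

Added example, not part of the original deck or of ICANN's course
material. The record layout, the thresholds and the reference lists are
assumptions made for illustration; the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class DomainRecord:
    name: str
    created: date             # registration creation date (from Whois/RDAP)
    observed: date            # date of the investigation
    privacy_service: bool     # registrant contact is a privacy/proxy service
    whois_contact_ok: bool    # contact data is complete and plausible
    min_ttl: int              # lowest TTL seen in the zone's records (seconds)
    name_servers: tuple       # NS hostnames from zone data
    nxdomain_per_hour: int    # name-error volume seen in resolver logs
    has_site_content: bool    # base site serves real content
    linked_content_bad: bool  # linked/embedded content flagged by the analyst
    known_dga_or_c2: bool     # matches a known DGA family or control point


# Constructed, hypothetical reference data (not real blocklists or brands).
NOTORIOUS_NS = {"ns1.bad-hosting.example", "ns2.bad-hosting.example"}
PROTECTED_BRANDS = ("examplebank",)
BRAND_OWNED = {"examplebank.example"}      # the brand's own legitimate names

# Illustrative thresholds; an investigator would tune these per case.
RECENT_DAYS = 30
LOW_TTL = 300
NXDOMAIN_BURST = 50


def matching_indicators(rec: DomainRecord) -> list:
    """Return the slide's indicators that this record matches, in slide order."""
    hits = []
    if (rec.observed - rec.created).days <= RECENT_DAYS:
        hits.append("recent domain registration creation date")
    if not rec.whois_contact_ok:
        hits.append("questionable Whois contact data")
    if rec.privacy_service:
        hits.append("privacy protection service")
    if rec.min_ttl < LOW_TTL:
        hits.append("suspicious values in DNS zone data (TTL)")
    flat = rec.name.replace("-", "")
    if rec.name not in BRAND_OWNED and any(b in flat for b in PROTECTED_BRANDS):
        hits.append("spoofing or confusing use of a brand")
    if rec.known_dga_or_c2:
        hits.append("known DGA or malware control point")
    if any(ns in NOTORIOUS_NS for ns in rec.name_servers):
        hits.append("hosted on suspicious/notorious name servers")
    if rec.nxdomain_per_hour >= NXDOMAIN_BURST:
        hits.append("high frequency/volume of name errors")
    if not rec.has_site_content:
        hits.append("base site content is non-existent or bad")
    if rec.linked_content_bad:
        hits.append("linked content is suspicious or bad")
    return hits


def triage(rec: DomainRecord):
    """Count matching 'minutiae' and turn the count into a body-of-evidence verdict.

    As with fingerprints, no single indicator is conclusive; the decision rests
    on how many independent ones line up. The cut-offs are assumptions.
    """
    hits = matching_indicators(rec)
    if len(hits) >= 5:
        verdict = "strong body of evidence: escalate to abuse desk"
    elif len(hits) >= 3:
        verdict = "weak: gather more evidence before acting"
    else:
        verdict = "insufficient: no action on this evidence"
    return len(hits), hits, verdict


# Constructed sample records (.example is a reserved TLD, not real domains).
SUSPICIOUS = DomainRecord(
    name="examplebank-login.example", created=date(2016, 11, 25),
    observed=date(2016, 12, 1), privacy_service=True, whois_contact_ok=False,
    min_ttl=60, name_servers=("ns1.bad-hosting.example",),
    nxdomain_per_hour=120, has_site_content=False, linked_content_bad=True,
    known_dga_or_c2=False)

BENIGN = DomainRecord(
    name="examplebank.example", created=date(2005, 3, 1),
    observed=date(2016, 12, 1), privacy_service=False, whois_contact_ok=True,
    min_ttl=3600, name_servers=("ns1.examplebank.example",),
    nxdomain_per_hour=2, has_site_content=True, linked_content_bad=False,
    known_dga_or_c2=False)

if __name__ == "__main__":
    for rec in (SUSPICIOUS, BENIGN):
        n, hits, verdict = triage(rec)
        print(f"{rec.name}: {n} indicators -> {verdict}")
        for h in hits:
            print("  -", h)
```

The point of returning the list of matched indicators, not just the count, is that the abuse desk or registrar you contact in a later step needs the evidence itself; the count only decides whether the case is worth opening.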
Taking Action Against Domains, Hosts, or Content
Domain takedown
Content takedown
Block listing
The course explains how these actions accomplish different things and have different consequences.
What Hinders Mitigation or Prosecution?
JURISDICTION
What is the prevailing jurisdiction of content hosting, DNS hosting, domain registration, alleged perpetrators?
LAW
Is this a criminal activity in all relevant jurisdictions?
CONTRACT, INTERPRETATION
Is a contracted party in breach of an obligation? According to whose interpretation?
Who? What? When? Where? How?
• Who is the target of your action?
– Registrant
– Hosting operator (Web, Mail, DNS…)
– Network (ISP)
– Registrar (or reseller)
– Registry Operator
• What is the goal of the action?
• When will you act? In synchrony with others?
• Where in the world are the people, content, networks, or systems that you’re targeting?
– Many investigations involve parties or criminal assets in several jurisdictions
• How will you take action?
– Court order, acceptable use, compliance violation
Steps to investigate domains
1. Collect evidence of abuse
   A. The purpose of this course is to show ways to do this
2. Determine hosting provider or registrar
   A. Is there a reseller of that registrar involved?
3. Contact hosting provider or registrar abuse desk
   A. Provide evidence of abuse
   B. Point out registration or content problems
   C. Ask if a TOS, ICANN, ccTLD registry domain suspension policy applies
4. No success? Contact registry
   A. Same supporting info as registrar
5. Escalate
   A. Sharing/intel networks
   B. National CERT or local LE
   C. Whois Data Problem Reporting System
   D. ICANN compliance
If you are looking at a suspicious domain, someone else is, too.
[Diagram: identifier-system OSINT pivots from a seed domain name]
Domain Name → Zone Data: MX records, NS records, Address records
Domain Name → Passive DNS: MX records, NS records, Address records
Domain Name → Domain Whois: POC data, Registrar, NS
IP address → IP, ASN Whois: POC data, Netname, Allocations, Handles
Related names and addresses: MX records, NS records, Address records …
POC data → Social media data: Friends, Profiles, Locations, Assets
POC data → Additional registrations and POCs
Identifier Systems Intel is part of OSINT. Use cases explain how to leverage OSINT.
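The diagram's pivots (zone data and passive DNS to name servers and addresses, domain Whois to a point of contact, IP/ASN Whois to a netname) are what lets an investigator expand one suspicious name into the related names and addresses the deck mentions. The following is an added example written for this page, not ICANN's or the course's code; the tables standing in for zone data, passive DNS and Whois are constructed, the record layouts are assumptions, and the rule that a name server shared by a large DNS provider is too weak to pivot on is an illustrative choice rather than anything the deck states.

```python
"""Pivot from one suspicious domain to related names and addresses.

Added example illustrating the identifier-system OSINT pivots sketched on
the deck's diagram (zone data, passive DNS, domain Whois, IP/ASN Whois).
Not ICANN's or the course's code; all data below is constructed and the
record layouts are assumptions. .example is a reserved TLD.
"""
from collections import deque

# Constructed sample data, shaped like what an investigator collects.
ZONE = {  # domain -> records from zone data / passive DNS
    "shop-deals.example":   {"NS": ["ns1.cheaphost.example"], "A": ["198.51.100.7"]},
    "prize-claim.example":  {"NS": ["ns1.cheaphost.example"], "A": ["198.51.100.7"]},
    "login-verify.example": {"NS": ["ns9.otherdns.example"],  "A": ["203.0.113.44"]},
    "news-daily.example":   {"NS": ["ns1.cheaphost.example"], "A": ["198.51.100.9"]},
    "charity.example":      {"NS": ["ns2.bigdns.example"],    "A": ["192.0.2.10"]},
}
DOMAIN_WHOIS = {  # domain -> registrant point of contact (POC) and registrar
    "shop-deals.example":   {"poc": "poc-1234@mail.example", "registrar": "Registrar A"},
    "prize-claim.example":  {"poc": "poc-1234@mail.example", "registrar": "Registrar A"},
    "login-verify.example": {"poc": "poc-1234@mail.example", "registrar": "Registrar B"},
    "news-daily.example":   {"poc": "editor@news-daily.example", "registrar": "Registrar A"},
    "charity.example":      {"poc": "admin@charity.example", "registrar": "Registrar C"},
}
IP_WHOIS = {  # IP address -> netname and ASN from RIR Whois
    "198.51.100.7": {"netname": "CHEAPHOST-NET", "asn": 64500},
    "198.51.100.9": {"netname": "CHEAPHOST-NET", "asn": 64500},
    "203.0.113.44": {"netname": "OTHER-NET", "asn": 64501},
    "192.0.2.10":   {"netname": "BIG-NET", "asn": 64502},
}

# A shared name server is weak evidence when the provider is large; this
# constructed list marks NS hosts the example refuses to pivot on.
LARGE_SHARED_NS = {"ns2.bigdns.example"}


def build_index():
    """Invert the data so we can ask 'which domains share this NS / IP / POC?'."""
    by_ns, by_ip, by_poc = {}, {}, {}
    for d, rr in ZONE.items():
        for ns in rr["NS"]:
            by_ns.setdefault(ns, set()).add(d)
        for ip in rr["A"]:
            by_ip.setdefault(ip, set()).add(d)
    for d, w in DOMAIN_WHOIS.items():
        by_poc.setdefault(w["poc"], set()).add(d)
    return by_ns, by_ip, by_poc


def pivot(seed, max_depth=2):
    """Breadth-first expansion from seed.

    Returns {domain: (pivot_kind, pivot_value, depth)} so every related name
    carries the evidence that linked it (the POC, address or NS it shares).
    """
    by_ns, by_ip, by_poc = build_index()
    found = {seed: ("seed", seed, 0)}
    queue = deque([(seed, 0)])
    while queue:
        d, depth = queue.popleft()
        if depth >= max_depth:
            continue
        links = [("POC", DOMAIN_WHOIS[d]["poc"], by_poc[DOMAIN_WHOIS[d]["poc"]])]
        links += [("A", ip, by_ip[ip]) for ip in ZONE[d]["A"]]
        links += [("NS", ns, by_ns[ns]) for ns in ZONE[d]["NS"]
                  if ns not in LARGE_SHARED_NS]
        for kind, value, domains in links:
            for other in sorted(domains):
                if other not in found:
                    found[other] = (kind, value, depth + 1)
                    queue.append((other, depth + 1))
    return found


def infrastructure(found):
    """Map the pivoted set back to IP/ASN Whois: which netnames host it?"""
    return {IP_WHOIS[ip]["netname"] for d in found for ip in ZONE[d]["A"]}


if __name__ == "__main__":
    related = pivot("shop-deals.example")
    for name, (kind, value, depth) in related.items():
        print(f"{name:24} via {kind:4} {value} (depth {depth})")
    print("hosting networks:", sorted(infrastructure(related)))
```

Each discovered name keeps the pivot that produced it, which matters for the later escalation steps: an abuse desk will act on "same registrant contact and same address as the reported domain", but usually not on "same name server" alone.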