The big world
What are Operational Security Communities?
"Collaborating globally for a more secure digital world"
Inter Network Cooperation
Merike Kaeo
merike@doubleshotsecurity.com
https://nsrc.org/workshops/2014/apricot14-security/raw-attachment/wiki/Agenda/4-2-2.inter-network-cooperation.pdf
2012 is Cyber Security's turning point
Barry Greene
bgreene@senki.org
http://www.maawg.org/system/files/M3AAWG-Malware-Greene-Seg4-Turning-Point.pdf
There are effective Private Industry
“Operational Security” Communities
- Effective Incident Response, Cyber-Risk Management, and Investigations require active participation and collaboration in these“Operational Security Communities.”
- These communities have rules, expectations, “trust networks,” and paranoia that makes it hard to find and hard to gain access.
The following are some example which will provide you a
tool and context of the types of groups.
- Some are open to all.
- Some are personality driven
- Some are interest driven
- Some are highly peer vetted
- Some are peer meshed – where only the best of the best are involved (definition of best varies on who you talk to)
Specializations
- Situational Consultation: OPSEC Trust’s Main Team
- Big Back Bone Security and IP Based Remediation: NSP-SEC
- DNS System Security: DNS-OARC
- Anti SPAM, Phishing, and Crime: MAAWG & APWG
- Many other Confidential Groups specializing into specific areas, issues, incidents, and vulnerabilities.
The Real Security Problem
- how to find their security colleagues in their directly attached peers?
- how to find security engineers in providers two hops away ?
- how to find any security engineers in the big providers ?
Operations Security Engineers can
- Find their security colleagues in their direct peers and a huge range if global ISP/SPs
- Work with each other via E-mail, chat, iNOC Phone, and POTs to collectively mitigate attacks and incidents on the Internet
- Execute Inter-provider Tracebacks and Mitigation
- Proactive measures to prepare for projected attacks
Aggressive Collaboration is the Key
Principles of Collaboration
- Chain of Trust
- Sphere of Trust
- Need to Know
- Chain of Action
Chain of Trust
If I trust you and you trust him, then I can also trust him.
Sphere of Trust
The group together can be see as
a sphere, realm, zone, of
trust.
Need to Know in Operation Security
I trust you. You are someone I can depend on, but you don’t really need to know about the details of this incident.
Not being in a Need to Know Sphere does not mean you are not trusted.
Sphere of Action
- Sphere of Action is a new concept for vetting peers into operational communities.
- You trust someone, but will they be able to do something, be responsive, and/or make something happen?
- Some communities would like to just know something will happen.
I've been working an attack against XXX.YY.236.66/32 and XXX.YY. 236.69/32. We're seeing traffic come from <ISP-A>, <ISP-B>, <IXP-East/ West> and others. Attack is hitting both IP's on tcp 53 and sourced with x.y.0.0. I've got it filtered so it's not a big problem, but if anyone is around I'd appreciate it if you could filter/trace on your network. I'll be up for a while :/
Expectation of Action
- “Lurking” is bad behavior on Operational Security Communities.
- There is an expectation of action – where you use the information to do something within your span of control & influence to fight the badness.
- Inability to meet expectations erodes trust and your reputation of someone who acts.
Community’s Integrity
- Maintaining integrity is common sense
- Never ever forward information posting within a operational security group without the explicit permission of the person who posted the information
- Each individual is accountable to be a steward of the information posted and discussed within the community
Violation of trust,
such as forwarding information
that required explicit permission of sharing
and the permission was not asked,
results in breach of trust
and violates the integrity of the community
Size does matter
you don’t need to be part of everything,
you need to trust the bigger team to take action.
face-to-face in-persons meetings are critical
for creating and maintaining trust relationships
don't translate that to
"must drink beer with each other" :)
it is OK to have small focused groups to break off
and work on a specific issue/case/investigation/reaction
it is A-OK for groups to fade away
as new groups evolve and branch out.
NSP-SEC
NSP-SEC was created by several ISP/SP Security
Engineers as a means to meet the following
objectives:
- Provide a means for ISP/SP Security Engineers to find their colleagues
- Create a potential forum for ISP/SP Security Engineers to work on DOS attacks, incidents, and other activities
Membership in nsp-sec is restricted to those actively
involved in mitigation of NSP Security incidents. Therefore,
it will be limited to operators, vendors, researchers, and
people in the community working to stop NSP
Security incidents. That means no press and (hopefully)
none of the "bad guys.“
Being a “Security Guru” does not qualify for NSP-SEC Membership.
Being “from the Government” does not qualify for NSP-SEC Membership.
You need to be someone who touches a router in a ISP/SP
backbone, can tell someone to touch a router, offer some
service to the forum, or develop BCPs for the community.
If you do not contribute, you do not get to participate.
http://puck.nether.net/mailman/listinfo/nsp-security
DNS Operations
An open public forum for informal reporting, tracking,
resolving, and discussing DNS operational issues including
outages, attacks, errors, failures, and features. Note that
discussion of non-ICANN root systems is explicitly off-topic.
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
OPSEC Trust
Operations Security Trust (or "Ops-T") forum is a highly vetted community of security professionals focused on the operational robustness, integrity, and security of the Internet. The community promotes responsible action against malicious behavior beyond just observation, analysis and research. Ops-T carefully expands membership pulling talent from many other security forums looking for strong vetting
Operations Security Trust (or "Ops-T") members are in a position to directly affect Internet security operations in some meaningful way. The community's members span the breadth of the industry including service providers, equipment vendors, financial institutions, mail admins, DNS admins, DNS registrars, content hosting providers, law enforcement organizations/agencies, CSIRT Teams, and third party organizations that provide security-related services for public benefit (e.g. monitoring or filtering service providers). The breadth of membership, along with an action plus trust vetting approach creates a community which would be in a position to apply focused attention on the malfeasant behaviors which threaten the Internet.
Ops-T does not accept applications for membership.
New candidates are nominated by their peers who are actively working with them on improving the operational robustness, integrity, and security of the Internet.
https://ops-trust.net/
Takeaways
Aggressive Private Industry to Private Industry Collaboration
is critical before any successful “public – private partnership”.
Effective Incident Response, Cyber-Risk Management, and
Investigations requires active participation and collaboration
in these “Operational Security Communities.”
These communities have rules, expectations, “trust
networks,” and paranoia that makes it hard to find and hard
to gain access. The investment in Trust does turn into
results.
“trust groups” have “community life cycles.”
Being “from the Government”
does not qualify ;-(
BEING “FROM THE CERT” DOES NOT QUALIFY ALSO
2020 Frg wrote
I gave a lot of thought to some virtual 'meeting',
but in the end decided that XXX was really meant to be an
but in the end decided that XXX was really meant to be an
in-person meet-up in spirit & practice,
and so it shall be so into the future. :-)
There should be plenty of (other) opportunities for folks to meet-up and interact virtually, and I encourage that, but not for an XXX meeting.
..many internet companies and internet organizations and also from law enforcement agencies, are taking part secretly in massive violation of privacy laws in countries worldwide ..
https://www.ripe.net/ripe/mail/archives/members-discuss/2020-July/004151.html
The big world What are Operational Security Communities? "Collaborating globally for a more secure digital world"
The big world
By Hillar Aarelaid
The big world
What are Operational Security Communities?
- 1,229
