The big world


What are Operational Security Communities? 

"Collaborating globally for a more secure digital world"

Inter Network Cooperation 

Merike Kaeo 
merike@doubleshotsecurity.com

https://nsrc.org/workshops/2014/apricot14-security/raw-attachment/wiki/Agenda/4-2-2.inter-network-cooperation.pdf


2012 is Cyber Security's turning point 

Barry Greene 

bgreene@senki.org

http://www.maawg.org/system/files/M3AAWG-Malware-Greene-Seg4-Turning-Point.pdf

There are effective Private Industry 

“Operational Security” Communities 


  • Effective Incident Response, Cyber-Risk Management, and Investigations require active participation and collaboration in these “Operational Security Communities.” 
  • These communities have rules, expectations, “trust networks,” and paranoia that make them hard to find and hard to gain access to.


The following are some examples that will give you a 
tool and context for the types of groups. 
  • Some are open to all. 
  • Some are personality driven 
  • Some are interest driven 
  • Some are highly peer vetted 
  • Some are peer meshed – where only the best of the best are involved (definition of best varies on who you talk to)

Specializations


  • Situational Consultation: OPSEC Trust’s Main Team
  • Big Backbone Security and IP Based Remediation: NSP-SEC
  • DNS System Security: DNS-OARC 
  • Anti SPAM, Phishing, and Crime: MAAWG & APWG 
  • Many other Confidential Groups specializing in specific areas, issues, incidents, and vulnerabilities.

The Real Security Problem


  • How to find their security colleagues in their directly attached peers? 
  • How to find security engineers in providers two hops away? 
  • How to find any security engineers in the big providers?

Operations Security Engineers can

  • Find their security colleagues in their direct peers and a huge range of global ISP/SPs
  • Work with each other via E-mail, chat, iNOC Phone, and POTS to collectively mitigate attacks and incidents on the Internet 
  • Execute Inter-provider Tracebacks and Mitigation 
  • Take proactive measures to prepare for projected attacks




Aggressive Collaboration is the Key

Principles of Collaboration


  • Chain of Trust
  • Sphere of Trust 
  • Need to Know 
  • Chain of Action 

Chain of Trust 


If I trust you and you trust him, then I can also trust him. 

Sphere of Trust 


The group together can be seen as 
a sphere, realm, or zone of 
trust. 

Need to Know in Operation Security



I trust you. You are someone I can depend on, but you don’t really need to know about the details of this incident. 

Not being in a Need to Know Sphere does not mean you are not trusted.

Sphere of Action 

  • Sphere of Action  is a new concept for vetting peers into operational communities. 
  • You trust someone, but will they be able to do something, be responsive, and/or make something happen? 
  • Some communities would like to just know something will happen. 


I've been working an attack against XXX.YY.236.66/32 and XXX.YY.236.69/32. 
We're seeing traffic come from <ISP-A>, <ISP-B>, <IXP-East/West> and others. 
Attack is hitting both IP's on tcp 53 and sourced with x.y.0.0. 
I've got it filtered so it's not a big problem, but if anyone is around I'd 
appreciate it if you could filter/trace on your network. I'll be up for a 
while :/ 

Expectation of Action



  • “Lurking” is bad behavior on Operational Security Communities. 
  • There is an expectation of action – where you use the information to do something within your span of control & influence to fight the badness. 
  • Inability to meet expectations erodes trust and your reputation as someone who acts. 

Community’s Integrity

  • Maintaining integrity is common sense 
  • Never ever forward information posted within an operational security group without the explicit permission of the person who posted the information 
  • Each individual is accountable to be a steward of the information posted and discussed within the community




Violation of trust, such as forwarding information 
that required explicit permission for sharing 
when the permission was not asked, 
results in a breach of trust 
and violates the integrity of the community.

Size does matter


you don’t need to be part of everything, 

you need to trust the bigger team to take action.



face-to-face, in-person meetings are critical 

for creating and maintaining trust relationships


don't translate that to

"must drink beer with each other" :)


it is OK to have small focused groups to break off 

and work on a specific issue/case/investigation/reaction


it is A-OK for groups to fade away 

as new groups evolve and branch out.

NSP-SEC


NSP-SEC was created by several ISP/SP Security 
Engineers as a means to meet the following 
objectives:
  • Provide a means for ISP/SP Security Engineers to find their colleagues 
  • Create a potential forum for ISP/SP Security Engineers to work on DOS attacks, incidents, and other activities 


Membership in nsp-sec is restricted to those actively 
involved in mitigation of NSP Security incidents. Therefore, 
it will be limited to operators, vendors, researchers, and 
people in the community working to stop NSP 
Security incidents. That means no press and (hopefully) 
none of the "bad guys." 


Being a “Security Guru” does not qualify for NSP-SEC Membership. 
Being “from the Government” does not qualify for NSP-SEC Membership. 

You need to be someone who touches a router in an ISP/SP 
backbone, can tell someone to touch a router, offer some 
service to the forum, or develop BCPs for the community. 

If you do not contribute, you do not get to participate. 


http://puck.nether.net/mailman/listinfo/nsp-security 

DNS Operations 

An open public forum for informal reporting, tracking, 
resolving, and discussing DNS operational issues including 
outages, attacks, errors, failures, and features. Note that 
discussion of non-ICANN root systems is explicitly off-topic.



https://lists.dns-oarc.net/mailman/listinfo/dns-operations 

OPSEC Trust 


Operations Security Trust (or "Ops-T") forum is a highly vetted community of security professionals focused on the operational robustness, integrity, and security of the Internet. The community promotes responsible action against malicious behavior beyond just observation, analysis and research. Ops-T carefully expands membership, pulling talent from many other security forums and looking for strong vetting. 


Operations Security Trust (or "Ops-T") members are in a position to directly affect Internet security operations in some meaningful way. The community's members span the breadth of the industry including service providers, equipment vendors, financial institutions, mail admins, DNS admins, DNS registrars, content hosting providers, law enforcement organizations/agencies, CSIRT Teams, and third party organizations that provide security-related services for public benefit (e.g. monitoring or filtering service providers). The breadth of membership, along with an action plus trust vetting approach creates a community which would be in a position to apply focused attention on the malfeasant behaviors which threaten the Internet.


Ops-T does not accept applications for membership. 

New candidates are nominated by their peers who are actively working with them on improving the operational robustness, integrity, and security of the Internet.


https://ops-trust.net/

Takeaways 

Aggressive Private Industry to Private Industry Collaboration 
is critical before any successful “public – private partnership”. 

Effective Incident Response, Cyber-Risk Management, and 
Investigations require active participation and collaboration 
in these “Operational Security Communities.” 

These communities have rules, expectations, “trust 
networks,” and paranoia that make them hard to find and hard 
to gain access to. The investment in Trust does turn into 
results.


“trust groups” have “community life cycles.” 

Being “from the Government” 

does not qualify ;-(




BEING “FROM THE CERT” DOES NOT QUALIFY EITHER

2020 Frg wrote


I gave a lot of thought to some virtual 'meeting',
but in the end decided that XXX was really meant to be an 
in-person meet-up in spirit & practice, 
and so it shall be so into the future. :-)

There should be plenty of (other) opportunities for folks to meet-up and interact virtually, and I encourage that, but not for an XXX meeting.

..many internet companies and internet organizations and also from law enforcement agencies, are taking part secretly in massive violation of privacy laws in countries worldwide ..


https://www.ripe.net/ripe/mail/archives/members-discuss/2020-July/004151.html