MAAWG Training Video Series – Techniques, Tools, and Processes to help service providers clean malware from subscriber systems.

This is one of six segment security workshop from the training course Barry Greene presented at the M3AAWG meeting in October 2012. Download the slides for this session from the in the linked below. This workshop was tuned with the recommendations from the US FCC’s CSRIC III. It provide tools for the service providers to “tune” their remediation policies for their customers who get violated with malware. https://www.m3aawg.org/activities/training/cleaning-malware-videos.

1. Segment 1 – Top SP Security Essential Technique (Video) (Slides)
2. Segment 2 – Types of Malware Problems ISPs Encounter (Video) (Slides)
3. Segment 3 – Understanding the Threat: A Cyber-Criminal’s Work Day & Cyber-Criminal Behavior Drivers (Video)  (Slides)
4. Segment 4 – Turning Point – Strategy for Change (Video) (Slides)
5. Segment 5 – Remediating Violated Customers (Video) (Slides)
6. Segment 6 – US FCC’s Anti-Botnet Code of Conduct (ABC’s for ISPs) – Overview & Code on a Shoestring Budget (Video) (Slides)

Security Workshop Description

Governments and societal norms are creating new requirements and expectations that service providers take action to protect their customers by remediating malware infections and helping them recover from cyber-criminal victimization. In this six-part video, Barry Raveendran Greene reviews the current best practices for service providers to find, contain and remediate the malware and bots infecting their customers. It includes several use cases providing a range of options and demonstrating that cost effective and deployable approaches exist that can be implemented today.

The workshop also covers expectations placed on service providers by the FCC’s U.S. Anti-Bot Code of Conduct for Internet Service Providers (ABCs for ISPs), Australia, Singapore’s IDA Master Security Plan, Japan’s Cyber Cleaning Center, the European Union’s new requirements, and new guidelines from the ISO and ITU. The objective is to provide participants with enough information to start their own “malware remediation” plan for their customers.

Barry Greene has over 30 years of industry experience including having served as president of the ISC (Internet Systems Consortium). He is a pioneer in service provider security and operational security reaction teams. Barry is currently a participant on the U.S. Federal Communications Commission’s (FCC’s) Communications Security, Reliability and Interoperability Council (CSRIC).

 

Background Materials

The following papers are suggested for further reading.

• CSRIC WG 7 Draft Report March 2012.pdfUS FCC’s Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs)
• Recommendations for the Remediation of Bots in ISP Networks (http://tools.ietf.org/html/rfc6561)
• Comcast’s Web Notification System Design (http://tools.ietf.org/html/rfc6108)
• Japan Cyber Clean Center (CCC) (https://www.ccc.go.jp/en_ccc/)
• German Anti-Botnet (https://www.botfrei.de/en/index.html)
• Australia IIA (http://www.security.iia.net.au/)
• ENISA’s Botnets: Detection, Measurement, Disinfection & Defence (http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/botnets/botnets-measurement-detection-disinfection-and-defence)
• ENISA’s BOTNET’s – 10 Tough Questions (http://www.enisa.europa.eu/activities/Resilience-and-CIIP/critical-applications/botnets/botnets-10-tough-questions/at_download/fullReport)

Homework & Action

Sitting through a class may be informative, but impact against BOTNETs require action. The following are some examples of immediate action. 

Short Term Action (This Week)

1. Shadowserver.org Reports. Subscribe your networks to Shadowserver’s “ASN & Netblock Alerting & Reporting Service.” This is a public service and provides a 3rd party view of violations on you and your customer’s systems.
2. ISC DNSDB User Interface. Start taking back DNS from the cyber-criminals by using DNSDB – the Passive DNS tool used by the good guys to track “reverse engineer” the criminals DNS activity.
3. Talk to your peers at MAAWG to find out which Operational Security Group is appropriate for you and your team.

Medium Term Action (This Month)

1. Configure your DNS Resolvers for Passive DNS – review Join The Global Passive DNS (pDNS) Network Today & Gain Effective Tools To Fight Against Cyber Crime This will help everyone detect cyber-criminal activity that is targeting your customers. The approach protects the privacy of the victim while uncovering the activities of the criminal. This step will allow an ISP to say they comply with the “collaboration” part of the CSRIC ABCs.
2. Set up your DNS Resolvers for DNS RPZ or equivalent from Xerocole or other commercial products.