What Botnets do · Why ETSI Members should have interest in Botnets

Page 1
Page 2

What Botnets do

Source: PCWorld

© Leaders in Security – LSEC, 2014, for ACDC – public, p 2

Page 3

But who cares? – Business? – Not really

Source: LSEC, Innovations, Websense, 09/13

Page 4

Carna Botnet: 420,000 bots – a research project

Source: LSEC, ACDC, Cyberdefcon 03/2013

Page 5

Relevance for ETSI Members: Global Threat Map Today

Europe is target and host

Source: Hostexploit, September 2013

Page 6

Why ETSI Members should have interest in Botnets

• Spambots: spam can result in extra cost for the ISPs in terms of wasted network, server, or personnel resources, among many other potential costs and side effects.
• Reputation: spam can also negatively affect the reputation of the ISP, their customers, and the email reputation of the IP address space used by the ISP (often referred to simply as 'IP reputation').
• Hosting criminal activities: bots are platforms for directing, participating in, or otherwise conducting attacks on critical Internet infrastructure. Bots are frequently used as part of coordinated Distributed Denial of Service (DDoS) attacks for criminal, political, or other motivations.
• Role of ISPs:
  • attempt to detect and observe botnets operating in their networks.
  • may also be in a position to be able to notify their customers of actual, potential, or likely infection by bots.
• Role of end-users:
  • once notified, they can take steps to remove the bots, resolve any problems which may stem from the bot infection, and protect themselves against future threats.

Source: CSRIC, January 2012 – US ABC – AntiBotnet

Page 7

Impact of Botnet Defense

Source: PCWorld, IBM

Page 8

Infected machines vs subscribers per ISP (spam)

Source: Botnet mitigation and the role of ISPs, TU Delft, March 2013

Page 9

ACDC & The European Commission's Cyber Security Strategy

Trust and Security, DG CONNECT - European Commission

Page 10

Pan-European Multi-stakeholder approach

Source: ENISA, 2012: DG INFSO CIP PSP

ACDC Partner Spread

Page 11

WP2 Pilot Components & Technology Development

Tools:

(1) Sensors and detection tools for networks
(2) Systems Infections – infected websites analysis
(3) Device Detection and mitigation – multi-purpose tools for end users
(4) Centralized Data Clearing House and
(5) Pan-European Support Centre

T2.1: Establishing and Management of Pilot Governance Group (LSEC) [M01-M27]
T2.2: Developing Technology Framework (ATOS) [M01-M06]
T2.3: Developing Pilot Component Task Forces (LSEC) [M01-M21]
T2.4: Pilot Component Developments (LSEC, TID) [M03-M23]
T2.5: Change management (LSEC) [M06-M27]
T2.6: Component Development Quality control management (LSEC) [M06-M27]

Page 12

Examples: Telecom Italia Involvement

Telecom Italia Information Technology is in charge of managing the IT and the security operations for the TI group.

Within TI-IT, the Security Lab has several years of experience in botnet-fighting:

• Analysis of botnet phenomena, with a focus on botmaster behaviours
• Identification of infected PCs through DNS analysis
• Honeynet systems
• Malware domain identification and monitoring
• Mobile malware analysis

Page 13

Examples: Telecom Italia Involvement

• Honeynet system:
  • Network of sensors on public fixed and mobile networks
  • Nowadays 80 sensors are available
  • Open-source technology used for honeypots
  • HPFEEDS protocol internally used to convey/distribute information collected by honeypots
• Internet Background Radiation:
  • Collaboration with UK CyberDefcon (Darknet)
  • Passive sensors, “black hole”
  • Entire x.x.x.0/24, entire class C network dedicated

Page 14

STIX Aggregator

Page 15

Operational Detection

CARNet (KR) have produced a network of detection systems which identify botnet activity within spam e-mails and network connections.

Page 16

Operational Detection

XLAB have produced an Intrusion Detection System for Android smartphones.

Page 17

Data Sharing & Analysis

CARNet creates identified threat information in the STIX format and sends the information to the ACDC STIX Aggregator.

STIX Aggregator

The XLAB Android IDS infrastructure queries the STIX Aggregator to obtain threat information provided by CARNet and blocks access to suspicious sites.

Page 18

Types of Information Currently Collected

• URLs hosting suspected malware
• Malware samples
• IP Addresses of hosts sending SPAM
• IP Addresses of suspected Command and Control Servers
• …

Collected from Honeypot Networks, SPAM collection systems and custom partner tools.
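The sensor-to-aggregator-to-consumer flow of pages 17 and 18, as an added example that is not code from the ACDC project or this deck: a minimal aggregator deduplicates indicators of the kinds listed above, and a consumer in the device-IDS role checks a URL against them. It assumes STIX 2.1-style JSON indicators with single-comparison patterns (the STIX of the deck's era at stix.mitre.org was the XML-based STIX 1.x); the feed, hosts, hash and ids are constructed.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed sample feed (not real data), STIX 2.1-style JSON by assumption;
# the ids are placeholders, not valid STIX UUIDs.
SENSOR_FEED = json.dumps({"type": "bundle", "id": "bundle--example-0001", "objects": [
    {"type": "indicator", "id": "indicator--example-0001", "pattern_type": "stix",
     "pattern": "[url:value = 'http://dl.malware-host.example/stage2.bin']"},  # URL hosting malware
    {"type": "indicator", "id": "indicator--example-0002", "pattern_type": "stix",
     "pattern": "[ipv4-addr:value = '198.51.100.23']"},  # suspected C2, RFC 5737 documentation range
    {"type": "indicator", "id": "indicator--example-0003", "pattern_type": "stix",
     "pattern": "[file:hashes.'SHA-256' = '" + "0" * 63 + "1']"},  # malware sample hash (constructed)
    {"type": "indicator", "id": "indicator--example-0004", "pattern_type": "stix",
     "pattern": "[url:value = 'http://dl.malware-host.example/stage2.bin']"},  # duplicate report
]})

# Only the simplest STIX patterns are parsed: one comparison on one object path.
PATTERN_RE = re.compile(r"^\[(url:value|ipv4-addr:value|file:hashes\.'SHA-256') = '([^']+)'\]$")
KIND = {"url:value": "url", "ipv4-addr:value": "ipv4", "file:hashes.'SHA-256'": "sha256"}

class StixAggregator:
    """Deduplicating indicator store keyed by (kind, value): the aggregator role in the deck."""
    def __init__(self):
        self.store = {}

    def ingest(self, bundle_json):
        """Take a STIX bundle from a sensor; return the number of new indicators stored."""
        added = 0
        for obj in json.loads(bundle_json).get("objects", []):
            if obj.get("type") != "indicator":
                continue
            m = PATTERN_RE.match(obj.get("pattern", ""))
            if not m:  # unsupported pattern: skip rather than guess
                continue
            key = (KIND[m.group(1)], m.group(2))
            if key not in self.store:
                self.store[key] = obj["id"]
                added += 1
        return added

    def query(self, kind):  # consumer query: 'url', 'ipv4' or 'sha256'
        return {value for (k, value) in self.store if k == kind}

def is_blocked(aggregator, url):
    """Device-IDS role: block when the host matches a reported URL host or C2 address."""
    host = urlsplit(url).hostname
    bad_hosts = {urlsplit(u).hostname for u in aggregator.query("url")} | aggregator.query("ipv4")
    return host is not None and host in bad_hosts
```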

Page 19

Expected outcomes for Telecom Italia

• TI, as a telco and ISP provider, is particularly interested in fighting malware and botnets, protecting its infrastructures and customers
• TI is strongly involved in the ACDC Pilot with a team of security-skilled people, technical measures and tools that will be integrated into the ACDC framework
• Information and experience sharing and international collaboration are nowadays essential for effective cybersecurity
• ACDC represents a concrete way to improve the security of the EU cyberspace.

Page 20

User Tools & Impact

http://www.check-and-secure.com
https://www.check-and-secure.com/completion/_de/index.html

Page 21

User Tools & Impact

https://www.initiative-s.de/de/index.html

Page 22

Effective Cyber Threat Intelligence and Information Sharing

Sharing Impact

http://stix.mitre.org/

Page 23

WP2 Pilot Components & Technology Development (same content as page 11)

Page 24

Join ACDC

Building Community Portal, reaching out to: industry, research, existing communities, law enforcement, policy makers, ISPs & operators, CERTs, …

Looking for:

1. Detection & Mitigation Tools & Techniques
2. Data Analysis and Botnet Analysis & Prevalence - Deployment
3. Data & Intelligence Sharing
4. Awareness Creation
5. Influencing Policy

Page 25

NOT THE END

More information and follow-up

www.acdc-project.eu
www.botfree.eu

Q or C

Ulrich Seldeslachts
[email protected]
+32 475 71 3602

Paolo de Lutiis
[email protected]

Page 26

Links to Policy Documents

• Council conclusions on Critical Information Infrastructure Protection
  http://register.consilium.europa.eu/pdf/en/11/st10/st10299.en11.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Achievements and next steps: towards global cyber-security" - COM(2011) 163
  http://ec.europa.eu/information_society/policy/nis/docs/comm_2011/comm_163_en.pdf
• Digital Agenda for Europe - COM(2010)245 of 19 May 2010
  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2010:0245:FIN:EN:PDF
• The EU Internal Security Strategy in Action: Five steps towards a more secure Europe - COM(2010)673
  http://ec.europa.eu/commission_2010-2014/malmstrom/archive/internal_security_strategy_in_action_en.pdf
• Commission Communication on Critical Information Infrastructure Protection – "Protecting Europe from large scale cyber-attacks and disruptions: enhancing preparedness, security and resilience" - COM(2009) 149
  http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=COM:2009:0149:FIN:EN:PDF