CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs)
Automating Abuse Situation Awareness
By automating the collection and processing of abuse information, security personnel can handle more information in less time and discover relevant information faster. Automating basic tasks frees up the security personnel's time for the actual analysis [3]. However, the lack of a common information sharing standard has been a major hindrance to automating abuse situation awareness [15]. Security notifications and abuse feeds come in a variety of formats, including formats that are not machine-readable [3]. Following external threat information sources in particular involves sifting through emails, website postings and other human communications. Instead of waiting for an ideal information sharing format, organizations should employ practical security collaboration solutions [15], such as AbuseSA.
Collaboration
The best results are achieved by fully automating the feeders-proxies-cleaners information chain. Through collaboration, each organization can scale its security expertise, speed up attack detection and improve remediation [15]. The feeders are best at discovering Internet abuse [17]. The proxies have the best expertise and resources for collecting, aggregating and reporting the abuse information provided by the international security community [17]. Actual attack mitigation has to be done by the cleaners, because only they have access to their own networks [17]. However, the availability of actionable abuse information collected and reported by the feeders and proxies makes the cleaners' task a lot easier.
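The two preceding sections describe the mechanics without showing them: heterogeneous feeds (some machine-readable, some plain e-mail) have to be normalized into one record form before anything can be automated, and the normalized records then have to reach the cleaner who owns the affected network. The following Python is an added example written for this page; it is not Codenomicon's or AbuseSA's code. Both feeds, their field names, every address and the network-to-cleaner mapping are constructed for the illustration. It parses a CSV drone feed and a free-text e-mail notice into a common record, drops exact duplicates, and groups the records by the responsible cleaner, leaving records from unknown networks in an "unrouted" bucket rather than silently discarding them.

```python
from __future__ import annotations

import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable

# Common record schema every feed parser must emit, regardless of the
# feed's native format. (Illustrative schema, not AbuseSA's.)
@dataclass(frozen=True)
class AbuseEvent:
    source: str      # which feeder reported it
    ip: str          # affected host, normalized
    category: str    # botnet_drone, defacement, ...
    observed: str    # ISO-8601 timestamp in UTC
    detail: str      # feed-specific extra information


# Feed 1 (constructed sample): a machine-readable CSV drone feed.
DRONE_CSV = """timestamp,ip,asn,family,cc_ip,cc_port
2013-04-02 10:15:00,192.0.2.44,64496,conficker,198.51.100.9,8080
2013-04-02 10:16:30,203.0.113.7,64497,zeus,198.51.100.12,443
"""

def parse_drone_csv(text: str) -> list[AbuseEvent]:
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        ts = ts.replace(tzinfo=timezone.utc)
        events.append(AbuseEvent(
            source="drone-feed",
            ip=str(ipaddress.ip_address(row["ip"])),  # rejects malformed addresses
            category="botnet_drone",
            observed=ts.isoformat(),
            detail=f"family={row['family']} cc={row['cc_ip']}:{row['cc_port']}",
        ))
    return events


# Feed 2 (constructed sample): a free-text e-mail notification, the kind
# of "human communication" that is not machine-readable.
EMAIL_NOTICE = """Subject: [abuse] Defaced web server in your network
Date: Tue, 02 Apr 2013 11:02:11 +0000

Hello,
our crawler observed a defacement on http://203.0.113.7/index.html
(attacker handle: "ex4mple"). Please clean the host.
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
HEADER_RE = {name: re.compile(rf"^{name}:\s*(.+)$", re.MULTILINE)
             for name in ("Subject", "Date")}

def parse_email_notice(text: str) -> list[AbuseEvent]:
    headers = {n: rx.search(text) for n, rx in HEADER_RE.items()}
    if not all(headers.values()):
        raise ValueError("notice lacks Subject or Date header")
    subject = headers["Subject"].group(1).strip()
    ts = datetime.strptime(headers["Date"].group(1).strip(),
                           "%a, %d %b %Y %H:%M:%S %z").astimezone(timezone.utc)
    category = "defacement" if "defac" in subject.lower() else "unclassified"
    events = []
    for candidate in sorted(set(IPV4_RE.findall(text))):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # e.g. 999.1.2.3 matches the regex but is not an address
        events.append(AbuseEvent("email-notice", str(addr), category,
                                 ts.isoformat(), subject))
    return events


# Routing (constructed mapping): which cleaner owns which network.
CLEANERS = {
    ipaddress.ip_network("192.0.2.0/24"): "isp-a-abuse@example.net",
    ipaddress.ip_network("203.0.113.0/24"): "critinfra-soc@example.org",
}

def route(events: Iterable[AbuseEvent]) -> dict[str, list[AbuseEvent]]:
    """Group events by the cleaner responsible for the affected network."""
    routed: dict[str, list[AbuseEvent]] = {}
    for ev in events:
        addr = ipaddress.ip_address(ev.ip)
        owner = next((c for net, c in CLEANERS.items() if addr in net), "unrouted")
        routed.setdefault(owner, []).append(ev)
    return routed

def build_report() -> dict[str, list[AbuseEvent]]:
    """Collect from every feed, drop exact duplicates, route to cleaners."""
    events = parse_drone_csv(DRONE_CSV) + parse_email_notice(EMAIL_NOTICE)
    unique = list(dict.fromkeys(events))  # frozen dataclass => hashable
    return route(unique)

if __name__ == "__main__":
    for owner, evs in build_report().items():
        print(owner)
        for ev in evs:
            print(f"  {ev.observed} {ev.ip} {ev.category} ({ev.source}) {ev.detail}")
```

Running it groups the zeus drone report and the defacement notice under the same cleaner, because both concern 203.0.113.7; that correlation across two feeds in two formats is the practical payoff of normalizing first. Each additional feed only needs a parser that emits `AbuseEvent`; routing and deduplication stay unchanged.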
Botnet-Inspired Situation Awareness System (AbuseSA)
Feeders, Proxies and Cleaners
Actors in the abuse situation awareness field can be divided into three groups: feeders, proxies and cleaners [17]. Feeders monitor network incidents and provide data for abuse notifications, which can be fed to other organizations [17]. Feeders are security vendors, industry organizations, government channels and non-commercial organizations, like Shadowserver, Zone-H and DShield [17]. The proxies, that is, CERTs, ISP abuse teams and government defense organizations, are in charge of informing their stakeholders about abuse [17]. The stakeholders, or the cleaners, are the organizations, enterprises, ISPs and critical infrastructure providers that are responsible for keeping their own networks clean [17].
AbuseSA is a botnet-inspired system for automatically collecting and sharing abuse situation awareness [17]. Similar systems have been used by the Finnish and Estonian national CERTs for automated abuse handling [17]. Before they became associated with malicious purposes, small software modules, or bots, were used for administrating Internet Relay Chat (IRC) rooms [18]. Administrating chat rooms was time consuming, and bots could be used to automate this task [18]. Criminals took this approach and used it to create huge botnets. By joining hundreds of thousands of infected PCs to IRC command and control (C&C) channels, the criminals could control their net-
Figure 5: Feeders, Proxies and Cleaners. [17]
Abuse Feeds / Intelligence (feeders): • Non-profit and commercial organizations • Shadowserver, Zone-H, DShield, Abuse.ch, Malwaredomainlist and tens more
Proxies: • National and governmental CERTs • Cyber defense organizations • ISP abuse teams
Cleaners: • ISPs • Critical infrastructure providers • Governmental organizations
Protected by the chain: citizens and critical infrastructure
Figure caption (cut off in extraction): Feeders produce data which AbuseSA users collect, process and report systematically to protect