CERT-FI<\/a><\/li>\n<\/ul>\n\u00a0<\/p>\n
Issues<\/strong><\/p>\nProblem: Finland cleans up its own house, but they still end up getting attacked!<\/p>\n
Problem: Most incidents are out of scope in mandated reporting<\/p>\n
Problem: Establishing CERT-FI – no ownership or visibility of network; 3 ppl that in theory are expected to be there 7×24!<\/p>\n
Huge increase in incidents [reported] from 2002-2006. It’s a pretty graph, but it really shows that the CERT-FI workforce increased and that processes were honed<\/p>\n
\u00a0<\/p>\n
How many incidents affect finnish networks?<\/p>\n
How are we compared to neighbors (would love to take a data-driven jab at swedes).<\/p>\n
\u00a0<\/p>\n
So, workforce, regulatory and other constraints & need for actionable data == make automated system.<\/p>\n
\u00a0<\/p>\n
2006: created automated system to capture incident reports (mostly malware) from various monitoring projects around the globe.<\/p>\n
Daily reports, e-mailed, CSV format pre-defined agreed-upon subjects. digitally signed. reported incidents in body.<\/p>\n
\u00a0<\/p>\n
How CERT-FI handles abuse:<\/p>\n
\n- detection<\/li>\n
- reports (e-mail\/phone\/fax) –\u00a0Funny story: one woman printed out all the spam she received and sent to CERT-FI, until asked not to anymore.<\/em><\/li>\n
- Scraping feeds, normalizing\/correlating data<\/li>\n
- Finding owners<\/li>\n
- -Map bad events to netblocks<\/li>\n
- -maintain contact list (& contact prefs!)<\/li>\n
- -manage customer expectations<\/li>\n
- Report out stats, trends, chronic cases<\/li>\n
- Assist in incident response<\/li>\n<\/ul>\n
\u00a0<\/p>\n
There are dozens of projects, data sources, blacklists etc but they vary in format (even timestamps), purpose, channel (IRC, http, ftp)<\/p>\n
\n- data is frequently missed due to downtime, system availability<\/li>\n
- info integrity is difficult to gauge<\/li>\n
- bugs in feeds data & reporting<\/li>\n
- wildly differing frequency of updates (realtime to monthly)<\/li>\n
- taxonomies are diverse<\/li>\n
- detail level not discrete<\/li>\n<\/ul>\n
\u00a0<\/p>\n
Ensuring Focus of CERT-FI<\/strong><\/p>\n\n- What are we not seeing?<\/li>\n
- What should I prepare for?<\/li>\n
- Who is the target of damage & who is just collateral<\/li>\n
- Can the data\/sources be trusted?<\/li>\n<\/ul>\n
\u00a0<\/p>\n
[side-talk: CERT-FI manages intake and the privacy laws make it difficult to delegate collection to the ISPs]<\/p>\n
[side-talk: 5.5 mill population of finland, very high # of folks with internet access, everyone has a cell phone. internet considered a basic human right]<\/p>\n
\u00a0<\/p>\n
CERT-FI shows ISP incident graphs in comparison to other ISPs. \/me: the embarrassment factor is a good motivator<\/p>\n
interesting: conficker is still a problem<\/p>\n
CERT-FI autoreporter can actually report out incidents per broadband customer (trending)<\/p>\n
\u00a0<\/p>\n
Abusehelper:\u00a0http:\/\/code.google.com\/p\/abusehelper\/wiki\/README<\/span><\/p>\nAbuse Helper is toolkit for CERT and Abuse teams. It is a modular, (hopefully) scalable and robust framework to help you in your abuse handling.<\/p>\n
With Abuse Helper you can:<\/p>\n
\n- Retrieve Internet Abuse Handling related information via several sources which are\n
\n- near-real-time (such as IRC)<\/li>\n
- periodic (such as Email reports), or<\/li>\n
- request\/response (such as HTTP).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n