2. #nsw44
How we currently process abuse intel
RTIR:
»Report comes in
»Script parses data and creates tickets
»Data distributed to organisations as part of ticket creation process
»Incident handler is alerted to new ticket
»Incident handler processes report using home-grown script
3. #nsw44
How we currently process abuse intel
24/03/2016 Title of presentation (Insert > Header & Footer > Slide > Footer > Apply to all)
RTIR:
»Report comes in
»Script parses data and adds data to existing ticket
»Incident handler is alerted to new ticket
»Incident handler checks ticket for new data
»Incident handler sends data on to site
4. #nsw44
Process review findings
»Shadowserver data is delayed by ~24hrs
»Getting the latest data sent out requires intervention by an incident handler
»Incomplete data is sometimes sent out, making investigations difficult
»A response is often not required and creates unnecessary work for both parties
5. #nsw44
The landscape is evolving
»Major vulnerabilities are being disclosed
»More open/insecure services are reachable via the internet
»Malware is becoming more complex
»Guest networks and BYOD == larger attack surface!
»Increase in intel data and available feeds = security teams are processing a substantial amount of data
»This means that we need to automate more!
6. #nsw44
We know we can do much better!
»Faster processing
»Timely reporting
»All data should be actionable and relevant
»Must communicate clearly when an acknowledgement or response is required
7. #nsw44
AbuseHelper
»AbuseHelper (or AbuseSA) automates the collection, processing and reporting of intelligence and abuse data to help organisations secure their networks
»Developed by Codenomicon, a branch of Synopsys
8. #nsw44
AbuseHelper – What is it?
The core of AbuseHelper is a framework to help with automating the distribution of abuse information in three steps:
»Input feeds
»Processing
»Output
10. #nsw44
AbuseHelper - Processing
Processing the events from these feeds.
»Augmenting
»Sanitizing
»De-duplicating
»Filtering
»Adding additional data (GeoIP, Whois, CRM, ASN lookups)
11. #nsw44
AbuseHelper - Output
Sending out actionable reports to our customers.
Outputs supported by AbuseHelper:
»Direct emails
»XMPP feeds
»Incident handling systems
»Updating firewall rules
»CSV
»JSON (in the last couple of weeks)
12. #nsw44
Options available to you!
»Customers can specify how they want their data
»Reporting style – do you want reports per-IP or aggregated per-org?
»Reporting frequency is based on reporting style:
› Per-IP = near real time
› Aggregated = every 12 hours or daily
14. #nsw44
Input feed
»Each feed bot will frequently poll its source and retrieve data for ASN786
»Once retrieved, each bot will store the data in an XMPP chat room
16. #nsw44
Data Processing
The processing stage allows us to customise certain aspects of the data we receive from each feed.
We will:
»Filter out reports with “missing data”
»Remove duplicate entries
»Run whois lookups to find the correct contacts
»Run GeoIP lookups on IP addresses
»Retrieve the reporting style for each customer
Once this work has been completed, the report is ready to be output.
18. #nsw44
Data output/distribution
»The output stage is where we send the information to you
»Once the processing stage is complete, what’s left will be an actionable report with the relevant contact details appended
»An “RTIR bot” will then connect to our RTIR instance and send out data depending on the reporting style configured
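As an added example (not AbuseHelper's own code and not Janet CSIRT's configuration), a small Python model of the processing and output stages described on the last two slides: drop events with missing data, de-duplicate, append a contact, then route per-IP or aggregated per-org according to each customer's reporting style. The feed events, the contact table standing in for the whois/CRM lookup and the reporting-style table are all constructed.

```python
from collections import defaultdict

# Constructed sample feed events, as if already parsed from a Shadowserver-style
# feed; 'ip' and 'type' are the fields a report must carry to be actionable.
FEED_EVENTS = [
    {"ip": "192.0.2.10", "type": "open-dns", "asn": "786"},
    {"ip": "192.0.2.10", "type": "open-dns", "asn": "786"},   # duplicate entry
    {"ip": "198.51.100.7", "type": "botnet-drone", "asn": "786"},
    {"ip": "", "type": "open-ntp", "asn": "786"},              # missing data
    {"ip": "203.0.113.4", "type": "open-ntp", "asn": "786"},
]

# Constructed stand-ins for the whois/CRM contact lookup and for the
# per-customer reporting style ("ip" = near real time, "org" = aggregated).
CONTACTS = {"192.0.2.": "org-a", "198.51.100.": "org-b", "203.0.113.": "org-c"}
REPORTING_STYLE = {"org-a": "ip", "org-b": "org", "org-c": "org"}
REQUIRED = ("ip", "type")


def lookup_contact(ip):
    """Map an IP to its owning org by the first matching prefix (toy whois)."""
    for prefix, org in CONTACTS.items():
        if ip.startswith(prefix):
            return org
    return None


def process(events):
    """Filter incomplete events, de-duplicate, and append the contact org."""
    seen, out = set(), []
    for ev in events:
        if any(not ev.get(f) for f in REQUIRED):
            continue                      # "missing data": drop, never send it on
        key = (ev["ip"], ev["type"])
        if key in seen:
            continue                      # duplicate entry
        seen.add(key)
        org = lookup_contact(ev["ip"])
        if org is None:
            continue                      # no contact found: nothing actionable
        out.append({**ev, "org": org})
    return out


def route(processed):
    """Per-IP customers get one report per (org, ip); aggregated customers get
    a single report per org that collects all of their events."""
    reports = defaultdict(list)
    for ev in processed:
        style = REPORTING_STYLE.get(ev["org"], "org")
        key = (ev["org"], ev["ip"]) if style == "ip" else (ev["org"], "*")
        reports[key].append(ev)
    return dict(reports)
```

The real pipeline hands each report to the RTIR bot at this point; the `("org", "*")` buckets are what an aggregated customer would receive every 12 hours or daily.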
19. #nsw44
Customer interaction
»All reports will come from intelligence@csirt.ja.net
»We will no longer require a response to issues from this address
»RTIR reference number included with each report
»Feel free to ask for assistance
»Provide feedback where relevant (samples, C&C hosts, pcaps, proxy logs)
20. #nsw44
How does this improve things for you?
✓Faster processing
✓Timely reporting
✓All data will be actionable
✓Must communicate clearly when an acknowledgement or response is required
✓Sites will have more information to help secure their networks
21. #nsw44
How does this improve things for Janet CSIRT?
Use of automation where possible to enable us to use our time for:
»Research
»Writing more best practice and advisory documents
»Proactive “hunting”
»Improving existing services and tools
»Developing new services and tools
22. #nsw44
Situational Awareness
»AbuseHelper provides a range of visualisation options giving us a better view and understanding of the state of security on the Janet network
»We can see where we’ve improved as a network
»Helps identify where we could or should focus our efforts
27. #nsw44
Where we are currently
»Around 100 Jisc customers currently receiving AbuseHelper reporting
»Deployment has been slow due to efforts on other projects
»Currently only processing ShadowServer data
»Feedback from the initial pilot organisations is positive
»Looking for all customers to be active by June
»If you want to be added sooner, please get in contact