Posted on Saturday, January 13th, 2007

ISP Security BOF @NANOG 39

by Danny McPherson

NANOG 39 is February 4-7, 2007 in Toronto, looking forward to seeing many of you folks there. I’ll again be moderating the ISP Security BOF (a loosely managed gathering of mostly network security operations folk).

We’ve got a couple of discussion topics on the agenda at the moment:

The root of a log: Extracting Intelligence from the Woods
Botnet C&C: Extirpate or Infiltrate?

Much random discussion takes place about whether botnet C&C infrastructure should be taken offline immediately or infiltrated in order to identify compromised machines, collect malware, monitor illicit activity, attempt to identify the miscreants involved, or any number of other motivators. There are two fairly well segmented camps when it comes to deciding which of these actions is more appropriate, and affiliation is largely guided by the personal or business motivations and the resources of those involved. Network operators are clearly in the best position to disrupt botnet C&C transactions, but what are the benefits and side effects of doing so?

The other topic, “The root of a log” (i.e., log file analysis), while perhaps not quite as sexy, is certainly as relevant. I’ve seen a wide array of tools and techniques employed by service providers to extract intelligence from the logs of infrastructure-associated systems (routers, route servers, AAA servers and the like). Heck, there’s a whole industry around this — that’d be SEM, or SIM, or is it SIEM :-), though it is perhaps not as widely employed by service providers for infrastructure elements as it is for enterprise hosts. The hope is that network operators discussing what they’re doing with log files today will give other operators ideas about what they may be able to do with the same data.
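As an added illustration of the kind of thing meant by “extracting intelligence from the woods” (this is example code written for this page, not a tool from the BOF or from any operator), here is a small Python pass over infrastructure syslog. The sample lines are constructed for the example and only modelled on Cisco IOS message formats (%SEC_LOGIN-4-LOGIN_FAILED, %BGP-5-ADJCHANGE); the hostnames, addresses and thresholds are assumptions. It pulls two things out of otherwise noisy router logs: sources that are brute-forcing logins across several devices, and BGP sessions that keep flapping.

```python
import re
from collections import Counter

# Constructed sample syslog lines (modelled on Cisco IOS formats, as a central
# collector would record them with the sending hostname). Not real device logs.
SAMPLE_LOGS = """\
Jan 13 02:14:05 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]
Jan 13 02:14:09 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]
Jan 13 02:14:12 rtr1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]
Jan 13 02:14:15 rtr2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 22] [Reason: Login Authentication Failed]
Jan 13 02:15:01 rtr2 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 198.51.100.23] [localport: 23] [Reason: Login Authentication Failed]
Jan 13 02:20:30 rtr3 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ops] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed]
Jan 13 02:21:00 rtr3 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: ops] [Source: 203.0.113.9] [localport: 22]
Jan 13 03:02:11 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Jan 13 03:02:40 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
Jan 13 03:05:13 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Down BGP Notification sent
Jan 13 03:05:50 rtr1 %BGP-5-ADJCHANGE: neighbor 192.0.2.1 Up
Jan 13 03:10:00 rtr2 %SYS-5-CONFIG_I: Configured from console by ops on vty0 (203.0.113.9)
"""

# Generic envelope: timestamp, sending host, %FACILITY-SEVERITY-MNEMONIC, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
LOGIN_RE = re.compile(r"\[user: (?P<user>[^\]]*)\] \[Source: (?P<src>[^\]]+)\]")
BGP_RE = re.compile(r"neighbor (?P<nbr>\S+) (?P<state>Up|Down)")


def parse_line(line):
    """Return a dict for one syslog line, or None if it is not in the envelope format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["kind"] = "other"
    if rec["mnemonic"] == "SEC_LOGIN-4-LOGIN_FAILED":
        lm = LOGIN_RE.search(rec["msg"])
        if lm:
            rec["kind"] = "login_failed"
            rec.update(lm.groupdict())
    elif rec["mnemonic"] == "BGP-5-ADJCHANGE":
        bm = BGP_RE.search(rec["msg"])
        if bm:
            rec["kind"] = "bgp_adjchange"
            rec.update(bm.groupdict())
    return rec


def summarize(log_text):
    """Aggregate failed logins per source address and BGP session drops per (host, neighbor)."""
    failed_by_src = Counter()
    hosts_by_src = {}   # which devices each source has been poking at
    users_by_src = {}   # which usernames each source has tried
    bgp_downs = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "login_failed":
            src = rec["src"]
            failed_by_src[src] += 1
            hosts_by_src.setdefault(src, set()).add(rec["host"])
            users_by_src.setdefault(src, set()).add(rec["user"])
        elif rec["kind"] == "bgp_adjchange" and rec["state"] == "Down":
            bgp_downs[(rec["host"], rec["nbr"])] += 1
    return {
        "failed_by_src": failed_by_src,
        "hosts_by_src": hosts_by_src,
        "users_by_src": users_by_src,
        "bgp_downs": bgp_downs,
    }


def find_brute_force(summary, threshold=3):
    """Sources with at least `threshold` failed logins, as (src, failures, distinct devices).
    The device count matters: one source sweeping many routers is rarely a typo."""
    return [
        (src, n, len(summary["hosts_by_src"][src]))
        for src, n in summary["failed_by_src"].most_common()
        if n >= threshold
    ]


def find_flapping_sessions(summary, threshold=2):
    """BGP sessions that went Down at least `threshold` times in the window."""
    return [
        (host, nbr, n)
        for (host, nbr), n in summary["bgp_downs"].most_common()
        if n >= threshold
    ]


if __name__ == "__main__":
    s = summarize(SAMPLE_LOGS)
    for src, n, devices in find_brute_force(s):
        print(f"brute force: {src} {n} failures across {devices} device(s), users {sorted(s['users_by_src'][src])}")
    for host, nbr, n in find_flapping_sessions(s):
        print(f"flapping: {host} neighbor {nbr} down {n} times")
```

The thresholds are deliberately low so the constructed sample trips them; on a real collector you would bucket by time window and tune them against normal failure rates per platform. The point of the example is the shape of the pipeline (one envelope parser, per-mnemonic field extraction, then aggregation keyed on the field that answers the operational question), which is the same whether it is fed from a flat file or a SIEM.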

Anyway, perhaps I’ll see you there, and if not, I’ll try to find my way back to the blog to provide a summary of the discussions and my conclusions on the topics.
