Thursday, March 10, 2011

ENISA on Botnets - Ten Tough Questions

Yesterday was the beginning of the "Workshop on Botnet Detection, Measurement, Disinfection & Defence" in Cologne, Germany. (agenda here)

The tracks for Wednesday were "Anti-Botnet Policy Initiatives" and "Legal and Regulatory Issues," both featuring panelists from the Council of Europe and NATO.

Today's tracks included "Anti-Botnet Policy Initiatives Part 2," "State of the Art on Measurements, Countermeasures, and Botnets," "Industry View on Fighting Botnets," "Research and Academia on Fighting Botnets." Some great speakers are on the agenda, including Peter Kruse and Dennis Rand from CSIS Security Group, Mikko Hypponen from F-Secure, and Vitaly Kamluk from Kaspersky.

Two significant documents were released at the conference this morning that pretty much need to go on the Must Read list for anyone interested in Botnets:

Botnets: Detection, Measurement, Disinfection & Defence

After a keynote address by Professor Dr. Udo Helmbrecht, the executive director of ENISA (European Network and Information Security Agency), Daniel Plohmann and Dr. Giles Hogben shared a presentation of ENISA's 154 page document called "Botnets: Detection, Measurement, Disinfection & Defence", editor Dr. Giles Hogben, which you may find on their website here:

The document calls attention to the highest priorities that we should collectively address:
- Mitigation of existing botnets
- Prevention of new infections
- Minimizing the profitability of botnets and cybercrime

In the first of these, there is a call for a new model of engaging, encouraging, and incentivizing Internet Service Providers to be an asset in the botnet fight. Current business models and, in some cases, current laws both reduce the effectiveness of ISPs in helping to fight botnets. Other MITIGATION recommendations encourage improved botnet identification and monitoring, increased information sharing, and bringing cybercrime laws into harmony internationally. Other advice had to do with making sure the entire botnet can be killed before attempting a "partial shutdown."

Under the PREVENTION category, public awareness and improvements to software defenses are encouraged.

Under the PROFITABILITY category, it is necessary to improve anti-fraud mechanisms, and to address the social level of the crimes rather than only the technological level, by increasing deterrence through tougher prosecution and sentencing of offenders.

Specific guidance is provided for Regulators, End-users, Research Institutions, and any information holders.

With regards to the Research Institutions, the recommendation was that they should be "more strongly integrated, and where appropriate, empowered in the fight against botnets. Research should focus on techniques which can be implemented in large-scale operations environments subject to typical cost constraints. They should be supported in studying methods for the detection of botnets and the analysis of malware, in order to provide efficient tools to reduce the reaction time when dealing with complex and sophisticated malware threats. As the results of research may be of interest for ongoing investigations, the process of publishing these results should reflect the responsibility associated with them." (extracted from the Executive Summary, p. 7)

Towards that end, I want to mention that the Anti-Phishing Working Group is trying to encourage this level of interaction between Researchers, Law Enforcement, and Industry through events such as next week's "eCrime Researchers Sync-Up." My colleague, Kent Kerley, and I will be attending from the University of Alabama at Birmingham to work on building these international relationships, not just among EU nations, but around the world. APWG sponsors the eCrime Researchers Summit, the eCrime Operations Summit, and now the eCrime Researchers Sync-up to try to encourage exactly the types of interactions described in this report. To learn more about APWG events, visit the APWG eCrime Research page.

Botnets: Ten Tough Questions

Second, ENISA released a document called "Botnets: 10 Tough Questions," an 18-page summary of some of the major issues facing us regarding Botnets.

The Ten Tough Questions document is described as a document that "distills the major issues which need to be understood and addressed by decision-makers in all groups of stakeholders."

Here's a list of the Questions to whet your appetite. I highly recommend consuming both documents!

Q1. How much trust to put in published figures?

Q2. What are the main challenges associated with jurisdiction?

Q3. What should be the main role of the EU/National Governments?

Q4. Which parties should take which responsibilities?

Q5. Where to invest money most efficiently?

Q6. What are key incentives for cooperative information sharing?

Q7. What are key challenges for cooperative information sharing?

Q8. Are there unseen/undetected botnets?

Q9. Which aspects are still missing in the fight against botnets?

Q10. What are future trends?
