Title: Working Group 7: Botnet Remediation Status Update
1 Working Group 7: Botnet Remediation Status Update
September 12, 2012
Michael O'Reirdan (MAAWG) - Chair
Peter Fonash (DHS) - Vice-Chair
2 WG 7 Objectives
- Working Group 7 - Botnet Remediation
- Description: This Working Group will review the efforts undertaken within the international community, such as the Australian Internet Industry Code of Practice, and among domestic stakeholder groups, such as IETF and the Messaging Anti-Abuse Working Group, for applicability to U.S. ISPs. Building on the work of CSRIC II Working Group 8 ISP Network Protection Practices, the Botnet Remediation Working Group shall propose a set of agreed-upon voluntary practices that would constitute the framework for an opt-in implementation model for ISPs. The Working Group will propose a method for ISPs to express their intent to opt into the framework proposed by the Working Group.
- The Working Group will also identify potential ISP implementation obstacles to the newly drafted Botnet Remediation business practices and identify steps the FCC can take that may help overcome these obstacles.
- Finally, the Working Group shall identify performance metrics to evaluate the effectiveness of the ISP Botnet Remediation Business Practices at curbing the spread of botnet infections.
3 WG 7 Members
Name                          Organization
Michael O'Reirdan (Chair)     MAAWG
Peter Fonash (Vice Chair)     DHS
Robert Thornberry (Editor)    Alcatel-Lucent
Uma Chandrashekhar            Alcatel-Lucent
Michael Little                Applied Communication Sciences
Alex Bobotek                  AT&T
John Denning                  Bank of Amer.
Neil Schwartzman (Secretary)  CAUCE
Chris Lewis                   CAUCE
Michael Glenn                 CenturyLink
Paul Diamond (Editor)         CenturyLink
Jay Opperman                  Comcast
Matt Carothers                Cox
Gunter Ollmann                Damballa
Brian Done                    DHS
Daniel Bright                 EMC Inc
Mats Nilsson                  Ericsson
Kurian Jacob                  FCC
Vern Mosley                   FCC
Bill McInnis                  IID
Chris Sills                   IID
Tim Rohrbaugh                 Intersections
Barry Greene                  ISC
Merike Kaeo                   ISC
Ed White                      McAfee
Kevin Sullivan                Microsoft
Jon Boyens                    NIST
Craig Spiezle                 OTA
Bill Smith                    PayPal
Gabe Iovino                   REN-ISAC
Johannes Ullrich              SANS Institute
Adam O'Donnell                Sourcefire
Alfred Huger                  Sourcefire
Greg Holzapfel                Sprint
James Holgerson               Sprint
Michael Fiumano               Sprint
Kevin Frank                   Sprint
Maxim Weinstein               StopBadware
Patrick Gardner               Symantec
Tice Morgan                   T-Mobile
John Griffin                  TCS
Chris Roosenraad              TWC
Joe St Sauver (Glossary)      Univ of Oregon/Internet 2
Robert Mayer                  USTelecom Assoc.
Eric Osterweil                Verisign
John St. Clair                Verizon
Timothy Vogel                 Verizon
4 Work Plan
- Phase 1 - Produce initial Code of Conduct
- Phase 2 - Identify Barriers to Code Participation
- Phase 3 - Develop Bot Metrics
5 Status
- Phase 1 - U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs) completed
- ISPs representing 86% of the U.S. residential subscriber market are either currently participating, or have agreed to participate, in the Code
- Outreach to the smaller ISPs is underway to increase awareness and participation
6 Status (Cont.)
- Phase 2 - Barriers to Code Participation
- Identified five dimensions that can represent obstacles, in various degrees, depending upon individual guidelines:
- Technology
- Consumer/Markets
- Operations
- Legal/Regulatory
- Financial
- Working Group members are providing substantive input as part of a worksheet matrix that will evolve over time as additional implementation guidance is identified and proven effective
7 Status (Cont.)
- Phase 2 - Barriers to Code Participation (Cont.)
- Lower threshold initiatives will be identified in the December Final Report which should provide mid- and small-size ISPs greater latitude to adopt selected guidelines
- December Final Report will include Barriers Worksheet Matrix along with a snapshot of current information
- Ongoing analysis of the barriers may be the basis for an IETF RFC
8 Status (Cont.)
- Phase 3 - Bot Metrics
- In the process of querying ISPs to identify performance metrics to evaluate the effectiveness of following the voluntary U.S. Anti-Bot Code of Conduct for ISPs at curbing the spread of botnet infections
- Encountering extreme challenges
- Most ISPs are reluctant to share, are collecting information in different ways, and the information is not comparable from one company to the next
- Australian iCode is only now starting work on developing metrics after two years of operation
- Likely outcome is a work plan for developing metrics
9 WG7 Effort is Part of Multi-Stakeholder Approach to Cybersecurity
- ISPs are in a position to detect botnets operating within their networks and notify end-users of suspected bot infections
- Other members of the Internet ecosystem have equally important roles to fulfill
- A multi-stakeholder approach is necessary in order to fully combat the botnet threat
10 Next Steps
- Continue Phase 2 - Identification of Barriers to Code Participation
- Continue Phase 3 - Identification of Bot Metrics
- Deliver Final Report on Anti-Bot Code of Conduct - Barriers and Metrics in December 2012