Who is “Shadowserver?”
A security service for every Network!
Barry Greene - Shadowserver Volunteer
bgreene@shadowserver.org
Shadow Who?
The Shadowserver Foundation is an Internet Critical not-for-profit
organization (NPO) working to make the Internet more secure for everyone.
They are the low-key, Cyber-Civil Defence service that is at the center of the
push against Threat Actors on the Internet.
Unique insight into network security, a global
vantage point and proven TRUSTED partnerships:
● National Computer Security Incident Response Teams
(nCSIRTs)
● Law Enforcement
● Industry and security researchers world-wide
Shares information with Internet defenders at no cost to mitigate vulnerabilities, detect malicious
activity and counter emerging threats.
Why is Shadowserver One of the Top Sources?
… and most people do not know about the free
services the Shadowserver Alliance provides
to the community.
Ask your teams “How are you leveraging
Shadowserver’s Tools & Reports?”
Ask your vendors, “Are you part of the
Shadowserver Alliance? Are you helping to
push back against the threat, or just making
money from the threat?”
Ask your ISPs, Telcos, and Cloud Operators, “Are
you working with Shadowserver to mitigate the
threats on your network?”
An unparalleled combination of position, trusted information and 20 years
of proven community partnerships enables Shadowserver to perform a
critical role in Internet security - the world’s largest provider of free cyber
threat intelligence.
Shadowserver’s “trust” is built on execution, confidentiality, & unique expert
cybersecurity experience.
Shadowserver Providing the Tools
Tools and data sources:
● Honeynets
● CSP Feeds
● Botnet Infiltration
● Malware Analytics
● Takedown Operations
● Malware Sinkholes
● Global Scans
● Malware-Binary Sample Analytics (MBSA)
● Vulnerability Notifications
● DDoS API
● Investigative Teams
Daily Reports to Subscribers (Email, API & CVF): +100 Report Types
Shadowserver Alliance: Joint Operations & Partnerships
Reports are consumed by the Network Team, Security Team, Product Team and NOC/SOC Teams.
Better than any “Attack Surface” Commercial Solution!
The latest reports ….
Shadowserver’s Dashboard
Alliance Investment = Community Defense
Alliance investors include Philanthropist Craig
Newmark who is “putting his money where his mouth
is” by supporting a broad coalition of organizations
dedicated to educating and protecting Americans
amid escalating cybersecurity threats.
Cyber-Civil Defense helps the community, the customers, the business, and
everyone on the Internet. Protect your country’s interest by investing in the
Shadowserver Alliance and commissioning work that benefits your constituents.
Anything you do for your constituents helps everyone on the Internet!
Using the Daily Reporting to
Reduce your Security Risk
The Simple things Make a Big Difference
Security Best Common Practices (BCPs) are not hard and they are not
expensive. They take time, persistence, and consistency.
• You do not need to pay to subscribe to any “security threat
service.”
• You do not need to buy expensive scanning services.
• You have access to the most advanced “surface area” security
service to let you know what the “bad guy” threat actors can see.
All of this is free and a public service that provides daily reports on your
ASN, IP Blocks, and Domain Names. The reports are delivered via email or
APIs.
Example - No Budget for Security
2012: walking into a large Indonesian Cell Phone Company. There is no
cybersecurity budget or team.
● Recruited two “fresh out of college” graduates to directly report to me
(other VPs didn’t want the workload of “new people”).
● Had them pick one Shadowserver report a week.
● Their job was to track down the issues, find out how to fix the risk,
document a process to minimize repeats, and then seek out and hunt for
“how threat actors would have abused” it.
Step-by-Step: We found the Nation State and Cyber Criminal threat actors
and pushed them off our network. Each step built our resiliency, skills,
capabilities, and capacity …. All using open source and public cyber civil
defence tools!
New Network Report types
added by Community Action
● New network reports are added with
each new category of incident
● Each network report type includes
details of the source and
recommended actions
● Over 90 network report types and
growing!
Network Reports Highlight Actionable Risk
Network Report Details (example)
Daily workflow with Shadowserver Reports
1. Pick a new Shadowserver Report
2. Review the Risk
3. Mitigate Risk
4. Document Preventive Policy
5. Could someone have exploited the risk? → Deeper Investigation
6. Take a break before the next day
We have +50 reports with hundreds of issues! Where do we start?
Don’t panic! Start daily action. Work with a few of the simplest first,
then shift to reports that are CRITICAL and HIGH severity.
Example of the Daily - SNMP
Each of these devices has SNMP ports open to the Internet.
They are exposed for abuse.
https://www.shadowserver.org/what-we-do/network-reporting/open-snmp-report/
Example of the Daily - SNMP
The Shadowserver reports use geolocation to provide the region and city.
Notice the “public” SNMP Community string.
Preventive Maintenance Inspection is Critical to the Mission. Any
organization that needs to be always ready will always inspect its daily
“PMI” habits.
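The daily workflow above applied to a report file, as an added example (not from the slides or from Shadowserver): parse a CSV shaped like the Open SNMP report, compute the day-over-day delta that the “delta mode” delivery option provides, and order the worklist so default community strings are fixed first. The column names and the two sample reports are constructed for this example.

```python
"""Triage a Shadowserver-style daily report and compute its day-over-day delta.

The CSV columns below are constructed for this example and only loosely follow
the Open SNMP report (which does carry IP, ASN, geolocation and the SNMP
community string); treat the column names as assumptions.
"""
from __future__ import annotations

import csv
import io
from collections import Counter
from dataclasses import dataclass

# Constructed sample reports for the same network on two consecutive days.
YESTERDAY_CSV = """timestamp,ip,port,asn,geo,region,city,community
2023-06-01 02:10:11,192.0.2.10,161,64496,MY,KUALA LUMPUR,KUALA LUMPUR,public
2023-06-01 02:10:12,192.0.2.11,161,64496,MY,SELANGOR,SHAH ALAM,public
2023-06-01 02:10:13,198.51.100.7,161,64497,MY,PENANG,GEORGE TOWN,private
"""

TODAY_CSV = """timestamp,ip,port,asn,geo,region,city,community
2023-06-02 02:11:01,192.0.2.10,161,64496,MY,KUALA LUMPUR,KUALA LUMPUR,public
2023-06-02 02:11:02,198.51.100.7,161,64497,MY,PENANG,GEORGE TOWN,private
2023-06-02 02:11:03,203.0.113.5,161,64496,MY,JOHOR,JOHOR BAHRU,public
"""


@dataclass(frozen=True)
class Exposure:
    ip: str
    port: int
    asn: int
    community: str


def parse_report(text: str) -> list[Exposure]:
    """Parse one daily report; an (ip, port) pair identifies one exposed service."""
    return [
        Exposure(rec["ip"], int(rec["port"]), int(rec["asn"]), rec["community"])
        for rec in csv.DictReader(io.StringIO(text))
    ]


def delta(yesterday: list[Exposure], today: list[Exposure]):
    """Delta mode by hand: what appeared since yesterday and what got fixed.

    Keyed on (ip, port) so a new scan timestamp alone does not count as a change.
    """
    key = lambda e: (e.ip, e.port)
    y = {key(e): e for e in yesterday}
    t = {key(e): e for e in today}
    new = sorted((t[k] for k in t.keys() - y.keys()), key=key)
    resolved = sorted((y[k] for k in y.keys() - t.keys()), key=key)
    return new, resolved


def prioritize(exposures: list[Exposure]) -> list[Exposure]:
    """Work the simplest, highest-risk items first: default community strings
    ("public" is read, "private" is commonly read-write) let anyone on the
    Internet read or change device configuration, so they top the list."""
    default = {"public", "private"}
    return sorted(exposures, key=lambda e: (e.community not in default, e.asn, e.ip))


def per_asn(exposures: list[Exposure]) -> Counter:
    """Count exposures per ASN so the right network team gets the right list."""
    return Counter(e.asn for e in exposures)


def daily_worklist(yesterday_csv: str, today_csv: str) -> dict:
    """One day of the workflow: parse, compute the delta, prioritize what remains."""
    y, t = parse_report(yesterday_csv), parse_report(today_csv)
    new, resolved = delta(y, t)
    return {"new": new, "resolved": resolved, "todo": prioritize(t), "by_asn": per_asn(t)}


if __name__ == "__main__":
    result = daily_worklist(YESTERDAY_CSV, TODAY_CSV)
    print("new since yesterday:", [e.ip for e in result["new"]])
    print("resolved:", [e.ip for e in result["resolved"]])
    print("today's order of work:", [(e.ip, e.community) for e in result["todo"]])
    print("per ASN:", dict(result["by_asn"]))
```

The resolved list is the evidence that yesterday's mitigation held, which is what the “Document Preventive Policy” step records.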
Back to Basics - Do something - consistently every day!
Example using Shadowserver’s Reports:
1. Organization with little to no security budget.
2. Grab new engineers right out of college.
3. Have them pick a Shadowserver report, hunt the problem, figure out how to
sustainably fix it, then act.
Reflect, learn, and repeat.
Each security issue found by Shadowserver is a “leading indicator of risk!”
Watch for the Incident Reporting
Shadowserver alerts their constituents and the Internet on critical
ACTIVE EXPLOITATION!
Shadowserver gives you the ability to quickly review the risk on your
network and fix the vulnerability before it gets exploited.
Use the Exploited Vulnerabilities List
https://dashboard.shadowserver.org/statistics/honeypot/monitoring/vulnerability/?category=monitoring&statistic=unique_ips
Focus on US CISA’s KEV List
CISA provides the KEV list as a tool to help organizations focus on REDUCING RISK!
Shadowserver provides a public service to have an “outside-in” assessment of
your network.
Example: Are you Protecting your BGP Session?
Networks that think they are “DDoS resilient” get surprised when their BGP
Sessions go down from an easily crafted DDoS.
BGP port (179) is left open to the Internet and is an easy target for a
low-level attack that will knock down your BGP session.
Shodan’s BGP report shows 325,082 open port 179 instances (June 2023). That is
325,082 organizations whose BGP sessions are at risk.
What Happened?
1. NZITF Bi-Weekly Threat Briefing
2. Check Shodan
3. Run a Validation Test
4. Peer Review with a Couple of Operators with Labs
5. Ask Shadowserver for Validation Reporting
6. Bring BGP Session Risk to FIRST NetSec SIG
7. Craft advisory for the FIRST Community
8. Peer Review the Advisory
9. Publish to the FIRST Membership
And now we wait - as all teams are totally saturated with a sandstorm of
security risk thrown at them every day.
Check Shadowserver’s New BGP Reports
Shadowserver has made it easy for organizations with two new reports:
Accessible BGP service report: https://shadowserver.org/what-we-do/network-reporting/accessible-bgp-service-report/
Open BGP service report: https://shadowserver.org/what-we-do/network-reporting/open-bgp-service-report/
Malaysia’s Current Risk
Malaysia’s ASNs & IPs: more than 700 open BGP port 179 sessions exposed to
low-level DDoS.
Summary
Shadowserver’s Non-Profit Mission and Community Trust provide any
organization with data to minimize their cybersecurity risk.
✓ The Daily Network Reporting is a free public service to organizations
with an ASN, IP addresses, and domain names.
✓ These reports are delivered via Email or APIs - allowing for easy
integration with your current security tools.
✓ You can ask your “MSSPs” and “Managed Security” vendors to leverage
these reports.
✓ Organizations have used only the Shadowserver Reports to build a security
rhythm of action that uncovered & fixed risk in their organization.
@shadowserver
contact@shadowserver.org
dashboard.shadowserver.org
shadowserver.org/partner
Remember to Sign Up
Extras!
How to Sign Up and Get Started
Shadowserver’s Daily Reports
Plugging into the Shadowserver Alerts
Open to everyone:
Public Mailing List: Public@mail.shadowserver.org
https://mail.shadowserver.org/mailman/listinfo/public
X/Twitter: https://twitter.com/Shadowserver
Linkedin: https://www.linkedin.com/company/the-shadowserver-foundation/
Shadowserver Alliance Members: will get pre-alerts, new report crafting, and the
ability to directly consult with the Shadowserver teams and fellow peers as the
public reporting is being curated (via the Alliance Mattermost).
Shadowserver Youtube Channel
https://www.youtube.com/@Shadowserver-Foundation
Subscribing to the Daily Network Reports
https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Who Are you?
● Your name
● Your organization
● Your role within the organization
● Your email address
● Your phone number
● Your PGP key (for an encrypted reply)
Your Network?
● Your ASNs and Customer ASNs
● Your CIDR Blocks
● Your Domain Names
● If you are a national CERT, list your country.
● If you are doing this on behalf of another network, please explain.
How do we Trust?
● List of Emails to send the reports to
● List of references who can vouch for you. Enter the name and contact
information for one or more individuals in your organization, ideally someone
listed on the whois for your network space. This will help us verify your
identity.
Subscribing to the Daily Network Reports
https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
Network details
E-mail address where reports or download links will be sent
It’s really free!
General Theme - You only get free daily remediation reports for the networks
or country(ies) for which you can prove your authority (by ASNs, CIDRs, DNS
Zones and national authorities).
Any organization may use any of the data that Shadowserver
provides to them for free each day concerning their own network
space, without any restrictions - we consider the data to be theirs,
to do with as they want. We do not give Google’s data to Microsoft,
or US data to the UK. We only give each network’s data to that
network’s owner (plus their responsible national CERT/CSIRT and
LE agencies).
Shadowserver’s Data Sharing Principles
Privacy & Terms has further details: https://www.shadowserver.org/privacy-and-terms/
(Diagram: networks A, B, C and D - B only gets B’s data!)
National CERTs with Legitimate Authority can request access to Country Data
Shadowserver offers National CSIRTs a clear view of what’s
happening on their networks, providing personalized support
to interpret the data and leverage its impact. Whether you’re
responsible for a specific set of networks or every network in
your region, together we can make a positive impact on
Internet security.
Different Forms Of Data Access
• E-mail (must always be provided, even if only for notifications)
• Report file download links
• Webspace with report files
• API with report files
• Delta mode option (report changes only)
Reports are always files in CSV format
https://www.shadowserver.org/what-we-do/network-reporting/api-reports-query/
Open Source Threat Intel Tool
IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse
departments, etc.) for collecting and processing security feeds (such as log
files) using a message queuing protocol.
It’s a community-driven initiative called IHAP (Incident Handling Automation
Project) which was conceptually designed by European CERTs/CSIRTs during
several InfoSec events.
Its main goal is to give incident responders an easy way to collect & process
threat intelligence, thus improving the incident handling processes of CERTs.
https://github.com/certtools/intelmq
Example of API Tools (Akamai)
Shadowserver’s API Tools allow an organization to build its own tools to act
on the security risk identified to it by Shadowserver.
Akamai gets daily update reports on all ASNs, IPv4, IPv6, and domain names ….
All accessible via API.
Alarms, tools, and other security capabilities can then be coded to protect
Akamai, their customers, and the Internet.
In this case, Shadowserver’s Sinkhole identified an Akamai customer who is
using their CDN, but whose “origin” datacenter has an Avalanche-NYMAIM infection.
Summary & Key Report Pages
Reports overview
• https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
• https://www.shadowserver.org/what-we-do/network-reporting/
Report Updates
• https://www.shadowserver.org/news-insights/
• Twitter @shadowserver or Linkedin: https://www.linkedin.com/company/the-shadowserver-foundation/
• Mailing list access: send a request to contact@shadowserver.org and request access to public@shadowserver.org
• Or subscribe directly at https://mail.shadowserver.org/mailman/listinfo/public
• Github: https://github.com/The-Shadowserver-Foundation
Reports API
• Request access to contact@shadowserver.org
• https://www.shadowserver.org/what-we-do/network-reporting/api-documentation/
• https://www.shadowserver.org/what-we-do/network-reporting/api-reports-query/

 
Redefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI CapabilitiesRedefining Cybersecurity with AI Capabilities
Redefining Cybersecurity with AI Capabilities
 
Latest Tech Trends Series 2024 By EY India
Latest Tech Trends Series 2024 By EY IndiaLatest Tech Trends Series 2024 By EY India
Latest Tech Trends Series 2024 By EY India
 
Sonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdfSonkoloniya documentation - ONEprojukti.pdf
Sonkoloniya documentation - ONEprojukti.pdf
 
CheckPoint Firewall Presentation CCSA.pdf
CheckPoint Firewall Presentation CCSA.pdfCheckPoint Firewall Presentation CCSA.pdf
CheckPoint Firewall Presentation CCSA.pdf
 
Uncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in LibrariesUncharted Together- Navigating AI's New Frontiers in Libraries
Uncharted Together- Navigating AI's New Frontiers in Libraries
 
How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...How UiPath Discovery Suite supports identification of Agentic Process Automat...
How UiPath Discovery Suite supports identification of Agentic Process Automat...
 
What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024What's New in Teams Calling, Meetings, Devices June 2024
What's New in Teams Calling, Meetings, Devices June 2024
 
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision MakingConnector Corner: Leveraging Snowflake Integration for Smarter Decision Making
Connector Corner: Leveraging Snowflake Integration for Smarter Decision Making
 
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
UX Webinar Series: Essentials for Adopting Passkeys as the Foundation of your...
 
The History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal EmbeddingsThe History of Embeddings & Multimodal Embeddings
The History of Embeddings & Multimodal Embeddings
 
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
Mastering Board Best Practices: Essential Skills for Effective Non-profit Lea...
 
Finetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and DefendingFinetuning GenAI For Hacking and Defending
Finetuning GenAI For Hacking and Defending
 
Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1Discovery Series - Zero to Hero - Task Mining Session 1
Discovery Series - Zero to Hero - Task Mining Session 1
 
Camunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptxCamunda Chapter NY Meetup July 2024.pptx
Camunda Chapter NY Meetup July 2024.pptx
 
Accelerating Migrations = Recommendations
Accelerating Migrations = RecommendationsAccelerating Migrations = Recommendations
Accelerating Migrations = Recommendations
 
Integrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecaseIntegrating Kafka with MuleSoft 4 and usecase
Integrating Kafka with MuleSoft 4 and usecase
 
Intel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdfIntel Unveils Core Ultra 200V Lunar chip .pdf
Intel Unveils Core Ultra 200V Lunar chip .pdf
 
Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024Generative AI Reasoning Tech Talk - July 2024
Generative AI Reasoning Tech Talk - July 2024
 
kk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdfkk vathada _digital transformation frameworks_2024.pdf
kk vathada _digital transformation frameworks_2024.pdf
 

SHADOWSERVER: INTERNET CRITICAL SECURITY AS A PUBLIC SERVICE

  • 5. Shadowserver Providing the Tools
    Honeynets, CSP Feeds, Botnet Infiltration, Malware Analytics, Takedown Operations, Malware Sinkholes, Global Scans, Daily Reports (Subscribers: Email, API & CVF), Malware-Binary Sample Analytics (MBSA), 100+ Report Types, Vulnerability Notifications, DDoS API, Investigative Teams, Shadowserver Alliance (Joint Operations & Partnerships).
    Consumers: Network Team, Security Team, Product Team, NOC/SOC Teams.
    Better than any “Attack Surface” commercial solution!
  • 8. Alliance Investment = Community Defense
    Alliance investors include philanthropist Craig Newmark, who is “putting his money where his mouth is” by supporting a broad coalition of organizations dedicated to educating and protecting Americans amid escalating cybersecurity threats.
    Cyber-Civil Defense helps the community, the customers, the business, and everyone on the Internet. Protect your country’s interests by investing in the Shadowserver Alliance and commissioning work that benefits your constituents. Anything you do for your constituents helps everyone on the Internet!
  • 9. Using the Daily Reporting to Reduce your Security Risk
  • 10. The Simple Things Make a Big Difference
    Security Best Common Practices (BCPs) are not hard and they are not expensive. They take time, persistence, and consistency.
    • You do not need to pay to subscribe to any “security threat service.”
    • You do not need to buy expensive scanning services.
    • You have access to the most advanced “surface area” security service, which shows you what the “bad guy” threat actors can see.
    All of this is free, a public service that provides daily reports on your ASNs, IP blocks, and domain names. The reports are delivered via email or APIs.
  • 11. Example - No Budget for Security
    2012, walking into a large Indonesian cell phone company. There is no cybersecurity budget or team. Step by step:
    ● Recruited two “fresh out of college” graduates to directly report to me (other VPs didn’t want the workload of “new people”).
    ● Had them pick one Shadowserver report a week.
    ● Their job was to track down the issues, find out how to fix the risk, document a process to minimize repeats, and then seek out and hunt for “how threat actors would have abused” it.
    We found the Nation State and Cyber Criminal threat actors and pushed them off our network. Each step built our resiliency, skills, capabilities, and capacity … all using open source and public cyber civil defence tools!
  • 12. Network Reports Highlight Actionable Risk
    New network report types are added by community action:
    ● New network reports are added with each new category of incident.
    ● Each network report type includes details of the source and recommended actions.
    ● Over 90 network report types and growing!
  • 13. Network Report Details (example)
  • 14. Daily Workflow with Shadowserver Reports
    We have 50+ reports with hundreds of issues! Where do we start? Don’t panic! Start daily action. Work through a few of the simplest first, then shift to reports that are CRITICAL and HIGH severity.
    1. Pick a new Shadowserver report.
    2. Review the risk.
    3. Mitigate the risk.
    4. Document a preventive policy.
    5. Ask: could someone have exploited the risk? If so, do a deeper investigation.
    6. Take a break before the next day.
  • 15. Example of the Daily - SNMP
    Each of these devices has SNMP ports open to the Internet. They are exposed for abuse.
    https://www.shadowserver.org/what-we-do/network-reporting/open-snmp-report/
  • 16. Example of the Daily - SNMP
    The Shadowserver reports use geolocation to provide the region and city. Notice the “public” SNMP community: a default read community string means anyone who can reach udp/161 can walk the device’s MIB (interfaces, routes, ARP tables) and learn how your network is built.
  • 17. Preventive Maintenance Inspection is Critical to the Mission
    Any organization that needs to be always ready will always inspect the daily habits of “PMI”. Back to basics - do something, consistently, every day!
    Example using Shadowserver’s reports:
    1. Organization with little to no security budget.
    2. Grab new engineers right out of college.
    3. Have them pick a Shadowserver report, hunt the problem, figure out how to sustainably fix it, then act. Reflect, learn, and repeat.
    Each security issue found by Shadowserver is a “leading indicator of risk”!
  • 18. Watch for the Incident Reporting
    Shadowserver alerts its constituents and the Internet on critical ACTIVE EXPLOITATION! Shadowserver gives you the ability to quickly review the risk on your network and fix the vulnerability before it gets exploited.
  • 19. Use the Exploited Vulnerabilities List
    https://dashboard.shadowserver.org/statistics/honeypot/monitoring/vulnerability/?category=monitoring&statistic=unique_ips
  • 20. Focus on US CISA’s KEV List
    CISA provides the KEV list as a tool to help organizations focus on REDUCING RISK! Shadowserver provides a public service to give you an “outside-in” assessment of your network.
  • 21. Example: Are you Protecting your BGP Session?
    Networks that think they are “DDoS resilient” get surprised when their BGP sessions go down from an easily crafted DDoS. BGP’s port (TCP 179) is left open to the Internet and is an easy target for a low-level attack that will knock down your BGP session.
    Shodan’s BGP report: 325,082 open port 179 instances (June 2023). That is 325,082 exposed BGP speakers whose sessions are at risk.
  • 22. What Happened?
    1. NZITF Bi-Weekly Threat Briefing
    2. Check Shodan
    3. Run a validation test
    4. Peer review with a couple of operators with labs
    5. Ask Shadowserver for validation reporting
    6. Bring BGP session risk to the FIRST NetSec SIG
    7. Craft an advisory for the FIRST community
    8. Peer review the advisory
    9. Publish to the FIRST membership
    And now we wait - as all teams are totally saturated with a sandstorm of security risk thrown at them every day.
  • 23. Check Shadowserver’s New BGP Reports
    Shadowserver has made it easy for organizations with two new reports:
    Accessible BGP service report: https://shadowserver.org/what-we-do/network-reporting/accessible-bgp-service-report/
    Open BGP service report: https://shadowserver.org/what-we-do/network-reporting/open-bgp-service-report/
  • 24. Malaysia’s Current Risk
    Malaysia’s ASNs & IPs: more than 700 open BGP port 179 sessions exposed to low-level DDoS.
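As an added example (not code from the presentation or from Shadowserver), here is the daily routine of slide 14 applied to two of the report types discussed above, the open SNMP report of slides 15-16 and the accessible BGP report of slide 23. The script reads rows in the CSV-with-header layout the reports use, applies one rule per report type (an SNMP community of “public” is escalated to critical; a tcp/179 listener that is not one of your known Internet-facing BGP speakers is escalated to high), and orders the resulting worklist so CRITICAL and HIGH come first. The CSV rows, the column subset, the severity values and the INTERNET_FACING_BGP_SPEAKERS allow-list are all constructed assumptions for the example, not real report data or the exact report schema.

```python
"""Turn Shadowserver-style daily report CSVs into a severity-ordered worklist.

Added example, not code from the presentation or from Shadowserver. The two CSV
texts below are constructed to resemble the layout of the open SNMP and
accessible BGP reports (timestamp, ip, protocol, port, asn, geo, ... severity);
they are sample data and an assumed column subset, not the exact report schema.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Lower rank = work it first (the slide's "CRITICAL and HIGH" come before the rest).
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3, "info": 4}

# Constructed sample rows (RFC 5737 documentation prefixes, private-use ASNs).
OPEN_SNMP_CSV = """\
timestamp,ip,protocol,port,asn,geo,city,version,community,severity
2024-06-01 03:12:44,192.0.2.10,udp,161,64500,MY,Kuala Lumpur,2,public,medium
2024-06-01 03:12:45,192.0.2.11,udp,161,64500,MY,Kuala Lumpur,2,private,medium
2024-06-01 03:13:01,198.51.100.7,udp,161,64501,MY,Penang,3,,low
"""

ACCESSIBLE_BGP_CSV = """\
timestamp,ip,protocol,port,asn,geo,city,severity
2024-06-01 04:02:10,192.0.2.1,tcp,179,64500,MY,Kuala Lumpur,medium
2024-06-01 04:02:11,203.0.113.5,tcp,179,64501,MY,Penang,medium
"""

# Assumption: routers we know must speak eBGP across the Internet (for example to
# an IXP route server). Every other tcp/179 listener in the report is unexpected.
INTERNET_FACING_BGP_SPEAKERS = {"192.0.2.1"}


@dataclass(order=True)
class Finding:
    rank: int
    severity: str
    report: str
    ip: str
    asn: str
    note: str


def parse_report(text: str) -> list[dict]:
    """Shadowserver reports are CSV with a header row; DictReader keeps column names."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_snmp(row: dict) -> tuple[str, str]:
    severity = row["severity"]
    note = f"SNMPv{row['version']} on udp/{row['port']} answers the whole Internet"
    if row.get("community") == "public":
        # Default read community: anyone can walk the MIB (interfaces, routes, ARP).
        severity = "critical"
        note += "; default community 'public' in use"
    return severity, note


def triage_bgp(row: dict) -> tuple[str, str]:
    severity = row["severity"]
    if row["ip"] in INTERNET_FACING_BGP_SPEAKERS:
        note = "known Internet-facing speaker; confirm tcp/179 is filtered to configured peers"
    else:
        # Slide 21: an open tcp/179 lets anyone on the Internet flood the session.
        severity = "high"
        note = "unexpected tcp/179 listener; restrict to configured peers before it is knocked over"
    return severity, note


RULES = {"open-snmp": triage_snmp, "accessible-bgp": triage_bgp}


def build_worklist(reports: dict[str, str]) -> list[Finding]:
    """Apply the per-report rule to every row and return findings, most urgent first."""
    findings = []
    for report_type, text in reports.items():
        rule = RULES[report_type]
        for row in parse_report(text):
            severity, note = rule(row)
            findings.append(Finding(SEVERITY_RANK[severity], severity, report_type,
                                    row["ip"], row["asn"], note))
    return sorted(findings)


def count_by_asn(findings: list[Finding]) -> Counter:
    """Which of your ASNs carries the most exposure (useful when you hold several)."""
    return Counter(f.asn for f in findings)


if __name__ == "__main__":
    worklist = build_worklist({"open-snmp": OPEN_SNMP_CSV,
                               "accessible-bgp": ACCESSIBLE_BGP_CSV})
    for f in worklist:
        print(f"{f.severity:8} {f.report:15} {f.ip:15} AS{f.asn}  {f.note}")
    print(dict(count_by_asn(worklist)))
```

Adding a report type is one more function in RULES; the rule is where the “could someone have exploited this?” question from slide 14 gets encoded, so the same row is judged the same way every day rather than by whoever happens to be on shift.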
  • 25. Summary
    Shadowserver’s non-profit mission and community trust provide any organization with data to minimize its cybersecurity risk.
    ✓ The Daily Network Reporting is a free public service to organizations with an ASN, IP addresses, and domain names.
    ✓ These reports are delivered via email or APIs, allowing for easy integration with your current security tools.
    ✓ You can ask your “MSSPs” and “Managed Security” vendors to leverage these reports.
    ✓ Organizations have used the Shadowserver reports alone to build a security rhythm of action that uncovered and fixed risk in their organization.
  • 28. How to Sign Up and Get Started Shadowserver’s Daily Reports
  • 29. Plugging into the Shadowserver Alerts
    Open to everyone:
    Public mailing list: public@mail.shadowserver.org - https://mail.shadowserver.org/mailman/listinfo/public
    X/Twitter: https://twitter.com/Shadowserver
    LinkedIn: https://www.linkedin.com/company/the-shadowserver-foundation/
    Shadowserver Alliance members get pre-alerts, new report crafting, and the ability to directly consult with the Shadowserver teams and fellow peers as the public reporting is being curated (via the Alliance Mattermost).
  • 31. Subscribing to the Daily Network Reports
    https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
    Who are you? Your name, your organization, your role within the organization, your email address, your phone number, your PGP key (for an encrypted reply).
    Your network? Your ASNs and customer ASNs, your CIDR blocks, your domain names. If you are a national CERT, list your country. If you are doing this on behalf of another network, please explain.
    How do we trust? List of emails to send the reports to; list of references who can vouch for you. Enter the name and contact information for one or more individuals in your organization, ideally someone listed in the whois for your network space. This will help us verify your identity.
  • 32. Subscribing to the Daily Network Reports
    Network details; e-mail address where reports or download links will be sent. It’s really free!
    https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
  • 33. Shadowserver’s Data Sharing Principles
    General theme - you only get free daily remediation reports for the networks or country(ies) over which you can prove your authority (by ASNs, CIDRs, DNS zones and national authorities).
    Any organization may use any of the data that Shadowserver provides to them for free each day concerning their own network space, without any restrictions - we consider the data to be theirs, to do with as they want.
    We do not give Google’s data to Microsoft, or US data to the UK. We only give each network’s data to that network’s owner (plus their responsible national CERT/CSIRT and LE agencies).
    (Diagram: networks A, B, C and D - B only gets B’s data!)
    Privacy & Terms has further details: https://www.shadowserver.org/privacy-and-terms/
  • 34. National CERTs with Legitimate Authority can request access to Country Data
    Shadowserver offers National CSIRTs a clear view of what’s happening on their networks, providing personalized support to interpret the data and leverage its impact. Whether you’re responsible for a specific set of networks or every network in your region, together we can make a positive impact on Internet security.
    Shadowserver’s Data Sharing Principles - Privacy & Terms has further details: https://www.shadowserver.org/privacy-and-terms/
  • 35. Different Forms of Data Access
    • E-mail (must always be provided, even if only for notifications)
    • Report file download links
    • Webspace with report files
    • API with report files
    • Delta mode option (report changes only)
    Reports are always files in CSV format.
    https://www.shadowserver.org/what-we-do/network-reporting/api-reports-query/
  • 36. Open Source Threat Intel Tool
    IntelMQ is a solution for IT security teams (CERTs & CSIRTs, SOCs, abuse departments, etc.) for collecting and processing security feeds (such as log files) using a message queuing protocol. It's a community-driven initiative called IHAP (Incident Handling Automation Project) which was conceptually designed by European CERTs/CSIRTs during several InfoSec events. Its main goal is to give incident responders an easy way to collect & process threat intelligence, thus improving the incident handling processes of CERTs.
    https://github.com/certtools/intelmq
  • 37. Example of API Tools (Akamai)
    Shadowserver’s API tools allow an organization to build its own tools that act on the security risk Shadowserver identifies. Akamai gets daily update reports on all of its ASNs, IPv4 and IPv6 addresses, and domain names … all accessible via API. Alarms, tools, and other security capabilities can then be coded to protect Akamai, their customers, and the Internet.
    In this case, Shadowserver’s sinkhole identified an Akamai customer that is using the CDN, but whose “origin” datacenter has an Avalanche-NYMAIM infection.
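To show what “accessible via API” (slides 35 and 37) involves before you wire the reports into your own alarms, here is an added example of the request-signing step; it is not code from the presentation or from Shadowserver. The scheme it implements (a POST with a JSON body carrying your “apikey”, the hex HMAC-SHA256 of the exact body bytes keyed with your secret in an HMAC2 header, base URL https://transform.shadowserver.org/api2/, and method names such as reports/list and reports/download) follows Shadowserver’s public API documentation linked in this deck; confirm the details there before relying on them. The key, secret and date are constructed placeholders, and report-type identifiers should be taken from the documentation rather than guessed.

```python
"""Build and sign a request for the Shadowserver reports API without sending it.

Added example, not code from the presentation or from Shadowserver. The scheme
(POST a JSON body carrying "apikey"; put the hex HMAC-SHA256 of the exact body
bytes, keyed with your secret, in an HMAC2 header; base URL
https://transform.shadowserver.org/api2/; methods such as reports/list and
reports/download) follows the API documentation linked in the deck; confirm the
details there. The key and secret below are constructed placeholders.
"""
import hashlib
import hmac
import json
import urllib.request
from typing import Optional

API_BASE = "https://transform.shadowserver.org/api2/"

# Constructed placeholders; Shadowserver issues the real pair after you sign up.
API_KEY = "example-api-key"
API_SECRET = "example-api-secret"


def sign_body(secret: str, body: bytes) -> str:
    """HMAC2 header value: hex HMAC-SHA256 over the exact bytes that go on the wire.

    Re-serialising the JSON after signing (different key order, whitespace) changes
    the bytes and the server will reject the request, so sign and send one object.
    """
    return hmac.new(secret.encode("utf-8"), body, hashlib.sha256).hexdigest()


def build_request(method: str, params: dict, key: str = API_KEY,
                  secret: str = API_SECRET) -> tuple[str, bytes, dict]:
    """Return (url, body, headers) for a signed call; nothing is sent here."""
    payload = dict(params)          # do not mutate the caller's dict
    payload["apikey"] = key
    body = json.dumps(payload).encode("utf-8")
    headers = {"HMAC2": sign_body(secret, body), "Content-Type": "application/json"}
    return API_BASE + method, body, headers


def verify_signature(secret: str, body: bytes, hmac2: str) -> bool:
    """The check the receiving side performs; constant-time compare, not ==."""
    return hmac.compare_digest(sign_body(secret, body), hmac2)


def api_call(method: str, params: dict, timeout: int = 60):
    """Send a signed request and decode the JSON reply (network access required)."""
    url, body, headers = build_request(method, params)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def list_reports(date: str, report_type: Optional[str] = None):
    """Files available for one day (YYYY-MM-DD), optionally narrowed to one report type.

    Each entry carries an id that reports/download takes to fetch the CSV itself.
    """
    params = {"date": date}
    if report_type:
        params["type"] = report_type
    return api_call("reports/list", params)


if __name__ == "__main__":
    url, body, headers = build_request("reports/list", {"date": "2024-06-01"})
    print(url)
    print(body.decode())
    print("HMAC2:", headers["HMAC2"])
```

Keep the secret out of the code and out of the logs: it authenticates every download of your own exposure data, which is exactly what an attacker doing reconnaissance on you would want. Pair this with a CSV triage step on the downloaded files and the daily routine from slide 14 becomes a scheduled job rather than a manual habit.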
  • 38. Summary & Key Report Pages
    Reports overview
    • https://www.shadowserver.org/what-we-do/network-reporting/get-reports/
    • https://www.shadowserver.org/what-we-do/network-reporting/
    Report updates
    • https://www.shadowserver.org/news-insights/
    • Twitter @shadowserver or LinkedIn: https://www.linkedin.com/company/the-shadowserver-foundation/
    • Mailing list access: send a request to contact@shadowserver.org and ask for access to public@shadowserver.org
    • Or subscribe directly at https://mail.shadowserver.org/mailman/listinfo/public
    • GitHub: https://github.com/The-Shadowserver-Foundation
    Reports API
    • Request access via contact@shadowserver.org
    • https://www.shadowserver.org/what-we-do/network-reporting/api-documentation/
    • https://www.shadowserver.org/what-we-do/network-reporting/api-reports-query/