WEBVTT

00:00:02.008 --> 00:00:05.055
>> Brian: Welcome to the AMA Conference Center in New York City

00:00:05.055 --> 00:00:09.074
and for those following us online, my name is Brian Cute.

00:00:09.074 --> 00:00:12.082
I am the CEO of Public Interest Registry.

00:00:12.082 --> 00:00:17.005
Public Interest Registry, or PIR, is the operator of the dot org

00:00:17.005 --> 00:00:19.007
top-level domain on the internet.

00:00:19.007 --> 00:00:25.005
We, along with New York Tech, a New York City-based technology industry association,

00:00:25.005 --> 00:00:28.075
and the Internet Society, New York Chapter, want to welcome you

00:00:28.075 --> 00:00:35.008
to today's event, Mitigating DDoS Attacks: Best Practices for an Evolving Threat Landscape.

00:00:35.008 --> 00:00:42.004
For those of you online, today's event is being webcast on the ISOC Livestream channel

00:00:42.004 --> 00:00:44.098
and on that channel you can also post questions.

00:00:44.098 --> 00:00:50.041
We welcome questions from our online audience to bring into the Q&A session today.

00:00:50.041 --> 00:00:58.001
You can also follow the event at the hashtag DDoS and with that,

00:00:58.001 --> 00:01:01.053
let me introduce today's session, Mitigating DDoS Attacks:

00:01:01.053 --> 00:01:05.048
Best Practices for an Evolving Threat Landscape.

00:01:05.048 --> 00:01:09.009
Distributed denial of service attacks are deliberate attempts

00:01:09.009 --> 00:01:15.013
to make internet-connected machines or network resources unavailable to their intended users

00:01:15.013 --> 00:01:20.098
by temporarily or indefinitely interrupting or suspending DNS service.

00:01:20.098 --> 00:01:27.047
Unfortunately DDoS attacks are an all-too-common reality across today's internet landscape.

00:01:27.047 --> 00:01:31.087
Examples abound; most recently, large-scale attacks have been directed

00:01:31.087 --> 00:01:36.023
at major U.S. banks since September of 2012.
00:01:36.023 --> 00:01:41.007
Online service providers and corporations around the world are often targeted.

00:01:41.007 --> 00:01:46.015
DDoS attacks have been directed against government websites and it's quite possible

00:01:46.015 --> 00:01:50.001
that some attacks were at least condoned by governments.

00:01:50.001 --> 00:01:55.064
Whether a DDoS attack is motivated by criminal intent, like cyber extortion, or is executed

00:01:55.064 --> 00:01:58.067
as an extreme form of free expression,

00:01:58.067 --> 00:02:03.006
the resulting service interruptions can have wide-ranging effects.

00:02:03.006 --> 00:02:08.009
Today's program will explore the motives behind and targets of DDoS attacks.

00:02:08.009 --> 00:02:13.063
We will address ways attacks are carried out, as well as mitigation techniques

00:02:13.063 --> 00:02:16.022
and the importance of collaboration.

00:02:16.022 --> 00:02:23.015
We will also explore the risks of unintended consequences related to DDoS attacks.

00:02:23.015 --> 00:02:26.016
Now before I introduce our esteemed panelists,

00:02:26.016 --> 00:02:31.069
I wanted to note that PIR recently conducted a survey in the United States

00:02:31.069 --> 00:02:36.043
to test the public's awareness of DDoS attacks, this very important

00:02:36.043 --> 00:02:39.043
and growing problem on the internet.

00:02:39.043 --> 00:02:42.091
Among the results, we found that 85%

00:02:42.091 --> 00:02:47.007
of the respondents did not know what a DDoS attack was.

00:02:48.082 --> 00:02:53.052
When asked, what would you do if you were made aware that DDoS attacks were taking place?

00:02:53.052 --> 00:02:59.064
Among the very revealing responses were, "Call the Geek Squad,"

00:02:59.064 --> 00:03:04.083
which is a technical service organization that comes to fix your home computer,

00:03:04.083 --> 00:03:10.005
"Call my spouse," or "Go to Google."
00:03:10.005 --> 00:03:13.094
And while we're very happy to have a Google representative here on the panel today,

00:03:13.094 --> 00:03:19.091
I think these answers reveal the depth and breadth of misunderstanding and lack

00:03:19.091 --> 00:03:23.023
of awareness about this very important problem in the public.

00:03:23.023 --> 00:03:28.013
So today we're going to try to begin to chip away and provide some awareness

00:03:28.013 --> 00:03:30.063
about the important problem of DDoS attacks

00:03:30.063 --> 00:03:34.015
and how we collectively can address them effectively.

00:03:34.015 --> 00:03:38.019
So with that, let me get on to the introduction of today's panelists.

00:03:38.019 --> 00:03:42.047
Today's panelists represent a variety of organizations that operate

00:03:42.047 --> 00:03:45.008
at various points in the internet ecosystem.

00:03:45.008 --> 00:03:49.051
Their wealth of experiences and insights from industry, government,

00:03:49.051 --> 00:03:55.037
and civil society perspectives should help us better understand the challenges of DDoS attacks

00:03:55.037 --> 00:03:58.093
and identify mitigation practices.

00:03:58.093 --> 00:04:03.033
First, at the far end, we have Mr. Jeff Greene.

00:04:03.033 --> 00:04:07.082
Jeff serves as a senior policy counsel at Symantec.

00:04:07.082 --> 00:04:12.077
Jeff focuses on cyber security, identity management, and privacy issues

00:04:12.077 --> 00:04:16.079
and works extensively with industry and government organizations.

00:04:16.079 --> 00:04:21.095
Prior to joining Symantec, Jeff was a senior staffer on both the U.S. Senate

00:04:21.095 --> 00:04:25.065
and House Homeland Security Committees and before that was an attorney

00:04:25.065 --> 00:04:28.072
with a Washington, D.C. law firm.

00:04:28.072 --> 00:04:30.079
Next we have Ram Mohan.

00:04:30.079 --> 00:04:36.045
Ram is the Executive Vice President and Chief Technology Officer at Afilias Limited.
00:04:36.045 --> 00:04:41.001
Ram oversees key strategic management and technology choices for the Dublin,

00:04:41.001 --> 00:04:44.069
Ireland-based provider of internet infrastructure services.

00:04:44.069 --> 00:04:49.083
Ram also serves as a director and key advisor to the Internet Corporation for Assigned Names

00:04:49.083 --> 00:04:56.098
and Numbers, or ICANN, the Internet Society, and the Anti-Phishing Working Group.

00:04:56.098 --> 00:05:01.000
Next, we have Dr. Damian Menscher.

00:05:01.000 --> 00:05:06.081
Damian is a Security Engineer at Google where he leads the DDoS Defense Team.

00:05:06.081 --> 00:05:11.074
Damian uses his front-line experience defending today's largest attacks to design defenses

00:05:11.074 --> 00:05:15.025
that will automatically mitigate future attacks.

00:05:15.025 --> 00:05:20.082
He also reduces botnet sizes by directly informing users of infections on their machines

00:05:20.082 --> 00:05:23.041
through targeted messaging on Google.

00:05:23.041 --> 00:05:25.004
Previously, Damian gained experience

00:05:25.004 --> 00:05:31.085
in large-scale data analysis while completing his PhD in computational particle physics.

00:05:31.085 --> 00:05:33.062
I could barely say that.

00:05:33.062 --> 00:05:35.072
Next is Miguel Ramos.

00:05:35.072 --> 00:05:41.038
Miguel is Senior Product Manager at Neustar Inc., responsible for Neustar SiteProtect,

00:05:41.038 --> 00:05:45.008
a leading cloud-based DDoS mitigation service.

00:05:45.008 --> 00:05:51.019
Mr. Ramos has extensive experience in product management, marketing and technology.

00:05:51.019 --> 00:05:55.000
Previously Miguel was a Product Manager in charge of hosting and email product lines

00:05:55.000 --> 00:06:00.084
at Network Solutions, a leading domain registrar and online services provider.

00:06:00.084 --> 00:06:05.066
We were also to have Wout de Natris from the Netherlands.
00:06:05.066 --> 00:06:11.066
Unfortunately Wout is here in New York but came down with a sudden illness, food poisoning.

00:06:11.066 --> 00:06:13.086
We regret deeply that he's not here with us today.

00:06:13.086 --> 00:06:18.006
He was very eager to be here with you and we wish him a swift recovery.

00:06:18.006 --> 00:06:22.019
Next on the panel is Danny McPherson.

00:06:22.019 --> 00:06:26.005
Danny is the Chief Security Officer for Verisign, the trusted provider

00:06:26.005 --> 00:06:31.045
of key internet infrastructure services including two of the root servers,

00:06:31.045 --> 00:06:34.053
and the dot com and dot net namespaces.

00:06:34.053 --> 00:06:38.037
Danny is responsible for strategic direction, research and innovation

00:06:38.037 --> 00:06:40.094
in infrastructure and information security.

00:06:40.094 --> 00:06:45.053
He currently serves on the Internet Architecture Board, ICANN's Security

00:06:45.053 --> 00:06:51.006
and Stability Advisory Committee, the FCC's Communications Security, Reliability

00:06:51.006 --> 00:06:55.044
and Interoperability Council and several other industry forums.

00:06:55.044 --> 00:06:59.093
And finally, on the near end, we have Ms. Jillian York.

00:06:59.093 --> 00:07:06.023
Jillian is the Director for International Freedom of Expression at the Electronic Frontier Foundation

00:07:06.023 --> 00:07:11.028
where she specializes in free speech issues and the effects of corporate intermediaries

00:07:11.028 --> 00:07:13.084
on freedom of expression and anonymity,

00:07:13.084 --> 00:07:17.072
as well as the disruptive power of global, online activism.

00:07:17.072 --> 00:07:23.063
Prior to joining EFF, Jillian spent three years at Harvard University's Berkman Center for Internet

00:07:23.063 --> 00:07:29.053
and Society, where she worked on several projects including the OpenNet Initiative.

00:07:29.053 --> 00:07:32.073
Thank you all for coming, we appreciate your time.
00:07:32.073 --> 00:07:36.078
Now the way we're going to structure today's event and discussion is

00:07:36.078 --> 00:07:42.006
that I will do a first round of introductory remarks from each of the panelists.

00:07:42.006 --> 00:07:45.000
We'll keep it brief and we're basically going to try

00:07:45.000 --> 00:07:49.075
to set the stage, the background on DDoS attacks.

00:07:49.075 --> 00:07:56.011
Now before I get there, I just want to offer a little reaction from the common man.

00:07:56.011 --> 00:07:58.019
I've been in the industry myself for 10 years.

00:07:58.019 --> 00:08:02.097
I have a familiarity with DDoS attacks and internet infrastructure,

00:08:02.097 --> 00:08:07.065
but in approaching this event and preparing for it, I went online and pretended

00:08:07.065 --> 00:08:10.006
to be an average guy from Columbus, Ohio.

00:08:10.006 --> 00:08:16.021
What would I find if I'm trying to educate myself online about this serious problem?

00:08:16.021 --> 00:08:23.078
And in doing that, what jumped out to me is an issue of nomenclature, an issue of language,

00:08:23.078 --> 00:08:27.079
an issue of understanding, potentially barriers to understanding and awareness.

00:08:27.079 --> 00:08:33.016
So I'm going to ask Jeff Greene to start painting the picture of what DDoS attacks are

00:08:33.016 --> 00:08:36.029
and while we have a number of brilliant engineers on this panel,

00:08:36.029 --> 00:08:40.078
let me suggest that when one goes online as the average guy from Columbus, Ohio,

00:08:40.078 --> 00:08:51.043
he runs into things such as DoS, DDoS, DRDoS, Smurf attacks, SYN floods, ping of death,

00:08:51.043 --> 00:08:56.068
attacks that are perpetrated by Trojans and zombies, attacks that are combated

00:08:56.068 --> 00:09:01.004
through techniques like black-holing, sink-holing, and intrusion protection.
00:09:01.004 --> 00:09:06.002
Our job today is to utilize the expertise of these brilliant folks on our panel

00:09:06.002 --> 00:09:11.029
to help translate all of these very intimidating words around attacks on the internet

00:09:11.029 --> 00:09:13.001
so that we can raise the awareness for the public.

00:09:13.001 --> 00:09:17.047
So, Jeff, if you wouldn't mind kicking this off for us.

00:09:17.047 --> 00:09:19.097
>> Jeff: Sure, thanks again for having me and thanks for including me

00:09:19.097 --> 00:09:22.065
with such a great group of folks up here.

00:09:22.065 --> 00:09:28.033
I thought I'd give a little background on what are some trends we're seeing at Symantec

00:09:28.033 --> 00:09:35.047
in DDoS attacks, motivations also, and hopefully set the table for the conversation.

00:09:35.047 --> 00:09:40.054
The first thing I would start by saying is, when you're thinking about a DDoS attack,

00:09:40.054 --> 00:09:44.059
don't conceptualize it as a single event or a siloed activity.

00:09:44.059 --> 00:09:49.087
You really need to think about it as potentially part of a larger effort directed at you

00:09:49.087 --> 00:09:52.001
or directed at an entity or organization.

00:09:52.001 --> 00:09:55.064
It can still be a one-off but more often nowadays, it is not.

00:09:55.064 --> 00:10:01.096
In terms of motives, they can run the gamut; it can be harassment, political, it could be mischief,

00:10:01.096 --> 00:10:06.053
you know there's probably still some 15-year-old hackers in the basement somewhere.

00:10:06.053 --> 00:10:09.064
It could be someone, you know, annoyed,

00:10:09.064 --> 00:10:14.046
frustrated with a particular company or entity and going after them.

00:10:14.046 --> 00:10:16.084
It really runs the gamut.
00:10:16.084 --> 00:10:22.013
It could be extortion, simple "pay me" type activity, or more common now,

00:10:22.013 --> 00:10:28.048
or what we're seeing more of, what we're calling multi-flank attacks, and transitioning to talk

00:10:28.048 --> 00:10:31.006
about some of the trends, we'll start there.

00:10:31.006 --> 00:10:36.031
If you folks saw, I think it was in October, Defense Secretary Panetta was talking

00:10:36.031 --> 00:10:40.051
about cyber security and one of the things he mentioned were these flank attacks

00:10:40.051 --> 00:10:46.083
and DDoS is certainly a part of them and has become less of a blunt-force attack to more

00:10:46.083 --> 00:10:50.045
of a sophisticated diversionary attack; I should say it can be.

00:10:50.045 --> 00:10:59.066
The goal, basically, being drawing attention and resources away from standard security to focus

00:10:59.066 --> 00:11:03.008
on this response and leaving perhaps yourself open to other activity.

00:11:03.008 --> 00:11:10.054
One example that we talked about at a conference earlier this year, DDoS was a big part of it

00:11:10.054 --> 00:11:16.018
but the DDoS attack happened actually at the end of the activity.

00:11:16.018 --> 00:11:18.095
This particular effort was directed at mid-sized banks.

00:11:18.095 --> 00:11:22.088
It began with spear-phishing and other efforts

00:11:22.088 --> 00:11:25.076
to compromise some IT administrators at the bank.

00:11:25.076 --> 00:11:31.036
Once that is successful, the bad guys will then spend their time figuring out what they need

00:11:31.036 --> 00:11:36.028
and they want and it was at this point that the DDoS attack was launched in one

00:11:36.028 --> 00:11:38.032
of the cases that our folks talked about.
00:11:38.032 --> 00:11:43.064
It was done on a Friday afternoon when staffing was light; naturally resources were directed

00:11:43.064 --> 00:11:49.093
at responding to the denial of service attack which then left other activities perhaps unmonitored,

00:11:49.093 --> 00:11:52.057
and that's when the criminal enterprise

00:11:52.057 --> 00:11:57.034
or individual actually began the more sophisticated attack and actually traded a lot

00:11:57.034 --> 00:12:02.067
of information that allowed them to clone ATM debit and credit cards.

00:12:02.067 --> 00:12:08.072
There were press reports about one bank having lost 9 million dollars over the next 48 hours.

00:12:08.072 --> 00:12:11.031
So again, the DDoS was a big part of it

00:12:11.031 --> 00:12:16.014
because it had really facilitated the ability to conduct a larger crime.

00:12:16.014 --> 00:12:21.002
Another trend we're seeing is crowdsourcing of DDoS attacks.

00:12:21.002 --> 00:12:28.008
You may be familiar with Operation Payback, which is something that Anonymous was behind.

00:12:28.008 --> 00:12:34.032
Initially started as a response to some anti-piracy efforts and worked into a response

00:12:34.032 --> 00:12:39.048
when WikiLeaks became very press-worthy in terms

00:12:39.048 --> 00:12:45.029
of some companies responding to WikiLeaks.

00:12:45.029 --> 00:12:53.013
So social networking facilitates the crowdsourcing. Essentially, why do you need to go build

00:12:53.013 --> 00:12:58.009
up or acquire your own botnet to engage in an attack when you could get 100

00:12:58.009 --> 00:13:01.022
or 1,000 like-minded friends who will happily do that thinking

00:13:01.022 --> 00:13:03.079
that they're doing something for the greater good.
00:13:03.079 --> 00:13:09.024
And I would also suggest that the criminal enterprises are fully aware of this

00:13:09.024 --> 00:13:15.094
and why should they expose themselves or spend their resources if they can gin up some real

00:13:15.094 --> 00:13:20.038
or imagined affront by a company they're trying to penetrate and get people

00:13:20.038 --> 00:13:23.069
to unwittingly support their efforts.

00:13:23.069 --> 00:13:27.029
Another trend is application layer attacks.

00:13:27.029 --> 00:13:31.028
More sophisticated, generally you get more bang for your buck,

00:13:31.028 --> 00:13:34.059
you can have more impact with less resources.

00:13:34.059 --> 00:13:37.058
It takes a little more work, but it is something

00:13:37.058 --> 00:13:40.008
that you will see more of, we suspect, going forward.

00:13:40.008 --> 00:13:45.005
Two more things. One, insider threat, not strictly DDoS

00:13:45.005 --> 00:13:46.076
but it certainly can be a part of it.

00:13:46.076 --> 00:13:52.001
What we're seeing generally with intrusions is an increasing number of compromised insiders.

00:13:52.001 --> 00:13:55.059
Again, often through use of social media; social media is wonderful.

00:13:55.059 --> 00:13:59.083
So it allows folks to figure out just how to get at someone

00:13:59.083 --> 00:14:02.034
and a compromised insider facilitates the effort and again,

00:14:02.034 --> 00:14:05.038
often the DDoS is part of the culmination of it there.

00:14:05.038 --> 00:14:08.067
Finally I would say it's getting easier than ever.

00:14:08.067 --> 00:14:15.062
There are attack kits, there's malware out there that you can buy, optimized for DDoS attacks.

00:14:15.062 --> 00:14:17.078
As with all the attack kits out there,

00:14:17.078 --> 00:14:20.062
they're becoming much easier for less sophisticated users.
00:14:20.062 --> 00:14:24.008
You don't have to have a lot of coding expertise to get some of these up and running

00:14:24.008 --> 00:14:29.018
and have yourself an ongoing criminal enterprise.

00:14:29.018 --> 00:14:32.005
So, circling back to where I began, I would say that, you know, we're here talking

00:14:32.005 --> 00:14:37.048
about DDoS attacks but I think it's important in this conversation not to put it in a box

00:14:37.048 --> 00:14:41.006
and isolate it from other malicious activities that are going on and other vulnerabilities

00:14:41.006 --> 00:14:46.051
and intrusions because the bad guys don't think about it that way so we really,

00:14:46.051 --> 00:14:51.001
as we're talking about responding to it, make sure that we don't do the same.

00:14:51.001 --> 00:14:54.085
>> Brian: Thank you Jeff, so in listening I'm hearing that I have more things

00:14:54.085 --> 00:14:56.084
to be concerned about, more things to be afraid of,

00:14:56.084 --> 00:14:59.079
something called spear-phishing, I'm not sure what that is.

00:14:59.079 --> 00:15:06.007
That this is a broader attack profile against the internet, that there's numerous points

00:15:06.007 --> 00:15:13.042
of attack and it's in part a simple attack that is designed to provide misdirection

00:15:13.042 --> 00:15:15.018
so a secondary attack can happen.

00:15:15.018 --> 00:15:21.049
So clearly, this is a troubling landscape that I'm trying to sort through.

00:15:21.049 --> 00:15:27.047
Ram, as Afilias, a registry operator on the internet, you provide technical services

00:15:27.047 --> 00:15:30.096
for dot org on the internet and other top-level domains.

00:15:30.096 --> 00:15:36.066
From the registry operator's perspective, what is the scope of this problem?

00:15:36.066 --> 00:15:41.032
>> Ram: Thank you Brian and thanks for having me here.
00:15:41.032 --> 00:15:44.004
I guess the very first thing is, if you're a registry operator,

00:15:44.004 --> 00:15:49.001
really what you're doing is you're providing a targeted answer

00:15:49.001 --> 00:15:53.003
for where the domain names are on the internet.

00:15:53.003 --> 00:15:58.088
You're a kind of directory, to a large extent, and that's the biggest job that you do

00:15:58.088 --> 00:16:04.051
as a registry and you get information from people who want to buy domain names

00:16:04.051 --> 00:16:06.054
or who want to get a website going.

00:16:06.054 --> 00:16:09.092
You get information from them, store it into a large database,

00:16:09.092 --> 00:16:15.006
and the biggest thing you do is propagate it instantaneously everywhere around the world.

00:16:15.006 --> 00:16:21.057
And what that means is that your browser, typing in redcross.org when it's sitting here,

00:16:21.057 --> 00:16:28.005
or on your mobile phone, typing in redcross.org when you're perhaps in another part of the world,

00:16:28.005 --> 00:16:34.087
they all translate to get to the actual Red Cross site, and that translation is done

00:16:34.087 --> 00:16:36.099
by the registry, by the directory.

00:16:36.099 --> 00:16:45.013
So that makes it a really interesting place to attack because after all, if you can compromise

00:16:45.013 --> 00:16:50.015
or if you can take down the authoritative directory for every dot org

00:16:50.015 --> 00:16:53.064
domain name in the world, there are more than 10 million dot org domain names.

00:16:53.064 --> 00:16:56.011
There are more than 10 million dot org websites in the world.

00:16:56.011 --> 00:17:03.003
If you can take down the provider who is giving the information that says to every computer

00:17:03.003 --> 00:17:08.062
in the world, hey, for a given dot org, which computer should I go to?

00:17:08.062 --> 00:17:09.052
Where should I go to?
00:17:09.052 --> 00:17:15.014
If you can take them down, that's not only a coup, but that also is a global event.

00:17:15.014 --> 00:17:19.098
It gets you noticed; there are many motivations but that's certainly one of them, right?

00:17:19.098 --> 00:17:26.059
And that makes the dot org registry, a [inaudible] of what we run, a regular target.

00:17:26.059 --> 00:17:32.033
Up on the screen you see, this is some data from earlier in the year,

00:17:32.033 --> 00:17:36.009
gives you an idea of the scaling, the kinds of attacks that come through.

00:17:36.009 --> 00:17:46.078
So that's 2012, February, and from 2012 February to 2012 June, this is the number of queries,

00:17:46.078 --> 00:17:53.031
the number of requests coming into the servers that we run worldwide asking for information

00:17:53.031 --> 00:17:56.004
about a dot org domain name, right.

00:17:56.004 --> 00:18:03.035
And much of this comes from DDoS so, the foundation for DDoS is very simple, right?

00:18:03.035 --> 00:18:09.046
It's a denial of service, so all these computers around the world do it, they send a request

00:18:09.046 --> 00:18:16.018
in to our server saying hey, tell me where a particular dot org domain name is.

00:18:16.018 --> 00:18:21.063
And before you even respond they're gone and they come back again and they say tell me where.

00:18:21.063 --> 00:18:28.005
And they do this hundreds of millions of times in, it used to be a very short timeframe,

00:18:28.005 --> 00:18:31.061
but as you can see here, it's an extended timeframe.

00:18:31.061 --> 00:18:35.047
Now what we saw earlier in the year was in the space of just a few months,

00:18:35.047 --> 00:18:40.093
February through to June, we had a 3X increase, a three times increase

00:18:40.093 --> 00:18:44.021
in the total volume coming in in just four months' time.

00:18:44.021 --> 00:18:50.044
But, if you look further, if you look in the next screen, that's not the real story.
00:18:50.044 --> 00:18:56.023
That 3X increase that I showed you earlier, so that was up to 2012,

00:18:56.023 --> 00:19:00.028
June, but look at what happened from there through to September.

00:19:00.028 --> 00:19:06.096
That was a 9X increase in total volume coming through to the dot org systems.

00:19:06.096 --> 00:19:14.094
In total, from February through to September, that was an 18 times increase in volume.

00:19:14.094 --> 00:19:18.081
Now the data is interesting.

00:19:18.081 --> 00:19:25.078
The real-life importance of this is, as a registry provider, if you're not provisioned

00:19:25.078 --> 00:19:31.058
and if you don't have the measures to know when [inaudible] attacks are coming and then be able

00:19:31.058 --> 00:19:35.053
to take appropriate countermeasures when such attacks are coming,

00:19:35.053 --> 00:19:42.038
you could just go down, and going down means that every single dot org website

00:19:42.038 --> 00:19:47.053
in the world, dot org email address, okay, every single thing that depends on dot org,

00:19:47.053 --> 00:19:55.002
sooner or later is not accessible on the internet, and it's not happened so far,

00:19:55.002 --> 00:20:00.073
but the gap between what you provision and the scale

00:20:00.073 --> 00:20:02.089
of attacks and who is attacking you,

00:20:02.089 --> 00:20:06.054
it's a continuous cat-and-mouse game.

00:20:06.054 --> 00:20:16.019
The other thing that I wanted for you to know about is where the DDoS is coming from;

00:20:16.019 --> 00:20:26.018
it's often coming from your PC that is just on at home, connected to your broadband connection.

00:20:26.018 --> 00:20:29.027
Just sitting there, and you probably don't even know it.
00:20:29.027 --> 00:20:34.064
If you have a good ISP, if you have a good internet provider, they probably have ways

00:20:34.064 --> 00:20:38.095
to track it and many of the internet providers these days are putting in measures

00:20:38.095 --> 00:20:45.021
to understand whether there's a DDoS attack, so whether you're part of a botnet.

00:20:45.021 --> 00:20:48.021
But when we say a zombie, that's really what it is.

00:20:48.021 --> 00:20:56.068
Your computer, your computing device somewhere connected online, has been taken over,

00:20:56.068 --> 00:21:06.031
and you don't know it but it's now part of a global group of computers that can be harnessed

00:21:06.031 --> 00:21:10.074
to attack any given target at a moment's notice.

00:21:10.074 --> 00:21:16.049
And that is pretty scary; it's a pretty impressive feat of engineering,

00:21:16.049 --> 00:21:23.077
but it's scary because pulling together 5 million of these is no big deal.

00:21:23.077 --> 00:21:28.079
Pulling together 40 million of these takes some effort but it's doable.

00:21:28.079 --> 00:21:35.031
And if you have 40 million computers that are just sending a little ping every

00:21:35.031 --> 00:21:40.005
so many milliseconds, asking for information and then just going away,

00:21:40.005 --> 00:21:47.048
that becomes a massive problem and something that you really have to work hard

00:21:47.048 --> 00:21:50.022
to mitigate before it overwhelms you

00:21:50.022 --> 00:21:54.074
because if it becomes a tsunami, it's very hard to overcome.
00:21:54.074 --> 00:21:58.004
>> Brian: Thank you Ram, and thank you for giving us pictures, which are worth a million words,

00:21:58.004 --> 00:22:02.067
and giving us a sense of the scope of the problem and also in your comments,

00:22:02.067 --> 00:22:07.049
connecting this to the "why should I care" question as an individual:

00:22:07.049 --> 00:22:12.047
if all the dot org sites in the world go down, the organizations who have that website up,

00:22:12.047 --> 00:22:16.036
whether they're an NGO or not-for-profit trying to do good in their mission

00:22:16.036 --> 00:22:20.075
or whether it's an individual or a company in a dot com

00:22:20.075 --> 00:22:23.077
having their commercial activities interrupted, that's a very serious impact.

00:22:23.077 --> 00:22:28.005
So as we move through the discussion, connecting the dots to "why should I care",

00:22:28.005 --> 00:22:31.056
the individual at home, and also the interesting thing is

00:22:31.056 --> 00:22:37.057
that I might be an unwitting participant in an attack, my machine on my desk at home,

00:22:37.057 --> 00:22:39.035
and be completely unaware of this.

00:22:39.035 --> 00:22:42.039
I think we're starting to get to those issues of "why I should care".

00:22:42.039 --> 00:22:48.076
So next, let's get to, I think, it's Dr. Damian Menscher.

00:22:48.076 --> 00:22:53.067
So we've heard from a registry operator, now from an online service provider,

00:22:53.067 --> 00:22:57.041
in this case Google, the leading search engine.

00:22:57.041 --> 00:23:03.099
Damian, with Google's breadth and depth of technology and reach, this certainly can't be

00:23:03.099 --> 00:23:06.084
that big of a concern for a company the size of Google, right?

00:23:06.084 --> 00:23:09.062
Tell me why I'm wrong.

00:23:09.062 --> 00:23:15.001
>> Damian: Right, because we have a team of people that worries about this stuff.

00:23:15.001 --> 00:23:19.007
So, most people don't realize that Google is actually regularly attacked.
00:23:19.007 --> 00:23:24.095
The reason is, you'd sort of wonder why would anyone have anything against Google?

00:23:24.095 --> 00:23:27.041
Well it turns out we actually host a lot of user content,

00:23:27.041 --> 00:23:31.097
so Blogspot includes random user content from people all over the world.

00:23:31.097 --> 00:23:34.011
Sometimes that's controversial.

00:23:34.011 --> 00:23:38.032
Similarly YouTube might have a controversial video on it

00:23:38.032 --> 00:23:43.029
and so frequently these sorts of sites do get attacked.

00:23:43.029 --> 00:23:49.000
And it's not just DNS as previously mentioned, it's, you know, we see application layer attacks

00:23:49.000 --> 00:23:54.005
where they'll fetch the same homepage over and over again at very high rates,

00:23:54.005 --> 00:23:59.007
you know, upwards of maybe a million times a second.

00:23:59.007 --> 00:24:03.099
So, you've also probably noticed that we're never actually down so, if you want to talk

00:24:03.099 --> 00:24:06.049
about how we do that, if you go to the first slide.

00:24:06.049 --> 00:24:13.008
So we benefit a lot from economy of scale; when you look at most small websites,

00:24:13.008 --> 00:24:16.042
there might be a thousand websites hosted on a single machine

00:24:16.042 --> 00:24:19.003
because they don't get very much traffic.

00:24:19.003 --> 00:24:22.089
We sort of turned that around and we might have a thousand machines hosting one website.

00:24:22.089 --> 00:24:28.089
You know, Google.com is a big website, it doesn't fit on a single machine.

00:24:28.089 --> 00:24:32.072
So we do benefit a lot from the economy of scale

00:24:32.072 --> 00:24:36.032
and pooling our defense resources across our various properties.

00:24:36.032 --> 00:24:41.003
But, go to the next slide, you have to be a little bit careful about this;

00:24:41.003 --> 00:24:44.058
if you put everything together, you also have some risk.
00:24:44.058 --> 00:24:52.008
So, I wanted to talk briefly about how we deal with this and this also is,

00:24:52.008 --> 00:24:56.017
as Jeff had mentioned, we have to be careful

00:24:56.017 --> 00:24:59.062
that we don't distract our security team when there is a DoS attack.

00:24:59.062 --> 00:25:03.096
If we have one team that focuses on all of security,

00:25:03.096 --> 00:25:06.087
then when there's a DoS attack we might be looking at that and miss other things.

00:25:06.087 --> 00:25:14.068
So, what we do actually is, go on, we have layered defenses.

00:25:14.068 --> 00:25:18.028
So we have a separate team that focuses on DoS attacks so that

00:25:18.028 --> 00:25:21.011
when there's an attack we don't lose sight of the other attacks

00:25:21.011 --> 00:25:24.098
that are happening against us every day.

00:25:24.098 --> 00:25:32.057
And, basically we focus on having layered defenses so; this is a very rough sketch

00:25:32.057 --> 00:25:33.072
of what our network might look like.

00:25:33.072 --> 00:25:37.065
We don't see the internet necessarily as a single cloud.

00:25:37.065 --> 00:25:43.092
We see it as multiple clouds because we peer directly with several major ISPs.

00:25:43.092 --> 00:25:48.004
We go through a layer of load balancing at our network

00:25:48.004 --> 00:25:54.099
so if any particular network device gets overloaded, we can work around that.

00:25:54.099 --> 00:26:01.026
Then we go through a layer of load balancing within our own network to eventually get

00:26:01.026 --> 00:26:05.087
to the backends that are the webservers, serving the actual content.

00:26:05.087 --> 00:26:08.077
And so by doing this, we're able to shift traffic

00:26:08.077 --> 00:26:13.044
around to avoid any damage from the attack traffic.
00:26:13.044 --> 00:26:17.044 We also have many layers at which we can filter out the bad traffic so, 00:26:17.044 --> 00:26:22.064 at the very edge of our network we might be able to filter out some of the more obvious attacks, 00:26:22.064 --> 00:26:30.076 but as you get deeper in or more sophisticated attacks, we filter them at other places. 00:26:30.076 --> 00:26:37.043 Another thing I want to mention though is, this style works really well for a very large company 00:26:37.043 --> 00:26:42.078 like Google, but most of you are probably more interested in how to defend the small site 00:26:42.078 --> 00:26:51.057 and the best advice I have there is that the user comment of going to Google, 00:26:51.057 --> 00:26:54.067 might actually make sense if they host their site on Google, 00:26:54.067 --> 00:26:56.099 they automatically benefit from our defenses. 00:26:56.099 --> 00:26:58.095 They won't even know they're being attacked. 00:26:58.095 --> 00:27:04.053 And we frequently do see cases of organizations that are under a heavy DoS attack 00:27:04.053 --> 00:27:09.085 and they just quickly set up a site on Blogger saying, "Hey, we're being attacked. 00:27:09.085 --> 00:27:12.024 We're going to use this for our communication for now." 00:27:12.024 --> 00:27:17.036 That's actually, at one point, the country of Georgia had their ministry 00:27:17.036 --> 00:27:23.095 of foreign affairs host their site on Blogger which was entertaining for me to say, like oh, 00:27:23.095 --> 00:27:28.056 what are we going to see as a result of this? 00:27:28.056 --> 00:27:33.062 But the other thing is just making sure that you are pooling your resources with others 00:27:33.062 --> 00:27:40.014 in your organization, there are other cloud based DoS mitigation providers that sort 00:27:40.014 --> 00:27:47.053 of aggregate resources from several different clients and can provide good defenses for you. 00:27:47.053 --> 00:27:50.057 >> Brian: Thank you Damian, and love ice. 
00:27:50.057 --> 00:27:52.015 It's terrific. 00:27:52.015 --> 00:27:55.086 >> Damian: Also our PR people would want me to say it's not as weak 00:27:55.086 --> 00:27:59.029 as eggs, you know like fortified eggs. 00:27:59.029 --> 00:28:00.076 >> Brian: Boiled eggs. 00:28:00.076 --> 00:28:02.086 [Laughter] No terrific, thank you. 00:28:02.086 --> 00:28:04.075 >> Damian: Each layer is very strong. 00:28:04.075 --> 00:28:08.098 >> Brian: Thank you and you know, fully appreciating your remarks too, 00:28:08.098 --> 00:28:15.023 one thing that jumped out to me is that I think one of the challenges we all share 00:28:15.023 --> 00:28:19.081 in this space is that from the user perspective, and I'm going to try to keep bringing us back 00:28:19.081 --> 00:28:25.058 to the user and the average person at home, is that this problem, there's a low level 00:28:25.058 --> 00:28:30.009 of awareness and one of the reasons is because as very responsible service providers 00:28:30.009 --> 00:28:35.007 like Google and the other's on this panel, you've taken on the challenge and objective 00:28:35.007 --> 00:28:38.002 of staying up and not being taken down by DDoS attack. 00:28:38.002 --> 00:28:44.081 You've been successful to date and as such, users who have their sites on Google, 00:28:44.081 --> 00:28:49.084 the DNS is sometimes thought of like electricity, you know it's just there. 00:28:49.084 --> 00:28:52.014 It's my website is up, the internet is up. 00:28:52.014 --> 00:28:55.004 I only notice it when it goes down. 00:28:55.004 --> 00:28:59.026 I only become aware there's a problem when there's a problem. 00:28:59.026 --> 00:29:03.017 So interesting thought, let's keep coming back to that 00:29:03.017 --> 00:29:05.059 "why should the individual, why should the user care?" 00:29:05.059 --> 00:29:08.042 How do we get this on their radar screen in a meaningful way 00:29:08.042 --> 00:29:10.093 so they can become part of the solution? 
00:29:10.093 --> 00:29:14.004 So with that thought let's go to Miguel. 00:29:14.004 --> 00:29:20.011 And Miguel we're going to ask you to focus on specifically corporate responses 00:29:20.011 --> 00:29:25.066 from the perspective of a third-party mitigation service provider. 00:29:25.066 --> 00:29:26.098 >> Miguel: Sure and thank you Brian. 00:29:26.098 --> 00:29:33.013 I'm going to dovetail on some of the things that Damian was saying. 00:29:33.013 --> 00:29:38.019 A lot of organizations and a lot of people don't understand or know about DDoS 00:29:38.019 --> 00:29:42.077 and don't see an issue until it actually happens to them. 00:29:42.077 --> 00:29:46.073 And at that point, a lot of organizations are kind of scrambling, 00:29:46.073 --> 00:29:51.045 trying to figure out what it is that they can potentially do to deal with this issue. 00:29:51.045 --> 00:29:57.042 And they most likely go to Google to try to determine and try to find an answer. 00:29:57.042 --> 00:30:03.018 So, a lot of people don't think about this because they assume that their ISP 00:30:03.018 --> 00:30:07.015 or their hoster is actually going to take care of the problem for them. 00:30:07.015 --> 00:30:13.009 Actually, what tends to happen is that when an organization is under heavy DDoS attack, 00:30:13.009 --> 00:30:17.065 the ISP and the hoster is looking at protecting their own assets 00:30:17.065 --> 00:30:21.023 and will most likely just shut you down. 00:30:21.023 --> 00:30:24.002 And so they might contact you and tell you you're under a DDoS attack 00:30:24.002 --> 00:30:27.015 but they may not help you through it. 00:30:27.015 --> 00:30:33.043 So, there are some things that organizations can do to help mitigate this risk. 00:30:33.043 --> 00:30:37.047 Some organizations look at dealing with the DDoS problem themselves. 00:30:37.047 --> 00:30:39.003 They'll look at buying their own hardware; 00:30:39.003 --> 00:30:42.028 they'll look at provisioning bandwidth, etcetera. 
00:30:42.028 --> 00:30:47.003 Unfortunately a lot of organizations don't have the resources to be able to do that. 00:30:47.003 --> 00:30:51.035 And it doesn't necessarily make sense for a lot of organizations because it's sort 00:30:51.035 --> 00:30:56.098 of an arms race and it's hard to spend your way out of dealing with this problem 00:30:56.098 --> 00:31:01.094 as attacks get larger and larger and more complicated, etcetera. 00:31:01.094 --> 00:31:09.061 So, there are some third-party options that organizations can look at that I would kind 00:31:09.061 --> 00:31:15.088 of consider to be infrastructure as a service that can be used on an on-demand basis 00:31:15.088 --> 00:31:19.071 to help organizations deal with DDoS attacks when they happen. 00:31:19.071 --> 00:31:26.071 So the idea is simply, you don't necessarily have to over-provision all hardware, 00:31:26.071 --> 00:31:29.042 bandwidth, etcetera to deal with the risk. 00:31:29.042 --> 00:31:36.025 You can potentially use the third party that has that capacity and capability when you need it. 00:31:36.025 --> 00:31:42.042 And you know at that point you're looking at options like content distribution networks, 00:31:42.042 --> 00:31:47.086 they can potentially help deal with absorbing some of this traffic and keeping 00:31:47.086 --> 00:31:49.078 that traffic away from your network. 00:31:49.078 --> 00:31:55.065 There's also cloud-based providers that specifically focus on the DDoS problem 00:31:55.065 --> 00:31:59.044 and the idea there is if you're under an attack, 00:31:59.044 --> 00:32:03.081 your organization can potentially redirect the traffic over to a cloud-based provider 00:32:03.081 --> 00:32:08.035 that can absorb the traffic, that knows how to mitigate and deal 00:32:08.035 --> 00:32:12.083 with [inaudible] service attacks and then sends you basically the clean traffic. 
00:32:12.083 --> 00:32:19.029 It's sort of kind of putting a shield in front of your infrastructure on an on-demand basis 00:32:19.029 --> 00:32:21.035 when you're dealing with these attacks. 00:32:21.035 --> 00:32:28.087 So, infrastructure as a service is something that is more affordable for organizations 00:32:28.087 --> 00:32:32.019 and something that organizations are starting to look at more and more 00:32:32.019 --> 00:32:35.086 as a way to deal with this DDoS issue. 00:32:35.086 --> 00:32:38.002 And certainly, there's a lot of information about that 00:32:38.002 --> 00:32:42.008 on Google and it's key to become informed. 00:32:42.008 --> 00:32:46.074 >> Brian: Thanks Miguel, so we're beginning to get a clear picture of the scope of the problem 00:32:46.074 --> 00:32:52.059 from a number of different perspectives and in addition to service providers such as Google 00:32:52.059 --> 00:32:58.025 and Afilias, Verisign and Neustar maintaining their services in a way that keeps them 00:32:58.025 --> 00:33:01.027 up 24/7 and addresses these attacks. 00:33:01.027 --> 00:33:06.034 For certain organizations there are specific resources available if needed 00:33:06.034 --> 00:33:11.055 and that's interesting as we're beginning to, after setting the scene, 00:33:11.055 --> 00:33:16.043 now let's transition towards those solutions as mitigation efforts, the services that are 00:33:16.043 --> 00:33:20.066 out there designed specifically to provide additional protection. 00:33:20.066 --> 00:33:28.006 As we transition, Danny I want you to help the audience understand some domestic initiatives 00:33:28.006 --> 00:33:32.054 such as the anti-botnet work undertaken by CSRIC and help us to begin 00:33:32.054 --> 00:33:38.017 to understand how we can begin to collectively come together to address this problem. 00:33:38.017 --> 00:33:39.006 >> Danny: Yes sir, thanks Brian. 
00:33:39.006 --> 00:33:43.055 So there have been a large number of collaborative efforts between the public 00:33:43.055 --> 00:33:50.041 and private sector related to botnet infections, compromised machines, malcode proliferation, 00:33:50.041 --> 00:33:55.084 virulence of threats on the internet, just this broad swath of malicious activity. 00:33:55.084 --> 00:34:01.005 It's a nontrivial problem to solve because the ISPs for example, a lot of folks point fingers 00:34:01.005 --> 00:34:05.007 at the ISPs, but the ISPs don't [inaudible] systems, their [inaudible] system in particular, 00:34:05.007 --> 00:34:10.044 the broadband ISP user residential consumers that acquire service from the ISP, 00:34:10.044 --> 00:34:14.008 and the ISP shouldn't be looking at their traffic and you know 00:34:14.008 --> 00:34:17.021 they have privacy concerns or other things. 00:34:17.021 --> 00:34:21.021 So, what sort of controls or capabilities can the ISPs actually add to help them? 00:34:21.021 --> 00:34:24.015 So a number of efforts have been underway actually. 
00:34:24.015 --> 00:34:27.082 One such example is the FCC CSRIC III, 00:34:27.082 --> 00:34:31.025 working group 7 recently published something called the ABCs for ISPs 00:34:31.025 --> 00:34:36.098 and it's basically the anti-botnet code and they developed it with a number of other folks 00:34:36.098 --> 00:34:42.006 in the industry, MAAWG, the Messaging Anti-Abuse Working Group, as well as some publication 00:34:42.006 --> 00:34:48.036 in the IETF and broader participation, actually internationally from folks from Japan, 00:34:48.036 --> 00:34:53.035 Cyber Clean Center, to Australia, Finland, Germany, other folks and it basically talks 00:34:53.035 --> 00:34:58.017 about some fundamental things that ISPs can do to help educate, protect, notify, 00:34:58.017 --> 00:35:02.009 detect malicious threats associated with their consumers and then activity they might take 00:35:02.009 --> 00:35:04.082 to help to clean that problem or sanitize 00:35:04.082 --> 00:35:07.013 or provide a little better hygiene on their infrastructure. 00:35:07.013 --> 00:35:12.077 So, one pointer there is one of the reports, the ABCs again, for ISPs, 00:35:12.077 --> 00:35:20.041 you can find it on the [inaudible] website or the FCC CSRIC III, working group 7 webpage 00:35:20.041 --> 00:35:25.037 that you can find easily via Google and so that's certainly one effort. 00:35:25.037 --> 00:35:27.076 One of the fundamental things, going back to the user, 00:35:27.076 --> 00:35:30.000 is there anyone on the receiving end of a DDoS attack? 00:35:30.000 --> 00:35:33.083 What you should definitely be looking at is sort of what enables your business? 00:35:33.083 --> 00:35:37.001 Most of the folks on this panel, you know network is our business all right, 00:35:37.001 --> 00:35:39.068 we're going to focus on providing network services and availability. 
00:35:39.068 --> 00:35:44.001 We're absolutely committed to the security and stability of our infrastructure and services, 00:35:44.001 --> 00:35:47.008 but for a lot of folks, the network enables their business. 00:35:47.008 --> 00:35:52.042 It enables your email or your web presence or your small business 00:35:52.042 --> 00:35:54.057 or your e-commerce or retail site. 00:35:54.057 --> 00:35:59.003 And so irrespective of what it is, you absolutely need 00:35:59.003 --> 00:36:03.054 to consider what the critical network assets are or the critical assets across the board 00:36:03.054 --> 00:36:11.002 to your organization and you identify those, you say what's the impact of an availability issue 00:36:11.002 --> 00:36:16.061 or security issue or a compromise of information impacting those assets? 00:36:16.061 --> 00:36:21.028 And how might I put controls in place to help mitigate that or to at least have a plan 00:36:21.028 --> 00:36:26.077 to respond if there's a DDoS attack or a breach inside my infrastructure, those sorts of things. 00:36:26.077 --> 00:36:31.059 You know one of the things that I've seen in the past, we did this survey for several years, 00:36:31.059 --> 00:36:35.035 a previous employer of mine, and most of the folks that responded 00:36:35.035 --> 00:36:39.063 to this infrastructure security survey didn't actually even have an incident response team 00:36:39.063 --> 00:36:42.072 in place in their organization even if it's an overlay team, 00:36:42.072 --> 00:36:44.059 much less an incident response plan. 
00:36:44.059 --> 00:36:47.084 And if you don't have an incident response plan, you're certainly not going to exercise that 00:36:47.084 --> 00:36:51.072 and so you really don't want to be on the receiving end of something like a DDoS attack 00:36:51.072 --> 00:36:56.064 and not have a book in someone's hand that says this is the phone number I call for my ISP 00:36:56.064 --> 00:37:01.044 or for my national CERT or for my vendor that provides a certain service or capability to me, 00:37:01.044 --> 00:37:05.058 so I think it sort of starts with those fundamentals, identifying critical assets, 00:37:05.058 --> 00:37:09.043 understanding what the options are to protect the things that are critical to you. 00:37:09.043 --> 00:37:13.067 If it's moving services to cloud infrastructure, acquiring protection services for those, 00:37:13.067 --> 00:37:16.078 putting your own controls in place, but you definitely need 00:37:16.078 --> 00:37:18.014 to consider that in your environment. 00:37:18.014 --> 00:37:19.037 Consider what the impact would be. 00:37:19.037 --> 00:37:23.031 These are a real risk to your business and your operations and so, 00:37:23.031 --> 00:37:27.000 I think fundamentally that's sort of where I would recommend you start, Brian. 00:37:27.000 --> 00:37:32.091 >> Brian: Thanks Danny, so interesting in your comments, you mentioned ISPs, 00:37:32.091 --> 00:37:37.026 we've got registry operators, you've got online service providers, we've got search engines, 00:37:37.026 --> 00:37:43.018 so we really have a number of different service providers in this community 00:37:43.018 --> 00:37:45.094 that helps keep the internet up in a collaborative way. 
00:37:45.094 --> 00:37:52.013 The CSRIC effort for ISPs in particular sounds interesting and what we want to get 00:37:52.013 --> 00:37:56.053 at a little bit later in the conversation is across this community of service providers 00:37:56.053 --> 00:38:00.028 who I assume have different roles and maybe different responsibilities in some ways, 00:38:00.028 --> 00:38:05.057 how do we build on the collaboration that you've begun to speak about and also interestingly, 00:38:05.057 --> 00:38:09.026 you spoke to the organization and what they should have in place. 00:38:09.026 --> 00:38:14.005 Understanding what enables your business, having a plan in place, and the question that raises 00:38:14.005 --> 00:38:18.068 for me is, well how do organizations know they should have these things 00:38:18.068 --> 00:38:20.087 and how do we educate on that front as well? 00:38:20.087 --> 00:38:27.031 So we'll get to that in a little bit, but to round out the panel, thank you all so far 00:38:27.031 --> 00:38:31.038 for shedding some light on the scope and dimensions of the problem and how we can begin 00:38:31.038 --> 00:38:36.054 to address it, but let me now go to Jillian. 00:38:36.054 --> 00:38:42.024 Jillian, what I'd like you to talk about from your perspective is what are some 00:38:42.024 --> 00:38:47.035 of the unintended consequences related to DDoS attacks and in particular, 00:38:47.035 --> 00:38:51.042 help us start thinking about potential over-reactions to DDoS attacks. 00:38:51.042 --> 00:38:57.021 We know that these attacks are nefarious in nature, we know that we have a panel 00:38:57.021 --> 00:39:02.015 of good guys who are doing what they can and doing everything we think they should, 00:39:02.015 --> 00:39:06.097 but tell us about the unintended consequences both from the malicious attack side 00:39:06.097 --> 00:39:12.085 and when a well-intended operator tries to take mitigation techniques against an attack. 
00:39:12.085 --> 00:39:20.082 >> Jillian: Sure, so at the beginning of this I think Jeff referred to, actually I'm sorry, 00:39:20.082 --> 00:39:23.084 Brian referred to sometimes these attacks being used as sort 00:39:23.084 --> 00:39:25.052 of an extreme form of free expression. 00:39:25.052 --> 00:39:27.039 I'm not sure I would classify it as free expression, 00:39:27.039 --> 00:39:32.009 but we could say civil disobedience, that's been argued by many, and an example of this 00:39:32.009 --> 00:39:36.066 that might resonate a little bit better than say the Anonymous attacks against MasterCard 00:39:36.066 --> 00:39:41.037 and Visa, would be people sympathetic to the Syrian opposition going 00:39:41.037 --> 00:39:43.009 after Syrian Government websites. 00:39:43.009 --> 00:39:45.056 That's something that a lot of people have sympathized with, 00:39:45.056 --> 00:39:50.004 have considered civil disobedience in a scenario where the government has shut 00:39:50.004 --> 00:39:52.061 down the internet, censored the internet, etcetera. 00:39:52.061 --> 00:40:00.006 And so nevertheless the vast majority of these attacks are malicious, are directed at, 00:40:00.006 --> 00:40:03.009 not just these big companies and the big networks, but also at the little guy 00:40:03.009 --> 00:40:06.006 and that's kind of where my perspective is coming from. 00:40:06.006 --> 00:40:11.074 A few years ago when I was still at the Berkman Center, we did a study that looked at attacks 00:40:11.074 --> 00:40:17.045 on human rights websites and independent media websites, and 62% of the respondents 00:40:17.045 --> 00:40:23.066 to that study said that they had experienced a DDoS attack at some point and as Damian said, 00:40:23.066 --> 00:40:26.027 Google is sort of at what would you say, the core of the network. 
00:40:26.027 --> 00:40:30.013 Google has resources, they have staff, they own fiber, 00:40:30.013 --> 00:40:36.042 but then you've got these other small organizations 00:40:36.042 --> 00:40:38.009 that are what we would say is at the edge of the network. 00:40:38.009 --> 00:40:42.009 These are organizations that not only are they literally at the edge of the network 00:40:42.009 --> 00:40:46.073 but they also lack the funding and the staff to ward-off an attack. 00:40:46.073 --> 00:40:52.087 They often have fairly insecure hosting, their host might jack-up the cost in an effort 00:40:52.087 --> 00:40:58.005 to help them and so if you are using say, I don't want to throw any specific examples 00:40:58.005 --> 00:41:02.047 out there although I have a couple, but if you're using say a shared hosting provider 00:41:02.047 --> 00:41:08.007 such as Rackspace or Bluehost, I'm not speaking of those companies specifically but, 00:41:08.007 --> 00:41:12.002 if you're using one of those, and you are the victim of an attack, 00:41:12.002 --> 00:41:17.015 your provider could kick you off, they could also raise your costs which for many 00:41:17.015 --> 00:41:19.094 of us would be completely unaffordable. 00:41:19.094 --> 00:41:23.074 And so, when we're looking at the unintended consequences of these, 00:41:23.074 --> 00:41:26.037 I mean I think that there's a couple of different aspects here. 00:41:26.037 --> 00:41:31.022 One is the legal consequences and so I'm not a lawyer and so I should say 00:41:31.022 --> 00:41:37.033 that I should just preface by saying that, but you know these attacks are largely 00:41:37.033 --> 00:41:41.059 by most governments at this point considered hacking and are dealt with as such. 00:41:41.059 --> 00:41:45.015 And so in the U.S. 
that's governed by the Computer Fraud and Abuse Act 00:41:45.015 --> 00:41:51.015 and in Europe there are other similar conventions, but I think that we need 00:41:51.015 --> 00:41:55.013 to start looking at them as a little bit different, than that. 00:41:55.013 --> 00:41:58.082 I think that you need to look at the sort of the [inaudible] behind the attack, 00:41:58.082 --> 00:42:04.072 we need to look at the consequences of the attack, and I think a great example 00:42:04.072 --> 00:42:09.076 of this is an attack that was conducted against Lufthansa, the German airline back in gosh, 00:42:09.076 --> 00:42:16.054 I'm not going to remember the year, early 2000 I believe where a court actually did determine 00:42:16.054 --> 00:42:22.028 that the intent of that attack was not coercion and was there-- 00:42:22.028 --> 00:42:28.013 I'm not a lawyer so I feel like I'm using the wrong language here, 00:42:28.013 --> 00:42:32.002 but it was dealt with as civil disobedience and so. 00:42:32.002 --> 00:42:34.092 But that's actually not my biggest concern. 00:42:34.092 --> 00:42:39.039 My biggest concern is the unintended consequences on these smaller websites 00:42:39.039 --> 00:42:43.002 and so when we look at the consequences on independent human rights 00:42:43.002 --> 00:42:49.067 and independent media websites, generally these sites go off line and are not able 00:42:49.067 --> 00:42:53.046 to quickly get back up and so we've seen attacks that last a week, 6 weeks, 00:42:53.046 --> 00:42:55.045 or where the site goes down entirely. 
00:42:55.045 --> 00:42:58.006 And so some of the suggestions that have already been given are excellent 00:42:58.006 --> 00:43:02.005 and I think actually what Damian said in terms of people moving their sites to Google, 00:43:02.005 --> 00:43:06.082 that's actually one of the suggestions that we give is, if you are a small website, 00:43:06.082 --> 00:43:10.097 sometimes you're just better off hosting your site on a provider like Google 00:43:10.097 --> 00:43:14.082 where you have those resources to back you up. 00:43:14.082 --> 00:43:17.026 We've also, my organization along 00:43:17.026 --> 00:43:21.026 with the Tactical Technology Collective has also developed this guide which is really, 00:43:21.026 --> 00:43:23.034 really basic mitigation techniques. 00:43:23.034 --> 00:43:26.039 We're not even talking about the kinds of things that a corporate website 00:43:26.039 --> 00:43:32.032 or even a large-scale organization would use, but the things that your blogger, 00:43:32.032 --> 00:43:35.021 your independent media site might utilize. 00:43:35.021 --> 00:43:39.009 And this is available, I'll share it after, but it's also available in 9 languages. 00:43:39.009 --> 00:43:46.035 And so just to sum up, I would say that we need to think about these attacks, 00:43:46.035 --> 00:43:52.019 not just how they affect major websites, but also how they affect much smaller organizations. 00:43:52.019 --> 00:43:53.012 >> Brian: Thank you. 00:43:53.012 --> 00:43:54.029 So thank you all. 00:43:54.029 --> 00:43:58.053 We've now set the scene, I hope, and provided some baseline understanding of the nature 00:43:58.053 --> 00:44:00.071 of the attacks, the scope of the attacks. 00:44:00.071 --> 00:44:01.098 We have 2 hours. 00:44:01.098 --> 00:44:08.023 What we're going to do is as follows, we're going to leave 30 minutes at the end for Q&A 00:44:08.023 --> 00:44:11.086 from the folks in the room and from online and we're looking forward to all of your questions. 
00:44:11.086 --> 00:44:14.022 We're going to have basically 2 sessions now. 00:44:14.022 --> 00:44:20.061 What I'm going to do now is engage in some Q&A with the panelists and we'll have 45 minutes 00:44:20.061 --> 00:44:26.021 for that and then we have in the second session a scenario that we've built that we want 00:44:26.021 --> 00:44:29.035 to roll out in front of our panelists and ask how they, 00:44:29.035 --> 00:44:33.026 in their respective roles would react to that particular scenario. 00:44:33.026 --> 00:44:38.098 Now I've got about 7 questions or so, we've got 45 minutes so this isn't rapid-fire 00:44:38.098 --> 00:44:43.051 but let's leave about 5 or 6 minutes for a response to each of these questions. 00:44:43.051 --> 00:44:48.025 This is open to anyone on the panel so let's be dynamic, raise your hand, don't be shy 00:44:48.025 --> 00:44:53.091 and we'll kick it off with the first question which is; let's get specific and both 00:44:53.091 --> 00:44:56.063 from your perspective and from a user's perspective. 00:44:56.063 --> 00:45:00.016 What mitigation techniques are available to us today? 00:45:00.016 --> 00:45:05.032 Both you, as a service provider and the user, how do we stop these things at a basic level? 00:45:05.032 --> 00:45:07.085 Who would like to take that on first? 00:45:07.085 --> 00:45:09.018 Ram. 00:45:09.018 --> 00:45:16.007 >> Ram: Brian this is Ram, let me start; if I was a user, one of the things that I'd want 00:45:16.007 --> 00:45:29.076 to do is if I have a good ISP, then they probably have a botnet mitigation kit 00:45:29.076 --> 00:45:35.063 or something like that, that gets installed in my computing devices and if not, 00:45:35.063 --> 00:45:43.015 I would go to my ISP and ask them for a mitigation kit like that. 00:45:43.015 --> 00:45:45.013 They're pretty commonly available. 00:45:45.013 --> 00:45:50.035 They're pretty sophisticated and they give you the first order of protection. 
00:45:50.035 --> 00:45:57.096 I just also want to point out; having antivirus software on your computer doesn't protect you 00:45:57.096 --> 00:46:03.008 from your computer getting compromised in a DDoS attack. 00:46:03.008 --> 00:46:03.008 >> Brian: That's interesting. 00:46:03.008 --> 00:46:06.052 Most average users would assume that that addresses that problem. 00:46:06.052 --> 00:46:09.015 Tell us why. 00:46:09.015 --> 00:46:12.006 >> Ram: So earlier, let me give you an example, earlier we were hearing 00:46:12.006 --> 00:46:16.091 about spear-phishing right, so I give you a specific example, 00:46:16.091 --> 00:46:20.098 something that actually happened in one of the organizations I work with. 00:46:20.098 --> 00:46:29.069 A high-level executive in this company, it's a pretty small company, got an email 00:46:29.069 --> 00:46:35.086 and the email had a very good subject line, you know it's a photograph of their daughter. 00:46:35.086 --> 00:46:41.015 And it said, took this photograph, she looks great 00:46:41.015 --> 00:46:44.062 and even had the daughter's name on it, right? 00:46:44.062 --> 00:46:49.016 And so the executive got the mail, it looked like a legitimate thing and the, 00:46:49.016 --> 00:46:55.006 from address in the email was kind of somebody he ran into at random, 00:46:55.006 --> 00:46:59.003 but there were enough things in the mail that looked like it was real, you know. 00:46:59.003 --> 00:47:04.064 The daughter's name was right, there was actually a photograph and so they double-clicked 00:47:04.064 --> 00:47:10.003 and they opened up the photograph and that compromised their machine and ended 00:47:10.003 --> 00:47:13.008 up compromising the network from there on, right? 00:47:13.008 --> 00:47:18.008 Now that was not a virus in the traditional sense of a virus. 
00:47:18.008 --> 00:47:23.073 That was something that was custom crafted just for that one individual 00:47:23.073 --> 00:47:30.059 because the person trying to break in had a clear idea who this person was, 00:47:30.059 --> 00:47:35.099 they were trying to penetrate, they understood that that person likely had access 00:47:35.099 --> 00:47:41.085 to other important resources inside of the company's corporate network, got through. 00:47:41.085 --> 00:47:48.036 So, they had antivirus on their computer, but this was not the traditional virus, 00:47:48.036 --> 00:47:54.078 this was an attack just aimed at you, individually. 00:47:54.078 --> 00:47:58.093 >> Brian: Thank you and getting back to the botnet protection package from your ISP, 00:47:58.093 --> 00:48:01.051 at a basic level what does that provide? 00:48:01.051 --> 00:48:06.098 We heard the story of how your own computer can become an unwitting zombie participating 00:48:06.098 --> 00:48:11.084 in a botnet attack, is it designed to prevent that from happening, or other things? 00:48:11.084 --> 00:48:16.085 That was a follow-up for Ram. 00:48:16.085 --> 00:48:19.089 >> Ram: Oh, for me specifically. 00:48:19.089 --> 00:48:26.008 Okay, yeah there are many things that this piece of software or these pieces of software do, 00:48:26.008 --> 00:48:32.095 but often they look at patterns, they look at where the attacks may be coming from. 00:48:32.095 --> 00:48:38.074 They also look at what's happening on your own device and where it's trying to connect to 00:48:38.074 --> 00:48:41.033 and typically you've got certain patterns. 
00:48:41.033 --> 00:48:47.067 You go to a certain set of sites or you send emails, you know you connect to a known set 00:48:47.067 --> 00:48:55.034 of places for the most part and if your device has been compromised, often your device is going 00:48:55.034 --> 00:48:59.011 to places that you normally don't go to 00:48:59.011 --> 00:49:04.073 and your ISP typically has an idea of that stored up over time. 00:49:04.073 --> 00:49:05.004 >> Brian: Thank you. 00:49:05.004 --> 00:49:08.089 So let's dig a little bit deeper on that. 00:49:08.089 --> 00:49:14.057 What was in your answer was, how do we identify where this problem is coming from? 00:49:14.057 --> 00:49:19.076 I think it's an important piece of the puzzle here and you and your service provider capacity, 00:49:19.076 --> 00:49:23.078 let's turn deeper on preventative measures. 00:49:23.078 --> 00:49:27.007 How can we identify where these malicious attacks are coming from? 00:49:27.007 --> 00:49:30.067 Is that an easy thing to solve for, or a harder thing to solve 00:49:30.067 --> 00:49:33.084 for from the service provider perspective and also from the user? 00:49:33.084 --> 00:49:35.092 I think Ram just started to touch on that. 00:49:35.092 --> 00:49:37.064 Anybody want to take that on? 00:49:37.064 --> 00:49:40.015 So, Danny? 00:49:40.015 --> 00:49:44.025 >> Danny: Yeah this is Danny, I'll say something about that and then move on to others, 00:49:44.025 --> 00:49:49.045 but one of the things I think I would touch on initially is that if you're on the receiving end 00:49:49.045 --> 00:49:52.009 of even a moderate sized DDoS attack, 00:49:52.009 --> 00:49:56.009 a lot of some of the bigger networks have the capacity to absorb the attack. 
00:49:56.009 --> 00:50:00.098 What many ISPs or services in the infrastructure offer is the capability 00:50:00.098 --> 00:50:05.002 to absorb the large-scale bits of malicious traffic and surgically mitigate 00:50:05.002 --> 00:50:07.074 and preserve the availability of the services 00:50:07.074 --> 00:50:10.063 that someone may be concerned with, so that's sort of one aspect. 00:50:10.063 --> 00:50:16.014 From an ISP side, one of the interesting things is that IP is a sort 00:50:16.014 --> 00:50:23.007 of hop-by-hop packet forwarding paradigm for communications networks and anyone, 00:50:23.007 --> 00:50:29.096 largely anyone on the internet can emit a packet in the infrastructure that has a source address 00:50:29.096 --> 00:50:34.000 of anyone else on that infrastructure and so this is known as IP source address spoofing. 00:50:34.000 --> 00:50:38.011 And it's a common attack vector, it's not the only attack vector and a lot 00:50:38.011 --> 00:50:41.014 of times botted hosts don't spoof packets at all, 00:50:41.014 --> 00:50:45.025 but traceback in large networks is fairly complex. 00:50:45.025 --> 00:50:49.077 There are a lot of techniques people use from some things like commercial tools 00:50:49.077 --> 00:50:53.075 that do NetFlow and flow-based analysis to trace back to the ingress of their network. 00:50:53.075 --> 00:50:57.025 The problem is you then have to have the capability to say to the upstream 00:50:57.025 --> 00:51:00.018 or the adjacent network, these attack flows I'm seeing from you. 00:51:00.018 --> 00:51:01.082 Can you trace these back on your network? 00:51:01.082 --> 00:51:04.004 Hope that they have the same capability and so forth. 
00:51:04.004 --> 00:51:08.037 And so it's non-trivial given the fact that any sort of adversary 00:51:08.037 --> 00:51:13.043 on the internet has global projection capability and you could be on the receiving end of a lot 00:51:13.043 --> 00:51:16.015 of packet lull as a result of that, right, you know what I mean, 00:51:16.015 --> 00:51:19.000 and these could be broadly distributed or single-source attacks. 00:51:19.000 --> 00:51:23.012 So, tracing these attacks back is one aspect. 00:51:23.012 --> 00:51:28.000 So you would certainly want to trace back with flow-based tools and other things and then ideally 00:51:28.000 --> 00:51:31.008 if you could find sources that were participating in an attack, then you could try 00:51:31.008 --> 00:51:35.009 and identify command and control infrastructure that's used to command 00:51:35.009 --> 00:51:41.009 or to control those attack sources or those botnet hosts and then you would step back 00:51:41.009 --> 00:51:46.018 from there, but that's an extremely complex thing and unfortunately what most people do, 00:51:46.018 --> 00:51:50.068 and to Jillian's point actually, is that a lot of the controls some people put in place 00:51:50.068 --> 00:51:54.092 to mitigate DDoS attacks is actually to effectively complete those attacks. 00:51:54.092 --> 00:51:59.002 It's like hey, there's a large-scale attack of 10 gigabytes per second going toward one 00:51:59.002 --> 00:52:07.011 of the smaller hosts on my network so, what an ISP may do is actually say I'm going 00:52:07.011 --> 00:52:10.007 to drop all the traffic towards that destination at the ingress of my network. 00:52:10.007 --> 00:52:13.023 So what they do is effectively complete the attack. 00:52:13.023 --> 00:52:16.056 That's why it's so important to have controls in place to be able to identify 00:52:16.056 --> 00:52:20.056 and surgically mitigate those attacks, before the attacks occur, so anyway. 00:52:20.056 --> 00:52:21.057 >> Brian: Thank you, very interesting. 
00:52:21.057 --> 00:52:23.066 Anybody else want to pick up on this point? 00:52:23.066 --> 00:52:24.076 Miguel. 00:52:24.076 --> 00:52:30.016 >> Miguel: Just adding to what Danny is saying, collaboration to try to figure 00:52:30.016 --> 00:52:34.038 out what the attack sources are is key and it's not something 00:52:34.038 --> 00:52:37.025 that happens very well currently. 00:52:37.025 --> 00:52:42.098 It's something that the internet community is trying to improve on but we're nowhere near 00:52:42.098 --> 00:52:48.002 where we need to be and to be able to do some of the things that Danny is referring to, 00:52:48.002 --> 00:52:52.033 you kind of have to have backchannel communications between providers. 00:52:52.033 --> 00:52:56.003 You have to be able to have somebody on the inside, 00:52:56.003 --> 00:53:01.093 somewhere that you can share intelligence with and that's something that's difficult. 00:53:01.093 --> 00:53:07.031 The last thing I'll say about it is that sometimes, 00:53:07.031 --> 00:53:16.015 where or who it is that's doing it is not necessarily that important potentially. 00:53:16.015 --> 00:53:20.001 When these things are happening, a lot of people might be focused 00:53:20.001 --> 00:53:25.085 on getting their infrastructure back online, but you do have to temper that with the fact 00:53:25.085 --> 00:53:30.003 that as Jeff was alluding to earlier, this might be something 00:53:30.003 --> 00:53:34.000 that an organization is doing while they're doing something else. 00:53:34.000 --> 00:53:36.065 It could very well be a diversionary tactic. 00:53:36.065 --> 00:53:41.068 >> Brian: Let me pick up on one point there Miguel, you know you mentioned the collaboration 00:53:41.068 --> 00:53:45.068 between and across network operators being a challenge. 
00:53:45.068 --> 00:53:49.092 Is that a resource challenge, is it a communications challenge, 00:53:49.092 --> 00:53:54.007 is it a technical sophistication challenge, because it is understood from Danny's comment 00:53:54.007 --> 00:53:57.091 that this is a complex investigation that has to cross a number 00:53:57.091 --> 00:54:00.072 of different network operators to get to the answer. 00:54:00.072 --> 00:54:02.062 What's the issue there? 00:54:02.062 --> 00:54:10.066 >> Miguel: I would say that there's a corporate privacy challenge that a lot 00:54:10.066 --> 00:54:18.006 of organizations don't really want their technical staff or the staff that are dealing 00:54:18.006 --> 00:54:23.089 with this problem to be collaborating with other operators and that's a significant roadblock. 00:54:23.089 --> 00:54:24.074 >> Brian: Thank you. 00:54:24.074 --> 00:54:26.035 Jillian-- oh go ahead Damian? 00:54:26.035 --> 00:54:29.061 >> Damian: I also wanted to say that I think that the 3 things that you mentioned, 00:54:29.061 --> 00:54:32.009 Brian, it being resources and technical issues 00:54:32.009 --> 00:54:38.024 and communication are also significant challenges even if you do get 00:54:38.024 --> 00:54:42.031 through the communication barrier to talking to somebody at the ISP, 00:54:42.031 --> 00:54:46.049 they might not have the technical capability to track it further back 00:54:46.049 --> 00:54:50.079 or they might not have the resources to spend time on spending an hour to track it back. 00:54:50.079 --> 00:54:56.046 Just knowing that it will just go to yet another ISP that won't have time to communicate 00:54:56.046 --> 00:54:59.012 with you or track it back or anything. 00:54:59.012 --> 00:55:00.014 >> Brian: Right, thank you. 00:55:00.014 --> 00:55:00.096 Jillian. 00:55:00.096 --> 00:55:03.002 >> Jillian: Sure, I'm just going to make my point again 00:55:03.002 --> 00:55:05.008 to the sort of smaller organizations. 
00:55:05.008 --> 00:55:09.073 I think that it's important for them to sort of assess beforehand, before this is even an issue, 00:55:09.073 --> 00:55:12.047 both what their risk is, if they can do that, 00:55:12.047 --> 00:55:16.011 as well as what their priorities are in the event of a DDoS attack. 00:55:16.011 --> 00:55:20.052 And so, for a lot of these organizations that I'm thinking of, I'm thinking of sort 00:55:20.052 --> 00:55:23.057 of the human rights sites in embattled countries. 00:55:23.057 --> 00:55:28.072 A lot of times their priority is just to stay up and to keep their content on the internet 00:55:28.072 --> 00:55:32.009 in the event of an attack and sometimes these attacks are coming during say, election periods, 00:55:32.009 --> 00:55:38.051 or periods of protest and so a lot of times what that means is choosing their host wisely, 00:55:38.051 --> 00:55:43.098 so we talked about that a little bit but knowing what their host can do to mitigate an attack, 00:55:43.098 --> 00:55:47.064 but also if they're high-risk, considering DDoS-resistant hosting 00:55:47.064 --> 00:55:49.066 or some programs that are starting to come up. 00:55:49.066 --> 00:55:53.085 Some of these are pretty cost prohibitive for smaller organizations but, there are a couple 00:55:53.085 --> 00:55:56.021 that are a little bit more affordable. 00:55:56.021 --> 00:55:57.044 One of them is called Virtual Road. 00:55:57.044 --> 00:56:02.034 It's hosted by the international-- I forget the acronym-- IMS-- 00:56:02.034 --> 00:56:04.094 forget that but based in Denmark. 00:56:04.094 --> 00:56:08.061 Another thing is to, you know really easy stuff, keep backups of your site. 00:56:08.061 --> 00:56:11.025 I know that seems so simple, but that's something that a lot 00:56:11.025 --> 00:56:15.055 of these sites are not thinking of and so when their site goes down, it goes down forever. 00:56:15.055 --> 00:56:17.072 And then another thing is just mirroring their site. 
00:56:17.072 --> 00:56:21.064 If we're talking about a site that's say in Iran that's going to come 00:56:21.064 --> 00:56:26.025 under attack during elections or something like that, you know making sure that that content is 00:56:26.025 --> 00:56:28.043 up somewhere else can be really important. 00:56:28.043 --> 00:56:32.027 You know URLs don't matter as much as they used to, thanks to social media. 00:56:32.027 --> 00:56:36.008 And so just making sure that that content is still up and available is a lot 00:56:36.008 --> 00:56:41.015 of times more important than actually immediately mitigating the attack. 00:56:41.015 --> 00:56:42.081 >> Brian: Jeff? 00:56:42.081 --> 00:56:46.048 >> Jeff: Real briefly, I would say in particular, if you have limited resources, 00:56:46.048 --> 00:56:49.061 figure out what your purpose in tracking back is. 00:56:49.061 --> 00:56:53.091 If there's a technical side of it and as smarter folks up here may appear to have explained it. 00:56:53.091 --> 00:56:58.049 It's very difficult to get to the end but let's say you get through all those hurdles 00:56:58.049 --> 00:57:03.012 and you find out where it's actually coming from, then you walk into a human problem. 00:57:03.012 --> 00:57:04.073 Do you really care what the motivation is? 00:57:04.073 --> 00:57:10.047 I mean, if your goal is to stay up, you may only want to track back far enough to be able 00:57:10.047 --> 00:57:15.097 to protect yourself and even if you get to the end, you know it's a bunch of computers sitting 00:57:15.097 --> 00:57:21.088 in country x, you'd have to get to those people to figure out is it a nation state act, 00:57:21.088 --> 00:57:24.084 is it a bunch of individuals, is it somehow loosely connected? 
00:57:24.084 --> 00:57:29.001 So the track back, you know I would say just from my perspective thinking about this 00:57:29.001 --> 00:57:32.075 when I was up on the hill, there is a techno side, but there's very much the political 00:57:32.075 --> 00:57:36.098 and security side and you get into human litigations there which are even harder 00:57:36.098 --> 00:57:41.076 to track back than some of the techno stuff. 00:57:41.076 --> 00:57:42.091 >> Brian: Thank you Jeff. 00:57:42.091 --> 00:57:45.036 Let me ask a slightly different question. 00:57:45.036 --> 00:57:51.095 When an attack is happening, does it matter what the targeted platform is from your perspective 00:57:51.095 --> 00:57:53.056 and how you react to it, how do you manage it? 00:57:53.056 --> 00:57:58.016 For example if it's an attack against the banks as we've been seeing recently, versus an attack, 00:57:58.016 --> 00:58:02.053 versus a social media site or a small-user site. 00:58:02.053 --> 00:58:07.074 Does the nature of the target affect the way you address the problem, 00:58:07.074 --> 00:58:08.094 try to mitigate the problem? 00:58:08.094 --> 00:58:12.014 Can you give us some dimension on that front? 00:58:12.014 --> 00:58:13.054 00:58:13.054 --> 00:58:16.004 Miguel, do you want to go first? 00:58:16.004 --> 00:58:17.047 >> Danny: Yeah, sure. 00:58:17.047 --> 00:58:20.091 Yeah so what I would say is that if you're trying to mitigate an attack, 00:58:20.091 --> 00:58:23.016 what you're really trying to do is preserve the availability 00:58:23.016 --> 00:58:24.065 of the services that you care about. 00:58:24.065 --> 00:58:29.003 And so you've really got to flip and say you know, I really want to scrub out the bad stuff 00:58:29.003 --> 00:58:30.087 and try and be able to absorb this attack. 
00:58:30.087 --> 00:58:34.078 One of the interesting things, when you see numbers thrown around on scale, frequency, 00:58:34.078 --> 00:58:39.006 duration, attack vectors, all those things, you might see a 10 gigabyte per second attack. 00:58:39.006 --> 00:58:45.008 Well what a 10 gigabytes per second attack is on a webserver or on a DNS server is very different. 00:58:45.008 --> 00:58:49.054 That means 10 gigabytes per second of transaction servicing capacity. 00:58:49.054 --> 00:58:54.024 Right, that's basically I've got to be able to process 10 gigabytes per second of DNS packets 00:58:54.024 --> 00:58:59.048 or of web-service packets or SSL packets or whatever the service is you're concerned with 00:58:59.048 --> 00:59:02.024 and that's the only way you can preserve the availability of that. 00:59:02.024 --> 00:59:05.053 So where it gets more and more complex, is when you have more state-based 00:59:05.053 --> 00:59:08.063 and more complex applications 00:59:08.063 --> 00:59:13.004 that more sophisticated attacks become problematic in that manner. 00:59:13.004 --> 00:59:18.016 So I think it absolutely depends on the attack vector. 00:59:18.016 --> 00:59:22.081 One of the challenges is that sort of commodity, off the shelf routers and firewalls 00:59:22.081 --> 00:59:25.043 and those things don't do application [inaudible] mitigation. 00:59:25.043 --> 00:59:27.014 They don't provide certain capabilities. 00:59:27.014 --> 00:59:30.053 On the other hand, for some services it may be simpler 00:59:30.053 --> 00:59:34.054 to simply absorb a high-rate per second attack 00:59:34.054 --> 00:59:38.032 or to just drop bad traffic that's not targeting a production service. 00:59:38.032 --> 00:59:42.005 So, yeah in short the answer is yes to your question, I think. 00:59:42.005 --> 00:59:44.007 >> Brian: Thank you, Miguel. 
00:59:44.007 --> 00:59:47.011 >> Miguel: Danny mentioned that the type of infrastructure 00:59:47.011 --> 00:59:50.009 that is being attacked matters, I absolutely agree. 00:59:50.009 --> 00:59:55.002 The type of organization that is being attacked also plays a factor potentially 00:59:55.002 --> 01:00:00.095 in how you're dealing with the problem of mitigating the attack. 01:00:00.095 --> 01:00:04.039 I think Jeff alluded to the fact earlier that there are attacks 01:00:04.039 --> 01:00:06.033 that are potentially, for example, extortion. 01:00:06.033 --> 01:00:11.077 There's activist-type attacks; I'll use the activists' example. 01:00:11.077 --> 01:00:15.017 These people that are protesting and attacking your site, 01:00:15.017 --> 01:00:21.001 they're most likely discussing it online, so they're congregating on Twitter, on Facebook, 01:00:21.001 --> 01:00:25.029 Pastebin, whatever site it is that they're using, to IRC, relay chat, 01:00:25.029 --> 01:00:31.098 you know internet relay chat rooms, they're discussing attack strategies there. 01:00:31.098 --> 01:00:36.071 So, what kind of an attack it is, and which organization is being attacked, 01:00:36.071 --> 01:00:42.009 it does matter because you do want to factor in how you're monitoring social media based 01:00:42.009 --> 01:00:48.091 on the particular attack because it can help you determine what it is that you need 01:00:48.091 --> 01:00:51.069 to do and what you need to focus on. 01:00:51.069 --> 01:00:52.098 01:00:52.098 --> 01:00:54.053 >> Brian: Anyone else? 01:00:54.053 --> 01:00:55.094 01:00:55.094 --> 01:00:58.055 Let me shift gears here. 01:00:58.055 --> 01:01:03.012 I think by now, hopefully we've got a fairly good picture of the dimensions 01:01:03.012 --> 01:01:06.088 of DDoS attacks both from website operator, 01:01:06.088 --> 01:01:10.086 individual user, service provider, civil society. 01:01:10.086 --> 01:01:13.067 It's an important problem. 
01:01:13.067 --> 01:01:16.041 It's a growing problem, there's no doubt about that. 01:01:16.041 --> 01:01:19.029 It gets bigger each year, it's a big cat and mouse game, 01:01:19.029 --> 01:01:23.000 we have a hard time identifying the bad guys, tracking them down, 01:01:23.000 --> 01:01:25.081 stopping them from doing what they're doing. 01:01:25.081 --> 01:01:27.078 Who should fix this problem? 01:01:27.078 --> 01:01:29.067 01:01:29.067 --> 01:01:35.006 Private sector, government, how do we fix this problem? 01:01:35.006 --> 01:01:39.022 Collaboration is important, we've heard that but it seems like it's a game 01:01:39.022 --> 01:01:41.056 that we're not necessarily winning. 01:01:41.056 --> 01:01:43.003 Anyone want to take that on? 01:01:43.003 --> 01:01:45.006 Pros and cons, Damian? 01:01:45.006 --> 01:01:46.069 01:01:46.069 --> 01:01:48.043 >> Damian: I'll start off the discussion. 01:01:48.043 --> 01:01:55.085 So I think a lot of the difficulty we have is that nobody feels actually responsible 01:01:55.085 --> 01:02:01.042 so the attacks are often being sourced from compromised machines 01:02:01.042 --> 01:02:04.031 and people are saying well it's not my fault, my machine is compromised. 01:02:04.031 --> 01:02:09.031 You know they don't know it, it's an end user, they don't actually know how 01:02:09.031 --> 01:02:12.057 to secure their machine, they're not even aware 01:02:12.057 --> 01:02:16.027 that their machine is participating in the attack. 01:02:16.027 --> 01:02:19.048 Then it goes from that machine through an ISP and the ISP says well, 01:02:19.048 --> 01:02:24.006 we're just providing network transit to our customers. 01:02:24.006 --> 01:02:26.089 We don't actually look at what that content is. 01:02:26.089 --> 01:02:32.024 And then it might go through multiple ISPs and eventually get to the victim 01:02:32.024 --> 01:02:37.011 who really doesn't have any choice but to just receive this traffic. 
01:02:37.011 --> 01:02:43.093 So I think the root issue here is to figure out who you would actually hold responsible 01:02:43.093 --> 01:02:48.069 for these attacks and then maybe figure out in what way they would be held responsible. 01:02:48.069 --> 01:02:52.005 You know clearly, we don't want to hold the home user responsible 01:02:52.005 --> 01:02:58.054 for an attack they weren't aware that they were committing, however, if we could inform them 01:02:58.054 --> 01:03:02.085 and they refuse to fix their machine, maybe after they've had that opportunity 01:03:02.085 --> 01:03:06.086 to fix their machine and they refuse to, or after we inform a hosting provider 01:03:06.086 --> 01:03:10.000 that has compromised webservers that are attacking you. 01:03:10.000 --> 01:03:13.057 If they don't fix those machines after a month and they're still attacking, 01:03:13.057 --> 01:03:16.026 maybe there should be some responsibility there. 01:03:16.026 --> 01:03:20.041 >> Brian: So that's an interesting thought Damian because you all do have terms of service 01:03:20.041 --> 01:03:24.011 and abuse policies that users agree to when they use your service, 01:03:24.011 --> 01:03:25.083 so that's an interesting thought. 01:03:25.083 --> 01:03:30.000 Jeff, I want to throw this to you and I know this is part of your past experience, 01:03:30.000 --> 01:03:34.085 but having been in the Senate and House Committee, can you bring a little bit 01:03:34.085 --> 01:03:37.016 of the government perspective to the question I asked 01:03:37.016 --> 01:03:40.009 of who should be fixing this problem and how? 01:03:40.009 --> 01:03:41.051 >> Jeff: So I guess I would step back 01:03:41.051 --> 01:03:47.047 and say that we can't define this problem as just DoS attacks. 01:03:47.047 --> 01:03:50.073 You know you phrase it as, it's not a game of winning, well, 01:03:50.073 --> 01:03:53.009 in my mind it's not a game that will ever end. 
01:03:53.009 --> 01:03:58.029 To the extent it's more of a constant race, how far ahead or behind are we 01:03:58.029 --> 01:04:02.035 of the people developing new ways to attack? 01:04:02.035 --> 01:04:08.003 And to my first point about, it's a broader problem, if someone has a computer 01:04:08.003 --> 01:04:12.094 that is being used as part of a botnet for a DDoS attack or something else, 01:04:12.094 --> 01:04:17.028 it's very likely that the folks who are on that computer could do a lot of other things 01:04:17.028 --> 01:04:21.045 with that computer or to that person's identity or steal their banking credentials, 01:04:21.045 --> 01:04:26.007 so it is a much broader problem and I think Damian made a good point, is everyone kind 01:04:26.007 --> 01:04:29.048 of pushes it back but at some level it needs to start 01:04:29.048 --> 01:04:34.081 with users taking more control over their computers. 01:04:34.081 --> 01:04:37.062 Not just looking at antivirus but broader protections. 01:04:37.062 --> 01:04:42.097 The government's role from my perspective and that's something that we worked 01:04:42.097 --> 01:04:47.003 on, the projects I worked on on the hill are much more critical infrastructure focused, 01:04:47.003 --> 01:04:51.043 but if it's true there, I think it's even more true with a much more commercial side. 01:04:51.043 --> 01:04:56.001 It's got to be private sector led and the government can play a role facilitating 01:04:56.001 --> 01:05:02.049 and educating and punishing and perhaps in some areas where there is significant possibility 01:05:02.049 --> 01:05:06.094 of major national impact requiring some standards, you're not going to do 01:05:06.094 --> 01:05:11.078 that for John Smith who has his computer at home, you're not going to say 01:05:11.078 --> 01:05:15.002 that there is a minimum security [inaudible] that you have to have 01:05:15.002 --> 01:05:17.083 in order to log into the internet. 
01:05:17.083 --> 01:05:19.085 Were you even to try that, it would never pass. 01:05:19.085 --> 01:05:24.001 But the government can play a significant role educating folks; 01:05:24.001 --> 01:05:29.013 simple things as patching whatever software applications you have, making it the easiest way 01:05:29.013 --> 01:05:30.028 for someone to get into your computer. 01:05:30.028 --> 01:05:33.095 The patch comes out, someone is out there trying to figure out what was patched 01:05:33.095 --> 01:05:36.046 and how can we take advantage of the people who don't patch. 01:05:36.046 --> 01:05:41.045 So the government, I think the role, sort of hopefully I'm answering the question. 01:05:41.045 --> 01:05:43.085 The role the government is going to play is going to depend on what you're talking about. 01:05:43.085 --> 01:05:46.061 If it's an attack on water, electrical, other systems the government is going 01:05:46.061 --> 01:05:49.071 to have a very active role, hopefully ahead of time, protecting 01:05:49.071 --> 01:05:51.089 and assisting in developing protections. 01:05:51.089 --> 01:05:55.032 The government will also have a role in the backend where possible prosecuting, 01:05:55.032 --> 01:05:57.069 investigating and that's where your earlier question 01:05:57.069 --> 01:06:00.087 about does it matter who is being attacked? 01:06:00.087 --> 01:06:04.001 Maybe it shouldn't, but the government is going to be much more focused when you have a series 01:06:04.001 --> 01:06:08.027 of major banks attacked, looking whether there's another type of attack going on 01:06:08.027 --> 01:06:11.076 or there are more laws that apply [inaudible] after that. 
01:06:11.076 --> 01:06:18.051 Then if it is, you're attacking someone's speech on block spy, so the government's role is going 01:06:18.051 --> 01:06:23.026 to vary, I think depending upon where you are but ultimately it can't be government led 01:06:23.026 --> 01:06:28.065 because it will end up being less effective and more [inaudible], in my view. 01:06:28.065 --> 01:06:29.068 >> Brian: Thank you. 01:06:29.068 --> 01:06:37.048 Let me ask for the service providers, you all run services that are globally accessible. 01:06:37.048 --> 01:06:43.087 You all have network footprints that are global to some extent. 01:06:43.087 --> 01:06:48.001 Specifically, engaging with law enforcement which I'm sure you do, 01:06:48.001 --> 01:06:53.061 you all work for law abiding companies who under the proper circumstances collaborate 01:06:53.061 --> 01:06:57.047 with law enforcement to address legitimate concerns. 01:06:57.047 --> 01:07:02.065 What are you seeing in your interactions with law enforcement 01:07:02.065 --> 01:07:05.084 that provides the good seeds for collaboration? 01:07:05.084 --> 01:07:09.062 What do you think might be missing in your interactions with law enforcement? 01:07:09.062 --> 01:07:13.044 I'd like the service providers to address that point. 01:07:13.044 --> 01:07:18.037 Who wants to go first, Ram? 01:07:18.037 --> 01:07:19.036 >> Ram: Let me start. 01:07:19.036 --> 01:07:24.039 One of the things that is striking in interactions with law enforcement, 01:07:24.039 --> 01:07:30.023 one of the fundamentals here is that this is essentially a borderless problem 01:07:30.023 --> 01:07:34.036 and law enforcement has a broader problem. 01:07:34.036 --> 01:07:34.095 >> Brian: Okay. 01:07:34.095 --> 01:07:38.045 >> Ram: Not a problem, they have to work 01:07:38.045 --> 01:07:41.055 within the jurisdictions of the borders that they're in. 
01:07:41.055 --> 01:07:46.005 So often when you're collaborating and working on uncovering, 01:07:46.005 --> 01:07:52.072 you know somebody is running a botnet that's got some significant problems behind it 01:07:52.072 --> 01:07:56.032 and if you start to do trace-backs, you'll find that the folks 01:07:56.032 --> 01:08:02.047 in law enforcement would rather work with you informally than formally 01:08:02.047 --> 01:08:10.093 because if they go formal, then you go through a method where you then have 01:08:10.093 --> 01:08:17.001 to involve every law enforcement agency at every border that is crossed on the internet. 01:08:17.001 --> 01:08:20.024 It's pretty damn easy to cross those borders. 01:08:20.024 --> 01:08:27.006 So, that's a, I think that's an essential thing and the real-world hasn't 01:08:27.006 --> 01:08:31.041 yet caught up to that reality online. 01:08:31.041 --> 01:08:39.035 That attacks come from multiple borders, from across multiple borders and they morph 01:08:39.035 --> 01:08:50.048 in real-time, depending what the response looks like, and so that's a very significant factor 01:08:50.048 --> 01:08:58.027 when we work for instance on, a year and a half ago, we worked on pulling together part 01:08:58.027 --> 01:09:06.055 of an industry or in a taskforce on child abuse set of sites that were focused on child abuse 01:09:06.055 --> 01:09:17.009 and they were using that to infect the computers of those who had the bad stuff on it 01:09:17.009 --> 01:09:19.099 to make them part of a zombie network. 01:09:19.099 --> 01:09:28.022 And it got very snarled up in various jurisdictions' legal restrictions, 01:09:28.022 --> 01:09:34.047 the necessity to preserve evidence, versus the imperative to solve the problem 01:09:34.047 --> 01:09:37.062 and make sure it doesn't become very large. 01:09:37.062 --> 01:09:38.097 >> Brian: Interesting. 01:09:38.097 --> 01:09:42.001 Anyone else, Danny? 
01:09:42.001 --> 01:09:44.099 >> Danny: Yeah so I'll point out again, some of the work that you know 01:09:44.099 --> 01:09:48.063 with public/private sector partnerships, I think that's so important. 01:09:48.063 --> 01:09:51.069 Certainly I don't think you're going to regulate your way out of this, right? 01:09:51.069 --> 01:09:58.001 From a controls perspective there are 869 things that I have to do in my day job just 01:09:58.001 --> 01:10:01.002 to check boxes and those make me marginally more secure, right, 01:10:01.002 --> 01:10:06.000 82% of IT security spend goes towards compliance and regulatory controls 01:10:06.000 --> 01:10:08.073 and then people try and get secure on top of that. 01:10:08.073 --> 01:10:13.088 Those sorts of things are like antivirus software and there's 10 new pieces 01:10:13.088 --> 01:10:17.075 of malcode a second on the internet, yet AV is a frontline defense 01:10:17.075 --> 01:10:23.072 to protect the residential user or maybe even a corporate machine, and so I think education 01:10:23.072 --> 01:10:28.065 of the threat vector, some of the very fundamental stuff like patching systems 01:10:28.065 --> 01:10:33.008 and software and collaboration and information sharing and putting these things in place. 01:10:33.008 --> 01:10:36.033 From a law enforcement perspective, I think that some 01:10:36.033 --> 01:10:40.054 of the most successful stuff we've seen involves multilateral teaming agreements 01:10:40.054 --> 01:10:44.009 and collaboration, those sorts of things where there is some coordination 01:10:44.009 --> 01:10:47.099 and some effort in trying to work together. 
01:10:47.099 --> 01:10:51.026 In general though, in particular with DDoS attacks we've always seen this sort 01:10:51.026 --> 01:10:56.054 of fragmented response where one ISP on the receiving end, or along the trajectory 01:10:56.054 --> 01:11:00.009 of an attack will drop all the traffic towards the destination and cause, 01:11:00.009 --> 01:11:02.033 you know effectively completing the attack for that network, 01:11:02.033 --> 01:11:08.051 and another one, security research, will infiltrate the command [inaudible] structure 01:11:08.051 --> 01:11:12.005 and law enforcement may be there and then someone will break one of their connections 01:11:12.005 --> 01:11:16.089 to the C&C infrastructure and all of a sudden, you can't even disable the attack 01:11:16.089 --> 01:11:20.029 because you've got all these headless machines out there that are attacking something 01:11:20.029 --> 01:11:23.018 and depending on where those systems reside and where they're coming from. 01:11:23.018 --> 01:11:28.033 I mean we've seen attacks with attack sources in 100s of countries 01:11:28.033 --> 01:11:30.021 and you're breaking lots of laws. 01:11:30.021 --> 01:11:36.006 I mean just if you were to try and disable an attack if you had the keys to the command 01:11:36.006 --> 01:11:39.023 and control infrastructure, that sort of thing. 01:11:39.023 --> 01:11:43.041 So it's really problematic and there needs to be a lot of collaboration and cooperation 01:11:43.041 --> 01:11:47.056 and I don't think regulation's the way, but I do think harmonizing and working 01:11:47.056 --> 01:11:52.001 on the international aspects and the information sharing and collaboration, you know those sort 01:11:52.001 --> 01:11:56.017 of things are the only way we're going to be in a better spot collectively. 01:11:56.017 --> 01:12:00.081 We're playing a lot of whack-a-mole today and I'm not sure it's effective. 
01:12:00.081 --> 01:12:05.066 >> Brian: Jillian, let me ask you, from your perspective, from a civil society perspective, 01:12:05.066 --> 01:12:11.003 what more should industry and government in their roles, be doing to address this? 01:12:11.003 --> 01:12:16.035 And what in their collaboration would you hope that they avoid? 01:12:16.035 --> 01:12:20.042 >> Jillian: So in terms of what more, I mean I think it's hard for me to say. 01:12:20.042 --> 01:12:24.097 I mean I think one of the problems here is that as others have mentioned, 01:12:24.097 --> 01:12:30.067 law enforcement is going after the folks who are going after the big targets. 01:12:30.067 --> 01:12:34.043 And I understand that, but it's not really ever going to help these smaller targets. 01:12:34.043 --> 01:12:38.055 I mean you don't see law enforcement going after the perpetrators of small attacks and a lot 01:12:38.055 --> 01:12:41.051 of the attacks that I'm looking at are happening in other countries 01:12:41.051 --> 01:12:44.001 where sometimes the perpetrators are in other countries 01:12:44.001 --> 01:12:49.003 and so from my perspective I'm not thinking so much about U.S. law enforcement, 01:12:49.003 --> 01:12:53.065 but in terms of what people can be doing more about and what they should avoid. 01:12:53.065 --> 01:13:01.007 I think that a lot of it is about raising awareness as folks at the other end 01:13:01.007 --> 01:13:05.039 of the table said in the beginning, I think that making people aware, 01:13:05.039 --> 01:13:09.055 not only of what might be going on in their own systems that they can avoid becoming part 01:13:09.055 --> 01:13:17.072 of a botnet, but also what they can be doing as individuals and as organizations 01:13:17.072 --> 01:13:21.066 to mitigate the potential of DDoS attacks. 01:13:21.066 --> 01:13:24.087 And then as far as industry, I think adding that layer 01:13:24.087 --> 01:13:26.096 of civil society is really important as well. 
01:13:26.096 --> 01:13:32.058 Making sure that industry is collaborating with civil society to make more 01:13:32.058 --> 01:13:37.002 of these systems available to the smaller user would be great. 01:13:37.002 --> 01:13:42.012 And as far as what law enforcement should avoid, I think a lot of it 01:13:42.012 --> 01:13:47.028 for me is addressing whether DDoS attacks are a useful form of civil disobedience. 01:13:47.028 --> 01:13:51.005 I think it kind of comes down to that and my personal opinion, this is really not the view 01:13:51.005 --> 01:13:53.079 of my organization which does not have a stated view on this, 01:13:53.079 --> 01:13:59.042 but it's just that I don't think it's a particularly useful form of civil disobedience. 01:13:59.042 --> 01:14:04.025 I think that in the United States we have many other paths of recourse to protest 01:14:04.025 --> 01:14:07.045 and then I think that when you look at the example like I gave before, 01:14:07.045 --> 01:14:11.079 attacks against Syrian government websites, it's a bit of a different thing. 01:14:11.079 --> 01:14:19.063 But nonetheless, I think that the effect of these attacks on smaller websites is so great 01:14:19.063 --> 01:14:22.042 that we should really sort of try to look at the whole picture 01:14:22.042 --> 01:14:25.001 and realize how much damage this is doing. 01:14:25.001 --> 01:14:29.049 And so I guess in thinking about that, I think that that should also sort of inform 01:14:29.049 --> 01:14:31.074 where we think about law enforcement. 01:14:31.074 --> 01:14:32.006 >> Brian: Thank you. 01:14:32.006 --> 01:14:32.026 Danny [inaudible]? 01:14:32.026 --> 01:14:35.054 >> Danny: Yeah I just wanted to make one other comment, something she touched 01:14:35.054 --> 01:14:39.005 on which I think is really actually is, one of the things we see a lot 01:14:39.005 --> 01:14:42.009 of is the internet itself is inherently multi-tenant. 
01:14:42.009 --> 01:14:47.049 And then you see a lot of, in particular a lot of the smaller folks can aggregate 01:14:47.049 --> 01:14:50.092 and there are these really high tenant densities on certain pieces of infrastructure 01:14:50.092 --> 01:14:55.077 and what ends up happening is that someone on the infrastructure gets attacked 01:14:55.077 --> 01:14:58.033 and there's a lot of collateral damage that everybody is impacted. 01:14:58.033 --> 01:15:01.099 Or a really large attack along a trajectory fills some links 01:15:01.099 --> 01:15:06.049 and not only is the intended target impacted but there's collateral damage to other people 01:15:06.049 --> 01:15:07.078 that utilize that infrastructure. 01:15:07.078 --> 01:15:15.046 And most of the attacks that the folks have been on the receiving end of seeing is that it's hard 01:15:15.046 --> 01:15:20.042 for an attacker to gauge how much firepower they actually have and to surgically attack a target 01:15:20.042 --> 01:15:26.000 with a DDoS attack on the internet, usually they sort of brute-force flood a whole bunch of traffic 01:15:26.000 --> 01:15:29.069 of a particular type and there is collateral damage in that. 01:15:29.069 --> 01:15:32.087 And that's an important artifact that you're highlighting there 01:15:32.087 --> 01:15:36.046 and if you have high-tenant densities on cloud infrastructure 01:15:36.046 --> 01:15:43.016 or lots of people behind small links then it does have a really devastating impact 01:15:43.016 --> 01:15:46.078 and not just on the target, but maybe on other people that utilize that infrastructure. 01:15:46.078 --> 01:15:49.026 And so I think that's an important highlight. 01:15:49.026 --> 01:15:50.048 >> Brian: Thank you. 01:15:50.048 --> 01:15:51.023 Damian? 01:15:51.023 --> 01:15:55.042 >> Damian: Yeah just to follow-up on that, Jillian had mentioned 01:15:55.042 --> 01:15:59.005 that law enforcement doesn't go after the very small attacks. 
01:15:59.005 --> 01:16:00.071 They tend to focus on the large attacks. 01:16:00.071 --> 01:16:04.019 But I do see the large attacks as the most damaging, 01:16:04.019 --> 01:16:09.001 largely because of what Danny said of, it causes collateral damage. 01:16:09.001 --> 01:16:12.051 If there's collateral damage on other sites that they have no other way to mitigate, 01:16:12.051 --> 01:16:15.034 they will kill the small victim, they'll completely attack 01:16:15.034 --> 01:16:17.053 by just turning off everything to that site. 01:16:17.053 --> 01:16:23.035 So by basically preventing any very large attacks by having law enforcement focus 01:16:23.035 --> 01:16:28.091 on those we at least give the smaller sites a chance of getting some DDoS mitigation service 01:16:28.091 --> 01:16:35.045 to help them and basically that boundary is probably around 10 gigabyte. 01:16:35.045 --> 01:16:41.047 You know once you get up over 100 gig, there's very few organizations that are going to be able 01:16:41.047 --> 01:16:45.018 to help and most are just going to turn off the site. 01:16:45.018 --> 01:16:49.082 >> Brian: So right now on this issue, it's the rule of the submarine captain 01:16:49.082 --> 01:16:54.022 that if the compartment is flooding, and there are sailors in there, shut it off to save the rest. 01:16:54.022 --> 01:16:55.003 And that's where we are. 01:16:55.003 --> 01:16:59.097 So, this is interesting and I think we've all been very polite so far, 01:16:59.097 --> 01:17:03.085 so allow me to play devil's advocate and put your feet to the fire a little bit folks. 01:17:03.085 --> 01:17:09.003 So what I'm hearing at a high level to pull some threads together, is there is some coordination 01:17:09.003 --> 01:17:14.094 across law enforcement which is key to this solution in collaboration, 01:17:14.094 --> 01:17:17.023 but it's not nearly what it needs to be. 
01:17:17.023 --> 01:17:21.037 It itself is a barrier to our ability, at least in the industry, 01:17:21.037 --> 01:17:24.013 to work on these problems with law enforcement. 01:17:24.013 --> 01:17:28.005 We're hearing that there is some collaboration across network operators but not as good 01:17:28.005 --> 01:17:32.075 as it needs to be all the way up and down the stream. 01:17:32.075 --> 01:17:40.039 And some lack of sense of responsibility coloring that part of the puzzle. 01:17:40.039 --> 01:17:46.084 We all in this industry trumpet the fact that the internet is critical global infrastructure. 01:17:46.084 --> 01:17:51.061 We all in this industry trumpet the fact that the infrastructure of nations 01:17:51.061 --> 01:17:58.086 of countries have come to rely on the internet, banking systems, electric grids soon, 01:17:58.086 --> 01:18:04.057 governments have a clear interest in this critical infrastructure and if I listen to all 01:18:04.057 --> 01:18:07.057 of this and piece together, I could come at this from, 01:18:07.057 --> 01:18:11.046 this is a fiddling while Rome burns dynamic going on between industry 01:18:11.046 --> 01:18:14.001 and governments and civil society. 01:18:14.001 --> 01:18:20.037 So, putting your feet back to the fire, what needs to happen in terms of collaboration, 01:18:20.037 --> 01:18:27.065 in concrete terms to break through at the industry level, at the government level 01:18:27.065 --> 01:18:31.007 and across those levels and with the civil society perspective. 01:18:31.007 --> 01:18:32.000 Let's get to it. 01:18:32.000 --> 01:18:37.094 Who wants to take it on? 01:18:37.094 --> 01:18:38.011 Pause. 01:18:38.011 --> 01:18:39.061 >> Ram: Sure I'll jump on the grenade. 01:18:39.061 --> 01:18:47.051 Look I think everyone who is here and everyone who is up here is not part of the problem. 
01:18:47.051 --> 01:18:51.008 When you take it to the global level of the impact on society 01:18:51.008 --> 01:18:56.064 and the fiddling while Rome burns and the implication that there's an existential or close 01:18:56.064 --> 01:19:03.054 to a threat to us, everyone up here and I assume because you're here, you all get it. 01:19:03.054 --> 01:19:08.066 The problem we have are the sectors that you mentioned that use technology 01:19:08.066 --> 01:19:15.049 but are not technology sectors and going back to my government experiences, often, not always 01:19:15.049 --> 01:19:23.001 but often, the difficulty in those sectors to get nontechnical executives to spend the money 01:19:23.001 --> 01:19:26.073 or the time to put in place the protections. 01:19:26.073 --> 01:19:33.006 You know Danny, I thought talked earlier about the need for a mitigation plan in place. 01:19:33.006 --> 01:19:36.092 If you're under a major denial of service attack and you're then figuring oh, 01:19:36.092 --> 01:19:38.062 how do I deal with a denial of service attack? 01:19:38.062 --> 01:19:45.047 You're toast, you need to have things in place ahead of time and that's where going back 01:19:45.047 --> 01:19:49.037 to the question about where the government can play a role, my personal view 01:19:49.037 --> 01:19:52.007 and what we were trying to do on the Hill was create an environment 01:19:52.007 --> 01:19:58.013 where the truly critical infrastructure systems are required 01:19:58.013 --> 01:20:00.017 to meet some base-level of security. 01:20:00.017 --> 01:20:04.045 Not technology specific but more if you're talking about computers 01:20:04.045 --> 01:20:07.083 that control big machines, water pumps, electric grids, 01:20:07.083 --> 01:20:09.086 those shouldn't be connected to the internet. 01:20:09.086 --> 01:20:11.013 A lot of them are. 
01:20:11.013 --> 01:20:17.091 Some of them are connected with open connections using default passwords available through, 01:20:17.091 --> 01:20:19.083 no offense, Google searches. 01:20:19.083 --> 01:20:26.046 So, what needs to happen, I think is some impetus, some general understanding of the type 01:20:26.046 --> 01:20:33.071 of threat that the country faces both in the digital realm and in the physical realm. 01:20:33.071 --> 01:20:40.074 But again, I think going back to what I said earlier a lot of it starts with the individual 01:20:40.074 --> 01:20:45.013 and I used to be very skeptical as to whether we could actually get most people 01:20:45.013 --> 01:20:50.029 to do basic hygiene things on their computer and then one of the things that we also covered, 01:20:50.029 --> 01:20:54.057 the committee worked on was swine flu and as soon as Big Bird told everyone to cough 01:20:54.057 --> 01:20:58.085 into their elbows, you have a vast majority of Americans, you see people coughing 01:20:58.085 --> 01:21:00.001 or sneezing into their elbows now. 01:21:00.001 --> 01:21:04.058 We change behavior very quickly and I think there can be an education campaign 01:21:04.058 --> 01:21:11.038 that could change enough behavior to help stop the problem, but without some type of push, 01:21:11.038 --> 01:21:14.089 I think that we're all going to keep trying to do what we can, 01:21:14.089 --> 01:21:18.016 but the people who need to make the changes may not. 01:21:18.016 --> 01:21:20.008 >> Brian: Ram, thank you. 01:21:20.008 --> 01:21:25.083 >> Miguel: Thank you, so I'm a bit of a skeptic on these push-measures. 01:21:25.083 --> 01:21:31.014 Folks do push-measures, governments do push-measures all the time and decades go by 01:21:31.014 --> 01:21:35.036 and the basic problems don't get resolved. 01:21:35.036 --> 01:21:38.084 One thing that does seem to work is events. 01:21:38.084 --> 01:21:40.093 Events result in consequences. 
01:21:40.093 --> 01:21:47.076 Michelangelo, the virus, got people to install antivirus software, Y2K got people to focus 01:21:47.076 --> 01:21:53.081 on mitigation measures, 9/11 caused a series of responses 01:21:53.081 --> 01:21:58.038 and the Georgian Cyber War caused another set of responses. 01:21:58.038 --> 01:22:04.063 We don't really have a global cyber event, I'm not asking for one, but I'm just saying 01:22:04.063 --> 01:22:09.068 that if you just look at human behavior and you want to affect human behavior and you want 01:22:09.068 --> 01:22:15.035 to get individuals, governments, civil society, public sector, everybody together 01:22:15.035 --> 01:22:22.027 and the private sector together, you need to have something to unify around. 01:22:22.027 --> 01:22:30.028 The threat today doesn't feel real to me until I get attacked and if my friend got attacked, 01:22:30.028 --> 01:22:33.099 I kind of have some sympathy about it but I kind of shrug my shoulders 01:22:33.099 --> 01:22:36.024 and say, "Ain't going to happen to me." 01:22:36.024 --> 01:22:43.059 And there is not the unifying sense of impending doom. 01:22:43.059 --> 01:22:48.083 >> Danny: Can I just, I agree with everything Ram said from the skepticism to the kind 01:22:48.083 --> 01:22:53.069 of work I was also trying to do, the need for an event, and we would tell a lot 01:22:53.069 --> 01:22:58.001 of the skeptics who came in is, look you have Congress trying to act proactively. 01:22:58.001 --> 01:23:01.077 It may not fix everything now but when something happens there will be better systems 01:23:01.077 --> 01:23:03.002 in place to respond to it. 
01:23:03.002 --> 01:23:06.044 But more importantly, you want government to act proactively 01:23:06.044 --> 01:23:11.008 because when government acts reactively, it acts stupidly and that's why there is a strong effort 01:23:11.008 --> 01:23:17.034 to get some type of performance-based, non-technology-specific standards 01:23:17.034 --> 01:23:21.006 that are limited to really critical stuff in place, so hopefully some things will improve 01:23:21.006 --> 01:23:25.098 and if something happens, we have the framework that is not so regimented that the attempt 01:23:25.098 --> 01:23:28.002 to fix the problem actually enhances it. 01:23:28.002 --> 01:23:32.061 But I'm ultimately, because I'm a cynic I don't think we're going to do anything 01:23:32.061 --> 01:23:39.001 until we have something blow up and that's unfortunate to say the least. 01:23:39.001 --> 01:23:41.044 >> Brian: Danny, oh Damian thank you. 01:23:41.044 --> 01:23:47.058 >> Damian: Sure, yes I also sort of agree with the cyber event being needed. 01:23:47.058 --> 01:23:56.006 Not needed but, [Laughter] if you look at history, we've seen that there's 01:23:56.006 --> 01:24:00.042 like an email worm or virus that comes out approximately once every 6 months 01:24:00.042 --> 01:24:04.054 because that's how long it takes people to forget and start being stupid again. 01:24:04.054 --> 01:24:07.033 And you know click on everything they see but, 01:24:07.033 --> 01:24:09.051 you know once every 6 months everyone gets infected, 01:24:09.051 --> 01:24:11.055 everyone is like oh yeah, I shouldn't do that. 01:24:11.055 --> 01:24:13.061 Fortunately no major damage has been caused. 01:24:13.061 --> 01:24:17.075 Nobody has ever actually-- there haven't been any large-scale cases 01:24:17.075 --> 01:24:19.034 where people have lost data. 01:24:19.034 --> 01:24:24.004 I see this as very similar to how diseases spread. 
01:24:24.004 --> 01:24:28.088 If you killed the person instantly, like if someone gets infected 01:24:28.088 --> 01:24:32.021 and you format their hard drive right away, they don't have time to spread. 01:24:32.021 --> 01:24:36.068 They don't have time to pass it on to others and so most of the malware that we've seen 01:24:36.068 --> 01:24:39.022 so far has been fairly benign and that allows it to spread, 01:24:39.022 --> 01:24:41.087 but it also means it doesn't cause much damage. 01:24:41.087 --> 01:24:47.079 I also wanted to say, I think right now laws largely favor the attacker. 01:24:47.079 --> 01:24:54.023 There's a lot of constraints on information sharing, all of the jurisdiction issues, 01:24:54.023 --> 01:24:59.004 and that also means that there's a very slow response. 01:24:59.004 --> 01:25:04.035 If somebody goes to law enforcement, law enforcement might have to sit on it for weeks 01:25:04.035 --> 01:25:07.086 or months before they can actually take action against the attacker, 01:25:07.086 --> 01:25:09.057 if they can even get to the attacker. 01:25:09.057 --> 01:25:15.041 So, some things might need to change in laws to allow the defenders 01:25:15.041 --> 01:25:19.033 to keep up with the pace of the attacks. 01:25:19.033 --> 01:25:23.002 And it's also important to note, you know sometimes the attacker would actually know how 01:25:23.002 --> 01:25:28.005 to shut down the attack, it's just they're not legally able to and so there are a lot 01:25:28.005 --> 01:25:32.001 of inherent delays in the system. 01:25:32.001 --> 01:25:32.085 >> Brian: Thank you, Miguel. 01:25:32.085 --> 01:25:35.022 >> Miguel: Just adding to that, it's worth noting that there's 01:25:35.022 --> 01:25:39.013 such a stigma associated with security incidents. 01:25:39.013 --> 01:25:43.066 Organizations are very unwilling to admit that something has happened. 01:25:43.066 --> 01:25:45.085 They don't want to admit so publicly. 
01:25:45.085 --> 01:25:52.047 They really, they don't want to collaborate and to be effective, a lot of operators have 01:25:52.047 --> 01:25:55.006 to work, as I mentioned earlier, they have to work through back-channels, 01:25:55.006 --> 01:25:59.073 people they know where the person that you're potentially collaborating 01:25:59.073 --> 01:26:08.047 with would probably get slapped if other people were aware of this collaboration taking place. 01:26:08.047 --> 01:26:15.021 So, that needs to get formalized, potentially more formal protocols 01:26:15.021 --> 01:26:17.029 for collaboration need to be developed. 01:26:17.029 --> 01:26:24.043 And from an international perspective, governments need to do a better job at. 01:26:24.043 --> 01:26:28.029 They haven't caught up to the fact that this is a big issue. 01:26:28.029 --> 01:26:35.008 So, some examples where we, as an operator, we're seeing attacks happening 01:26:35.008 --> 01:26:41.075 on small government websites, Syria as an example, and you actually want 01:26:41.075 --> 01:26:45.088 to lend your resources and expertise to help these people, 01:26:45.088 --> 01:26:50.061 but because of their own roadblocks, legislation, 01:26:50.061 --> 01:26:55.002 etcetera they actually can't receive the help 01:26:55.002 --> 01:26:57.043 that you are potentially looking at offering them. 01:26:57.043 --> 01:27:04.006 So we've been in situations where we've seen protest attacks during elections, 01:27:04.006 --> 01:27:09.017 for example in smaller countries, and we are willing to help them but then, 01:27:09.017 --> 01:27:13.064 these governments have restrictions on where their data is etcetera while 01:27:13.064 --> 01:27:16.088 at the same time they don't have the infrastructure to deal 01:27:16.088 --> 01:27:21.062 with this problem themselves, but they're handcuffing themselves, so all of that has 01:27:21.062 --> 01:27:24.003 to change for us to be able to be more effective. 
01:27:24.003 --> 01:27:25.022 >> Brian: Danny? 01:27:25.022 --> 01:27:30.083 >> Danny: Yeah I think some of this is sort of the tragedy of the commons sort of thing, 01:27:30.083 --> 01:27:32.057 the sheep on the commons I guess if you will. 01:27:32.057 --> 01:27:36.013 And what's the impact on me or the investment on me? 01:27:36.013 --> 01:27:41.044 Actually the Internet Security Alliance did something not long ago called a CFO's Guide 01:27:41.044 --> 01:27:45.064 to Cyber Risk and in that document they introduced the notion of a digital immigrant 01:27:45.064 --> 01:27:52.033 and they're talking about someone that didn't grow up a digital native or wasn't prolific 01:27:52.033 --> 01:27:56.009 with electronic devices and the internet and the capabilities of those 01:27:56.009 --> 01:27:59.013 and they were discussing how in many places, 01:27:59.013 --> 01:28:02.026 they're the ones that control the purse strings or control the investments. 01:28:02.026 --> 01:28:06.006 Like people don't have problems investing in fire suppression systems but if you ask about a, 01:28:06.006 --> 01:28:09.064 DDoS mitigation capability, well nobody is going to invest in that 01:28:09.064 --> 01:28:14.022 until they've been attacked right, or unless you're a very savvy organization 01:28:14.022 --> 01:28:16.017 or have a lot of the right folks that do that. 01:28:16.017 --> 01:28:21.052 And then people even question those investments after a long time of not being attacked. 01:28:21.052 --> 01:28:27.044 So I think definitely looking at what enables your business again or whatever size business, 01:28:27.044 --> 01:28:30.024 because it's all relative right, I mean we've seen things 01:28:30.024 --> 01:28:34.001 from animal rights activists attacking zoos, 01:28:34.001 --> 01:28:42.022 to Jersy Joe's, a local sports memorabilia store, being attacked by a guy across the street 01:28:42.022 --> 01:28:44.034 for a gold watch and a pair of tennis shoes. 
01:28:44.034 --> 01:28:46.071 And that's a decade old, right? 01:28:46.071 --> 01:28:49.089 And so, I think understanding what the impact of these things are 01:28:49.089 --> 01:28:51.059 in your business is extremely important. 01:28:51.059 --> 01:28:56.034 I think understanding the constraints today as well, this is a global problem. 01:28:56.034 --> 01:29:02.068 The internet is a loosely interconnected network of networks and largely provides any kind 01:29:02.068 --> 01:29:04.025 of activity and that's a fantastic thing. 01:29:04.025 --> 01:29:08.046 You know the fact that you can launch a DDoS attack might be considered a success 01:29:08.046 --> 01:29:12.095 of that substrate or that infrastructure, right I don't know. 01:29:12.095 --> 01:29:17.086 And so you certainly don't want to over-pivot either and compromise privacy, 01:29:17.086 --> 01:29:22.097 you're a regulator, put controls in place that might impact that global platform. 01:29:22.097 --> 01:29:28.047 That's something important as well, so I think that's why industry partnership, 01:29:28.047 --> 01:29:32.062 private sector with halook and things like information sharing and saying look, 01:29:32.062 --> 01:29:36.006 these things are impacting real people, real organizations 01:29:36.006 --> 01:29:40.091 and law enforcement government needs to go after that and accommodate those as appropriate. 01:29:40.091 --> 01:29:44.007 But at the same time, I think we do have to be careful about over-pivoting as well. 01:29:44.007 --> 01:29:47.007 >> Brian: Thanks, Jillian. 01:29:49.029 --> 01:29:53.029 >> Jillian: Sure, you know I think I'll just give the civil society perspective on what we can 01:29:53.029 --> 01:29:54.002 be doing better. 
01:29:54.002 --> 01:29:59.035 For example, my organization has come under several DDoS attacks at different points 01:29:59.035 --> 01:30:04.073 and we do have a big enough team in place to try to mitigate those pretty quickly 01:30:04.073 --> 01:30:06.007 and we've mostly been able to do that successfully. 01:30:06.007 --> 01:30:11.083 But I think there's actually a pretty strong lack of information sharing 01:30:11.083 --> 01:30:15.082 across my type of NGO or NGOs in general. 01:30:15.082 --> 01:30:18.048 I'll give you an example of this, and I don't mean to pick on this group, 01:30:18.048 --> 01:30:21.007 but I think it's a perfect and quite public example. 01:30:21.007 --> 01:30:25.053 Avaaz, which I'm sure you're familiar with, a few months back they came under DDoS attack 01:30:25.053 --> 01:30:29.067 and their first reaction was to send a message out to their members asking for donations. 01:30:29.067 --> 01:30:33.068 But what they didn't do is they didn't share any of the details of the attack, 01:30:33.068 --> 01:30:35.066 not that they necessarily needed to publicly 01:30:35.066 --> 01:30:38.063 but they actually straight-up refused to share the details. 01:30:38.063 --> 01:30:42.066 We have a group of technologists who had been asking for that information and I think 01:30:42.066 --> 01:30:46.015 that sometimes that information is actually quite helpful for organizations to share 01:30:46.015 --> 01:30:50.007 with each other so that we can understand what type of attacks our allies 01:30:50.007 --> 01:30:55.052 and friends are coming under and therefore what types of attacks we might be at greater risk of. 01:30:55.052 --> 01:30:59.098 And so I think that that's a really good example of how not to respond. 
01:30:59.098 --> 01:31:07.015 In the end they still didn't want to share, and we said okay, fine but I think that just sort 01:31:07.015 --> 01:31:10.076 of going and asking for donations and not kind of collaborating 01:31:10.076 --> 01:31:14.052 with other civil society organizations is not a particularly helpful way of responding 01:31:14.052 --> 01:31:18.099 and we'd be much better off if we were clearer with each other. 01:31:18.099 --> 01:31:19.066 >> Brian: Thank you. 01:31:19.066 --> 01:31:21.033 So thank you for that. 01:31:21.033 --> 01:31:23.016 I'm going to draw this part to a close. 01:31:23.016 --> 01:31:27.087 Some takeaways for me in the last round of questions is 01:31:27.087 --> 01:31:32.017 that clearly there are some structural barriers to the level of collaboration 01:31:32.017 --> 01:31:35.056 that everyone seems to believe is important to addressing the problem, 01:31:35.056 --> 01:31:39.032 both at the government level, and at the operator level. 01:31:39.032 --> 01:31:46.002 I guess the understanding at senior management level that investments in the security aspect 01:31:46.002 --> 01:31:49.054 of their business are as critical as any other to their business 01:31:49.054 --> 01:31:51.075 and have to be central to their planning. 01:31:51.075 --> 01:31:56.021 And at the government level, clearly existing legislative structures 01:31:56.021 --> 01:32:01.082 and collaborative barriers between governments need to be broken down if we can get 01:32:01.082 --> 01:32:04.046 to the place where we can be more aggressively 01:32:04.046 --> 01:32:06.099 and effectively collaborating to address the problem. 01:32:06.099 --> 01:32:11.006 So, we all knew that we weren't going to solve this problem with today's panel and I want 01:32:11.006 --> 01:32:15.011 to thank you all for giving us a lot to think about and those are some 01:32:15.011 --> 01:32:18.028 of the takeaways that I've gotten for myself. 
01:32:18.028 --> 01:32:26.066 So now, let's take a breath and for the next 35 minutes or so, try to have a little bit of fun, 01:32:26.066 --> 01:32:30.064 make it a little bit more dynamic for the panelists by running through a scenario 01:32:30.064 --> 01:32:34.045 and then we'll have 30 minutes at the end where we want to hear Q&A again from folks 01:32:34.045 --> 01:32:36.057 in the room and from the folks online. 01:32:36.057 --> 01:32:41.011 So, shift your mindset now on the panel, we're going to walk 01:32:41.011 --> 01:32:44.073 through a scenario of a DDoS attack. 01:32:44.073 --> 01:32:49.097 What I'd like you to think about is what your specific role would be 01:32:49.097 --> 01:32:55.091 within the scenario and how would you react? 01:32:55.091 --> 01:33:02.009 What would be the things that would be important to you in addressing your part of the problem? 01:33:02.009 --> 01:33:04.059 There's a clear understanding and appreciation for the fact 01:33:04.059 --> 01:33:10.038 that good security also means not divulging all of your good effective practices. 01:33:10.038 --> 01:33:14.013 So I'm not asking you to say anything that you wouldn't want to say publicly. 01:33:14.013 --> 01:33:15.068 Let's get that clear. 01:33:15.068 --> 01:33:20.047 But I want you to take this on as a real-time event and then in your proper role, 01:33:20.047 --> 01:33:24.097 tell the audience what's important to you, what do you need, and in a direction 01:33:24.097 --> 01:33:31.062 of how would you see or design a best practices reaction to this scenario. 01:33:31.062 --> 01:33:34.003 So let's start this part of the program. 01:33:34.003 --> 01:33:39.006 So the scenario we've developed is as follows. 01:33:39.006 --> 01:33:45.086 The citizens of small country A, let's call it the Kingdom of Genovia, 01:33:45.086 --> 01:33:48.084 my 14-year-old daughter insisted that I do that. 
01:33:48.084 --> 01:33:54.011 Kingdom of Genovia has been criticizing an economic embargo put in place 01:33:54.011 --> 01:34:04.045 by a regional hegemon, let's call it Mordor, against its neighbor, a small country Gilder. 01:34:04.045 --> 01:34:10.009 The citizens of Genovia who have a long standing alliance with Gilder are very upset 01:34:10.009 --> 01:34:12.079 about Mordor's embargo against Gilder. 01:34:12.079 --> 01:34:17.015 Condemnations include mass rallies as well 01:34:17.015 --> 01:34:22.024 as increasingly critical posts on blogs and social media sites. 01:34:22.024 --> 01:34:27.007 While the government of Genovia itself shows no public support for the protestors, 01:34:27.007 --> 01:34:31.013 neither does it criticize them for exercising their freedom of expression rights, 01:34:31.013 --> 01:34:35.002 fueling speculation that it actually condones the protests 01:34:35.002 --> 01:34:38.099 and may even be behind some of them. 01:34:38.099 --> 01:34:43.018 Large-scale DDoS attacks begin against Genovia. 01:34:43.018 --> 01:34:46.089 They are aimed primarily at the social media sites posting the criticisms 01:34:46.089 --> 01:34:50.072 but also at Genovia's financial sector. 01:34:50.072 --> 01:34:57.085 Researchers indicate that the attacks are coming from botnets of compromised end-user machines. 01:34:57.085 --> 01:35:03.057 The financial attacks are perceived to be an attempt to weaken Genovia's economy 01:35:03.057 --> 01:35:08.007 because the core issue, after all is an embargo and that the financial sector has shown itself 01:35:08.007 --> 01:35:14.066 to be susceptible to other kinds of security incidents and breaches. 01:35:14.066 --> 01:35:19.048 Traces show the attacks originating primarily in Mordor. 01:35:19.048 --> 01:35:23.091 Some of which could be locations under government control. 01:35:23.091 --> 01:35:27.049 Some however, appear to come from unrelated countries. 
01:35:27.049 --> 01:35:31.002 Mordor, predictably, denies any responsibility. 01:35:31.002 --> 01:35:37.003 With those facts, in your respective roles and responsibilities, 01:35:37.003 --> 01:35:42.069 start off with what's important to you in your given role and then we'll move 01:35:42.069 --> 01:35:44.041 on to what actions you might take. 01:35:44.041 --> 01:35:50.093 Jeff, do you want to tee it up? 01:35:50.093 --> 01:35:56.032 >> Jeff: I guess the first thing, you know I'm being the least technical guy up here I think, 01:35:56.032 --> 01:36:03.098 you're going to want to really figure out, you know you talked about the attacks originating 01:36:03.098 --> 01:36:08.098 from Mordor, but does that mean the command and control is there? 01:36:08.098 --> 01:36:11.002 Are the machines all over the place? 01:36:11.002 --> 01:36:18.019 If you're going to respond, you need to figure out first what is your first goal in responding? 01:36:18.019 --> 01:36:21.038 Are you going to try to stabilize your systems or are you going to try 01:36:21.038 --> 01:36:26.022 to somehow get attribution and then seek retribution? 01:36:26.022 --> 01:36:33.015 So, I guess my first counsel would be look at what you have in place to respond and figure 01:36:33.015 --> 01:36:34.048 out what your ultimate goals are. 01:36:34.048 --> 01:36:37.089 You need to know what you're driving at so you're not wasting resources, 01:36:37.089 --> 01:36:47.059 pursuing answers to questions that don't help you achieve your ultimate goal. 01:36:47.059 --> 01:36:50.009 >> Brian: Thank you, Ram. 01:36:50.009 --> 01:36:51.075 >> Ram: Four things. 01:36:51.075 --> 01:36:55.094 One, get contact lists together because you know people 01:36:55.094 --> 01:36:58.089 but there are other people involved here, so you've got to get that. 01:36:58.089 --> 01:37:01.089 That's in some ways the top thing. 01:37:01.089 --> 01:37:04.065 Second is to set up an analysis framework. 
01:37:04.065 --> 01:37:13.019 Once you identify the scope of the problem, then you need a framework in which to actually work 01:37:13.019 --> 01:37:16.091 as new data comes in and you need a structure. 01:37:16.091 --> 01:37:19.069 So create a structure for it. 01:37:19.069 --> 01:37:27.034 Third thing is to begin working with upstream providers, folks who are connecting you 01:37:27.034 --> 01:37:29.065 and connecting others to the internet. 01:37:29.065 --> 01:37:36.037 Start working with them because you need to have information sharing and also the ability 01:37:36.037 --> 01:37:42.094 to take mitigation measures, to take steps if and when you have to. 01:37:42.094 --> 01:37:51.008 And the fourth is to set up alerts based on pattern recognition or traffic analysis 01:37:51.008 --> 01:37:54.099 that your analytical team is already doing. 01:37:54.099 --> 01:37:58.022 Those are the first four things to do. 01:37:58.022 --> 01:38:01.016 >> Brian: Thank you, Damian. 01:38:01.016 --> 01:38:08.008 >> Damian: So the first thing I would ask about this would be what style of attack is this? 01:38:08.008 --> 01:38:13.005 Depending on the attack, some attacks can be spoofed with the sources, some cannot. 01:38:13.005 --> 01:38:19.071 So if the sources are definitively like, you know they're definitively coming from Mordor 01:38:19.071 --> 01:38:25.004 or you know what these sources are, that can help a lot more than if it's an attack 01:38:25.004 --> 01:38:28.052 where you don't really know where it's coming from, you just know-- 01:38:28.052 --> 01:38:32.079 you don't know which machine it's coming from in Mordor. 01:38:32.079 --> 01:38:36.004 You know that it's just coming from that country in general, maybe. 01:38:36.004 --> 01:38:40.005 And I think that's the key thing to focus on here. 
01:38:40.005 --> 01:38:44.061 I mean, I agree with what others said, but I think it's important to start 01:38:44.061 --> 01:38:50.023 by understanding the details of the attack, figuring out what you actually know 01:38:50.023 --> 01:38:54.052 versus what you are assuming or guessing about the attack. 01:38:54.052 --> 01:39:01.093 And then I would also start thinking about what type of collateral damage is acceptable. 01:39:01.093 --> 01:39:08.073 If you really only care about financial services in Genovia being accessible to people living 01:39:08.073 --> 01:39:15.054 in Genovia, they could at the border of their country, just block all traffic from Mordor and 01:39:15.054 --> 01:39:19.043 yet people who happen to be on vacation in Mordor might not be able 01:39:19.043 --> 01:39:22.004 to access their bank account, and that would be pretty bad. 01:39:22.004 --> 01:39:28.001 But you could at least partition the problem and keep your own country up. 01:39:28.001 --> 01:39:31.037 >> Brian: Thanks for that point and just to note, people on vacation in Mordor 01:39:31.037 --> 01:39:34.046 to my understanding, no one walks into Mordor. 01:39:34.046 --> 01:39:35.087 Miguel, please. 01:39:35.087 --> 01:39:40.053 >> Miguel: I might actually repeat some of the things that my colleagues here have said. 01:39:40.053 --> 01:39:45.043 From the perspective of an operator that focuses on mitigation and defense, 01:39:45.043 --> 01:39:50.023 I would probably start by looking at the affected entities. 01:39:50.023 --> 01:39:56.001 Get a good scope on what the targets are, what's being affected. 01:39:56.001 --> 01:39:59.048 Move to start looking at determining what the attack vectors are 01:39:59.048 --> 01:40:01.064 that are being used for this particular attack. 
01:40:01.064 --> 01:40:06.053 You can do this in a variety of ways and then I'd probably start focusing
01:40:06.053 --> 01:40:12.029 on starting the mitigation techniques and the defense of these affected systems.
01:40:12.029 --> 01:40:20.001 As Damian said earlier, I'd look at prioritizing and trying to determine or trying to gauge
01:40:20.001 --> 01:40:27.062 which affected resources are acceptable collateral damage, which are priorities and need
01:40:27.062 --> 01:40:33.000 to be available and need to be in place.
01:40:33.000 --> 01:40:38.095 I'd be sharing information as much as possible with both the public and private sector,
01:40:38.095 --> 01:40:42.079 the operators in question that manage the assets that are being attacked.
01:40:42.079 --> 01:40:46.001 So definitely start reaching out to people.
01:40:46.001 --> 01:40:49.066 Another thing that I would be doing is heavily monitoring social media.
01:40:49.066 --> 01:40:59.007 Typically with an attack on Mordor, let's say, and suspected political motivations
01:40:59.007 --> 01:41:02.004 for the attack, I would be looking at Facebook, I'd be looking at Twitter,
01:41:02.004 --> 01:41:04.084 I'd be looking at internet relay chat rooms.
01:41:04.084 --> 01:41:10.042 Anywhere where these attackers could potentially congregate to organize, I'd be monitoring that
01:41:10.042 --> 01:41:14.001 and I'd be trying to glean as much information as I can
01:41:14.001 --> 01:41:16.097 from that activity that is going on online.
01:41:16.097 --> 01:41:19.028 So those are some of the things that I'd be doing.
01:41:19.028 --> 01:41:21.007 >> Brian: Thank you, Danny.
01:41:21.007 --> 01:41:26.084 >> Danny: So yeah I guess there's both a luxury in going last and not having much [inaudible],
01:41:26.084 --> 01:41:29.025 but there are a few things I could offer actually.
01:41:29.025 --> 01:41:31.056 I think these guys are all spot-on with a lot of this.
01:41:31.056 --> 01:41:35.084 I think it certainly, whatever detection capabilities you have for this,
01:41:35.084 --> 01:41:40.073 whether it was a phone call, hopefully not, or an alert or some capability,
01:41:40.073 --> 01:41:43.097 engage your incident response capability, which you should have now
01:41:43.097 --> 01:41:45.082 because you've been alerted to that.
01:41:45.082 --> 01:41:49.024 And then figure out what controls for that sort of attack vector,
01:41:49.024 --> 01:41:51.002 right, exactly as these guys have said.
01:41:51.002 --> 01:41:56.081 You certainly want to continue with continuous monitoring and make sure that other devices,
01:41:56.081 --> 01:42:02.023 other things aren't impacted, in particular with sort of multi-vector attacks,
01:42:02.023 --> 01:42:05.092 especially such as this, which we have seen empirically in the past.
01:42:05.092 --> 01:42:10.081 One of the things that you have to be really careful about, and we've actually seen this
01:42:10.081 --> 01:42:15.015 in the past and learned from that, as Genovia should have learned, is that you've got
01:42:15.015 --> 01:42:19.001 to be really careful about what kind of controls you put in place for attacks as well
01:42:19.001 --> 01:42:22.072 because you may say, I'm going to bring everything back into my organization,
01:42:22.072 --> 01:42:25.056 under control, and then I'll turn my internet access back up
01:42:25.056 --> 01:42:27.073 or inside my nation, or whatever it is.
01:42:27.073 --> 01:42:31.082 And we've literally seen this at the national level and so you decide you're going
01:42:31.082 --> 01:42:35.028 to break all your connectivity and then you realize you don't have a root name server,
01:42:35.028 --> 01:42:37.091 or you realize your ccTLD is hosted in Mordor.
01:42:37.091 --> 01:42:42.048 Or you realize that your email's over there, your authentication service,
01:42:42.048 --> 01:42:47.054 your CA that issues your certs is there or, some other resource that you need.
01:42:47.054 --> 01:42:49.054 So you really need to enumerate those things
01:42:49.054 --> 01:42:53.077 and understand what enables your business before these attacks occur.
01:42:53.077 --> 01:42:59.064 I think I've used this statement in the past but it kind of goes back to Mike Tyson's,
01:42:59.064 --> 01:43:03.095 "Everyone's got a plan until they get hit," sort of mentality, right.
01:43:03.095 --> 01:43:07.089 And so I think that if you haven't done this and you're on the receiving end
01:43:07.089 --> 01:43:14.036 of a large-scale attack, it could be really problematic so certainly absorbing an attack
01:43:14.036 --> 01:43:18.089 and then refining your controls and mitigating as surgically as possible and then trying
01:43:18.089 --> 01:43:22.029 to move those controls further and further upstream and then collaborate as much
01:43:22.029 --> 01:43:25.096 as possible is pretty much what you can do today
01:43:25.096 --> 01:43:30.017 and then protect any forensics information associated with that for whatever it is
01:43:30.017 --> 01:43:32.098 that you might intend to do with that information.
01:43:32.098 --> 01:43:34.019 >> Brian: Thank you, Jillian.
01:43:34.019 --> 01:43:36.097 >> Jillian: There is almost nothing left for me to add here.
01:43:36.097 --> 01:43:39.028 It is the great thing about going last.
01:43:39.028 --> 01:43:44.036 But since you did ask what my organization might do, I suspect that after the leaks
01:43:44.036 --> 01:43:47.051 to the Mordor Times come out that Mordor government officials had something to do
01:43:47.051 --> 01:43:50.024 with the attacks, we would probably condemn the government of Mordor
01:43:50.024 --> 01:43:55.087 for having double standards-- no I'm just kidding, sort of, but yeah,
01:43:55.087 --> 01:44:00.012 nothing that I can add from a technical perspective.
01:44:00.012 --> 01:44:04.012 >> Brian: Okay, well from-- you know what, I'm going to reverse order here, so you'll go first
01:44:04.012 --> 01:44:08.029 and Jeff, you're going to have to deal with Danny's problem next.
01:44:08.029 --> 01:44:14.043 So this is good and very helpful in terms of the first priorities, the first analytical
01:44:14.043 --> 01:44:19.001 and reaction priorities from your perspectives, very clear and interesting--
01:44:19.001 --> 01:44:22.008 not interesting but a lot of consistency across the board there.
01:44:22.008 --> 01:44:29.034 Now let's take it from the point of view of, if this were an ideal scenario in terms
01:44:29.034 --> 01:44:35.058 of effective mitigation techniques, effective collaboration with network operators,
01:44:35.058 --> 01:44:39.062 effective collaboration with government law enforcement resources.
01:44:39.062 --> 01:44:46.006 Walk us through how you would get to that good outcome from that perspective and Jillian,
01:44:46.006 --> 01:44:48.082 from your own point of view, kick it off.
01:44:48.082 --> 01:44:50.008 >> Jillian: I'm not sure I can kick that one off.
01:44:50.008 --> 01:44:56.005 Like I said, this is a wonderful and probably very likely scenario
01:44:56.005 --> 01:45:00.006 but it's also not the level at which we're generally dealing with these things
01:45:00.006 --> 01:45:03.042 and so I'd actually love it if somebody else wants to kick it off
01:45:03.042 --> 01:45:04.047 and I'll keep thinking through that.
01:45:04.047 --> 01:45:07.003 >> Brian: All right, Danny, you're first up.
01:45:07.003 --> 01:45:10.068 >> Danny: Wow, an ideal scenario is that it's not my problem anymore
01:45:10.068 --> 01:45:16.015 and so having the capability to either certainly stop these things from being launched at me
01:45:16.015 --> 01:45:19.073 with some sort of capability or collaboration with law enforcement,
01:45:19.073 --> 01:45:24.026 other folks, which in this case might be very problematic so,
01:45:24.026 --> 01:45:28.018 at the sort of ultimate ingress point of your network, putting controls in place
01:45:28.018 --> 01:45:34.004 that minimize collateral damage or even scope the distribution of reachability information
01:45:34.004 --> 01:45:36.084 in a certain place on the infrastructure, that sort of thing
01:45:36.084 --> 01:45:39.009 so that you have some sustainable controls in place
01:45:39.009 --> 01:45:46.035 and you're not continuously simply filling links and absorbing that and causing collateral damage
01:45:46.035 --> 01:45:48.097 to other services or people that may use those links.
01:45:48.097 --> 01:45:55.074 It's really problematic if there are intermediate networks with other eyeballs or content
01:45:55.074 --> 01:45:58.019 or other things that you may or may not want on your infrastructure
01:45:58.019 --> 01:46:01.079 and so if it's an adjacent network, it's a lot simpler, right,
01:46:01.079 --> 01:46:06.042 it's simply, if you've done your homework before, then simply shut those links off
01:46:06.042 --> 01:46:12.071 and you may be fine, but if I'm a smaller network and this is someone,
01:46:12.071 --> 01:46:18.046 somewhere that's nonadjacent to me, it could be much more problematic because I may have to work
01:46:18.046 --> 01:46:22.083 with them to push controls further and further upstream and that's about their capabilities,
01:46:22.083 --> 01:46:26.054 the laws, what sort of technical or legal framework
01:46:26.054 --> 01:46:29.001 that they operate under, time scales and other things.
01:46:29.001 --> 01:46:38.035 And so, it's sort of all relative to perspective and why the broad variance of attack vectors
01:46:38.035 --> 01:46:42.032 that occur today, why it's so problematic to just get your cookie cutter out
01:46:42.032 --> 01:46:46.084 and say this is a solution for that and so, it's nontrivial I think,
01:46:46.084 --> 01:46:49.096 so it entirely depends on vectors and other things.
01:46:49.096 --> 01:46:52.093 I'm not sure if I said anything that was actually useful, but--
01:46:52.093 --> 01:46:54.097 >> Brian: That's fine, Miguel please.
01:46:54.097 --> 01:46:59.000 >> Miguel: In an ideal scenario where information is being shared,
01:46:59.000 --> 01:47:05.038 where we've quickly been able to determine what the attack vector is, we are looking at ensuring
01:47:05.038 --> 01:47:08.041 that we can put really precise filters in place
01:47:08.041 --> 01:47:12.077 to lop off attack traffic while letting good traffic through.
01:47:12.077 --> 01:47:15.002 It's easier said than done a lot of the time.
01:47:15.002 --> 01:47:19.018 As I said, in an ideal situation we understand the attack,
01:47:19.018 --> 01:47:25.023 and we can put the right mitigation strategies in place to deal with it.
01:47:25.023 --> 01:47:31.084 So in that ideal situation, most likely we should be able to get to availability
01:47:31.084 --> 01:47:34.072 within minutes if people are cooperating correctly
01:47:34.072 --> 01:47:37.012 and we have the information that we need.
01:47:37.012 --> 01:47:41.052 The problem is that we don't live in an ideal world
01:47:41.052 --> 01:47:45.096 and beyond that, attackers are smart, right?
01:47:45.096 --> 01:47:54.007 So they try one thing and then you scramble and get the sites available again
01:47:54.007 --> 01:47:58.001 and put the right mitigation strategy in place,
01:47:58.001 --> 01:48:01.017 but then potentially they might start trying something else.
01:48:01.017 --> 01:48:05.068 You know if that's not being effective, they'll go route B and then potentially will go right
01:48:05.068 --> 01:48:14.041 to route C, so it's a cat and mouse game and it's far from ideal and it's starting over again
01:48:14.041 --> 01:48:18.051 in some sense in terms of putting together another mitigation strategy to deal
01:48:18.051 --> 01:48:23.023 with the new attack vector or signature that comes in and unfortunately,
01:48:23.023 --> 01:48:29.066 the ideal scenarios never happen and attackers have gotten smart and they know how
01:48:29.066 --> 01:48:34.003 to [inaudible] it up and do the damage, and put the damage that they need
01:48:34.003 --> 01:48:36.004 to for the people that are unprepared.
01:48:36.004 --> 01:48:38.004 >> Brian: Thank you, Damian, just let me interject before you go there.
01:48:38.004 --> 01:48:44.098 So hearing Danny and Miguel, clearly understanding that again,
01:48:44.098 --> 01:48:49.076 the problem of the upstream operator and what their sophistication capabilities are
01:48:49.076 --> 01:48:55.053 in helping you diagnose the problem across networks, if you will, as you pointed out.
01:48:55.053 --> 01:48:58.043 And also the clear understanding of needing to kind
01:48:58.043 --> 01:49:02.007 of secure your resources and prevent collateral damage.
01:49:02.007 --> 01:49:09.035 But Damian, Ram, Jeff, bring in also how do we work effectively with law enforcement?
01:49:09.035 --> 01:49:13.097 What can they do to help, what can you do together and the good scenario
01:49:13.097 --> 01:49:19.067 when it works well with the upstream provider, what does that look like?
01:49:19.067 --> 01:49:23.087 >> Damian: Yes I'll start by saying without bringing in law enforcement,
01:49:23.087 --> 01:49:28.021 ideally you would be able to work directly with the network operator, they do want to track it
01:49:28.021 --> 01:49:32.053 through their network and stop the attack upstream.
01:49:32.053 --> 01:49:39.034 There are situations, as Miguel was saying; sometimes it's a little tricky.
01:49:39.034 --> 01:49:45.072 In this case we don't know if the government of Mordor is behind these attacks.
01:49:45.072 --> 01:49:50.068 So, sticking with the scenario, it's never going to be entirely ideal
01:49:50.068 --> 01:49:56.003 because you don't necessarily want to tell the ISP in Mordor what your fingerprint
01:49:56.003 --> 01:50:01.038 of the attack is, which maybe would help them filter it, because they might just turn around
01:50:01.038 --> 01:50:04.057 and tell the government, the government will modify the attack to not match
01:50:04.057 --> 01:50:07.042 that fingerprint anymore and then you're in bigger trouble than you were before.
01:50:07.042 --> 01:50:15.024 So, depending on how paranoid you want to be, I'm a security person so I'm paid
01:50:15.024 --> 01:50:21.049 to be paranoid but, you have to be a little cautious about what information you're sharing.
01:50:21.049 --> 01:50:26.044 Try to share information that's useful for stopping the attack but,
01:50:26.044 --> 01:50:30.006 not sharing everything you know about the attack so you can still trace it.
01:50:30.006 --> 01:50:38.021 In terms of law enforcement, since we're in the U.S., US-CERT is a good resource.
01:50:38.021 --> 01:50:41.054 They have contacts at CERTs.
01:50:41.054 --> 01:50:44.026 CERT is Computer Emergency Response Team.
01:50:44.026 --> 01:50:48.092 They have contacts at CERTs in every other country and so that's very helpful
01:50:48.092 --> 01:50:51.028 because they're sort of a central point.
01:50:51.028 --> 01:50:56.025 They might be able to recognize that you're not the only victim of an attack,
01:50:56.025 --> 01:51:01.092 so they might be able to correlate events that you perhaps were not aware of.
01:51:01.092 --> 01:51:04.009 And they can also assist with language issues.
01:51:04.009 --> 01:51:09.087 You know it's very difficult for me personally to email an ISP in Asia
01:51:09.087 --> 01:51:15.009 because I don't speak any of the Asian languages whereas US-CERT probably has the ability
01:51:15.009 --> 01:51:19.069 to handle that translation a little bit better
01:51:19.069 --> 01:51:23.098 than Google Translate, which is my fallback option.
01:51:23.098 --> 01:51:24.009 [Laughter]
01:51:24.009 --> 01:51:26.092 >> Brian: Thank you, Ram.
01:51:26.092 --> 01:51:34.067 >> Ram: Thanks, so in this ideal scenario perhaps one of the things that have to be worked
01:51:34.067 --> 01:51:38.025 on is the formation of an alliance for data sharing.
01:51:38.025 --> 01:51:43.077 Especially identifying who the next Genovia might be and you go work
01:51:43.077 --> 01:51:49.094 out who those next Genovias might be and this kind of an alliance cannot be government
01:51:49.094 --> 01:51:56.093 to governments, it's got to be public, private, a combination of that and that takes time to do
01:51:56.093 --> 01:51:59.001 but this is the time to start doing it [inaudible].
01:51:59.001 --> 01:52:04.069 The second, you know we're talking about this ideal scenario and there is rapid availability.
01:52:04.069 --> 01:52:08.083 The attack happened, mitigation happened, everything came back
01:52:08.083 --> 01:52:14.091 but remember this might simply be Mordor profiling you for a bigger attack to come
01:52:14.091 --> 01:52:20.058 and they've now learned how you countered it and they're building counter-measures right now
01:52:20.058 --> 01:52:23.046 for your counters and that's likely to happen
01:52:23.046 --> 01:52:27.067 if this is really a serious act coming up against you.
01:52:27.067 --> 01:52:33.005 So, you may leave everything on the floor at this time
01:52:33.005 --> 01:52:37.035 and you may just get killed really online the next time.
01:52:37.035 --> 01:52:46.028 And the third is law enforcement, this is a case where most often this is a sourceless crime,
01:52:46.028 --> 01:52:51.034 there is no one to prosecute, there's no one to really go after for the most part.
01:52:51.034 --> 01:52:58.046 Most of the people along the way are in transit and are trying to help to some extent.
01:52:58.046 --> 01:53:02.072 They're just doing their job passing packets along, passing information along
01:53:02.072 --> 01:53:09.075 and they got co-opted into something that was initially beyond their understanding
01:53:09.075 --> 01:53:13.046 and eventually beyond their ability to solve individually.
01:53:13.046 --> 01:53:19.026 So you have to start to change a little bit of law enforcement's mindset of who are we going
01:53:19.026 --> 01:53:25.093 after because this is not so much about a counter attack, this is often much more
01:53:25.093 --> 01:53:33.008 about prevention and you have to start thinking about the online equivalent
01:53:33.008 --> 01:53:42.069 of a neighborhood watch and one doesn't really exist in any coordinated way today.
01:53:42.069 --> 01:53:43.033 >> Brian: Thanks, Jeff.
01:53:43.033 --> 01:53:46.009 >> Jeff: I definitely like going last.
01:53:46.009 --> 01:53:50.053 I have more time to think about what I'm going to say and I bounced around with a few ideas
01:53:50.053 --> 01:53:52.074 but you know they say don't fight the scenario
01:53:52.074 --> 01:53:54.072 but I was always the kid who fought the scenario.
01:53:54.072 --> 01:53:58.067 So I guess I would start kind of where Damian went, if you're in an ideal scenario
01:53:58.067 --> 01:54:06.039 that means Mordor is helping and helping you willingly and with no ill intent
01:54:06.039 --> 01:54:09.017 in actually wanting to stop their own citizens who [inaudible]
01:54:09.017 --> 01:54:11.038 and probably something they believe in.
01:54:11.038 --> 01:54:16.017 Which leads me to point two, I think Ram hit well, if everything is really going that well,
01:54:16.017 --> 01:54:20.084 that's when you should really start being scared because things never go that well.
01:54:20.084 --> 01:54:23.064 So question everything that worked and try to figure out why it worked
01:54:23.064 --> 01:54:27.002 and is someone just letting you think it worked?
01:54:27.002 --> 01:54:33.048 In terms of what does it look like to be successful on the legal and governmental side,
01:54:33.048 --> 01:54:36.034 there are a lot of things you need to work.
01:54:36.034 --> 01:54:39.073 Governments that are willing to share information, that have relationships,
01:54:39.073 --> 01:54:42.099 that trust each other, but then even beyond that you need laws
01:54:42.099 --> 01:54:47.001 that will allow the information sharing both between the private sector and the government
01:54:47.001 --> 01:54:49.074 within each country and then between the various governments.
01:54:49.074 --> 01:54:52.017 But then you also need laws that protect the privacy
01:54:52.017 --> 01:54:56.083 of the individuals whose information is being shared and assuming you have all that
01:54:56.083 --> 01:55:00.081 and you get the information that allows you to find the actual source of the crime,
01:55:00.081 --> 01:55:05.045 which as Ram said is very difficult, you actually have both resources and laws
01:55:05.045 --> 01:55:11.079 that allow prosecution, and not in medieval ways, of people who are doing these types of acts.
01:55:11.079 --> 01:55:18.017 So going back to, you really need to figure out what your end-goal is
01:55:18.017 --> 01:55:22.064 out of this before you figure out, it would be great
01:55:22.064 --> 01:55:24.033 if you'd actually prosecute the people doing it.
01:55:24.033 --> 01:55:27.049 It would be better if you could get all your systems back up really quickly
01:55:27.049 --> 01:55:32.005 and try to develop better relationships to prevent them in the future.
01:55:32.005 --> 01:55:33.059 >> Brian: So Jeff, just picking up at that point,
01:55:33.059 --> 01:55:38.002 this will be the last round, then we'll turn it over to Q&A for the audience,
01:55:38.002 --> 01:55:41.014 and Ram mentioned the notion of an alliance.
01:55:41.014 --> 01:55:45.011 Danny, the CSRIC work that you mentioned at the FCC.
01:55:45.011 --> 01:55:52.029 Very interesting industry, government but clearly, just uniquely ISP focused in terms
01:55:52.029 --> 01:55:58.002 of best practices or a potential code of conduct if you will in that exercise.
01:55:58.002 --> 01:56:04.086 Where is this collaboration happening today or the seeds of this collaboration between industry
01:56:04.086 --> 01:56:10.021 and government specifically that clearly has to be globally oriented.
01:56:10.021 --> 01:56:13.055 That has to be cross-cutting across boundaries.
01:56:13.055 --> 01:56:16.038 Where is that happening, where should it begin
01:56:16.038 --> 01:56:19.099 to happen more deeply and how can we make that happen?
01:56:19.099 --> 01:56:21.009 I'll open to the entire panel.
01:56:21.009 --> 01:56:23.001 Danny.
01:56:23.001 --> 01:56:32.018 >> Danny: So yeah there is a lot of national-level stuff that I mentioned certainly as some
01:56:32.018 --> 01:56:37.009 of the countries that are blazing the trail there, from Australia, to Germany, to Finland,
01:56:37.009 --> 01:56:43.094 to the U.S. I mean some of the work that the FCC and others have done which is
01:56:43.094 --> 01:56:46.011 about educating folks and sharing information.
01:56:46.011 --> 01:56:51.054 A lot of this as you'll notice, even though these scenarios comes back to international laws
01:56:51.054 --> 01:56:58.056 or even national laws or disclosure laws or fair disclosure laws, right, I mean what is the extent
01:56:58.056 --> 01:57:03.057 of where I can share information and who I can get help from and where can we get collaboration
01:57:03.057 --> 01:57:07.081 from a nation state versus send in a snatch team or not do anything, right?
01:57:07.081 --> 01:57:14.002 And so, what are the kinds of capabilities that you have, and then you'd really like to operate
01:57:14.002 --> 01:57:18.019 in meatspace and prosecute people that have real impacts on real businesses
01:57:18.019 --> 01:57:22.055 and break walls internationally, but how do you balance
01:57:22.055 --> 01:57:26.002 that internationally with the privacy for example?
01:57:26.002 --> 01:57:30.006 I mean that's a tough balance because if you can attribute every transaction on the internet,
01:57:30.006 --> 01:57:34.058 then no one has any privacy or [inaudible] and what does that mean
01:57:34.058 --> 01:57:36.015 for censorship or for other things.
01:57:36.015 --> 01:57:39.066 So all these sort of things together is,
01:57:39.066 --> 01:57:43.076 it definitely needs more leadership from the government.
01:57:43.076 --> 01:57:46.003 I think they've certainly done a humongous amount,
01:57:46.003 --> 01:57:51.039 and from local law enforcement folks we work with, to national-level folks,
01:57:51.039 --> 01:57:54.009 and certainly Jeff and some of the places he's been.
01:57:54.009 --> 01:57:57.074 A lot of the folks looking for ways to collaborate and to put frameworks
01:57:57.074 --> 01:58:05.054 in place allowing information sharing and enabling a sort of protection of private sector
01:58:05.054 --> 01:58:11.004 and industry and you know that the government's got your back for this and that they're going
01:58:11.004 --> 01:58:15.035 to pull the levers and turn the steam valves they need to make sure
01:58:15.035 --> 01:58:18.099 that if someone is attacking someone on this infrastructure and have an impact
01:58:18.099 --> 01:58:24.054 that it's having a real impact and represent their citizens wherever they are.
01:58:24.054 --> 01:58:28.004 So I think it sort of goes all the way back to that from the international perspective
01:58:28.004 --> 01:58:32.008 because of the projection capability that adversaries have on the internet
01:58:32.008 --> 01:58:39.028 and there are a lot of alliances, a lot are private sector, public sector, partnerships,
01:58:39.028 --> 01:58:42.056 everything from Internet Security Alliance, Online Trust Alliance, StopBadware.
01:58:42.056 --> 01:58:44.089 I mean there's no shortage.
01:58:44.089 --> 01:58:49.051 I mean a lot of the outreach that we talked about, the work that [inaudible]
01:58:49.051 --> 01:58:53.097 and the Anti-Phishing Working Group and some of the other folks have done.
01:58:53.097 --> 01:59:00.017 So I think that a lot of this is happening but it certainly, the industry-level leadership
01:59:00.017 --> 01:59:05.071 with the recognition by governments that they're captive to this.
01:59:05.071 --> 01:59:07.072 We're all sort of captive to this and the only way we're going
01:59:07.072 --> 01:59:10.004 to get there is if we collaborate.
01:59:10.004 --> 01:59:12.054 >> Brian: Thanks, anybody else?
01:59:12.054 --> 01:59:13.075
01:59:13.075 --> 01:59:17.002 >> You know there are many more acronyms we could throw out there
01:59:17.002 --> 01:59:21.019 about the various public/private collaboration partnerships.
01:59:21.019 --> 01:59:23.041 Some doing great work, some doing work.
01:59:23.041 --> 01:59:29.015 [Laughter] But I want to get back to something I think Miguel touched on earlier
01:59:29.015 --> 01:59:34.007 about information sharing and the need to share information, and most folks who would go ahead
01:59:34.007 --> 01:59:35.057 and share will get slapped down for it.
01:59:35.057 --> 01:59:43.021 There are two reasons for it, one, corporate strategic secret issues,
01:59:43.021 --> 01:59:45.055 but also the lawyers will often slap you down because,
01:59:45.055 --> 01:59:47.003 well, can we really share that information.
01:59:47.003 --> 01:59:53.015 That's an area where I think we need change and we need it soon, is changing the laws
01:59:53.015 --> 01:59:58.032 that limit the ability of companies who want to share information with other companies, ECPA,
01:59:58.032 --> 02:00:04.048 Electronic Communications Privacy Act, antitrust laws, all these don't need to be gutted,
02:00:04.048 --> 02:00:07.087 they need to be reformed and frankly we got to a very weird place
02:00:07.087 --> 02:00:10.004 in the [inaudible] legislative cycle this year where you had the head
02:00:10.004 --> 02:00:15.086 of the National Security Agency and you had privacy groups all saying this is something we
02:00:15.086 --> 02:00:18.001 need to do and here's the framework that we all think actually can work.
02:00:18.001 --> 02:00:23.013 It's based on our own idea of sharing cyber security information narrowly defined
02:00:23.013 --> 02:00:25.087 for cyber security purposes, narrowly defined,
02:00:25.087 --> 02:00:30.031 but Congress in its infinite wisdom got-- you have the NSA
02:00:30.031 --> 02:00:34.051 and the privacy groups essentially agreeing, so Congress chose not to act.
02:00:34.051 --> 02:00:38.062 And that is something that I think is not going to solve the problem but would be a step
02:00:38.062 --> 02:00:41.042 in the right direction to allow information sharing
02:00:41.042 --> 02:00:43.044 and maybe break down some of those barriers.
02:00:43.044 --> 02:00:49.057 Make it happen 5, 10, 15 minutes, an hour soon, sooner, or even won't happen at all,
02:00:49.057 --> 02:00:53.000 so that's something that within all these groups there are still these limitations
02:00:53.000 --> 02:00:57.077 that are illegal and need to be changed by the politicians.
02:00:57.077 --> 02:00:59.004 >> Brian: Thanks, Damian.
02:00:59.004 --> 02:01:03.062 >> Damian: I wanted to mention there are some ways that collaboration can occur
02:01:03.062 --> 02:01:09.016 without needing to necessarily involve lawyers or worry about user privacy.
02:01:09.016 --> 02:01:14.011 Some of the attacks that we see, there's just sharing information about the fact
02:01:14.011 --> 02:01:17.009 that we're seeing an attack, the size of the attack,
02:01:17.009 --> 02:01:19.007 the type of the attack can be helpful to others.
02:01:19.007 --> 02:01:27.041 So as a recent example the DoS attacks that hit the banks recently hit us actually
02:01:27.041 --> 02:01:32.025 about a week before it started hitting all of the banks and we sent a quick heads-up
02:01:32.025 --> 02:01:38.008 to a security list of people just letting them know,
02:01:38.008 --> 02:01:41.005 hey we're getting this surprisingly large attack.
02:01:41.005 --> 02:01:44.036 This is a bit unusual; this is what it looks like.
02:01:44.036 --> 02:01:47.035 You might want to watch out, be prepared.
02:01:47.035 --> 02:01:51.076 Unfortunately two days later, we wrote back and said it just doubled in size,
02:01:51.076 --> 02:01:56.014 but there are things that you can do to give out information.
02:01:56.014 --> 02:02:00.038 We're not giving out necessarily like the IP addresses that it's coming
02:02:00.038 --> 02:02:05.025 from because we have talked to lawyers about the privacy implications of that,
02:02:05.025 --> 02:02:09.088 but even just the basic information about the type of attack that you're getting and the size
02:02:09.088 --> 02:02:16.013 and maybe the general area of the world it's coming from can be very helpful to others.
02:02:16.013 --> 02:02:19.089 >> Brian: Thanks, any last remarks?
02:02:19.089 --> 02:02:22.054 Okay, thank you panelists very much for playing along
02:02:22.054 --> 02:02:25.056 and for the great information you've provided us with so far.
02:02:25.056 --> 02:02:30.029 So let's get to the really important folks here today, the audience both here and online.
02:02:30.029 --> 02:02:35.068 At least for the next 30 minutes, we'll have an open mic in the middle of the room.
02:02:35.068 --> 02:02:40.015 I think we have some questions from online, so if you would,
02:02:40.015 --> 02:02:49.066 please [inaudible] we have-- [Pause]-- it doesn't work?
02:02:49.066 --> 02:02:50.076
02:02:50.076 --> 02:02:55.014 Why don't you come up and use this microphone, if you would, to pose your question.
02:02:55.014 --> 02:02:56.012 [Pause]
02:02:56.012 --> 02:03:03.002 >> David: I'm David Thaumenal [phonetic], President of The Internet Society of New York
02:03:03.002 --> 02:03:07.061 and just as we have software as a service and infrastructure as a service,
02:03:07.061 --> 02:03:13.025 there's now crimeware as a service so if I'm a bad person, rather than going to all the trouble
02:03:13.025 --> 02:03:16.073 of actually attacking somebody I don't like on the internet,
02:03:16.073 --> 02:03:23.012 I can actually pay a service provider to do it for me
02:03:23.012 --> 02:03:29.057 and they're using a commercial business model so I can have warranties, guarantees of quality
02:03:29.057 --> 02:03:33.031 of service, support contracts and everything else.
02:03:33.031 --> 02:03:41.006 So my question is wouldn't it make sense for whether it's industry or law enforcement
02:03:41.006 --> 02:03:49.077 or whatever to focus on identifying these crimeware service providers, infiltrating them,
02:03:49.077 --> 02:03:55.024 targeting them, purchasing their software and reverse engineering it
02:03:55.024 --> 02:04:01.095 to disable it, that type of thing?
02:04:01.095 --> 02:04:05.088 >> Brian: Anyone on the panel want to take that?
02:04:05.088 --> 02:04:12.007 >> Danny: Absolutely, if you go back to the scenario of an ideal world, 02:04:12.007 --> 02:04:16.071 but a lot of these are happening offshore in countries that aren't particularly amenable 02:04:16.071 --> 02:04:23.005 to working with our law enforcement to arrest or prosecute. 02:04:23.005 --> 02:04:28.095 Reverse engineering I think goes on, but the problem is that the software morphs so quickly 02:04:28.095 --> 02:04:33.039 that the signatures are old as soon as you know it. 02:04:33.039 --> 02:04:37.035 And there are other efforts, other techniques for protecting against it 02:04:37.035 --> 02:04:41.029 and I think that's actively underway, but in terms of infiltrating, breaking up, 02:04:41.029 --> 02:04:44.067 prosecuting, they'd just go somewhere else. 02:04:44.067 --> 02:04:50.009 >> So I was going to add just there is one aspect to this certainly lots 02:04:50.009 --> 02:04:53.064 of folks are looking at when you try to move it back to meatspace and the place 02:04:53.064 --> 02:04:57.095 where law enforcement usually operates in a more productive way and better 02:04:57.095 --> 02:05:04.031 than most information security folks and there has been a lot more work on follow the money 02:05:04.031 --> 02:05:07.094 and use that angle for the attribution side of this. 02:05:07.094 --> 02:05:12.082 I mean some of the recent things you may have seen from spam campaigns to phishing 02:05:12.082 --> 02:05:15.032 and mal-code distribution and those sorts of things. 02:05:15.032 --> 02:05:20.026 Some recent work actually by Stefan Savage and some of the folks at UCSB 02:05:20.026 --> 02:05:25.028 was particularly enlightening in that area for those of you that haven't seen that.
02:05:25.028 --> 02:05:28.087 And I know that law enforcement is certainly taking note and very good at those kinds 02:05:28.087 --> 02:05:37.072 of things and so, I suspect that being aware of that and seeing more 02:05:37.072 --> 02:05:40.005 on that side I would follow the money and work on the attribution 02:05:40.005 --> 02:05:45.003 and the prosecution associated with malicious activity, that sort is certainly something 02:05:45.003 --> 02:05:49.029 that we're going to see more of from a prosecution perspective. 02:05:49.029 --> 02:05:53.027 >> Brian: And the FBI has had some big takedowns recently. 02:05:53.027 --> 02:05:57.058 There was one in [inaudible] early this year, late last year. 02:05:57.058 --> 02:05:59.068 >> Last year. 02:05:59.068 --> 02:06:00.039 >> Brian: Thank you. 02:06:00.039 --> 02:06:02.022 I've got two questions from online, 02:06:02.022 --> 02:06:05.062 I'll go to one of them first and then come back to the room. 02:06:05.062 --> 02:06:09.072 From Vanda [phonetic]: the reality that people don't think it will happen 02:06:09.072 --> 02:06:11.074 with them is a fact here too. 02:06:11.074 --> 02:06:18.003 So how can I convince people that they need to take preventative measures? 02:06:18.003 --> 02:06:19.023 02:06:19.023 --> 02:06:20.072 Jillian? 02:06:20.072 --> 02:06:25.088 >> Jillian: Sure, so I don't know what "here" means in that sentence 02:06:25.088 --> 02:06:30.052 but nonetheless I would say in thinking about how to convince people, 02:06:30.052 --> 02:06:36.098 there is a wealth of information on what sort of attacks occurred and who they've targeted 02:06:36.098 --> 02:06:40.013 and one of the things that this Berkman Center study found was 02:06:40.013 --> 02:06:43.091 that there's really no associated ideology with attacks. 02:06:43.091 --> 02:06:49.088 There's one example where some conservative Muslim groups outside 02:06:49.088 --> 02:06:52.077 of the U.S. were attacking a U.S. conservative website.
02:06:52.077 --> 02:06:57.096 The U.S. conservative groups were then attacking these Muslim websites outside the U.S., and so on 02:06:57.096 --> 02:07:02.053 and so forth and sort of in a circle and so, anyone can be a victim. 02:07:02.053 --> 02:07:07.019 Any type of group, any type of ideology and so I think that's where we start looking 02:07:07.019 --> 02:07:13.032 at previous attacks and educating people about those various disparate targets, 02:07:13.032 --> 02:07:15.013 that's another way that we can raise awareness. 02:07:15.013 --> 02:07:20.023 And then like I said just sort of thinking about risk assessment is not an easy thing 02:07:20.023 --> 02:07:26.009 in these cases and like I said with having disparate ideologies be the target of attacks, 02:07:26.009 --> 02:07:31.059 it's not easy to really assess what your actual risk is and so to assume 02:07:31.059 --> 02:07:34.097 that you could potentially be a target of an attack is the first thing. 02:07:34.097 --> 02:07:41.071 But then to sort of weigh your risk and figure out what you might want to think about in terms 02:07:41.071 --> 02:07:44.099 of what's important to you and keeping your site up. 02:07:44.099 --> 02:07:46.065 >> Brian: Sure, Miguel. 02:07:46.065 --> 02:07:49.032 >> Miguel: Thank you Brian. 02:07:49.032 --> 02:07:55.077 What the question refers to is sort of how to make the business case for protection 02:07:55.077 --> 02:07:58.065 or mitigation against this kind of a threat. 02:07:58.065 --> 02:08:04.033 Danny actually talked about some of these things previously in the conversation in terms 02:08:04.033 --> 02:08:08.047 of really evaluating your infrastructure and your needs and kind 02:08:08.047 --> 02:08:13.077 of asking yourself some basic questions. 02:08:13.077 --> 02:08:20.043 What would it mean to you if your, let's say for example your website was down?
02:08:20.043 --> 02:08:24.027 What are some of the things that could potentially happen if that was the case 02:08:24.027 --> 02:08:26.086 and what would the impact to you be 02:08:26.086 --> 02:08:30.037 if your infrastructure was down for 12 hours for example? 02:08:30.037 --> 02:08:33.096 I'll use some private sector examples to just kind of illustrate this. 02:08:33.096 --> 02:08:37.085 Maybe obviously there's potentially the revenue component. 02:08:37.085 --> 02:08:39.041 Maybe you're making money off your website 02:08:39.041 --> 02:08:46.012 so there's some tangible result in terms of not having revenue. 02:08:46.012 --> 02:08:51.051 But from a customer service perspective for example, what happens if your website is 02:08:51.051 --> 02:08:53.015 down for a certain amount of time? 02:08:53.015 --> 02:08:58.016 Maybe your call center gets flooded, gets into code red. 02:08:58.016 --> 02:09:03.012 People are waiting an hour-and-a-half to have the phone answered. 02:09:03.012 --> 02:09:07.006 Maybe your email boxes start getting flooded and maybe it's going to take weeks potentially 02:09:07.006 --> 02:09:11.043 to dig yourself out of that hole. 02:09:11.043 --> 02:09:17.039 Another thing to kind of think about is, as you make the business case for this 02:09:17.039 --> 02:09:25.088 or to have some kind of a plan to mitigate the attacks is how long would it actually take you 02:09:25.088 --> 02:09:30.049 to get your core infrastructure or the infrastructure you need to be online, 02:09:30.049 --> 02:09:34.052 back online if something like this happened? 02:09:34.052 --> 02:09:38.008 Potentially it would take you a significant amount of time just to figure 02:09:38.008 --> 02:09:44.058 out what's actually happening let alone figuring out what the path is going to be in terms 02:09:44.058 --> 02:09:47.084 of what the best strategy is to deal with the problem when it happens. 
02:09:47.084 --> 02:09:51.088 And then on top of that, after that is once you actually know what to do, 02:09:51.088 --> 02:09:55.002 actually putting the plan in place to do what needs 02:09:55.002 --> 02:09:57.077 to be done to get the threat under control. 02:09:57.077 --> 02:10:01.037 So when you start asking yourself some of these fundamental questions 02:10:01.037 --> 02:10:04.054 and it's not just a private sector thing where you're worried 02:10:04.054 --> 02:10:08.022 about your revenue potentially or your brand equity. 02:10:08.022 --> 02:10:11.015 You know the public sector faces this as well 02:10:11.015 --> 02:10:14.007 because it obviously, there's some tangible stuff. 02:10:14.007 --> 02:10:20.096 It looks really bad when a government website is down or a free speech NGO website is down. 02:10:20.096 --> 02:10:23.098 So there are fundamental questions that you can start asking yourself 02:10:23.098 --> 02:10:28.072 and when you start asking yourself these questions and really look 02:10:28.072 --> 02:10:31.089 at what the impact is going to be, both short-term and long-term, 02:10:31.089 --> 02:10:34.014 you really have to think about the long-term impact too. 02:10:34.014 --> 02:10:40.056 At that point you start to look at that and the business case for DDoS protection 02:10:40.056 --> 02:10:45.088 or for having a plan in place to deal with this particular issue if it happens, 02:10:45.088 --> 02:10:50.012 it starts to become quite apparent that this is something that is worth doing. 02:10:50.012 --> 02:10:54.082 >> Brian: Sounds like good common sense, anybody else, yeah, Damian. 02:10:54.082 --> 02:11:01.002 >> Damian: So I want to highlight like in addition to just the business financial impact, 02:11:01.002 --> 02:11:03.066 there is a very strong PR impact to going down.
02:11:03.066 --> 02:11:09.045 We saw user comments during the bank attacks, you know comments and articles 02:11:09.045 --> 02:11:13.015 of our users saying things like, if my bank can't handle a DoS attack, 02:11:13.015 --> 02:11:16.038 how do I trust that they know how to secure my money? 02:11:16.038 --> 02:11:20.009 They're completely unrelated things but the average person doesn't understand that 02:11:20.009 --> 02:11:24.073 and so there can be a significant PR impact to your organization if it goes down even 02:11:24.073 --> 02:11:29.013 if it doesn't directly affect them like with banking yes, 02:11:29.013 --> 02:11:32.065 some people couldn't do online banking for a day, ATMs were still fine. 02:11:32.065 --> 02:11:40.007 Like there was no actual real risk there but I also want to point out that I think going 02:11:40.007 --> 02:11:43.065 down is actually a viable option. 02:11:43.065 --> 02:11:48.003 We're all talking about it as if the ultimate goal is to stay online, 02:11:48.003 --> 02:11:52.039 but economically that might not make sense for you and even 02:11:52.039 --> 02:11:54.077 from a PR standpoint it may not make sense. 02:11:54.077 --> 02:11:59.022 If you're a human rights organization and you can get an article in the New York Times 02:11:59.022 --> 02:12:02.069 about how you went down due to a DoS attack, 02:12:02.069 --> 02:12:04.096 that's the best publicity you can possibly imagine. 02:12:04.096 --> 02:12:09.002 Nobody is thinking about human rights until they see this article. 02:12:09.002 --> 02:12:16.065 So, it's something to keep in mind, staying up at all costs isn't necessarily the end goal. 02:12:16.065 --> 02:12:17.069 >> Brian: Yeah, Danny. 02:12:17.069 --> 02:12:21.078 >> Danny: So I was going to add a little bit to both of what they said actually, 02:12:21.078 --> 02:12:24.058 and to Vanda's question, how do you sort of get ahead of these.
02:12:24.058 --> 02:12:27.047 One of the comments that I made earlier is somewhere between 80% 02:12:27.047 --> 02:12:31.082 and 85% of IT security spend goes toward regulatory compliance. 02:12:31.082 --> 02:12:36.004 Things you have to do just to check boxes like these fire suppression systems right, 02:12:36.004 --> 02:12:42.053 and this is the sort of thing where most of the traditional controls that are on our network, 02:12:42.053 --> 02:12:48.023 the 100s and 100s that we have are about keeping private information private and more and more 02:12:48.023 --> 02:12:50.096 so many organizations, particularly for internet facing services, 02:12:50.096 --> 02:12:54.041 the availability of those services, as opposed to just the confidentiality 02:12:54.041 --> 02:12:58.048 of the data contained therein is more and more of an issue 02:12:58.048 --> 02:13:02.018 and so making sure you understand that, to Miguel's point. 02:13:02.018 --> 02:13:07.066 Risk management 101, basic business resilience says take the asset, take what one minute 02:13:07.066 --> 02:13:14.008 of downtime with that asset may cost you, talk about how long a particular outage may be 02:13:14.008 --> 02:13:17.017 and then you come up with your single loss expectancy 02:13:17.017 --> 02:13:19.008 and then take how many times this may occur in a year, something known 02:13:19.008 --> 02:13:25.024 as annualized loss expectancy, and you multiply annualized rate of occurrence 02:13:25.024 --> 02:13:27.007 with single loss expectancy and you know in a year, 02:13:27.007 --> 02:13:30.033 this much downtime could cost you this much in your organization. 02:13:30.033 --> 02:13:34.002 And if you don't do that, and then say okay what are we willing to invest in proactively 02:13:34.002 --> 02:13:40.008 to get residual risk to some level that we [inaudible] or go buy insurance 02:13:40.008 --> 02:13:42.044 or ignore it and hope that it doesn't happen.
02:13:42.044 --> 02:13:44.065 And so you really need to think about this. 02:13:44.065 --> 02:13:49.084 Actually, I'll reference again the internet security lines documents. 02:13:49.084 --> 02:13:53.079 It's a little hefty but it's a really great read for folks asking just that question. 02:13:53.079 --> 02:13:59.009 It's a CFO's guide to cyber risk and it sort of talks about some of these sorts of things. 02:13:59.009 --> 02:14:04.076 I definitely recommend that you have a look at that and try to get ahead of it. 02:14:04.076 --> 02:14:06.004 So, I'm done now so-- 02:14:06.004 --> 02:14:08.068 >> Brian: Okay do we have other questions from inside the room? 02:14:08.068 --> 02:14:10.018 Please, okay. 02:14:10.018 --> 02:14:18.014 >> You were talking about the PR aspect of it and I took Jill's comment to heart earlier 02:14:18.014 --> 02:14:22.004 about she doesn't think it's a good idea and we know 02:14:22.004 --> 02:14:27.093 that Pirate Bay went anonymous [inaudible] the whole Pirate Bay came 02:14:27.093 --> 02:14:33.002 out against it saying they were for free speech and this was against it and I wonder 02:14:33.002 --> 02:14:40.007 about how much embarrassment and the moral argument and basically if you've got governments 02:14:40.007 --> 02:14:43.023 who are doing it, can there be kind of treaties between governments 02:14:43.023 --> 02:14:46.034 that say this is not acceptable behavior. 02:14:46.034 --> 02:14:50.053 And in the activist world, also the same kind of thing 02:14:50.053 --> 02:14:57.075 so [inaudible] technical solutions or social solutions? 02:14:57.075 --> 02:15:01.062 >> Jillian: Sure so I'll just give my quick two cents because I'm actually more curious 02:15:01.062 --> 02:15:03.065 to hear others' responses to this. 02:15:03.065 --> 02:15:08.081 So using our example of Mordor and not getting into real life, let's say that the governor 02:15:08.081 --> 02:15:12.044 of Mordor was partly behind the attacks against Genovia.
02:15:12.044 --> 02:15:17.058 And so in cases like that, it's really difficult. 02:15:17.058 --> 02:15:21.072 I'm assuming that Mordor also prosecutes citizens for hacking 02:15:21.072 --> 02:15:27.052 and for their own DDoS perpetrations and so it's really difficult to look at that 02:15:27.052 --> 02:15:31.023 and say that Mordor has any moral ground to stand 02:15:31.023 --> 02:15:34.006 on when it does prosecute its own citizens for being behind those attacks. 02:15:34.006 --> 02:15:37.066 And I think that we have seen, I'm sure you're aware of them, 02:15:37.066 --> 02:15:39.007 real life examples where this exists. 02:15:39.007 --> 02:15:42.092 Where you know governments are doing one thing with one hand and something with the other. 02:15:42.092 --> 02:15:50.005 But to the point about [inaudible] example is a great one and I agreed with them 02:15:50.005 --> 02:15:53.059 and I think John Perry Barlow, one of the founders of [inaudible], said the same thing 02:15:53.059 --> 02:15:57.097 that DDoS attacks are essentially an attack on free expression. 02:15:57.097 --> 02:16:00.033 I do agree with that. 02:16:00.033 --> 02:16:05.044 Like I said I think that there are some circumstances where it's much more difficult 02:16:05.044 --> 02:16:09.098 to condemn and those are circumstances where you're up against a government 02:16:09.098 --> 02:16:15.054 that is stifling its own citizens' free expression and so you're getting into sort 02:16:15.054 --> 02:16:21.033 of irregular warfare, online warfare in those cases, but generally speaking I do think 02:16:21.033 --> 02:16:26.014 that it would be a lot easier if we all viewed this as something 02:16:26.014 --> 02:16:28.031 that was not morally acceptable in terms of free expression. 02:16:28.031 --> 02:16:32.056 It would certainly be a lot easier to go after the actual bad guys. 02:16:32.056 --> 02:16:34.047 >> Brian: Others, Jeff?
02:16:34.047 --> 02:16:39.069 >> Jeff: I would say I think that there are things that can be improved 02:16:39.069 --> 02:16:43.031 through international cooperation, potentially international treaties. 02:16:43.031 --> 02:16:47.081 There's a pretty healthy debate over whether that's even possible and enforceable 02:16:47.081 --> 02:16:51.034 and I think we at least have to try. 02:16:51.034 --> 02:16:55.025 Maybe some of that will filter down into day-to-day conduct with people, 02:16:55.025 --> 02:16:59.049 but people still commit crimes all the time even though they're illegal 02:16:59.049 --> 02:17:05.046 so I think there's a limitation to how far that will go to stop the groups that think 02:17:05.046 --> 02:17:08.025 that they're above the law or independent of law 02:17:08.025 --> 02:17:11.089 or have a separate obligation that's different to it. 02:17:11.089 --> 02:17:16.042 But I think you will see more effort in the future to try 02:17:16.042 --> 02:17:23.092 out some negotiated agreements; it remains to be seen if they're actually verifiable. 02:17:23.092 --> 02:17:25.098 >> Brian: We have an interesting question from online. 02:17:25.098 --> 02:17:27.006 I know we've got another couple from in the room. 02:17:27.006 --> 02:17:29.059 This one is from Mikey. 02:17:29.059 --> 02:17:37.029 What about a global simulation of a cyber event with a goal of beginning to build a global, 02:17:37.029 --> 02:17:40.006 who can I call for immediate help type mechanism? 02:17:40.006 --> 02:17:46.072 I know that in certain countries table top exercises take place with a number 02:17:46.072 --> 02:17:50.024 of different participants that create scenarios, what about this idea 02:17:50.024 --> 02:17:53.002 of a global simulated cyber event? 02:17:53.002 --> 02:17:55.008 Is that feasible, would that be helpful? 02:17:55.008 --> 02:17:59.086 02:17:59.086 --> 02:18:01.029 Ram-- oh sorry, Danny.
02:18:01.029 --> 02:18:11.083 >> Ram: I was just going to; I think it was Miguel that quoted Mike Tyson. 02:18:11.083 --> 02:18:19.082 All the simulations are great but reality is often very different so, we'd have to think 02:18:19.082 --> 02:18:22.065 about whether the simulation is actually helpful. 02:18:22.065 --> 02:18:25.031 Certainly it helps to get people to be aware 02:18:25.031 --> 02:18:29.039 of who they should be contacting and who to work with. 02:18:29.039 --> 02:18:34.092 But the real life scenario is probably going to be fairly different. 02:18:34.092 --> 02:18:36.076 >> Brian: Fair enough, Danny. 02:18:36.076 --> 02:18:38.044 >> Danny: Yeah this is working now. 02:18:38.044 --> 02:18:43.063 I would just add there are some multinational simulations today, everything from Cyber Storm 02:18:43.063 --> 02:18:47.009 to you name it, lots of national level exercises, 02:18:47.009 --> 02:18:50.014 international exercises that sort of thing. 02:18:50.014 --> 02:18:54.026 I think from a global scale perspective, we have those every day, 02:18:54.026 --> 02:18:57.037 [Laughter] so I'm not sure we actually need one. 02:18:57.037 --> 02:19:03.073 Certainly we're on the receiving end of a lot of love and so I think 02:19:03.073 --> 02:19:17.003 that exercising [audio issue] and understanding those sorts of things, 02:19:17.003 --> 02:19:22.096 but [audio issue] final turn of attack vectors. 02:19:22.096 --> 02:19:25.088 >> Brian: Okay in the room, I think we have at least 3 more. 02:19:25.088 --> 02:19:28.076 Okay come on up to the mic-- oh is that one working now Joley? 02:19:28.076 --> 02:19:29.004 >> Joley: No. 02:19:29.004 --> 02:19:31.002 >> Brian: Okay come on up to the mic please 02:19:31.002 --> 02:19:33.092 and if you'd introduce yourself before the question please. 02:19:33.092 --> 02:19:41.036 >> My name is Anthony Bargese [phonetic] and I'm from John Jay College of Criminal Justice.
02:19:41.036 --> 02:19:48.065 You guys covered some of the parties that DDoS and users and also the government, 02:19:48.065 --> 02:19:54.096 and also the providers and how to be responsible and proactive. 02:19:54.096 --> 02:20:00.044 But what about software vendors or some of the vendors that are putting their products 02:20:00.044 --> 02:20:06.032 out there with all these security holes and that's where it starts and ends 02:20:06.032 --> 02:20:08.066 with the NS providers, the ISP providers 02:20:08.066 --> 02:20:18.011 who sometimes host these command and control servers for these DDoS attacks. 02:20:18.011 --> 02:20:21.022 Should there be a change of mentality on their side? 02:20:21.022 --> 02:20:29.057 I know that Google does something that's called bug bounties; they offer you money 02:20:29.057 --> 02:20:32.027 if you find a bug in their software. 02:20:32.027 --> 02:20:39.006 Should this be applied across the board for all the software vendors 02:20:39.006 --> 02:20:41.081 and of these providers of products? 02:20:41.081 --> 02:20:43.059 >> Brian: [inaudible] 02:20:43.059 --> 02:20:47.036 >> Damian: I guess I have to start. 02:20:47.036 --> 02:20:57.000 So we do find-- what he was referring to is Google has a program where we actually pay 02:20:57.000 --> 02:21:03.054 for people to find bugs in our products, so for security-critical bugs. 02:21:03.054 --> 02:21:08.071 So we found that there's a lot of college kids or independent security researchers 02:21:08.071 --> 02:21:12.032 who are very interested in looking for security holes 02:21:12.032 --> 02:21:19.018 and when they previously basically had no option but they could give it to us privately, 02:21:19.018 --> 02:21:24.004 hope that we'd fix it, or to whatever the vendor of the software was.
02:21:24.004 --> 02:21:28.057 It could be Microsoft or Adobe, and hope that they would fix it, 02:21:28.057 --> 02:21:34.007 but then if the company could just take no action and they could just wait 02:21:34.007 --> 02:21:38.004 and let this vulnerability remain and eventually this kid might say, 02:21:38.004 --> 02:21:42.077 the security researcher would say why am I waiting on this? 02:21:42.077 --> 02:21:46.063 Everyone is vulnerable to this thing and they would publish this exploit 02:21:46.063 --> 02:21:51.019 and then you could see lots of attacks targeting that. 02:21:51.019 --> 02:21:58.073 So what Google has done is basically started offering money for bugs to compensate their time 02:21:58.073 --> 02:22:04.052 in finding them so, if you compromise, if you find a vulnerability in Google Chrome, 02:22:04.052 --> 02:22:10.034 the web browser, we'll pay you for information on that vulnerability with the agreement 02:22:10.034 --> 02:22:13.085 that you're going to keep it quiet until we fix it which could take a few days. 02:22:13.085 --> 02:22:22.047 And that way we're able to protect everyone and also compensate the security researcher. 02:22:22.047 --> 02:22:25.015 >> Brian: Interesting, Miguel. 02:22:25.015 --> 02:22:29.072 >> Miguel: The thing that kind of complicates this a little bit also is that a lot 02:22:29.072 --> 02:22:36.056 of the internet runs on open source software, which makes it a little bit more difficult 02:22:36.056 --> 02:22:40.096 to be able to put these mechanisms in place. 02:22:40.096 --> 02:22:47.011 With the recent bank attacks, we saw vulnerabilities exploited 02:22:47.011 --> 02:22:51.038 with open source content management systems that are widely deployed 02:22:51.038 --> 02:22:55.053 like [inaudible], etcetera, WordPress. 02:22:55.053 --> 02:23:02.041 This is open source software that is out there that is used significantly 02:23:02.041 --> 02:23:05.003 and so it gets a little bit harder.
02:23:05.003 --> 02:23:11.071 Unfortunately it's difficult for operators necessarily to control the content that is 02:23:11.071 --> 02:23:18.008 on their system, especially the shared hosting operators etcetera and it's hard to push people 02:23:18.008 --> 02:23:24.061 to update their software and as for software developers, as much as they'll try 02:23:24.061 --> 02:23:29.057 to make things as secure as they can, there's always going to be some kind of a bug, 02:23:29.057 --> 02:23:37.031 you can't get it all and it's the fact that there's so much open source software out there, 02:23:37.031 --> 02:23:41.031 it's not like you can point a finger and say you are responsible. 02:23:41.031 --> 02:23:43.046 It's quite difficult to do. 02:23:43.046 --> 02:23:45.016 >> Brian: Yeah, Ram. 02:23:45.016 --> 02:23:46.025 02:23:46.025 --> 02:23:53.089 >> Ram: You know one thing that software manufacturers and the developers of software, 02:23:53.089 --> 02:23:59.023 some of them have to start thinking about, and changing their mindset, is to come 02:23:59.023 --> 02:24:04.024 to the understanding that many of the devices 02:24:04.024 --> 02:24:09.065 on which the software is running are always on and they're always online. 02:24:09.065 --> 02:24:15.072 There's still a lot of software that does not incorporate automatic updating 02:24:15.072 --> 02:24:18.089 and regular downloads of patches. 02:24:18.089 --> 02:24:24.055 That should be the baseline, that should be the very fundamental thing and that's the kind 02:24:24.055 --> 02:24:29.093 of thing that ought to be taught in schools for folks learning how to write code. 02:24:29.093 --> 02:24:35.021 It's not enough to just learn to do the code, but to have that mechanism in there. 02:24:35.021 --> 02:24:38.096 It ought to be trivial and it ought to become regular.
02:24:38.096 --> 02:24:45.002 Unfortunately, it's more the exception than the norm today and I think if you'd get 02:24:45.002 --> 02:24:51.008 to that point that will solve some part of the problem significantly. 02:24:51.008 --> 02:24:52.038 >> Brian: Danny. 02:24:52.038 --> 02:24:56.067 >> Danny: So yeah I think I would be remiss in not mentioning Verisign's 02:24:56.067 --> 02:25:00.032 iDefense Vulnerability Contributor Program as well and we do something very similar 02:25:00.032 --> 02:25:06.008 for any vulnerability that falls within a very broad spectrum that are multivendor and try 02:25:06.008 --> 02:25:10.016 and do responsible disclosure associated with those. 02:25:10.016 --> 02:25:15.079 To the topic in general, I think bounties are certainly valuable things in general for people 02:25:15.079 --> 02:25:21.017 that want to apply exploits in a positive way and contribute in a positive way to industry. 02:25:21.017 --> 02:25:25.016 I think anybody that's paying attention certainly realizes a lot 02:25:25.016 --> 02:25:30.007 of the commercial vendors, while there's always going to be a long way to go, 02:25:30.007 --> 02:25:34.061 are leaps and bounds from where we were with wormable systems 02:25:34.061 --> 02:25:40.048 or even the patch management systems that we were vulnerable to a few years ago. 02:25:40.048 --> 02:25:43.008 And so I think Microsoft is an example, but lots of others as well, 02:25:43.008 --> 02:25:50.036 and so I think we are making progress but, secure coding practices, application, 02:25:50.036 --> 02:25:53.052 software security, those things and all the fundamentals are certainly things 02:25:53.052 --> 02:25:56.097 that we're going to have to continue to do a much better job at. 02:25:56.097 --> 02:25:59.018 >> Brian: Thank you, I know we've got two more questions in the room. 02:25:59.018 --> 02:26:06.004 Go here first and then please identify yourself. 02:26:06.004 --> 02:26:08.001 >> [Inaudible] New York Technology Council.
02:26:08.001 --> 02:26:10.075 I was wondering if you could put this in perspective. 02:26:10.075 --> 02:26:17.038 Are DDoS attacks the one thing we should be focusing on, are there other like SYN floods, 02:26:17.038 --> 02:26:24.077 other attacks that are similar in nature that there should be conferences on and keep you 02:26:24.077 --> 02:26:30.001 up at night or is this where most of your energy goes? 02:26:30.001 --> 02:26:38.074 >> Ram: Yeah, this is the single biggest thing that keeps me up at night. 02:26:38.074 --> 02:26:48.007 Lots of other things end up becoming part of this much larger stream and it used to be 02:26:48.007 --> 02:26:53.047 that it was a DoS attack and then it became a DDoS attack and then you had command and control 02:26:53.047 --> 02:26:59.077 and then you have crowd sourced, it's evolving, it's not the same beast as it was many years ago. 02:26:59.077 --> 02:27:04.086 So the definition from multiple years ago is not what it is today. 02:27:04.086 --> 02:27:12.005 What really scares me about this is the asymmetric nature of the ability for an attacker 02:27:12.005 --> 02:27:18.000 to mount a significant attack in a very short amount of time and keep it sustained 02:27:18.000 --> 02:27:23.022 for a long period of time and really drain you on the responding side 02:27:23.022 --> 02:27:28.034 of your critical attention resources. 02:27:28.034 --> 02:27:33.067 That really worries me and I think you look at SYN floods or any of those things; 02:27:33.067 --> 02:27:39.029 those kind of are subsumed into the larger scale of this phenomenon 02:27:39.029 --> 02:27:47.043 that left unchecked I think has a significant negative impact. 02:27:47.043 --> 02:27:48.068 >> Brian: Anyone else? 02:27:48.068 --> 02:27:49.003 Yes Jillian. 02:27:49.003 --> 02:27:53.008 >> Jillian: Yeah just I actually agree with what Ram just said.
02:27:53.008 --> 02:27:58.099 I would add to that, just to say, if you're thinking about the scale, 02:27:58.099 --> 02:28:01.016 the most recent stat that I have off the top of my head is 02:28:01.016 --> 02:28:08.075 that in 2010 Arbor Networks was detecting roughly 1300 attacks per day and I'm guessing 02:28:08.075 --> 02:28:13.055 that it's much higher than that, the real number and so I do think this is a big concern 02:28:13.055 --> 02:28:15.017 because of the impact that it has. 02:28:15.017 --> 02:28:22.012 I mean there are certainly plenty of other types of attacks but the sort of inability 02:28:22.012 --> 02:28:28.035 to protect oneself, coupled with everything that Ram just said, makes this a much bigger issue 02:28:28.035 --> 02:28:33.083 than some of the other things that we're looking at. 02:28:33.083 --> 02:28:38.068 >> Danny: I was going to add that DDoS has two primary vectors: volumetric, 02:28:38.068 --> 02:28:41.092 in other words attacks are getting bigger, more frequent, longer duration, 02:28:41.092 --> 02:28:47.002 so forth, but the sophistication of those as well where the right query string could drive a lot 02:28:47.002 --> 02:28:50.038 of backend transactions on the right piece of [inaudible] those sorts of things 02:28:50.038 --> 02:28:55.045 from a denial of service perspective is the availability side 02:28:55.045 --> 02:28:57.007 of the information security [inaudible]. 02:28:57.007 --> 02:29:03.036 The other two sides are the integrity of the information on the infrastructure 02:29:03.036 --> 02:29:08.013 and the confidentiality and I think certainly for anyone 02:29:08.013 --> 02:29:13.068 in the information security field persistent attackers, advanced attackers, 02:29:13.068 --> 02:29:19.091 even general attackers and mobile devices and bring your own device and sort 02:29:19.091 --> 02:29:24.006 of a squishy perimeter and soft underbelly inside an enterprise 02:29:24.006 --> 02:29:25.027 or at Starbucks or whatever.
02:29:25.027 --> 02:29:29.068 All those things for information leakage and so forth certainly is something 02:29:29.068 --> 02:29:33.016 that you should be concerned with as well but the availability side for a lot of folks 02:29:33.016 --> 02:29:37.086 that are in the network services business is a very big piece of that but also the sort 02:29:37.086 --> 02:29:42.095 of more concerted attackers that might want to control the right keyboard as opposed 02:29:42.095 --> 02:29:47.093 to simply disabling is also something that has some pretty far reaching effects. 02:29:47.093 --> 02:29:48.057 >> Brian: Damian. 02:29:48.057 --> 02:29:51.092 >> Damian: So I wanted to say from a defender standpoint, 02:29:51.092 --> 02:29:57.064 yeah DDoS is sort of the largest concern right now but from a global view, 02:29:57.064 --> 02:30:02.033 I think DoS attacks are really a symptom of a larger problem which is that there are a lot 02:30:02.033 --> 02:30:04.031 of infected machines on the internet. 02:30:04.031 --> 02:30:09.071 I think at one point I heard an ISP say is they estimated 10% of their customers are infected. 02:30:09.071 --> 02:30:15.082 So when you take that into account, if we could actually stop having so many infected machines 02:30:15.082 --> 02:30:18.056 on the internet or so many vulnerable machines at least, 02:30:18.056 --> 02:30:23.058 then that would largely reduce the scope of these DoS attacks 02:30:23.058 --> 02:30:26.019 and for that we basically need what Ram was saying 02:30:26.019 --> 02:30:29.025 of automatic updates have to be the normal thing. 02:30:29.025 --> 02:30:33.051 You should never have any client side software that doesn't automatically update. 02:30:33.051 --> 02:30:34.059 >> Brian: Thanks, Miguel. 
02:30:34.059 --> 02:30:41.004 >> Miguel: Just adding to one thing that Damian is saying, I absolutely agree with all of that 02:30:41.004 --> 02:30:47.035 in terms of automatic updates and especially for end user computers which form a significant part 02:30:47.035 --> 02:30:50.001 of the botnet paradigm these days. 02:30:50.001 --> 02:30:54.016 When it comes to enterprises, it gets a little bit more difficult. 02:30:54.016 --> 02:31:06.008 I think as much as I would love to say automatically update my production software, 02:31:06.008 --> 02:31:11.052 unfortunately, especially for large-scale operators, they're running infrastructure 02:31:11.052 --> 02:31:15.054 that services a lot of people, you don't really know what's going to happen 02:31:15.054 --> 02:31:19.021 when you make an update potentially and that has to be very carefully controlled, 02:31:19.021 --> 02:31:20.086 it's got to be regression tested. 02:31:20.086 --> 02:31:27.005 It's got to go through extensive QA and are we ever going to get to a point where it's going 02:31:27.005 --> 02:31:34.011 to be easy for enterprises to be able to push out security fixes? 02:31:34.011 --> 02:31:40.028 The idealist in me says I hope so, but I'm skeptical that that's going to be the case 02:31:40.028 --> 02:31:47.045 because the day-to-day aspects of ensuring business operations, continuity and making sure 02:31:47.045 --> 02:31:52.078 that assets are available are most likely for the foreseeable future, going to trump the need 02:31:52.078 --> 02:31:55.055 to push out updates as quickly as possible. 02:31:55.055 --> 02:31:58.067 >> Brian: Actually we do have two more questions. 02:31:58.067 --> 02:32:01.052 This gentleman here first and we do have time for two more questions. 02:32:01.052 --> 02:32:06.092 So will you come up please? 02:32:06.092 --> 02:32:07.042 >> I am [inaudible]. 02:32:07.042 --> 02:32:10.083 I run a software company called QCD Systems. 
02:32:10.083 --> 02:32:13.026 So the question is actually very similar to the previous one 02:32:13.026 --> 02:32:15.067 but I'll go a little more in detail. 02:32:15.067 --> 02:32:21.072 So when it comes to security, [inaudible] security off of just data itself. 02:32:21.072 --> 02:32:25.021 So there's an attack to intellectual property and then we've heard of cases 02:32:25.021 --> 02:32:28.074 that intellectual property got stolen [inaudible] of that. 02:32:28.074 --> 02:32:32.008 Movie companies always have their trailers leaked and pieces of movies leaked, 02:32:32.008 --> 02:32:35.015 so that's one kind of attack out there. 02:32:35.015 --> 02:32:38.002 Then there's other things; like the phishing kind of thing 02:32:38.002 --> 02:32:39.081 like [inaudible] scams and all that. 02:32:39.081 --> 02:32:43.025 I'm talking about things that affect users and companies. 02:32:43.025 --> 02:32:50.007 And then there's also the risk that your bank account may have been compromised, 02:32:50.007 --> 02:32:53.009 your passwords might have been stolen or is easy to guess. 02:32:53.009 --> 02:32:58.071 So in the scheme of all these different things, where will you place the denial of service 02:32:58.071 --> 02:33:02.077 for a company or for a consumer because they have plenty of things to deal 02:33:02.077 --> 02:33:05.008 with right now when it comes to security? 02:33:05.008 --> 02:33:11.026 So I was just trying to get a perspective on where this distributed denial of service, 02:33:11.026 --> 02:33:16.079 where it fits into the larger scheme of things and how relevant it is and the other part is 02:33:16.079 --> 02:33:19.053 where do you see things going let's say five years from now? 02:33:19.053 --> 02:33:23.042 Is this going to be the single biggest thing to worry about or do we have other things also 02:33:23.042 --> 02:33:26.076 that we should be concerned about? 02:33:26.076 --> 02:33:27.086 02:33:27.086 --> 02:33:29.012 >> Brian: Thanks. 
02:33:29.012 --> 02:33:29.004 Danny. 02:33:29.004 --> 02:33:34.038 >> Danny: I would just say that you know for your organization it's going 02:33:34.038 --> 02:33:36.014 to be specific to your organization. 02:33:36.014 --> 02:33:38.086 You're going to say here's our risk tolerance for these things, 02:33:38.086 --> 02:33:43.038 for these internet facing properties, this information security or data privacy 02:33:43.038 --> 02:33:47.084 or data retention, or digital rights management, whatever it is you're concerned with. 02:33:47.084 --> 02:33:51.085 I don't think that there's a one size fits all, I think it's all about risk management 02:33:51.085 --> 02:33:53.078 for your organization because if you don't have a lot 02:33:53.078 --> 02:33:56.066 of internet facing services, it may not be a problem. 02:33:56.066 --> 02:33:59.006 More than likely you have some things today. 02:33:59.006 --> 02:34:01.094 You wouldn't be here if you weren't relying on the internet in some way 02:34:01.094 --> 02:34:03.068 so what does that mean to your business? 02:34:03.068 --> 02:34:07.088 As opposed to some piece of information from either your personal bank records 02:34:07.088 --> 02:34:12.058 or your corporate information being actually traded to the wrong person what would that mean? 02:34:12.058 --> 02:34:17.006 So I think it all goes back to what are the critical assets your organization, 02:34:17.006 --> 02:34:21.003 what enables those and how do you balance risk to those assets? 02:34:21.003 --> 02:34:22.008 >> Brian: Yeah, Ram. 02:34:22.008 --> 02:34:29.000 >> Ram: So the way I advise folks or provide some suggestion is, you really have to think 02:34:29.000 --> 02:34:32.027 about this and look at it as a matrix. 
02:34:32.027 --> 02:34:35.078 You have to think about, which is further to what Danny is saying, 02:34:35.078 --> 02:34:41.038 you have to worry about confidentiality, or integrity, or availability and you have 02:34:41.038 --> 02:34:45.002 to figure out which of those matter more for you. 02:34:45.002 --> 02:34:51.023 You can't have one versus the other, in many cases you want to have all of the above, 02:34:51.023 --> 02:34:57.043 but you have to decide which of those matter more for you, and then devote your time, 02:34:57.043 --> 02:35:00.052 effort and resources towards that. 02:35:00.052 --> 02:35:03.094 But picking just one, just having great availability, 02:35:03.094 --> 02:35:09.082 DDoS mitigation ensures availability but if you have a site that is running 02:35:09.082 --> 02:35:12.021 on software that has not been updated and is prone 02:35:12.021 --> 02:35:15.085 to buffer overflow attacks then all the availability is going 02:35:15.085 --> 02:35:18.073 to be fantastic for you to get hacked. 02:35:18.073 --> 02:35:23.045 [Laughter] So you have to figure out where it is on the spectrum and devote it. 02:35:23.045 --> 02:35:31.054 One reality is that no matter what the budget that is allocated, if you're a corporation, 02:35:31.054 --> 02:35:34.034 if you're an entity, the budget that is allocated to it, 02:35:34.034 --> 02:35:40.048 it seems that it remains the same, it suddenly doesn't reduce 02:35:40.048 --> 02:35:44.005 and you simply reallocate the pie depending 02:35:44.005 --> 02:35:49.043 on what you think your biggest vulnerability is, your biggest risk is. 02:35:49.043 --> 02:35:50.019 >> Brian: Anybody else, Jeff. 02:35:50.019 --> 02:35:54.067 >> Jeff: I would just say you know you asked about what's important to a crump company 02:35:54.067 --> 02:35:56.075 or [inaudible], I mean it totally depends. 
02:35:56.075 --> 02:36:01.073 I think Brian talked about some guy from Ohio, more likely to have a problem, 02:36:01.073 --> 02:36:04.088 it may be inconvenienced by DDoS because they can't get to whatever website, 02:36:04.088 --> 02:36:06.079 but they're more likely to have their computer compromised 02:36:06.079 --> 02:36:08.051 or identity stolen or other activity. 02:36:08.051 --> 02:36:14.071 That's going to hit them deeper and for a longer period so it's totally situational. 02:36:14.071 --> 02:36:19.005 In terms of where we're going in 5 years, 02:36:19.005 --> 02:36:24.051 my guess is that we'll see new nefarious uses for the same old tools. 02:36:24.051 --> 02:36:29.029 There's some new stuff out there but it's a lot of variations on a theme 02:36:29.029 --> 02:36:35.041 and just find new creative bad ways to use them for bad purposes or profit. 02:36:35.041 --> 02:36:40.066 So I think the down service attacks are here to stay but how they're used will probably morph 02:36:40.066 --> 02:36:45.012 and change and cycle back, what's old is new again. 02:36:45.012 --> 02:36:46.001 >> Brian: Miguel. 02:36:46.001 --> 02:36:48.088 >> Miguel: The thing that troubles me a little bit about the future when it comes 02:36:48.088 --> 02:36:55.008 to DDoS attack is that there is because it's been in the news a little bit more 02:36:55.008 --> 02:36:59.097 because it's been publicized a little bit more, you look at what happened 02:36:59.097 --> 02:37:04.024 on the bank attacks lately, there's kind of a blueprint now that is out there 02:37:04.024 --> 02:37:09.007 that people can potentially follow to launch these large-scale attacks. 02:37:09.007 --> 02:37:14.054 You've got what happened with the banks recently it's at least at a high level, 02:37:14.054 --> 02:37:22.007 it's public knowledge how it was sort of done from a high level, that information is out there 02:37:22.007 --> 02:37:26.026 and those attacks kind of proved yes, it's possible. 
02:37:26.026 --> 02:37:31.064 They provide a blueprint for people to follow for doing it again and the fact 02:37:31.064 --> 02:37:35.075 that that was done scares the heck out of me. 02:37:35.075 --> 02:37:38.067 >> Brian: Thank you and we have one final question from the room, please. 02:37:38.067 --> 02:37:41.079 [Pause] 02:37:41.079 --> 02:37:46.003 >> Hi, it's Lucas from [inaudible]. 02:37:46.003 --> 02:37:51.068 Just following up similarly to the previous question, based on the trends that you've seen 02:37:51.068 --> 02:37:56.007 to date, where do you see these attacks heading both from like an attacker perspective as well 02:37:56.007 --> 02:37:57.047 as from a mitigation perspective? 02:37:57.047 --> 02:38:02.017 Do you see one side winning the cat versus mouse game? 02:38:02.017 --> 02:38:03.056 02:38:03.056 --> 02:38:05.072 >> Brian: Great question, Damian? 02:38:05.072 --> 02:38:11.036 >> Damian: Yeah so attacks are basically growing exponentially I think if you look at most 02:38:11.036 --> 02:38:16.082 of the data on this you'll see that the size of the attacks roughly doubles every year. 02:38:16.082 --> 02:38:22.048 I have graphs that track this back like 8 years and it's kind of scary 02:38:22.048 --> 02:38:26.059 that it's actually continuing, that exponential growth but I think it's important to realize 02:38:26.059 --> 02:38:31.061 that that's just the internet is growing exponentially as the consumers, 02:38:31.061 --> 02:38:35.003 as the end users, bandwidth increases, their home, 02:38:35.003 --> 02:38:41.026 the website bandwidth is also increasing so, you can kind of keep up but I think that a lot 02:38:41.026 --> 02:38:47.057 of what we're going to run into is a very small website, you know especially the types of sites 02:38:47.057 --> 02:38:51.088 that Jillian is worried about are simply too small to possibly survive. 
02:38:51.088 --> 02:38:56.033 So they're going to be forced to combine their resources and pool with others 02:38:56.033 --> 02:39:00.087 so what I expect is probably going to happen over the next five years is we're going 02:39:00.087 --> 02:39:05.018 to start seeing organizations consolidate into larger and larger pools 02:39:05.018 --> 02:39:08.044 until eventually we're going to have only like maybe five organizations 02:39:08.044 --> 02:39:12.012 that offer DDoS mitigation in the cloud as a service. 02:39:12.012 --> 02:39:16.055 It's just my guess of where the world is headed. 02:39:16.055 --> 02:39:16.082 >> Brian: Ram. 02:39:16.082 --> 02:39:23.012 >> Ram: And my fear is that we get at that point and then they get too big to fail. 02:39:23.012 --> 02:39:26.062 >> Brian: Well, with that thought, we're going to bring this to a close. 02:39:26.062 --> 02:39:27.071 [Laughter] Well done. 02:39:27.071 --> 02:39:32.015 Fear and loathing in New York. 02:39:32.015 --> 02:39:37.091 Public Interest Registry of the New York Technology Council, Internet Society 02:39:37.091 --> 02:39:39.083 and the Internet Society's New York Chapter want 02:39:39.083 --> 02:39:42.047 to offer our sincere thanks to the panelists today. 02:39:42.047 --> 02:39:45.049 Thank you so much for your time, your dedication 02:39:45.049 --> 02:39:50.038 to helping us understand this really critical issue and also to thank the audience here 02:39:50.038 --> 02:39:52.063 and the audience online for following along. 02:39:52.063 --> 02:39:57.064 We hope that today's event has been helpful and that the participants come away 02:39:57.064 --> 02:40:02.072 with a greater appreciation of the scope of this problem, steps that should be taken 02:40:02.072 --> 02:40:08.019 to mitigate DDoS attacks, and the potential for significant unintended consequences. 
02:40:08.019 --> 02:40:11.097 DDoS is a serious issue in today's interconnected world, 02:40:11.097 --> 02:40:15.017 one that is not just going to fade away as we've heard. 02:40:15.017 --> 02:40:20.008 Fortunately there are resources available to help us confront the myriad of challenges. 02:40:20.008 --> 02:40:25.095 I would like to specifically thank Joley McFee [phonetic] from iSoc, New York, 02:40:25.095 --> 02:40:30.025 Eric Grimmelman [phonetic] from New York Tech and Paul Brigner [phonetic] from iSoc here 02:40:30.025 --> 02:40:33.058 for helping us make this happen in a real sense. 02:40:33.058 --> 02:40:40.053 Along those lines, we at PIR intend to make the recording of this event available online 02:40:40.053 --> 02:40:45.016 at our website and our social media sites and push that out and we're also going 02:40:45.016 --> 02:40:49.023 to post additional background materials and encourage anyone 02:40:49.023 --> 02:40:52.005 to recommend other helpful tools and information 02:40:52.005 --> 02:40:54.096 like the CFF Guideline to keeping your site alive. 02:40:54.096 --> 02:40:57.065 So again thank you to everyone for joining us today. 02:40:57.065 --> 02:40:59.005 Thank you so much. 02:40:59.005 --> 02:41:01.005 [ Applause ] 02:41:01.005 --> 99:59:59.999