Howdy all, Patrick Greenwell wrote:
Suddenly, the list got very, very quiet. In fact, since I posted that message, there hasn't been a single post to the list. Empirically, this suggests to me that while everyone is quick to spend countless hours expressing an opinion on mailing lists, there is nobody willing to invest in making this happen.
I recently became associated with a security group working out of Dartmouth College. The focus of this group has not only been on internal security but on issues that affect the Internet as a whole. The group already has a pretty good amount of funding. I could probably score enough backing and office space for a NOC that could address the issues that are being discussed. While I doubt I could raise the $50M someone suggested earlier, I could probably come up with enough for equipment, a small staff and to maintain a number of guru types on a consulting basis. Let me run through what I'm thinking and ask people to either critique or tell me I'm out in left field.

I'm thinking of an organization that has a front end similar to GIAC. If you are unfamiliar with GIAC, check out: http://www.sans.org/giac.htm

GIAC provides a location for people to submit log entries and intrusion reports. The cool thing is there are a number of analysts (myself included) that volunteer their time to answer questions and help people understand what they are looking at. The important thing here is that people receive immediate (or close to immediate) replies to their queries. If a person has questions regarding some suspicious log entries, they can run it past the team of analysts to see what they think. Anything that looks interesting is then sanitized and recorded. The results are then posted to the Web site for all to review. This gives people a resource to consult when they are trying to figure out who or what is whacking away at their perimeter. The only thing missing at GIAC is a searchable archive, which would be cool for referencing source IP addresses and target ports. This would also provide a real-time alert mechanism as to what kinds of threats are making the rounds. The real strength in this kind of a setup is the ability to correlate attack patterns from multiple targets.

While there are groups doing this today, the information is not made public (at least not that I've been able to find). A while back there were a few posts on the Incident list from a number of ISPs. One or two basically came right out and stated that they get so many incident reports that one or two reports on any individual user does not necessarily mean they will take some kind of action. I'm thinking that if the above collected data is being correlated, we have a much better chance of spotting larger trends and getting the bad guys shut down.

I'm also thinking that this organization could act as a central point of contact in responding to events. There was a comment thrown out about how it can be difficult to figure out who to contact during an intrusion. Part of this organization's job could be cataloging these contacts. True, the list would probably be outdated in short order, but at least it's a starting point in trying to tie together the source and target networks. I don't think it would be necessary to list every ISP, just the major providers. The provider could then take care of dealing with their downstream client.

My fear is that if we do not address these issues as a community, government/law enforcement will eventually step in and try and take care of it for us. One way or another these problems have to be addressed; the question is who is going to do it.

Comments? I don't have all the answers, but I'm wondering if people think this would be a good place to start.

Chris
--
**************************************
cbrenton@sover.net
* Multiprotocol Network Design & Troubleshooting
http://www.amazon.com/exec/obidos/ASIN/0782120822/geekspeaknet
* Mastering Network Security
http://www.amazon.com/exec/obidos/ASIN/0782123430/geekspeaknet
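The searchable archive and cross-site correlation the post argues for, sketched as an added example (not code from the post, GIAC or SANS): sanitized reports from several sites are indexed by source IP and target port, and a source or port is only flagged as a trend when distinct reporters have seen it, which is exactly the signal a single site's report cannot give an ISP. The report format, reporter names and addresses are constructed for this example.

```python
from collections import defaultdict

# Constructed sample of sanitized reports as different sites would submit
# them, one per line: "<reporter> <source_ip> <target_port>". Made-up values.
SAMPLE_REPORTS = """\
site-a 198.51.100.7 23
site-b 198.51.100.7 23
site-c 198.51.100.7 23
site-a 203.0.113.9 80
site-a 203.0.113.9 80
site-b 192.0.2.44 1080
site-d 198.51.100.7 1080
"""

def parse_reports(text):
    """Parse reports into (reporter, src_ip, dst_port); skip malformed lines."""
    reports = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].isdigit():
            continue
        reports.append((parts[0], parts[1], int(parts[2])))
    return reports

class Archive:
    """Searchable archive indexed by source IP and target port, plus correlation."""
    def __init__(self, reports):
        self.reports = list(reports)
        self.by_ip, self.by_port = defaultdict(list), defaultdict(list)
        for rep in self.reports:
            self.by_ip[rep[1]].append(rep)
            self.by_port[rep[2]].append(rep)
    def lookup_ip(self, ip):
        return self.by_ip.get(ip, [])
    def lookup_port(self, port):
        return self.by_port.get(port, [])
    def _multi_site(self, key, min_sites):
        # Count distinct reporters per key: repeated reports from one site
        # count once, so a single noisy reporter cannot manufacture a trend.
        sites = defaultdict(set)
        for rep in self.reports:
            sites[key(rep)].add(rep[0])
        return {k: sorted(s) for k, s in sites.items() if len(s) >= min_sites}
    def correlated_sources(self, min_sites=2):
        """Source IPs reported by at least min_sites distinct sites."""
        return self._multi_site(lambda rep: rep[1], min_sites)
    def port_trends(self, min_sites=2):
        """Target ports being probed at min_sites or more distinct sites."""
        return self._multi_site(lambda rep: rep[2], min_sites)
```

With the sample above, 198.51.100.7 is the only source flagged (four distinct sites), while 203.0.113.9 is not, despite two reports, because both came from site-a.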