# SICURA: Research and Education Playing as a team <table> <tr> <td> <img src="https://codimd.web.cern.ch/uploads/upload_b6cb1f13a8d19caad02a14bf4990663e.png" alt="image description" style="width: 200px;"/> </td> <td> *SICURA Seguridad e Inteligencia Colaborativa Unida para Redes Académicas </td> </tr> </table> *Collaborative Unified Security and Intelligence for Academic Networks ## Introduction The security strategy is crucial for organizations; however, the shortage of expertise and resources, added to the multi-layered structure of security teams (local, state, national, regional, etc.), makes it a real challenge for many of the research and education (R&E) institutions. In order to protect the members of the community, Latin America and the Caribbean have a common security working group called **eduLACSeg**. This group drives the project SICURA-LAC which extends its benefits not only to its members but also on a global scale. The collaboration with SAFER brings expertise and resources that reinforce the collective efforts. This partnership strengthens the commitment to a united response to cyber threats. ## Members ![](https://codimd.web.cern.ch/uploads/upload_ca460b339819f9ab34737574d2019bf3.png =400x) Regional Network Provider - [RedClara](https://www.redclara.net) National Research and Education Networks - Mexico: [CUDI](https://csirt.cudi.edu.mx) - Ecuador: [CEDIA](https://csirt.cedia.edu.ec) - Guatemala: USAC/[RAGIE](https://www.ragie.org.gt) - Chile: [REUNA](https://reuna.cl) - Uruguay: [RAU](https://www.rau.edu.uy) - Costa Rica: [CONARE](https://www.conare.ac.cr) - Colombia: [RENATA](https://www.renata.edu.co) - Panama: [Network in formation led by SENACYT](https://www.senacyt.gob.pa/en/) - Argentina: [Activities led by ARIU](https://riu.edu.ar) Global Collaborators - [SAFER](https://safer-trust.org) ## Key concepts: - [pDNSSOC](https://github.com/CERN-CERT/pDNSSOC): it is used as both a sender and receiver of DNS logs. When installed on a recursive DNS server, it intercepts DNS traffic, converts it into the DNStab format, and subsequently forwards it. On the other side, when deployed on a distinct instance, the collector listens for data and correlates it with MISP intelligence and triggers alerts. - [MISP](https://www.misp-project.org/): it is an open-source threat intelligence platform that allows organizations to collect, share, and collaborate on cybersecurity threat information. MISP enables the exchange of structured threat data, including indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), and other relevant information among trusted parties. - NREN: National Research and Education Network - TI: Threat Intelligence - R&E: Research and Education ## Project Objectives The primary objectives of the collaborative security initiative are: - **Optimize resource distribution** for computing and manpower. - Facilitate the **exchange of expertise**, best practices, and threat intelligence among members. - Collaboratively respond to and **mitigate security threats**. ## Core Values The initiative is guided by the following core values: - Collaboration: Foster a spirit of cooperation and mutual support among member institutions, transcending geographical and organizational boundaries. - Transparency: Maintain openness and transparency in all operations and decision-making processes. - Inclusivity: Welcome and encourage participation from a diverse range of institutions. ## Resource Distribution This collaborative security initiative has been marked by milestones and phases. Key components of the project roadmap include: - A security **working group** consisting of representatives from member NRENs. - **Inventory** of computing and manpower resources available across member organizations. - **Define common strategies** to effectively share, consume and produce TI. - **Deploy collaborative tools** to prevent redundant work. - **Global expansion** attracting institutions and individuals to contribute. ## Threat Intelligence (TI) Threat intelligence is the foundation of the community's security operations activities. The commitment to collaboration with international organizations, law enforcement, and private vendors reinforces the capacity to detect and address threats effectively. ### TI Consumtion Efficient information dissemination, particularly concerning threat intelligence, plays a key role in incident response. Through an **automated system that consumes intelligence** for incident detection, we: - Reinforce the community's ability to **stop common attacks** - Ensure the **verification of true positives** - Contribute on the global **pursuit of criminal groups** for prosecution Below, you will find a diagram describing the workflow for transforming the intelligence stored in MISP into actionable data capable of triggering alerts. ![IntelConsume](https://codimd.web.cern.ch/uploads/upload_1510bd8c3a2ad22e0eb80465ca5c8910.png =400x) In the diagram, you can see that MISP serves various systems, either through direct integration, like pDNSSOC, or following a process of assessment (requiring human oversight, as in the case of blacklists) or transformation (to align with endpoint software requirements, such as IDS, EDR, and email filters). #### Community Example SICURA's primary objective is to establish an interconnected and collaborative ecosystem to enable any R&E institution, regardless of their expertise, resources, or availability, to take advantage of the centrally provided security tools. The diagram below illustrates the collaborative effort between universities, and national networks working together to access and efficiently utilize threat intelligence. ![Example](https://codimd.web.cern.ch/uploads/upload_3ce780817ffd131d8c4490fe79d8dedf.png =600x) ### TI Production Beyond the infrastructure for consuming TI, the strength of the community lies in the collective ability to generate highly valuable intelligence. This capability is vital for: - **Protecting our partners** through the sharing of insights. - Amplify the position as a **single, robust point of collaboration** for private vendors and law enforcement. - **Increase the influence** and provide more meaningful partnership. In the diagram below, you'll observe the process of collecting and distributing intelligence. ![IntelCreate](https://codimd.web.cern.ch/uploads/upload_303ac7c42d5c70a077120f95829a1947.png =400x) Starting from the detection systems, is critical to transform alerts into actionable intelligence. This is achieved through the establishment of connectors bridging security products (such as IDS, EDR, and Sandboxes) with our intelligence systems, including MISP and the malware database. #### Community Example The process of intelligence generation needs the development of connectors capable of extracting data from diverse security products and systems, transforming it into actionable insights. While this may seem organization-specific, it holds the potential for broader effort distribution, for example: - Leveraging **common security products** (EDR, Sandbox, honeypot, ...) to facilitate the sharing of scripts and services for data retrieval. - **Encouraging vendors** to enhance their products with features such as MISP connectors, streamlining integration and data exchange. - Collaboratively **maintaining integration connectors** like IntelMQ. ![Example](https://codimd.web.cern.ch/uploads/upload_ef840f09b5e57cd252dbb47e73cb6d19.png =600x) ## Registry Database Efficient security within a community hinges on the need to delineate responsibilities and establish a streamlined process for incident notifications. To address this requirement, we are establishing a shared contact database that centralizes the security contacts of our members and the corresponding institutional assets. This initiative offers several benefits: - Both private vendors and researchers, as well as automated scanning systems (e.g., dark web and data leak monitors), will have the capability to **trigger alerts for compromised accounts or systems**. This is possible because they will have access to the list of domains to monitor and notify. - The tool guarentees **different levels of confidentiality**, allowing to selectively share information with trusted partners. - It can be leveraged for various activities, including communication challenges, ensuring that **information remains up-to-date**. ![Contactsdb](https://codimd.web.cern.ch/uploads/upload_08e37ce2eeeee13edab012477cd007ba.png =600x) ## Status - [x] Deployment MISP in RedClara - [x] RedClara Gitlab available for the Working Group - [ ] Creation of the Working Group communication challenge in Keybase - [ ] Currently: RedCLARA, REUNA, CEDIA, RAU, USAC, ARIU, RENATA, CUDI - [ ] Deployment of MISP to all NRENs - [ ] Currently: REUNA, USAC, CEDIA, CUDI, ARIU, RNP - [ ] Sync MISP with RedCLARA - [ ] Currently: REUNA, USAC, CEDIA, CUDI, ARIU, RNP - [ ] Deployment pDNSSOC in RedClara - [ ] Deployment Malware Processing tool in RedClara ### Meetings - 2024/02/06 17:30 UTC `[RedCLARA] Tácticas Avanzadas con MISP: Estrategias de ciberseguridad en seduLACSeg` - 2024/03/28 16:00 UTC `[SICURA-LAC] Simulación de la respuesta a un incidente en RedCLARA` - 2024/05/16 16:00 UTC `[SICURA-LAC] Fundamentos de Forense en Linux para la Respuesta a Incidentes` ## Challenges - Legal and Regulatory Differences - Heterogeneity between the participating networks, their capacities and availabilities. ## Future Plans - Incident Response: Establish an incident response framework to enable rapid and coordinated responses to security incidents. - Knowledge Exchange Workshops: Regular workshops and training sessions were held to foster knowledge exchange among security experts. - Global Partnerships: Expanding collaborative efforts through partnerships with international organizations and security experts. - Community Outreach: Engaging in outreach programs to raise awareness about cybersecurity and promote responsible digital behavior.