https://getit.org Transforming the Planet – Energy for all – Communications for all

Security Transformation Workshops

CxOs are desperate for meaningful “security partnerships” that transform their organization and mitigate the security risk to their organization. GETIT’s range of security modules is designed to transform the organization. We use a unique approach developed over the past 20 years that has proven to empower individuals and organizations throughout the world. The E-llumine Method has been used with top engineers at the world’s largest telecom companies, banks, militaries, and a range of other networked organizations. The E-llumine method works with 1:1 coaching sessions and with very large groups. The materials can be implemented in the following formats:

CxO Coaching Sessions. CxOs need trusted, vendor-agnostic consultation from people who have done their job, have the connections in the industry, and are able to help the CxO figure out plans of action. GETIT’s CxO Coaching extends to the security world, giving CxOs and CISOs access to a depth and breadth of experience that is unique in the industry. These sessions are also mini E-llumine sessions, giving the CxO insider information about the tools and techniques that are not available via any other means.

Executive “Realities of Security” Briefings. Many times organizations have a few hours a week to invest into new knowledge and insights. The Executive Briefings are designed as 1/2 day engagements that cover one or more security modules tuned specifically to that organization. These are normally followed by 1:1 or small team coaching for the last half of the day. These executive “realities of security” briefings are valuable to organizations looking to drive forward progress.

“Are you Ready” Security Workshops. These one day workshops are team workshops designed for one organization’s team. The team is guided through knowledge modules, risk assessment techniques, a table top exercise, and a “what next” action plan at the end of the day.

“Big Network” Security Bootcamps. The Big Network Security Bootcamps are public workshops that span 2 days to a full week. These bootcamps teach a range of real world techniques needed to protect organizations. The full week bootcamps are hands-on, where participants configure virtual routers to gain the confidence they need to take action in their organizations.

The E-llumine method for security uses a focused modular approach. One size of security does not fit every organization. At the same time, learning modules need to focus on results – empowering new generations of cyber-security professionals. People secure the Internet. Given that security is one of the big three risks to the Internet’s growth, it is imperative to invest to increase our cyber-security capabilities and capacity. These workshops are taught through paid engagements at organizations, 1:1 with specific CxOs, and via public workshops. Selected materials are presented free of charge at public activities like Internet operations forums, special programs, and other venues that allow a large number of professionals to learn and take action.

Each of the workshop modules is built to stand alone or work in conjunction with all the other modules. This allows for customized half day, one day, or multi-day workshops to focus on key audiences.

Security Workshop Modules

Understanding the Real Cyber Security Threat and what you can do to protect yourself

The news is full of cyber-security incidents. Mailboxes are full of “threat alerts” from cyber-security vendors. What is the real threat? What is really happening throughout the industry? What should an organization do to minimize the risk? This module will “open the curtains” to how cyber-criminals are operating, why cyber-gangs from different countries specialize in different types of crime, and how this information can be used to build a “cyber-security risk reduction plan.” When reports say that cyber-crime has a $400 Billion impact on the global economy, how, where, and why is this happening?

More important, this module will provide decision makers with tools to “rethink” their current security and risk practices. The objective is to move beyond FUD and give each participant key actions they can immediately enact that will instigate a more effective security posture.

Top Security Best Practices that will not cost you millions of dollars

Most likely, a simple open source “exfiltration” monitor tool could have triggered alarms that Sony was violated with a massive APT. Over the years, the top service providers have learned that the most effective security tools in their toolkit are NOT the expensive tools from big “security vendors.” They are open source tools, scripts, and techniques that use the inherent infrastructure of the Internet’s architecture. This module will review the tools the top Service Providers (SPs) in the world have developed. These tools, techniques, and practices are used daily to mitigate attacks to the network. These tools mostly use the available infrastructure in ways that take advantage of existing investments. Other tools are open source, using the power of collective action and collaborative code to deploy cost effective tools that mitigate the risk to the Internet. This workshop will provide an introduction to each of these best common practices (BCPs) and demonstrate how they can be used in all Internet companies (enterprises, banks, government organizations, on-line service providers, cloud networks, etc).

At the end of this module, decision makers will be able to meet with their organization and have the information needed to drive deployment of these security tools.

How to really protect yourself from DDOS?

DDOS attacks are really Extortion, Retribution, Distractions, and Vandalism. Humans are behind these DDOS attacks. The techniques and approaches needed to mitigate DDOS attacks are not just technical. Mitigating DDOS attacks requires a comprehensive approach covering system architecture, network design, attack resistant equipment, DDOS mitigation tools, and comprehensive community involvement. This workshop walks through all these issues and focuses on actions each operator can take now and what they should consider when investigating DDOS “products.”

DNS – The security tool that will save your network.

Everything on the Internet needs an IP address and a record in the Domain Name System (DNS). DNS is the “phone book” of the global telecommunication system (aka the Internet). It is critical to everything we do on-line. Given this “critical nature,” it is a central point that can be used to identify and mitigate security risk. This workshop will review two power tools that have revolutionized security defense in the last five years – DNS RPZ (the DNS Firewall) and Passive DNS. This workshop will provide the audience with an action list of how they can go back to their network and use DNS RPZ now to add new security capabilities today.

Internet Routing Manifesto – Safe Practices that will protect your connection to the Internet.

Connecting to the Internet is connecting to the world that is ruled by Autonomous Systems (ASNs). Connecting to the Internet requires the Border Gateway Protocol (BGP). Using BGP to connect to the Internet requires key best common practices (BCPs) that protect the organization’s interest and the Internet’s interest. The Internet Routing Manifesto (see is a group of BCPs that operators will commit to deploy and maintain to safeguard the Internet. This workshop will walk through these BCPs in a way all network engineers can understand and deploy. This is a practice workshop seeking engineers who are ready to learn and deploy the BCPs.

Build Cyber-Security Communities of Trust. Don’t wait!

Mitigating cyber-security attacks is done by people. People inside the organization. People in other organizations. Building effective cross functional and cross organizational teams that trust each other is an art and science. This workshop will review some of the approaches that have been used to build effective security teams using real world examples. Tools will be provided that participants can use to improve their own cyber-security communities.

Visibility – knowing what is happening on your network and what the bad guys already know about your network.

Who has a better understanding of your network – your network team or the cyber-criminals targeting your network? Unfortunately, cybercriminals understand the network better than the organization’s own staff. Security visibility starts with open source tools that use COT equipment to provide essential visibility. Other open source tools provide the ability to get detailed visibility and big data analysis of the network. These tools provide an experience foundation that would facilitate the appropriate commercial investment. The workshop will explore the open source foundation with practical guidelines that clear the path for deployment.

DNS Security and Resiliency – Protecting your DNS Infrastructure

DNS is the critical “phone book” of the Internet. People take DNS for granted when it is working. People panic when DNS is not working and access to the network stops. This workshop reviews new architectural models to help network operators build a more resilient and robust DNS infrastructure. This new model builds on the existing DNS resiliency architecture built into the architecture. The workshop provides direct cost effective advice that uses a combination of open source and commercial tool sets.

What do you do when everything is encrypted?

The Internet’s architecture was not designed with security as the #1 priority. In 2014, the Internet Architecture Board (IAB) pushed the Internet community to put end-to-end security as an imperative. In a “post Snowden” world with a wave of SSL vulnerabilities, 2014 is the year where the industry has dramatically increased the deployment of end-to-end encryption. What does end-to-end encryption mean to a network’s architecture? What will service providers do now that they cannot see inside a packet? What are the big content providers doing now that www proxy caching is not working any more? This workshop will explore the change, what networks need to do to secure their infrastructure, and what changes are needed to cope with an end-to-end encryption model.

Preparing for the next security attack – building effective table top exercises.

When the network is attacked, the organization’s processes and procedures will be stressed. Table top exercises are useful tools to test how the organization will respond during a cyber-attack. It validates that exception of action do not have “paperwork” and “authorizing signatures” in the way of action. This workshop will review the principles of an effective cyber-security table top exercise, provide examples, and walk the participants through a short example table top exercise.

Is Open Source Secure, Safe, and Reliable?

Open Source is a powerful industry transformation vector. Many of the most successful Internet companies (i.e. Facebook and Google) use open source as the core of their operations. What do these companies know that others do not? How can your organization take advantage of the open source movement? What are the security implications of open source in the network? This workshop will review the policies and practices that organizations use for their open source deployments. It will provide solid examples of deployment, a suggested list of open source solutions, and ways to leverage the feature velocity advantages of open source.

How do you know if your vendor’s equipment is really secure?

Vendor A walks in the door and states emphatically, “our equipment is secure!” How do you know? This workshop walks through a checklist to uncover the truth. It will detail what it means to have a secure product, what it means to have a secure solution, and requirements operators can depend on to validate their claims.

How to Establish Secure Communications in the Operational Security Community?

Building security communities requires secure paths of communication. Pretty Good Privacy (PGP) has been the cornerstone of secure communications between organizations. This public-private key architecture is also used with inter-machine communications, SSL/TLS, and other tools. This workshop will focus on these tools as a means of secure collaboration within the security community. Half the workshop will be tutorial. The last half of the workshop will be practical configuration, signing, and use – with the objective of having the participants actively using these tools once they leave.

How to reduce your organization’s attack surface area?

Reducing the “attack surface area” is one of the common “things to do” in a security checklist. What is always missing is the practical checklist, process, and planning needed to actually “reduce” the attack surface area. This workshop will cover this checklist, provide examples, and demonstrate how this approach reduces risk in a network. The session will cover some of the critical network/systems architectural changes that will need to be considered when reducing the surface area of attack.

Identifying and Disrupting the Kill Chain of an Attack

The kill chain of the attack is a misunderstood tool in an incident response team’s toolkit. Done right, the incident responder will be able to mitigate and back trace the attack. Done wrong, the attacker will be alerted – deploying counter measures and even retaliating to the disruption. This workshop will review the fundamentals and current practices.

Building an Incident Response Team

The first step of a security operation center (SOC) is an effective Incident Response Team. This workshop will review the basics, requirements, and types of people who are needed to fulfill the role, explain the available certifications, review the public training materials, and walk through the interview process. This workshop will also review the role of CERTs and the FIRST community.

IPv6 – We’re stuck. How do we become IPv6 Ready without Impacting the Business?

We have hit the threshold. IPv6 deployment has reached a point where the businesses that host content need to add IPv6 to cater to the native IPv6 customers. Sending IPv6 only clients through customer experience impacting protocol translation boxes will hurt the customer’s experience expectations. Executives want their team to have an IPv6 plan of action. This guided workshop creates that plan. The organization’s participants will have a very brief review of IPv6. They will then be guided through a set of exercises to determine the network’s readiness, the questions that need to be answered by the vendors, the type of testing to seek, and architectural changes to the services/network to work with native IPv6 clients. The result would be a team built IPv6 plan of action that is tuned specifically to the business’s unique requirements. The expert mentor guides the team through this journey of exploration and discovery, delivering as a team work that cannot be done by any outside expert who is “parachuted” into the organization.

Managing a Team During a Security Crisis – the Key to Fast Recovery

Many companies get attacked. Data leakages to companies that are hacked happen every day. The key difference between companies that are adversely impacted and those that recover and thrive is the preparation and management of the crisis teams. This workshop will guide the participants through the best practices of running crisis teams. It uses the lessons from participating and leading some of the most critical industry wide “Internet” incident teams.

Tracking Down the Bad Guys – How do you track down the people breaking into your network?

When attacks happen, two things must immediately happen. First, the business operations must be recovered. If the attack has taken down the web site, then that web site must be restored ASAP. The second action is the investigation into who is driving the attack. This second track happens in parallel to the recovery and is critical to restoring the business. Many times the “people” driving the attack will respond to the recovery operations, making the incident a “dance off” between attackers and defenders.

This workshop will review many of the techniques available to track down the tools used for the attack and who might be launching the attacks. This “attribution” is one of the most difficult parts of a security investigation, but it is vital to the ability of an organization to effectively respond.

Leveraging the Global Threat Intelligence Community – the essence of “collective security.”

The Internet is a technology of the people for the people. It is no surprise to know that there are communities of “security professionals” who are working together in collectives to gain intelligence on the threats to the Internet. These “global threat intelligence communities” are the core group who lead law enforcement around the world to some of the biggest “cyber-criminal take downs” and arrests. Understanding this community, reviewing the impact of these communities, and then finding ways to participate in these communities must be a core part of any CxO’s “security plan.” This module reviews many of the communities with a public face, how they work, and how an organization’s security professionals can slowly gain the trust of these communities to be “vetted” as an active participant.

US FCC’s CSRIC III Recommendations – How to use them in your Organization?

The FCC’s 2012 Communications Security, Reliability and Interoperability Council (CSRIC) III provides organizations around the world with a guideline for what to expect from their telecom service providers in regards to “security.” The CSRIC III guidelines should be reviewed and applied by all telecommunications providers and Internet services providers. This workshop reviews practical ways operators throughout the world can implement the techniques, enhance the “business opportunities,” and turn a “security cost” into a sustainable revenue stream.

Today and Tomorrow’s Nation-State Threat – What this means to all companies connected to the Internet

Everything has changed since “Snowden,” ISS, and the North Korean attacks. Nation States are using corporate networks as the new “battle space.” Focused, skilled, and directed nation state “cyber-soldiers” will be directed to infiltrate and prepare. At times they will be directed to collect intelligence. That would be confidential company information that would impact the profitability of the organization. At other times, these same cyber-soldiers will make human mistakes, breaking things in attempts to gain access (for example when the US NSA mistakenly crashed a router in Syria taking out the Internet for the country). This module will use attack trees and other risk assessment exercises to examine the risk to the organization’s network, why nation-state cyber-soldiers would be interested in infiltration, and approaches to mitigate the risk to the organization.

CVSS, CVE, and CWE – what are they and how are they used?

The Common Vulnerabilities and Exposures (CVE), Common Vulnerability Scoring System (CVSS), and Common Weakness Enumeration (CWE) are three critical tools every mid to large size organization must understand. All three are used to express unique risk to the organization’s network and services. This mini-workshop will review each of these tools, how they are used in the industry, guidelines for using them in the specific organization, and how they should be used with all vendors with equipment in the network.

Using the US NIST, DISA, IETF, European Union, and other cyber-security guidelines in your network.

Why would I use a security guideline from the United States in my network? Mainly because there are no other equivalent guidelines. Everyone wants best practices, but best practices take time, effort, and money to build. The best practices must be validated and publicly peer reviewed. That means countries like the US and the European Union are some of the few with the resources to build effective security best practices. This module will review several of these guidelines, how they are developed, and walk through considerations for their use in your operation.

Cyber-Insurance – You need insurance! How much? How to integrate in your plans?

Organizations mitigate the risk of a hurricane or earthquake with insurance. They know the risk is real and take steps to mitigate the impact, but also have insurance. Cyber-security incidents are no different. The threat is real. The chances of them happening are real. All organizations must take steps to mitigate the impact, but they also need to consider cyber-security insurance as a tool to mitigate the business impact of that risk. This module will review some of the options for cyber-security insurance, how that would be integrated into the service provider’s security reaction plans, and what can be done to minimize the insurance premiums.

Principles of Attribution – Using Intelligence to Gain Intelligence on the Attackers

Attribution in today’s cyber-battle-space is handicapped by the “cyber-security experts” who fail to “empty the cup” and learn from similar peers. The biggest breakthrough in the industry’s ability to “lock up” cyber-criminals happened when core principles of law enforcement intelligence and defense intelligence (electronic warfare) were merged with modern developments in the malware toolkits used in the attacks. This created the ability to seek out human intelligence (HUMINT) and use it to profile criminal activities internationally. Attribution is not impossible. Attribution is tedious hard work that requires a multi-discipline team approach. This module will review these key principles and review how organizations can build some capacity for their own operations and which groups they might build alliances with to expand their attribution capabilities.

The real mobile threat – how State Security and Cyber-Criminals will Attack Mobile Networks

Everything connected to everything will only work if the world uses massive meshes of wireless systems. Given this, it is logical for cyber-criminals and nation state cyber-soldiers to use the limitations in 3GPP, Wireless, and small cell solutions to penetrate, monitor, and wait. This causes two problems. First, the organization would not be confident that it has total control over its infrastructure. Collateral damage does happen with groups who have penetrated telecom networks. Second, bad things will happen in a crisis. A nation state now has cyber-attacks as a means of international discourse. As seen with the TV5Monde attacks, these nation states do not need to be recognized countries. This module will focus on 3GPP architecture and telecom scale WIFI infrastructure. It will cover the areas of attack and walk through detailed attack trees. Extended versions of this module can have full table top exercises.

Building an Effective Vendor Security Development Lifecycle

One of the challenges all growing start-ups will encounter is how to handle security vulnerabilities with their product. Building a cost effective vulnerability response team and a security development lifecycle (SDL) are essential for any vendor who builds hardware, software, and devices. What we know is that if it is built and connected to the Net, then it will be targeted by the bad guys. This workshop helps a new start-up craft their roadmap for deploying a cost effective vulnerability response team, building effective security testing processes, and updating their engineering development process to include an Agile oriented SDL process.

Vendor Vulnerability Response – How to Create a Team that Creates Customer Confidence?

What do you do when the top of Google News has stories about how your product/service is vulnerable, hacked, and penetrated? Vulnerability and Incident response are business critical. Today’s dual threat vectors from cyber-criminals and cyber-nation state attacks mean that your products and services are under constant scans, probes, and attacks. This workshop teaches the fundamentals of vulnerability and incident response from someone with direct leadership experience with some of the nastiest vulnerabilities and Internet wide incidents seen in the history of the Internet. The workshop will teach the principles, examine the organization’s strengths, and then build a plan of action to create a crisis team that communicates confidence to the customers and shareholders.

Service Provider Specific Resilience & Security Empowerment Workshop Modules

The new Security Empowerment Workshops are an evolution of materials that have been crafted and presented in the past. The following lists the past Service Provider Security workshops. These workshops are service provider focused, but can be used for any large network.

Overview, Principles, and Foundation – Understanding how the “Internet Principles” Drive Service Provider Security

This module reviews the Internet’s End-to-End principles, Metcalfe’s Law, the principles of the IETF, and how continuous evolution has driven the Internet. This module provides a foundation for the entire workshop. This module will also cover the five core “planes” of a modern network and the core principles used to mitigate the damage from attack.

Threats and Risk to Today’s Service Provider Network

Why are service provider attacks not common? The reality is they are very common. What is unknown to the typical Service Provider CxO is the extent of the threat actor’s system infiltration (APT Attack) and deep network understanding. For the cyber-criminal, the Service Provider network is the primary path to money. If the network goes down, they make no money. For the state sponsored cyber-soldier, the service provider’s network is their battle space. If the battle space goes down, then their ability to perform their mission goes down. This module will examine these factors and apply them to updated risk assessments for today’s service provider backbone.

Preparing your Network Operations Center (NOC)

The network operation center (NOC) is the core security reaction force for a service provider’s backbone. It is a mistake to have a “security operation center” separate from the network operations. This module will explain why, based on over a decade of service provider operational experience. It will review the typical tools and techniques that the NOC must prepare for and how they will train to respond to an attack.

The Operational Security Community – Collective Defense through Trust

In 2002 the first major operational security community was quietly created with the largest ISPs and service providers. NSP-SEC is a collective of trusted operators who work together to protect their customers, their backbones, and the Internet they can impact. NSP-SEC established the principles of collective trust that today has evolved into a multitude of specialized groups. This module will examine these groups, how they work within the community, and how a service provider would work with these groups to protect their network.

Point Protection of the Network

Defense in Depth is an obsolete principle. The new principles of security use concepts where every element in the network is a security realm on its own. In a backbone, that means each network element and the supporting services must have security tools in place to protect it against attacks from inside and outside the network. This module will review these principles and the techniques needed to ensure operational entropy will not degrade the security posture over time.

Edge Protection of the Network

Edge protection is more than access lists. Edge protection of a network is building resiliency into the network architecture. It covers techniques like core hiding, how to advertise routes to protect the network, and how to reduce the surface area of attack for the service provider.

Remote Triggered Black Hole (RTBH) – The #1 DDOS Response Tool

BGP Remote Triggered Black Hole (RTBH) is the core tool used to mitigate DDOS attacks. RTBH is one of a set of tools that include BGP Shunts, MPLS Shunts, Flow-Spec, and Source Based RTBH. This module will cover each of these techniques, review how they are used in networks today, and help the operator prepare for deployment.

Sink Hole – The “Security” Swiss Army Knife of the Network

Sink Holes are strategically placed sections of the network that are attached to the backbone, designed to absorb packet loss, shunted DDOS packet flows, and intentional hacking into Honeypots. Sink Holes – when designed mindfully – are powerful security tools. It is very common to hear an Internet security guru talk about how they have “sink holed a botnet.” This module will enlighten the operator on the details of how sink holes work, operate, are designed, and are used in today’s battle against the threat.

Source Address Validation

IP packets have many fields that can be spoofed and abused. This “spoofing” has led to huge Internet resiliency and security problems. Today’s networks have the tools to ensure that all packets from customers are checked to make sure they are legitimate and not spoofed. This module will explore many of these tools, review how they are deployed in a network, and then show them as a tool to help detect problems on the network.

Control Plane Security

Routing protocols are the glue that holds a network together. Routing protocols are also the core element that, if attacked, can take down the service provider network and other adjacent networks. This module will review all aspects of control plane security, exploring what needs to be done with BGP, OSPF, ISIS, MPLS, and other control plane elements.

BGP Hijacks and the Resilience of the Global Routing

Today’s telecoms are an interconnected mesh of BGP that is glued together with trust and best practices. This module will review the elements all service providers need to put into their planning, preparations, tools, and architecture. This module will cover the core aspects of the threats to global connectivity, how to spot a BGP hijack, and key elements to invest in before a major incident.

Total Visibility of the Network

Availability, Visibility, and Control are the three core principles of a resilient service provider. This module will cover the modern tools to gain packet flow visibility through, to, and around the network. It will start with simple tools that are impactful, yet cost effective. The module will then look at other more expansive flow based analytics and Deep Packet Inspection (DPI) tools – how they should be used and the limitations of integration inside a network. It will then cover the future as virtualization and commodity architectures emerge as the dominant service expansion model.

DNS Architecture and Principles of Resiliency

DNS is the dial tone of the Internet. Nothing works on the Internet without DNS. Yet, DNS is often overlooked and taken for granted in a service provider’s network. This neglect has resulted in dramatic and avoidable outages in major operators in 2014. All of them could have been avoided with mindful DNS principles to match the architecture to the various roles DNS acts within a network. This module will cover the core DNS architectural principles a service provider must consider for the following DNS modules:

  • Authoritative DNS Module (Outside world resolving the domain names)
  • Tracking Area/APN DNS Module (Internal DNS) (3G and 4G)
  • Resolver DNS Module (Recursive Resolver for Customers)
  • Roaming DNS Module (External DNS – ENUM)
  • Infrastructure DNS Module (OSS, NMS, Troubleshooting)

DDOS Attack – Preparing and Reacting to Extortion, Retribution, and Collateral Damage

All DDOS Attacks are a conversation between people. People launch the attack. People defend against the attack. This module will review several case studies of how organizations prepare and respond to DDOS Attacks. It will use table top exercises to help the students grasp the factors that must be considered during a DDOS Attack.

DNS Firewalls

DNS Response Policy Zone (DNS RPZ) is a breakthrough technology that is having a huge impact on protecting customers from attack. This technique is popularly called a DNS Firewall. It is an element on the DNS Resolver that will first check blacklist “zones” to see if a domain is good or bad. This allows the operator to maintain a huge list of bad domains that would be used for SPAM, Phishing, Malware, and other miscreant activities. DNS RPZ should be integral to all service providers. It is a solution that is cost effective and works.

Remediating Violated Customers

Service Provider customers get infected, violated, and abused by cyber-criminals and nation state cyber-soldiers. The service provider has a choice. They can either leave all their infected customers alone and hope this malware is not used against them, OR they can proactively work with their customers to remediate and clean up these infections. This module explores the best practices used by other operators to clean up their customers. It is based on the 2012 US FCC work for botnet remediation (a joint project with major operators in the US and Japan).

Regaining Control over a Violated Network – How to Mitigate an APT attack in a Service Provider

Always assume your network will be violated by the “advanced persistent threat” (APT) actors who see value in your investment. Cyber-criminals and state-sponsored cyber-soldiers both see service provider networks as ideal environments to infiltrate. Given this persistent threat vector, operators should always consider their network as violated. This module reviews an exercise that can be done quarterly to seek out and find the infiltration, how they have violated the network, and what can be done to get them off.

Reflection Attacks – What are they? How to Stop Them?

Reflection DDOS attacks are the most common DDOS tool used by the criminal elements in the expanded “DDOS market place.” DDOS Reflection attacks are difficult to track to the source (most are spoofed) and have huge impact on their way to the target. This module will review DDOS reflection attacks, how the miscreants are finding the reflectors, and what this would mean as more IOT/M2M is deployed throughout the network. This module will cover what needs to be done in every operator’s network to prevent their resources from being used as a reflector and what needs to be done to prepare for mitigating a DDOS Reflection targeted at them or their customer.

Passive DNS

Passive DNS is a breakthrough technology that cost effectively allows the security community to monitor DNS “logs” without the high “logging cost.” The passive DNS feeds are then combined with those of other operators into one of several organizations’ DNS “databases” and used to track the cyber-criminals’ use of DNS. Passive DNS has provided the good guys with the tools to see the bad guy’s next move – as they use DNS to stage their next attacks. This module will review the technology, the uses, and the implications of passive DNS. It will also review today’s options for deploying passive DNS sensors in their network.


Backscatter is the packet response to activities from other parts of the Internet that happen to be addressed to some part of your organization’s network. In the past, backscatter was a major tool to first explore cyber-criminal activities. As the IPv4 space was allocated, the ability to monitor all of the Internet with backscatter was reduced. But backscatter is a critical tool that an operator can deploy and use to protect their network. This module will review how backscatter works, why it works, and how it can be used today. Its practical use for DNS poisoning attempts will be used to demonstrate how the old tools are still critical today.

Vulnerability and Resilience of the Vendors in the Network

The security of a service provider’s network is dependent on the vendor’s security principles. Vulnerabilities will happen. How the vendor responds to these vulnerabilities is critical for all operators to understand. This module will review all the best practices that a service provider’s vendor should comply with. It will explain each one, how they work, and what should be expected. It will also cover what the operator’s responsibilities are toward their vendor’s security activities.