CARIS2: Coordinating Attack Response at Internet Scale

The Coordinating Attack Response at Internet Scale (CARIS) 2 workshop, sponsored by the Internet Society, will take place 28 February – 1 March 2019 in Cambridge, Massachusetts, USA. Participants will span regional, national, international, and enterprise CSIRTs, operators (service providers/network & security operators), transport operators and researchers, incident response researchers, vendors, and representatives from standards communities. This workshop will continue the work started at the first CARIS workshop. You can read the final report from the 1st CARIS workshop and in RFC8073, Coordinating Attack Response at Internet Scale (CARIS) Workshop Report.

One goal of the workshop is to improve mutual awareness of the participating organisations, to understand their roles, and improve communication between them. A key outcome of the workshop is to provide input to the Internet Research Task Force (IRTF) proposed research group SMART (Stopping Malware, and Researching Threats).

The workshop will include a mix of invited and selected speakers with opportunities to collaborate throughout, taking full advantage of the tremendous value of having representatives from these diverse communities with common goals in the same room. The participants from the first CARIS workshop emphasised the value in bringing together such a diverse group that had never collaborated previously and the workshop aims to reinforce that. We aim to build strong foundations for ongoing collaboration through the proposed SMART Research Group in the IRTF.

Important Dates

Submission Deadline: 16 December 2018
Notifications: 13 January 2019
Workshop: 28 February – 1 March 2019

To be considered for participation in the CARIS2 workshop, please submit a 2-page statement of interest or position paper that includes some key insight or challenge relevant to the broader group. This may include research topics around attack mitigation or information sharing/exchange, success stories and case studies from your CSIRT, lessons learned, or a deep dive on a particular topic such as privacy or trust.

All attendees are required to submit a position paper to the CARIS program committee. Accepted submissions will be published. Attendees will be selected based on these submissions to ensure the workshop will be beneficial to all and have the potential to impact the coordination of attack response at Internet scale. There is no fee to attend the workshop.

Additional Details

The workshop will take place at the offices of (255 Main St, Cambridge MA 02142 – 6th floor). Office location and hotel suggestions are provided. In addition, the Kendall Hotel is very conveniently located for the workshop venue. During the workshop, lunch and beverage breaks will be sponsored by Dell EMC.

Accepted papers

An archive of accepted workshop papers is available to download.

Day 1
9:00-9:10 — Greeting and workshop overview – Kathleen Moriarty – Chair
Expectation setting (toward brainstorming and results to advance from current state thinking about scalability)
9:10-10:30 — Introductions
Each paper to present up to 2 slides – Who am I(we)?/Why am I here?/What am I looking to get out of this workshop?
10:30-10:45 Break
Current Automation Solutions
10:45-11:15 — Tools & Techniques: NICT – Takeshi Takahashi and Hideaki Kanehara
Solution overview with discussion on findings
11:15-11:45 — OpenC2 – sharing information – Joe Brule
11:45-12:15 — I2NSF solution comparison to OpenC2 and gap discovery – Chris Inacio
12:15-1:15 Lunch
Standardization and Adoption 
1:15-2:00 — Led discussions with break-out groups for brainstorming
2:00-2:15 — Reports from breakouts
2:15-2:30 Break
2:30-3:00 — Manufacturer Usage Description – Eliot Lear
3:00-3:30 — Automated IOT Security, Oscar Garcia-Morchon and Thorsten Dahm
3:30-4:00 — Brainstorm in groups on preventative measures and scaling by preventing intrusions and enabling vendors to deploy mitigations at scale
4:00-4:30 — Reports from breakouts
5:30pm — Dinner Social sponsored by The Internet Society
Day 2
9:00-10:00 — Taxonomies and Gaps – Kirsty Paine, Mirjam Kühne
Preparation materials to be provided in advance of the workshop
10:00-10:15 Break 
Coordination Groups
10:15-10:35 — FIRST – Thomas Schreck
10:35-10:45 — TF-CSIRT – Mirjam Kühne
10:45- 11:05 — NetSecWarriors, Tim April
11:05-11:20 — M2M Sharing Evolution, Scott Pinkerton
11:20-11:30 — Alternate sharing/mitigation models – Kathleen Moriarty
11:30-12:00 —  Discussion: Effectiveness of groups and opportunities to improve efficiency and scale of response
12:00-1:00 Lunch
1:00-1:30 — Measured Approaches to IPv6 Address Anonymization and Identity Association – Dave Plonka and Arthur Berger
1:30-2:30 — Breakouts – how can similar methods be used to increase monitoring capabilities, factoring in privacy concerns?
2:30-2:45 — Report back from breakouts
2:45-3:00 Break
3:00-4:45 — Discussion
Existing solutions for attack coordination and mitigation
Discussion on known gaps
Opportunities to improve protocols to prevent attacks.
4:45-5:00 — Wrap up – Summary and next steps – Kathleen Moriarty

Kendall Square, Cambridge, MA

Technical Program Committee

Mat Ford, Internet Society, UK
Jamie Gillespie, APNIC, AU
Chris Inacio, CERT/CC, US
Mirja Kühlewind, ETH Zürich, CH
Mirjam Kühne, RIPE NCC, NL
Carlos Martinez, LACNIC, UY
Kathleen M. Moriarty, Dell EMC, US
Kirsty Paine, NCSC, UK
Takeshi Takahashi, NICT, JP

Date and Time

Thursday 28 February 2019 –

Friday 01 March 2019


Kendall Square

Cambridge, Massachusetts, USA