INFORMATION SECURITY DIRECTORATE
INFORMATION SECURITY INCIDENT HANDLING, BATAM, 12-13 September 2013
DAY II
SECURITY INCIDENT HANDLING: INFORMATION SECURITY INCIDENT HANDLING
Managing CSIRT
IGN Mantra, Email: [email protected], URL: acad-csirt.or.id
Setting Up Guide: CSIRT
Agenda
How it all started
What do CERTs do?
How does Incident Response function?
CERT cooperation
ENISA and CERTs
Setting up a CSIRT
Introduction
Overall strategy for planning and setting up a CSIRT
The first section gives a description of what a CSIRT is. It will also provide information about the
different environments in which CSIRTs can work and what services they can deliver.
Developing the Business Plan
This section describes the business management approach to the setting-up process.
Promoting the Business Plan
This section deals with the business case and funding issues.
Examples of operational and technical procedures
This section describes the procedure of gaining information and translating it into a security
bulletin. This section also provides a description of an incident-handling workflow.
CSIRT training
This section gives a summary of available CSIRT training. For illustration sample course material
is provided in the annex.
Producing an advisory
This section contains an exercise on how to carry out one of the basic (or core) CSIRT services:
the production of a security bulletin (or advisory).
Description of the Project Plan
This section points to the supplementary project plan (checklist) provided with this guide. This
plan aims at being a simple to use tool for the implementation of this guide.
The early days of the Internet
First idea of an Internet in 1960: "A network of such [computers], connected to one another by wideband communication lines" which provided "the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions." by J.C.R. Licklider
Beginning of the Internet by the Defense Advanced Research Projects Agency (DARPA) in 1981.
Map of the TCP/IP test network in January 1982
Today’s Internet
First incident on the Internet
2 November 1988: The MORRIS worm
First major outbreak; it spread swiftly around the world
6000 major UNIX machines were infected (of a total of 60.000 computers connected)
Estimated cost of damage $10M - 100M
Gene Spafford created a mailing list coordinating the first incident response
The First CERT
After the incident people realized they were in need of:
Timely response
Structured and organized approach
Central coordination
This incident in the history of Internet security led directly to the founding of the CERT/CC©
Europe and CSIRTs
This model was soon adopted in Europe
1992: SURFnet launched the first CSIRT in Europe, SURFnet-CERT
At present ENISA's inventory of CERT activities in Europe lists over 140 CSIRTs
European CERT activities
CSIRT abbreviations
CERT© / CERT-CC (Computer Emergency Response Team)
CSIRT (Computer Security Incident Response Team)
IRT (Incident Response Team)
CIRT (Computer Incident Response Team)
SERT (Security Emergency Response Team)
Abuse Team (not a CSIRT)
A response facility, usually operated by an ISP, which professionally handles "Internet-abuse" reports or complaints.
CSIRT definition
CSIRT
A team that responds to computer security incidents, providing the necessary services to solve them or supporting their resolution.
It also tries to prevent computer security incidents within its constituency or area of responsibility.
Constituency
The customer base of a CSIRT
Benefits of having a CSIRT
A dedicated ICT-security team helps to mitigate and prevent major incidents protecting your organization’s valuable assets.
Centralized coordination for ICT-security issues
Specialized organization in handling and responding to ICT-incidents.
Dedicated support available, assisting in taking the appropriate steps and helping the constituent with quick recovery of the ICT infrastructure.
Dealing with legal issues and preserving evidence in the event of a lawsuit.
Educating the organization on ICT-security
Stimulating cooperation within the constituency on ICT- security, preventing possible losses.
What kinds of CSIRTs exist? Constituency-dependent sector CSIRTs, in alphabetical order:
National / Governmental Sector
Academic Sector
Commercial
CIP/CIIP Sector
Internal
Military Sector
Small & Medium Enterprises (SME) Sector
Vendor Teams
…
CSIRT services 1/3
We can distinguish 4 kinds of services:
1. Reactive services
2. Proactive services
3. Artifact handling
4. Security quality management
CSIRT “Core” Services 2/3
Reactive Services
Alerts and Warnings
Incident Handling
Incident analysis
Incident response support
Incident response coordination
Proactive Services
Announcements
CSIRT services 3/4
Proactive services
Announcements
Technology watch
Security audits or assessments
Configuration and maintenance of security
Development of Security Tools
Intrusion Detection Services
Security-Related Information Dissemination
Reactive services
Alerts and Warnings
Incident Handling
Incident analysis
Incident response support
Incident response coordination
Incident response on site
Vulnerability handling
Vulnerability analysis
Vulnerability response
Vulnerability response coordination
Artifact handling
Artifact analysis
Artifact response
Artifact response coordination
Security Quality Management
Risk Analysis
Business Continuity and Disaster Recovery
Security Consulting
Awareness Building
Education/Training
Product Evaluation or Certification
CSIRT services 4/4
First questions about services:
1. Understand what a CSIRT is and what benefits it might provide
2. To what sector is the CSIRT delivering its services?
3. Decide on the core services of your CSIRT
4. Start preparing your CSIRT: organization, staff, legal, contracts, procedures
Deliver the core services according to your standards and agreements
Choosing the right approach
1. Define a communication approach to your constituents
2. Define the mission statement
3. Make a realistic implementation/project plan
4. Define your CSIRT services
5. Define the organizational structure
6. Define the Information Security policy
7. Hire the right staff
8. Utilise your CSIRT office
9. Look for cooperation between other CSIRTs and possible national initiatives
Analyzing your Constituency
SWOT analysis
PEST analysis
Example SWOT analysis
Results in delivering the following Core Services:
Alerts and Warnings
Incident handling
Announcements
Communicating channels
Public Website
Closed member area on the Website
Web-forms to report incidents
Mailing lists
Phone
SMS
‘Old fashioned’ paper letters
Monthly or annual reports
Mission statement
Important to have a mission statement
In communicating your existence to constituents
Communicating it to your staff
Commercial use, elevator pitches, brochures,…
Examples:
“<Name of CSIRT> provides information and assistance to its <constituents (define your constituents)> in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur.”
"To offer support to <Constituents> on the prevention of and response to ICT-related Security Incidents”
Developing a business plan
Defining a financial model
Cost model
Revenue model
Use of existing resources
Membership fee
Subsidy
Costs running a CSIRT
Staff 24x7 or office hours
Housing Normal secured or high secured facility
Equipment
Hosting facilities
Branding material (corporate style)
Brochures
Your organizational structure
A CSIRT organization could define the following roles:
General
General manager
Staff
Office manager
Accountant
Communication consultant
Legal consultant
Operational
Technical team
Technical team leader
Technical CSIRT technicians, delivering the CSIRT services
Researchers
External consultants, hired when needed
Independent business model
The embedded model
The Campus model
The voluntary model
Group of people (specialists) that join together
in case of emergency.
Loosely fitted
Example WARPS
Hiring the right staff ( the hot picks)
Flexible, creative, good team spirit
Strong analytical skills,
Ability to explain difficult technical matter into
easy wording
Good organizational skills and stress resistant
Technical knowledge (deep specialist + broad
general internet technology knowledge)
Willingness to work 24x7
Loving to do the job! ;)
Utilization & equipping the office
Hardening the building
See ISO17799
Maintaining communication channels
Record tracking system(s)
Use the corporate style from the beginning!
Foresee out-of-band communication in case of
attacks
Check redundancy on internet connectivity
and office in case of emergencies
Information security policy
Information handling policy
1. How is incoming information "tagged" or
"classified"?
2. How is information handled, especially with
regard to exclusivity?
3. What considerations are adopted for the
disclosure of information "when what?"
especially incident related information passed
on to other teams or to sites?
Information security policy
4. Are there legal considerations to take into account with regard to information handling?
5. Do you have a policy on the use of cryptography to shield exclusivity & integrity in archives and/or data communication, especially e-mail?
6. This policy must include possible legal boundary conditions such as key escrow or enforceability of decryption in case of lawsuits.
Information Security policy
National
Laws on information technology
Laws on data protection and privacy
Codes of conduct for corporate governance and IT governance
European directives
Directives on data protection and electronic
communication
International
Basel II, Eu. Convention on Cybercrime
Standards
BS 7799
ISO 27001
Search for cooperation
ENISA
National initiatives
TF-CSIRT
WARPS
FIRST
Promoting your business plan
It visualizes the trends in IT security, especially the decrease in the skills necessary to carry out increasingly sophisticated attacks.
Another point to mention is the continuously shrinking time window between the availability of software updates for vulnerabilities and the start of attacks against them.
Promoting your business plan
Viruses timeline
Patch -> Exploit:
Nimda: 11 months
Slammer: 6 months
Nachi: 5 months
Blaster: 3 weeks
Witty: 1 day (!)
Spreading rate:
Code Red: Days
Nimda: Hours
Slammer: Minutes
Business plan & Management
What is the problem?
What would you like to achieve with
your constituents?
What happens if you do nothing?
What happens if you take action?
What is it going to cost?
What is going to gain?
When do you start and when is it
finished?
Short wrap-up
How is information handled within your organization?
Do you have an Information security policy?
Do you know other CSIRTs?
Could you share incidents that can help the
promotion of a CSIRT business plan?
Discuss your potential business plan
Operational Procedures
Focus on basic services first!
Alerts and Warnings
Incident handling
Announcements
Information process flow
Information process flow
Information Sources:
• Vulnerability information
• Incident reports
• Public and closed sources for vulnerability information:
- Public and closed mailing lists
- Vendor vulnerability product information
- Websites
- Information on the Internet
- Public and private partnerships that provide vulnerability information (FIRST, TF-CSIRT, CERT-CC, US-CERT)
Information process flow
Identification
• Trustworthy source of information
• Correct information: cross checked with other sources
Relevance
• Impact on the IT infrastructure of the constituent
Classification of information
Risk assessment & impact analysis
Impact = Risk x potential damage
Information process flow
Risk assessment & impact analysis

RISK (sum the points of the six questions)
Is the vulnerability widely known?         No, limited = 1    Yes, public = 2
Is the vulnerability widely exploited?     No = 1             Yes = 2
Is it easy to exploit the vulnerability?   No, hacker = 1     Yes, script kiddie = 2
Precondition: default configuration?       No, specific = 1   Yes, standard = 2
Precondition: physical access required?    Yes = 1            No = 2
Precondition: user account required?       Yes = 1            No = 2
Risk score: 11-12 = High, 8-10 = Medium, 6-7 = Low

DAMAGE (sum the points of the three questions)
Unauthorized access to data   No = 0   Yes, read = 2           Yes, read+write = 4
DoS                           No = 0   Yes, non-critical = 1   Yes, critical = 5
Permissions                   No = 0   Yes, user = 4           Yes, root = 6
Damage score: 6-15 = High, 2-5 = Medium, 0-1 = Low

OVERALL
High: Remote root exploit; Local root exploit (attacker has a user account on the machine); Denial of Service
>> Immediate action needed!
Medium: Remote user exploit; Remote unauthorized access to data; Unauthorized obtaining of data; Local unauthorized access to data; Local unauthorized obtaining of user rights
>> Action within a week
Low: Local user exploit
>> Include it in the general process
Information process flow
Distribution of information: Website, Email, Reports, Archiving and research

Title of the advisory: ...
Reference number: ...
Systems affected:
- ...
- ...
Related OS + version: ...
Risk: ... (High-Medium-Low)
Impact/potential damage: ... (High-Medium-Low)
External id's: ... (CVE, Vulnerability bulletin ID's)
Overview of vulnerability: ...
Impact: ...
Solution: ...
Description (details): ...
Appendix: ...
Example of an Advisory
Incident handling process
Incident Handling process
1. Receiving incident reports
- Phone
- Fax
2. Incident Evaluation
- Identification
- Relevance
- Classification
- Triage
3. Take action
Incident handling process
Actions
Start incident ticket
Essential for solving the incident and communicating with the involved constituents.
Solve the incident
Preserving any information which may be needed for prosecution takes carefully planned action!
Incident handling report
Archiving
NOTE: Each type of incident calls for different actions!
Wrap-up
1. Understanding what a CSIRT is.
2. What sector do you deliver your services to?
3. What kinds of services can a CSIRT provide to its constituents?
4. Analysis of the environment and constituents
- Defining the mission statement
- Defining your goals
- Defining your cost model
- Defining the organizational model
- Starting to hire your staff
- Utilizing your office
- Defining the needed security policy
- Looking for cooperation partners
5. Dealing with matters of project management
- Have the business case approved
- Fit everything into a project plan
6. Making the CSIRT operational
- Creating workflows
- Implementing CSIRT tooling
The next step is: training your staff
Workflow 2nd example
Producing an advisory
Bulletin Identifier: Microsoft Security Bulletin MS06-042
Bulletin Title: Cumulative Security Update for Internet Explorer (918899)
Executive Summary: This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.
Maximum Severity Rating: Critical
Impact of Vulnerability: Remote Code Execution
Affected Software: Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.

Collecting vulnerability information
Verify the authenticity on the vendor website
Gather more details on:
- The vulnerability
- Affected systems
Workflow 2nd example
Is the vulnerability well known? Y
Is the vulnerability widespread? Y
Is it easy to exploit the vulnerability? Y
Is it a remotely exploitable vulnerability? Y
Damage: Remote accessibility and chance of remote code execution.
This vulnerability contains multiple issues which make the damage risk HIGH.
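As an added example (not part of the course slides), the RISK / DAMAGE matrix from the risk assessment slide turned into a scoring routine and applied to a constructed answer set modelled on this MS06-042 walk-through. The point values and thresholds are the matrix's own; the rule that combines the two levels into an overall rating is an assumption made here.

```python
# Scoring helper for the slides' RISK / DAMAGE matrix (added example, not
# part of the course material). Point values and thresholds come from the
# matrix; the overall-rating rule combining the two levels is an assumption.

RISK_QUESTIONS = {
    "widely_known":     {"no, limited": 1, "yes, public": 2},
    "widely_exploited": {"no": 1, "yes": 2},
    "easy_to_exploit":  {"no, hacker": 1, "yes, script kiddie": 2},
    "default_config":   {"no, specific": 1, "yes, standard": 2},
    "physical_access":  {"yes": 1, "no": 2},   # access required lowers risk
    "user_account":     {"yes": 1, "no": 2},   # account required lowers risk
}
DAMAGE_QUESTIONS = {
    "data_access": {"no": 0, "yes, read": 2, "yes, read+write": 4},
    "dos":         {"no": 0, "yes, non-critical": 1, "yes, critical": 5},
    "permissions": {"no": 0, "yes, user": 4, "yes, root": 6},
}

def score(tables, answers):
    """Sum the points of every question; reject missing or unknown answers."""
    total = 0
    for question, options in tables.items():
        answer = answers.get(question, "").strip().lower()
        if answer not in options:
            raise ValueError(f"{question}: answer must be one of {sorted(options)}")
        total += options[answer]
    return total

def risk_level(points):    # six questions, so 6..12 points
    return "High" if points >= 11 else "Medium" if points >= 8 else "Low"

def damage_level(points):  # three questions, so 0..15 points
    return "High" if points >= 6 else "Medium" if points >= 2 else "Low"

def overall_level(risk, damage):
    """Assumed rule: equal levels carry over (High/High -> High), mixed -> Medium."""
    return risk if risk == damage else "Medium"

def assess(risk_answers, damage_answers):
    r = score(RISK_QUESTIONS, risk_answers)
    d = score(DAMAGE_QUESTIONS, damage_answers)
    return {"risk_points": r, "risk": risk_level(r),
            "damage_points": d, "damage": damage_level(d),
            "overall": overall_level(risk_level(r), damage_level(d))}

# Constructed sample modelled on the MS06-042 walk-through: public, exploited,
# script-kiddie easy, default config, remote, no account needed; RCE as admin.
IE_RISK = {"widely_known": "yes, public", "widely_exploited": "yes",
           "easy_to_exploit": "yes, script kiddie", "default_config": "yes, standard",
           "physical_access": "no", "user_account": "no"}
IE_DAMAGE = {"data_access": "yes, read+write", "dos": "no", "permissions": "yes, root"}

if __name__ == "__main__":
    print(assess(IE_RISK, IE_DAMAGE))  # risk 12 (High), damage 10 (High)
```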
Workflow 2nd example
Evaluate information: assess the risk (RISK)
Distribution of information: the filled-in advisory
Title of advisory: Multiple vulnerabilities found in Internet Explorer
Reference number: 082006-1
Systems affected: 1. All desktop systems that run Microsoft
Related OS + version: Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2; Microsoft Windows XP Professional x64 Edition; Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1; Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems; Microsoft Windows Server 2003 x64 Edition
Risk: HIGH (High-Medium-Low)
Impact/potential damage: HIGH (High-Medium-Low)
External id's (CVE, Vulnerability bulletin ID's): MS-06-42
Overview of vulnerability: Microsoft has found several critical vulnerabilities in Internet Explorer which can lead to remote code execution.
Impact: An attacker could take complete control over the system, installing programs, adding users and viewing, changing or deleting data. A mitigating factor is that the above can only take place if the user is logged in with administrator rights. Users logged on with fewer rights could be less impacted.
Solution: Patch your IE immediately
Description (details): See for more information ms06-042.mspx
Appendix: See for more information ms06-042.mspx
ENISA and CSIRTs
Mission
Promote and facilitate good practice in setting up and running CSIRTs / WARPs / Abuse Teams / etc.
Encourage cooperation between different actors
Develop relations with the various CERT/CSIRT communities
Support their activities
Run a Working Group with external experts
How does ENISA support the CSIRT community? Promote best practice!
2005: Stocktaking
2006: Setting up & Cooperation
2007: Support Operation; Quality Assurance
2008: CERT Exercises
2009: CERT Baseline Capabilities Document; CERT Exercises Report
[...]
THANK YOU
Contact:
Information: [email protected]
Incident Response: [email protected]
URL: http://govcsirt.kominfo.go.id/