3. Presenter
Adli Wahid (@adliwahid)
Security Specialist, APNIC
Adli is responsible for the security outreach activities at APNIC. He engages
with APNIC members, CSIRTs and Law Enforcement agencies in promoting
security best practices.
Adli is also actively involved with regional CSIRT organisations such as
APCERT, OIC-CERT and TF-CSIRT. He is currently a board member of
FIRST.org.
Prior to joining APNIC, Adli was a regional Cyber Security Manager at Bank
of Tokyo Mitsubishi – UFJ and Head of Malaysia CERT (MyCERT)
Areas of interest: CSIRTs, Honeypots, Malware, International
Collaboration
Contact:
Email: adli@apnic.net
4. Agenda
1. About APNIC
2. Whois Database for Incident Handling & Response
3. Challenges
4. Conclusion
6. What is APNIC?
• Regional Internet Registry (RIR) for the
Asia Pacific region
– Comprises 56 economies
• Secretariat located in Brisbane,
Australia
– Currently employs around 70 staff
• Not-for-profit, membership-based
organization
• Governed by the Executive Council
(EC), who are elected by the Members
9. How APNIC supports the Internet
community
• Distribution and Registration of Internet Resources (v4, v6, ASN)
• Facilitate the policy development process
– Via mailing lists, conferences etc.
• Training services
• Information dissemination
• Collaboration & Liaison
10. Security Initiatives @ APNIC
• Target Audience
– Primarily Network Operators & Service Providers, APNIC members
Topics | Domain
Resource Public Key Infrastructure (RPKI) | Routing
DNSSEC | DNS
Source Address Validation Everywhere (SAVE) | DDoS Mitigation
Updating IRT References in APNIC Whois Database | Abuse Handling & Incident Response
http://www.apnic.net/security
15. Where to find information?
• Whois Database
– Domain (Names) & Numbers
– Security point of contact for a domain?
• Regional Internet Registry
– Maintains information related to IP Address & AS Numbers
– Including point of contact for Security
• Incident Response Teams (IRT) Object
– Specialized Mandatory IRT contacts for inetnum, inet6num & aut-num
– https://www.apnic.net/services/manage-resources/abuse-contacts
– https://www.apnic.net/apnic-info/whois_search/using-whois/guide/irt
17. Challenges with Information in the
Whois Database
1. Information not available
2. Information not accurate
– There’s a mechanism to update information or report it
3. No guarantee that the recipient knows what to do or what is expected of
them
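To make the IRT lookup from the "Where to find information" slide and the "information not available" challenge concrete, here is an added example (not part of the original slides) that parses whois output in RPSL layout and resolves each resource's IRT reference to an abuse mailbox. The sample response, the function names and the problem strings are constructed for illustration; `mnt-irt` and `abuse-mailbox` are the RPSL attribute names used in the APNIC Whois Database and are not named on the slides.

```python
# Constructed sample in APNIC whois (RPSL) layout; all values are placeholders.
SAMPLE = """\
% constructed sample response
inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
mnt-irt:        IRT-EXAMPLE-AU
source:         APNIC

irt:            IRT-EXAMPLE-AU
e-mail:         noc@example.net
abuse-mailbox:  abuse@example.net
source:         APNIC
"""
RESOURCES = ("inetnum", "inet6num", "aut-num")   # classes that carry IRT contacts

def parse_objects(text):
    """Split a whois response into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for line in text.splitlines() + [""]:        # sentinel flushes the last object
        if line.startswith("%"):                 # server comment line
            continue
        if not line.strip():                     # blank line closes an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in " \t+" and current:      # continuation of previous value
            key, val = current[-1]
            current[-1] = (key, f"{val} {line[1:].strip()}".strip())
        elif ":" in line:
            key, _, val = line.partition(":")
            current.append((key.strip().lower(), val.strip()))
    return objects

def irt_contacts(text):
    """Resolve each resource's mnt-irt reference to the IRT's abuse-mailbox."""
    objs = parse_objects(text)
    irts = {o[0][1].upper(): o for o in objs if o[0][0] == "irt"}
    report = {}
    for o in (x for x in objs if x[0][0] in RESOURCES):
        refs = [v.upper() for k, v in o if k == "mnt-irt"]
        boxes = [v for r in refs for k, v in irts.get(r, []) if k == "abuse-mailbox"]
        if not refs:
            problem = "no mnt-irt reference"
        elif not any(r in irts for r in refs):
            problem = "referenced irt object not in response"
        else:
            problem = None if boxes else "irt object has no abuse-mailbox"
        report[o[0][1]] = {"irt": refs, "abuse": boxes, "problem": problem}
    return report
```

Calling `irt_contacts()` on saved whois output gives, per resource, either a mailbox to send the report to or the reason none could be found.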
18. Examples
Dear IRT,
[ We have identified a command & control on your
network that is related to the XYZ malware. Please do the
necessary]
[A host (a.c.d.e) on your network is hosting a phishing
site of Bank BBB. Please remove the phishing site
immediately. Refer to screenshots]
[The following IP addresses on your network are running
an open DNS resolver that could be used in a DDoS
amplification attack]
19. Security Awareness & Incident
Management for Network Operators /
Providers
• Understanding different types of incidents & Reports
– Malware, DDoS, Data Breaches, Phishing etc
– Suspicious Activities: Scanning
• Impact of Different Types of Incidents
– How do I prioritize?
• Expectations : Process
– Take down or Investigate
• Best Practices for Incident Handling
– Policy or Procedures
20. Best Practices
1. Mobile Messaging Best Practices for Service Providers
– https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Mobile_Messaging_Best_Practices_Service_Providers-2015-04.pdf
2. M3AAWG Anti-Abuse Best Common Practices for Hosting
& Cloud Services
– https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf
3. Many more here:
– https://www.m3aawg.org/published-documents
21. Role of National CERT / CSIRT
• Help to reach out to the relevant person in the organization
– Translate
– Explain
– Incident Response Framework, Capacity Development, Information
Sharing
• What if there is no National CERT / CSIRT?
– See Previous Slides
– NZITF is a good model (http://www.nzitf.org.nz)
22. Conclusion
• There is a need to have accurate information in the whois
database for dealing with abuses & security incidents
• Training & creating awareness so that the IRT / Abuse
contacts know what to do will make a huge difference
• Let’s work together!
23. More Information
• Providing Abuse Contact Information
– https://www.apnic.net/services/manage-resources/abuse-contacts
– https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming
– https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming/invalid-contact-form
• E-Learning on Establishing CSIRT
– https://training.apnic.net
• APCERT
– http://www.apcert.org
• FIRST
– http://www.first.org