APNIC Senior Security Specialist Adli Wahid spoke on the importance and role of CERTs in helping prevent cyber attacks at the Philippines Cybersecurity Conference 2021, held online from 13 to 29 October 2021.
5. Context
o APNIC – Regional Internet Registry
o www.apnic.net
o Security Engagement with Security Community & Stakeholders
o CERT in the Pacific Project & Developing Economies
o Community Honeynet Project
o Past experience with National & Enterprise CERT/CSIRT
o Regional CERT/CSIRT activities, i.e. FIRST & APCERT
6. The Plan
1. Context and Perspectives
2. Potential Areas for Contributions (CERTs/CSIRTs)
3. Challenges & Way Forward
+ Stories & Some Examples
7. CERT/CSIRTs
• Computer Emergency Response Teams
• Computer Security Incidents Response Teams
• Entity
o All shapes and sizes
o National Responsibilities Vs Enterprise CSIRTs
o Services – depends on constituents
o Incident Coordination / handling / Management @ Minimum
• Function
o Respond to security incident
o Minimize impact, improve detection
o Proactive – prevent incident
o Initiatives to support all of the above
• CERT/CC establishment & the Morris Worm
o Many CERTs in our region were established after that
o Forum of Incident Response and Security Teams (1990)
Morris Worm (1988) source code
Reference: https://en.wikipedia.org/wiki/Morris_worm
8. Community of CERTs/CSIRTs
• Beyond the entities – people
o Trust is based on person / personalities
o Sometimes forgotten
• Network of CERTs/CSIRTs
o Collaboration
o Information sharing
o Threats & Insights
• Help increase preparedness & capabilities
• Tools, Artifacts, Training
OUR-CERT*
CERT/CSIRT in the Pacific Workshop 2018
9. Cyber Security Incidents
• All Shapes & Sizes
• Global & Beyond borders
• Types vs Impact
o Malware related
o Sabotage
o Scam / Fraud
o Surveillance
o Custom *
• Indicates
o Gaps in defense / controls
o Lack of *something*
[Figure: Confidentiality, Integrity, Availability, Privacy – NIST Cyber Security Framework]
10. Nation’s Assets
• People (safety and wellbeing)
• Information
• Infrastructure
• The whole Ecosystem
11. Actors
• Lots of Players
o Criminals
o Nation State Actors
o Individuals*
• “Left of the Hack”
o R & D
o Infrastructure setup
o Recon & Recruitment
o Money Mules
o System breach and exfiltration
• Underground Economy
• Zeus Trojan (2007)
• Mirai (2014)
[Figure: Actors / Adversaries – Motive and Capabilities; image: Zeus Botnet (FBI)]
14. Constituents - Increasing Preparedness
• Organisations of all shapes and sizes
• Different Stages of the Security Journey
• Those who
o Can & can’t afford* security
o Never experienced a breach or incidents
o Are not always visible
o Only have access to publicly available information
o Not being served by a CERT/CSIRT
o Learn about cyber security from movies
[Chart: Table Top Exercise 2019 – readiness scale from Clueless through Getting There to Mature, 0 to 10]
16. APCERT Drill 2007
• 0700 Lord of Armageddon (LoA) declares cyber war on the Beijing Olympics
• 0900 Co-ordinated botnet attacks from the AP region make media sites and government portals inaccessible
• 1100 Spam containing malware that turns PCs into zombies is filling up mailboxes in AP economies
• 1300 Border and core routers crashing and rebooting frequently. A 0-day exploit for Cisco IOS is rumoured to be available; Cisco promises to release a fix in a few hours
• 1430 – Cisco released a patch and advisory on the critical IOS vulnerability
• 1600 – Security analysts announced that the bots automagically removed themselves; no more attacks
http://www.apcert.org
17. Trusted Point of Contact
• People* discover issues/vulnerabilities
• Ideal situation
o Report to system owner & problem solved
o Everyone has a www.domain.com/security.txt
o Whois has an IRT object
• Reality
o Who should I contact?
o Reported but 0 response & action (+ ignored)
o APNIC Community Honeynet Project feed
• CERT/CSIRT
o The Go-To trusted point of contact
o Coordinate – understand local context
o Know the contacts personally
Shadowserver.org
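As an added illustration of the "ideal situation" above (not from the talk): a small Python checker for the RFC 9116 security.txt format that a CERT could run over a file fetched from a constituent. The sample file and the example.net domain are constructed; RFC 9116 places the file at /.well-known/security.txt and requires at least one Contact URI and exactly one, unexpired, Expires timestamp.

```python
import re
from datetime import datetime, timezone

SAMPLE = """# Constructed security.txt for illustration
Contact: mailto:security@example.net
Contact: https://example.net/report-a-vulnerability
Expires: 2030-01-01T00:00:00Z
"""

FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text):
    """Return (name, value) pairs; names lower-cased, comments and blanks skipped."""
    fields = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            raise ValueError(f"malformed line: {line!r}")
        fields.append((m.group(1).lower(), m.group(2)))
    return fields


def check_security_txt(text, now=None):
    """List the RFC 9116 problems a CERT would notice before trusting the file."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    contacts = [v for k, v in fields if k == "contact"]
    expires = [v for k, v in fields if k == "expires"]
    if not contacts:
        problems.append("no Contact field; RFC 9116 requires at least one")
    for c in contacts:  # values must be URIs, not bare e-mail addresses
        if not c.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"Contact is not a mailto:/https:///tel: URI: {c}")
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if when.tzinfo is None:
                problems.append("Expires lacks a time zone offset")
            elif when <= now:
                problems.append(f"file expired on {expires[0]}")
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    return problems
```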
18. Trusted Network Information Sharing
• There’s always something brewing
• Global, Regional & Local
• Platform for threat sharing & private mailing list
• Vendors have special programs for CERTs/CSIRTs
• Actionable information & insights
• Solarwinds & MISP -> actionable Intel
22. Suricata Rules generated (snip)
alert dns any any -> any any (msg: "MISP e1358 [] Domain avsvmcloud.com"; dns_query; content:"avsvmcloud.com"; nocase; pcre: "/(^|[^A-Za-z0-9-])avsvmcloud.com$/i"; classtype:trojan-activity; sid:9823577; rev:1; priority:1; reference:url,https://misp.honeynet.asia/events/view/1358;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg: "MISP e1358 [] Outgoing HTTP Domain avsvmcloud.com"; flow:to_server,established; content: "Host|3a|"; nocase; http_header; content:"avsvmcloud.com"; fast_pattern; nocase; http_header; pcre: "/(^|[^A-Za-z0-9-])avsvmcloud.com[^A-Za-z0-9-.]/Hi"; tag:session,600,seconds; classtype:trojan-activity; sid:9823578; rev:1; priority:1; reference:url,https://misp.honeynet.asia/events/view/1358;)
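Added example, not part of the talk or of MISP: a Python parser that reads the first (DNS) rule above into its header and options and then applies its content and pcre checks to constructed DNS query names, the way an analyst might sanity-check a feed-generated rule against DNS logs before loading it into Suricata.

```python
import re

# The first MISP-exported rule quoted on the slide, joined onto one line as
# Suricata requires (the slide's line breaks are layout, not part of the rule).
RULE = ('alert dns any any -> any any (msg: "MISP e1358 [] Domain avsvmcloud.com"; '
        'dns_query; content:"avsvmcloud.com"; nocase; '
        'pcre: "/(^|[^A-Za-z0-9-])avsvmcloud.com$/i"; classtype:trojan-activity; '
        'sid:9823577; rev:1; priority:1; '
        'reference:url,https://misp.honeynet.asia/events/view/1358;)')

# One rule option: keyword, optional ":" value (quoted or bare), terminated by ";"
OPTION_RE = re.compile(r'\s*(\w+)\s*(?::\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*)))?;')
PCRE_FLAGS = {"i": re.IGNORECASE, "s": re.DOTALL, "m": re.MULTILINE}


def parse_rule(text):
    """Split a Suricata rule into its header fields and an ordered option list."""
    head, _, body = text.partition("(")
    action, proto, src, sport, _arrow, dst, dport = head.split()
    options = []
    for m in OPTION_RE.finditer(body.rstrip().rstrip(")")):
        value = m.group(2) if m.group(2) is not None else m.group(3)
        options.append((m.group(1), value))
    return {"action": action, "proto": proto, "src": (src, sport),
            "dst": (dst, dport), "options": options}


def get_option(rule, key):
    """First value of a keyword such as sid, msg or classtype (None if absent)."""
    return next((v for k, v in rule["options"] if k == key), None)


def compile_pcre(value):
    """Translate Suricata's "/regex/flags" notation into a Python pattern."""
    body, _, flags = value.rpartition("/")
    return re.compile(body[1:], sum(PCRE_FLAGS.get(f, 0) for f in flags))


def dns_query_matches(rule, qname):
    """Apply the rule's content and pcre checks, in order, to one DNS query name."""
    opts = rule["options"]
    for i, (key, value) in enumerate(opts):
        if key == "content":
            # a "nocase" modifier directly after content applies to that content
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (qname.lower(), value.lower()) if nocase else (qname, value)
            if needle not in hay:
                return False
        elif key == "pcre" and not compile_pcre(value).search(qname):
            return False
    return True
```

Note that the pcre leaves the dot in avsvmcloud.com unescaped, so on its own it would also match a name such as avsvmcloudXcom; the preceding content keyword requires the literal string, so the rule is not widened in practice.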
23. Capacity Development
• CERT/CSIRT work = learning on the job
o Analysis & investigation
o Malware and digital forensics
o Content & artifacts available
• Training & Support
• Help everyone improve together
• Cyber Security Exercises
• Based on real incidents + on-site
• Opportunity for self-assessment (IR preparedness, gaps)
• CyberQuest 2017 – Financial Sector ISAC (Japan)
26. Outreach & Advisories
• Customise narrative to increase awareness
• Specific example & Context
• Make criminals work harder
• Based on experience in IR & dealing with breaches
• Phishing & Money mule story
Dear Sir/Madam:
Our warehouses are filled with great new and used warehouse equipment and
racking products, ready for fast shipment.
Due to the large amount of order we receive from Asia, most especially Malaysia,
China and India, we are in need of agents who will work from Malaysia as payment
agents.
Customers will make payments into your account. Instructions on how the funds
will be sent to us will then be given to you. You will be paid RM 2,000 on every
transfer and also get a Monthly Payment of $3,000 (USD)
Please provide us the following details to proceed.
Full Names:
Contact Address:
Mobile Phone Number:
Bank Name:
Account Number:
We only accept Maybank and CIMB Accounts.
Visit our website for more details.
www.americanequipmentinc.com/Online.html
Management
American Equipment Inc.
223 6th Street
Brookings, SD 57006 USA
www.americanequipmentinc.com/Online.html
27. [Diagram: who is asked to close the open ports]
Security Researcher: "Hi CERT, close those open ports. Botnets are using them to launch DDoS attacks"
CERT/CSIRT: "Hey ISP, close/disable those ports"
ISP: "Hey, Users – close those ports"
User: "What? Hey IoT vendors, why did you enable all these ports?"
Vendor: "?"
Others
28. Policy & Strategy
• Technical insights / lessons learned
o To improve/create policy or strategy
o Practical
o Behind the scenes
• Possible areas
o Blocking IPs / Domains
o Data breach reporting
o Cyber security standards (for CII etc)
o Cyber Norms
o National Cyber Security Strategy
• Translating strategy to implementation
• Responding as a group / community
o Software / Product Security
CERT/CSIRT Workshop for Policy Makers (Geneva) 2017
29. Challenges & Conclusion
• CERTs/CSIRTs play an important role
• Enabler of digital economy
• Defender of online safety, trust and privacy
• People to people network
• Vision & Resources
• Core task vs additional tasks
• Empowerment
• Opportunities
• Supporting the Eco-system
o Including tools
o Collaboration
• Check out available resources
o academy.apnic.net
o www.first.org
o Ethics FIRST - https://ethicsfirst.org/
o www.Europa.eu