CIRCL, national CERT of Luxembourg
CIRCL [1] is composed of 6 full-time incident handlers + 2 FTE backup operators.
Private organisation, publicly funded (Finance ministry)
The team operates as an autonomous technical team relying on its own infrastructure.
Operator competencies include reverse engineering, malware analysis, network and system forensics, software engineering and data mining.
CIRCL, the national CERT, is part of SMILE [2] g.i.e. (a publicly funded organisation promoting information security in Luxembourg).
In 2014, CIRCL handled more than 83000 security events and conducted more than 3000 technical investigations.
[1] http://www.circl.lu/
[2] http://www.smile.public.lu/
t organisation
Reassure companies willing to start a business in Luxembourg
Make it clear that IT security is important for the Luxembourgish government
Events that are hard or impossible to bill are also handled:
Small websites compromised (CMS, extensions...)
Potentially vulnerable systems connected to the internet (SCADA)
Information leaks
Availability of services to organisations/citizens located in Luxembourg
Main goals
Globally improving the IT security of private companies based in Luxembourg
Providing fire brigade-like support to companies in case of an IT security related incident
Default contact point for international contacts
Incident management for national and international cases
Vulnerability handling and responsible vulnerability disclosure
Widely trusted and well known in all sectors of activity
Building the trust
As open as possible in our activities
Public and anonymised reports on our activities
Presentations at conferences
Contributions to open source projects
Having clear and strict confidentiality rules with the requestor
our work is on behalf of the victim
no third party is informed without a written statement from the initial victim
Information sharing
MISP - Statistics and Platform Usage
3 MISP instances operated by CIRCL
National CERTs MISP (26 members)
Connected to NATO and CERT MISPs (CERT.at, CERT-EU, MISP.be...)
Less than 20% of the members fetch from the API to feed their own systems
Private sector MISP [3] (60+ members)
25% of the AV vendors are on the platform
Connected to Deloitte CTISRP and to private organisations running their own instances
Ephemeral MISP
[3] http://www.circl.lu/services/misp-malware-information-sharing-platform/
Bridging MISP Communities
Central position between governments, private companies and civil society
Synchronisation works within a common community (National CERTs or NATO members community)
But when you need to connect communities, validation and review of events usually need to be performed
Experience is key
CIRCL developed a Python library to access MISP, PyMISP [4], for that purpose
Operators see the update from a specific community and then decide whether or not to push events to the other community (GUIDs are preserved)
[4] https://github.com/MISP/PyMISP
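The review-then-push workflow described on this slide, as an added example that is not CIRCL's or PyMISP's own code. It models an operator bridge between two communities: each event fetched from the source community goes through a review policy, and accepted events are copied to the target with their UUID kept so both instances can later correlate the same event, while instance-local numeric ids are dropped. Assumptions not on the slide: events use MISP's JSON layout (`{"Event": {...}}`), the review policy is a plain Python callable keyed on TLP tags and the MISP distribution level, and the target instance is simulated by an in-memory list (with PyMISP, that append would be the `add_event()` call on the second instance). The sample events are constructed.

```python
"""Bridging MISP events between two communities with a review step (added example)."""
from __future__ import annotations

import copy
from typing import Callable, Dict, List, Tuple

# Fields the receiving instance assigns itself and must not be copied across.
# "uuid" is deliberately NOT in this set: it is what ties the two copies together.
INSTANCE_LOCAL_FIELDS = {"id", "org_id", "orgc_id", "sharing_group_id", "timestamp", "event_id"}

# Constructed sample events, as they might be returned by the source community's MISP.
# MISP distribution levels: 0 = own org, 1 = this community, 2 = connected communities,
# 3 = all communities, 4 = sharing group.
SOURCE_EVENTS: List[Dict] = [
    {"Event": {"id": "101", "uuid": "3f0c9b2a-0000-4000-8000-000000000001",
               "info": "phishing campaign (constructed)", "distribution": "3",
               "Tag": [{"name": "tlp:green"}],
               "Attribute": [{"id": "7", "event_id": "101", "type": "domain",
                              "value": "phish.example"}]}},
    {"Event": {"id": "102", "uuid": "3f0c9b2a-0000-4000-8000-000000000002",
               "info": "internal incident (constructed)", "distribution": "0",
               "Tag": [{"name": "tlp:red"}],
               "Attribute": [{"id": "8", "event_id": "102", "type": "ip-dst",
                              "value": "192.0.2.10"}]}},
    {"Event": {"id": "103", "uuid": "3f0c9b2a-0000-4000-8000-000000000003",
               "info": "scanner against SCADA ports (constructed)", "distribution": "2",
               "Tag": [{"name": "tlp:amber"}],
               "Attribute": [{"id": "9", "event_id": "103", "type": "ip-src",
                              "value": "198.51.100.7"}]}},
]


def tags_of(event: Dict) -> set:
    """Return the set of tag names attached to a MISP event."""
    return {t["name"] for t in event["Event"].get("Tag", [])}


def default_policy(event: Dict) -> bool:
    """Hypothetical review rule: only TLP:WHITE/GREEN events whose distribution
    already allows connected communities may cross to the other community."""
    e = event["Event"]
    return bool(tags_of(event) & {"tlp:white", "tlp:green"}) and int(e["distribution"]) >= 2


def prepare_for_push(event: Dict) -> Dict:
    """Copy the event, dropping instance-local ids but keeping the uuid."""
    out = copy.deepcopy(event)
    e = out["Event"]
    for field in INSTANCE_LOCAL_FIELDS:
        e.pop(field, None)
    for attr in e.get("Attribute", []):
        for field in INSTANCE_LOCAL_FIELDS:
            attr.pop(field, None)
    return out


def bridge_events(source_events: List[Dict], target_store: List[Dict],
                  policy: Callable[[Dict], bool] = default_policy) -> Tuple[List[str], List[str]]:
    """Push policy-approved events into target_store; return (pushed, skipped) uuids.

    Events whose uuid is already present in the target are skipped, which makes
    the bridge idempotent when the operator re-runs it on the same feed.
    """
    known = {ev["Event"]["uuid"] for ev in target_store}
    pushed, skipped = [], []
    for ev in source_events:
        uuid = ev["Event"]["uuid"]
        if uuid in known or not policy(ev):
            skipped.append(uuid)
            continue
        target_store.append(prepare_for_push(ev))
        known.add(uuid)
        pushed.append(uuid)
    return pushed, skipped


if __name__ == "__main__":
    target: List[Dict] = []
    pushed, skipped = bridge_events(SOURCE_EVENTS, target)
    print("pushed:", pushed)
    print("skipped:", skipped)
    print("target copy keeps uuid, has no local id:", target[0]["Event"])
```

The policy is the point where the slide's "validation and review" happens; in practice it is the operator's decision, so the callable is where a manual approval list or a stricter sharing rule would be plugged in.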
Other tools
Passive DNS
A database storing historical DNS records from various sources, including malware analysis or partners
BGP Ranking
Correlation of a large variety of private/public datasets including IPs, prefixes or ASNs for suspicious activities.
Metrics on internet providers worldwide
Dynamic Malware Analysis Platform (DMA)
A platform operated by CIRCL which allows the analysis of potentially malicious software or suspicious documents in a secure and virtualised environment
Based on Cuckoo
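How an analyst uses a historical DNS database like the one described under Passive DNS, as an added example that is not CIRCL's own code. It parses newline-delimited JSON records in the Passive DNS Common Output Format (rrname, rrtype, rdata, time_first, time_last, count), reconstructs the resolution history of a domain under investigation, and lists other domains that resolved to the same address during an overlapping time window. The COF field names are the public format; the record contents are constructed and the helper names are this example's own.

```python
"""Passive DNS (COF) parsing and resolution-history reconstruction (added example)."""
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed NDJSON records in the Passive DNS Common Output Format.
# Timestamps are epoch seconds; names and addresses are documentation ranges.
SAMPLE_PDNS = """\
{"rrname": "investigated.example", "rrtype": "A", "rdata": "192.0.2.44", "time_first": 1404172800, "time_last": 1409529600, "count": 120}
{"rrname": "investigated.example", "rrtype": "A", "rdata": "198.51.100.9", "time_first": 1409616000, "time_last": 1418688000, "count": 58}
{"rrname": "other-victim.example", "rrtype": "A", "rdata": "192.0.2.44", "time_first": 1406764800, "time_last": 1410000000, "count": 33}
{"rrname": "investigated.example", "rrtype": "NS", "rdata": "ns1.hoster.example", "time_first": 1404172800, "time_last": 1418688000, "count": 5}
{"rrname": "unrelated.example", "rrtype": "A", "rdata": "203.0.113.5", "time_first": 1400000000, "time_last": 1418688000, "count": 900}
"""

REQUIRED = {"rrname", "rrtype", "rdata", "time_first", "time_last"}


def parse_cof(text: str) -> List[Dict]:
    """Parse NDJSON COF records, rejecting lines missing mandatory fields."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        missing = REQUIRED - rec.keys()
        if missing:
            raise ValueError(f"line {lineno}: missing fields {sorted(missing)}")
        records.append(rec)
    return records


def _day(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).date().isoformat()


def resolution_history(records: List[Dict], name: str, rrtype: str = "A") -> List[Tuple[str, str, str]]:
    """Return (rdata, first_seen, last_seen) for `name`, ordered by first sighting."""
    hits = [r for r in records if r["rrname"] == name and r["rrtype"] == rrtype]
    hits.sort(key=lambda r: r["time_first"])
    return [(r["rdata"], _day(r["time_first"]), _day(r["time_last"])) for r in hits]


def shared_infrastructure(records: List[Dict], name: str, rrtype: str = "A") -> Dict[str, List[str]]:
    """Map each address `name` used to other names that pointed at it while `name` did.

    Only sightings whose [time_first, time_last] window overlaps are reported,
    so an address reused years later by an unrelated tenant is not flagged.
    """
    mine = [r for r in records if r["rrname"] == name and r["rrtype"] == rrtype]
    result: Dict[str, List[str]] = defaultdict(list)
    for own in mine:
        for other in records:
            if other["rrname"] == name or other["rrtype"] != rrtype or other["rdata"] != own["rdata"]:
                continue
            overlaps = other["time_first"] <= own["time_last"] and own["time_first"] <= other["time_last"]
            if overlaps and other["rrname"] not in result[own["rdata"]]:
                result[own["rdata"]].append(other["rrname"])
    return dict(result)


if __name__ == "__main__":
    recs = parse_cof(SAMPLE_PDNS)
    for rdata, first, last in resolution_history(recs, "investigated.example"):
        print(f"{rdata:16} {first} .. {last}")
    print(shared_infrastructure(recs, "investigated.example"))
```

The overlap test is what keeps this a correlation rather than a blanket "same IP ever" match, which on shared hosting would otherwise flag hundreds of unrelated names.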