Day 1 ENISA Setting Up A CSIRT

Presentation by ENISA

2. Agenda
  - How it all started
  - What do CERTs do?
  - How does Incident Response function?
  - CERT cooperation
  - ENISA and CERTs

3. Setting up a CSIRT
  - Introduction
  - Overall strategy for planning and setting up a CSIRT: The first section gives a description of what a CSIRT is. It also provides information about the different environments in which CSIRTs can work and what services they can deliver.
  - Developing the Business Plan: This section describes the business management approach to the setting-up process.
  - Promoting the Business Plan: This section deals with the business case and funding issues.
  - Examples of operational and technical procedures: This section describes the procedure of gaining information and translating it into a security bulletin. It also provides a description of an incident-handling workflow.
  - CSIRT training: This section gives a summary of available CSIRT training. For illustration, sample course material is provided in the annex.
  - Producing an advisory: This section contains an exercise on how to carry out one of the basic (or core) CSIRT services: the production of a security bulletin (or advisory).
  - Description of the Project Plan: This section points to the supplementary project plan (checklist) provided with this guide. This plan aims to be a simple-to-use tool for the implementation of this guide.

4. The early days of the Internet
  - First idea of an Internet in 1960: "A network of such [computers], connected to one another by wideband communication lines" which provided "the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions." (J.C.R. Licklider)
  - Beginning of the Internet by the Defense Advanced Research Projects Agency (DARPA) in 1981.
  [Figure: Map of the TCP/IP test network in January 1982]

5. Today's Internet
  [Figure]

6. First incident on the Internet
  2 November 1988: The MORRIS worm
  - First major outbreak; it spread swiftly around the world
  - 6,000 major UNIX machines were infected (of a total of 60,000 computers connected)
  - Estimated cost of damage: $10M-100M
  - Gene Spafford created a mailing list coordinating the first incident response

7. The First CERT
  After the incident, people realized they were in need of:
  - Timely response
  - A structured and organized approach
  - Central coordination
  This incident in the history of Internet security led directly to the founding of the CERT/CC.

8. Europe and CSIRTs
  - This model was soon adopted in Europe
  - 1992: SURFnet launched the first CSIRT in Europe, SURFnet-CERT
  - At present ENISA's inventory of CERT activities in Europe lists over 140 CSIRTs

9. European CERT activities
  [Figure]

10. CSIRT abbreviations
  - CERT / CERT-CC (Computer Emergency Response Team)
  - CSIRT (Computer Security Incident Response Team)
  - IRT (Incident Response Team)
  - CIRT (Computer Incident Response Team)
  - SERT (Security Emergency Response Team)
  - Abuse Team (not a CSIRT): a response facility, usually operated by an ISP, that professionally handles "Internet-abuse" reports or complaints.

11. CSIRT definition
  CSIRT: A team that responds to computer security incidents, providing the necessary services to solve them or supporting their resolution. It tries to prevent computer security incidents within its constituency or area of responsibility.
  Constituency: The customer base of a CSIRT.

12. Benefits of having a CSIRT
  - A dedicated ICT-security team helps to mitigate and prevent major incidents, protecting your organization's valuable assets.
  - Centralized coordination for ICT-security issues.
  - A specialized organization for handling and responding to ICT incidents.
  - Dedicated support available, assisting in taking the appropriate steps and helping the constituent with quick recovery of the ICT infrastructure.
  - Dealing with legal issues and preserving evidence in the event of a lawsuit.
  - Educating the organization on ICT security.
  - Stimulating cooperation within the constituency on ICT security, preventing possible losses.

13. What kinds of CSIRTs exist
  Constituency-dependent sector CSIRTs, in alphabetical order:
  - National / Governmental Sector
  - Academic Sector
  - Commercial
  - CIP/CIIP Sector
  - Internal
  - Military Sector
  - Small & Medium Enterprises (SME) Sector
  - Vendor Teams
  - …

14. CSIRT services 1/3
  We can distinguish 4 kinds of services:
  1. Reactive services
  2. Proactive services
  3. Artifact handling
  4. Security quality management

15. CSIRT "Core" Services 2/3
  Reactive Services:
  - Alerts and Warnings
  - Incident Handling: Incident analysis; Incident response support; Incident response coordination
  Proactive Services:
  - Announcements

16. CSIRT services 3/4
  Reactive services:
  - Alerts and Warnings
  - Incident Handling: Incident analysis; Incident response support; Incident response coordination; Incident response on site
  - Vulnerability handling: Vulnerability analysis; Vulnerability response; Vulnerability response coordination
  Proactive services:
  - Announcements
  - Technology watch
  - Security audits or assessments
  - Configuration and maintenance of security
  - Development of Security Tools
  - Intrusion Detection Services
  - Security-Related Information Dissemination
  Artifact handling:
  - Artifact analysis
  - Artifact response
  - Artifact response coordination
  Security Quality Management:
  - Risk Analysis
  - Business Continuity and Disaster Recovery
  - Security Consulting
  - Awareness Building
  - Education/Training
  - Product Evaluation or Certification

17. CSIRT services 4/4
  First questions about services:
  1. Understand what a CSIRT is and what benefits it might provide
  2. To what sector is the CSIRT delivering its services?
  3. Decide on the core services of your CSIRT
  4. Start preparing your CSIRT: organization, staff, legal, contracts, procedures
  - Deliver the core services according to your standards and agreements

18. Choosing the right approach
  1. Define a communication approach to your constituents
  2. Define the mission statement
  3. Make a realistic implementation/project plan
  4. Define your CSIRT services
  5. Define the organizational structure
  6. Define the Information Security policy
  7. Hire the right staff
  8. Utilise your CSIRT office
  9. Look for cooperation with other CSIRTs and possible national initiatives

19. Analyzing your Constituency
  - SWOT analysis
  - PEST analysis

20. Example SWOT analysis
  Results in delivering the following Core Services:
  - Alerts and Warnings
  - Incident handling
  - Announcements

21. Communication channels
  - Public website
  - Closed member area on the website
  - Web forms to report incidents
  - Mailing lists
  - Email
  - Phone
  - SMS
  - 'Old fashioned' paper letters
  - Monthly or annual reports

22. Mission statement
  It is important to have a mission statement:
  - In communicating your existence to constituents
  - In communicating it to your staff
  - For commercial use: elevator pitches, brochures, …
  Examples:
  "<Name of CSIRT> provides information and assistance to its <constituents (define your constituents)> in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur."
  "To offer support to <Constituents> on the prevention of and response to ICT-related Security Incidents"

23. Developing a business plan
  Defining a financial model:
  - Cost model
  - Revenue model: Use of existing resources; Membership fee; Subsidy

24. Costs of running a CSIRT
  - Staff: 24x7 or office hours
  - Housing: normal secured or high-security facility
  - Equipment
  - Hosting facilities
  - Branding material (corporate style): brochures

25. Your organizational structure
  A CSIRT organization could define the following roles:
  - General: General manager
  - Staff: Office manager; Accountant; Communication consultant; Legal consultant
  - Operational technical team: Technical team leader; Technical CSIRT technicians, delivering the CSIRT services; Researchers; External consultants, hired when needed

26. Independent business model
  [Figure]

27. The embedded model
  [Figure]

28. The Campus model
  [Figure]

29. The voluntary model
  - A group of people (specialists) that join together in case of emergency.
  - Loosely coupled. Example: WARPs

30. Hiring the right staff (the hot picks)
  - Flexible, creative, good team spirit
  - Strong analytical skills
  - Ability to explain difficult technical matters in simple wording
  - Good organizational skills and stress-resistant
  - Technical knowledge (deep specialist + broad general Internet technology knowledge)
  - Willingness to work 24x7
  - Loving to do the job! ;)

31. Utilization & equipping the office
  - Hardening the building (see ISO 17799)
  - Maintaining communication channels
  - Record tracking system(s)
  - Use the corporate style from the beginning!
  - Foresee out-of-band communication in case of attacks
  - Check redundancy of Internet connectivity and office space in case of emergencies

32. Information security policy
  Information handling policy:
  1. How is incoming information "tagged" or "classified"?
  2. How is information handled, especially with regard to exclusivity?
  3. What considerations are adopted for the disclosure of information ("when, what?"), especially incident-related information passed on to other teams or to sites?

33. Information security policy
  4. Are there legal considerations to take into account with regard to information handling?
  5. Do you have a policy on the use of cryptography to shield exclusivity & integrity in archives and/or data communication, especially e-mail?
  6. This policy must include possible legal boundary conditions such as key escrow or enforceability of decryption in case of lawsuits.

34. Information Security policy
  - National: Laws on information technology; Laws on data protection and privacy; Codes of conduct for corporate governance and IT governance
  - European directives: Directives on data protection and electronic communication
  - International: Basel II, European Convention on Cybercrime
  - Standards: BS 7799; ISO 27001

35. Search for cooperation
  - ENISA
  - National initiatives
  - TF-CSIRT
  - WARPs
  - FIRST

36. Promoting your business plan
  - Visualize the trends in IT security, especially the decrease in the skills necessary to carry out increasingly sophisticated attacks.
  - Another point to mention is the continuously shrinking time window between the availability of software updates for vulnerabilities and the start of attacks against them.

37. Promoting your business plan
  Time window from patch to exploit:
  - Nimda: 11 months
  - Slammer: 6 months
  - Nachi: 5 months
  - Blaster: 3 weeks
  - Witty: 1 day (!)
  Virus spreading rate:
  - Code Red: days
  - Nimda: hours
  - Slammer: minutes

38. Business plan & Management
  - What is the problem?
  - What would you like to achieve with your constituents?
  - What happens if you do nothing?
  - What happens if you take action?
  - What is it going to cost?
  - What is to be gained?
  - When do you start and when is it finished?

39. Short wrap-up
  - How is information handled within your organization?
  - Do you have an information security policy?
  - Do you know other CSIRTs?
  - Could you share incidents that can help the promotion of a CSIRT business plan?
  - Discuss your potential business plan

40. Operational Procedures
  Focus on basic services first!
  - Alerts and Warnings
  - Incident handling
  - Announcements

41. Information process flow
  [Figure]

42. Information process flow
  Information Sources:
  - Vulnerability information
  - Incident reports
  - Public and closed sources for vulnerability information:
    - Public and closed mailing lists
    - Vendor vulnerability product information
    - Websites
    - Information on the Internet
    - Public and private partnerships that provide vulnerability information (FIRST, TF-CSIRT, CERT-CC, US-CERT)

43. Information process flow
  - Identification
    - Trustworthy source of information
    - Correct information (cross-checked with other sources)
  - Relevance
    - Impact on the IT infrastructure of the constituent
  - Classification of information
    - Risk assessment & impact analysis
    - Impact = Risk x potential damage

44. Information process flow: Risk assessment & impact analysis
  RISK (each answer scores 1 or 2):
  - Is the vulnerability widely known? No, limited: 1 / Yes, public: 2
  - Is the vulnerability widely exploited? No: 1 / Yes: 2
  - Is it easy to exploit the vulnerability? No, hacker: 1 / Yes, script kiddie: 2
  - Precondition: default configuration? No, specific: 1 / Yes, standard: 2
  - Precondition: physical access required? Yes: 1 / No: 2
  - Precondition: user account required? Yes: 1 / No: 2
  Risk total: 11-12 High; 8-10 Medium; 6-7 Low
  DAMAGE:
  - Unauthorized access to data: No: 0 / Yes, read: 2 / Yes, read + write: 4
  - DoS: No: 0 / Yes, non-critical: 1 / Yes, critical: 5
  - Permissions: No: 0 / Yes, user: 4 / Yes, root: 6
  Damage total: 6 to 15 High; 2 to 5 Medium; 0-1 Low
  OVERALL:
  - High (immediate action needed!): Remote root; Local root exploit (attacker has a user account on the machine); Denial of Service
  - Medium (action within a week): Remote user exploit; Remote unauthorized access to data; Unauthorized obtaining of data; Local unauthorized access to data
  - Low (include it in the general process): Local unauthorized obtaining of user rights; Local user exploit

45. Information process flow: Distribution of information
  - Website
  - Email
  - Reports
  - Archiving and research
  Example of an Advisory (template fields):
  - Title of the advisory
  - Reference number
  - Systems affected
  - Related OS + version
  - Risk (High-Medium-Low)
  - Impact/potential damage (High-Medium-Low)
  - External IDs (CVE, vulnerability bulletin IDs)
  - Overview of vulnerability
  - Impact
  - Solution
  - Description (details)
  - Appendix

46. Incident handling process
  [Figure]

47. Incident Handling process
  1. Receiving incident reports: Email; Phone; Fax
  2. Incident Evaluation: Identification; Relevance; Classification; Triage
  3. Take action

48. Incident handling process: Actions
  - Start an incident ticket: essential for solving the incident and communicating with the involved constituents.
  - Solve the incident: preserving any information which may be needed for prosecution takes carefully planned action!
  - Incident handling report
  - Archiving
  NOTE: Each type of incident calls for different actions!

49. Wrap-up
  1. Understanding what a CSIRT is.
  2. What sector do you deliver your services to?
  3. What kinds of services can a CSIRT provide to its constituents?
     - Analysis of the environment and constituents
     - Defining the mission statement
  4. Defining your goals
     - Defining your cost model
     - Defining the organizational model
     - Starting to hire your staff
     - Utilizing your office
     - Defining the needed security policy
     - Looking for cooperation partners
  5. Dealing with matters of project management
     - Have the business case approved
     - Fit everything into a project plan
  6. Making the CSIRT operational
     - Creating workflows
     - Implementing CSIRT tooling
  The next step is: training your staff.

50. Workflow 2nd example: Producing an advisory
  Bulletin Identifier: Microsoft Security Bulletin MS06-042
  Bulletin Title: Cumulative Security Update for Internet Explorer (918899)
  Executive Summary: This update resolves several vulnerabilities in Internet Explorer that could allow remote code execution.
  Maximum Severity Rating: Critical
  Impact of Vulnerability: Remote Code Execution
  Affected Software: Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.

51. Workflow 2nd example: Collecting vulnerability information
  - Verify the authenticity on the vendor website
  - Gather more details on: the vulnerability; affected systems

52. Workflow 2nd example: Evaluate information
  Assess the risk:
  - Is the vulnerability well known? Y
  - Is the vulnerability widespread? Y
  - Is it easy to exploit the vulnerability? Y
  - Is it a remotely exploitable vulnerability? Y
  Damage: Remote accessibility and chance of remote code execution. This vulnerability contains multiple issues which make the damage risk HIGH.

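An added example, not part of the ENISA slides: the risk and damage scoring table from the "Risk assessment & impact analysis" slide as a small Python classifier, run on the MS06-042 evaluation from the workflow example. The mapping of that slide's "Y" answers onto the table's options, and reading "complete control over the system" as root permissions with read/write data access, are assumptions made here.

```python
# Point values transcribed from the risk assessment & impact analysis slide.
# Risk: six questions, each answer worth 1 (less risky) or 2 (more risky).
RISK_POINTS = {
    "widely_known":     {"limited": 1, "public": 2},
    "widely_exploited": {"no": 1, "yes": 2},
    "easy_to_exploit":  {"hacker": 1, "script_kiddie": 2},
    "default_config":   {"specific": 1, "standard": 2},
    "physical_access":  {"required": 1, "not_required": 2},
    "user_account":     {"required": 1, "not_required": 2},
}
# Damage: three categories with the slide's 0..6 point values.
DAMAGE_POINTS = {
    "data_access": {"no": 0, "read": 2, "read_write": 4},
    "dos":         {"no": 0, "non_critical": 1, "critical": 5},
    "permissions": {"no": 0, "user": 4, "root": 6},
}

def _score(table, answers):
    """Sum the points for each answer; reject missing or unknown answers."""
    total = 0
    for question, options in table.items():
        answer = answers.get(question)
        if answer not in options:
            raise ValueError(f"{question}: expected one of {sorted(options)}, got {answer!r}")
        total += options[answer]
    return total

def risk_score(answers):    # result lies in 6..12
    return _score(RISK_POINTS, answers)

def damage_score(answers):  # result lies in 0..15
    return _score(DAMAGE_POINTS, answers)

def risk_level(score):
    """Slide thresholds: 11-12 High, 8-10 Medium, 6-7 Low."""
    return "High" if score >= 11 else "Medium" if score >= 8 else "Low"

def damage_level(score):
    """Slide thresholds: 6-15 High, 2-5 Medium, 0-1 Low."""
    return "High" if score >= 6 else "Medium" if score >= 2 else "Low"

def assess(risk_answers, damage_answers):
    """Classify one vulnerability report on both axes."""
    r, d = risk_score(risk_answers), damage_score(damage_answers)
    return {"risk": r, "risk_level": risk_level(r),
            "damage": d, "damage_level": damage_level(d)}

# Constructed input: the MS06-042 answers from the workflow slide (all "Y"),
# mapped onto the table; "remotely exploitable" is taken as no physical access
# and no user account required, and the damage answers are our reading of
# "complete control over the system" and "view, change or delete data".
MS06_042_RISK = {"widely_known": "public", "widely_exploited": "yes",
                 "easy_to_exploit": "script_kiddie", "default_config": "standard",
                 "physical_access": "not_required", "user_account": "not_required"}
MS06_042_DAMAGE = {"data_access": "read_write", "dos": "no", "permissions": "root"}

if __name__ == "__main__":
    print("MS06-042:", assess(MS06_042_RISK, MS06_042_DAMAGE))
```

The thresholds are taken verbatim from the slide; an unknown or missing answer raises rather than silently scoring zero, so an incomplete triage cannot land in "Low" by accident.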
53. Workflow 2nd example: Distribution of information
  Title of advisory: Multiple vulnerabilities found in Internet Explorer
  Reference number: 082006-1
  Systems affected: 1. All desktop systems that run Microsoft
  Related OS + version:
  - Microsoft Windows 2000 Service Pack 4
  - Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
  - Microsoft Windows XP Professional x64 Edition
  - Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
  - Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
  - Microsoft Windows Server 2003 x64 Edition
  Risk (High-Medium-Low): HIGH
  Impact/potential damage (High-Medium-Low): HIGH
  External IDs (CVE, vulnerability bulletin IDs): MS06-042
  Overview of vulnerability: Microsoft has found several critical vulnerabilities in Internet Explorer which can lead to remote code execution.
  Impact: An attacker could take complete control over the system, installing programs, adding users and viewing, changing or deleting data. Mitigating factor: the above can only take place if the user is logged in with administrator rights. Users logged on with fewer rights could be less impacted.
  Solution: Patch your IE immediately
  Description (details): See ms06-042.mspx for more information
  Appendix: See ms06-042.mspx for more information

54. ENISA and CSIRTs
  Mission:
  - Promote and facilitate good practice in setting up and running CSIRTs / WARPs / Abuse Teams / etc.
  - Encourage cooperation between different actors
  - Develop relations with the various CERT/CSIRT communities
  - Support their activities
  - Run a Working Group with external experts

55. How does ENISA support the CSIRT community? Promote best practice!
  - 2005: Stocktaking Cooperation Report
  - 2006: Setting up & Operation Document
  - 2007: Support Exercises
  - 2008: CERT Exercises
  - 2009: CERT Capabilities
  - 2009: CERT Quality Assurance
  […]

56. Stay in touch with ENISA!

57. THANK YOU!
  Contact: Andrea DUFKOVA, Section for Computer Security and Incident Response, ENISA