JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan. Since its establishment in 1992, the center has been gathering computer security incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.

Fundamentals of Computer Incident Handling

Yurie Ito, Director of Technical Operation, JPCERT/Coordination Center, Japan

CSIRT Training at the AfNOG tutorial, Morocco, 1 June 2008

What is a CSIRT?

CSIRT: Computer Security Incident Response Team
CERT: Computer Emergency Response Team (also expanded as Computer Emergency Readiness Team)
CSIRT/CC: Coordination Center
IRT: Incident Response Team

Many types of CSIRTs:

- National POC CSIRT
- Organization CSIRT
- Government CSIRT
- Military CSIRT
- Academic/Research CSIRT
- Vendor/Product CSIRT
- Regional CSIRT

Copyright® 2008 JPCERT/CC All rights reserved.
Introduction / History

Morris Worm

- 2 November 1988
- Robert Tappan Morris, a university student
- Just a program to find out how large the Internet was
- This incident was the epoch of "Internet Security"
After Action

To identify how to improve the response to computer security incidents...

Effects of the worm:

- 6,000 major Unix machines were infected
- Some guess that there were about 60,000 computers on the Internet at that time
- Cost of the damage estimated at $10M-100M
- A call for a single point of contact to be established for Internet security problems
CERT/CC Web page
http://www.cert.org/
FIRST

Forum of Incident Response and Security Teams

- Only worldwide CSIRT forum
- Top experts from across the field
- Neutral interconnect for vendors and others
- Low cost, low overhead
FIRST Resources

Expertise resources / Technical resources:

- 200 PoCs of Incident Response Teams from all over the world
- Tools
- Mailing Lists
- Web Site: Best Practice Guides, Team Contact details, Presentations
- IRC
- Annual Conference
- Regional TCs (Technical Colloquia)
- Training
- Special Interest Groups
Members -- http://www.first.org/about/organization/teams/

FIRST's incident response teams draw their members from, among others, Apple, Boeing, British Telecommunications, Cablecom, Cisco Systems, Citigroup, Commerzbank, Deutsche Bank, Energis, Ernst and Young, Fujitsu-Siemens, the German Savings Bank, Google, Goldman Sachs, IBM, Intel, JP Morgan, Merrill Lynch, NASA, NATO, Nortel, Oracle, the Royal Bank of Scotland, Sprint, Sun Microsystems, Symantec, Wells Fargo, the American Red Cross Computer Emergency Response Team, CERT Bundeswehr, CERT Chile, the Danish Computer Security Incident Response Team, CERT Italiano, CERT Israeli Academic, Japan Security Operation Centre, CSIRT Korea, CERT Malaysia, Ontario Information Protection Centre, CERT Polska, CERT Slovenia, CERT Singapore, CERT Swiss Education and Research Network, CERT Taiwan, CERT US Department of Defense, CERT HM Government, UK, CERT US Department of Defence, the US Army Emergency Response Team, the US Computer Emergency Readiness Centre, the US Postal Service Computer Incident Response Team, the Massachusetts Institute of Technology, Georgia Institute of Technology and the Universities of Chicago, Georgia, Indiana, Michigan, Northwestern, Oxford, Pennsylvania State, Rechenzentrum, Stanford, and Wisconsin-Madison.

Definition of Incident Response, Intrusion, and Events

Cyber Incident

- Spyware, botnets, phishing, social engineering, Trojans, etc.
- Technical vulnerabilities, tools, techniques
- How? Where? When? Who? Why? What?

What is an Incident?

- In order to respond we must first recognize a "computer security incident"
- There is no uniform agreement as to what constitutes an incident
- It depends on what the organization defines

What is an Incident?

"Computer Security Incident"

Sample definition: "Any real or suspected adverse event in relation to the security of computer systems or computer networks" (according to the CSIRT FAQ at CERT/CC)

JPCERT/CC definition:

A "computer security incident" is a computer security related event caused by humans, including both intentional and accidental ones. Examples are: unauthorized use of resources, service interference, destruction of data, unintended disclosure of information, and other behaviors that can lead to these events.
What is an Incident?

"Incident" = "Adverse event" that threatens systems' Confidentiality, Integrity, Availability

"Adverse event" <= observable:

- DoS (Denial of Service) attack
- Unauthorized access (Web, Database, Host ...)
- Defacement of a public Web site (by intrusion)
- Worm that infects workstations on a network
- Scan

What is "Incident Response"?

"Incident Response" is the process of addressing computer security incidents:

- Detecting / analyzing the incident
- Limiting the incident's effect

General goals are:

- The progress of the incident is halted.
- Affected systems return to normal operation.

Identifying Intrusion

- Observe systems for unexpected behavior or anything suspicious
- Investigate anything considered unusual
- If the investigation finds something that isn't explained by authorized activity, immediately initiate response procedures
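The three steps above (observe, investigate, respond to what authorized activity does not explain) as an added example, not code from the slides or from JPCERT/CC. It runs over a constructed firewall/sshd log whose line format, the 60-second window, the scan and brute-force thresholds, and the register of authorized activity are all assumptions made for this example:

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log (not from the slides): firewall DENY lines and sshd
# failures in one syslog-like stream; the line formats are assumptions.
SAMPLE_LOG = """\
2008-06-01T09:00:01 fw DENY src=10.0.0.5 dst=192.0.2.10 dport=21
2008-06-01T09:00:01 fw DENY src=10.0.0.5 dst=192.0.2.10 dport=22
2008-06-01T09:00:02 fw DENY src=10.0.0.5 dst=192.0.2.10 dport=23
2008-06-01T09:00:02 fw DENY src=10.0.0.5 dst=192.0.2.10 dport=25
2008-06-01T09:00:03 fw DENY src=10.0.0.5 dst=192.0.2.10 dport=80
2008-06-01T09:10:00 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=21
2008-06-01T09:10:00 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=22
2008-06-01T09:10:01 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=23
2008-06-01T09:10:01 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=25
2008-06-01T09:10:02 fw DENY src=198.51.100.7 dst=192.0.2.10 dport=80
2008-06-01T09:12:00 sshd Failed password for root from 203.0.113.9
2008-06-01T09:12:03 sshd Failed password for root from 203.0.113.9
2008-06-01T09:12:05 sshd Failed password for admin from 203.0.113.9
2008-06-01T09:12:09 sshd Failed password for root from 203.0.113.9
2008-06-01T09:15:00 sshd Failed password for alice from 10.0.0.20
"""

FW_RE = re.compile(r"^(?P<ts>\S+) fw DENY src=(?P<src>\S+) dst=\S+ dport=(?P<port>\d+)$")
SSH_RE = re.compile(r"^(?P<ts>\S+) sshd Failed password for (?P<user>\S+) from (?P<src>\S+)$")

WINDOW = timedelta(seconds=60)  # assumed thresholds; tune to the constituency
SCAN_PORTS = 5                  # distinct ports from one source within WINDOW
AUTH_FAILURES = 4               # failed logins from one source within WINDOW

@dataclass
class AuthorizedActivity:       # e.g. a scheduled internal vulnerability scan
    src: str
    start: datetime
    end: datetime
    description: str

@dataclass
class Finding:
    kind: str                   # "port_scan" or "brute_force"
    src: str
    first_seen: datetime
    detail: str
    explanation: str = ""       # filled in when authorized activity explains it

def _parse(log_text):
    """Split the stream into per-source firewall (ts, port) and sshd (ts, user) events."""
    fw, ssh = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        if m := FW_RE.match(line):
            fw[m["src"]].append((datetime.fromisoformat(m["ts"]), int(m["port"])))
        elif m := SSH_RE.match(line):
            ssh[m["src"]].append((datetime.fromisoformat(m["ts"]), m["user"]))
    return fw, ssh

def _first_burst(events, enough):
    """First (start, items) where the items within WINDOW of start satisfy enough(items)."""
    events = sorted(events)
    for t0, _ in events:
        items = [(t, v) for t, v in events if t0 <= t <= t0 + WINDOW]
        if enough(items):
            return t0, items
    return None

def detect(log_text):
    """Observe: turn raw log lines into findings that deserve investigation."""
    fw, ssh = _parse(log_text)
    findings = []
    for src, events in fw.items():
        burst = _first_burst(events, lambda items: len({p for _, p in items}) >= SCAN_PORTS)
        if burst:
            ports = sorted({p for _, p in burst[1]})
            findings.append(Finding("port_scan", src, burst[0], f"{len(ports)} ports {ports}"))
    for src, events in ssh.items():
        burst = _first_burst(events, lambda items: len(items) >= AUTH_FAILURES)
        if burst:
            users = sorted({u for _, u in burst[1]})
            findings.append(Finding("brute_force", src, burst[0], f"{len(burst[1])} failures for {users}"))
    return findings

def investigate(findings, register):
    """Investigate: record the authorized activity that explains a finding, if any."""
    for f in findings:
        for a in register:
            if a.src == f.src and a.start <= f.first_seen <= a.end:
                f.explanation = a.description
                break
    return findings

def needs_response(findings):
    """Whatever authorized activity does not explain triggers the response procedure."""
    return [f for f in findings if not f.explanation]

# Constructed register: the internal scanner 10.0.0.5 is scheduled 09:00-09:30.
AUTHORIZED = [AuthorizedActivity("10.0.0.5", datetime(2008, 6, 1, 9, 0),
                                 datetime(2008, 6, 1, 9, 30), "scheduled internal vulnerability scan")]

if __name__ == "__main__":
    for f in needs_response(investigate(detect(SAMPLE_LOG), AUTHORIZED)):
        print(f"RESPOND: {f.kind} from {f.src} at {f.first_seen:%H:%M:%S} ({f.detail})")
```

On the sample data the internal scanner's burst is detected but explained by the register, so only the external port scan and the SSH password guessing reach the response step; keeping the register as data rather than hard-coding exceptions into the detector is what makes the "explained by authorized activity" check auditable.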

Incident samples

- Scan activity against a firewall server
- Web defacement
- Information leakage
- Phishing site: a server used as a phishing site; your website used as a phishing site
- Intrusion (Web, Database, FTP, Proxy, and so on...)
- DoS attack against a Web server
- Proxy server used as an open proxy
- SMTP relay
- Virus infection
- Forged e-mail and tons of returned error mails
- Laptop lost
- Malware distribution
- Becoming a bot
- One-click fraud
- Mis-operation
- So many other incidents...

Why CSIRT

What is a CSIRT?

- POC (Point of Contact)
- Coordination / Response
- The CSIRT provides service and support to its constituency (Incident Response)
- Constituency? Service?

What is a CSIRT? - JPCERT/CC model

- POC (Point of Contact)
- Coordination / Response
- The CSIRT provides service and support to its constituency (Incident Response)
- Constituency? → Internet community in Japan
- Service? → Incident Response and Analysis, Security Alerts, Coordination with other CSIRTs, Vendor Coordination, Education & Training, Research & Analysis

What is a CSIRT? – Why we need a national POC

A CSIRT gains the trust of its constituency through:

- Cultural understanding: local culture and other countries' cultures, company culture, government culture
- Legal understanding
- Language: local language; English, French; other languages

Background

Many excuses for not planning for incident response, such as:

- "We are NOT a target. I do NOT believe anyone would want to compromise our network."
- "We can NOT be hacked. We have the best network defenses, which proved very expensive."
- "We already plan but NEVER deal successfully with it. We were always putting out fires."
- "We thought we would just figure it out WHEN THE TIME CAME."

Background

- We depend on the Internet and computers to the extent that day-to-day operations rely on them
- The Internet is vital for business and daily life
- The Internet and computers help our activities in a cost-effective and efficient way
- The operators of critical infrastructure are concerned...
- Computer systems are vulnerable to attack, or to being used to further attacks on others

Background

- The Internet and computers are complex and dynamic
- The Internet is easily accessible to anyone with a computer and a network connection
- Fewer cross-border barriers than in the real world
- There is NO perfect system or user: misconfiguration, outdated/unpatched systems, vulnerabilities in software, and lack of security awareness among users
- Possible intrusion/vulnerability in your systems and your constituency's systems!

Why Do I Need a CSIRT?

- Malicious acts will happen: even the best information security infrastructure can NOT guarantee otherwise.
- Attackers target resources. What is their motivation? Technical interest, money
- If incidents occur, it is critical to have an effective means of responding, to limit the damage and lower the cost of recovery
- Need to have the ability to Protect, Detect, Analyze and Respond to an incident
- Professionals should respond to an incident

Cyber Security Incidents Change

Large-scale, widespread incidents (e.g. virus or worm outbreaks)

- Script kiddies, hobbyists
- Motivation: for fun - stopping things, e.g. denial of service
- Motivation: for fame, recognition - e.g. Web defacement

Specifically targeted, pinpoint incidents using powerful tools (e.g. botnets)

- Professionals, criminals
- Motivation: specific. Stealing - IDs, money, information (e.g. phishing, ID theft...)

Multiple Disciplines Cooperation - Motivation

Need multiple communication networks to share information in a timely and efficient way; CSIRTs bridge the gap.

Difficulties of communication between:

- Private sector and public sector
- Different function layers: CSIRTs, policy makers, law enforcement
- Competitors
- International parties

Building a global distributed network of operational processes between CSIRT partners:

- Systematic sharing of information and resources using the trusted network will minimize the coordination effort
- Minimize the potential for misunderstanding or mistakes when sharing sensitive information
- Disclose information as appropriate, as necessary
- Keep working closely with the private sector, as an independent neutral organization

So, What Does a CSIRT Do?

Provides a single point of contact for reporting:

- info@jpcert.or.jp for reporting incidents
- office@jpcert.or.jp for general contact
- Vuls@jpcert.or.jp for vulnerabilities

Assists the organizational constituency and the general computing community in preventing and handling computer security incidents.

Shares information and lessons learned with other CSIRTs / response teams and appropriate organizations and sites.

CSIRT Services

At first, responding to "incidents":

Incident Handling
- Incident response
- Incident analysis
- Incident coordination
- Statistics

Still other services:
- Vulnerability
- Artifact
- Education / Training
- Others
CSIRT Services

Reactive: to respond to requests for assistance, reports of incidents from your constituency, and any threats or attacks against CSIRT systems.

Incident Handling
- Incident analysis
- Incident response on site
- Incident response support
- Incident response coordination

Any other service?

CSIRT Services

Proactive: to improve the infrastructure and security processes of the constituency before any incident or event occurs or is detected. The main goals are to avoid incidents and to reduce their impact and scope when they do occur.

Ex) Vulnerability Handling
- Vulnerability analysis
- Vulnerability response
- Vulnerability response coordination, with vendor CSIRTs (Cisco PSIRT, Hitachi HIRT, Microsoft MSRC...)

Proactive
- Announcements: alerts and warnings; technical alerts on incidents, vulnerabilities and other Internet security related information
- Training, education

CSIRT Services

CERT/CC definition: http://www.cert.org/csirts/services.html
Important Things to Define

- What to do? → Mission
- For whom? → Constituency
- In what local setting? → Place in organization
- In cooperation with whom? → Relationship to other teams
Objective of Incident Response

- Provide support for recovering from and dealing with incidents
- Provide technical support in response to computer security incidents: questions about technical solutions, help to stop the attack (how?), contain the damage
- The objectives for incident response are derived from the CSIRT mission statement

JPCERT/CC – National CSIRT Activities in Japan

JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan. Since its establishment in 1992, the center has been gathering computer incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.

General Information about JPCERT/CC

Brief history:

- Voluntarily started in 1992 as JPCERT/CC
- Officially established as JPCERT/CC, funded by MITI (Ministry of International Trade and Industry, predecessor of METI), in August 1996
- Service started on October 1st, 1996
- Budgeted by METI
- Non-governmental, not-for-profit organization
- National CSIRT in Japan (Point of Contact for international relations)
- FIRST (Forum of Incident Response and Security Teams) full member (since 1998)
- APCERT (Asia Pacific Computer Emergency Response Teams) SC member, Secretariat

Our history (timeline)

- Oct 1996: Japan Computer Emergency Response Center; Incident Response (reactive service)
- Aug 1998: Joined FIRST
- Mar 2003: Network Monitoring ISDAS (real-time situation awareness)
- Jul 2004: Vulnerability Handling (proactive activities)
- Oct 2006: 10th Anniversary
Recent Internet trend and JPCERT/CC

- 1996: JPCERT/CC employees 5; activities: incident response, international teamwork; Internet users (Japan) 5.7 million (1997)
- 2002: JPCERT/CC employees 13; activities: incident response, international teamwork, traffic monitoring; Internet users (Japan) 46 million; broadband users (Japan) 13 million
- 2005: JPCERT/CC employees 26; activities: incident response, international teamwork, traffic monitoring, vulnerability handling (2004), watch & warning; Internet users (Japan) 70 million; broadband users (Japan) 38 million

Budget

- JPCERT/CC's activities are fully funded and budgeted by METI (Ministry of Economy, Trade and Industry)
- Non-governmental, not-for-profit, industry/vendor neutral organization

International Incident Handling

Overcome the differences between:

- Languages
- Security cultures
- Rules, laws, regulations
Incident Response Coordination (figure)

Actors: incident site and domestic ISPs (Japan); source host and overseas CSIRTs (Overseas); JPCERT/CC coordinating between them.

1. Suspicious access
2. Detection
3. Report (to JPCERT/CC)
4. Cooperate (with overseas CSIRTs)
5. Request
6. Respond
Coordination and Information Sharing for situation awareness (figure)

JPCERT/CC at the center, sharing with:

- ISP CSIRTs
- Vendor CSIRTs
- Researchers, Academia
- Governments, Critical Information Infrastructures
- Overseas CSIRTs (FIRST, APCERT)
Vulnerability Handling

- Receive vulnerability reports from Japan and from other vulnerability handling teams
- Verify the report and analyze its impact: Is this really a vulnerability? What is the effect of the vulnerability? What is the population of the affected software? Are exploits available? Is the vulnerability actively being exploited?
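The verification questions above turned into a triage routine, as an added example that is not JPCERT/CC's own process or code. The report fields map one-to-one onto the five questions; the weights, thresholds, decision names, and the sample reports (hypothetical identifiers and products) are assumptions made for this example:

```python
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    REJECT = "reject"          # not really a vulnerability: close the report
    MONITOR = "monitor"        # track it; no active coordination yet
    COORDINATE = "coordinate"  # engage the vendor CSIRT / other teams
    URGENT = "urgent"          # coordinate now and consider an alert


@dataclass
class VulnReport:
    report_id: str
    product: str
    confirmed: bool          # is this really a vulnerability?
    impact: str              # effect of the vulnerability: "rce", "privesc", "dos", "info"
    population: int          # estimated installations of the affected software
    exploit_public: bool     # are exploits available?
    exploited_in_wild: bool  # is the vulnerability actively being exploited?


# Assumed weights for this example; a real team tunes them to its constituency.
IMPACT_WEIGHT = {"rce": 40, "privesc": 30, "dos": 20, "info": 15}


def _population_weight(installs):
    if installs >= 1_000_000:
        return 30
    if installs >= 100_000:
        return 20
    if installs >= 10_000:
        return 10
    return 0


def triage(report):
    """Answer the verification questions in order and turn them into a decision and score."""
    if not report.confirmed:
        return Decision.REJECT, 0
    score = IMPACT_WEIGHT.get(report.impact, 0) + _population_weight(report.population)
    if report.exploit_public:
        score += 15
    if report.exploited_in_wild:
        score += 25
    # Active exploitation overrides the score: even a low-impact bug is urgent once attackers use it.
    if report.exploited_in_wild or score >= 70:
        return Decision.URGENT, score
    if score >= 40:
        return Decision.COORDINATE, score
    return Decision.MONITOR, score


def prioritize(reports):
    """Order the work queue: highest score first, rejected reports at the bottom."""
    return sorted(reports, key=lambda r: triage(r)[1], reverse=True)


# Constructed reports (hypothetical identifiers and products, not real advisories).
SAMPLE_REPORTS = [
    VulnReport("R-1", "ExampleHTTPd", True, "rce", 2_000_000, False, False),
    VulnReport("R-2", "ExampleFTPd", True, "dos", 50_000, True, False),
    VulnReport("R-3", "ExampleMailer", False, "info", 5_000, False, False),
    VulnReport("R-4", "ExampleCMS", True, "info", 5_000, True, True),
]
```

The point of the override rule is the order of the questions on the slide: "is it actively being exploited?" is asked last but, when the answer is yes, it decides the priority regardless of how the earlier questions scored.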
Lessons Learned from Our CSIRT Development Process

- Vital to have sponsors with a good understanding of CSIRT activities.
- Get capable, trusted CSIRT partners and ask them to lead you into the CSIRT network.
  JPCERT/CC case: 1998 - CERT/CC sponsored JPCERT/CC into FIRST; 2003-2006 - Vulnerability Handling Capability Building project, Vulnerability Collaborative Handling Operation, Decision Support System project, Analysis Capability Building project
- Vital to be connected to the CSIRT network/community: share resources, information, experience. Security and incident response is not a competitive service!
  FIRST (Global), APCERT (Asia and Pacific), TF-CSIRT (Europe), OAS (Americas), GCC (Gulf)
Type of Security Incident

No standard "type": worm, virus, trojan, malware, cyber attack, intrusion, phishing, pharming, spyware, spam, cracking, hacking, scan, probe, vulnerability, blackmailing, targeted attack, harvesting, bot, relay, social engineering, exploit, DoS, DDoS, zero-day, cross-site scripting, cross-site request forgery, SQL injection, skimming, man-in-the-middle, brute force, birthday attack, spoofing, smurf attack, alteration, slipping, cache poisoning, route poisoning, SYN flood attack, buffer overflow, stack overflow, heap overflow, return into libc, missed patching, mis-operation, fraud, identity theft...

Should be discussed in terms of "category"

Category of Incident

So far, no consensus has emerged in the security community as to which taxonomy is the best...

According to the NIST document "Computer Security Incident Handling Guide" (http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf), we find the following (next few slides):

Category of Incident

- Denial of Service: an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
- Malicious Code: a virus, worm, Trojan horse, or other code-based malicious entity that infects a host
- Unauthorized Access: a person gains logical or physical access without permission to a network, system, application, data, or other resource
- Inappropriate Usage: a person violates acceptable computing use policies
- Multiple Component: a single incident that encompasses two or more incidents

DDoS attack by Bot example

(Diagram: a herder controls bots through a C&C server over the Internet; the bots send the DDoS traffic to the target.)

Malicious Code (or malware)

- Viruses
  - File Infector Viruses
  - Boot Sector Viruses
  - Macro Viruses
  - Virus Hoaxes
- Trojan Horses
- Worms
- Mobile Code
- Blended Attack
  - E-mail
  - Windows shares
  - Web servers
  - Web clients
Unauthorized Access

The examples of unauthorized access are the following:

- Remote root compromise
- Defacing web server
- Cracking password (by brute force)
  - ssh server example
- Get credit card number
  - phishing
- Get sensitive data (cf. medical information)
- Get User ID & Password
- Keeping pirated software and music files

Inappropriate Usage

The examples of inappropriate usage are the following:

- Download password cracking tool & pornography
- Send spam e-mail
- Set up unauthorized Web site
- Use music (or pirated materials) sharing services
- Transfer sensitive data

It will depend on your security policy or acceptable use policy: if your policy permits it, it will not be a problem.

Multiple Component

1. Malicious code spread through e-mail compromises an internal workstation.
2. An attacker (who may or may not be the one who sent the malicious code) uses the infected workstation to compromise additional workstations and servers.
3. An attacker (who may or may not have been involved in Steps 1 or 2) uses one of the compromised hosts to launch a DDoS attack against another organization.
JPCERT/CC definition of Incident category

- Scan
  - Scan/probe activity
  - Mostly by worms and viruses
- Abuse
  - Open relay mail server
  - Open proxy server
  - Other relay problems
- Forged
  - E-mail spoofing of the From: header
- Intrusion
  - Defacement
  - Phishing is a type of intrusion
- DoS (Denial-of-Service)
  - Server resource consumption
  - Operating system termination
  - Network resource consumption
- Other
  - SPAM mail receiving
  - Computer virus infection

Incident reporting format of JPCERT/CC

1. Contact Info
   - Name
   - Organization Name
   - Division
   - E-mail address or FAX number

2. Purpose of Reporting
   1. Information providing
   2. Question
   3. Request for coordination
   4. Other

3. Summary of the Incident
   - Source IP address or hostname
   - Description about the incident
   - System information of the system
     - IP address or hostname
     - Protocol / Port number
     - Hardware / OS
     - Timestamp
     - Timezone ← very important !!!

4. Log information

Timestamp problem

How to specify the date with this log information?

Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 07/05/02 22:35:22

Possible readings:
- 2007/May/2nd
- 2002/July/5th
- 2005/May/7th

What is the next action for this?

Timezone problem

How to handle this log information?

Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 2007/Jan/15 22:35:22

- You don’t know where the reporter lives.
- You don’t know where the server is placed.
- From your access log to the outside network, no one used any computer on “2007/Jan/15 22:35:22” in your timezone.

What is the next action for this?
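An added example (not part of the slides) of how an incident handler can treat the two problems above in code: it enumerates every calendar date an all-numeric stamp could mean, and converts a named-month stamp to UTC once the reporter's UTC offset is known. The log lines are the constructed samples from the slides; the two-digit year is assumed to be 20xx, and any offset passed in (for instance +9 for Japan) is an assumption the reporter has to confirm.

```python
import re
from datetime import datetime, timedelta, timezone
from itertools import permutations

# Constructed sample log lines (the two from the slides); both addresses are
# RFC 1918 private ranges and identify no real host.
LOG_NUMERIC = "Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 07/05/02 22:35:22"
LOG_NAMED = "Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 2007/Jan/15 22:35:22"

NUMERIC_STAMP = re.compile(r"\b(\d{2})/(\d{2})/(\d{2}) (\d{2}:\d{2}:\d{2})\b")
NAMED_STAMP = re.compile(r"\b(\d{4})/([A-Za-z]{3})/(\d{1,2}) (\d{2}:\d{2}:\d{2})\b")


def candidate_dates(log_line):
    """Every calendar date an all-numeric xx/xx/xx stamp could mean.

    Each ordering of the three fields is tried as (year, month, day) and
    orderings that form no valid date are dropped. More than one survivor
    means the handler must ask the reporter which format was used.
    """
    match = NUMERIC_STAMP.search(log_line)
    if match is None:
        raise ValueError("no numeric xx/xx/xx timestamp in log line")
    fields = [int(f) for f in match.groups()[:3]]
    found = set()
    for year, month, day in permutations(fields):
        try:
            found.add(datetime(2000 + year, month, day).date())  # assumes 20xx
        except ValueError:  # e.g. a "month" of 22 or a "day" of 0
            pass
    return sorted(found)


def to_utc(log_line, reporter_utc_offset_hours):
    """Pin a 'YYYY/Mon/DD hh:mm:ss' stamp to UTC using the reporter's offset.

    The offset has to come from the reporter (the slide's point): without
    it the same string denotes a different instant in every timezone.
    """
    match = NAMED_STAMP.search(log_line)
    if match is None:
        raise ValueError("no YYYY/Mon/DD timestamp in log line")
    year, mon, day, hms = match.groups()
    naive = datetime.strptime(f"{year} {mon} {day} {hms}", "%Y %b %d %H:%M:%S")
    reporter_tz = timezone(timedelta(hours=reporter_utc_offset_hours))
    return naive.replace(tzinfo=reporter_tz).astimezone(timezone.utc)


def report_stamp(utc_dt):
    """ISO 8601 text with explicit offset, for the report's Timestamp field."""
    return utc_dt.isoformat()
```

Writing the Timestamp field as `report_stamp(to_utc(...))` removes both ambiguities before the report is sent, so the receiving team can compare it directly against its own logs.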

Incident report format of MyCERT

Incident report format of CERT/CC

http://www.cert.org/reporting/incident_form.txt

References 1

CERT Coordination Center - CSIRT Development http://www.cert.org/csirts/

Handbook for CSIRTs http://www.cert.org/archive/pdf/csirt-handbook.pdf

CSIRT Services http://www.cert.org/archive/pdf/CSIRT-services-list.pdf

Organizational Models for Computer Security Incident Response Teams http://www.cert.org/archive/pdf/03hb001.pdf

References 2

Forum of Incident Response and Security Teams http://www.first.org/

Alphabetical list of FIRST Members http://www.first.org/members/teams/

Members around the world http://www.first.org/members/map/

TERENA - CSIRT Starter Kit http://www.terena.nl/activities/tf-csirt/starter-kit.html

Asia Pacific Computer Emergency Response Team http://www.apcert.org/

CSIRT Culture and Philosophy

Yurie Ito
Director
JPCERT/CC
Philosophy of CSIRT

- Ensure objectivity and accuracy of information
- Cannot hide or suppress the truth
- Identify the real problem
- Be passionate about solving and mitigating the problem

But in the real world --

Because you are a coordination center you will see --

- Political agendas get in the way.
- People don’t cooperate.
- Funding depends on political agendas.
- All layers of the problems.

Especially you are / will be --

National POC CSIRT
- National focal point within a country to coordinate incident handling activities
- Analyze incident and vulnerability information along with other teams, vendors, and technology experts to provide assessment for your constituency and communities
- Bridging the gaps – brings together multiple different sectors (cross domain, cross public/private sectors, cross border)
- Developing mechanisms for trusted communication for your community

TRUST

- Respect the confidentiality of information
- Keep up with current intellectual property laws
- Set crystal clear information handling policy
- Ensure objectivity and accuracy of information
- Provide useful information - reactive mitigation

Security Culture in CSIRT Community

CSIRT Culture: my security depends on your security

1. Collaboration
   - Security is not competition
   - Share expertise / resources
   - Best practices

2. Web of TRUST
   - The most important thing for a CSIRT
   - Reputation business – you live or die with this

Timely manner of coordination
- Support each other
- Learn from mistakes
- Do not stop the information
- Information gathers where information flows

Identify stakeholders
- How well you are connected with your stakeholders, with trust, is a key

Be proactive
- Think worst case at all times
- Be paranoid – but do not scare people
- Always think how to fix the problem

You are part of the interdependent network. Let’s work together to make the global infrastructure a safer place.