day 1 enisa setting up a csirt

INTODUCTION TO THE CSIRT SETTING UP GUIDE

http://www.enisa.europa.eu/act/cert/support/guide

http://www.enisa.europa.eu/act/cert/support/guide

Agenda

How it all started

What do CERTs do?

How is Incident Response functioning

CERT cooperation

ENISA and CERTs

2

Setting up a CSIRT

Introduction

Overall strategy for planning and setting up a CSIRT

The first section gives a description of what a CSIRT is. It will also provide information about the different environments in which CSIRTs can work and what services they can deliver.

Developing the Business Plan

This section describes the business management approach to the setting-up process.

Promoting the Business Plan

This section deal with the business case and funding issues.

Examples of operational and technical procedures

This section describes the procedure of gaining information and translating it into a security bulletin. This section also provides a description of an incident-handling workflow.

CSIRT training

This section gives a summary of available CSIRT training. For illustration sample course material is provided in the annex.

Producing an advisory

This section contains an exercise on how to carry out one of the basic (or core) CSIRT services: the production of a security bulletin (or advisory).

Description of the Project Plan

This section points to the supplementary project plan (checklist) provided with this guide. This plan aims at being a simple to use tool for the implementation of this guide.

3

The early days of internet

First idea of an Internet in 1960:

"A network of such [computers], connected to one

another by wideband communication lines" which provided "the functions of present-day libraries together with anticipated advances in information storage and retrieval and [other] symbiotic functions. ” by .C.R. Licklider

Beginning of Internet by the Defense Advanced Research Projects Agency (DARPA) in 1981.

4

Map of the TCP/IP test network in January 1982

http://en.wikipedia.org/wiki/TCP/IP

Today’s Internet

5

First incident on the Internet

2 November 1988: The MORRIS worm

First major outbreak , it spread swiftly around the world

6000 major UNIX machines were infected

(of a total of 60.000 computers connected)

Estimated cost of damage $10M - 100M

Gene Spafford created a mailing list coordinating the first Incident response

6

The First CERT

After incident people realized they

where in need for:

Timely response

Structured and organized approach

Central coordination

This incident in the history of Internet security led directly to the founding of the CERT/CC©

7

Europe and CSIRT’s

This model was soon adopted in Europe

1992 Surfnet launched the first CSIRT

in Europe SURFnet-CERT

At present ENISAs inventory of CERT activities in Europe list over 140 CSIRTs

8

European CERT activities

9

CSIRT abbreviations

CERT© /CERT-CC (Computer Emergency Response Team)

CSIRT (Computer Security Incident Response Team)

IRT (Incident Response Team)

CIRT (Computer Incident Response Team)

SERT (Security Emergency Response Team)

Abuse Team (not a CSIRT)

Is a response facility, usually operated by an ISP, who professionally handles "Internet-abuse" reports or complaints.

10

CSIRT definition

CSIRT

A team that responds to computer security incidents

Providing necessary services to solve orsupporting the resolution of them.

Is trying to prevent any computer security incidents within its constituency or responsibility.

Constituency

Customer base of a CSIRT

11

Benefits of having a CSIRT

A dedicated ICT-security team helps to mitigate and prevent major incidents protecting your organization’s valuable assets.

Centralized coordination for ICT-security issues

Specialized organization in handling and responding to ICT-incidents.

Dedicated support available, assisting in taking the appropriate steps and helping the constituent with quick recovery of the ICT infrastructure.

Dealing with legal issues and preserving evidence in the event of a lawsuit.

Educate organization on ICT-security

Stimulating cooperation within the constituency on ICT-security, preventing possible losses.

12

What kind of CSIRTS exists

Constituent depended sector CSIRTS In alphabetic order:

National / Governmental Sector

Academic Sector

Commercial

CIP/CIIP Sector

Internal

Military Sector

Small & Medium Enterprises (SME) Sector

Vendor Teams

…

13

CSIRT services 1/3

We can distinguish 4 kind of services

Responsive services

1. Reactive services

2. Proactive services

3. Artifact handling

4. Security quality management

14

CSIRT “Core” Services 2/3

Reactive Services

Alerts and Warnings

Incident Handling

Incident analysis

Incident response support

Incident response coordination

Proactive Service

• Announcements

15

CSIRT services 3/4

16

Reactive services Proactive services Artifact handling

Alerts and Warnings Announcements Artifact analysis

Incident Handling Technology watch Artifact response

Incident analysis Security audits or assessments Artifact response coordination

Incident response support Configuration and maintenance

of security

Security QualityManagement

Incident response coordination Development of Security Tools Risk Analysis

Incident response on site Intrusion Detection Services Business Continuity and Disaster

Recovery

Vulnerability handling Security-Related Information

Dissemination

Security Consulting

Vulnerability analysis Awareness Building

Vulnerability response Education/Training

Vulnerability response

coordination

Product Evaluation or Certification

CSIRT services 4/4

First questions about services:

1. Understand what a CSIRT is an what benefits it might

provide

2. To what sector is the CSIRT delivering it’s services?

3. Decide on the core services of your CSIRT

4. Start preparing your CSIRT,

Organizational, staff, legal, contracts, procedures

Deliver the core services according your standards and

agreements

17

Choosing the right approach

1. Define a communication approach to your constituents

2. Define the mission statement

3. Make a realistic implementation/project plan

4. Define your CSIRT services

5. Define the organizational structure

6. Define the Information Security policy

7. Hire the right staff

8. Utilise your CSIRT office

9. Look for cooperation between other CSIRTs and possible national initiatives

18

Analyzing your Constituency

Swot analysis

PEST analysis

19

Example SWOT analysis

Result in delivering the

following Core Services:

Alerts and Warnings

Incident handling

Announcements

20

Communicating channels

Public Website

Closed member area on the Website

Web-forms to report incidents

Mailing lists

Email

Phone

SMS

‘Old fashioned’ paper letters

Monthly or annual reports

21

Mission statement

Important to have a mission statement

In communicating your existence to constituents

Communicating it to your staff

Commercial use, elevator pitches, brochures,…

Examples:“<Name of CSIRT> provides information and assistance to its <constituents (define your constituents)> in implementing proactive measures to reduce the risks of computer security incidents as well as responding to such incidents when they occur.”

"To offer support to <Constituents> on the prevention of and response to ICT-related Security Incidents”

22

Developing a business plan

Defining a financial model

Cost model

Revenue model

Use of existing resources

Membership fee

Subsidy

23

Costs running a CSIRT

Staff 24x7 or office hours

Housing Normal secured or high secured facility

Equipment

Hosting facilities

Branding material (corporate style)

Brochures

24

Your organizational structure

A CSIRT organization could define the following roles General

General manager

Staff Office manager

Accountant

Communication consultant

Legal consultant

Operational Technical team Technical team leader

Technical CSIRT technicians, delivering the CSIRT services

Researchers

External consultants, Hired when needed

25

Independent business model

26

The embedded model

27

The Campus model

28

The voluntary model

Group of people (specialists) that join together in case of emergency.

Loosely fitted

Example WARPS

29

Hiring the right staff ( the hot picks)

Flexible, creative, good teams spirit

Strong analytical skills,

Ability to explain difficult technical matter into easy wording

Good organizational skills and stress durable

Technical knowledge (deep specialist + broad general internet technology knowledge)

Willingness to work 24x7

Loving to do the job! ;)

30

Utilization & equipping the office

Hardening the building

See ISO17799

Maintaining communication channels

Record tracking system(s)

Use the corporate style from the beginning!

Foresee out-of-band communication in case of

attacks

Check redundancy on internet connectivity

and office in case of emergencies

31

Information security policy

Information handling policy

1. How is incoming information "tagged" or

"classified"?

2. How is information handled, especially with

regard to exclusivity?

3. What considerations are adopted for the

disclosure of information "when what?"

especially incident related information passed

on to other teams or to sites?

32

Information security policy

4. Are there legal considerations to take into

account with regard to information handling?

5. Do you have a policy on use of cryptography

to shield exclusivity & integrity in archives

and/or data communication, especially e-

mail.

6. This policy must include possible legal

boundary conditions such as key escrow or

enforceability of decryption in case of

lawsuits.

33

Information Security policy

National

Laws on information technology

Laws on data protection and privacy

Codes of conduct for corporate governance and IT Governance

European directives

Directives on data protection and electronic communication

International

Basel II, Eu. Convention on Cybercrime

Standards

BS 7799

ISO 27001

34

ENISA

National initiatives

TF-CSIRT

WARPS

FIRST

Search for cooperation

35

Promoting your business plan

It visualizes the trends in IT security, especially the decrease in the necessary skills to carry out increasingly sophisticated attacks.

Another point to mention is the continuously shrinking time window between the availability of software updates for vulnerabilities and the starting of attacks against them

36

Promoting your business plan

Viruses Timeline

Patch -> Exploit Spreading rate

Nimda 11 month Code red Days

Slammer 6 month Nimda Hours

Nachi 5 month Slammer Minutes

Blaster 3 weeks

Witty 1 day (!)

37

Business plan & Management

What is the problem?

What would you like to achieve with your constituents?

What happens if you do nothing?

What happens if you take action?

What is it going to cost?

What is going to gain?

When do you start and when is it finished?

38

Short wrap-up

How is information handled within your organization

Do you have a Information security policy?

Do you know other CSIRTs?

Could you share incidents that can help the promotion of a CSIRT business plan?

Discuss your potential business plan

39

Operational Procedures

Focus on basic services first!

Alerts and Warnings

Incident handling

Announcements

40

Information process flow

41


Information Sources:• Vulnerability information

• Incident reports

• Public and closed sources

for vulnerability information:

- Public and closed mailing lists ! Vendor vulnerability

product information

- Websites

- Information on the Internet

- Public and private partnerships that provide vulnerability information (FIRST, TF- CSIRT, CERT-CC, US-CERT.)

42


Identification Trustworthy source of information Correct information

• Cross checked with other sources

Relevance

Impact to the IT infrastructure of the constituent

Classification of information

Risk assessment & impact analysis

Impact = Risk x potential damage

43


Risk assessment & impact analysis

44

RISK

Is the vulnarabil ity widely known? No, l imited 1 Yes, public 2

Is the vulnarabil ity widely exploited? No 1 Yes 2

Is it easy to exploit the vulnerabil ity? No, hacker 1 Yes, script kiddie 2 11,12 High

Precondition: default configuration? No. specific 1 Yes, standard 2 8,9,10 Medium 0

Precondition: physical access required? Yes 1 No 2 6,7 Low

Precondition: user account required? Yes 1 No 2

Damage

Unauthorized access to data No 0 Yes, read 2 Yes, read + write 4 6 t/m 15 High

DoS No 0 Yes, non-critical 1 Yes, critical 5 2 t/m 5 Medium 0

Permissions No 0 Yes, user 4 Yes, root 6 0,1 Low

OVERALL

High Remote root >> Imediately action needed!

Local root exploit (attacker has a user account on the machine)

Denial of Service

Medium Remote user exploit >> Action within a week

Remote unauthorized access to data

Unauthorized obtaining data

Local unauthorized access to data

Low Local unauthorized obtaining user-rights >> Include it in general process

Local user exploit


Distribution of informationWebsite Email Reports Archiving and research

45

Title of the advisory

ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ

Reference number

ÉÉÉÉÉÉÉÉÉÉÉ

Systems affected

- ÉÉÉÉÉÉÉÉÉÉÉ

- ÉÉÉÉÉÉÉÉÉÉÉ

Related OS + version

ÉÉÉÉÉÉÉÉÉÉÉ

Risk (High-Medium-Low)

ÉÉÉ

Impact/potential damage (High-Medium-Low)

ÉÉÉ

External idÕs: (CVE, Vulnerability bulletin IDÕs) É ÉÉ É

Overview of vulnerability

ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ

ÉÉÉÉÉÉÉÉÉÉÉÉ ÉÉÉÉÉÉÉÉÉÉÉ

Impact



Solution



Description (details)




Appendi x


É ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ


Example of an Advisory

Incident handling process

46

Incident Handling process

1. Receiving incident reports

Email

Phone

Fax

2. Incident Evaluation

Identification

Relevance

Classification

Triage

3. Take action

47

Incident handling process

Actions

Start incident ticket

Essential for solving the incident and communicating

with the involved constituents.

Solve the incident

Preserving any information which may needed for

prosecution takes carefully planned action!

Incident handling report

Archiving

NOTE: Each type of incident calls for different actions!

48

Wrap-up1. Understanding what a CSIRT is.

2. What sector do you deliver your services to?

3. What kinds of services can a CSIRT provide to its constituents?

- Analysis of the environment and constituents

- Defining the mission statement

4. Defining your goals- Defining your Cost model

- Defining the organizational model

- Starting to hire your staff

- Utilizing your office

- Defining the needed Security policy

- Looking for cooperation partners

5. Dealing with matters of project management- Have the business case approved

- Fit everything into a project plan

6. Making the CSIRT operational.- Creating workflows

- Implementing CSIRT tooling

The next step is: training your staff

49

Workflow 2nd example

Producing an advisory

50

Bulletin

Identifier

Microsoft Security Bulletin MS06-042

Bulletin Title Cumulative Security Update for Internet Explorer (918899)

Executive

Summary

This update resolves several vulnerabilities in Internet Explorer that

could allow remote code execution.

Maximum

Severity Rating

C ritical

Impact of

Vulnerability

Remote Code Execution

Affected

Software

Windows, Internet Explorer. For more information, see the Affected

Software and Download Locations sec tion.

Collecting vulnerability

information

Verify the authenticity on vendor website

Gather more details on

The vulnerability

Affected systems

51


Evaluate information

Assess the risk

52

RISK

Is the vulnerability well known? Y

Is the vulnerability widespread? Y

Is it easy to exploit the vulnerability?

Y

Is it a remotely exploitable vulnerability?

Y

Damage Remote accessibility and chance of remote code execution. This vulnerability contains multiple issues which make the damage risk HIGH.


Distribution of information

53

Title of advisory

Multiple vulnerabilities found in Internet explorer

Reference number

082006-1

Systems affected 1. All desktop systems that run Microsoft

Related OS + version Microsoft Windows 2000 Service Pack 4

Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2

Microsoft Windows XP Professional x64 Edition

Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1

Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server

2003 with SP1 for Itanium-based Systems

Microsoft Windows Server 2003 x64 Edition

Risk (High-Medium-Low)

HIGH

Impact/potential damage (High-Medium-Low)

HIGH

External idÕs: (CVE, Vulnerability bulletin IDÕs)

MS-06-42

Overview of vulnerability Microsoft has found several critical vulnerabilities in Internet Explorer which can lead too remote

code execution.

Impact An attacker could take complete control over the system, installing programs, adding users and vie,

change or delete data. Mitigating factor is that the above only can take place if the user is logged in

with administrator rights. Users logged on with less rights could be less impacted.

Solution Patch your IE immediately

Description (details) See for more information ms06-042.mspx

Appendi x See for more information ms06-042.mspx


ENISA and CSIRTs

Mission

Promote and facilitate good practice in setting-up and running of

CSIRTs / WARPs / Abuse Teams / etc.

Encourage cooperation between different actors

Develop relations to the various CERT/CSIRT communities

Support their activities

Run a Working-Group with external experts

How ENISA supports CSIRT community? Promote best practice!

2005: Stocktaking

2006: Setting up &Cooperation

2007: Support OperationQuality Assurance

2008: CERT Exercises

2009:CERT Baseline Capabilities Document

[…]

2009:CERT Exercises Report

http://www.enisa.europa.eu/act/certStay in touch with ENISA!

http://www.enisa.europa.eu/act/cert

Contact: Andrea DUFKOVA

Section for Computer Security and Incident Response

ENISA

[email protected]

THANK YOU!

mailto:[email protected]

