Since its establishment in 1992, the center has been gathering computer security incident and vulnerability information, issuing security alerts and advisories, and providing incident response as well as education and training to raise awareness of security issues.
Yurie Ito Director of Technical Operation JPCERT/Coordination Center, Japan @CSIRT Training in AfNOG tutorial, Morocco 1 June, 2008
What is CSIRT?
CSIRT: Computer Security Incident Response Team
CERT: Computer Emergency Response Team
CSIRT/CC: Coordination Center
CERT: Computer Emergency Readiness Team
IRT: Incident Response Team
Many types of CSIRTs:
- National POC CSIRT
- Organization CSIRT
- Government CSIRT
- Military CSIRT
- Academic Research CSIRT
- Vendor/Product CSIRT
- Regional CSIRT
Copyright 2008 JPCERT/CC All rights reserved.
Introduction / History
Morris Worm
2 November 1988
Robert Tappan Morris, a university student, wrote it as a program to find out how large the Internet was. This incident marked the beginning of Internet security as a field.
Effects of the worm
About 6,000 major Unix machines were infected; it is estimated that there were about 60,000 computers on the Internet at that time.
After Action
To identify how to improve the response to computer security incidents
A call for a single point of contact to be established for Internet security problems
FIRST
Forum of Incident Response and Security Teams
- The only worldwide CSIRT forum
- Top experts from across the field
- A neutral interconnect for vendors and others
- Low cost, low overhead
FIRST Resources
Technical and expertise resources: 200 PoCs of incident response teams from all over the world; tools; mailing lists; web site; best practice guides; team contact details; presentations; IRC; annual conference; regional TCs (Technical Colloquia); training; special interest groups
Members -- http://www.first.org/about/organization/teams/
FIRST's incident response teams draw their members from, among others, Apple, Boeing, British Telecommunications, Cablecom, Cisco Systems, Citigroup, Commerzbank, Deutsche Bank, Energis, Ernst and Young, Fujitsu-Siemens, the German Savings Bank, Google, Goldman Sachs, IBM, Intel, JP Morgan, Merrill Lynch, NASA, NATO, Nortel, Oracle, the Royal Bank of Scotland, Sprint, Sun Microsystems, Symantec, Wells Fargo, the American Red Cross Computer Emergency Response Team, CERT Bundeswehr, CERT Chile, the Danish Computer Security Incident Response Team, CERT Italiano, CERT Israeli Academic, Japan Security Operation Centre, CSIRT Korea, CERT Malaysia, Ontario Information Protection Centre, CERT Polska, CERT Slovenia, CERT Singapore, CERT Swiss Education and Research Network, CERT Taiwan, CERT US Department of Defense, CERT HM Government, UK, CERT US Department of Defence, the US Army Emergency Response Team, the US Computer Emergency Readiness Centre, the US Postal Service Computer Incident Response Team, the Massachusetts Institute of Technology, Georgia Institute of Technology and the Universities of Chicago, Georgia, Indiana, Michigan, Northwestern, Oxford, Pennsylvania State, Rechenzentrum, Stanford, and Wisconsin-Madison.
Cyber Incident: When? Why? Who? How? Where?
What is an Incident?
In order to respond, we must first recognize a computer security incident.
There is no uniform agreement as to what constitutes an incident; it depends on how the organization defines it.
What is an Incident?
Computer Security Incident
Sample definition: "Any real or suspected adverse event in relation to the security of computer systems or computer networks" (according to the CSIRT FAQ of CERT/CC).
JPCERT/CC definition: A computer security incident is a computer-security-related event caused by humans, including both intentional and accidental ones. Examples are: unauthorized use of resources, service interference, destruction of data, unintended disclosure of information, and other behaviors that can lead to these events.
What is an Incident?
Incident = adverse event that threatens the confidentiality, integrity or availability of systems.
Examples: defacing a public web site (by intrusion); a worm that infects workstations on a network; a scan.
What is Incident Response? Incident response is the process of addressing a computer security incident: detecting and analyzing the incident, and limiting its effects.
Identifying an Intrusion
Observe systems for unexpected behavior or anything suspicious. Investigate anything considered unusual. If the investigation finds something that isn't explained by authorized activity, immediately initiate response procedures.
Incident samples
- Scan activity against a firewall server
- Web defacement
- Information leakage
- Phishing site: a server used to host a phishing site; your web site used as a phishing site
- Intrusion (web, database, FTP, proxy, and so on)
- DoS attack on a web server
- A proxy server used as an open proxy
- SMTP relay
- Virus infection
- Forged e-mail, and the flood of bounce messages returned because of it
- Lost laptop
- Malware distribution
- Becoming a bot
- One-click fraud
- Mis-operation (operator error)
- Many other incidents
Why CSIRT
What is CSIRT? (figure): a CSIRT is a point of contact (POC) for its constituency, providing incident response and coordination. Constituency? Service?
CSIRT (figure): provides service and support to its constituency.
Constituency? The Internet community in Japan.
Service? Incident response and analysis, security alerts, coordination with other CSIRTs, vendor coordination, education and training, research and analysis.
Background
There are many excuses for not planning for incident response:
- "We are NOT a target."
- "I do NOT believe anyone would want to compromise our network."
- "We can NOT be hacked. We have the best network defenses, and they were very expensive."
- "We already have a plan, but we have NEVER handled an incident successfully with it."
- "We were always putting out fires."
- "We thought we would just figure it out WHEN THE TIME CAME."
Background
We depend on the Internet and computers to the extent that day-to-day operations rely on them; the Internet is vital for business and daily life.
Background
The Internet and computers are complex and dynamic. The Internet is easily accessible to anyone with a computer and a network connection, and borders matter less than in the real world.
If incidents occur, it is critical to have an effective means of responding, to limit the damage and lower the cost of recovery.
An organization needs the ability to protect, detect, analyze and respond to an incident. Professionals should respond to incidents.
Large-scale, widespread incidents (e.g. virus or worm outbreaks)
Specific, targeted, pinpoint incidents using powerful tools (e.g. botnets)
Professionals, criminals
Motivation: for fun, e.g. stopping services (denial of service). Motivation: for fame and recognition, e.g. web defacement.
Assists the organizational constituency and the general computing community in preventing and handling computer security incidents. Shares information and lessons learned with other CSIRTs/response teams and appropriate organizations and sites.
CSIRT Services
First of all: responding to incidents.
Incident Handling: incident response, incident analysis, incident coordination, statistics.
Incident Handling
- Incident analysis
- Incident response on site
- Incident response support
- Incident response coordination
CSIRT Services
Reactive: incident handling (above).
Proactive: to improve the infrastructure and security processes of the constituency before any incident or event occurs or is detected. The main goals are to avoid incidents and to reduce their impact and scope when they do occur.
Ex) Vulnerability Handling: vulnerability analysis, vulnerability response, vulnerability response coordination, with vendor CSIRTs (Cisco PSIRT, Hitachi HIRT, Microsoft MSRC)
Announcements
Training, education
CSIRT Services
The objectives for incident response are derived from the CSIRT mission statement.
JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan. Since its establishment in 1992, the center has been gathering computer incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.
Brief history
- Voluntarily started in 1992 as JPCERT/CC
- Officially established as JPCERT/CC, funded by MITI (Ministry of International Trade and Industry, predecessor of METI), in August 1996
- Service started on 1 October 1996
- Budgeted by METI
- Non-governmental, not-for-profit organization
- National CSIRT in Japan (point of contact for international relations)
- FIRST (Forum of Incident Response and Security Teams) full member (since 1998)
- APCERT (Asia Pacific Computer Emergency Response Teams) SC member, Secretariat
Our history (timeline)
- Oct 1996: Japan Computer Emergency Response Center; Incident Response (reactive service)
- Aug 1998: Joined FIRST
- Mar 2003: Network Monitoring ISDAS (real-time situation awareness)
- Jul 2004: Vulnerability Handling (proactive activities)
- Oct 2006: 10th Anniversary
JPCERT/CC Activities (figure: traffic monitoring and budget; origin: Access Media International, 2005)
Overcome the differences in languages, security cultures, and rules, laws and regulations.
International coordination (figure): 1. suspicious access arrives from overseas into Japan; 3. report to JPCERT/CC; 4. JPCERT/CC cooperates with overseas CSIRTs; 5. JPCERT/CC requests action from domestic ISPs. Within Japan, JPCERT/CC coordinates with ISP CSIRTs and vendor CSIRTs; overseas, with other CSIRTs.
Vulnerability Handling
- Receive vulnerability reports from Japan and from other vulnerability handling teams
- Verify the report and analyze its impact: is this really a vulnerability? What is the effect of the vulnerability? What is the population of the affected software? Are exploits available? Is the vulnerability actively being exploited?
Category of Incident
So far, no consensus has emerged in the security community as to which taxonomy is best. The categories below follow the NIST document Computer Security Incident Handling Guide (SP 800-61), http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf
Category of Incident
Denial of Service
an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
Malicious Code
a virus, worm, Trojan horse, or other code-based malicious entity that infects a host
Unauthorized Access
a person gains logical or physical access without permission to a network, system, application, data, or other resource
Inappropriate Usage
a person violates acceptable computing use policies
Multiple Component
a single incident that encompasses two or more incidents.
DDoS (figure): a herder controls bots through a C&C server across the Internet; the bots flood the target.
Unauthorized Access
Examples of unauthorized access are the following:
- Remote root compromise
- Defacing a web server
- Cracking passwords (by brute force), e.g. against an SSH server
- Getting sensitive data (e.g. medical information)
- Getting user IDs and passwords
- Keeping pirated software and music files
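Detection logic for the "identifying an intrusion" procedure earlier in the deck (observe, investigate, respond only to what authorized activity cannot explain) and for the brute-force SSH case listed under unauthorized access above, as an added example that is not part of the original training material. It runs over constructed syslog-style sshd and iptables lines (not real logs; the host names, addresses and the thresholds of 5 failed logins and 10 distinct ports are assumptions) and flags two of the incident samples named earlier: password brute forcing against an SSH server, including the case where a success follows the failures, and scan activity against a firewall.

```python
import re
from collections import defaultdict

# Constructed sample log lines for this example (not real logs).
SSHD_LOG = """\
Jun  1 10:00:01 web01 sshd[2101]: Failed password for invalid user admin from 198.51.100.23 port 40112 ssh2
Jun  1 10:00:02 web01 sshd[2102]: Failed password for root from 198.51.100.23 port 40113 ssh2
Jun  1 10:00:03 web01 sshd[2103]: Failed password for root from 198.51.100.23 port 40114 ssh2
Jun  1 10:00:04 web01 sshd[2104]: Failed password for invalid user test from 198.51.100.23 port 40115 ssh2
Jun  1 10:00:05 web01 sshd[2105]: Failed password for root from 198.51.100.23 port 40116 ssh2
Jun  1 10:00:06 web01 sshd[2106]: Accepted password for root from 198.51.100.23 port 40117 ssh2
Jun  1 10:01:00 web01 sshd[2110]: Failed password for alice from 192.0.2.10 port 50000 ssh2
Jun  1 10:01:05 web01 sshd[2111]: Accepted publickey for alice from 192.0.2.10 port 50001 ssh2
"""

# Constructed iptables-style drops: one source probes twelve ports, another hits one.
_PROBED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389]
FW_LOG = "\n".join(
    f"Jun  1 10:02:{i:02d} fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.5 "
    f"PROTO=TCP SPT={51000 + i} DPT={port}"
    for i, port in enumerate(_PROBED_PORTS)
) + "\nJun  1 10:02:30 fw01 kernel: DROP IN=eth0 SRC=192.0.2.10 DST=192.0.2.5 PROTO=TCP SPT=51100 DPT=443\n"

SSH_RE = re.compile(
    r"sshd\[\d+\]: (?P<status>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
FW_RE = re.compile(r"SRC=(?P<ip>\S+) DST=\S+ PROTO=TCP SPT=\d+ DPT=(?P<port>\d+)")


def ssh_findings(log_text, threshold=5):
    """Count failed logins per source address and note whether a success followed.

    A successful login from an address that has already failed `threshold`
    times is not explained by authorized activity, so it is marked as a
    suspected compromise rather than treated as a normal login.
    """
    failures = defaultdict(int)
    suspected = set()
    for line in log_text.splitlines():
        m = SSH_RE.search(line)
        if not m:
            continue
        ip = m.group("ip")
        if m.group("status") == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspected.add(ip)
    return {
        ip: {"failures": n, "compromise_suspected": ip in suspected}
        for ip, n in failures.items()
        if n >= threshold
    }


def port_scans(log_text, min_ports=10):
    """Return {source ip: sorted distinct destination ports} for sources that
    touched at least `min_ports` different ports (scan activity)."""
    ports = defaultdict(set)
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m:
            ports[m.group("ip")].add(int(m.group("port")))
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


def classify(sshd_text, fw_text, threshold=5, min_ports=10):
    """Turn raw findings into (ip, category, detail) records so the team can
    decide whether response procedures need to be initiated."""
    findings = []
    for ip, info in ssh_findings(sshd_text, threshold).items():
        if info["compromise_suspected"]:
            findings.append((ip, "Unauthorized Access",
                             f"{info['failures']} failed logins followed by a successful login"))
        else:
            findings.append((ip, "Unauthorized Access attempt",
                             f"{info['failures']} failed logins (brute force)"))
    for ip, probed in port_scans(fw_text, min_ports).items():
        findings.append((ip, "Scan", f"{len(probed)} distinct ports probed"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, category, detail in classify(SSHD_LOG, FW_LOG):
        print(f"{category:28s} {ip:16s} {detail}")
```

The decisive check is the last one in `ssh_findings`: a login that succeeds right after a run of failures from the same address is escalated to a suspected compromise, while alice's single typo followed by a key-based login stays below the threshold and produces no finding. Thresholds should be tuned to the constituency; the values here are only for the constructed sample.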
Inappropriate Usage
Examples of inappropriate usage are the following:
- Downloading password cracking tools or pornography
- Sending spam e-mail
- Setting up an unauthorized web site
- Using music (or other pirated material) sharing services
- Transferring sensitive data
Multiple Component
1. Malicious code spread through e-mail compromises an internal workstation. 2. An attacker (who may or may not be the one who sent the malicious code) uses the infected workstation to compromise additional workstations and servers. 3. An attacker (who may or may not have been involved in Steps 1 or 2) uses one of the compromised hosts to launch a DDoS attack against another organization.
JPCERT/CC incident report categories (figure): Abuse, Forged, Intrusion, DoS (Denial-of-Service), Other.