The CSIRT initiative
Download
Report
Transcript The CSIRT initiative
1
Academic and Research Network of Slovenia
The CSIRT initiative
Gorazd Božič
ARNES SI-CERT, Jamova 39, Ljubljana, Slovenia
[email protected]
NATO ANW, Ljubljana, 15.9.2001
2
Code Red infection
Academic and Research Network of Slovenia
3
Email worms, past and present
Academic and Research Network of Slovenia
LoveLetter
Sircam
60
25000
50
20000
40
15000
30
10000
20
10
5000
0
0
1
2
3
Day
4
5
1
2
3
Day
4
5
4
Outline of the presentation
Academic and Research Network of Slovenia
security issues
what is CSIRT
overview of collaboration efforts
TERENA TF-CSIRT
5
How much security?
Academic and Research Network of Slovenia
convenience
security
6
Goals
Academic and Research Network of Slovenia
secure data storage
secure information exchange
ensure uninterupted operation of services
enable recovery after an incident
7
Examine stereotypes
Academic and Research Network of Slovenia
you have to be a paranoic to do it properly
– Not exactly. A paranoid person could spend a lot of time on
improbable scenarios: conspiracy theories and other obscurities.
you have to be an outstanding technical expert
– It helps, but it is not a necessity. You have to be familiar with
fundamentals and have the proper experience.
more security is always the way to go
– Wrong. Banks could lower possibility of theft by performing strip
searches of all customers and thus lose all their customers.
8
Threats
Academic and Research Network of Slovenia
stolen / altered / erased information
– sensitive information
– information needed for normal operations
unstable operation of services
– loss of customers
– system becomes de facto unusable
public exposure
– confidential information from databases made public
– details of the attack on our site are on evening news
9
The attacker
Academic and Research Network of Slovenia
hacker / cracker / “script kiddie”
– age: 15-25 years, limited social life, “rebeling against the system” selfimage, seeks affirmation within the “cyber-community”
vandal
– angry at something / somebody, motivation not always known
insider
– disgrunteled or bribed employee / student / staff member
industrial espionage, terrorism
– hired specialist, motivation: financial or political gain
10
Common scenario of the attack
Academic and Research Network of Slovenia
find a scanner for latest OS/server vulnerabilities
and scan a wide range of address space
use available exploits to gain access
– http://www.securityfocus.com/
– Bugtraq mailing list
hide yourself on attacked host
prepare the system for future use
– install sniffers to collect passwords
– install DDoS tools
11
Measures to take
Academic and Research Network of Slovenia
packet filtering
content filtering
application-level protection
encryption
tracking down the intruder
preventing further attempts
12
Outline of the presentation
Academic and Research Network of Slovenia
security issues
what is CSIRT
overview of collaboration efforts
TERENA TF-CSIRT
13
What is CSIRT?
Academic and Research Network of Slovenia
Computer Security Incident Response Team
– CERT – Computer Emergency Response Team
– IRT – Incident Response Team
a well-known contact point for network security
issues
a source of knowledge for security issues
network security incident coordinator
relay service for incident reports
14
Historical view
Academic and Research Network of Slovenia
1998
– Internet Worm leads to formation of Computer Emergency
Response Team (now CERT/CC)
1990’s
– emergence of other CERTs; AusCERT and European national
CERTs
1990
– FIRST - Forum of Incident Response and Security Teams
1997
– start of EuroCERT project
2000
– TF-CSIRT task force
15
Roles of a CSIRT
Academic and Research Network of Slovenia
assist in incident resolution
coordinate between victim and source sites
distribute information on known vulnerabilities
16
Do you need a CSIRT?
Academic and Research Network of Slovenia
national ISP: yes! (local issues, helping
constituency directly, the same time zone)
large organisation: maybe
small network: probably not
17
Existing IRT’s and associations
Academic and Research Network of Slovenia
CERT Coordination Center
CIAC, Computer Incident Advisory Capability
ASSIST (US Department of Defense)
AUSCERT, Australian CERT
FIRST, Forum of Incident Response and Security Teams
national European CERTs
TERENA TF-CSIRT
18
Establishing CSIRT
Academic and Research Network of Slovenia
define what you will and will not do
who will you do it for (what is your constituency)
seek contacts with other CSIRTs and law
enforcement agencies
19
Defining goals
Academic and Research Network of Slovenia
raising the level of security
quick resolution of incidents
forming a bigger picture
assisting victim sites/networks with expertise
20
Defining what you will (not) do
Academic and Research Network of Slovenia
dealing with intrusions
relaying reports
giving advice on security issues
on-site assistance
determining active measures
investigating abuse
21
Availability
Academic and Research Network of Slovenia
working hours
additional ad-hoc coverage during
non-working hours
paging service
around the clock availability
on-site inspections
22
Scope of work
Academic and Research Network of Slovenia
what platforms will you cover
types of incidents
research on vulnerabilities
standalone projects (hardware and software
evaluations, testing hosts and networks,
securing specific sites, …)
23
Defining constituency
Academic and Research Network of Slovenia
by parent ISP organisation
by geographical/national criteria
by organisational criteria
question of constituency is related to community
that will fund the CSIRT
24
Communicating with your constituency
Academic and Research Network of Slovenia
guarantee non-disclosure of information
give feedback on incident resolution progress
don’t interfere with sites’ security policies, but
offer advice
25
Communicating with other CSIRTs
Academic and Research Network of Slovenia
make yourself known to the CSIRT community
work with other teams
submit your information to Trusted Introducer
get your team’s PGP key signed by other
CSIRTs (key signing parties at conferences)
26
Communicating with law enforcement
Academic and Research Network of Slovenia
law enforcement will probably be unprepared for
dealing with computer crime
find the proper department that will understand
basic issues
require advice about local law
assist them willingly, don’t let them abuse your
availability
27
Outline of the presentation
Academic and Research Network of Slovenia
security issues
what is CSIRT
overview of collaboration efforts
TERENA TF-CSIRT
28
History of CSIRT collaboration efforts
Academic and Research Network of Slovenia
1992
• RARE established the CERT Task Force, which was active
until 1994. The CERT-TF concluded that there was an urgent
need for a European incident response centre.
1993
• First meeting of European CERTs and interested parties was
held in Amsterdam.
1994
• Series of discussions and initiatives for an European CERT
Coordination Center by RARE/TERENA
29
History of CSIRT collaboration efforts
Academic and Research Network of Slovenia
1995
• TERENA forms the task force CERIE, which forms a report
outlining the functioning of a possible European CERT
Coordination Center
1996
• Proposal for European CERT/CC won by DANTE/UKERNA
consortium
1997
• Official start of SIRCE project (also called EuroCERT)
1999
• SIRCE/EuroCERT project finished
30
The results of 1990’s efforts
Academic and Research Network of Slovenia
the need for collaboration is apparent
various teams with different constituencies
European-wide CSIRT is currently not feasible
will to continue working together on specific
issues that are of common interest
31
Outline of the presentation
Academic and Research Network of Slovenia
security issues
what is CSIRT
overview of collaboration efforts
TERENA TF-CSIRT
32
TERENA TF-CSIRT task force
Academic and Research Network of Slovenia
http://www.terena.nl/task-forces/tf-csirt/
formed in May 2000
participants are European CSIRTs from
research, commercial and governmental
networks in Europe and neighbouring countries
more gradual approach
concentrate on specific projects
33
Aims of TF-CSIRT
Academic and Research Network of Slovenia
to provide a forum for exchanging experiences
and knowledge
to establish pilot services for the European
CSIRTs community
to promote common standards and procedures
for responding to security incidents
to assist the establishment of new CSIRTs and
the training of CSIRTs staff
to co-ordinate other joint initiatives
34
Activities of TF-CSIRT
Academic and Research Network of Slovenia
seminars and meetings (every 4 months)
TI – Trusted Introducer service
IODEF – Incident Object Description and
Exchange Format
security contact information in RIPE database
assisting the establishment of new CSIRTs
training of new (staff of) CSIRTs
35
TI – Trusted Introducer service
Academic and Research Network of Slovenia
http://www.ti.terena.nl/
establishing level of trust between CSIRTs
– level 0 team: the team exists
– level 1 team: team has applied for level 2 status
– level 2 team: the team is recognised
team information is checked regulary
if you are a security team:
– fill the form http://www.ti.terena.nl/templates/l0-new.txt
– send it to [email protected]
36
IODEF working group
Academic and Research Network of Slovenia
the goal:
– “define a common data format and common
exchange procedures for sharing information needed
to handle an incident between different CSIRTs”
the results will include:
– The Incident Object Data Model specification
– The IODEF XML Data Type Description
– Tools for using the IODEF XML DTD
37
Training workshop
Academic and Research Network of Slovenia
workshop will train staff of existing CSIRTs or
help new CSIRTs
workshop will encompass the following:
–
–
–
–
–
legal issues
organisational issues
technical issues
market issues
operational issues
38
Conclusion
Academic and Research Network of Slovenia
network security is a basic need
larger networks need to form a CSIRT
existing CSIRTs wish to cooperate
different needs require a gradual approach
let others know you exist
39
References
Academic and Research Network of Slovenia
http://www.terena.nl/task-forces/tf-csirt, TERENA TF-CSIRT
http://www.ti.terena.nl/, TI – Trusted Introducer
http://www.first.org/, FIRST – Forum of Incident Response and
Security Teams
http://www.cert.org/, CERT Coordination Center