Introduction to CSIRTs

Posted on 15-Apr-2017


Security Incident Response Capabilities & CSIRTs

Adli Wahid, Security Specialist, adli@apnic.net

Adli Wahid

• Security Specialist @ APNIC
• Board Member @ FIRST.org
• Member of INTERPOL Cyber Crime Expert Group
• Let's Connect
o Twitter: @adliwahid
o LinkedIn: Adli Wahid
o APNIC's Blog: https://blog.apnic.net

Security Resilience

Security by Design

Security in Deployment

Security in Operation

Security in Breach

Ecosystem

Network Operators / Service Providers

Law Enforcement / Judiciary

Policy Makers

End Users / Consumers

National CERTs / CSIRTs | Cyber Security Agency

Hardware / Software Vendors

Why?

1. Get notified
2. Reduce Impact of Security Incident
3. Understand the (root) cause
4. Do Something About It

Get Notified

• How can other CERTs/CSIRTs contact you?
o Incidents
o Source of Security Incidents
o Suspicious activities
o Threat Information
• Whois db and other means
o APNIC's Whois Accuracy initiative
• Will you do something about it?
o Awareness
o Capabilities
o Policies & Procedures
• All of the above: Preparedness

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         helpdesk@apnic.net
abuse-mailbox:  helpdesk@apnic.net
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        hm-changed@apnic.net 20110704
source:         APNIC

https://blog.apnic.net/2016/09/27/lea-stakeholders-enter-whois-discussion/

Reduce Potential Impact

• Timeliness
• Security Incidents affect the constituents'
o Operation
o Business
o Image/Brand
o Safety
• Understand the (root) cause
o Advise/Alert the constituents
• Reduce cost required to fix

Cryptolocker

http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

Do Something About It

• Remediation
o Analysis
o Collaboration
o Escalation
• DDoS Example
o Fixing/removing vulnerable hosts
o Fixing/removing vulnerable services
o BCP38 / Source Address Validation
o Continuous Monitoring
• Join industry-wide initiatives
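The BCP38 / Source Address Validation bullet is the one remediation step on this slide that can be shown as logic rather than process. As an added example (not from the slides and not any vendor's filter syntax), the Python below models the ingress rule in miniature: a packet arriving on a customer-facing interface is forwarded only if its source address lies in a prefix assigned to that customer, and an interface with no configured prefixes forwards nothing, so a missing entry fails closed. The interface names, prefixes and flow records are constructed; only documentation address ranges are used. The per-interface drop count at the end is the figure a team would graph for the "Continuous Monitoring" bullet.

```python
import ipaddress
from collections import Counter

# Constructed: prefixes assigned to each customer-facing interface.
# Interface names and prefixes are hypothetical; documentation ranges only.
INGRESS_PREFIXES = {
    "ge-0/0/1": ["203.0.113.0/24"],
    "ge-0/0/2": ["198.51.100.0/25", "2001:db8:1::/48"],
}

# Constructed sample traffic as (ingress interface, source, destination).
SAMPLE_FLOWS = [
    ("ge-0/0/1", "203.0.113.17", "192.0.2.53"),         # inside customer prefix
    ("ge-0/0/1", "192.0.2.10", "198.51.100.8"),         # source not assigned here
    ("ge-0/0/2", "198.51.100.200", "192.0.2.53"),       # outside the /25
    ("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::1"),  # inside customer v6 prefix
    ("ge-0/0/9", "203.0.113.17", "192.0.2.53"),         # no filter for this interface
]


def build_filters(prefix_table):
    """Parse the prefix strings into ip_network objects once, per interface."""
    return {
        ifname: [ipaddress.ip_network(p, strict=True) for p in prefixes]
        for ifname, prefixes in prefix_table.items()
    }


def source_permitted(filters, ifname, src):
    """BCP 38 ingress rule: forward only if src lies in a prefix assigned to
    the interface it arrived on. An interface with no entry permits nothing,
    so a misconfiguration fails closed rather than open."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # not a valid address at all
    # An IPv4 address is never "in" an IPv6 network and vice versa.
    return any(addr in net for net in filters.get(ifname, []))


def classify_flows(filters, flows):
    """Split flows into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for flow in flows:
        ifname, src, _dst = flow
        (forwarded if source_permitted(filters, ifname, src) else dropped).append(flow)
    return forwarded, dropped


def drop_report(dropped):
    """Drops per interface: the number to watch over time. A sudden rise on
    one port means something behind it is emitting traffic with addresses
    that were never assigned there, which is what this filter exists to stop."""
    return dict(Counter(ifname for ifname, _src, _dst in dropped))


if __name__ == "__main__":
    filters = build_filters(INGRESS_PREFIXES)
    fwd, drop = classify_flows(filters, SAMPLE_FLOWS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}")
    print("drops per interface:", drop_report(drop))
```

On real equipment the same rule is expressed as an interface ACL or unicast RPF check, and the drop counters come from the device rather than from a list; the point of the model is that the decision needs nothing but the prefix assignment you already hold for each customer.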

ShadowServer Foundation

https://www.cybergreen.net

Mapping Threat to Incident Response

© NIST

NIST SP 800-61 rev 2 (2012)

Community of CSIRTs

• Trusted group
• Information Sharing
• Beyond that
o Lessons Learned
o Joint Projects (Standards, Tools, Frameworks)
o Joint Activities (Events, Drills)
o Resources (Training, Trainers)
o Mentoring
o Examples: FIRST.org, APCERT, NZITF

FIRST.org Fellows

https://www.first.org

CERT/CSIRT Activities in AP Region

• Partnerships
o Collaboration with FIRST.org
o MoU with Asia Pacific Computer Emergency Response Teams (APCERT)
o Share resources, promote initiatives
• Activities
o FIRST Technical Colloquia (Security Track) at APRICOT & APNIC Supported Events
o Cyber Security Workshops
o Training/E-Learning
• 2017
o FIRST-TC @ APRICOT
o More activities being planned

Tonga CERT Discussion

Security Workshop in Bhutan

Thank You

Adli Wahid, adli@apnic.net
