Handling an incident in CERT-EU

FIRST - 2017

Emilien LE JAMTEL

emilien.le.jamtel@cert.europa.eu

Introduction

• CERT for European Institutions, Agencies, and Bodies.

• Created in 2011.

• Operational support to infrastructure teams.

• Defence against targeted cyber threats.

• Hub of information and skills.

Constituents

• Around 60 organisations

• From 40 – 40.000 users

• Seperate, heterogenous networks

• Cross-sectoral

– Government, foreign policy, embassies

– Banking, energy, pharmaceutical, chemical, food, telecom

– Maritime, rail and aviation safety

– Law enforcement (EUROPOL, FRONTEX, EUPOL) and justice

– Research, hi-tech, navigation (GALILEO), defence (EUMS, EDA)

• High-value targets

4

• Step-by-step incident case

• Focus on tools and exchange of information

• With external entities

• Between CERT-EU teams

• Involved parties

Content of this presentation

5

P F A T C

Partners First Response

Team

Analysts Threat Intelligence

Team

Constituents

CERT-EU

Chapter 1

Initial alert

P

F

A

Chapter 2

Sharing

P

F

C

Threat Intel

Database

Partners

ConstituentsCERT-EU

SOC

PGP email

CSV

CSV

Chapter 3

Hunting

F

Building Blocks

• Log management tool:

• IDS:

• Cyber Threat Intelligence database: CERT-EU

• Monitoring:

16

CERT-EU Infrastructure

17DNS EmailProxy

FireEye

Splunk Indexer

Constituent X

DNSEmail

Proxy

SourceFire

Splunk Indexer

Constituent Y

Splunk Search Head

Cyber Threat Intelligence

Intelligence Sources

- Partners

- OSINT

- Monitoring

CERT-EU

AbuseHelper Incident

Handling

Team

SourceFire

DNS Proxy

Splunk Indexer

Constituent Z

Log Sources

Web traffic:

» DNS

» Proxy

Emails:

» Exchange

» Mimesweeper

Hosts:

» Sysmon

» Applocker

» McAfee

Appliances:

» Sourcefire

» Ironport

» FireEyeFuture :

► Firewalls

► Active Directory

► Servers

► Reverse Proxy

18

DNS EmailProxy Mimesweeper SourceFire

AV (McAfee)

Splunk Indexer

Sysmon:

powershell,

applocker, events,

cmd

Constituent

T

A

C

Th0r Packages

• Preparation

– YARA rules

– Evil hashes

– Custom filenames characteristics

• Distribution

– GPO

– Endpoint Management

• Reporting and analysis

– Text/HTML report

– Splunk app

C

A

T

Chapter 4

New evidence

C

Constituents details

CERT-EU deliverables

Indicator search

File Analysis

Vulnerability scanning

Customer Portal

P

A

Peers - Partners

Chapter 5

Another infection?

F

A

Splunk:Network

30

F

Splunk & CTI

31

T

F

Drill-Down

32

F

A

Chapter 6

And now what?

Technical Report

Analysis of campaign

A

T

ReportsCITAR

CITAR-FlashAlerts

Technical Products

Incident Reports

Incident Timeline

Technical details

Recovery

Advisories

Technical description

Detection Mechanism

Prevention

Reaction

Feeds

IOCs

Detection rules

IT administrators

Incident Response teams

SOC teams

Near Real time

Tactical Products

CITAR

Tactical Context

Threat type and level

TTPs

Structured course of

action

CITAR-FLASH

Ongoing campaigns

Targeted entities

Short-term course of

action

Whitepapers

Based on incidents

Peer-reviewed

CIO

Incident Response teams

Significant

Campaigns

Strategic Products

Security Brief

One page

Commented threat

New TTPs

Threat Landscape

Threat evolution

Adversaries profiling

Sectorial

High-level course of

action

CIO / CEO

Policy makers

Periodic Bulletin

Epilogue

What we didn’t speak about

• Red Team

• Vulnerability Assessment services

• Bugbounty program

• Research and whitepapers

• Automation framework (AH)

• Workshops / trainings

• …

40

Thank You

https://cert.europa.eu/

https://github.com/certeu/

41