Introduction to CSIRTs
TRANSCRIPT
Security Incident Response Capabilities & CSIRTs
Adli Wahid
• Security Specialist @ APNIC
• [email protected]
• Member of INTERPOL Cyber Crime Expert Group
• Let's Connect
• Twitter: @adliwahid
• LinkedIn: Adli Wahid
• APNIC's Blog: https://blog.apnic.net
Security Resilience
Security by Design
Security in Deployment
Security in Operation
Security in Breach
Ecosystem
Network Operators / Service Providers
Law Enforcement / Judiciary
Policy Makers
End Users / Consumers
National CERTs / CSIRTs | Cyber Security Agency
Hardware / Software Vendors
Why?
1. Get notified
2. Reduce Impact of Security Incident
3. Understand the (root) cause
4. Do Something About It
Get Notified
• How can other CERTs/CSIRTs contact you?
o Incidents
o Source of Security Incidents
o Suspicious activities
o Threat Information
• Whois db and other means
o APNIC's Whois Accuracy initiative
• Will you do something about it?
o Awareness
o Capabilities
o Policies & Procedures
• All of the above: Preparedness
irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        [email protected] 20110704
source:         APNIC
https://blog.apnic.net/2016/09/27/lea-stakeholders-enter-whois-discussion/
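The IRT object on this slide is the record another team queries to learn where an incident report for a network should go. As an added example, written for this page and not code from the slides or from APNIC, the Python below parses an RPSL object of that shape (repeated attributes, "+" or indented continuation lines) and selects the abuse-mailbox contact, falling back to e-mail when the abuse address is absent or filtered out of the public view. The IRT-EXAMPLE-AP record, its handles and every mailbox in it are constructed placeholders.

```python
# Added example (not from the slides): parse an APNIC-style IRT object in RPSL
# "attribute: value" form and pull out the contacts a CSIRT would notify.
# The record below is constructed; the handles and mailboxes are placeholders.
from collections import defaultdict

SAMPLE_IRT = """\
irt:            IRT-EXAMPLE-AP
address:        Example City, Example Country
e-mail:         irt@example.net
abuse-mailbox:  abuse@example.net
admin-c:        XX1-AP
tech-c:         XX1-AP
auth:           # Filtered
remarks:        Example Infrastructure Services
mnt-by:         MAINT-EXAMPLE-AP
changed:        hostmaster@example.net 20110704
source:         APNIC
"""


def parse_rpsl(text):
    """Parse one RPSL object into {attribute: [values]}.

    Attributes may repeat (several remarks: lines, for instance), so each
    attribute maps to a list. A line starting with whitespace or '+' continues
    the previous attribute's value, as RPSL allows.
    """
    obj = defaultdict(list)
    last = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0] in " \t+":
            if last is not None:
                obj[last][-1] += " " + raw.lstrip(" \t+").strip()
            continue
        # Split on the first colon only, so IPv6 or URL values stay intact.
        key, _, value = raw.partition(":")
        key = key.strip().lower()
        obj[key].append(value.strip())
        last = key
    return dict(obj)


def notification_contacts(irt_obj):
    """Return (abuse_mailbox, general_emails) for a parsed IRT object.

    abuse-mailbox is where incident reports should be sent; e-mail is the
    general team contact used when no usable abuse-mailbox is present.
    Values the registry has hidden from public queries ("# Filtered") are
    skipped so a placeholder is never treated as a real address.
    """
    def real(values):
        return [v for v in values if "@" in v and not v.startswith("#")]

    abuse = real(irt_obj.get("abuse-mailbox", []))
    general = real(irt_obj.get("e-mail", []))
    return (abuse[0] if abuse else None, general)


if __name__ == "__main__":
    parsed = parse_rpsl(SAMPLE_IRT)
    print(parsed["irt"][0], notification_contacts(parsed))
```

Keeping every attribute as a list matters in practice: an object with two abuse-mailbox lines, or remarks spread over several lines, would otherwise silently lose data, and the filtered-value check is what stops an automated notifier from "sending" to the literal text "# Filtered".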
Reduce Potential Impact
• Timeliness
• Security Incidents affect constituents'
o Operation
o Business
o Image/Brand
o Safety
• Understand the (root) cause
o Advise/Alert the constituents
• Reduce cost required to fix
Cryptolocker
http://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
Do Something About It
• Remediation
o Analysis
o Collaboration
o Escalation
• DDoS Example
o Fixing/removing vulnerable hosts
o Fixing/removing vulnerable services
o BCP38 / Source Address Validation
o Continuous Monitoring
• Join industry-wide initiatives
Shadowserver Foundation
https://www.cybergreen.net
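The DDoS remediation list above names BCP38 / Source Address Validation and Continuous Monitoring side by side. As an added example, not code from the slides or from any of the organisations named on them, the Python below models the BCP38 ingress rule on a provider's customer-facing port: a packet is forwarded only if its source address falls inside a prefix assigned to that port, and every dropped source is counted so the operator has something to monitor. The customer prefixes and the packet records are constructed; the addresses come from the documentation ranges.

```python
# Added example (not from the slides): a minimal model of BCP38 ingress
# filtering (source address validation) on a customer-facing interface.
# The assigned prefixes and the packet samples below are constructed.
import ipaddress
from collections import Counter

# Prefixes the provider has assigned to this customer port (constructed,
# drawn from the RFC 5737 / RFC 3849 documentation ranges).
CUSTOMER_PREFIXES = ["203.0.113.0/24", "2001:db8:1::/48"]

# Constructed ingress samples as (source, destination). The 198.51.100.7 and
# 2001:db8:9::5 sources lie outside the customer's prefixes, which is what a
# spoofed packet looks like at this port.
SAMPLE_PACKETS = [
    ("203.0.113.10", "192.0.2.53"),          # legitimate customer source
    ("203.0.113.77", "192.0.2.123"),         # legitimate customer source
    ("198.51.100.7", "192.0.2.53"),          # source not assigned to this port
    ("198.51.100.7", "192.0.2.123"),         # source not assigned to this port
    ("2001:db8:1::5", "2001:db8:ffff::1"),   # legitimate IPv6 customer source
    ("2001:db8:9::5", "2001:db8:ffff::1"),   # IPv6 source outside the /48
]


def build_ingress_filter(prefixes):
    """Return a predicate implementing the BCP38 rule for one interface:
    permit a source address only if it lies within a prefix assigned there."""
    nets = [ipaddress.ip_network(p) for p in prefixes]

    def permitted(src):
        addr = ipaddress.ip_address(src)
        return any(addr in n for n in nets if n.version == addr.version)

    return permitted


def apply_filter(packets, permitted):
    """Split packets into forwarded and dropped lists and tally the dropped
    source addresses; that tally is the signal worth exporting to monitoring,
    since a sudden rise means spoofed traffic is leaving a customer port."""
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if permitted(src) else dropped).append((src, dst))
    return forwarded, dropped, Counter(src for src, _ in dropped)


if __name__ == "__main__":
    rule = build_ingress_filter(CUSTOMER_PREFIXES)
    fwd, drop, counts = apply_filter(SAMPLE_PACKETS, rule)
    print(f"forwarded={len(fwd)} dropped={len(drop)} by source={dict(counts)}")
```

The rule is per interface, which is the whole point of BCP38: the provider knows which prefixes it handed to each customer, so it can reject anything else at the edge before it reaches a reflector or a victim elsewhere on the Internet.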
Mapping Threat to Incident Response
© NIST
NIST SP 800-61 Rev. 2 (2012)
Community of CSIRTs
• Trusted group
• Information Sharing
• Beyond that
o Lessons Learned
o Joint Projects (Standards, Tools, Frameworks)
o Joint Activities (Events, Drills)
o Resources (Training, Trainers)
o Mentoring
o Examples: FIRST.org, APCERT, NZITF
FIRST.org Fellows
https://www.first.org
CERT/CSIRT Activities in AP Region
• Partnerships
o Collaboration with FIRST.org
o MoU with Asia Pacific Computer Emergency Response Teams (APCERT)
o Share resources, promote initiatives
• Activities
o FIRST Technical Colloquia (Security Track) at APRICOT & APNIC Supported Events
o Cyber Security Workshops
o Training / E-Learning
• 2017
o FIRST-TC @ APRICOT
o More activities being planned
Tonga CERT Discussion
Security Workshop in Bhutan
Thank You