Post on 19-Jun-2020
CESNET-CERTS
Academic CSIRT Meeting, 17 Jun 2012
Malta
Andrea Kropáčová, andrea@cesnet.cz
CESNET-CERTS, http://csirt.cesnet.cz/
CESNET, z. s. p. o., http://www.cesnet.cz/
CESNET-CERTS
http://csirt.cesnet.cz
certs@cesnet.cz, abuse@cesnet.cz
Provided by CESNET
CESNET provides Czech NREN
CESNET has 26 members and about 300 „participants“
Responsibility:
CESNET2 network
AS2852
7 members (not full time)
2 are members of EGI
CESNET-CERTS History:
2003 „established“
Jan 2004 „listed“
Jan 2008 „accredited“
Apr 2008 we established CSIRT.CZ
Dec 2010 CSIRT.CZ was declared as National CSIRT of Czech Republic
Jan 2011 transfer of CSIRT.CZ to CZ.NIC started
Jun 2011 transfer of CSIRT.CZ finished
CESNET-CERTS (Inter)national cooperation:
Working group E-CRIME
Working group CESNET CSIRT
Working group IPv6
Working group CSIRT.CZ
Security forces of CZ
TERENA, TF-CSIRT, TI
ENISA
EGI
CESNET-CERTS Services:
incident handling and incident response for CESNET2
network traffic monitoring in CESNET2
gathering and correlating data
public sources
Shadowserver, UCEPROTECT, TeamCymru, DShield, NASK Polska
CESNET2
IDS (based on LaBrea), honeypots (Kippo, Dionaea), netflows, logs
forensics laboratory
CESNET Audit System
education
CESNET IDS
Based on LaBrea
watches unassigned address range of CESNET2
from 195.113.0.0/16
results (detected attacks)
source of the attack is from CESNET2
--> CESNET-CERTS incident handling
source of the attack is from Czech Republic
--> CSIRT.CZ
the rest ...
--> DSHIELD (http://www.dshield.org)
CESNET-CERTS Education:
workshops
presentation at local conferences
education of members of security forces
Working group CESNET CSIRT
„all security topics“
sharing, cooperation, education
feedback for CESNET-CERTS
training courses for university students
training courses for university employees
Course for students:
University provides: meeting room, invitation, (first presentation)
CESNET provides: speakers, presentation
http://csirt.cesnet.cz/ --> Služby --> Školení pro (nejen) studenty prvních ročníků
Topics:
CESNET and CESNET-CERTS
Law and cybercrime
Am I anonymous?
How to secure workstation
The world of Open Source
... on-demand ...
CESNET-CERTS IH
Incident handling and incident response
abuse@cesnet.cz, certs@cesnet.cz
„last resort“ for CESNET2
reports go directly to CESNET2 end networks
Environment for effective IH and IR
cooperation with abuse@ in end-networks
security incident classification
IH and IR work-flow
„proactive services“ – IDS, SSERV, ORR, UCE
transparent administration of AS2852
3 members of CESNET-CERTS are LIR
CESNET-CERTS AS2852 prefixes and the networks they belong to:
195.178.64.0/19 – CESNET
146.102.0.0/16 – University of Economics
147.32.0.0/15 – Czech Technical University
160.216.0.0/15 – University of Defence
158.196.0.0/16 – Technical University of Ostrava
147.228.0.0/14 – University of West Bohemia
147.251.0.0/16 – Masaryk University (CSIRT-MU)
158.194.0.0/16 – Palacky University
193.84.32.0/20 – Czech University of Life Sciences
193.84.160.0/20 – Nuclear Research Institute
195.113.0.0/16 – CESNET „participants“
193.84.192.0/19 – Silesian University
78.128.128.0/17 – CESNET „participants“
195.113.149.216
147.251.5.231
Incident handling
Ways and means we use to solve security incidents:
AP and AUP :-)
positive motivation
established cooperation, communication channels
existing legislation (as a „negotiation“ motivation)
experiences, knowledge of the local environment, contact
cooperation with NOC
blocking IP address/network
filters, QoS
no IH policy
no security policy
Incident handling
Why no IH policy? Why no security policy?
Security policy and IH policy designed in 2005
26 members ~= 26 opinions and goals
„policy should be more severe“
„policy should be softer (frame only)“
„we do not want a policy“
„we want policy, but this one is against our uni policy“
„we want policy, but ...“
Statistic (chart slides; data not preserved)
Security forces
In the beginning:
„Who owned IP address a.b.c.d on 12 Apr 2012 between 16:15 – 20:30?“
„How was the web changed/server hacked ...?“
„Who has this information?“
Education:
„How Internet works“ - IP, domains, services, SI
Where is information (about security incidents)?
logs (network and services)
netflows
mail headers, ...
Topics to discuss (1): How is your LIR policy?
all IP assignments are in RIPE DB?
do you use IRT objects?
all IP assignments covered by IRT object?
CESNET:
all IP assignments in RIPE DB: YES
IRT objects: CSIRT-MU only (147.251.0.0/16)
assignments covered by IRT object: CSIRT-MU only (147.251.0.0/16)
Topics to discuss (2): Automated IH?
handwork?, (semi) automatic?
using OTRS, RT, RTIR?
tweaking OTRS, RT, RTIR?
CESNET:
handwork, OTRS monitors and helps with work-flow
OTRS
OTRS tweaking a lot :-)
data harvesting (IP, type of incident, ...)
creating report automatically
statistics
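As an added example (not CESNET's own code), the script below follows the routing decision from the CESNET IDS slide (source in CESNET2 → CESNET-CERTS, elsewhere in the Czech Republic → CSIRT.CZ, the rest → DShield) and the OTRS-style data harvesting and per-network statistics described here. The AS2852 prefix list is the one on the slides; the stand-in country lookup and the report line format are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# AS2852 (CESNET2) prefixes as listed on the slides
AS2852 = [ip_network(p) for p in (
    "195.178.64.0/19", "146.102.0.0/16", "147.32.0.0/15", "160.216.0.0/15",
    "158.196.0.0/16", "147.228.0.0/14", "147.251.0.0/16", "158.194.0.0/16",
    "193.84.32.0/20", "193.84.160.0/20", "195.113.0.0/16", "193.84.192.0/19",
    "78.128.128.0/17")]

# Stand-in for a country lookup: constructed (TEST-NET-3), not a real Czech allocation.
CZ_OUTSIDE_CESNET2 = [ip_network("203.0.113.0/24")]

def prefix_of(ip):
    """Return the AS2852 prefix containing ip, or None if it is not CESNET2."""
    return next((n for n in AS2852 if ip in n), None)

def route_detection(src):
    """Destination for an IDS hit, following the slide's decision list."""
    src = ip_address(src)
    if prefix_of(src):
        return "CESNET-CERTS"   # source inside CESNET2: own incident handling
    if any(src in n for n in CZ_OUTSIDE_CESNET2):
        return "CSIRT.CZ"       # elsewhere in the Czech Republic: national CSIRT
    return "DSHIELD"            # the rest: shared with DShield

# Constructed report lines in an "ip,type" shape (not any real feed's format).
SAMPLE_REPORT = """\
147.251.5.231,scanner
195.113.149.216,botnet_drone
147.32.80.9,scanner
198.51.100.7,scanner
"""
LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}),(\w+)$")

def harvest(report):
    """OTRS-style data harvesting: (prefix, incident type) for each CESNET2 hit."""
    hits = []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            net = prefix_of(ip_address(m.group(1)))
        except ValueError:      # malformed octet such as 999.1.1.1
            continue
        if net is not None:     # only CESNET2 addresses become tickets
            hits.append((str(net), m.group(2)))
    return hits

def statistics(hits):
    """Incidents per end network, the per-member statistics the slide mentions."""
    return Counter(net for net, _ in hits)
```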
Topics to discuss (3): For NREN CERT/CSIRT teams:
how many official CERT/CSIRT teams are in your constituency?
how many „security teams“ are in your constituency?
do you organize some working group for them?
how do you communicate with them?
CESNET:
official CERT/CSIRT teams: 1 = CSIRT-MU
„security teams“: presumed 26
working group: Working group CESNET CSIRT
communication: WG, WWW, e-mail ...
Topics to discuss (4): For NREN CERT/CSIRT teams (related to „Security policies“):
do you have security policies in your NREN?
do teams within your constituency have some duty to the NREN CERT/CSIRT?
CESNET:
security policies: AP and AUP
duty to NREN CERT/CSIRT: No
Topics to discuss (5): Do you provide some IDS? What?
Topics to discuss (6): Do you provide education of users, admins and other staff?
How do you provide this education?
CESNET:
YES, „Monty Python“
Workshops in CESNET, workshops in place
Topics to discuss (7): Technical and „political“ - do you have technical resources (technical or administrative = mandate) to block IP or part of the network?
CESNET:
Yes, we have an AP and AUP :-)
No, only established cooperation with NOC
Topics to discuss (8): How do you communicate with your constituency?
e-mail? www? blogs? social network? press?
(how) are you successful?
how do you try to achieve „be known and respected“?
CESNET:
e-mails, www, personally – Working group CESNET CSIRT
???
???
Topics to discuss (9): LEA
do you cooperate with them?
do you educate them?
some good/bad experiences?
?
Czech Republic
CESNET-CERTS (academic sector)
Created 2003, provided by CESNET
CSIRT-MU (academic sector)
Created 2008, provided by Masaryk University
CZ.NIC-CSIRT (internal)
Created 2008, Provided by CZ.NIC
ACTIVE24-CSIRT (internal)
Created 2012, provided by Active24
CSIRT.CZ (National CSIRT of Czech Republic)
Created 2008, Provided by CZ.NIC
CSIRT.CZ (National CSIRT)
Created in 2007 by CESNET-CERTS
Started on 3 April 2008 as a „last resort“ team
2008 – 2010 operated by CESNET (CESNET-CERTS)
Task of grant „Cyber Threats...“ funded by Ministry of Interior
Jun 2008 status „listed“ from TI
Dec 2010:
CSIRT.CZ declared as National CSIRT of The Czech Rep.
by Memorandum between MI and CZ.NIC
Jan 2011 – transfer to CZ.NIC started
Oct 2011 – „accredited“ by TI
Czech Republic
Jan 2007 – Ministry of Informatics was abolished
Feb 2010 – Cyber Security Department at Ministry of Interior
Main tasks:
To cooperate with other entities in the area of cyber security in accordance with the law on cyber security;
To coordinate activities of other institutions leading towards ensuring cyber security;
To coordinate Czech Republic’s representation in the area of cyber security at various international conferences, including attending international organisations’ (EU, NATO, etc.) meetings;
To ensure Governmental CSIRT operation;
To cooperate with independent professional entities in the area of cyber security;
To draft Czech Republic’s cyber security strategy;
To prepare a bill on cyber security.
Czech Republic
Dec 2010 – Memorandum between MI and CZ.NIC about „CSIRT.CZ becomes National CSIRT of Czech Republic“
Oct 2011 – the government resolution:
established NSA authority for area of cyber security
APPROVED the establishment of the National cyber security centre within the structures of the National Security Authority (NSA)
IMPOSED to launch a full operation of the National cyber security centre by 31 December 2015, including the governmental point of coordination for the immediate response to computer incidents (governmental CERT - Computer Emergency Response Team).
Feb 2012 – NSA launched "the cyber security substance matter"