Cert adli wahid_iisf2011
Ministry of Science, Technology and Innovation
Computer Emergency Response Team Co-ordination Centre (CERT/CC)
Adli Wahid, VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
E: [email protected] T: adliwahid
Agenda
• Concepts
• The Case of a CERT/CC
• MyCERT Case Study
• Conclusion
Incident Response and Handling
• Incident Response is all of the technical components required in order to analyze and contain an incident.
– Required skills, e.g. networking and log analysis, computer forensics, malware reverse engineering
• Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
– Goals: protect and restore
Objectives of Incident Handling
1. To mitigate or reduce risks associated with an incident
2. To respond to all incidents and suspected incidents based on a pre-determined process
3. Provide unbiased investigations on all incidents
4. Establish a 24x7 hotline/contact to enable effective reporting of incidents
5. Control and contain an incident
– Affected systems return to normal operation
– Recommend solutions
6 Steps Of Incident Handling (diagram of six numbered steps; only the step labels Preparation and Eradication survive in the transcript)
CERT/CSIRTs
• Components
– Constituency
– Mission
– Organization
– Funding
– Services
– Policies and Procedures
• This requires a TEAM
CERTs/CSIRTs Services
Reactive
1. Incident Response and Handling
2. Advisories
Proactive
1. Watch and Warn / Threat Monitoring
2. Research and Development
3. Training and Outreach/Awareness
4. Cyber Security Crisis
THE CASE FOR A CERT/CC
Good vs Evil
Law Enforcement, Providers, CSIRTs, Sys Admins
VS
Criminals, Spammers, Bot Herders, Phishers
Motivation of a National CSIRT
• Point of contact for incident reporting
– National (Trusted) PoC for Internal & External reporting
– Incident co-ordination (with LEs, other CERTs/CSIRTs)
– Collaboration & Intel Exchange
• Situational Awareness
• Improving laws and regulations
• Provide assistance to Internet users
• Protection of Critical Infrastructure
Different types of Incidents
• The ‘Usual’ Stuff
– Malware
– Denial of Service
– Online Fraud/Scams
– Identity Theft
• Cyber Crisis
– Anonymous Attack
– APT / Targeted Attacks
– Global Outbreaks
Handling Local Banks Phishing Incidents
• Things to do
– Prevent people from visiting the phishing site
• Remove
• Block
– Recover stolen credentials
• Email account
• Database
– Assist victim to make reports
– Co-ordinate with Bank and Law Enforcement
– Detect phishing sites faster
• Do it yourself or get others to feed you
Issues & Challenges
• Mandate & Constituencies
– Who should ‘report’ to ‘whom’
– Who should handle what
• End-to-End Resolution
– I have reported the incident, can we catch the bad guy? Can I have my money back?
– One stop centre
MYCERT
Incident Handling / Cyber999
Malware Research Centre
Co-ordination Centre
• MyCERT was established in 1997 and deals mostly with technical teams, CSIRTs, LEs
• Cyber999, launched in 2008, allows all to report to MyCERT
• A lot of incidents were affecting Internet users at large
– Phishing, Malware (botnets), Online Fraud, Harassment
• Cyber999 provides a one stop centre for incident reporting
• Launched in 2009
• Previously a ‘watch and warn’ or ‘early warning’ function
• Specializes in malware analysis / tracking
• Activities
– Operates the distributed honeynet project
– Produce tools / services
– Execute the national cyber security exercise
– Issues advisories and alerts, special reports
Tools from our Lab
• DNSWatch
• MYPHPIPS
http://www.mycert.org.my/en/resources/security_tools/main/main/detail/768/index.html
National Cyber Crisis Exercise (X-Maya)
• Led by the National Security Council since 2008
• Improve readiness and situational awareness among CNII agencies
– National Threat Level
– Reporting structure in a crisis
• CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players
Conclusion
• Central co-ordination point is critical
• Helps drive other national level initiatives, e.g. awareness, training, critical infrastructure protection, certification programmes
• Working together is the best way forward
Questions
• CyberSecurity Malaysia: http://www.cybersecurity.my
• MyCERT: http://www.mycert.org.my
• Email: [email protected]
• Twitter: adliwahid