
Page 1

Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders

Giza, 19th December 2011

Page 2

In recent years the number, type and impact of security incidents have been increasing.

Security Incident timeline

Dates shown on the timeline: 2007, 2008-2010, 7/2009, 2/2011, 11/2011, 2009-2010, 3-9/2011, 4-6/2011, 2/2011, 2007

• Internet distributed denial of service attack: 6 of the 13 root servers that form the foundation of the Internet were affected, two badly
• Stuxnet worm infected 100,000 industrial control systems with a worldwide geographic distribution
• A series of cyber attacks that swamped websites of the Estonian parliament, banks, ministries, newspapers and broadcasters
• A series of coordinated cyber attacks against major government, media, and financial websites in South Korea and the USA
• Major videogame companies under attack
• A main SSL certificate was compromised
• Massive DNS cache poisoning attack that affected millions of users in Brazil
• Titan Rain, a series of coordinated attacks on US army, navy and missile unit systems
• Cyber-attack hits Canadian government computers
• Operation Aurora, a sophisticated and targeted attack on international organizations

Page 3

Relevant CERTs were born to prevent and respond to incidents…

European CERTs Map 2011

Page 4

…they extended their services from being only a reaction force to a more complete security service provider, including preventive and quality services…

CERT Services

Reactive Services
• Alerts and warnings
• Incident Handling
• Incident Analysis
• Incident Response Support
• Incident Response Coordination
• Incident Response on site
• Vulnerability Handling
• Vulnerability Analysis
• Vulnerability Response
• Vulnerability Response Coordination

Proactive Services
• Announcements
• Technology Watch
• Security Audits or Assessments
• Configuration and Maintenance of Security Tools
• Development of Security Tools
• Intrusion Detection Services
• Security-Related Information Dissemination

Artifact Handling
• Artifact Analysis
• Artifact Response
• Artifact Response Coordination

Security Quality Management
• Risk Analysis
• Business Continuity and Disaster Recovery
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification

Page 5

…and at national, regional and international level CERT cooperation initiatives have started, but none only for the national private sector

Main cooperation initiatives

National initiatives
• CIRCA: national forum of cooperation from the public and private sector
• O-IRT-o: the Dutch o-IRT-o initiative associates CERT teams, including 31 organizations from the public and private sector
• Polish Abuse Forum: the Abuse Forum assembles a group of CERTs and security teams of Polish ISPs and ICPs (Internet Content Providers)
• CERT-Verbund: the initiative associates German security and incident response teams from various sectors
• UKCERTs: the British UKCERTs alliance is an informal forum of CERTs from different sectors

Regional/international initiatives
• CEENet: Central and Eastern European Association comprised of 23 national research/education networks
• EGC: a group of CERTs with governmental constituencies and national responsibilities in their countries
• APCERT: a CERTs coalition that ensures network security and incident response activities in the Asia Pacific Region
• NORDUnet CERT: assembles Scandinavian CERTs within NORDUnet (cooperation of Nordic national research networks)
• TERENA TF-CSIRT: a task force organised under TERENA
• FIRST: the biggest international forum of CERTs and other security teams

Page 6

Indeed, today CERTs still suffer from a lack of engagement, services, investment, mutual aid and coordination

CERTs improvement needs

As is
• No engagement
• No involvement in Incident Response
• Lack of coordination at the international level
• Only one-way services
• Lack of information sharing
• Lack of mutual aid
• No shared incident management policies and procedures
• No shared incident management strategies and framework

To Be
• Engagement
• Involvement in Incident Response
• Coordination at the international level
• Inter-sector and intra-sector cooperation
• Two-way services
• Information sharing and shared situational awareness
• Incident management mutual aid
• Shared incident management policies and procedures
• Shared incident management framework

Page 7

Responding to these issues, and in accordance with the common points of national strategies, GCSEC intends to create a Cyber Incident Response Coordination Capabilities (CIRC2) involving the private sector

Common key points and recommendations of national cyber security strategies

Relevant sectors to involve in the first stage:
• Energy Company
• Transportation Company
• Finance Company
• Telco Company

Page 8

Objectives of CIRC2 are information sharing, mutual aid, definition of shared policies/procedures, contribution to the regulatory framework, and private cooperation

CIRC2 Objectives
• Information sharing on threats, vulnerabilities, warnings, alerts, methodologies and tools for incident management
• Definition of shared incident management policies and procedures
• Mutual aid to directly enforce the CIRC2 members' capabilities of incident response
• Contribution to the definition of the national and international regulatory and policy framework
• Representation in the international context and facilitation of coordination between public and private stakeholders

Page 9

Only in the second stage could the CIRC2 be transformed into an effective Incident Response Joint Team of the Private Sector

To become an effective IR Joint Team, the IR Capability should take several actions, such as:
• establish the legal form of the organization (e.g. consortium)
• define the mission and the range and level of services that the IRT will offer (e.g. proactive or reactive services)
• define a funding model
• identify an organizational model
• define interactions/interfaces
• define incident response processes
• implement secure information systems and network infrastructures
• identify required resources

Incident Response Joint Team (Private Sector): IRT Energy Company, IRT Transportation Company, IRT Finance Company

Public National Italian Response Team (out of scope)

Comments: during the second stage of the project, a capability assessment of each IRT will be performed by GCSEC, in order to align them to best practice

Page 10

CIRC2 is based on a model composed of organization, processes and tools

CIRC2 Model
• Organization
• Processes
• Tools

Page 11

The model includes strategies, legal and administrative framework, organizational model and policies…

Organization main aspects (Illustrative)

Strategies
• Mission, vision, goals, objectives, constraints
• Participation strategy (members and other National Stakeholders) and minimum capability level
• Risk Management strategies
• Trust Model
• …

Legal & admin framework
• Legal entity
• Funding Model
• Non disclosure agreements (NDAs)
• Mutual Aid and Assistance Agreement
• …

Organization model
• Organizational model and structure
• Reporting structure, authority
• Roles and responsibilities
• Staff
• …

Policies
• Information sharing policy
• Incident classification and communication policy
• Trust communication policy
• Resource management policies
• Incident handling guidelines
• Risk management policy
• Interoperability policy
• …

Page 12

… management processes of CIRC2 …

Processes main aspects (Illustrative)
• Information sharing process
• Mutual aid and assistance process
• Communication and coordination process
• Risk management process
• Incident reporting process
• Incident classification process
• Incident coordinated response process
• Performance measurement process
• Shared resources (personnel, equipment, facilities, supplies, and other) management process
• Escalation process
• Emergency management process
• Post incident evaluation process
• Lessons learned and improvement process
• Incident management exercise process

Page 13

…all tools needed for cooperation, information sharing and incident management

Tools main aspects (Illustrative)
• Information sharing platform
• Technological instruments to support trust
• Early warning system
• Instruments for secure communications
• Incident forensics tools
• Other tools

Page 14

Each member will draw benefits from participation in the CIRC2

CIRC2 member benefits
• Some processes run more effectively and efficiently than if each member had implemented them individually (e.g. forensics and post-incident analysis)
• Information, knowledge and information sharing
• Better incident response through mutual aid and assistance
• Incident exercises and awareness building across the private sector
• Shared technologies and a common automated platform for security vulnerability identification and communication, alerts and warnings
• Cost reduction
• Resource sharing and staff exchange

Page 15

Other organizations/governments can benefit from the CIRC2 project

How to participate
• Be informed on CIRC2 development
• Support requirements definition
• Join the Pilot project