How to Build a CIRT based on Open source tools
Marwan BEN RACHED, Technical Officer - Cybersecurity, ITU
Baku, Azerbaijan, 3-7 September 2018
ITU Cyber Drill - ALERT (Applied Learning for Emergency Response Teams) for CIS Region
The Basic Services Offered by a National CIRT

National CIRT departments: Incident Response Center; Consulting and Technical Assistance Department; Awareness and Communication Department

SERVICE AREA: Service
• INCIDENT MANAGEMENT: Incident handling; Incident analysis; Incident mitigation and recovery
• ANALYSIS: Artifact analysis
• SITUATION AWARENESS: Development and curation of security intelligence
• INFORMATION ASSURANCE: Risk management
• OUTREACH AND COMMUNICATION: Security awareness raising; Knowledge sharing and publications dissemination
Incident Response Center
Alerting and Reporting

Request Tracker for Incident Response (RTIR)
• https://www.bestpractical.com/rtir
• Purpose-built for CSIRTs
• Developed in cooperation with many security teams to ensure it meets the needs of incident response.
Open Technology Real Services (OTRS)
• http://www.otrs.com/software
• The flexible open source service management software
• Screenshots: Dashboard, Tickets
osTicket
• http://osticket.com
• Custom fields
• Rich HTML
• Ticket filters
• Auto responder
CSIRT Web Portal
Incident Response Center
Active Monitoring

Architecture diagram (components): events gathering unit, correlation units, database, synchronization server, update server, firewall/VPN. Monitored constituents: ISP, Ministries, Health, Transport, Energy, Financial Institutions.
Deployment diagram: partner networks (ISP, Ministries, Data Center, Critical infrastructure) connected to the CIRT.
• Snorby: https://github.com/Snorby
• Graylog: www.graylog.org
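The active monitoring diagrams name the components (sensors at partners, an events gathering unit, correlation units) but not what a correlation unit actually computes. The following is an added example, not from the presentation and not Snorby's or Graylog's code, of one rule a national CIRT wants first: a source address that raises IDS alerts at two or more partner sensors inside a time window, which a single partner's SOC can never see on its own. It parses Snort/Suricata fast-format alert lines. The sensor names, the sample alerts (including their SIDs and messages) and the year 2018 are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Snort/Suricata "fast" alert line. The Classification field is optional and
# ports are optional because ICMP alerts carry none.
FAST_ALERT = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s+->\s+"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?\s*$"
)

YEAR = 2018  # fast-format timestamps carry no year; assumed for the constructed sample


def parse_fast_alert(line):
    """Return a dict for a well-formed fast alert line, or None so bad input is skipped."""
    m = FAST_ALERT.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d-%H:%M:%S.%f").replace(year=YEAR)
    return {
        "ts": ts,
        "sid": int(m.group("sid")),
        "msg": m.group("msg"),
        "priority": int(m.group("prio")),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
    }


def correlate(events, window_seconds=3600, min_partners=2):
    """Flag source IPs that raise alerts at >= min_partners distinct partner sensors
    within window_seconds. events: iterable of (sensor_name, raw_alert_line)."""
    by_src = defaultdict(list)
    for sensor, line in events:
        alert = parse_fast_alert(line)
        if alert is None:
            continue  # unparsable line: drop it rather than stall the correlation unit
        by_src[alert["src"]].append((alert["ts"], sensor, alert["sid"]))

    findings = []
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if (h[0] - t0).total_seconds() <= window_seconds]
            partners = sorted({h[1] for h in in_window})
            if len(partners) >= min_partners:
                findings.append({
                    "src": src,
                    "partners": partners,
                    "sids": sorted({h[2] for h in in_window}),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                break  # one finding per source is enough to open an escalation ticket
    return findings


# Constructed sample: (sensor, line) pairs as the events gathering unit would hand them over.
SAMPLE_EVENTS = [
    ("isp-sensor", "09/03-10:15:22.123456  [**] [1:1000001:1] LOCAL webshell response [**] "
                   "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:4444 -> 10.0.0.7:80"),
    ("health-sensor", "09/03-10:31:05.000000  [**] [1:1000003:2] LOCAL suspicious inbound to MySQL 3306 [**] "
                      "[Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:51022 -> 10.20.0.4:3306"),
    ("ministries-sensor", "09/03-10:40:00.500000  [**] [1:1000004:1] LOCAL ssh brute force [**] "
                          "[Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.9:40000 -> 10.30.0.2:22"),
    ("energy-sensor", "09/03-10:00:00.000000  [**] [1:1000002:1] LOCAL modbus scan [**] "
                      "[Priority: 2] {TCP} 203.0.113.77:3333 -> 10.40.0.9:502"),
    ("finance-sensor", "09/03-14:00:00.000000  [**] [1:1000002:1] LOCAL modbus scan [**] "
                       "[Priority: 2] {TCP} 203.0.113.77:3334 -> 10.50.0.9:502"),
    ("isp-sensor", "this line is not a fast alert"),
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['src']} seen at {len(f['partners'])} partners {f['partners']} "
              f"between {f['first_seen']} and {f['last_seen']}")
```

With the one-hour default only 203.0.113.5 is reported (ISP and Health within 16 minutes); 203.0.113.77 hits Energy and Finance four hours apart and only surfaces when the window is widened, which is the knob the correlation unit exposes to the analysts.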
Incident Response Center
Passive Monitoring
Incident Response Center
Public Feeds
• Web defacement: http://www.zone-h.org/archive/special=1
• Phishing: https://www.phishtank.com/asn_search.php
• Malware: https://www.malwaredomainlist.com/mdl.php
• Botnet: https://zeustracker.abuse.ch/monitor.php
Incident Response Center
HoneyNet Platforms
• T-Pot: honeypot platform, http://dtag-dev-sec.github.io/
Incident Response Center
Collective Intelligence Framework (CIF)
• csirtgadgets.org/
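The public feeds listed above only become "curated security intelligence" once they are normalized, de-duplicated across sources and searchable, which is the job CIF does. The following added example (not CIF's code and not from the presentation) shows the smallest version of that pipeline: a PhishTank-style verified-phish CSV and an abuse.ch-style domain blocklist are merged into one indicator set keyed by normalized domain, then matched against proxy log lines, including subdomains of a listed domain. The feed excerpts, the log lines and their field layouts are constructed for this example and only approximate the real feeds, so check the current format before wiring it in; some of these feeds (ZeuS Tracker among them) have since been retired.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed excerpt in the shape of PhishTank's verified_online.csv export.
PHISHTANK_CSV = """phish_id,url,phish_detail_url,submission_time,verified,verification_time,online,target
5000001,http://login-example.invalid/secure/,http://www.phishtank.com/phish_detail.php?phish_id=5000001,2018-09-01T08:00:00+00:00,yes,2018-09-01T09:00:00+00:00,yes,Other
5000002,https://Bank-Update.example/index.php?id=7,http://www.phishtank.com/phish_detail.php?phish_id=5000002,2018-09-02T10:00:00+00:00,yes,2018-09-02T11:00:00+00:00,yes,Other
5000003,http://stale.example/,http://www.phishtank.com/phish_detail.php?phish_id=5000003,2018-08-01T10:00:00+00:00,yes,2018-08-01T11:00:00+00:00,no,Other
"""

# Constructed excerpt in the shape of an abuse.ch domain blocklist: comments and one domain per line.
ZEUS_DOMAINS = """# ZeuS Tracker domain blocklist (constructed excerpt for this example)
c2.botnet-example.net
bank-update.example.
"""

# Constructed proxy log: timestamp, client IP, requested URL.
PROXY_LOG = [
    "2018-09-03T10:02:11Z 10.0.0.5 http://login-example.invalid/secure/",
    "2018-09-03T10:05:40Z 10.0.0.9 https://www.example.org/",
    "2018-09-03T10:07:02Z 10.0.0.5 http://update.c2.botnet-example.net/gate.php",
    "2018-09-03T10:09:55Z 10.0.0.12 http://BANK-UPDATE.example/index.php?id=7",
]


def normalize_domain(name):
    """Lower-case and strip the trailing dot so the same domain from two feeds collides."""
    return name.strip().rstrip(".").lower()


def load_phishtank(text):
    """Yield (domain, source, tag) for entries that are both verified and still online."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        if row.get("verified") != "yes" or row.get("online") != "yes":
            continue
        host = urlsplit(row["url"]).hostname or ""
        if host:
            out.append((normalize_domain(host), "phishtank", row.get("target")))
    return out


def load_domain_list(text, source):
    """Yield (domain, source, None) from a one-domain-per-line list with # comments."""
    out = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            out.append((normalize_domain(line), source, None))
    return out


def build_indicators(*feeds):
    """Merge feeds into {domain: {"sources": set, "tags": set}}; duplicates gain sources."""
    merged = defaultdict(lambda: {"sources": set(), "tags": set()})
    for feed in feeds:
        for domain, source, tag in feed:
            merged[domain]["sources"].add(source)
            if tag:
                merged[domain]["tags"].add(tag)
    return dict(merged)


def lookup(indicators, host):
    """Return the listed domain matching host or one of its parents (never the bare TLD)."""
    labels = normalize_domain(host).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None


def scan_proxy_log(lines, indicators):
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        ts, client, url = parts[0], parts[1], parts[2]
        host = urlsplit(url).hostname
        if not host:
            continue
        ioc = lookup(indicators, host)
        if ioc:
            hits.append({"ts": ts, "client": client, "url": url, "indicator": ioc,
                         "sources": sorted(indicators[ioc]["sources"])})
    return hits


if __name__ == "__main__":
    iocs = build_indicators(load_phishtank(PHISHTANK_CSV), load_domain_list(ZEUS_DOMAINS, "zeustracker"))
    for h in scan_proxy_log(PROXY_LOG, iocs):
        print(f"{h['ts']} {h['client']} -> {h['indicator']} (sources: {', '.join(h['sources'])})")
```

Two details carry the curation point: the offline PhishTank entry is dropped at ingest, and "Bank-Update.example" from one feed and "bank-update.example." from the other collapse into a single indicator that records both sources, so an analyst sees corroboration rather than two tickets.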
Digital Forensic Tools
• REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware (malware and memory forensics)
• The Interactive Disassembler (IDA): https://www.hex-rays.com
• Cuckoo Sandbox is a malware analysis system. https://cuckoosandbox.org/
• VirusTotal is a free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, trojans, and all kinds of malware. https://www.virustotal.com/ Files uploaded to VirusTotal are shared with its partners, so look up the hash first and keep sensitive incident artifacts in an in-house sandbox such as Cuckoo.
• Malwr: automated malware analysis sandboxes and services. https://malwr.com/
Example of Security Assessment tools
Security Assessment tools
• Kali Linux: www.kali.org
• Tenable: https://www.tenable.com/
• Static code analysis: RIPS (PHP), rips-scanner.sourceforge.net/
Example of Alerts, Warnings and Announcements Tools
• phpList (mailing list manager): https://www.phplist.com/
• Taranis, monitoring threats and vulnerabilities: https://www.ncsc.nl/incident-response/taranis.html