Fundamental of Computer Incident Handling

JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan.
Since its establishment in 1992,the center has been gathering computer security incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.
Fundamental of Computer Incident Handling
Yurie Ito Director of Technical Operation JPCERT/Coordination Center, Japan @CSIRT Training in AfNOG tutorial, Morocco 1 June, 2008
What is CSIRT? CSIRT: Computer Security Incident Response Team CERT: Computer Emergency Response Team CSIRT/CC: Coordination Center CERT: Computer Emergency Readiness Team IRT: Incident Response Team Many types of CSIRTs: - National POC CSIRT - Organization CSIRT - Government CSIRT - Military CSIRT - Academic Research CSIRT - Vendor/Product CSIRT - Regional CSIRT
Copyright 2008 JPCERT/CC All rights reserved.
Introduction / History
Morris Worm
Morris Worm
1988 November 2nd
Robert Tappan Morris University student Just a program to know how large the internet This incident was epoch of Internet Security
After Action
Effects of the worm
6,000 major Unix machine were infected
Someone guess that there were about 60,000 computer at that time.
To identify how to improve response to computer security incident
Cost of the damage estimated at $10M-100M
A call for a single point of contact to be established for Internet security problems
CERT/CC Web page http://www.cert.org/
FIRST
Forum of Incident Response and Security Teams Only worldwide CSIRT forum Top experts from across the field Neutral interconnect for vendors and others Low cost, low overhead
FIRST Resources
Technical Resources Expertise Resources 200 PoCs of Incident Response Teams from all over the world Tools Mailing Lists Web Site Best Practice Guides Team Contact details Presentations IRC Annual Conference Regional TCs (Technical Colloquia) Training Special Interests Group
Members -- http://www.first.org/about/organization/teams/
FIRST's incident response teams draw their members from, among others, Apple, Boeing, British Telecommunications, Cablecom, Cisco Systems, Citigroup, Commerzbank, Deutsche Bank, Energis, Ernst and Young, Fujitsu-Siemens, the German Savings Bank, Google, Goldman Sachs, IBM, Intel, JP Morgan, Merrill Lynch, NASA, NATO, Nortel, Oracle, the Royal Bank of Scotland, Sprint, Sun Microsystems, Symantec, Wells Fargo, the American Red Cross Computer Emergency Response Team, CERT Bundeswehr, CERT Chile, the Danish Computer Security Incident Response Team, CERT Italiano, CERT Israeli Academic, Japan Security Operation Centre, CSIRT Korea, CERT Malaysia, Ontario Information Protection Centre, CERT Polska, CERT Slovenia, CERT Singapore, CERT Swiss Education and Research Network, CERT Taiwan, CERT US Department of Defense, CERT HM Government, UK, CERT US Department of Defence, the US Army Emergency Response Team, the US Computer Emergency Readiness Centre, the US Postal Service Computer Incident Response Team, the Massachusetts Institute of Technology, Georgia Institute of Technology and the Universities of Chicago, Georgia, Indiana, Michigan, Northwestern, Oxford, Pennsylvania State, Rechenzentrum, Stanford, and Wisconsin-Madison.
Definition of Incident Response, Intrusion, and Events
11
Cyber Incident
When?
Why?
Spyware Botnets Phishing Troyjan etc.... Tools techniques
Social engineering Technical vulnerabilities What?
WHO?
How?
Where?
What is an Incident?
In order to respond we must recognize an computer security incident at first
No uniform agreement as to what constitutes an incident Its depend on what the organization defines
13
Computer Security Incident
Sample definition: Any real or suspected adverse event in relation to the security of computer system or computer networks (According to CSIRT FAQ in
CERT/CC)
JPCERT/CC definition
A Acomputer computersecurity securityincident incidentis isa acomputer computersecurity securityrelated related event eventcaused causedby byhumans, humans,including includingboth bothintentional intentionaland and accidental accidentalones. ones. Examples Examplesare: are:unauthorized unauthorizeduse useof ofresources, resources,service service interference, interference,destruction destructionof ofdata, data,unintended unintendeddisclosure disclosureof of information, information,and andother otherbehaviors behaviorsthat thatcan canlead leadto tothese theseevents. events.
14
Incident = Adverse event.
That threatens systems
Confidentiality Integrity Accessibility
Adverse event <= observable

DoS (Denial of Service) attack Unauthorized access
Web, Database, Host
Deface public Web site (by intrusion) Worm that infects workstation on a network Scan
15
What is the Incident Response? Incident Response is the process of addressing computer security incident.
Detecting / Analyzing the incident Limiting the incident effect
General goals are:

The progress of the incident is halted. Affected systems return to normal operation.
16
Identifies Intrusion
Observe system for unexpected behavior or anything suspicious Investigate anything considered unusual If the investigation finds something that isnt explained by authorized activity, immediately initiate response procedures
17
Incident samples
Scan activity to Firewall server Web defacement Information leakage Phishing site
Used a server as phishing site Your website used as phishing site
Intrusion (Web, Database, Ftp, Proxy, and so on) DoS attack to Web server Used a proxy server as open proxy SMTP relay Virus infection Forged e-mail and returned tons of error mails Laptop lost Malware distribution Become as a Bot One-click fraud Miss operation So many other incidents
18
Why CSIRT
19
What is CSIRT?
POC (Point of Contact) Coordination
CSIRT
Constituency
Response
Provides Service and Support
Constituency? Service?
Incident Response
20
What is CSIRT? - JPCERT/CC model

POC (Point of Contact) Coordination
CSIRT
Constituency
Response
Provides Service and Support Constituency? Internet community in Japan Service? Incident Response and Analysis, Security Alert, Coordination with other CSIRTs, Vendor Coordination, Education & Training, Research & Analysis
Incident Response
21
What is CSIRT? Why we need national POC?

CSIRT gains the trust of its constituency Culture understanding
Local culture and other countries culture Company culture Government culture
Legal Understanding Language

Local language English, French Other languages
22
Background
Many excuses for not planning for incident response, saying the following:
We are NOT a target. I do NOT believe that who would want to compromise our network. We can NOT be hacked. We have best network defenses that proved very expensive. We already plan but NEVER deal successfully with it. We were always putting out fires. We thought we would just figure it out WHEN THE TIME CAME.
23
Background
Depending on Internet/Computer to the extent that day-to-day operation
Internet is vital for business and daily life
Internet/Computer will help our activities in a cost-effective and efficient way
The Operator of Critical Infrastructure are concerned

The computer system are vulnerable to attack or being used to further attacks to others.
24
Background
Internet/Computer is complex and dynamic Interne is easily accessible to anyone with Computer and a network connection.
Less cross border than real world
There is NOT perfect system or user.

Miss to configure, outdated/unpatched system, Vulnerabilities in software, and lack of security awareness of users.
Possible intrusion/vulnerability in your and your constituency system !

25
Why Do I Need a CSIRT?

Malicious acts will happen
Even the best information security infrastructure can NOT guarantee. Attackers target to resources
What is their motivation ?
Technical interests Money
If Incidents occur, it is critical to have an effective means of responding. To limit the damage and lower the cost of recovery
Need to have the ability: Protect, Detect, Analyze and Respond to an incident. Professional should respond to an Incident
26
Cyber security Incident changes
Large scale, wide spreading incident (e.g. virus, worm out break, )
Specific Targeted Pin point incident, using powerful tool (e.g. Botnet)
Script Kiddies, Manias
Professionals, Criminals
Motivation: for Fun Stopping e.g. Denial of service Motivation: for Fame, Recognition - e.g. Web defacement
Motivation: Specific. Stealing ID, money, information (e.g. Phishing, ID theft)
Multiple Disciplines Cooperation Motivation

Need multiple communication network to share information timely and efficiently CSIRT to bridge the gap: Difficulties of communication between - Private sector and Public sector - Different function layers CSIRT, Policy Makers, Law enforcement - competitors - International Building a global distributed network of operational processes between CSIRT partners. Systemic sharing of information and resources using the trusted network will minimize the coordination effort Minimize potential for misunderstanding or mistakes when sharing sensitive information Disclosing information as appropriate, as necessary Keep working closely with private sectors, as independent neutral organization Reducing the potential impact of incidents and vulnerabilities
So, What does a CSIRT do?

Provides a single point of for reporting info@jpcert.or.jp for reporting incident office@jpcert.or.jp for general contact Vuls@jpcert.or.jp for vulnerability
Assists the organizational constituency and general computing community in preventing and handling computer security incidents Share information and lesson learned with other CSIRT / response teams and appropriate organizations and sites.
29
CSIRT Services
30
CSIRT Services
At first, responding Incident
Incident Handling
Incident response Incident analysis Incident coordination Statistics
Still other services

Vulnerability Artifact Education / Training Others
31
CSIRT Services Reactive

to respond requests for assistance reports of incidents from your constituency, and any threats or attacks against CSIRT systems.
Incident Handling
Incident analysis Incident response on site Incident response support Incident response coordination
Any other service ?

32
CSIRT Services
Reactive
to improve the infrastructure and security processes of the constituency before any incident or event occurs or is detected. The main goals are to avoid incidents and to reduce their impact and scope when they do occur.
Ex) Vulnerability Handling Vulnerability analysis Vulnerability response Vulnerability response coordination
With Vendor CSIRT
CISCO PSIRT, Hitachi HIRT, Microsoft MSRC
Proactive
Announcement
Alerts and Warnings

Technical Alert
Incidents, Vulnearbility, other internet security related information
Training, education
33
CSIRT Services
http://www.cert.org/csirts/services.html CERT/CC Definition

34
Important things to define

What to do? For whom? In What local setting? Place in Organization In cooperation with whom? Relationship to other teams Mission Constituency
35
Objective of Incident Response

Provide support for recovering from and dealing with incidents
Provide technical support in response to computer security incidents
Questions about technical solution
Help to stop the attack

How?
Contain the damage
The objective for the Incident Response will be derived from the CSIRT mission statement
36
JPCERT/CC National CSIRT Activities in Japan
JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan. Since its establishment in 1992, the center has been gathering computer incident and vulnerability information, issuing security alerts and advisories, and providing incident responses as well as education and training to raise awareness of security issues.
General Information about JPCERT/CC
Brief history Voluntarily started in 1992 as JPCERT/CC Officially established as JPCERT/CC funded by MITI (Ministry of International Trade and Industry - predecessor of METI) in August 1996 Service started on October 1st, 1996 Budgeted by METI Non-governmental, Not for profit Organization National CSIRT in Japan (Point of Contact for International relations) FIRST(Forum of Incident Response and Security Team) Full member (since 1998) APCERT(Asia Pacific Computer Emergency Response Teams) SC member, Secretariat
Our history
Oct 1996
Aug 1998
Japan Computer Emergency Response Center th activities) Vulnerability Handling (Proactive Joined FIRST Anniversary 10 Incident Response (Reactive service) Network Monitoring ISDAS (Realtime situation awareness)
Oct 2006
Mar 2003
Jul 2004
Oct 2006
Recent Internet trend and JPCERT/CC

1996 JPCERT/CC Employees 5 Incident response International teamwork 2002 13 Incident response International teamwork 2005 26 Incident response International teamwork
JPCERT/CC Activities
Traffic monitoring
Traffic monitoring Vulnerability handling (2004) Watch & warning
Internet users (Japan) Broadband users (Japan)
5.7 million (1997)
46 million (2002) 13 million (2002)
70 million (2005) 38 million (2005)
Origin: Access Media/impress2005AccessMedia International,2005 Copyright 2008 JPCERT/CC All rights reserved.
Budget
JPCERT/CCs activities are fully funded and budgeted by METI

METI: Ministry of Economy, Trade and Industry
Non Governmental, Not for profit, Industry/Vendor Neutral Organization
International incident handlings
Overcome the differences between Languages Security Cultures Rules, Laws, Regulations
Incident Response Coordination
6. Respond Source host
1. Suspicious access
2Detection Incident site
5. Request
Domestic ISPs
3Report
JPCERT/CC
4. Cooperate
Overseas CSIRTs
Japan
Overseas
Coordination and Information Sharing for situation awareness
ISP CSIRTs
JPCERT/CC
Vendor CSIRTs
Overseas CSIRTs (FIRST,APCERT) Researchers Academic
Governments, Critical Information Infrastructures
Vulnerability Handling
receive vulnerability reports From Japan, from Other Vulnerability Handling Teams verify and impact analyze the report is this really a vulnerability? what is effect of vulnerability? Population of the affected software? are exploits available? is the vulnerability actively being exploited?
Lesson learned from our CSIRT development Process

Vital to have a good understanding Sponsors to CSIRT activities. Get a capable trust CSIRT partners and ask them to lead you to the CSIRT network. JPCERT/CC case 1998 - CERT/CC Sponsors JPCERT/CC to the FIRST 2003 - Vul Handling Capability Building project 2004 - Vulnerability collaborative Handling Operation 2005 - Decision Support system project 2006 - Analysis Capability building Project Vital to being connected to the CSIRT Network/ community. Share resources, information, experience Security and Incident response is not a competitive service!
APCERT (Asia and Pacific) FIRST (Global) TF-CSIRT (Europe), OAS (Americas), GCC (Gulf)
Type of Security Incident
47
Type of Security Incident

no standard type Worm, virus, trojan, malware, cyber attack, intrusion, phishing, pharming, spyware, spam, cracking, hacking, scan, probe, vulnerability, blackmailing, targeted attack, harvesting, bot, relay, social-engineering, exploit, DoS, DDoS, zero-day, cross-site-scripting, cross-site-requestforgery, SQL Injection, skimming, man-in-the-middle, brute force, birthday attack, spoofing, smurf attack, alteration, slipping, cache poisoning, route poisoning, SYN flood attack, buffer overflow, stack overflow, heap overflow, return into libc, miss patching, miss operation, fraud, identity theft Should be talked on category
48
Category of Incident
So far, no consensus has emerged in the security community as to which taxonomy is the best According to the NIST Document:
Computer Security Incident Handling Guide,
(http://csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf)
we found the following: (Next few Slides)
49
Category of Incident
Denial of Service
an attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
Malicious Code
a virus, worm, Trojan horse, or other code-based malicious entity that infects a host
Unauthorized Access
a person gains logical or physical access without permission to a network, system, application, data, or other resource
Inappropriate Usage
a person violates acceptable computing use policies
Multiple Component
a single incident that encompasses two or more incidents.
50
DDoS attack by Bot example
DDoS
Internet
HERDER C&C
TARGET
Bot
51
Malicious Code (or malware)

Viruses
File Infector Viruses Boot Sector Viruses Macro Viruses Virus Hoaxes
Trojan Horses Worms Mobile Code Blended Attack

E-mail Windows shares Web servers Web clients
52
Unauthorized Access
The examples of unauthorized access are the following:
Remote root compromise Defacing web server Cracking password (by brute force)
ssh server example
Get credit card number

phishing
Get sensitive data (cf. medical information) Get User ID & Password Keeping pirated software and music files
53
Inappropriate Usage
The examples of unauthorized access are the following:
Download password cracking tool & pornography Send Spam e-mail Set up unauthorized Web site Use music (or pirated materials) sharing services Transfer sensitive data
Itll depend on your security policy or acceptable use policy

If your policy permit, it will not be a problem.
54
Multiple Component
1. Malicious code spread through e-mail compromises an internal workstation. 2. An attacker (who may or may not be the one who sent the malicious code) uses the infected workstation to compromise additional workstations and servers. 3. An attacker (who may or may not have been involved in Steps 1 or 2) uses one of the compromised hosts to launch a DDoS attack against another organization.
55
JPCERT/CC definition of Incident category

Scan
Scan/probe activity Mostly by worms an viruses Open relay mail server Open proxy server Other relay problems E-mail spoofing for From: Defacement Phishing is type of intrusion Server resource consumption Operating System termination Network resource consumption SPAM mail receiving Computer viruses infection
56
Abuse
Forged Intrusion
DoS : Denial-of-Service
Other
Incident reporting format of JPCERT/CC

1. Contact Info
Name Organization Name Division E-mail address or FAX number Information providing Question Request for coordination Other Source IP address or hostname Description about the incident System information of the system
IP address or hostname Protocol / Port number Hardware / OS Timestamp Timezone very important !!!
2.
Purpose of Reporting
1. 2. 3. 4.
3.
Summary of the Incident

4.
Log information
57
Timestamp problem
How to specify the date with this log information ?
Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 07/05/02 22:35:22
Possible 2007/May/2nd 2002/July/5th 2005/May/7th What is next action for this ?
58
Timezone problem
How to handle with this log information ?
Access from 192.168.100.200 to 10.55.166.28 TCP 445 port on 2007/Jan/15 22:35:22
You dont know where the reporter lives. You dont know where the server is placed. From your access log to outside network, no one used any computer on 2007/Jan/15 22:35:22 with your timezone. What is next action for this ?
59
Incident report format of MyCERT
60
Incident report format of CERT/CC
http://www.cert.org/reporting/incident_form.txt
61
References 1
CERT Coordination Center - CSIRT Development http://www.cert.org/csirts/ Handbook for CSIRTs http://www.cert.org/archive/pdf/csirt-handbook.pdf CSIRT Services http://www.cert.org/archive/pdf/CSIRT-services-list.pdf Organizational Models for Computer Security Incident Response Teams http://www.cert.org/archive/pdf/03hb001.pdf
62
References 2
Forum of Incident Response and Security Teams http://www.first.org/ Alphabetical list of FIRST Members http://www.first.org/members/teams/ Members around the world http://www.first.org/members/map/ TERENA - CSIRT Starter Kit http://www.terena.nl/activities/tf-csirt/starter-kit.html Asia Pacific Computer Emergency Response Team http://www.apcert.org/
63
CSIRT Culture and Philosophy
Yurie Ito Director JPCERT/CC
Philosophy of CSIRT
ensure objectivity and accuracy of information Cannot hide or suppress the truth Identifies the real problem Passionate about solving the problem and mitigate
But in the real world --
Because you are coordination center you will see - Political agendas get in the way. people dont cooperate. Funding depends on political agendas. All layer of the problems
Especially you are / will be -National POC CSIRT National Focal point within a country to coordinate incident handling activities Analyze incident and vulnerability information along with other teams, vendors, and technology experts to provide assessment for your constituency and communities Bridging the gaps brings together multiple different sectors (cross domain, cross public private sectors, cross boarder) Developing mechanism for trusted communication for your community
TRUST
Respect the confidentiality of information Keep up with current Intellectual property laws Set crystal clear information handling policy ensure objectivity and accuracy of information Provide useful information - reactive Mitigation
Security Culture in CSIRT Community
CSIRT Culture My Security is depending on your security 1. Collaboration Security is not competition Share expertise/Resource Best practices Web of TRUST most important thing for CSIRT Reputation business you live or die with this
2.
Timely manner of coordination Support each other Learn from mistakes Do not stop the information Information gathers where information flows Identifies Stakeholders How well you connected with your stakeholders with trust is a key
Be proactive Think worst case at all the time Be paranoid but do not scare people Always think how to fix the problem
You are part of the inter depending network Lets work together to make the global infrastructure more safe place

Fundamental of Computer Incident Handling

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Fundamental of Computer Incident Handling

Uploaded by

Copyright:

Available Formats

JPCERT/CC is an independent non-profit organization, acting as a national point of contact for the other CSIRTs in Japan.

Fundamental of Computer Incident Handling

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Cost of the damage estimated at $10M-100M

Copyright 2008 JPCERT/CC All rights reserved.

CERT/CC Web page http://www.cert.org/

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Definition of Incident Response, Intrusion, and Events

Copyright 2008 JPCERT/CC All rights reserved.

Spyware Botnets Phishing Troyjan etc.... Tools techniques

Social engineering Technical vulnerabilities What?

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Adverse event <= observable

Copyright 2008 JPCERT/CC All rights reserved.

General goals are:

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Provides Service and Support

What is CSIRT? - JPCERT/CC model

What is CSIRT? Why we need national POC?

Legal Understanding Language

Copyright 2008 JPCERT/CC All rights reserved.

Internet/Computer will help our activities in a cost-effective and efficient way

The Operator of Critical Infrastructure are concerned

There is NOT perfect system or user.

Possible intrusion/vulnerability in your and your constituency system !

Why Do I Need a CSIRT?

Cyber security Incident changes

Script Kiddies, Manias

Motivation: Specific. Stealing ID, money, information (e.g. Phishing, ID theft)

Copyright 2008 JPCERT/CC All rights reserved.

Multiple Disciplines Cooperation Motivation

So, What does a CSIRT do?

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Still other services

Copyright 2008 JPCERT/CC All rights reserved.

CSIRT Services Reactive

Any other service ?

Alerts and Warnings

http://www.cert.org/csirts/services.html CERT/CC Definition

Important things to define

Copyright 2008 JPCERT/CC All rights reserved.

Objective of Incident Response

Help to stop the attack

Contain the damage

JPCERT/CC National CSIRT Activities in Japan

General Information about JPCERT/CC

Copyright 2008 JPCERT/CC All rights reserved.

Copyright 2008 JPCERT/CC All rights reserved.

Recent Internet trend and JPCERT/CC

Traffic monitoring Vulnerability handling (2004) Watch & warning

Internet users (Japan) Broadband users (Japan)

5.7 million (1997)

46 million (2002) 13 million (2002)

70 million (2005) 38 million (2005)

JPCERT/CCs activities are fully funded and budgeted by METI