Dealing with network security incidents Fundamentals of network security Part III - PowerPoint PPT Presentation
1
Dealing with network security incidents / Fundamentals of network security / Part III
  • Gorazd Božič, gorazd.bozic@arnes.si, ARNES,
    Academic and Research Network of
    Slovenia, SI-CERT, Slovenian Computer Emergency
    Response Team
  • CEENet Workshop, August 2000, Budapest, Hungary

2
Questions raised after the incident
  • what measures to take after the incident?
  • whom do we report to?
  • were others also affected, and how do we notify
    them?
  • do we want law enforcement involved, and if
    so, whom do we contact?

3
Measures to take
  • collect the evidence; if necessary, do a full
    backup of the compromised hosts
  • decide on follow-up actions
  • block further attempts by the intruders and
    sanitise the compromised hosts
  • monitor the intruders' activities, preferably by
    setting up a restricted fake environment
  • report the incident

4
What is an Incident Response Team (IRT)?
  • a well-known contact point
  • a source of knowledge for security issues
  • incident coordinator
  • relay service for incident reports
  • the service is also known as CERT - Computer Emergency
    Response Team

5
Historical view
  • 1988: the Internet Worm leads to the formation of the
    Computer Emergency Response Team (now CERT/CC)
  • 1990s: emergence of other CERTs (AUSCERT and
    European national CERTs)
  • 1990: FIRST - Forum of Incident Response and
    Security Teams
  • 1997: start of the EuroCERT project

6
Roles of an IRT
  • assist in incident resolution
  • coordinate between victim and source sites
  • distribute information on known vulnerabilities

7
Do you need an IRT?
  • national ISP: yes! (local issues, helping the
    constituency directly, the same time zone)
  • large organisation: maybe
  • small network: probably not

8
Existing IRTs and associations
  • CERT Coordination Center
  • CIAC, Computer Incident Advisory Capability
  • ASSIST (US Department of Defense)
  • AUSCERT, Australian CERT
  • FIRST, Forum of Incident Response and Security
    Teams
  • national European CERTs

9
Establishing an IRT
  • define what you will and will not do
  • define whom you will do it for (what is your
    constituency)
  • seek contacts with other IRTs and law enforcement
    agencies

10
Defining goals
  • raising the level of security
  • quick resolution of incidents
  • forming a bigger picture
  • assisting victim sites/networks with expertise

11
Defining what you will (not) do
  • dealing with intrusions
  • relaying reports
  • giving advice on security issues
  • on-site assistance
  • determining active measures
  • investigating abuse

12
Availability
  • working hours
  • additional ad-hoc coverage during non-working
    hours
  • paging service
  • around the clock availability
  • on-site inspections

13
Scope of work
  • which platforms will you cover
  • which types of incidents
  • research on vulnerabilities
  • standalone projects (hardware and software
    evaluations, testing hosts and networks, securing
    specific sites, ...)

14
Defining constituency
  • by parent ISP organisation
  • by geographical/national criteria
  • by organisational criteria
  • the question of constituency is tied to the community
    that will fund the IRT

15
Help others, too
  • security issues are in the best interest of
    everybody
  • if the victim site is part of another IRT's
    constituency, direct them to their own IRT
  • otherwise, provide at least minimal help

16
Promote your activities
  • inform your constituency
  • let yourself be known to other IRTs
  • be visible in public
  • establish trust

17
Communicating with your constituency
  • guarantee non-disclosure of information
  • give feedback on incident resolution progress
  • don't interfere with sites' security policies,
    but offer advice

18
Communicating with other IRTs
  • present yourself on the Web
  • submit your information to European CERT
    coordination effort (Terena TF-CSIRT)
  • use encryption when needed (PGP)
  • get your team's PGP key signed by other IRTs (key
    signing parties at conferences)

19
Communicating with law enforcement
  • law enforcement will probably be unprepared for
    dealing with computer crime
  • find the proper department that understands the
    basic issues
  • ask them for advice about local law
  • assist them willingly, but don't let them abuse your
    availability

20
Be patient
  • don't be discouraged when reports don't start
    appearing immediately
  • readily accept criticism
  • admit your mistakes and update your procedures
    accordingly
  • take time to update your technical knowledge

21
Be careful
  • are you sure you're not talking to the intruder?
  • are reports real, or are they a hoax?
  • what information will you disclose to whom?
  • are your archives safe?

22
Useful links
  • European CERT coordination (Terena TF-CSIRT):
    http://www.terena.nl/cert/
  • CERT/CC: http://www.cert.org/
  • AusCERT: http://www.auscert.org.au/Information/Auscert_info/papers.html

23
Conclusion
  • an incident response service is an essential
    higher-level service for national (and other
    large) networks
  • incident coordination helps in determining the scale
    of specific attacks
  • an IRT's operation differs from the operation of law
    enforcement agencies - it is Internet-specific