Future Role of National CSIRT - Cases in JPCERT/CC

Post on 09-Jan-2022


Future Role of National CSIRT

- Cases in JPCERT/CC -

Global Coordination Division, JPCERT/CC

20 June, 2016

Copyright©2016JPCERT/CC All rights reserved.

In the next hour (or more) I will talk about:

1. JPCERT/CC Overview, Incident Statistics

2. A Study on CSIRT Maturity Level


A few thoughts to begin with:

There is no perfect model for CSIRT

—Needs, situation etc. may vary in each country

What JPCERT/CC does is just an example

—No need to copy what we do

—Hope that it helps you to think about a model that suits your country/constituency

Some of the key roles as a National CSIRT

(other than incident handling):

—Leading role within your economy as a “coordination centre” for domestic CSIRTs (enterprise, academic, etc.) and other cyber security stakeholders

—Presence in regional/international communities as a “representative”: connections are key


What is a National CSIRT?

CERT/CC’s definition:

“A CSIRT with National Responsibility (or "National CSIRT") is a CSIRT that has been designated by a country or economy to have specific responsibilities in cyber protection for the country or economy. A National CSIRT can be inside or outside of government, but must be specifically recognized by the government as having responsibility in the country or economy.”

(https://www.cert.org/incident-management/national-csirts/)


Agenda

1. JPCERT/CC Overview, Incident Statistics

2. A Study on CSIRT Maturity Level

JPCERT/CC Activity Overview

Global Coordination Division, JPCERT/CC

• Who we are

• What we do

…just in case you’re not familiar with us

JPCERT/CC Updates

JPCERT/CC Organizational Structure

Incident Statistics

Other Services and Awareness-Raising


JPCERT/CC Introduction

Foundation

• October 1996

Number of staff

• About 70

Organization status

• An independent, non-profit organization

• Assigned by METI* as the vulnerability handling organization

*Ministry of Economy, Trade and Industry, Japan

JPCERT/CC Introduction

Constituency

• Internet users in Japan, mainly enterprises

• Service is mainly provided through technical staff with a high degree of professionalism (e.g. system administrators) in enterprises

JPCERT/CC Features

We are…

• an experienced CSIRT in Japan

• closely collaborating with local and global entities, and mainly providing service through technical staff with a high degree of professionalism in enterprises

• playing a prominent role in both the domestic and international information security community, such as APC, NCA, FIRST and APCERT

International and Regional Activities

Forum of Incident Response and Security Teams (FIRST)

• The first Japanese CSIRT to obtain membership

• Current Steering Committee Member

Asia Pacific Computer Emergency Response Team (APCERT)

• Founding member

• Current Steering Committee member

• Secretariat since its foundation

• Former Chair (2011-14)

-Global Collaboration among CERTs-

Communities shown in the figure: APCERT, EGC, ENISA, TF-CSIRT, OIC-CERT, AFNOG/AfriNIC/AfREN, APEC-TEL, ASEAN / ANSAC, GFIRST, GCC-CERT, FIRST, CLARA WG-CSIRT

JPCERT/CC and its stakeholders (figure)

Domestic stakeholders: Government, Internal CSIRTs, Vendors, Media, Users, Industrial Entities, Law Enforcement, ISPs, Associations

Activities toward domestic stakeholders:
・Incident Handling Coordination
・Vulnerability Handling
・Artifact Handling
・Publishing Security Alerts
・Education, Training
・Develop Security Tools
・Monitoring
・Detect Invasions
・Providing Security Information
・Information Analysis, etc.

Overseas stakeholders: FIRST, APCERT, Overseas CSIRTs, Other International CSIRT Communities, Vendors, ISPs

Activities toward overseas stakeholders:
・Incident Handling Coordination
・Vulnerability Handling
・Artifact Handling
・Alerts Publishing
・CSIRT capacity building training
・Drill
・Collaborative Activities (events)
・Information Sharing, etc.

JPCERT/CC - 3 Services and 6 Basic Activities -

Three services:

• Prevent: Vulnerability Information Handling (coordinate with developers on unknown vulnerability information; Secure Coding)

• Watch: Information gathering / analysis / sharing; Internet Traffic Monitoring (Alerts / Advisories)

• Respond: Incident Handling (mitigating the damage through efficient incident handling; information sharing to prevent similar incidents)

Six basic activities:

• Early Warning Information: Information sharing with critical infrastructure enterprises, etc.

• CSIRT Establishment Support: Capacity building for internal CSIRTs in enterprises / overseas national CSIRTs

• Industrial Control System Security: Activities to protect ICS, such as incident handling and information gathering/sharing

• Artifact Analysis: Analysis of attack methods / behavior of malware (unauthorized programs)

• Domestic Collaboration: Collaboration with various security communities in Japan

• International Collaboration: Collaboration with overseas organizations for smoother handling of incidents and vulnerabilities

INCIDENT STATISTICS


Number of Incident Reports Received at JPCERT/CC and Number of Incidents Coordinated by JPCERT/CC, per Japanese fiscal year (JFY). Values read from the two bar charts on the slide; the larger series is taken to be reports received, since every coordinated incident starts from at least one report.

JFY    Reports received    Incidents coordinated
2011    8,485                2,802
2012   20,019                5,606
2013   29,191                8,717
2014   22,255                9,684
2015   19,624                9,792

Breakdown of reported incidents

Abuse statistics for 2015 (Jan-Dec), share of reported incidents by category:

• Scan: 53.8%
• Website defacement: 17.2%
• Phishing: 11.8%
• Malware: 4.0%
• DoS: 0.8%
• Targeted attack: 0.8%
• ICS: 0.1%
• Other: 11.4%

Incident Handling Flow

The flow in the figure, reconstructed as steps:

1. Incident Report (request for countermeasure): the victim, an incident detector or another relevant party reports to JPCERT/CC.

2. Response: JPCERT/CC contacts the appropriate parties (ISP/ASP, system administrators, CSIRTs, etc.).

3. Countermeasure: the appropriate parties take action on the reported incident.

4. Feedback Report: the outcome is reported back to the reporter.

OTHER SERVICES AND AWARENESS RAISING

Network Packet Traffic Monitoring

TSUBAME Project

• Initiated and led by JPCERT/CC

• Internet traffic monitoring project observing various

scanning activities

• Sensors deployed in Asia Pacific region

(25 teams/21 economies participating as of January 2016)

• All observed data are visualized on TSUBAME portal.

• Analysis report is shared periodically.

• Annual TSUBAME Workshop is held in conjunction

with APCERT Annual General Meeting.

“Tsubame” is the Japanese word for swallow.

Features of TSUBAME

Common platform for CSIRTs in the AP region

• Data can be utilized for CSIRT operation*

*Reports can be publicly released under the condition that sensitive information, such as IP addresses, is not included.

Common data shared among member teams

• Data obtained from all sensors is available to all member teams

• Findings and analysis reports are shared through a mailing list and the annual workshop

• Sensors are placed on the “live network” (cf. dark network)

• Visualization of data

http://www.apcert.org/about/structure/tsubame-wg/
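The condition above, that shared output must not carry sensitive data such as IP addresses, is the kind of thing worth enforcing in code rather than by convention. The following is an added example, not JPCERT/CC or TSUBAME code: it takes constructed sensor observations of scanning activity (the four-field record layout and sensor names are assumptions made for illustration), aggregates them per destination port so that source addresses are counted but never copied into the result, and runs a release check that rejects any report text still containing an IPv4 literal.

```python
"""Added example (not JPCERT/CC or TSUBAME code): turn constructed sensor
observations of scanning activity into a summary that can be shared outside
the sensor owners, i.e. one that contains no IP addresses.
The record layout "timestamp,sensor_id,src_ip,dst_port" is an assumption."""
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample data, one line per TCP SYN seen by a sensor.
# Addresses are from the documentation ranges; this is not real sensor data.
SAMPLE_OBSERVATIONS = """\
2016-06-20T00:01:12Z,sensor-jp-01,203.0.113.5,23
2016-06-20T00:01:13Z,sensor-jp-01,203.0.113.5,2323
2016-06-20T00:02:40Z,sensor-th-02,198.51.100.77,23
2016-06-20T00:03:01Z,sensor-jp-01,198.51.100.77,445
2016-06-20T00:05:55Z,sensor-id-03,192.0.2.9,445
2016-06-20T00:06:10Z,sensor-id-03,192.0.2.9,445
2016-06-20T00:07:00Z,sensor-th-02,203.0.113.5,23
"""

# Dotted-quad literal; used as the final release gate on rendered text.
IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_observations(text):
    """Parse CSV lines into records. Lines with the wrong field count,
    an unparsable address or a non-numeric port are skipped, not guessed."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, sensor, src, port = parts
        try:
            ipaddress.ip_address(src)
            port = int(port)
        except ValueError:
            continue
        records.append({"ts": ts, "sensor": sensor, "src": src, "port": port})
    return records


def summarise(records):
    """Aggregate per destination port: hit count, number of distinct sources,
    and which sensors saw it. Source addresses never leave this function."""
    hits = Counter()
    sources = defaultdict(set)
    sensors = defaultdict(set)
    for r in records:
        hits[r["port"]] += 1
        sources[r["port"]].add(r["src"])
        sensors[r["port"]].add(r["sensor"])
    return {
        port: {
            "hits": hits[port],
            "distinct_sources": len(sources[port]),
            "sensors": sorted(sensors[port]),
        }
        for port in hits
    }


def render_report(summary):
    """Plain-text report, most-hit port first, ties broken by port number."""
    lines = ["dst_port  hits  distinct_sources  sensors"]
    for port, s in sorted(summary.items(), key=lambda kv: (-kv[1]["hits"], kv[0])):
        lines.append(
            f"{port:<8}  {s['hits']:<4}  {s['distinct_sources']:<16}  "
            + ",".join(s["sensors"])
        )
    return "\n".join(lines)


def is_releasable(report_text):
    """Release gate: refuse any report that still contains an IPv4 literal."""
    return IPV4_LITERAL.search(report_text) is None


if __name__ == "__main__":
    report = render_report(summarise(parse_observations(SAMPLE_OBSERVATIONS)))
    assert is_releasable(report)
    print(report)
```

The aggregation is what makes the output shareable; the regex gate is only a last line of defence against a later edit that starts emitting raw fields, and it would need a second pattern if sensors ever report IPv6 sources.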


Alerts and Advisories

Security Alerts

• Countermeasures for incidents with high impact

• Issued as necessary (about 20-30 per year on average)

Early Warning Information

• Security alerts with confidentiality

• For critical infrastructure entities

• Issued when necessary

Vulnerability Information

• Provided via portal site (JVN)

• Issued when necessary

Analyst Note

• Useful security information gathered by analysts

• Issued every working day


Open Publication from JPCERT/CC

JVN – Japan Vulnerability Notes

• jvn.jp/en/

• Issued when necessary

Security Alerts

• https://www.jpcert.or.jp/english/at/2014.html

• Countermeasures for incidents with high impact

• Issued as necessary (about 20-30 per year on average)

English Blog

• JPCERT/CC activities and security trends

• blog.jpcert.or.jp

Twitter

• Blog and security alert updates

• @jpcert_en


Control System Security Awareness Building

ICS (Industrial Control System) :

“System which controls and manages other devices or

systems”

• Electric power grid, gas, water supply and sewerage

• Traffic and transportation

• Environmental monitoring

• Manufacturing facilities in plants…etc.


Control System Security Awareness Building

What JPCERT/CC does for ICS Security:

• Incident and vulnerability handling operation to ICSs in

Japan

• Annual technical conference on ICS security

• Information sharing opportunities for ICS engineers

• Bimonthly newsletter (in Japanese)

• Citation of major global news on ICS security

• Summary of ICS-CERT advisories and alerts

• Distribution of ICS security assessment tool “SSAT”

• Simple MS/Excel-based tool for asset owners to assess their

level of ICS security

• Originally developed by CPNI*1 in U.K.

*1 : Centre for the Protection of National Infrastructure (CPNI)


Vulnerability Handling

Vulnerability: A weakness in a product which may allow an attacker to reduce a system's security.

JPCERT/CC is assigned by the Ministry of Economy, Trade and Industry (METI) to coordinate and communicate with vendors on vulnerability disclosures. (Announcement #235)

Information published on JVN (https://jvn.jp/en/)

In 2010, JPCERT/CC was approved by the MITRE Corporation*1 as CNA (CVE*2 Numbering Authority).

*1 An American not-for-profit organization

*2 Common Vulnerabilities and Exposures


Vulnerability Handling Flow (figure, reconstructed)

• Reporters (domestic): end users, corporate users, system integrators, ISPs, retail outlets, media

• Reports go to JPCERT/CC and IPA, which coordinate with the various developers and publish the result on JVN

• Overseas coordination centers: CERT/CC (US), CPNI (UK), NCSC-FI; reporters overseas reach Japanese developers through these centers and JPCERT/CC, and Japanese reporters reach overseas developers the same way

Artifact (Malware) Analysis

What is malware?

Malicious Software

• Broader in concept than a computer virus

• Virus, Worm, Trojan Horse, Rootkit, Bot, DoS Tool,

Exploit kit, Spyware

Why do CSIRTs need Malware Analysis?

• To utilize analysis results for CSIRT’s basic activities

• To verify public information (it could be wrong)

• To keep up on attack trends

• To evaluate threats


Secure Coding Awareness Building

Why do we need secure coding?

• Vulnerabilities exist in IT products

• Products should be secure from the coding process onward

In which programming languages?

• C/C++

• Java

• Android

JPCERT/CC recently translated materials originally composed by CERT/CC.

Seminars are conducted in Japan and overseas to:

• Help engineers to understand vulnerabilities and attack mechanisms

• Help engineers to learn useful examples of actual secure coding methods and how to study further

Capacity Building for Overseas CSIRTs

CSIRT Development Training (On-site)

• Cambodia (’07, ’08), Indonesia (’10, ’14), Lao (’07, ’09, ’12, ’13, ’14), Mongolia (’09, ’13, ’14), Myanmar (’07, ’11x2, ’12x2, ’15), Qatar (’06), Thailand (’12, ’14x3), Vietnam (’10x2)

• Pacific Islands (PacCERT) ’11 - ’12

• Africa (AfricaCERT) ’10 - (ongoing)

C/C++ Secure Coding Seminar

• India(’10), Indonesia(’09,’11,‘13), Philippines(’10),

Thailand(’09,’11), Vietnam(’10)

Java Secure Coding Seminar

• Indonesia(’12), Thailand(’12,‘15)

Android Secure Coding Seminar

• Thailand(’12,’15), India (‘14)

TSUBAME

• Workshop @APCERT AGM ‘09 – (ongoing)

• Indonesia (’14), Laos (‘14), Sri Lanka (‘14)

AOTS Information Security Training in Tokyo for ASEAN countries (’08 -’11)

Training for HIDA (The Overseas Human Resources and Development Association) (‘14,’15)

Information security training for ASEAN countries as part of the ASEAN-Japan Information Security Training in Tokyo, organized and hosted by NISC (’11)


JPCERT/CC English Blog

http://blog.jpcert.or.jp/

Recent

Conferences/Trainings

participation

Publication

announcement

(reports/tools)

Technical

Trends/Observation


Agenda

1. JPCERT/CC Overview, Incident Statistics

2. A Study on CSIRT Maturity Level

• Situation around corporate CSIRTs in Japan

• Gives you some hints on CSIRTs

CSIRT against Cyber Attacks - Necessity of Emergency Response -

Watch and Warning Group, JPCERT/CC

Topics

The number of cyber attacks is increasing, since attackers can gain economic benefit from cyber attacks

—Phishing, Banking fraud with Trojan

Attack methods are becoming more and more sophisticated with the increase of cyber attacks

What should enterprises/organizations prepare against cyber attacks?

This presentation aims to provide you with some hints on necessary functions for a CSIRT (Computer Security Incident Response Team)


Categories of cyber attackers

Based on their purpose, attackers can be categorized into 3 groups.

Attacking techniques and skill level differ among the groups.

For fun/hacktivists (technique level: LOW)
• Attack purposes: political appeal; showing off techniques
• Main attack methods: DoS (Denial of Service) attacks on websites; website defacement for political appeal; taking over SNS accounts

For financial purposes
• Attack purposes: obtaining money (unauthorized money transfer)
• Main attack methods: malware distribution through defaced websites; sending malware-attached emails

For targeted attacks (technique level: HIGH)
• Attack purposes: stealing information from, or destroying the systems of, target organizations
• Main attack methods: distributing malware at defaced websites (only to targeted users)

Categorized by JPCERT/CC Watch and Warning Group

Detecting intrusion and preparation

There are limits to preventing intrusion into an organization’s network:

— Intrusion happens not only through emails but also by viewing a website

— Attacks leverage 0day vulnerabilities

— Employees lack security knowledge and make human errors

— Security software has limited ability to detect suspicious communication

Actions AFTER detecting intrusions are also

important:

- Adequate logs saved from individual

devices?

- Any system to detect intrusion afterwards?

- Important information assets securely

separated?

- Procedures in handling incidents?

Defense Side

Business is the first priority (not security) in enterprises

The marginal effect of security investment is diminishing (there is no PERFECT solution for cyber security)

Management needs to know the balance between profit and investment

(Figure: effect of security investment, from 0% to 100%, flattening as investment grows)

Against Cyber attack

To reduce the cost of cyber security, “Information Sharing” is efficient

Sophisticated attacks are not preventable, so we should focus on quick detection and response

With the increase of cyber security incidents in recent years, a large number of companies and organisations in Japan have launched a CSIRT.

** CSIRT (Computer Security Incident Response Team)

The Nippon CSIRT Association (NCA) now has 120 members (as of January 2016)

What is a “CSIRT”?

CSIRT (Computer Security Incident Response Team)

— CERT/CC (USA): the first CSIRT in the world, established in 1988

— An organization whose main service is cyber incident handling

CSIRTs can be categorized as follows:

1. “Internal CSIRTs” dealing with security problems within organizations (e.g. corporations, universities, ministries)

2. “Vendor CSIRTs” which provide services for their product users

3. “POC/National CSIRTs” acting as point of contact for global coordination

(Figure: inside Company A and Company B, an Internal CSIRT sits between Management and Dept. A / Dept. B; domestically, the National CSIRT links the internal CSIRTs of the companies; overseas, the National CSIRT is the point of contact for external organizations.)

Survey on CSIRT

NCA members come from a wide range of industries, from manufacturing (TOYOTA, Panasonic, Fujitsu, etc.) and construction (Taisei) to hotels (Imperial Hotel) and electric power (HAMA-CSIRT).

Since there are CSIRTs from diverse sectors, the definition of “CSIRT activities” is becoming unclear, and there are some “CSIRTs in name only”, which do not possess enough functions to be a Computer Security Incident Response Team.

In the "Cybersecurity Strategy" published by NISC in Japan, enterprises are encouraged to create and operate a CSIRT.

Fig. Number of NCA members (growth series read from the chart; year labels not recovered): 6, 13, 15, 17, 27, 31, 47, 69, 112

What is a “CSIRT”?

Range of CSIRT Services by CERT/CC, CMU (figure not reproduced in the transcript)

Background of CSIRT Maturity Level Survey

In order to examine the current situation in CSIRT activities,

JPCERT/CC, NCA and the University of Tokyo jointly conducted a

survey based on SIM3, CERT/CC’s material and other original

questions.

SIM3(Security Incident Management Maturity Model)

https://www.terena.org/activities/tf-csirt/publications/SIM3-v15.pdf

SIM3 consists of 4 parts:

— Organization

— Human

— Tool

— Process


CSIRT’s scale and organization overview

3-3. How many members does your CSIRT have now?

• 1 - 4 members: 14%
• 5 - 9 members: 47%
• 10 - 19 members: 28%
• more than 20 members: 8%
• 3% (category label not recovered from the chart)

With the increase of cyber security incidents in recent years, the number of members in each CSIRT is also increasing. Small CSIRTs with four or fewer members are only 14% of the total.

Also, more than 30% of the organizations have a security-dedicated department, which shows the tendency to enhance the security function.

Notification from external parties

2-4. Did you receive any notification from external parties after launching the CSIRT?

• Related to vulnerabilities in web services: 27%
• Related to product vulnerabilities: 17%
• Related to incidents: 31%
• Others: 8%
• Not received: 17%

2-4-1. Who did you receive the notification(s) from?

• Security vendors: 18%
• Information-technology Promotion Agency, Japan (IPA): 16%
• General users: 20%
• JPCERT/CC: 31%
• Others: 15%

Most CSIRTs have received some sort of notification from external parties: more than 80% of the participants. This result strongly supports the view that CSIRTs are in great demand.

Information Sharing

2-5. Are you a part of any information sharing group related to cyber attacks?

• Yes: 100%
• No: 0%

2-6. What format do you usually use for information sharing?

• Text format: 93%
• Open IOC: 0%
• STIX/TAXII: 4%
• Others: 3%

All of the participants share information externally.

Text format is mostly preferred, while STIX/TAXII is not yet common.

SOC operation

2-14. Do you have a monitoring operation run by a SOC?

• Yes: 73%
• No: 27%

2-14-2. If yes, how is the SOC being managed?

• By our own organization: 49%
• By our group company: 18%
• Outsourced: 33%

Surprisingly, more than 70% of participants have a SOC function. In addition, about half of these SOCs are managed by the organization itself.

Skill set

3-4. Do you define any skill set that is required for a CSIRT member?

• It is defined, documented and approved by the CISO. Furthermore, our operation is audited against the documents: 3%
• It is defined, documented and approved by the CISO: 8%
• It is defined and documented but not officially approved: 8%
• There are some benchmarks, but it is not documented: 42%
• There is no definition set, and we consider it as and when necessary: 39%

80% of participants lack documentation of the skill set required for CSIRT resources.

Range of CSIRT Service

2-9. What kind of service does your CSIRT provide? And is it operated in-house or outsourced?

Incident Handling
• mainly in-house: 54%
• half in-house / half outsourcing: 31%
• mainly outsourcing: 0%
• CSIRT does not provide: 15%

Malware Analysis
• mainly in-house: 28%
• half in-house / half outsourcing: 9%
• mainly outsourcing: 26%
• CSIRT does not provide: 37%

Forensics
• mainly in-house: 25%
• half in-house / half outsourcing: 12%
• mainly outsourcing: 21%
• CSIRT does not provide: 42%

Vulnerability Handling
• mainly in-house: 54%
• half in-house / half outsourcing: 20%
• mainly outsourcing: 6%
• CSIRT does not provide: 20%

Compared to management services such as “Incident Handling”, technical services tend to be outsourced.

Through NCA’s activities and the survey:

Enterprise CSIRTs are in great demand in Japan

JPCERT/CC, as Secretariat of the Nippon CSIRT Association, helps local enterprises establish CSIRTs

The operation and capabilities of existing CSIRTs still vary