Date posted: 08-May-2015
Category: Technology
Uploaded by: directorate-of-information-security-ditjen-aptika
Ministry of Science, Technology and Innovation
Computer Emergency Response Team Co-ordination Centre (CERT/CC)
Adli Wahid
VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
E: [email protected] T: adliwahid
Agenda
• Concepts
• The Case of a CERT/CC
• MyCERT Case Study
• Conclusion
Incident Response and Handling
• Incident Response is all of the technical components required in order to analyze and contain an incident.
– Required skills, i.e. networking and log analysis, computer forensics, malware reverse engineering
• Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
– Goals: protect and restore
Objectives of Incident Handling
1. To mitigate or reduce risks associated with an incident
2. To respond to all incidents and suspected incidents based on a pre-determined process
3. Provide unbiased investigations of all incidents
4. Establish a 24x7 hotline/contact to enable effective reporting of incidents
5. Control and contain an incident
– Affected systems return to normal operation
– Recommend solutions
6 Steps Of Incident Handling
[Diagram: six numbered steps of incident handling; steps legible in the extracted text: Preparation, Eradication]
CERT/CSIRTs
• Components
– Constituency
– Mission
– Organization
– Funding
– Services
– Policies and Procedures
• This requires a TEAM
CERTs/CSIRTs Services
Reactive
1. Incident Response and Handling
2. Advisories
Proactive
1. Watch and Warn / Threat Monitoring
2. Research and Development
3. Training and Outreach/Awareness
4. Cyber Security Crisis
THE CASE FOR A CERT/CC
Good vs Evil
Law Enforcement, Providers, CSIRTs, Sys Admins
VS
Criminals, Spammers, Bot Herders, Phishers
Motivation of a National CSIRT
• Point of contact for incident reporting
– National (Trusted) PoC for Internal & External reporting
– Incident co-ordination (with LEs, other CERTs/CSIRTs)
– Collaboration & Intel Exchange
• Situational Awareness
• Improving laws and regulations
• Provide assistance to Internet users
• Protection of Critical Infrastructure
Different types of Incidents
• The ‘Usual’ Stuff
– Malware
– Denial of Service
– Online Fraud/Scams
– Identity Theft
• Cyber Crisis
– Anonymous Attack
– APT / Targeted Attacks
– Global Outbreaks
Handling Local Banks Phishing Incidents
• Things to do
– Prevent people from visiting the phishing site
• Remove
• Block
– Recover stolen credentials
• Email account
• Database
– Assist victim to make reports
– Co-ordinate with Bank and Law Enforcement
– Detect phishing sites faster
• Do it yourself or get others to feed you
Issues & Challenges
• Mandate & Constituencies
– Who should ‘report’ to ‘whom’
– Who should handle what
• End-to-End Resolution
– I have reported the incident, can we catch the bad guy? Can I have my money back?
– One stop centre
MYCERT
[Diagram: three MyCERT functions: Incident Handling / Cyber999, Malware Research Centre, Co-ordination Centre]
• MyCERT was established in 1997; deals mostly with technical teams, CSIRTs, LEs
• Cyber999 launched in 2008, allows all to report to MyCERT
• A lot of incidents were affecting Internet users at large
– Phishing, Malware (botnets), Online Fraud, Harassment
• Cyber999 provides a one stop centre for incident reporting
• Launched in 2009
• Previously a ‘watch and warn’ or ‘early warning function’
• Specializes in malware analysis / tracking
• Activities
– Operates the distributed honeynet project
– Produces tools / services
– Executes the national cyber security exercise
– Issues advisories and alerts, special reports
Tools from our Lab
• DNSWatch
• MyPHPIPS
http://www.mycert.org.my/en/resources/security_tools/main/main/detail/768/index.html
National Cyber Crisis Exercise (X-Maya)
• Led by the National Security Council since 2008
• Improve readiness and situational awareness among CNII agencies
– National Threat Level
– Reporting structure in a crisis
• CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players
Conclusion
• Central co-ordination point is critical
• Helps drive other national level initiatives, i.e. awareness, training, critical infrastructure protection, certification programmes
• Working together is the best way forward
Questions
• CyberSecurity Malaysia: http://www.cybersecurity.my
• MyCERT: http://www.mycert.org.my
• Email: [email protected]
• Twitter: adliwahid