Future Role of National CSIRT
- Cases in JPCERT/CC -
Global Coordination Division, JPCERT/CC
20 June, 2016
Copyright©2016JPCERT/CC All rights reserved.
In the next hour (or more) I will talk about:
1. JPCERT/CC Overview, Incident Statistics
2. A Study on CSIRT Maturity Level
A few thoughts to begin with:
There is no perfect model for CSIRT
—Needs, situation etc. may vary in each country
What JPCERT/CC does is just an example
—No need to copy what we do
—Hope that it helps you to think about a model that suits your country/constituency
Some of the key roles of a National CSIRT (other than incident handling):
—Leading role within your economy as a “coordination centre” of domestic CSIRTs (enterprise/academic etc.) and other stakeholders in cyber security
—Presence in regional/international communities as a “representative”: connection is key
What is a National CSIRT?
CERT/CC’s definition
“A CSIRT with National Responsibility (or "National CSIRT") is a CSIRT that has been designated by a country or economy to have specific responsibilities in cyber protection for the country or economy. A National CSIRT can be inside or outside of government, but must be specifically recognized by the government as having responsibility in the country or economy.”
(https://www.cert.org/incident-management/national-csirts/)
Agenda
1. JPCERT/CC Overview, Incident Statistics
2. A Study on CSIRT Maturity Level
JPCERT/CC Activity Overview
JPCERT/CC Global Coordination Division
• Who we are
• What we do
… just in case you’re not familiar with us
JPCERT/CC Updates
JPCERT/CC Organizational Structure
Incident Statistics
Other Services and Awareness-Raising
JPCERT/CC Introduction
Foundation
• October, 1996
Number of Staff
• About 70
Organization status
• An independent, non-profit organization
• Assigned by METI* as the vulnerability handling organization
*Ministry of Economy, Trade and Industry, Japan
JPCERT/CC Introduction
Constituency
• Internet users in Japan, mainly enterprises
• Services are mainly provided through technical staff with a high degree of professionalism (e.g. system administrators) in enterprises
JPCERT/CC Features
We are…
the experienced CSIRT in Japan,
closely collaborating with local and global entities and mainly providing services through technical staff with a high degree of professionalism in enterprises,
playing a prominent role within both the domestic and international information security community, such as APC, NCA, FIRST and APCERT
International and Regional Activities
Forum of Incident Response and Security Teams (FIRST)
• The first Japanese CSIRT to obtain membership
• Current Steering Committee Member
Asia Pacific Computer Emergency Response Team (APCERT)
• Founding member
• Current Steering Committee member
• Secretariat since its foundation
• Former Chair (2011-14)
- Global Collaboration among CERTs -
[Map: CSIRT communities JPCERT/CC collaborates with]
APCERT
EGC
ENISA
TF-CSIRT
OIC-CERT
AFNOG/AfriNIC/AfREN
APEC-TEL
ASEAN / ANSAC
GFIRST
GCC-CERT
FIRST
CLARA WG-CSIRT
[Figure: JPCERT/CC as a coordination centre between domestic and overseas stakeholders]
Domestic stakeholders: Government, Internal CSIRTs, Vendors, Media, Users, Industrial Entities, Law Enforcement, ISPs, Associations
Domestic activities:
・Incident Handling Coordination
・Vulnerability Handling
・Artifact Handling
・Publishing Security Alerts
・Education, Training
・Developing Security Tools
・Monitoring
・Detecting Intrusions
・Providing Security Information
・Information Analysis, etc.
Overseas stakeholders: FIRST, APCERT, Overseas CSIRTs, Other International CSIRT Communities, Vendors, ISPs
Overseas activities:
・Incident Handling Coordination
・Vulnerability Handling
・Artifact Handling
・Alerts Publishing
・CSIRT Capacity Building Training
・Drills
・Collaborative Activities (events)
・Information Sharing, etc.
JPCERT/CC - 3 Services and 6 Basic Activities -
3 Services:
Prevent - Vulnerability Information Handling (coordinating with developers on unknown vulnerability information; Secure Coding)
Watch - Information gathering / analysis / sharing; Internet Traffic Monitoring (information sharing to prevent similar incidents; Alerts / Advisories)
Respond - Incident Handling (mitigating the damage through efficient incident handling)
6 Basic Activities:
Early Warning Information: Information sharing with critical infrastructure enterprises, etc.
CSIRT Establishment Support: Capacity building for internal CSIRTs in enterprises / overseas national CSIRTs
Industrial Control System Security: Activities to protect ICS, such as incident handling and information gathering/sharing
Artifact Analysis: Analysis of attack methods / behaviour of malware (unauthorized programs)
Domestic Collaboration: Collaboration with various security communities in Japan
International Collaboration: Collaboration with overseas organizations for smoother handling of incidents and vulnerabilities
INCIDENT STATISTICS
Number of Reported Incidents (JFY)
[Charts: Number of Incident Reports Received at JPCERT/CC; Number of Incidents Coordinated by JPCERT/CC]
JFY                          2011    2012    2013    2014    2015
Incident reports received    8485   20019   29191   22255   19624
Incidents coordinated        2802    5606    8717    9684    9792
Breakdown of reported incidents: Abuse Statistics of 2015 (Jan - Dec)
Scan: 53.8%
Website defacement: 17.2%
Phishing: 11.8%
Other: 11.4%
Malware: 4.0%
DoS: 0.8%
Targeted attack: 0.8%
ICS: 0.1%
Incident Handling Flow
[Diagram]
1. Incident Report (request for countermeasure) sent to JPCERT/CC by the victim, incident detectors, relevant parties, etc.
2. JPCERT/CC requests a countermeasure from the appropriate parties (ISP/ASP, system administrators, CSIRTs, etc.)
3. Response from the appropriate parties
4. Feedback Report to the reporter
OTHER SERVICES AND AWARENESS RAISING
Network Packet Traffic Monitoring
TSUBAME Project
• Initiated and led by JPCERT/CC
• Internet traffic monitoring project observing various scanning activities
• Sensors deployed in the Asia Pacific region (25 teams / 21 economies participating as of January 2016)
• All observed data are visualized on the TSUBAME portal.
• Analysis reports are shared periodically.
• Annual TSUBAME Workshop is held in conjunction with the APCERT Annual General Meeting.
(“Tsubame” is Japanese for “swallow”.)
Features of TSUBAME
Common platform for CSIRTs in the AP region
—Data can be utilized for CSIRT operation*
*Reports can be publicly released on the condition that sensitive information, such as IP addresses, is not included.
Common data shared among member teams
—Data obtained from all sensors is available to all member teams
—Findings and analysis reports are shared through a mailing list and the annual workshop
Sensors are put on the “live network” (cf. dark network)
Visualization of data
http://www.apcert.org/about/structure/tsubame-wg/
Alerts and Advisories
Security Alerts
• Countermeasures for incidents with high impact
• Issued as necessary (about 20-30/year on average)
Early Warning Information
• Security alerts with confidentiality
• For critical infrastructure entities
• Issued when necessary
Vulnerability Information
• Provided via portal site (JVN)
• Issued when necessary
Analyst Note
• Useful security information gathered by analysts
• Issued every working day
Open Publication from JPCERT/CC
JVN – Japan Vulnerability Notes
• jvn.jp/en/
• Issued when necessary
Security Alerts
• https://www.jpcert.or.jp/english/at/2014.html
• Countermeasures for incidents with high impact
• Issued as necessary (about 20-30/year on average)
English Blog
• JPCERT/CC activities and security trends
• blog.jpcert.or.jp
• Blog and security alert updates
• @jpcert_en
Control System Security Awareness Building
ICS (Industrial Control System) :
“System which controls and manages other devices or
systems”
• Electric power grid, gas, water supply and sewerage
• Traffic and transportation
• Environmental monitoring
• Manufacturing facilities in plants…etc.
Control System Security Awareness Building
What JPCERT/CC does for ICS Security:
• Incident and vulnerability handling operations for ICSs in Japan
• Annual technical conference on ICS security
• Information sharing opportunities for ICS engineers
• Bimonthly newsletter (in Japanese)
• Citation of major global news on ICS security
• Summary of ICS-CERT advisories and alerts
• Distribution of the ICS security assessment tool “SSAT”
• Simple MS Excel-based tool for asset owners to assess their level of ICS security
• Originally developed by CPNI*1 in the U.K.
*1 : Centre for the Protection of National Infrastructure (CPNI)
Vulnerability Handling
Vulnerability: A weakness in a product which may allow an attacker to reduce a system's security.
JPCERT/CC is assigned by the Ministry of Economy, Trade and Industry (METI) to coordinate and communicate with vendors on vulnerability disclosures. (Announcement #235)
Information published on JVN (https://jvn.jp/en/)
In 2010, JPCERT/CC was approved by the MITRE Corporation*1 as a CNA (CVE*2 Numbering Authority).
*1 An American not-for-profit organization
*2 Common Vulnerabilities and Exposures
Vulnerability Handling Flow
[Diagram]
Japan: Reporters (domestic: end users, corporate users, system integrators, ISPs, retail outlets, media) report to JPCERT/CC and IPA, which coordinate with the various developers and publish on JVN.
Overseas: Reporters (overseas) and overseas coordination centers (CERT/CC (US), CPNI (UK), NCSC-FI) coordinate with JPCERT/CC.
Artifact (Malware) Analysis
What is malware?
Malicious Software
• Broader in concept than a computer virus
• Virus, Worm, Trojan Horse, Rootkit, Bot, DoS Tool,
Exploit kit, Spyware
Why do CSIRTs need Malware Analysis?
• To utilize analysis results for CSIRT’s basic activities
• To verify public information (it could be wrong)
• To keep up on attack trends
• To evaluate threats
Secure Coding Awareness Building
Why do we need secure coding?
• Vulnerabilities exist in IT products
• Products should be made secure from the coding process onward
In which programming languages?
• C/C++
• Java
• Android
JPCERT/CC recently translated materials originally composed by CERT/CC.
Seminars are conducted in Japan and overseas to:
• Help engineers understand vulnerabilities and attack mechanisms
• Help engineers learn useful examples of actual secure coding methods and how to study further
Capacity Building for Overseas CSIRTs
CSIRT Development Training (On-site)
• Cambodia (’07, ’08), Indonesia (’10, ’14), Lao (’07, ’09, ’12, ’13, ’14), Mongolia (’09, ’13, ’14), Myanmar (’07, ’11x2, ’12x2, ’15), Qatar (’06), Thailand (’12, ’14x3), Vietnam (’10x2)
• Pacific Islands (PacCERT) ’11 - ’12
• Africa (AfricaCERT) ’10 - (ongoing)
C/C++ Secure Coding Seminar
• India (’10), Indonesia (’09, ’11, ’13), Philippines (’10), Thailand (’09, ’11), Vietnam (’10)
Java Secure Coding Seminar
• Indonesia (’12), Thailand (’12, ’15)
Android Secure Coding Seminar
• Thailand (’12, ’15), India (’14)
TSUBAME
• Workshop @ APCERT AGM ’09 - (ongoing)
• Indonesia (’14), Laos (’14), Sri Lanka (’14)
AOTS Information Security Training in Tokyo for ASEAN countries (’08 - ’11)
Training for HIDA (The Overseas Human Resources and Development Association) (’14, ’15)
Information security training for ASEAN countries as part of the ASEAN-Japan Information Security Training in Tokyo, organized and hosted by NISC (’11)
JPCERT/CC English Blog
http://blog.jpcert.or.jp/
• Recent conferences/trainings participation
• Publication announcements (reports/tools)
• Technical trends/observations
Agenda
1. JPCERT/CC Overview, Incident Statistics
2. A Study on CSIRT Maturity Level
CSIRT against Cyber Attacks - Necessity of Emergency Response -
Watch and Warning Group
• Situation around corporate CSIRTs in Japan
• Gives you some hints on CSIRTs
Topics
The number of cyber attacks is increasing, since attackers can gain economic benefit from cyber attacks
—Phishing, banking fraud with Trojans
Attack methods are becoming more and more sophisticated as cyber attacks increase
What should enterprises/organizations prepare against cyber attacks?
This presentation aims to provide you with some hints on the necessary functions of a CSIRT (Computer Security Incident Response Team)
Categories of cyber attackers
Based on the purpose of the attackers, attackers can be categorized into 3 groups.
Attacking techniques and skill level differ among the groups.
For fun / hacktivists
- Attack purposes: political appeal; showing off techniques
- Main attack methods: DoS (Denial of Service) attacks on websites; website defacement for political appeal; taking over SNS accounts
For financial purposes
- Attack purposes: obtaining money (unauthorized money transfer)
- Main attack methods: malware distribution caused by website defacement
For targeted attacks
- Attack purposes: stealing information from, or system destruction of, target organizations
- Main attack methods: sending malware-attached emails; distributing malware at defaced websites (only to targeted users)
Technique level: rises from LOW (for fun / hacktivists) to HIGH (targeted attacks)
Categorized by JPCERT/CC Watch and Warning Group
Detecting intrusion and preparation
There are limits to preventing intrusion into an organization’s network:
— Intrusion not only through emails but also through viewing a website
— Attacks leveraging 0-day vulnerabilities
— Employees’ lack of security knowledge, human errors
— Limits to security software’s ability to detect suspicious communication
Actions AFTER detecting intrusions are also important:
- Are adequate logs saved from individual devices?
- Is there any system to detect an intrusion afterwards?
- Are important information assets securely separated?
- Are there procedures for handling incidents?
Defense Side
Business is the first priority (not security) in enterprises
The marginal effect of security investment is diminishing
(There is no PERFECT solution for cyber security)
Management needs to know the balance between profit and investment
[Chart: Effect of Security Investment, 0% to 100%, showing diminishing returns]
Against Cyber Attacks
To reduce the cost of cyber security, “Information Sharing” is efficient
Sophisticated attacks are not preventable, so we should focus on quick detection and response
With the increase of cyber security incidents in recent years, a large number of companies and organisations in Japan have launched a CSIRT.
** CSIRT (Computer Security Incident Response Team)
The number of Nippon CSIRT Association (NCA) members is now 120 (as of January 2016)
What is a “CSIRT”?
CSIRT (Computer Security Incident Response Team)
— CERT/CC (USA): the first CSIRT in the world, established in 1988
— Organizations which mainly provide cyber incident handling
CSIRTs can be categorized as follows:
1. “Internal CSIRTs” dealing with security problems within organizations (e.g. corporations, universities, ministries)
2. “Vendor CSIRTs” which provide services for their product users
3. “POC/National CSIRTs” acting as point of contact for global coordination
[Diagram: Within each company (Company A, Company B) an Internal CSIRT sits under Management and covers Dept. A and Dept. B; domestically, internal CSIRTs coordinate with the National CSIRT, which in turn coordinates with External Organizations overseas.]
Survey on CSIRT
The industrial categories of members range from manufacturing (TOYOTA, Panasonic, Fujitsu etc.) and construction (Taisei) to hotels (Imperial Hotel) and electric power (HAMA-CSIRT).
Since there are CSIRTs from diverse sectors, the definition of “CSIRT activities” is now becoming unclear, and there are some “CSIRTs in name only”, which do not possess enough functions to act as a Computer Security Incident Response Team.
In the "Cybersecurity Strategy" published by NISC in Japan, enterprises are encouraged to create and operate a CSIRT.
[Fig. Number of NCA members over successive years (year labels not preserved): 6, 13, 15, 17, 27, 31, 47, 69, 112]
What is a “CSIRT”?
Range of CSIRT Services by CERT/CC, CMU
Background of CSIRT Maturity Level Survey
In order to examine the current situation in CSIRT activities, JPCERT/CC, NCA and the University of Tokyo jointly conducted a survey based on SIM3, CERT/CC’s material and other original questions.
SIM3 (Security Incident Management Maturity Model)
https://www.terena.org/activities/tf-csirt/publications/SIM3-v15.pdf
SIM3 consists of 4 parts:
— Organization
— Human
— Tool
— Process
CSIRT’s scale and organization overview
3-3. How many members does your CSIRT have now?
1 - 4 members: 14%
5 - 9 members: 47%
10 - 19 members: 28%
More than 20 members: 8%
(Unlabelled in the chart): 3%
With the increase of cyber security incidents in recent years, the membership of each CSIRT is also increasing. Small CSIRTs with 4 members or fewer are merely 14% of the total.
Also, more than 30% of the organizations have a security-dedicated department, which reflects the tendency to enhance the security function.
Notification from external parties
2-4. Did you receive any notification from external parties after launching the CSIRT?
(Chart 2.4; percentages listed in the order extracted, paired with the legend order)
Related to vulnerabilities in web services: 27%
Related to product vulnerabilities: 17%
Related to incidents: 31%
Others: 8%
Not received: 17%
2-4-1. Who did you receive the notification(s) from?
(Chart 2.4.1; same pairing assumption)
Security vendors: 18%
Information-technology Promotion Agency, Japan (IPA): 16%
General users: 20%
JPCERT/CC: 31%
Others: 15%
Most CSIRTs have received some sort of notification from external parties; they make up more than 80% of the total participants. This result can be a strong indication that CSIRTs are in great demand.
Information Sharing
2-5. Are you a part of any information sharing group related to cyber attacks?
Yes: 100%
No: 0%
2-6. What format do you usually use for information sharing?
Text format: 93%
Open IOC: 0%
STIX/TAXII: 4%
Others: 3%
All of the participants share information externally.
Text format is mostly preferred, while STIX/TAXII is not yet common.
SOC operation
2-14. Do you have a monitoring operation by a SOC?
Yes: 73%
No: 27%
2-14-2. If yes, how is the SOC being managed?
By our own organization: 49%
By our group company: 18%
Outsourced: 33%
Surprisingly, more than 70% of participants have a SOC function. In addition, about half of them are managed by their own organization.
Skill set
3-4. Do you define any skill set that is required for a CSIRT member?
It is defined, documented and approved by the CISO. Furthermore, our operation is audited with reference to the documents: 3%
It is defined, documented and approved by the CISO: 8%
It is defined and documented but not officially approved: 8%
There are some benchmarks, but it is not documented: 42%
There is no definition set, and we consider it as and when necessary: 39%
80% of participants lack documentation of the skill set required for CSIRT resources.
Range of CSIRT Service
2-9. What kind of services does the CSIRT provide? And are they operated in-house or outsourced?
Incident Handling: mainly in-house 54%; half in-house / half outsourcing 31%; mainly outsourcing 0%; CSIRT does not provide 15%
Malware Analysis: mainly in-house 28%; half in-house / half outsourcing 9%; mainly outsourcing 26%; CSIRT does not provide 37%
Forensics: mainly in-house 25%; half in-house / half outsourcing 12%; mainly outsourcing 21%; CSIRT does not provide 42%
Vulnerability Handling: mainly in-house 54%; half in-house / half outsourcing 20%; mainly outsourcing 6%; CSIRT does not provide 20%
Compared to management services such as “Incident Handling”, technical services tend to be outsourced.
Through NCA’s activities and the survey:
CSIRTs in enterprises are in great demand in Japan
JPCERT/CC, as Secretariat of the Nippon CSIRT Association, helps establish CSIRTs in local enterprises
Existing CSIRTs’ operations and capabilities still vary