Future Role of National CSIRT - Cases in JPCERT/CC

Future Role of National CSIRT

- Cases in JPCERT/CC -

Global Coordination Division, JPCERT/CC

20 June, 2016

Copyright©2016JPCERT/CC All rights reserved.

In the next hour (or more) I will talk about:

1. JPCERT/CC Overview, Incident Statistics

2. A Study on CSIRT Maturity Level

2


A few thoughts to begin with:

There is no perfect model for CSIRT

—Needs, situation etc. may vary in each country

What JPCERT/CC does is just an example

—No need to copy what we do

—Hope that it helps you to think about a model that suits your country/constituency

Some of the key roles as a National CSIRT

(other than incident handling):

—Leading role within your economy as a “coordination centre” of domestic CSIRTs (enterprise/academic etc.) and other stakeholders in cyber security

—Presence in regional/international communities as a “representative”: Connection is a key

3


What is a National CSIRT?

CERT/CC’s definition

“A CSIRT with National Responsibility (or "National

CSIRT") is a CSIRT that has been designated by a

country or economy to have specific responsibilities in

cyber protection for the country or economy. A National

CSIRT can be inside or outside of government, but must

be specifically recognized by the government as having

responsibility in the country or economy.”

(https://www.cert.org/incident-management/national-csirts/)

4


Agenda



5

•Who we are

•What we do

…Just in case you’re not familiar with us

JPCERT/CC

Activity Overview

JPCERT/CC

Global Coordination Division


JPCERT/CC Updates

JPCERT/CC Organizational Structure

Incident Statistics

Other Services and Awareness-Raising

7


JPCERT/CC Introduction

Foundation

• October, 1996

Number of Staffs

• About 70

Organization status

• An independent, non-profit

organization

• Assigned by METI* as the

vulnerability handling organization*Ministry of Economy, Trade and Industry, Japan

8


JPCERT/CC Introduction

Constituency

• Internet users in Japan, mainly for enterprises

• Mainly providing service through technical staffs with high

degree of professionalism (e.g. system administrators) in

enterprises

9


JPCERT/CC Features

We are…

the experienced CSIRT in Japan

closely collaborating with local and global entities and

mainly providing service through technical staffs with high

degree of professionalism in the enterprises

playing a prominent role within the both domestic and

international information security community such as

APC, NCA, FIRST and APCERT

10


International and Regional Activities

Forum of Incident Response and Security Teams (FIRST)

• The first Japanese CSIRT to obtain membership

• Current Steering Committee Member

Asia Pacific Computer Emergency Response Team (APCERT)

• Founding member

• Current Steering Committee member

• Secretariat since its foundation

• Former Chair (2011-14)

11

http://www.first.org/


-Global Collaboration among CERTs-

12

APCERT

EGC

ENISA

TF-CSIRT

OIC-CERT

AFNOG/AfriNIC/AfREN

APEC-TEL

ASEAN / ANSAC

GFIRST

GCC-

CERT

FIRST

CLARA WG-CSIRT


・Incident Handling

Coordination・Vulnerability Handling

・Artifact Handling

・Publishing Security Alerts

・Education, Training

・Develop Security Tools

・Monitoring

・Detect Invasions

・Providing Security

Information・Information Analysis, etc.

FIRST APCERT

Overseas CSIRTs

Government

Internal

CSIRTs

Vendors

Media

Users

Industrial Entities

Law Enforcement

Domestic

Overseas

ISPs

Other International

CSIRT Communities

・Incident Handling

Coordination・Vulnerability Handling

・Artifact Handling

・Alerts Publishing

・CSIRT capacity building

training・Drill

・Collaborative Activities

(events)・Information Sharing, etc.

Associations

VendorsISPs

13


JPCERT/CC - 3 Services and 6 Basic Activities -P

revent -Vulnerability

Information Handling

Watc

h -Information gathering / analysis / sharing

-Internet Traffic Monitoring

Respond - Incident Handling

Early Warning InformationInformation sharing with critical infrastructure enterprises, etc.

CSIRT Establishment SupportCapacity building for internal CSIRTs in enterprises / overseas national CSIRTs

Industrial Control System SecurityActivities to protect ICS, such as incident handling and information gathering/sharing

Artifact AnalysisAnalysis on attack methods / behavior of malware (unauthorized program)

Domestic CollaborationCollaboration with various security communities in Japan

International CollaborationCollaboration with overseas organizations for smoother handling of incidents and vulnerabilities

Coordinate with developers

on unknown vulnerability

information

Secure Coding

Mitigating the damage

through efficient incident

handling

Information sharing to

prevent similar incidents

Alerts / Advisories

14


INCIDENT STATISTICS

15


Number of Incident Reports Received at JPCERT/CC

Number of Incidents Coordinated by JPCERT/CC

Number of Reported Incidents (JFY)

16

2802

5606

8717

9684 9792

0

2000

4000

6000

8000

10000

12000

2011 2012 2013 2014 2015

8485

20019

29191

22255

19624

0

5000

10000

15000

20000

25000

30000

35000

2011 2012 2013 2014 2015


Breakdown of reported incidents

17

Scan53.8%

Website defacement

17.2%

Phishing11.8%

Malware4.0%

DoS0.8%

Targeted attack0.8% ICS

0.1%

Other11.4%

Abuse Statics of 2015 (Jan – Dec)Targeted Attack

0.8 %

Malware

4.0 %


Incident Handling Flow

18

•Victim

•Incident detectors

•Relevant parties, etc.

•ISP/ASP

•System

administrators

•CSIRTs, etc.

1

2 3

4

Countermeasure

ResponseIncident Report

(Request for

countermeasure)

Appropriate Parties

Feedback Report


OTHER SERVICES AND

AWARENESS RAISING

19


Network Packet Traffic Monitoring

TSUBAME Project

• Initiated and lead by JPCERT/CC

• Internet traffic monitoring project observing various

scanning activities

• Sensors deployed in Asia Pacific region

(25 teams/21 economies participating as of January 2016)

• All observed data are visualized on TSUBAME portal.

• Analysis report is shared periodically.

• Annual TSUBAME Workshop is held in conjunction

with APCERT Annual General Meeting.

20 20

Tsubame is swallow in English


Features of TSUBAME

Common platform for CSIRTs in the AP region

Data can be utilized for CSIRT operation*

*Reports can be publicly released under the condition that sensitive

information, such as IP addresses, are not included.

Common data shared among member teams

Data obtained from all sensors is available for all member

teams

Findings and analysis report being shared through a mailing

list and annual workshop

Sensors are put on the “live network” (cf. dark network)

Visualization of data

http://www.apcert.org/about/structure/tsubame-wg/

21


Alerts and Advisories

Security Alerts

• Countermeasures for incidents with high impact

• Issued as necessary (about 20-30/year in average)

Early Warning Information

• Security alerts with confidentiality

• For critical infrastructure entities

• Issued when necessary

Vulnerability Information

• Provided via portal site (JVN)


Analyst Note

• Useful security information gathered by analysts

• Issued every working day

22


Open Publication from JPCERT/CC

JVN – Japan Vulnerability Notes

• jvn.jp/en/


Security Alerts

• https://www.jpcert.or.jp/english/at/2014.html

• Countermeasures for incidents with high impact

• Issued as necessary (about 20-30/year in average)

English Blog

• JPCERT/CC activities and security trends

• blog.jpcert.or.jp

Twitter

• Blog and security alert updates

• @jpcert_en

23


Control System Security Awareness Building

ICS (Industrial Control System) :

“System which controls and manages other devices or

systems”

• Electric power grid, gas, water supply and sewerage

• Traffic and transportation

• Environmental monitoring

• Manufacturing facilities in plants…etc.

24


Control System Security Awareness Building

What JPCERT/CC does for ICS Security:

• Incident and vulnerability handling operation to ICSs in

Japan

• Annual technical conference on ICS security

• Information sharing opportunities for ICS engineers

• Bimonthly newsletter (in Japanese)

• Citation of major global news on ICS security

• Summary of ICS-CERT advisories and alerts

• Distribution of ICS security assessment tool “SSAT”

• Simple MS/Excel-based tool for asset owners to assess their

level of ICS security

• Originally developed by CPNI*1 in U.K.

*1 : Centre for the Protection of National Infrastructure (CPNI)

25


Vulnerability Handling

Vulnerability: A weakness in a product which may allow an attacker to reduce a system's security.

JPCERT/CC is assigned by the Ministry of Economy, Trade and Industry (METI) to coordinate and communicate with vendors on vulnerability disclosures. (Announcement #235)

Information published on JVN (https://jvn.jp/en/)

In 2010, JPCERT/CC was approved by the MITRE Corporation*1 as CNA (CVE*2 Numbering Authority).

*1 An American not-for-profit organization

*2 Common Vulnerabilities and Exposures

26

https://jvn.jp/en/


Various Developers

Reporters

(Domestic)

End users

Corporate users

System Integrator

ISP

Retail outlet

Media

JPCERT/CCIPA

CERT/CC (US)

CPNI (UK)

NCSC-FI

Overseas Coordination Centers

Reporters

(Overseas)

Japan Overseas

JVN

Vulnerability Handling Flow

27


Artifact (Malware) Analysis

What is malware?

Malicious Software

• Broader in concept than a computer virus

• Virus, Worm, Trojan Horse, Rootkit, Bot, DoS Tool,

Exploit kit, Spyware

Why do CSIRTs need Malware Analysis?

• To utilize analysis results for CSIRT’s basic activities

• To verify public information (it could be wrong)

• To keep up on attack trends

• To evaluate threats

28


Secure Coding Awareness Building

Why do we need secure coding?• Vulnerabilities exist in IT products• Products should be secure from coding process

In which programming language?

• C/C++

• Java

• Android JPCERT/CC recently translated materials originally composed by CERT/CC.

Seminars are conducted in Japan and overseas to:

• Help engineers to understand vulnerabilities and attack mechanisms

• Help engineers to learn useful examples of actual secure coding methods and how to study further

29


Capacity Building for Overseas CSIRTs

CSIRT Development Training (On-site)

• Cambodia(’07,’08), Indonesia(’10, ‘14), Lao(’07,’09,’12,’13,‘14), Mongolia(’09,’13,‘14)

Myanmar(’07,’11x2,’12x2,’15), Qatar (’06), Thailand(’12, ‘14x3), Vietnam(’10x2)

• Pacific Islands (PacCERT) ’11 – ‘12

• Africa (AfricaCERT) ’10 - (ongoing)

C/C++ Secure Coding Seminar

• India(’10), Indonesia(’09,’11,‘13), Philippines(’10),

Thailand(’09,’11), Vietnam(’10)

Java Secure Coding Seminar

• Indonesia(’12), Thailand(’12,‘15)

Android Secure Coding Seminar

• Thailand(’12,’15), India (‘14)

TSUBAME

• Workshop @APCERT AGM ‘09 – (ongoing)

• Indonesia (’14), Laos (‘14), Sri Lanka (‘14)

AOTS Information Security Training in Tokyo for ASEAN countries (’08 -’11)

Training for HIDA (The Overseas Human Resources and Development Association) (‘14,’15)

Information security training for ASEAN countries as part of the ASEAN-Japan Information Security Training in Tokyo, organized and hosted by NISC (’11)

3030


JPCERT/CC English Blog

http://blog.jpcert.or.jp/

Recent

Conferences/Trainings

participation

Publication

announcement

(reports/tools)

Technical

Trends/Observation

31

http://blog.jpcert.or.jp/


Agenda



32

•Situation around corporate CSIRTs in

Japan

•Gives you some hints on CSIRTs

CSIRT against Cyber Attacks- Necessity of Emergency Response -

Watch and Warning Group


Topics

The number of cyber attacks is increasing, since attackers can gain economic benefit from cyber attacks

—Phishing, Banking fraud with Trojan

Attack methods are becoming more and more sophisticated with the increase of cyber attacks

What should be prepared in enterprises/organizationsagainst cyber attack?

This presentation aims to provide you with some hints on necessary functions for a CSIRT (Computer Security Incident Response Team)

34


Categories of cyber attackers

Based on the purpose of attackers, attribution of attackers can be

categorized in 3 groups

Attacking techniques and level differ among groups

35

For fun/hacktivists For financial purposes For targeted attacks

Attack purposes -Political appeal

-Showing off techniques

- Obtaining money

(unauthorized money

transfer)

- Stealing information or

system destruction of target

organizations

Main attack methods - DoS (Denial of Service)

attacks to websites

-Website defacement for

political appeal

- Taking over SNS accounts

- Malware distribution

caused by website

defacement

- Sending malware-attached

emails

- Distributing malware at

defaced websites (Only for

targeted users)

Technique level

LOW

HIGH

Categorized by JPCERT/CC Watch and Warning Group


Detecting intrusion and preparation

Limit in preventing intrusion into organizations’ network

— Intrusion not only through emails but also viewing a website

— Attacks leveraging 0day vulnerabilities

— Employees’ lack of knowledge in security, human errors

— Limit in security software’s ability in detecting suspicious communication

Actions AFTER detecting intrusions are also

important:

- Adequate logs saved from individual

devices?

- Any system to detect intrusion afterwards?

- Important information assets securely

separated?

- Procedures in handling incidents?


Defense Side

Business is the first priority (Not Security) in enterprises

Marginal effect of security invest is diminishing

(There is no PERFECT solution for cyber security)

Management persons need to know the balance of profit and invest

100%

0%

Effect of Security Invest

37


Against Cyber attack

To reduce the cost for cyber security “Information

Sharing” is efficient

Sophisticated attacks are not preventable,

so we should focus on quick detection and response

With the increase of cyber security incidents in recent

years, there are a large number of companies and

organisations in Japan that launch a CSIRT.

** CSIRT(Computer Security Incident Response Team)

Now the number of CSIRT Association (NCA) member is

120 (as of January 2016)

38


What is a “CSIRT”?CSIRT (Computer Security Incident Response Team)

— CERT/CC (USA): The first CSIRT in the world established in 1988

— Organizations which mainly provides cyber incident handling

CSIRTs can be categorized as follows:

1. “Internal CSIRTs” dealing with security problems within organizations

(e.g. corporations, universities, ministries)2. “Vendor CSIRTs” which provide services for their product users

3. “POC/National CSIRTs” acting as point of contact for global coordination

Management

External

Org.

External

Org.

External

Org.

External

Org.

External

Org.

External

Org.

Management

Dept.

A

Dept.

B

Dept.

A

Dept.

B

Internal CSIRT

Internal

CSIRT

Internal

CSIRT

National CSIRT

OVERSEAS

DOMESTIC

Company A

Company B

39


Survey on CSIRT

The industrial categories of members cover from manufacturing

industry (TOYOTA, Panasonic, Fujitsu etc.), construction company

(Taisei), hotel (Imperial Hotel) to electric power company (HAMA-

CSIRT).

Since there are CSIRTs from diverse sectors, the definition of

“CSIRT activities” is now becoming unclear, and there are some

“CSIRTs in name only”, which do not possess enough functions as a

Computer Security Incident Response Team.

Fig. Number of NCA membersIn the "Cybersecurity Strategy" published by NISC in Japan,

it is encouraged that enterprises will create and operate a CSIRT.

6 1315 17

27 3147

69

112

40


What is a “CSIRT”?

Range of CSIRT Services by CERT/CC, CMU

41


Background of CSIRT Maturity Level Survey

In order to examine the current situation in CSIRT activities,

JPCERT/CC, NCA and the University of Tokyo jointly conducted a

survey based on SIM3, CERT/CC’s material and other original

questions.

SIM3(Security Incident Management Maturity Model)

https://www.terena.org/activities/tf-csirt/publications/SIM3-v15.pdf

SIM3 is consist of 4 parts

— Organization

— Human

— Tool

— Process

42

https://www.terena.org/activities/tf-csirt/publications/SIM3-v15.pdf


CSIRT’s scale and organization overview

3-3. How many members does

your CSIRT have now?

14%

47%

28%

8%

3%

3.3

1 - 4members

5 - 9 members

10 - 19 members

more than 20members

With the increase of cyber security incidents in recent years, members in each CSIRT are also increasing. Small CSIRTs with less than 4 members are merely 14% of the total.

Also, more than 30% of the organizations have a security-dedicated department, which explains

the tendency to enhance security function.

43


Notification from external parties

2-4. Did you receive any

notification from external

parties after launching the

CSIRT?

• 2-4-1. Who did you receive the

notification(s) from?

27%

17%31%

8%

17%

2.4

Related to vulnerabilitiesin web services

Related to productvulnerabilities

Related to incidents

Others

Not received

18%

16%

20%

31%

15%

2.4.1Security vendors

Information-technologyPromotion Agency,Japan (IPA)

General users

JPCERT/CC

Others

Most CSIRTs have received some sort of notifications from external parties, and the number

counts up to more than 80% of the total participants. This results can be a strong support that

CSIRTs are in great demand.

44


Information Sharing

2-5. Are you a part of any

information sharing group

related to cyber attacks?

• 2-6. What format do you usually

use for information sharing?

93%

0% 4% 3%

2.6

Text format

Open IOC

STIX/TAXII

Others

100%

0%

2.5

Yes No

All of the participants share information externally.

Text format is mostly preferred, while STIX/TAXII is not yet common.

45


SOC operation

2-14. Do you have monitoring

operation by SOC?

• 2-14-2. If yes, how is the SOC

being managed?

73%

27%

2.14

Yes

No

49%

18%

33%

2.14.2

By our ownorganization

By our groupcompany

Outsourced

Surprisingly more than 70% of participants have a SOC function. In addition,

a half of them is managed by their own organization.

46


Skill set

3-4. Do you define any skill set that is required as a CSIRT

member ?

3%8%

8%

42%

39%

3.4 It is defined, documented andapproved by CISO. Furthermore, ouroperation is audited referring to thedocuments.It is defined, documented andapproved by CISO

It is defined, documented but notofficially approved.

There are some benchmarks, but it isnot documented.

There is no definition set, and weconsider as and when necessary.

80% of participants lack documents on skill set required for CSIRT

resources.47


Range of CSIRT Service

2-9 What kind of service do CSIRT provide?

And is it operated by in-house or outsourcing?

54%31%

0% 15%

Incident Handling

mainly in-house

half in-house/halfoutsourcing

mainly outsourcing

CSIRT does notprovide

28%

9%

26%

37%

Malware Analysis

mainly in-house


mainly outsourcing

CSIRT does not provide

25%

12%

21%

42%

Forensics

mainly in-house


mainly outsourcing


54%

20%

6%

20%

Vulnerability Handling

mainly in-house


mainly outsourcing


Compared to management service such as “Incident Handling”, technical

services tend to be operated by outsourcing. 48


Through NCA’s activities and the survey:

CSIRTs in enterprise is in great demand in Japan

JPCERT/CC, as Secretariat of Nippon CSIRT

Association, helps establishing CSIRTs in local

enterprises

Existing CSIRTs’ operation and capabilities still vary

49

Date post:	09-Jan-2022
Category:	Documents
Upload:	others
View:	2 times
Download:	0 times

Future Role of National CSIRT - Cases in JPCERT/CC

Documents