Incident Response
EGYPT National Telecom Regulatory Authority
Proactive vs. Reactive Services
National Telecom Regulatory Authority - EGYPT
Proactive Services
Designed to improve security capabilities before any incident occurs or is detected. The main goals are to avoid incidents, and to reduce their impact and scope when they do occur.
Penetration testing, malware analysis and awareness teams perform proactive services.
Reactive Services
Reactive services are designed to respond to requests for assistance, reports of incidents from the EG-CERT constituency, and any threats or attacks against Egyptian critical information infrastructure.
Incident Response and Cyber Forensics teams perform reactive services.
EG-CERT Scope
CRITICAL INFRASTRUCTURE
Cybersecurity Risk Landscape
Different Types of Incidents
Incident Type:
o Malware URL
o DDoS attack
o Abusive content
o Website defacement
o SQL injection
o RFI
o Authentication bypass
APTs constitute a mature attack and introduce a new paradigm of cyber security threats.

Maturity Level: Basic
Characteristics: Simple, easily accessed tools, used by amateur hackers and not particularly targeted.
Examples:
o Generic phishing scams
o Attacks against organizations with little-to-no security – weakest in the herd/opportunistic approach
o Cyber techniques available on the internet/open source
Types of Attackers: Amateur hackers; Scam artists

Maturity Level: Advanced
Characteristics: Technically mature, developed by advanced individuals or teams, but not coordinated or extremely targeted.
Examples:
o Distributed Denial of Service
o Targeted private data extraction
o Extortion as motive
o Customized tools
o Developed techniques
Types of Attackers: Extortionists; Mature cyber criminals

Maturity Level: APTs
Characteristics: Sophisticated, planned over long periods, complex, and targeted.
Examples:
o Highly sophisticated adversaries who can bypass virtually all of today’s “best practice” security controls
o Primary goal is long-term, persistent occupation for data theft, intelligence espionage, and other malicious activities
Types of Attackers: Nation states; Sophisticated adversaries

Organizations with sensitive data need to be especially wary of APTs: marginal improvements in traditional security are not enough.
Target / Result / Motivation

Target: 2008: Large Oil Companies
Result: Companies unaware of extent of attack until alerted by FBI; APTs had been persistent since 2008 and actively exfiltrating e-mails and passwords of senior executives.
Motivation: Attackers sought valuable data about new discoveries of oil deposits (this data can cost hundreds of millions of dollars to produce).

Target: 2010: Sophisticated Technology Companies
Result: Chinese attackers successfully exfiltrated sensitive data from the servers of Google, Adobe, Yahoo, Dow Chemical, and Symantec (a leading manufacturer of computer security products).
Motivation: Attackers sought persistent access to cutting-edge intellectual capital.

Target: 2010: Stuxnet
Result: Attackers successfully infiltrated several nuclear sites and damaged uranium enrichment facilities. Cited as one of the most refined pieces of malware ever discovered; experts believe only a nation state would be able to produce it.
Motivation: Attackers sought to disrupt critical industrial infrastructure, specifically targeting nuclear facilities.
Cyber Security has to be an important part of the development of the Information Society & Digital Transformation era.
Our Mission (Feeds)
Sample Incident Response Scenario
INCIDENT HANDLING 2019
INCIDENT CHART 2018
HOW TO REDUCE THE NUMBER OF INCIDENTS
Cyber Forensics, Dec. 2019
EGYPT National Telecom Regulatory Authority
Sample Incident Response Scenario
Digital Forensics
o Receiving digital evidence
o Evidence acquisition and analysis
o Reporting
Cases Categories
The Digital Forensic Department is working on different types of cases:
o Information Leakage and Business Damage
o Internet Banking Theft
o Encryption Cracking
o Harassment
o Internet Fraud
o Hacking
[Pie chart: share of cases per category; the extracted shares are 21%, 8%, 8%, 33%, 8% and 21%, but which share belongs to which category is not recoverable from the extracted text.]
THE FOLLOWING CHART INDICATES THE WORKING HOURS/TASK:
[Pie chart: working hours per case. Cases shown: Case number 17569 alkanater; Case number 8337 public funds; Case number 3452; Case number 4992 South Cairo; Case number 955; Case number 14564; Case number 3505; Case number 21; Case number 1824; Case number 4282; Case number 1 Elshrouk. The extracted shares are 29%, 23%, 15%, 13%, 6%, 5%, 3%, 3%, 1%, 1% and 1%, but which share belongs to which case is not recoverable from the extracted text.]
THE FOLLOWING CHART INDICATES THE CASES PERCENTAGE / CASE CATEGORY:
Type of case: number of cases
o Data Exfiltration: 3
o Forgery: 2
o Cloud Investigation: 2
o Drugs: 1
o Illegal Call Forwarding: 2
o Harassment: 2
PhishPhry…
In Oct 2009, Egypt-US identity theft ring: “Authorities arrested 100 Americans and Egyptians in the smashing of an international identity theft ring publicized as one of the largest cybercrime cases ever.”
PhishPhry…
Our first case was one of the largest phishing cases, which required:
o Forensic analysis of hard drives, mobile phones and e-mails.
o Forensic report: over 400 pages.
o 1600 working hours.
o 12 dedicated specialists.
o A model for cooperation within and across borders.
EG-CERT received special thanks from the US Department of Homeland Security for the work and the detailed report.
EG-CERT Short-term Goals
Target achievements:
1. Egypt botnet-free within 5 years
Structure:
o Launch the Awareness program in 2020;
o Reactivate the National Committee on Child Online Protection (COP).
Capacity Building:
o Increase the number of Public Awareness campaigns.
o Develop a National Cyber Drill for CNI.
o Develop a National training program for Cybersecurity.