The Establishment Process of ID-SIRTII


The Establishment Process of ID-SIRTII
Indonesia Security Incidents Response Team on Internet Infrastructure

Lessons Learned from the ASIS Program, Tokyo, 19 March – 26 March 2008

sponsored by: The Training Program on Information Security for Asian Countries

presented by the Indonesian Delegation:
- Richardus Eko Indrajit
- Muhammad Salahuddien


Agenda of Today
- INTRODUCTION
- PRESENTATION: Management Aspects of ID-SIRTII by R. Eko Indrajit; Technical Aspects of ID-SIRTII by Muh. Salahuddien
- Q&A AND DISCUSSION
- CLOSING

The Format of Presentation Slides (callouts 1-4 on each slide):
- Lessons learned by the Indonesian delegation from the ASIS Program of JPCERT/AOTS
- The implementation of the knowledge acquired within the Indonesian ID-SIRTII setting
- Related reference(s) used as background knowledge
- Page number and program name
- Main theme of the managerial and/or technical aspect
- ID-SIRTII official logo


Outline of the Strategic Plan
- Implement the knowledge learnt from the ASIS program to adjust and enhance the existing profile of ID-SIRTII
- Separate the issues into two main domains, management and technical matters, and identify the things that should be considered and given attention
- Focus on the most important aspects of a national-level CSIRT to ensure the success of the establishment effort
- Make certain that all mandatory and necessary aspects of building the national CSIRT have been addressed and prepared in a holistic and integrated way

MANAGEMENT ASPECTS of ID-SIRTII as the Indonesian National CSIRT/CC
1. Philosophy, Principles, and Strategy
2. Roles, Services, and Responsibilities
3. Constituents, Management, and Resources
4. Legal, Communication, and Coordination

TECHNICAL ASPECTS of ID-SIRTII as the Indonesian National CSIRT/CC
1. Incident Components of Vulnerabilities, Threats, and Attacks (Exploitations)
2. Monitoring, Analysis, and Response Activities
3. Range of Tools and Technology
4. Cases of CSIRTs/CERTs in Action

Learning from the ASIS Course: Issues of CSIRT Creation and Possible Solutions & Plan and Schedule of Promoting CSIRT Creation


ID-SIRTII Establishment Status
- Developing the national CSIRT capability should be done in stages
- Start small, grow, and scale fast
- Build the capabilities along with the readiness of the resources
- Work professionally to build trust among the stakeholders
- Collaborate with stakeholders to deliver services
- Manage the expectations of the constituency so that there is no misunderstanding of the organisation's roles and responsibilities
- Remember that every CSIRT is unique in the tasks and activities it covers

Stage 1: Initialising and educating stakeholders on the need for a national CSIRT
Stage 2: Planning the establishment of the Indonesian National CSIRT (ID-SIRTII)
Stage 3: Developing the core infrastructure and superstructure of ID-SIRTII
Stage 4: Operating the facilities
Stage 5: Conducting collaboration with other parties
Stage 6: Evaluating and enhancing the system and capabilities

We are here!


The Profile of Indonesia
- Form a national CSIRT that matches the posture and profile of the country by understanding the requirements of the main sponsors and the expectations of the related constituents
- Consider all the complexities and difficulties of running a national-level CSIRT in order to build an effective strategy for developing and implementing it
- Learn from other established CSIRTs/CERTs for ideas on how to develop such an institution successfully
- Think about the CC or "Coordination Center" role for the institution, to ease building the scope and image of the national CSIRT without being misunderstood by related partners, constituents, customers, and other stakeholders


Missions and Objectives
- Define the organisation's mission in line with the sponsor's expectations
- Link the mission with the objectives and main tasks that share common interests with other stakeholders
- Help the institution scope its roles and responsibilities in incident response management
- Use the mission as a baseline for creating policies, determining quality, conducting services, and developing procedures within the institution

Mission: "To expedite the economic growth of the country through providing the society with a secure internet environment within the nation"

Main tasks:
1. Monitoring internet traffic for incident handling purposes.
2. Managing log files to support law enforcement.
3. Educating the public for security awareness.
4. Assisting institutions in managing security.
5. Providing training to the constituency and stakeholders.
6. Running a laboratory for simulation practices.
7. Establishing external and international collaborations.


Constituency Domain
- Define and determine the constituencies to get a clear picture of who the customers are
- Differentiate between direct customers and indirect customers
- Map the constituents to help the organisation build a collaboration strategy that leverages its limited resources
- Make sure to build trust with all constituents to help the organisation fulfil its missions
- State the "your security is my security" paradigm to all constituents to build a shared mission among the communities

Constituents around ID-SIRTII (diagram): ISPs, NAPs, IXs, Law Enforcement, National Security, Communities, International CSIRTs/CERTs, Government of Indonesia


Coordination Structure
- Know and position yourself among the other CSIRTs/CERTs to manage the expectations of your constituency
- Determine the scope of the coordination role you are playing to manage stakeholders' expectations
- Categorise the other CSIRTs/CERTs to make coordination and cooperation activities easier
- Build partnerships with other related institutions to safeguard the internet

ID-SIRTII (CC) as National CSIRT coordinates four categories of CSIRTs/CERTs (diagram):
- Sector CERTs: Bank CERT, Airport CERT, University CERT, GOV CERT, Military CERT, SOE CERT, SME CERT, Hospital CERT, other CERTs
- Internal CERTs: Telkom CERT, BI CERT, Police CERT, KPK CERT, Lippo CERT, KPU CERT, Pertamina CERT, UGM CERT, other CERTs
- Vendor CERTs: Cisco CERT, Microsoft CERT, Oracle CERT, SUN CERT, IBM CERT, SAP CERT, Yahoo CERT, Google CERT, other CERTs
- Commercial CERTs: A CERT, B CERT, C CERT, D CERT, E CERT, F CERT, G CERT, H CERT, other CERTs


Institution Main Tasks
- Determining the scope of your institution is important
- Map the missions and objectives onto the CSIRT's types of major services
- Prepare the resources based on the capabilities required to conduct these various services
- Help the constituents understand the roles and responsibilities of your organisation
- Develop procedures and mechanisms to deliver each service to the related stakeholders

Incident handling domain and ID-SIRTII main tasks (table; the slide's "x" marks mapping each task to its service categories are not legible in this transcript):

ID-SIRTII main tasks:
1. Monitoring traffic
2. Managing log files
3. Educating public
4. Assisting institutions
5. Provide training
6. Running laboratory
7. Establish collaborations

Reactive Services: Alerts and Warnings; Incident Handling; Vulnerability Handling; Artifact Handling

Proactive Services: Announcements; Technology Watch; Security Audit and Assessment; Configuration and Maintenance of Security Tools, Applications, and Infrastructure; Intrusion Detection Services; Security-Related Information Dissemination

Security Quality Management Services: Risk Analysis; BCP and DRP; Security Consulting; Awareness Building; Education/Training; Product Evaluation


Incident Definitions and Examples
- Defining what "incident" means gives a clear picture of the scope and services offered by the institution
- Beware that there are various definitions of "incident", and a good number of incident samples happening on the internet
- Studying the nature and characteristics of every type of incident helps the institution prepare or develop a strategy for incident response
- Analysing incidents is really time consuming, so some necessary tools are required to ease and speed up the effort

Examples of incidents: web defacement, information leakage, phishing, intrusion, DoS/DDoS, SMTP relay, virus infection, hoax, malware distribution, botnet, open proxy, root access theft, SQL injection, trojan horse, worms, password cracking, spamming, malicious software, spoofing, blended attack

Definitions of "incident" quoted on the slide:
"one or more intrusion events that you suspect are involved in a possible violation of your security policies"
"an event that has caused or has the potential to cause damage to an organization's business systems, facilities, or personnel"
"any occurrence or series of occurrences having the same origin that results in the discharge or substantial threat"
"an undesired event that could have resulted in harm to people, damage to property, loss to process, or harm to the environment."


Incident Classifications
- Categorising incidents helps stakeholders understand the issues and respond to them effectively
- Study the trend of internet incidents and comprehend the nature of those activities in order to know the magnitude of their impact and the level of complexity surrounding them
- Analyse the incident types occurring in the territory by their probability of occurring and their impact on the victim(s), as part of risk management activities
- Understand deeply the various approaches used by hackers to harm computer and internet systems
- Come out with a good number of potential solutions to hinder incidents from occurring within the territory, based on the understanding of their behaviours

Four classes of incident: INTERCEPTION, INTERRUPTION, MODIFICATION, FABRICATION

Examples placed on the slide: phishing, social engineering, blackmail, web defacement, SQL injection, trojan horse, scanning, spyware, spoofing, DDoS, virus, worms


Priorities on Handling Incidents
- Analyse the nature of incidents before setting up the response team and approach
- Map incident categories from the CSIRT's view onto the constituents' context
- Assign a priority level requirement to every constituency-based classification
- Deploy incident handling team resources according to the form required to face the case
- Procure or develop a KM-based website to take care of "low priority", consumer-oriented enquiries on handling their incidents

Type of incident and its priority (matrix):

Columns (constituency context and priority): Public Safety and National Defense (Very High Priority) | Economic Welfare (High Priority) | Political Matters (Medium Priority) | Social and Culture Threats (Low Priority)

Rows, each with the same four cells across the columns: Many to One | One to Many | Many to Many | Automated Tool (KM-Based Website)
1. Interception
2. Interruption
3. Modification
4. Fabrication


Chain of Processes
- Incidents should be managed through a series of activities
- Developing a holistic framework helps the CSIRT manage its daily processes and activities
- Concentrating on conducting the core processes more than the supporting activities helps the institution set its priorities
- Resources should be allocated based on their competencies and skills

Core process (diagram): Monitor Internet Traffic; Manage Log Files; Deliver Required Log Files; Analyse Incidents; Respond to and Handle Incidents; Report on Incident Handling; Research Vital Statistics

Management process and supporting activities (diagram): Establish External and International Collaborations; Run Laboratory for Simulation Practices; Provide Training to Constituency and Stakeholders; Assist Institutions in Managing Security; Educate Public for Security Awareness


Detail of Activity Procedures
- Developing detailed procedures for managing all the CSIRT's activities is very important for ensuring the quality of the services delivered
- The expectations of constituents can only be fulfilled if the institution gives them real value when responding to the incidents reported
- Consider following international standard(s) for managing the institution (e.g. ISO 27001, ISO 17799, ISO 9001:2000, etc.) as the approach for conducting quality services
- Ensure that all the activities defined cover the main roles and responsibilities of the national CSIRT assigned to the institution
- Benchmarking the activities against other similar institutions is worth the effort, to make certain that enough coverage and detail are in place

ID-SIRTII ACTIVITIES

1. CORE PROCESS
1.1 LOG FILE MANAGEMENT: 1.1.1 Collect, 1.1.2 Organise, 1.1.3 Store, 1.1.4 Retrieve, 1.1.5 Transfer, 1.1.6 Distribute, 1.1.7 Archive
1.2 INTERNET TRAFFIC MANAGEMENT: 1.2.1 Gather, 1.2.2 Monitor, 1.2.3 Analyse, 1.2.4 Detect, 1.2.5 Inform, 1.2.6 Distribute, 1.2.7 Archive

2. SUPPORTING ACTIVITIES
2.1 TRAINING CONDUCT: 2.1.1 Plan, 2.1.2 Offer, 2.1.3 Register, 2.1.4 Execute, 2.1.5 Evaluate
2.2 RESEARCH AND DEVELOPMENT: 2.2.1 Propose, 2.2.2 Study, 2.2.3 Report, 2.2.4 Plan, 2.2.5 Execute, 2.2.6 Evaluate
2.3 INFO SUPPORT SERVICES: 2.3.1 Require, 2.3.2 Prepare, 2.3.3 Inform, 2.3.4 Execute, 2.3.5 Evaluate, 2.3.6 Learn
2.4 EXTERNAL COLLABORATION: 2.4.1 Explore, 2.4.2 Propose, 2.4.3 Correspond, 2.4.4 Engage, 2.4.5 Plan, 2.4.6 Execute, 2.4.7 Evaluate


People and Structure
- Form an organisation structure that can support the management of the core activities of the national-level CSIRT
- Ensure that the team consists of people with a range of competencies in both managerial and technical aspects
- Assess the competency and expertise requirements for every job title in order to recruit the right people
- Map each person to the related job title within the institution based on his/her expertise and competencies
- Make certain of the professionalism of the persons recruited to the institution by signing a special agreement letter as the binding contract
- Develop job descriptions and SOPs for every job title that exists within the institution

Organisation structure (chart): Ministry of ICT, Directorate of Telco & Communication; Chairman; Vice Chairman; General Secretary; Inspection Board; Advisory Board; Deputy of Operation and Security; Deputy of Data Center, Applications & Database; Deputy of Research and Development; Deputy of Education and Public Affairs; Deputy of External Collaborations


Holistic Framework
- Communicate the roles and responsibilities of the CSIRT institution in a simple way so that other stakeholders understand its main functions
- Illustrate all the important components of the institution using an "easy-to-understand" strategic framework
- Position each component of the institution within the framework so that it shows the relationships among them
- Introduce "MAYDAY" as the marketing gimmick of the institution (ID-SIRTII) to educate and inform the public at large
- Socialise the institution's profile to all constituents using different media channels that reach as many communities as possible within the large archipelago of Indonesia
- Build intensive communication with respected stakeholders and constituents

Framework (diagram): SECURE INTERNET INFRASTRUCTURE ENVIRONMENT
- People, Process, Technology
- Log File Management System; Traffic Monitoring System; Incident Indication Analysis; Incident Response Management
- Advisory Board; Executive Board
- MAYDAY: MONITOR - ANALYSIS - YELL - DETECT - ALERT - YIELD
- Foundations: STAKEHOLDERS COLLABORATION AND SUPPORT; NATIONAL REGULATION AND GOVERNANCE; STRONG INSTITUTIONAL RELATIONSHIPS AND COMMITMENT


Legal Framework
- Ensure that regulations exist to back up the CSIRT's activities within the nation
- Understand carefully the types and coverage of the regulations with regard to the main tasks the institution is operating
- Make certain that there is a system of incentives and "punishment" so that all related partners of the institution follow such a governance model
- Working with other countries will in some cases require another legal framework or agreement besides international law; it is important to have some kind of umbrella agreement among the nations that want to work together in combating cyber crime
- The institution should learn the law and legal systems of other countries to get a picture of how to develop an effective way of solving international cases

Regulations:
- Undang-Undang No.36/1999 regarding the National Telecommunication Industry
- Peraturan Pemerintah No.52/2000 regarding Telecommunication Practices
- Peraturan Menteri Kominfo No.27/PER/M.KOMINFO/9/2006 regarding Security on IP-Based Telecommunication Network Management
- Peraturan Menteri No.26/PER/M.KOMINFO/2007 regarding the Indonesian Security Incident Response Team on Internet Infrastructure


Starting Topology
- Develop the technology required to operate the CSIRT in stages, starting from a small technology set-up with several sensors
- Build effective collaboration and coordination between the institution and the external parties (e.g. internet service providers, network access points, and internet exchanges) to enable the services offered by the CSIRT
- Map the capabilities of the installed technology onto the services that the institution can deliver, to manage the expectations of the public and stakeholders
- Collaboration with the external parties should be well institutionalised by jointly developing all the necessary documents (e.g. agreement, policy, SOPs, etc.) for operating all sensors and other devices placed in their territories

"... start with 9 sensors installed in major ISPs/NAPs/IXs..."


Core Application
- Procure the right software and tools to help the CSIRT operation deliver the incident analysis and response process properly
- Learning how different software, applications, and tools can help the CSIRT operation gives the managerial and technical staff a better picture when developing the strategy to deliver their services to constituents
- Studying the strengths and weaknesses of every tool brings value to the CSIRT's management when deciding the right tools portfolio to be used within the institution
- Benchmarking related applications that are ready on the market can also be done by the institution to get a feeling for how each application performs in the features and capabilities claimed for their products

(Figure) Source: Sourcefire


Software Main Functionalities
- Ensure that the main or core tools the institution has bring value to the constituents and stakeholders
- The value can be determined by studying and analysing the features and capabilities of the tools
- Failing to understand internal capabilities can bring negative impacts on the public, whose expectations of the CSIRT's main roles and functions would then go unmet

(Figure) Source: Sourcefire


Plan on People Development


Plan on Process Development


Plan on Technology Development


Marketing Gimmick
- Embrace the public, societies, constituents, and other stakeholders with an effective marketing strategy that may trigger them to promote and support the initiatives
- Develop the community spirit to protect cyber security by using language that is easy to understand and reflects the shared mission of the related stakeholders
- Understand the philosophy that, at the end of the day, effective internet security will depend on every individual's behaviour towards the effort of safeguarding the internet
- Working together with a team or partner who are experts in sending the right message to the right people can help the institution build its image with the public
- Learn how the "perception is reality" paradigm will reflect the image of the institution in the public's eye

Why does a car have BRAKES??? A car has BRAKES so that it can go FAST ... !!!

Why should we have regulation? Why should we establish an institution? Why should we collaborate with others? Why should we agree upon mechanisms? Why should we develop procedures? Why should we have standards? Why should we protect our safety? Why should we manage risks? Why should we form a response team?


Thank You

ID-SIRTII
Menara Sudirman 14th Floor, Jalan Jendral Sudirman Kav.60, Jakarta 12190, Indonesia
Phone: +62 21 383 5893, Fax: +62 21 386 2873, Website: http://www.idsirtii.or.id
Email: [email protected] & [email protected], Cell: +62 818 925 926 & +62 818 600 081

