CSIRT capability building and enhancement

Transcription

1 CSIRT capability building and enhancement CNCERT/CC 05 Conference March 2005 Guilin. Mark McPherson AusCERT The University of Queensland Brisbane, Queensland 4072 AUSTRALIA

2 Overview What is a CSIRT? Building Capability Enhancing Capability

3 What is a CSIRT? (1) Definition Types and examples

4 What is a CSIRT? (2) An Incident Response Team (IRT) concerned with Computer Security. +

5 But, how do IRTs respond? IR is the act of doing something when a computer security incident occurs IR can be an ad-hoc activity OR Can take-place according to a predefined IR plan Predefined IR plans: usually nominate an Incident Response Team (IRT) An IRT : has predefined roles and responsibilities acts when an incident occurs or when a precondition is met eg The CEO s PC is attacked..

6 IRT - Types and examples An Incident Response Team (IRT) can be: An Incident-handling team (aka CSIRT) On-site hands-on intervention team (eg Corporate or University IRT) A First Responder team (eg Law Enforcement - electronic Evidence Team [EET])

7 CSIRTs - types and examples (1) An Incident Response Team (IRT) can be: An Incident-handling team (aka CSIRT) What AusCERT does ie Receives reports, provides advice, acts as a liaison between involved parties, disseminates information

8 CSIRTs - types and examples (2) On-site hands-on intervention team (eg Corporate or University IRT) An emergency team who physically respond to confirmed or probable incidents Take a hands-on approach to mitigation

9 CSIRTs - types and examples (3) A First Responder team Forensic analysis teams (some Corporate IRTs do this ) Legal analysis by law enforcement eg Electronic Evidence Team (EET)

10 Building CSIRT capability (1) Establish the mandate or mission Determine constituents/clients Define services and scope Determine staff and other resources required Consider available financial models Study existing models/csirts Build a library

11 Building CSIRT capability (2) Attend conferences and training Existing staff Hire expertise Hire experienced staff or Train new staff Run in trial mode Liaise with other CSIRTs To ascertain performance Get client feedback

12 Enhancing capability Two example areas for enhancement: Capabilities of the CSIRT Capabilities of the IR team members

13 Enhancing capabilities of the CSIRT Adding value through enhanced member services Improvement of existing services Creation of new services

14 Enhancing capabilities of the IR team members Honing your teams skills using fire drills Role-playing Live Drills

15 Enhancing capabilities of the IR team members Other ideas Build a testing lab Basic research etc.. Take-on technical projects Work with other security organisations/agencies Eg Industry groups, Universities, Police

16 Enhanced member services Determining the work required Analysis of member satisfaction Surveys Feedback forums meetings, BOFs Membership churn Face-to-face member forums Conferences Industry groups and initiatives

17 Enhancing member services Improving existing services Examples: Member profiled information Advisories/bulletins Environment and OS-specific information FAQs / Best Practice guides Automated incident response Info-only or Member-driven reporting Extended Incident Response On-site or personalised services

18 Enhanced member services Creating new services Interactive services Member-only web-access Discussion groups/forums/mailing lists Monitoring/facilities management Networks (eg DoS) Websites (eg defacements) Early-warning services eg SMS

19 Fire drill role-playing (1) Purpose: Tests a team s theoretical knowledge/experience Improvement of current IR processes

20 Fire drill role-playing (2) The scenario Exterminate!!! Evaluation of answers Processing lessons-learned

21 Fire drill role-playing (3) Example scenario: Playing one side against the other Corporation s management announces a secret penetration test Informs IRT and asks to report actions of Site security team Site security team reports possible attack IRT logs the call Site security team deals with the attack and reports results IRT reports actions of Site security team to Management Corporation s management analyses security team s performance Site security team complains to IRT about a lack of responsible disclosure!

22 Purpose: Fire drill Live Drills (1) Test the teams effectiveness and practical application Improvement of current IR processes

23 Fire drill Live Drills (2) The Drill The actors The scenario The events and triggers Evaluation Critique of actions taken Processes lessons-learned Refresh policies and procedures

24 Summary CSIRT types: CSIRT, on-site IRT & First-responder (eg EET) Starting-up (Building Capability): Mandate, Scope, Resourcing, Finance, Models, Library, Conferences, Staff expertise, Trial, Liaison & Feedback. Continuing evolution (Enhancing Capability): CSIRT: Improved & new services Team Members: Fire drills role-playing & live tests

25 References Defining Incident Management Processes for CSIRTs: A work in progress Handbook for Computer Security Incident Response Teams (CSIRTs) Incident Response, Kenneth R. Van Wyk & Richard Forno, OReilly & Associates, 2001 AusCERT course (AUS-CSIRT-02) : Establishing a Computer Security Incident Response team (CSIRT) - for Technical Staff and IRT Managers, 2004

26 Questions?

27 Xie-Xie!