CESNET-CERTS. Academic CSIRT Meeting 17 Jun 2012 Malta. Andrea Kropáčová,

Transcription

1 CESNET-CERTS Academic CSIRT Meeting 17 Jun 2012 Malta Andrea Kropáčová, CESNET-CERTS, CESNET, z. s. p. o.,

2 CESNET-CERTS Provided by CESNET CESNET provides Czech NREN CESNET has 26 members and about 300 participants Responsibility: CESNET2 network AS members (not full time) 2 are members of EGI

3 CESNET-CERTS History: established Jan 2004 listed Jan 2008 accredited Apr 2008 we established CSIRT.CZ Dec 2010 CSIRT.CZ was declared as National CSIRT of Czech Republic Jan 2011 transfer of CSIRT.CZ to CZ.NIC started Jun 2011 transfer of CSIRT.CZ finished

4 CESNET-CERTS (Inter) national cooperation: Working group E-CRIME Working group CESNET CSIRT Working group IPv6 Working group CSIRT.CZ Security forces of CZ TERENA, TF-CSIRT, TI ENISA EGI

5 CESNET-CERTS Services: incident handling and incident response for CESNET2 network traffic monitoring in CESNET2 gathering and corelating data public sources Shadowserver, UCEPROTECT, TeamCymru, DShield, NASK Polska CESNET2 forensics laboratory CESNET Audit System IDS (based on LaBrea), honeypots (Kippo, Dionaea), netflows, logs education

6 CESNET IDS Based on LaBrea watches unassigned address range of CESNET2 from /16 results (detected attacks) source of the attack is from CESNET2 --> CESNET-CERTS incident handling source of the attack is from Czech Republic --> CSIRT.CZ the rest... --> DSHIELD (

7 CESNET-CERTS Education: workshops presentation at local conferences education of members of security forces Working group CESNET CSIRT all security topics sharing, cooperation, education feedback for CESNET-CERTS training courses for university students training courses for university employees

8 Course for students University Topics: meeting room CESNET and CESNET-CERTS invitation Law and cybercrime (first presentation) Me anonym? CESNET speakers presentation How to secure workstation The world of Open Source... on-demand > Služby --> Školení pro (nejen) studenty prvních ročníků

9 CESNET-CERTS IH Incident handling and incident response last resort for CESNET2 reports go directly to CESNET2 end networks Environment for effective IH and IR cooperation with in end-networks security incident classification IH and IR work-flow proactive services IDS, SSERV, ORR, UCE transparent administration of AS members of CESNET-CERTS are LIR

10 CESNET-CERTS AS2852: / / / / / / / / / / / / /17

11 CESNET-CERTS AS2852: / / / / / / / / / / / /19 CESNET University of Economics Czech Technical University University of Defence Technical University of Ostrava University of West Bohemia Masaryk University (CSIRT-MU) Palacky University Czech University of Life Scienses Nuclear Research Institute CESNET participants Silesial University /17 CESNET participants

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28 Incident handling Ways and means we use to solve security incidents: AP and AUP :-) positive motivation established cooperation, communication channels existing legislation (as a negotiation motivation) experiences, knowledge of the local environment, contact cooperation with NOC no IH policy no security policy blocking IP address/network filters, QoS

29 Incident handling Why no IH policy? no security policy? Security policy and IH policy designed in members ~= 26 opinions and goals policy should be more severe policy should be softer (frame only) we do not want a policy we want policy, but this one is agains our uni policy we want policy, but...

30 Statistic

31 Statistic

32 Statistic

33 CESNET-CERTS (Inter) national cooperation: Working group E-CRIME Working group CESNET CSIRT Working group IPv6 Working group CSIRT.CZ Security forces of CZ TERENA, TF-CSIRT, TI ENISA EGI

34 CESNET-CERTS Education: workshop presentation at local conferences education of members of security forces Working group CESNET CSIRT all security topics sharing, cooperation, education feedback for CESNET-CERTS workshop for university students workshop for university employees

35 Security forces In the beginning: Who owned IP address a.b.c.d on 12 Apr 2012 between 16:15 20:30? How was the web changed/server hacked...? Who has these informations? Education: How Internet works - IP, domains, services, SI Where are information (about security incidents) logs (network and services) netflows mail headers,...

36 Topics to disscuss (1) How is your LIR policy? all IP assigments are in RIPE DB? do you use IRT objects? all IP assigments covered by IRT object?

37 Topics to disscuss (1) How is your LIR policy? all IP assigments are in RIPE DB? do you use IRT objects? all IP assigments covered by IRT object? CESNET: YES CSIRT-MU only ( /16) CSIRT-MU only ( /16)

38 Topics to disscuss (2) Automated IH? handwork?, (semi) automatic? using OTRS, RT, RTIR? tweaking OTRS, RT, RTIR?

39 Topics to disscuss (2) Automated IH? handwork?, (semi) automatic? using OTRS, RT, RTIR? tweaking OTRS, RT, RTIR? CESNET handwork, OTRS monitors and helps with work-flow OTRS OTRS tweaking a lot :-) data harvesting (IP, type of incident,...) creating report automatically statistics

40 Topics to disscuss (3) For NREN CERT/CSIRT teams: how many official CERT/CSIRT teams are in your constituency? how many security teams are in your constituency? do you organizace some working group for them? how you communicate with them?

41 Topics to disscuss (3) For NREN CERT/CSIRT teams: how many official CERT/CSIRT teams are in your constituency? how many security teams are in your constituency? do you organize some working group for them? how you communicate with them? CESNET 1 = CSIRT-MU presumed 26 Working group CESNET CSIRT WG, WWW, ...

42 Topics to disscuss (4) For NREN CERT/CSIRT teams (related to Security policies ): do you have security policies in you NREN? teams within your constitunency have some duty to NREN CERT/CSIRT?

43 Topics to disscuss (4) For NREN CERT/CSIRT teams (related to Security policies ): do you have security policies in you NREN? teams within your constitunency have some duty to NREN CERT/CSIRT? CESNET AP and AUP No

44 Topics to disscuss (5) Do you provide some IDS? What?

45 Topics to disscuss (6) Do you provide education of users, admins and other staff? How do you provide this education?

46 Topics to disscuss (6) Do you provide education of users, admins and other staff? How do you provide this education? CESNET: YES, Monty Python Workshops in CESNET, workshops in place

47 Topics to disscuss (7) Technical and political - do you have technical resources (technical or administrative = mandate) to block IP or part of the network?

48 Topics to disscuss (7) Technical and political - do you have technical resources (technical or administrative = mandate) to block IP or part of the network? CESNET Yes, we have a AP and AUP :-) No, only establised cooperation with NOC

49 Topics to disscuss (8) How do you communicate with your constituency? ? www? blogs? social network? press? (how) are you succesfull? how do you try to achieve be known and respected?

50 Topics to disscuss (8) How do you communicate with your constituency? ? www? blogs? social network? press? (how) are you succesfull? how do you try to achieve be known and respected? CESNET s, www, personally Working group CESNET CSIRT??????

51 Topics to disscuss (9) LEA do you cooperate with them? do you educate them? some good/bad experiences?

52 ?

53 Czech Republic CESNET-CERTS (academic sector) Created 2003, provided by CESNET CSIRT-MU (academic sector) Created 2008, provided by Masaryk University CZ.NIC-CSIRT (internal) Created 2008, Provided by CZ.NIC ACTIVE24-CSIRT (internal) Created 2012, provided by Active24 CSIRT.CZ (National CSIRT of Czech Republic) Created 2008, Provided by CZ.NIC

54 CSIRT.CZ (National CSIRT) Created in 2007 by CESNET-CERTS Started at 3 rd April 2008 as a last resort team operated by CESNET (CESNET-CERTS) Task of grant Cyber Threads... funded by Ministry of Interior Jun 2008 status listed from TI Dec 2010: CSIRT.CZ declared as National CSIRT of The Czech Rep. by Memorandum between MI and CZ.NIC Jan 2011 transfer to CZ.NIC started Oct 2011 accredited by TI

55 Czech Republic Jan 2007 Ministry of Informatics was canceled Feb 2010 Cyber Security Departement at Ministry of Interior Main tasks: To cooperate with other entities in the area of cyber security in accordance with the law on cyber security; To coordinate activities of other institutions leading towards ensuring cyber security; To coordinate Czech Republic s representation in the area of cyber security at various international conference, including attending international organisations (EU, NATO, etc.) meetings; To ensure Governmental CSIRT operation; To cooperate with independent professional entities in the area of cyber security; To draft Czech Republic s cyber security strategy; To prepare a bill on cyber security.

56 Czech Republic Dec 2010 Memorandum between MI and CZ.NIC about CSIRT.CZ becomes National CSIRT of Czech Republic Oct 2011 the government resolution: established NSA authority for area of cyber security APPROVED the establishment of the National cyber security centre within the structures of the National Security Authority (NSA) IMPOSED to launch a full operation of the National cyber security centre by 31 December 2015, including the governmental point of coordination for the immediate response to computer incidents (governmental CERT - Computer Emergency Response Team). Feb 2012 NSA launched "the cyber security substance matter"