CERT Incident Handling Introduction
Adli Wahid, adli@apnic.net, @adliwahid

About Me
• Adli Wahid
  – Twitter: @adliwahid
  – LinkedIn: Adli Wahid
  – Blog: http://blog.apnic.net
• Security Specialist @ APNIC
  – www.apnic.net/security
• Board Member of FIRST.org
  – Outreach, Workshop & Training
• Previous Background
  – Head of Malaysia CERT (MyCERT)
  – Bank of Tokyo MUFG CERT

What we are going to Cover
• All about CERT
• Sharing of experience & Lessons Learned
• Topics
  – Brief Cyber Security Introduction
  – Organization
  – Operational
  – Technical (A little Bit)

Plan
• Class Introduction
• Introductions – APNIC & FIRST
• Quick Cyber Security
• CERT / CSIRT Organization (Transit / Terena)
• CSIRT Operation (FIRST Module)
• Activities
  – Incident Handling Lab
  – PGP Key Signing (?)

Outcomes
• Practical Understanding
  – Better Understanding of Setting Up
  – Running a CERT / CSIRT

Enhancing Security Incident Response Capabilities in the Asia Pacific Region

Agenda
1. About APNIC
2. Enhancing Incident Response Capabilities
3. Recent and Future activities

About APNIC

What is APNIC?
• Regional Internet Registry (RIR) for the Asia Pacific region
  – Comprises 56 economies
• Secretariat located in Brisbane, Australia
  – Currently employs around 70 staff
• Not-for-profit, membership-based organization
• Governed by the Executive Council (EC), who are elected by the Members

APNIC’s Vision: A global, open, stable, and secure Internet that serves the entire Asia Pacific community.

How we achieve this:
• Serving Members
• Supporting the Asia Pacific Region
• Collaborating with the Internet Community

Enhancing Incident Response Capabilities in the AP Region

Responding to Security Incidents
[Diagram: layers of the response ecosystem]
• National Cyber Security Agency
• National CERT / CSIRTs
• Enterprise CERTs / CSIRTs = Critical Infrastructure, Network Providers, Hosting, Cloud, Government, Financial Services, SMEs
• End-Users

Network Operators / Service Providers
• A key player in the Incident Response process
• Availability is important
  – Critical Infrastructure (Internet Exchange)
  – Increasingly becoming a target
• Need to be aware of the (changing) threat landscape
  – Help increase resilience of the infrastructure by applying best practices
  – Provide timely assistance & mitigation
  – Emerging Trends - IoT
  – CERT/CSIRT of the last resort
• Network Operators Groups (NOGs)
  – Local & Regional NOGs
  – APRICOT & APNIC Conference

Network Operators – Incident Response Relationship
• Inter-dependent entities: Security Response Community, Law Enforcement, Network Operator, End-Users / Customers
• Expectations
  – Resources are not mis-used or abused
  – Fast ‘take-downs’ or response
  – Share information (logs, billing etc.)
  – Communicate with Users / Technical support
  – 24x7x365
• Most of the time, at the receiving end

Incident Response Capabilities
• Managing Security Incidents
  – Reduce Impact of Security Incidents
  – Prevent Security Incidents from Occurring
  – Fixing actual vulnerabilities
  – Gain insights about emerging threats or incidents (ISACs, Threat Intel Feeds)
  – Collaborate with other stakeholders (i.e. investigation, policy/strategy)
• Managing Security Incident Response Teams
  – Establishing CSIRT
  – Operationalizing CSIRT
  – Having the right skill-sets, knowledge and tools
  – Being part of the community
  – Mentoring

APNIC’s Approach
• Capacity development
  – Internet Infrastructure
  – Cyber Security*
• Strategic Partnership
  – Various Stakeholders
  – Regional & Global
  – Shared Goals

Security Outreach
[Map slide: promoting security best practices in the APNIC community]
• NOGs, CSIRTs and LEA events: PK, CN, HK, KR, JP, PH, SG, MY, ID, AU, TW (Adli Wahid)
• Collaboration with JICA and KISA to deliver regional CERT training
• Geoff Huston, member of ICANN SSAC
• Adli Wahid, member of FIRST Board
• MoU with APCERT (Craig Ng)
• Interpol Global Cyber Crime Group
• www.apnic.net/security

CSIRT Best Practice Forum
• IGF 2014 & 2015 – Best Practice Forum on Establishing and Supporting Computer Security Incident Response Teams (CSIRT) for Internet Security
• Multi-stakeholder approach
• Addresses key concerns of establishing & setting up a CSIRT
  – Key Success Factors
  – Costs & Capacity Building
  – Stakeholder Engagement
  – Opportunities & Challenges
• Call for Comments
  – http://intgovforum.org/cms/best-practice-forums/2establishing-and-supporting-csirts

Upcoming Activities
• Support for regional activities
  – FIRST & IDSIRTII TC (October)
  – FIRST & KRCERT/CC TC (November)
  – Interpol Global Cyber Crime Meeting (December)
  – APRICOT 2016 in Auckland (February)
• E-Learning & Training
  – https://training.apnic.net
• Follow us for the latest updates
  – Blog https://blog.apnic.net
  – Twitter @apnic

Resource Public Key Infrastructure (RPKI)
• RPKI presentations to NOGs and conferences
• ‘Ready to ROA’ Campaign – hands-on sessions to help Members create ROAs (www.apnic.net/roa)
• 10 face-to-face and eLearning RPKI training courses delivered
  – Offline simulation of production system
  – Create and revoke ROAs, observe changes to routing state in lab
• Shirts, stickers, web content to promote campaign
• Regional RPKI adoption has more than doubled in past year - 0.82% to 1.92% and rising

Internet Operational Research Grants
• New fund supporting the Internet research community in the Asia Pacific
• Research aiming to improve availability, reliability, and security of the Internet in the Asia Pacific
  – Network measurement and analysis
  – IPv6 deployment
  – BGP Routing
  – Network Security

Conclusion
• Capacity Development is fundamental & critical
• Approach must be flexible and scalable
• Plenty of Challenges & Opportunities
• Let’s Collaborate!

Questions?

Introduction To FIRST
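The RPKI slide above mentions a lab in which Members create and revoke ROAs and observe how the routing state changes. The following is an added example, not material from the deck or APNIC's own lab environment: a from-scratch Route Origin Validation (ROV) check in the style of RFC 6811 that classifies BGP announcements as valid, invalid or not-found against a set of ROAs, and a `lab_scenario()` function that replays the three lab steps (no ROA, ROA created, ROA revoked). All prefixes and AS numbers are constructed from documentation and private ranges; the `ROA`, `validate_route` and `lab_scenario` names are this example's own.

```python
"""Route Origin Validation (ROV) walk-through.

Added example: shows what creating and revoking a ROA does to the validity
state of BGP announcements. Prefixes and AS numbers below are constructed
(documentation prefix 203.0.113.0/24, private ASNs 64500/64511).
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization (hypothetical structure for this example):
    origin_asn may originate any prefix inside `prefix` whose length does
    not exceed `max_length`."""
    prefix: str
    max_length: int
    origin_asn: int


def validate_route(prefix: str, origin_asn: int, roas) -> str:
    """Classify one announcement per RFC 6811.

    not-found : no ROA covers the announced prefix
    valid     : a covering ROA matches the origin AS and the prefix length
                is within the ROA's maxLength
    invalid   : covered by at least one ROA, but none matches
    """
    net = ipaddress.ip_network(prefix, strict=False)
    covering = []
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # subnet_of() raises on mixed IPv4/IPv6, so compare versions first.
        if roa_net.version == net.version and net.subnet_of(roa_net):
            covering.append(roa)
    if not covering:
        return "not-found"
    for roa in covering:
        if roa.origin_asn == origin_asn and net.prefixlen <= roa.max_length:
            return "valid"
    # Covered, but either the origin AS or the prefix length is unauthorised.
    # An AS0 ROA falls out naturally: no real origin ever matches AS 0.
    return "invalid"


def validate_table(announcements, roas):
    """Validate a list of (prefix, origin_asn) announcements at once."""
    return {(p, asn): validate_route(p, asn, roas) for p, asn in announcements}


def lab_scenario():
    """Replay the lab steps: before any ROA, after creating one, after revoking it."""
    announcements = [
        ("203.0.113.0/24", 64500),    # constructed: legitimate resource holder
        ("203.0.113.0/24", 64511),    # constructed: mis-origination by another AS
        ("203.0.113.128/25", 64500),  # constructed: holder announcing a more-specific
    ]
    roas = set()
    states = {"before": validate_table(announcements, roas)}

    # Step 1: the holder publishes a ROA for the /24 with maxLength 24.
    roa = ROA("203.0.113.0/24", 24, 64500)
    roas.add(roa)
    states["after_create"] = validate_table(announcements, roas)

    # Step 2: the ROA is revoked; routes fall back to not-found.
    roas.discard(roa)
    states["after_revoke"] = validate_table(announcements, roas)
    return states


if __name__ == "__main__":
    for step, table in lab_scenario().items():
        print(step)
        for (prefix, asn), state in table.items():
            print(f"  {prefix:<18} AS{asn:<6} {state}")
```

Note that the more-specific /25 from the legitimate holder becomes invalid once the ROA exists, because its length exceeds maxLength 24; this is the classic operator mistake the hands-on sessions are meant to surface before a ROA is published in production. Revoking the ROA returns every announcement, including the mis-origination, to not-found, which is why publishing a ROA is only useful while it is kept accurate.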