Open Source Incident Management Tool for CSIRTs
Adli Wahid
Head, Malaysia CERT (MyCERT)
CyberSecurity Malaysia (An Agency Under MOSTI)
Securing Our Cyberspace
Copyright © 2008 CyberSecurity Malaysia
Agenda
• About MyCERT
• Where do incidents come from?
• Open Source Incident Handling Tool
• Conclusion
About MyCERT
• CyberSecurity Malaysia
• 1997
• Malaysian Internet Users
• 15 staff
MyCERT’s Services
• Cyber Early Warning Research
• Cyber999
• National CERT & Global Emergency Co-ordination
Possible Services of CSIRT
• Reactive Services (Incident Handling)
• Proactive Activities
• Security Quality Management Services
Where do incidents come from?
• External Parties
• CSIRT
• Internal Parties
Example of Incidents
• Defacement
• Host being used to send spam
• Host connected to a bot command & control
• Scanning activities from your network
• Etc – Internal incidents
SOPs
• Standard Operating Procedures
• Different for different incidents
• Shows workflows and Response Time (SLAs)
Overview of MyCERT Incident Handling Process

Complainant lodges security incident
• Complainant lodges report to MyCERT via phone, fax, SMS and email:
  • cyber999@cybersecurity.org.my or
  • mycert@mycert.org.my
• Analyze the report and verify sufficient information is available to proceed

1st level – resolve issue?
• Provide information and guide complainant in next course of action
• Ensure compliance with service level:
  • Destructive or Criminal* incidents – 24-48 hours
  • Spam/harassment – next working day
• Follow up with complainant until case is closed
• Yes → Close; No → 2nd level

2nd level – resolve issue?
• Analyze artifacts, logs, intelligence gathering, etc.
• Provide solution/advice/recommendation based on analysis conducted
• Yes → Close; No → Cooperate with external parties

Cooperate with external parties (ISP, Vendor, Law Enforcement)
• Cooperation in assisting complainant to lodge official reports with respective law enforcement
• Assist law enforcement & ISPs in gathering and preserving evidence
• Escalate to vendor should assistance be needed in getting the solution or the case is vendor-related
• Feedback to complainant and close the case

Close

* Destructive/Criminal Incidents include: Intrusion, Denial of Service, ...
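The workflow above can be encoded directly in a ticketing tool. The following is an added example (not MyCERT's, OTRS's or any listed tool's code) that models a ticket with the escalation path from the flowchart (1st level, 2nd level, external parties, close) and the two SLA targets on the slide. The category names, the use of the 48-hour upper bound, the 17:00 end-of-business cut-off, the Monday-to-Friday working week and the ticket-id format are assumptions made for the illustration.

```python
# Added example (not MyCERT's, OTRS's or any listed tool's code): a minimal
# ticket model that encodes the escalation path and the two SLA targets from
# the MyCERT process slide. Category names, the 48-hour upper bound, the 17:00
# end-of-business cut-off, the Monday-to-Friday working week and the
# ticket-id format are assumptions made for the illustration.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Category(Enum):
    DESTRUCTIVE_OR_CRIMINAL = "destructive_or_criminal"  # e.g. intrusion, denial of service
    SPAM_OR_HARASSMENT = "spam_or_harassment"


# Escalation path shown on the slide; a ticket may close from any open stage.
STAGES = ("1st level", "2nd level", "external parties", "closed")


def next_working_day(d: datetime) -> datetime:
    """Next Monday-to-Friday day after d (assumed working week)."""
    nxt = d + timedelta(days=1)
    while nxt.weekday() >= 5:  # 5 = Saturday, 6 = Sunday
        nxt += timedelta(days=1)
    return nxt


def sla_deadline(category: Category, lodged_at: datetime) -> datetime:
    """Destructive/criminal: 24-48 h (upper bound used); spam/harassment: next working day."""
    if category is Category.DESTRUCTIVE_OR_CRIMINAL:
        return lodged_at + timedelta(hours=48)
    # Assumption: "next working day" means 17:00 on that day.
    return next_working_day(lodged_at).replace(hour=17, minute=0, second=0, microsecond=0)


@dataclass
class Ticket:
    ticket_id: str          # unique per incident; "MyCERT-2008-000001" is a constructed format
    category: Category
    lodged_at: datetime
    stage_index: int = 0
    history: list = field(default_factory=list)  # (stage, note) audit trail

    @property
    def stage(self) -> str:
        return STAGES[self.stage_index]

    @property
    def deadline(self) -> datetime:
        return sla_deadline(self.category, self.lodged_at)

    def escalate(self, note: str) -> str:
        """The current stage could not resolve the issue: hand over to the next one."""
        if self.stage in ("external parties", "closed"):
            raise ValueError(f"cannot escalate from stage '{self.stage}'")
        self.history.append((self.stage, note))
        self.stage_index += 1
        return self.stage

    def close(self, note: str) -> str:
        """Feedback given to the complainant; the case closes from its current stage."""
        if self.stage == "closed":
            raise ValueError("ticket already closed")
        self.history.append((self.stage, note))
        self.stage_index = STAGES.index("closed")
        return self.stage

    def is_overdue(self, now: datetime) -> bool:
        """True while the ticket is still open past its SLA deadline."""
        return self.stage != "closed" and now > self.deadline


def walk_through(lodged_at: datetime = datetime(2008, 6, 6, 15, 30)) -> Ticket:
    """Constructed scenario: a spam report lodged on a Friday afternoon that
    needs 1st level, 2nd level and ISP cooperation before it is closed."""
    t = Ticket("MyCERT-2008-000001", Category.SPAM_OR_HARASSMENT, lodged_at)
    t.escalate("guidance given; source host still sending")
    t.escalate("headers analysed; originating ISP identified")
    t.close("ISP suspended the sending account; complainant informed")
    return t


if __name__ == "__main__":
    t = walk_through()
    print(t.ticket_id, t.stage, t.deadline.isoformat(), t.history)
```

The audit trail in `history` is what lets a CSIRT show, per ticket, which level handled the case and when it was handed over; `is_overdue` is the check a daily SLA report would run over all open tickets.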
Artefacts Handling
• Logs
• Binaries
• Screenshots
• Etc.
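Artefacts attached to a ticket are also the evidence the process slide asks the CSIRT to gather and preserve for ISPs and law enforcement, so their integrity should be fixed at intake. The following is an added example (not MyCERT's or OTRS's code) of an intake record that stores the SHA-256 digest, size and provenance of each log, binary or screenshot and later re-verifies the stored copy. The record fields, the artefact kinds and the in-memory manifest are assumptions for the illustration.

```python
# Added example (not MyCERT's or OTRS's code): an artefact intake record that
# fixes the SHA-256 digest, size and provenance of each log, binary or
# screenshot when it is attached to a ticket, and re-verifies those values
# later so that any change to the stored copy is detected. The record fields,
# the artefact kinds and the in-memory manifest are assumptions for the illustration.
import hashlib
import tempfile
from dataclasses import dataclass
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

KINDS = {"log", "binary", "screenshot", "other"}  # slide: Logs, Binaries, Screenshots, Etc.


@dataclass(frozen=True)
class ArtefactRecord:
    ticket_id: str
    kind: str
    filename: str
    size: int
    sha256: str
    collected_by: str
    collected_at: str  # ISO 8601 timestamp in UTC


def sha256_of_file(path: Path) -> str:
    """Stream the file so large binaries and logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def register_artefact(path, ticket_id: str, kind: str, collected_by: str,
                      collected_at: Optional[datetime] = None) -> ArtefactRecord:
    """Create the immutable intake record for one artefact file."""
    if kind not in KINDS:
        raise ValueError(f"unknown artefact kind: {kind}")
    p = Path(path)
    ts = (collected_at or datetime.now(timezone.utc)).isoformat()
    return ArtefactRecord(ticket_id, kind, p.name, p.stat().st_size,
                          sha256_of_file(p), collected_by, ts)


def verify_artefacts(records, directory) -> dict:
    """Map filename -> True if the stored copy still matches its intake record."""
    out = {}
    for r in records:
        p = Path(directory) / r.filename
        out[r.filename] = (p.is_file() and p.stat().st_size == r.size
                           and sha256_of_file(p) == r.sha256)
    return out


def demo() -> tuple:
    """Constructed scenario: one log file is registered, verified, then altered."""
    with tempfile.TemporaryDirectory() as d:
        log = Path(d) / "access.log"
        log.write_bytes(b"abc")  # constructed sample content
        rec = register_artefact(log, "MyCERT-2008-000001", "log", "handler-01")
        before = verify_artefacts([rec], d)
        log.write_bytes(b"abcd")  # simulate an altered stored copy
        after = verify_artefacts([rec], d)
    return rec, before, after


if __name__ == "__main__":
    rec, before, after = demo()
    print(rec)
    print("before:", before, "after:", after)
```

In a real deployment the records would live in the ticketing database alongside the ticket, and `verify_artefacts` would run before an artefact is handed to an external party, so that the digest recorded at intake is the one quoted in the hand-over.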
The tool that you need
• Incident Management Tool
Requirements
• Unique ticketing, tracking
• Escalation – more than one user
• Artifacts handling
• Secure communication
• Database of contacts
Open Source Options
• OTRS
• RTIR
• AIRT
Incident Reporting Channel
Reports reach OTRS via:
• Fax
• Email
• Phone
• IDS
• Web
• SMS
• Etc.
OTRS Modules
• Incident tracking module
• Authoring tools for advisories
• Vulnerabilities database
• Artifact database
• Contacts database
• Ticket module
• WebWatcher
• Call module
• IDMEFConsole
Screenshots – OTRS in Action
Conclusion
• People, Process and Technology make up a CSIRT
• You need tools to support incident handling activities
• Choosing the right tool for your work is important
Thank You!
adli@cybersecurity.org.my