Evolution of CSIRTs: how to engage Critical Infrastructures and cooperate beyond borders

Giza, 19th December 2011
In recent years the number, type and impact of security incidents have been increasing.

Security Incident timeline
• Titan Rain: a series of coordinated attacks on US army, navy and missile unit systems
• 2007: Internet distributed denial of service attack; 6 of the 13 root servers that form the foundation of the Internet were affected, two badly
• 2007: a series of cyber attacks that swamped the websites of the Estonian parliament, banks, ministries, newspapers and broadcasters
• 7/2009: a series of coordinated cyber attacks against major government, media and financial websites in South Korea and the USA
• 2008-2010: the Stuxnet worm infected 100,000 industrial control systems with a worldwide geographic distribution
• 2009-2010: Operation Aurora, a sophisticated and targeted attack against international organizations
• 2/2011: cyber-attack hits Canadian government computers
• 4-6/2011: major videogame companies under attack
• 3-9/2011: main SSL certificate violated
• 11/2011: massive DNS cache poisoning attack that affected millions of users in Brazil
Relevant CERTs were born to prevent and respond to incidents…
European CERTs Map 2011
…they extended their services from being only a reaction force to a more complete security service provider, including preventive and quality services…
CERT Services

Reactive Services
• Alerts and warnings
• Incident Handling
• Incident Analysis
• Incident Response Support
• Incident Response Coordination
• Incident Response on site
• Vulnerability Handling
• Vulnerability Analysis
• Vulnerability Response
• Vulnerability Response Coordination

Proactive Services
• Announcements
• Technology Watch
• Security Audits or Assessments
• Configuration and Maintenance of Security
• Development of Security Tools
• Intrusion Detection Services
• Security-Related Information Dissemination

Artifact Handling
• Artifact Analysis
• Artifact Response
• Artifact Response Coordination

Security Quality Management
• Risk Analysis
• Business Continuity and Disaster Recovery
• Security Consulting
• Awareness Building
• Education/Training
• Product Evaluation or Certification
…and at national, regional and international level CERT cooperation initiatives have been started, but none dedicated solely to the national private sector.

Main cooperation initiatives

National initiatives
• CIRCA: national forum of cooperation between the public and private sector
• UKCERTS: the British UKCERTs alliance is an informal forum of CERTs from different sectors
• O-IRT-o: the Dutch o-IRT-o initiative associates CERT teams, including 31 organizations from the public and private sector
• CERT-Verbund: the initiative associates German security and incident response teams from various sectors
• Polish Abuse Forum: the Abuse Forum assembles a group of CERTs and security teams of Polish ISPs and ICPs (Incident Content Providers)

Regional/international initiatives
• APCERT: a CERT coalition that ensures network security and incident response activities in the Asia Pacific region
• NORDUnet CERT: assembles Scandinavian CERTs within NORDUnet (cooperation of Nordic national research networks)
• CEENet: Central and Eastern European Association comprising 23 national research/education networks
• EGC: a group of CERTs with governmental constituencies and national responsibilities in their countries
• FIRST: the biggest international forum of CERTs and other security teams
• TERENA TF-CSIRT: a task force organised under TERENA
Indeed, today CERTs still lack engagement, services, investment, mutual aid and coordination.

CERTs improvement needs

As is:
• No engagement
• No involvement in Incident Response
• Lack of coordination at the international level
• Only one-way services
• Lack of information sharing
• Lack of mutual aid
• No shared incident management policies and procedures
• No shared incident management strategies and framework

To be:
• Engagement
• Involvement in Incident Response
• Coordination at the international level
• Inter-sector and intra-sector cooperation
• Two-way services
• Information sharing and shared situational awareness
• Incident management mutual aid
• Shared incident management policies and procedures
• Shared incident management framework
Responding to these issues, and in accordance with the common points of national strategies, GCSEC intends to create a Cyber Incident Response Coordination Capabilities (CIRC2) involving the private sector.

Common key points and recommendations of national cyber security strategies

Relevant sectors to involve in the first stage:
• Energy company
• Finance company
• Transportation company
• Telco company
The objectives of CIRC2 are information sharing, mutual aid, definition of shared policies/procedures, contribution to the regulatory framework and private-sector cooperation.

CIRC2 Objectives
• Information sharing on threats, vulnerabilities, warnings, alerts, methodologies and tools for incident management
• Definition of shared incident management policies and procedures
• Mutual aid to directly enforce the CIRC2 members' incident response capabilities
• Contribution to the definition of national and international regulatory and policy frameworks
• Representation in the international context and facilitation of coordination between public and private stakeholders
Only in the second stage could CIRC2 be transformed into an effective Incident Response Joint Team of the Private Sector.

Incident Response Joint Team (Private Sector)
• Public National Italian Response Team
• IRT Energy company
• IRT Finance company
• IRT Transportation company

During the second stage of the project, a capability assessment of each IRT will be performed by GCSEC in order to align them to best practice.

Comments: to become an effective IR Joint Team, the IR Capability should take several actions, such as:
• establish the legal form of the organization (e.g. consortium)
• define the mission and the range and level of services that the IRT will offer (e.g. proactive or reactive services)
• define a funding model
• identify an organizational model
• define interactions/interfaces
• define incident response processes
• implement secure information systems and network infrastructures
• identify required resources
CIRC2 is based on a model composed of organization, processes and tools.

CIRC2 Model
• Organization
• Processes
• Tools

The model includes strategies, legal and administrative framework, organizational model and policies…

Organization main aspects (illustrative)

Strategies
• Mission, vision, goals, objectives, constraints
• Participation strategy (members and other national stakeholders) and minimum capability level
• Risk management strategies
• Trust model
• …

Legal & admin framework
• Legal entity
• Funding model
• Non-disclosure agreements (NDAs)
• Mutual Aid and Assistance Agreement
• …

Organization model
• Organizational model and structure
• Reporting structure, authority
• Roles and responsibilities
• Staff
• …

Policies
• Information sharing policy
• Incident classification and communication policy
• Trust communication policy
• Resource management policies
• Incident handling guidelines
• Risk management policy
• Interoperability policy
• …
… management processes of CIRC2 …

Processes main aspects (illustrative)
• Information sharing process
• Mutual aid and assistance process
• Communication and coordination process
• Risk management process
• Incident reporting process
• Incident classification process
• Incident coordinated response process
• Performance measurement process
• Shared resources (personnel, equipment, facilities, supplies and other) management process
• Escalation process
• Emergency management process
• Post-incident evaluation process
• Lessons learned and improvement process
• Incident management exercise process
• …
…all tools needed for cooperation, information sharing and incident management.

Tools main aspects (illustrative)
• Information sharing platform
• Technological instruments to support trust
• Early warning system
• Instruments for secure communications
• Incident forensics tools
• Other tools
Each member will draw benefits from participation in CIRC2.

CIRC2 member benefits
• Some processes (e.g. forensics and post-incident analysis) run more effectively and efficiently than if each member had implemented them individually
• Information, knowledge and information sharing
• Better incident response through mutual aid and assistance
• Incident exercises and awareness building across the private sector
• Shared technologies and a common automated platform for security vulnerability identification and communication, alerts and warnings
• Cost reduction
• Resource sharing and staff exchange
Other organizations/governments can benefit from the CIRC2 project.

How to participate
• Be informed on CIRC2 development
• Support requirements definition
• Join the pilot project