Building CSIRT Capabilities

Building Global CSIRT Capabilities
Barbara Laswell, Ph.D.
September 2003
CERT® Centers
Software Engineering Institute
Carnegie Mellon
Pittsburgh, PA 15213
Sponsored by the U.S. Department of Defense
2003 Carnegie Mellon University
CERT Coordination Center
The CERT/CC was established in 1988 with a mission to:
• respond to security emergencies on the Internet,
• serve as a focal point for reporting and facilitating the corrections to security vulnerabilities,
• analyze security-related data to develop and disseminate countermeasures and prevention techniques,
• serve as a model to help others establish incident response teams,
• raise awareness and understanding of security trends and issues
Growth in Number of Incidents Reported to the CERT/CC (chart)
Growth in Number of Vulnerabilities Reported to the CERT/CC (chart)
Growth in CSIRTs (chart)
Response Teams Around the World (map)
Impact on CSIRTs
Today’s dynamic environment means less time for CSIRTs to react.
Therefore, teams require
• a method for quick notification
• established and understood policies and procedures
• automation of incident handling tasks
• methods to collaborate and share information with others
• an easy and efficient way to sort through all incoming information
Current Situation
Many organizations do not have a formalized incident response capability.
There is a shortage of effective CSIRTs and trained staff to respond to current and emerging computer security threats.
A growing number of organizations are
• being mandated or required by laws/regulations to have an incident response plan in place
• proactively seeking to implement a CSIRT as a part of their information security program.
Stages of CSIRT Development
Stage 1: Educating the organization
Stage 2: Planning effort
Stage 3: Initial implementation
Stage 4: Operational phase
Stage 5: Peer collaboration
(Figure: progression from Novice to Expert through the five stages: Education, Planning, Implementation, Operation, Collaboration)
General Categories of CSIRTs
Internal CSIRT
• Educational
• Governmental
• Commercial
Coordination Centers
• Country
• State
• Region
Analysis Centers
Vendor
Incident Response Provider
CSIRT Organization Examples
CERT Coordination Center (CERT/CC): http://www.cert.org/
Forum of Incident Response and Security Teams (FIRST): http://www.first.org/
Department of Defense CERT (DOD-CERT): http://www.cert.mil/
German Research Network CERT (DFN-CERT): http://www.cert.dfn.de/
Federal Computer Incident Response Center (FedCIRC): http://www.fedcirc.gov/
Australian Computer Emergency Response Team (AusCERT): http://www.auscert.org.au/
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC): http://www.jpcert.or.jp/
IBM Business Continuity and Recovery Services (IBM-ERS): http://www.ers.ibm.com/ and http://www-1.ibm.com/services/continuity/recover1.nsf/mss/incident+management
CSIRT Collaborations
FIRST: http://www.first.org/team-info/
European CSIRT Directory: http://www.ti.terena.nl/teams/index.html
Asia Pacific: http://www.singcert.org.sg/apsirc/
Range of CSIRT Services
Mandatory Services:
• Incident Handling
Common CSIRT Services:
• Alerts and Announcements
• Vulnerability Analysis and Response
• Artifact Analysis
• Education and Training
• Incident Tracing
• Intrusion Detection
• Auditing and Penetration Testing
• Security Consulting
• Risk Analysis
• Security Product Development
• Collaboration
• Coordination
Information Flow (diagram)
What is Reported? (chart)
Incident Handling Life Cycle
(Figure: intake channels Email, Hotline/Phone, IDS and Other feed Triage; triage sorts input into Incident Report, Vulnerability Report and Information Request; subsequent activities are Analyze, Obtain Contact Information, Coordinate Information and Response, and Provide Technical Assistance)
CSIRT Related Projects
State of the Practice of CSIRTs
IETF Incident Handling Working Group (INCH WG) and Intrusion Detection Working Group (IDWG)
Automated Incident Reporting (AirCERT)
Incident Detection, Analysis, and Response (IDAR) Project
Clearing House for Incident Handling Tools (CHIHT)
Common Advisory Interchange Format (CAIF)
Best Practices Documents
Current CSIRT Discussion Topics
Legal issues and impacts
Automation and standardization of CSIRT tools
Data sharing and collaboration
Certification for incident handlers and teams
• http://www.cert.org/certification/
Regionalization efforts
Visit www.cert.org/csirts/
Publications and links to resources to help you create and manage your CSIRT
Creating a Computer Security Incident Response Team: A Process for Getting Started
Creating a Financial Institution CSIRT: A Case Study
The Handbook for Computer Security Incident Response Teams (CSIRTs) (pdf)
CSIRT Services
CSIRT Frequently Asked Questions
Responding to Intrusions
Expectations for Computer Security Incident Response (RFC 2350)
Forming an Incident Response Team (AusCERT Publication)
Avoiding the Trial-by-Fire Approach to Security Incidents
NIST: Computer Systems Laboratory Bulletin
NIST: Establishing a Computer Security Incident Response Capability
For More Information
CERT® Centers
Software Engineering Institute
Carnegie Mellon University
Pittsburgh, PA 15213 USA
+1 (412) 268-7090
http://www.cert.org/training
http://www.cert.org/csirts/