Cert adli wahid_iisf2011

Ministry of Science, Technology and Innovation
Computer Emergency Response Team Co-ordination Centre (CERT/CC)

Adli Wahid, VP Cyber Security Response Service and Head of Malaysia CERT, CyberSecurity Malaysia
E: [email protected] T: adliwahid

Upload: directorate-of-information-security-ditjen-aptika

Post on 08-May-2015



Page 2

Agenda

•  Concepts
•  The Case of a CERT/CC
•  MyCERT Case Study
•  Conclusion

Page 3

Incident Response and Handling

•  Incident Response is all of the technical components required in order to analyze and contain an incident.
   –  Required skills, i.e. networking and log analysis, computer forensics, malware reverse engineering
•  Incident Handling is the logistics, communications, coordination, and planning functions needed in order to resolve an incident in a calm and efficient manner.
   –  Goals: protect and restore

Page 4

Objectives of Incident Handling

1.  To mitigate or reduce risks associated with an incident
2.  To respond to all incidents and suspected incidents based on a pre-determined process
3.  Provide unbiased investigations on all incidents
4.  Establish a 24x7 hotline/contact, to enable effective reporting of incidents
5.  Control and contain an incident
    –  Affected systems return to normal operation
    –  Recommend solutions

Page 5

6 Steps Of Incident Handling

[Diagram: a numbered cycle of six steps (1 to 6); only the labels "Preparation" and "Eradication" are legible in the transcript.]

Page 6

CERT/CSIRTs

•  Components
   –  Constituency
   –  Mission
   –  Organization
   –  Funding
   –  Services
   –  Policies and Procedures
•  This requires a TEAM

Page 7

CERTs/CSIRTs Services

Reactive
1.  Incident Response and Handling
2.  Advisories

Proactive
1.  Watch and Warn / Threat Monitoring
2.  Research and Development
3.  Training and Outreach/Awareness
4.  Cyber Security Crisis

Page 8

THE CASE FOR A CERT/CC

Page 9

Good vs Evil

Law Enforcement, Providers, CSIRTs, Sys Admins

VS

Criminals, Spammers, Bot Herders, Phishers

Page 10

Motivation of a National CSIRT

•  Point of contact for incident reporting
   –  National (Trusted) PoC for internal & external reporting
   –  Incident co-ordination (with LEs, other CERTs/CSIRTs)
   –  Collaboration & intel exchange
•  Situational Awareness
•  Improving laws and regulations
•  Provide assistance to Internet users
•  Protection of Critical Infrastructure

Page 11

Different types of Incidents

•  The ‘Usual’ Stuff
   –  Malware
   –  Denial of Service
   –  Online Fraud/Scams
   –  Identity Theft
•  Cyber Crisis
   –  Anonymous Attack
   –  APT / Targeted Attacks
   –  Global Outbreaks

Page 12

Handling Local Banks Phishing Incidents

•  Things to do
   –  Prevent people from visiting the phishing site
      •  Remove / Block
   –  Recover stolen credentials
      •  Email account
      •  Database
   –  Assist victim to make reports
   –  Co-ordinate with bank and law enforcement
   –  Detect phishing sites faster
•  Do it yourself or get others to feed you
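The "detect phishing sites faster" and "remove / block" steps above are usually fed by a triage script that screens reported URLs against the domains of the banks a CERT protects. The block below is an added example written for this page; it is not code from the slides, from MyCERT or from CyberSecurity Malaysia. The protected bank domains, the reported URLs and the `GENERIC_SECOND_LEVEL` shortcut (used instead of a real public-suffix list) are all constructed assumptions. It flags three kinds of imitation (brand name inside a host under a different registrable domain, a typo-squatted registrable domain, and the brand name appearing only in the path) and emits the unique host names a blocking or takedown request would be raised for.

```python
"""Triage helper for reported bank-phishing URLs (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed watch-list of protected bank domains (hypothetical names).
PROTECTED_DOMAINS = ["examplebank.com.my", "secondbank.my"]

# Assumption: no public-suffix list; under these second-level labels the
# registrable domain is taken to be three labels long (e.g. examplebank.com.my).
GENERIC_SECOND_LEVEL = {"com", "net", "org", "co", "gov", "edu"}

# Constructed sample of reports, as a feed or an in-house crawler might deliver them.
SAMPLE_REPORTS = [
    "http://examplebank.com.my.login-verify.example/secure/",
    "https://exarnplebank.com.my/",
    "https://online.examplebank.com.my/login",
    "http://198.51.100.7/examplebank/update.php",
    "http://news.example.org/",
]


def registrable_domain(host):
    """Crude registrable-domain extraction: 'online.examplebank.com.my' -> 'examplebank.com.my'."""
    labels = host.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in GENERIC_SECOND_LEVEL:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squatted brand labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url):
    """Return (verdict, brand) for one reported URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reg = registrable_domain(host)
    for protected in PROTECTED_DOMAINS:
        brand = protected.split(".")[0]
        if reg == protected:
            return ("legitimate", brand)          # genuine bank host, not a phish
        if brand in host:
            return ("brand_in_hostname", brand)   # brand used as a decoy label
        if edit_distance(reg.split(".")[0], brand) <= 2:
            return ("lookalike_domain", brand)    # typo-squat of the brand label
        if brand in parts.path.lower():
            return ("brand_in_path", brand)       # e.g. IP host with brand in the path
    return ("no_match", None)


def triage(reports):
    """Classify every report and keep only the ones that imitate a protected brand."""
    flagged = []
    for url in reports:
        verdict, brand = classify(url)
        if verdict not in ("legitimate", "no_match"):
            flagged.append((url, verdict, brand))
    return flagged


def blocklist(reports):
    """Unique host names to hand to the 'Remove / Block' step, sorted for stable diffing."""
    return sorted({urlsplit(url).hostname for url, _, _ in triage(reports)})


if __name__ == "__main__":
    for url, verdict, brand in triage(SAMPLE_REPORTS):
        print(f"{verdict:18} {brand:12} {url}")
    print("block:", blocklist(SAMPLE_REPORTS))
```

The legitimate-domain check runs first so that the bank's own subdomains (the `online.examplebank.com.my` sample) are never queued for blocking; a real deployment would replace `GENERIC_SECOND_LEVEL` with a public-suffix list and feed `blocklist()` into whatever takedown or DNS-block workflow the constituency uses.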

Page 13

Issues & Challenges

•  Mandate & Constituencies
   –  Who should ‘report’ to ‘whom’
   –  Who should handle what
•  End-to-End Resolution
   –  "I have reported the incident; can we catch the bad guy? Can I have my money back?"
   –  One stop centre

Page 14

MYCERT

Page 15

Incident Handling / Cyber999
Malware Research Centre
Co-ordination Centre

Page 16

•  MyCERT was established in 1997; deals mostly with technical teams, CSIRTs, LEs
•  Cyber999 launched in 2008, allows everyone to report to MyCERT
•  A lot of incidents were affecting Internet users at large
   –  Phishing, Malware (botnets), Online Fraud, Harassment
•  Cyber999 provides a one stop centre for incident reporting

Page 17

Page 18

•  Launched in 2009
•  Previously a ‘watch and warn’ or ‘early warning function’
•  Specializes in malware analysis / tracking
•  Activities
   –  Operates the distributed honeynet project
   –  Produce tools / services
   –  Execute the national cyber security exercise
   –  Issues advisories and alerts, special reports

Page 19

Tools from our Lab

•  DNSWatch
•  MYPHPIPS

http://www.mycert.org.my/en/resources/security_tools/main/main/detail/768/index.html

Page 20

National Cyber Crisis Exercise (X-Maya)

•  Led by the National Security Council since 2008
•  Improve readiness and situational awareness among CNII agencies
   –  National Threat Level
   –  Reporting structure in a crisis
•  CyberSecurity Malaysia / MyCERT provide simulation of the cyber security incidents for the players

Page 21

Conclusion

•  Central co-ordination point is critical
•  Helps drive other national level initiatives, i.e. awareness, training, critical infrastructure protection, certification programmes
•  Working together is the best way forward

Page 22

Questions

•  CyberSecurity Malaysia: http://www.cybersecurity.my
•  MyCERT: http://www.mycert.org.my
•  Email: [email protected]
•  Twitter: adliwahid