EG-CERT Egyptian Computer Emergency Team
EG-CERT
Vision and Mission
Problem Statement
• According to HSBC, by 2050 several African countries will be part of the top 50 world economies.
• But consider that such rapid growth could create favorable conditions for the development of cybercrime.
• Malware infections in Africa are higher than the worldwide average.
Problem Statement
• According to BSA's (Business Software Alliance) 2011 study on software piracy, the average in the region is around 73%, a figure that could also explain the high level of penetration of malware agents in the region.
• The main "cyber problem" of Egypt seems to be cybercrime; in 2010 the country was named by Kaspersky Labs as one of the top sources of password-stealing Trojans.
• The year before, Egyptian hackers were involved in one of the world's largest cyber-crime criminal court cases.
Problem Statement
• The security firm Websense has recently confirmed Egypt as third among countries hosting phishing fraud.
• The establishment in each country of a Computer Emergency Response Team (CERT) is fundamental.
EG-CERT
• Established in April 2009 under the Egyptian National Telecom Regulatory Authority (NTRA).
• 24/7 Monitoring & Incident Response established in July 2009.
• Forensics Analysis Service established in September 2009.
• Malware Analysis & Reverse Engineering established in April 2011.
• Full member in FIRST (Forum for Incident Response and Security Teams) in March 2012.
EG-CERT Vision
• EG-CERT is charged with providing computer and information security incident response support, defending against cyber attacks, and collaborating with government, financial entities and any other critical information infrastructure sectors.
EG-CERT Mission
• Enhancing the security of Egypt's Communications and Information Infrastructure through proactive action, gathering and analyzing information on security incidents, coordination and mediation between the interested parties in solving security incidents, and international cooperation with other CERTs.
EG-CERT Scope
• Critical Information Infrastructure Protection:
1- Telecom Sector.
2- Governmental Sector.
3- Financial Sector.
4- Media Sector.
EG-CERT Services
1. Reactive Services
Incident Response – Coordination – Support on site
2. Proactive Services
Vulnerability Scanning – Penetration Testing
3. Forensics Services
Evidence handling & analysis – Reporting
4. Malware Analysis
Malicious Software Collection – Malware Analysis – Reverse Engineering
EG-CERT Training
• SANS Security Training and Certification
1. 401 SANS Security Essentials Bootcamp Style
2. 502 Perimeter Protection In-Depth
3. 504 Hacker Techniques, Exploits and Incident Handling
4. 508 Computer Forensics, Investigation and Response
5. 542 Web App Penetration Testing and Ethical Hacking
6. 617 Wireless Ethical Hacking, Penetration Testing and Defences
7. 610 Reverse Engineering Malware
• MyCERT Training
• BlackHat Training.
• CSI (Crime Scene Investigation) Training.
• IMPACT Training.
EG-CERT Incident Handling
Feeds
• Currently all the analysis is done on the international feeds.
• The standard is to get both international and local feeds.
• National feeds depend on two resources: the CII Sensor Network and the honeynet project distributed on the internet gates.
Incidents From 1/4/2009 to 30/6/2012
Incident type                    No of cases
Web site defacement              789
Malware URLs                      85
Phishing                          80
Spamdexing                        55
Online Web shells                  6
DDOS                              25
Authentication bypass             15
SQL Injection                     40
Abusive content                   11
Mass web site defacement          10
Remote File Inclusion (RFI)        2
EG-CERT Incident Handling
Penetration Testing & Vulnerability Assessment
Financial Sector Assessment
• Central Bank of Egypt Assessment.
• Egyptian Banks Assessment (26 banks).
• Egyptian Exchange Assessment.
EG-CERT Forensics
EG-CERT has been involved in solving many cases, including:
• Credit card theft
• Fraud
• Network intrusion
• Analysis of digital evidence involved in physical criminal activity.
EG-CERT Forensics
EG-CERT has contributed to the investigation of one of the largest phishing cases (Phish Phry) by providing forensics analysis (a report of over 400 pages; 1600 working hours by 12 specialists).
EG-CERT Reverse Engineering and Malware Research Department
Honeynet Project
Malware Analysis and Reverse Engineering
Honeynet Project
• Exploration of the best practices to design, test, analyze, and implement a honeynet.
• Design and deploy a honeynet on the Egyptian networks to carry out experiments and evaluate their performance.
• Build local expertise and a knowledge base in installing, integrating, and developing honeynets in Egypt.
Honeynet Project
• The Honeynet project is currently being deployed on a Virtual Server.
• The following is the topology of the Virtual Honeynet.
Honeynet Project Topology
(Figure: topology diagram of the Virtual Honeynet; the image is not reproduced in the text.)
Early Warning Systems
• Composed of two parts:
1. CII Sensors.
2. Honeynet Project (Dionaea, Nepenthes, Snort, Malware Sandbox, etc.)
• The CII Sensors as well as the Honeynet Project depend on open source software and cover the critical infrastructure (a lot of effort and a detailed plan are required for the implementation during the next 6 months, after preparing the required H/W).
Malware Analysis and Reverse Engineering Objectives
• To improve Incident Response and Forensics skills.
• To help incident responders assess the severity and repercussions of a situation that involves malicious software.
• To assist in determining how to contain the incident and plan recovery steps.
• To understand key characteristics of malware present on compromised systems.
Malware Sandbox
• Hacked websites, fake media players, malicious Office documents and social engineering are all part of the Internet threat landscape today.
• A sandbox gives researchers the ability to rapidly analyze the behavior of malware - including Trojans, infected Office documents, malicious URLs and more - by executing the code inside a controlled environment.
• Number of attacks per day
• Number of hits per port
Services
CII Sensor Network plus the Honeynet Project can provide:
1. Malicious software collection.
2. Malware analysis.
3. Reverse engineering.
4. SQL Injection detection.
5. Geographical, IP-based mapping of the attack sources.
6. Detection of phishing attacks.
Benefits
• National feeds can be correlated with international feeds.
• Ability to run without international feeds, which come from different organizations that are not 100% trusted for continuity.
The risk of online infection around the world
All of the statistics reported here are based on data collected by the Kaspersky Security Network and its security modules. Source: http://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012#16
Local Threats
• Maximum level of local infection (over 60%): 23 Asian countries (India, Vietnam, Mongolia etc.), Middle East countries (Iran, Iraq) and parts of Africa (Sudan, Angola, Nigeria, Cameroon).
• High level of local infection (41-60%): 49 countries, including Egypt, Kazakhstan, Russia, Ecuador and Brazil.
Local Threats
• Moderate level of local infection (21-40%): 41 countries including Turkey, Mexico, Israel, Latvia, Portugal, Italy, the US, Australia and France.
• Lowest level of local infection (20% or less): 18 countries including Canada, New Zealand, Puerto Rico, 13 European countries (including Norway, Finland, the Netherlands, Ireland, Germany, Estonia) plus Japan and Hong Kong.
All of the statistics reported here are based on data collected by the Kaspersky Security Network and its security modules. Source: http://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012#16
Threats (Malware Activities)
Flame Malware:
• Kaspersky Lab researchers say it "might be the most sophisticated cyber weapon yet unleashed."
• Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on.
• Later, the operators can choose to upload further modules, which expand Flame’s functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.
Flame Top 7 affected countries
The previous figure shows Egypt as one of the top 10 countries infected with Flame malware.
What has EG-CERT done so far?
• After we learned about the attack and that Egypt is among the attacked countries, we successfully got a sample of the malware for further analysis, and we were also following all the analysis by other parties.
Based on the current information:
• We released a remover tool for the malware that can be downloaded from our web site.
• We developed a signature-based malware scanner which scans the system directory and supports management and logging by a centralized server.
What has EG-CERT done so far?
• Contacted all ISPs and provided them with all C&C domains that the malware uses, in order to help identify infected IP addresses in Egypt.
• Tedata offered two solutions:
a- Blocking Flame C&C domains.
b- Forwarding all traffic going to Flame C&C domains to a machine at EG-CERT, in order to identify the infected machines.
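The second solution is a sinkhole: once the ISP forwards traffic destined for the C&C domains to a defender-controlled machine, every request that arrives there carries the source IP of an infected host. The following is an added example, not EG-CERT's own tooling: it parses constructed sinkhole web-server log lines (combined log format with the requested Host header appended) and aggregates them per source IP. The domains are placeholders, not the real C&C list.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholders standing in for the C&C domain list shared with the ISPs.
SINKHOLED_DOMAINS = {"cnc-placeholder-1.example", "cnc-placeholder-2.example"}

# Combined log format with the requested Host header appended in quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<host>[^"]*)"$'
)

def is_sinkholed(host):
    """True if host is a sinkholed domain or one of its subdomains."""
    host = host.lower().rstrip(".").split(":")[0]  # drop trailing dot and port
    return any(host == d or host.endswith("." + d) for d in SINKHOLED_DOMAINS)

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def infected_hosts(lines):
    """Map each source IP to a summary of its contacts with sinkholed domains.
    Malformed lines and requests for non-sinkholed hosts (scanner noise) are skipped."""
    report = defaultdict(lambda: {"hits": 0, "domains": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_sinkholed(rec["host"]):
            continue
        e = report[rec["ip"]]
        e["hits"] += 1
        e["domains"].add(rec["host"].lower())
        e["first"] = min(filter(None, [e["first"], rec["ts"]]))
        e["last"] = max(filter(None, [e["last"], rec["ts"]]))
    return dict(report)

# Constructed sample log: two infected hosts, one scanner hitting the sinkhole IP directly.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Jun/2012:09:15:02 +0200] "GET /cgi-bin/beacon HTTP/1.1" 200 512 "cnc-placeholder-1.example"',
    '203.0.113.10 - - [10/Jun/2012:09:45:11 +0200] "POST /upload HTTP/1.1" 200 17 "cnc-placeholder-1.example"',
    '198.51.100.7 - - [10/Jun/2012:10:02:40 +0200] "GET / HTTP/1.1" 200 512 "update.cnc-placeholder-2.example"',
    '192.0.2.55 - - [10/Jun/2012:10:05:00 +0200] "GET /robots.txt HTTP/1.1" 404 0 "192.0.2.200"',
    'garbage line that does not parse',
]
```

Running `infected_hosts(SAMPLE_LOG)` yields the two infected source IPs with hit counts, contacted domains and first/last-seen times, which is the list that would be handed back to the ISP for customer notification.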
Building Trust
• Participating in & completing the ITU-IMPACT drill 2012.
• Participating in & completing the OIC-CERT drill 2012.
• Participating in & completing the APCERT drill 2012.
• Participating in the Annual FIRST Conference 3 times:
– 24th Annual FIRST Conference, Malta 2012.
– 23rd Annual FIRST Conference, Vienna 2011.
– 22nd Annual FIRST Conference, Miami 2010.
– 21st Annual FIRST Conference, Kyoto 2009.
• Participating in the MERIDIAN conference 3 times (2009, 2010, 2011).
• Participating in the Annual Meeting for CSIRTs with National Responsibilities (Vienna 2011 & Malta 2012).
• Participating in the CSI Annual Conference 2009, 2010 in Washington DC, USA.
• Participating in the OIC-CERT Annual General Meeting 2009, 2010.
• Hosted the OIC-CERT 2010.
• Participating in Black Hat 2009, 2010, 2011.