
Page 1

ENISA

Operational security – CERT relations

Update January 2013

Contact: [email protected]

Page 3

Supporting the CERT and other operational communities (WS3)

Page 4

National/governmental CERTs: the situation has changed…

[Map: n/g CERTs in 2005 vs. 2013. Established in 2005: Finland, France, Germany, Hungary, The Netherlands, Norway, Sweden, UK]

Baseline capabilities of n/g CERTs
- Initially defined in 2009 (operational aspects)
- In 2010 policy recommendations drafted
- In 2012 ENISA continues to work on harmonisation together with MS

Status Report 2012

National/governmental CERT capabilities – updated recommendations 2012

ENISA’s new CERT interactive map: http://www.enisa.europa.eu/activities/cert/background/inv/certs-by-country-interactive-map

Page 5

Project Background and Objectives

2009 & 2010: ENISA carried out its very first attempt to define a minimum set of baseline capabilities for an n/g CERT.
http://www.enisa.europa.eu/activities/cert/support/baseline-capabilities

Current project: ENISA conducted a stock-taking “Further definition and deployment of baseline capabilities for national / governmental CERTs” with two principal objectives:
• to assess the level of compliance of n/g CERTs in EU Member States with currently defined baseline capabilities and to provide a status report on the level of deployment of the current set of baseline capabilities;
• to further discuss the baseline capabilities with CERTs, and where appropriate adjust and extend the currently defined baseline capabilities with a focus on national and regional cooperation.

Project results: The final results of the current project have been published in two reports:
• Final Status Report on Deployment of Baseline Capabilities of National / Governmental CERTs
• Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012

Page 6

Status Report 2012: Some initial statistics…

[Pie chart: Self-Assessment of the Maturity Status of National / Governmental CERTs. Categories: Initial, Repeatable, Defined, Managed, Optimised, Other. Shares as extracted: 15%, 10%, 30%, 30%, 5%, 10%]

[Pie chart: Years of Operation of National / Governmental CERT. Categories: Up to one year, 1-2 years, 3-5 years, 6-8 years, Over 8 years. Shares as extracted: 20%, 28%, 32%, 16%, 4%]

Total: 45 responses to the questionnaire (25 from n/g CERTs; 20 from other CERTs and other stakeholders)

Interviewed teams that assessed themselves as either governmental or national/governmental CERTs indicated years of operation between 4 months and 11 years.

Page 7

Highlights: Mandate & Strategy

Clarification of the Mandates for N/G CERTs

The role of n/g CERTs is supported by mandates (only two n/g CERT respondents did not refer to any kind of mandate), the details and form of which vary greatly across Member States.

[Bar chart: Are all responsibilities of n/g CERTs considered clear in the mandate? National/Governmental CERTs: YES 12, NO 6; Other stakeholders: YES 11, NO 5. n=34 (18 n/g CERTs + 16 other stakeholders)]

• 63 percent of n/g CERTs claimed that the roles and responsibilities of their teams are clearly defined and that no major changes are needed. This is broadly in line with the sentiment of other stakeholders, almost 70 percent of which agree with this statement.

• Areas where more clarity might be necessary:
  - The scope of services described in the mandate does not correspond to the team's capacity.
  - Although constituents are requested to report incidents, problems can arise when the law is not sufficiently clear and ISPs and operators do not know to whom they should report incidents.
  - Clarification might be required in the future with regard to collaboration with LEAs.
  - The provision and funding of so-called GovCERT services have so far not been adequately addressed.

Page 8

Highlights: Service Portfolio

Scope of Services Provided by N/G CERTs

The scope of support (proactive services, reactive and security quality management services) the teams provide to their constituents depends on the type of constituent, or customer respectively.

• The more mature the n/g CERT is, the more reactive services it tends to provide to its constituents.

• Telecommunication operators and government institutions in general regard the activities of n/g CERTs positively. One of their opinions is illustrative: “Despite a lack of empowerment from the government institutions there is a good coordination effort and a very good sense of responsibility and coordination between the members.”

• The increasing focus on proactive services is reflected in the way that n/g CERTs deploy these services. It is now common for n/g CERTs to publish advisories for events and incidents that are considered to be of special importance to their constituents.

[Pie chart: Satisfaction of constituents with services provided by n/g CERTs. YES 73%, NO 27%. n=11 other stakeholders (other than n/g CERTs)]

Page 9

Highlights: Operational Capabilities

Budgetary Limitations of N/G CERTs

N/g CERTs' limited budgets often do not allow for the significant investments that are needed to provide additional and innovative services. Nevertheless, the necessary staff training and education is taken care of mostly within the teams, including participation in international seminars and conferences.

[Pie chart: Funding Considered as Sufficient. YES 55%, NO 45%. n=11 n/g CERTs]

• The budgetary situation is improving as new strategies and mandates envisage an enhanced role for the n/g CERTs, which should also result in increased funding. A slight majority of n/g CERTs who commented on this topic believe that the current level of funding is sufficient for them to fulfil their expected tasks. However, many n/g CERTs still reported a lack of funds, especially in the newer Member States of the EU.

• Funding for n/g CERTs usually comes from governmental bodies and host organisations. Where n/g CERTs are hosted by NRAs, a part of the budget flows directly from the operators in the form of a small portion of their yearly turnover. But a few n/g CERTs are also actively seeking and generating funds from other sources.

Page 10

Highlights: Cooperation

Engagement in International CERT Initiatives and Bilateral Cooperation

The n/g CERTs are firmly anchored in international structures and they also engage in fruitful bilateral cooperation with their counterparts within Europe and beyond.

• Membership in various CERT initiatives is widespread throughout the EU. With a couple of exceptions, all n/g CERTs surveyed indicated that they are members of one or more of them.

• The most common structures that n/g CERTs belong to are Trusted Introducer, FIRST, and TF-CSIRT. Other popular structures included the EGC Group, ENISA’s workshops and working groups and the Anti-Phishing Working Group.

• The nature of bilateral coordination is typically informal, particularly in cases where n/g CERTs want to exchange experiences and best practices.

• Two key factors supporting cooperation with n/g CERTs in other EU Member States are regional synergies and the maturity level of the other n/g CERT.

[Pie chart: Factors Supporting Cooperation with n/g CERTs in Other Member States. Categories: Regional synergy, Maturity stage, both. Shares as extracted: 37%, 25%, 38%. n=16 n/g CERTs]

Page 11

Report Overview: Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012

The gaps identified in the baseline deployment study served as the basis for an updated set of recommendations, the objective of which is to provide n/g CERTs with guidance needed to address the gaps, better meet their deployment capabilities, and identify best practices for national, regional and international cooperation. The recommendations were published in the report “Baseline Capabilities of National / Governmental CERTs, Update Recommendations, 2012.”

Recommendations to overcome gaps and achieve deployment objectives were formulated in line with responsibilities of relevant stakeholders, such as policymakers, heads of n/g CERTs, and members of n/g operational teams.

Recommendations were also made in line with developing best practices for national, regional and international cooperation among n/g CERTs, their constituents and other stakeholders.

[Diagram: Target of Recommendations. Policymakers; Heads of N/G CERTs; Operational Teams; Best Practices in Cooperation]

Page 12

CERT Exercises and training material

ENISA CERT training/exercise material, used since 2009, was extended to host 23 different topics and training exercises including:
- technical aspects (mobile devices forensics based on Android emulator, investigation of DDoS traces, netflow analysis, deployment of Honeypots etc.);
- organisational aspects (developing CERT infrastructure, establishing external contacts etc.);
- operational aspects (triage & basic incident handling, automation in incident handling, calculating cost of information security incident and its return on security investment (ROSI) etc.).

Page 13

CERT Exercises expanded

19. CERT participation in incident handling related to the Article 13a obligations
20. CERT participation in incident handling related to the Article 4 obligations
21. Assessing and Testing Communication Channels between CERTs and all their stakeholders
22. Social networks used as an attack vector for targeted attacks

Page 14

CERT Exercises expanded

Existing 12 exercises improved

10 exercises added:
13. Incident handling during attack on CII
14. Proactive incident detection
15. Cost of ICT incident calculation
16. Mobile incident handling
17. Incident Handling In the Cloud
18. Advanced Persistent Threat incident handling

Page 15

Roadmap

Additionally a Roadmap was created to answer: how could ENISA provide more proactive and efficient CERT training?
- Based on live consultations & survey
- 10 proposals identified
- Planning window 2013 – 2017
- ENISA legal environment & mandate taken into account while analysing proposals

Proposals:
1. ENISA support to the TRANSITS Framework and other suitable training programs
2. ENISA CERT Exercises at Universities
3. ENISA as co-provider of CERT trainers and trainings
4. CERT Training Information Desk
5. Video material by ENISA – how to organise the exercises
6. ‘Fire Drills’ for the CERT community
7. ENISA CERT Training Hubs (ECTH)
8. ENISA CERT Exercises Certified Provider (ECTCP)
9. Recommendations for Public Administration Organisations
10. Certification Paths

Page 16

Survey: Perception of TRANSITS

Page 17

Survey: Comparative perceptions

Average scores on a scale of 1 to 10:
- SANS security trainings: 6.5 (*)
- CERT/CC CSIRT trainings: 7.0

As compared to TRANSITS courses:
- TRANSITS I: 8.7
- TRANSITS II: 9.5
- Train-the-trainers: 8.0

(*) the low SANS score was unexpected and not clearly explained

Page 18

Survey: Other useful trainings

Outside TRANSITS, SANS and CERT/CC the most mentioned training providers were:
- International Information Systems Security Certification Consortium: (ISC)²
- Information Systems Audit and Control Association: ISACA®
- Internet Systems Consortium: ISC
- NATO Cooperative Cyber Defence Centre of Excellence: CCDCOE

Page 19

EISAS 2012 – Large scale pilot

European Information Sharing and Alert System introduced in COM(2006) 251: “Communication on a strategy for a Secure Information Society”

In 2012: Pilot Project for collaborative Awareness Raising for EU Citizens and SMEs
- Gathered n/g CERTs, governmental agencies and private companies in 6 different MS
- Cross-border awareness raising campaign
- Reached more than 1.700 people in 5 months
- Social networks involved

Page 20

Information providers: Deutsche Telekom AG, NorSIS, LMU

Materials (providers, disseminators):
1. Social Engineering Movie
2. ID Theft Quiz
3. Securing PCs against Botnets

Information disseminators and the materials they disseminated:
- CESICAT (Catalonia): all three
- LaCaixa (Catalonia): all three
- CERT Hungary: all three
- CERT Poland: all three
- NorSIS: No. 1, SE Movie

Page 21

Cybercrime project 2012

Main goals:
- Define key concepts
- Describe the technical and legal/regulatory aspects of the fight against cybercrime
- Compile an inventory of operational, legal/regulatory and procedural barriers and challenges and possible ways to overcome these challenges
- Collect existing good and best practices
- Develop recommendations
- Focus on CERT-LEA cooperation

Differences:
- Definitions cybercrimes/attacks
- Meanings of sharing
- Character of the organizations
- Objectives
- Types of information
- Directions of requests

Page 22

Cybercrime project 2012

Legal obstacles
- CERT legitimacy, scope, remit and competences
- CERTs as evidence holders
- Legal pitfalls of data sharing/Data Protection
- Legal know-how and awareness
- Laws as a barrier to receive information

Page 23

Cybercrime project 2012

Operational obstacles

Governance
- Different/unknown policies and procedures
- Absence of clearly defined policies has a negative impact on sharing information
- Financial burden, opportunity cost or competing priorities

Processes
- Security clearance/certification
- Language barriers
- Different/incompatible/unknown workflows
- Duplication
- Information misdirection

Tools and technology
- Lack of early warning/Knowledge Management tools
- Lack of common case management tools
- Lack of secure communication channels
- Administrative problems: inappropriate time stamp

Information
- Lack of clarity on what the other party will do with information
- Insufficient detail/inappropriate detail
- Lack of service catalogues
- Lack of information on understanding of role & parameters for co-operation

Page 24

Cybercrime project 2012

Operational obstacles

Personnel and training
- Lack of known & trusted personnel/inexperience
- Previous poor experience in sharing information
- Lack of confidence/clarity in your/their official status

Recommendations

Training
- For CERTs: training element on how to deal with LEAs (TRANSITS?)
- For LEA: how to deal with CERTs (EC3?)

Structures
- Facilitation & Collaboration
- Best Practice development
- Harmonisation/clarification of legal and regulatory aspects

Page 25

ENISA Honeypots study

An increasing number of complex attacks demand improved early warning detection capabilities for CERTs. By having threat intelligence collected without any impact on production infrastructure, CERTs can better defend their constituencies’ assets. Honeypots are powerful tools that can be used to achieve this goal.

Long but good! (179 pages)

Additionally “ENISA Honeypots exercise” (another 60 pages)

Page 26

Motivation for conducting the study

[Bar chart: Survey responses concerning categories of tools used for network security incident gathering. Vertical axis: number of responses, 0 to 50. Response categories: No answer; I never used it and will not use it; I used it in the past, but dropped it; I don't use it but plan to use it in future; I use it]

Page 27

Honeypots vs other tools
- Honeypots vs sandboxes
- Honeypots vs darknets
- Honeypots vs Intrusion Detection / Prevention Systems
- Honeypots and web security proxies

Page 28

General Recommendations for CERTs

Overall, the study has found that honeypot technologies, while sometimes difficult to handle, are a good source of threat intelligence information for CERTs.

Page 29

General Recommendations for CERTs

- CERTs are encouraged to explore the possibility of deploying honeypots across their constituencies. There are fewer privacy concerns than with other technologies.
- CERTs need to cooperate and develop large scale interconnected sensor networks in order to collect threat intelligence from multiple geographic areas. Honeypots are a good choice for such solutions.
- CERTs should plan for how they will handle any vulnerabilities or incidents within their network discovered through the use of a honeypot.
- CERTs are encouraged to take part in the development of honeypots and in providing feedback to honeypot developers. This will lead to the creation of better tools.

Page 30

Paper on Return on Security Investment

The aim of this document is to initiate a discussion among CERTs to create basic tools and best practices to calculate their Return on Security Investment (ROSI). This key notion is essential when justifying costs, engagement and budgets for those entities that deal with security on a regular basis (security departments, CERTs, etc.).

The FIRST Metrics SIG works to improve the metrics and evaluation methods for internal evaluation of CERTs. As part of this work, the Metrics SIG is addressing the topic of cost of incidents and return on security investment.

Note: New exercise scenario on calculating cost of information security incident and its return on security investment (ROSI)

Page 31

Other activities

- 7th ENISA workshop ‘CERTs in Europe’
  Part I -> technical training for n/g CERT experts: hands-on training exclusively for the EU national/governmental CERT teams; 2 days of deep technical dive into topics like botnets, mobile malware and other interesting topics.
  Part II -> 2nd time jointly organised with EUROPOL on 16/17 October. Goal: to facilitate better cooperation between n/g CERTs and LEA in MS. Continuation of the first workshop (6th ENISA workshop in 2011). Interactive sessions – n/g CERTs and LEAs group exercise. Final report is published.
- Supported TRANSITS in Prague and Porto in 2012.

Page 32

Our activities in 2013

- Workshops: 8th annual CERT workshop
  I. tentatively in Q2; in Romania; co-located with TF-CSIRT meeting; hands-on training
  II. tentatively in Q4; with EC3 (EUROPOL) in The Hague; cybercrime theme (CERT&LEA)
  III. continue supporting TRANSITS trainings

Page 33

Our activities in 2013

- Projects:
  I. n/g CERT – harmonisation of the baseline capabilities framework + provision on ICS CERT capabilities
  II. Exercise material – extension to cybercrime scenarios
  III. EISAS – deployment study
  IV. CERT services - Alerts, Warnings and Announcements
  V. Secure communication solutions for CERTs (requirements and stocktaking)
  VI. Information sharing and international incident handling – harmonisation of legal frameworks
  VII. Practical implementation of the ‘Directive on attacks against IS…’

Page 34

Thank you for your attention!