Incident Response - Eg-CERT

Post on 04-Aug-2020


Page 1

Incident Response

EGYPT National Telecom Regulatory Authority

Page 2

Proactive vs. Reactive Services

Page 3

Proactive Services

Designed to improve security capabilities before any incident occurs or is detected. The main goals are to avoid incidents, and to reduce their impact and scope when they do occur.

Penetration testing, malware analysis and awareness teams perform proactive services.

Page 4

Reactive Services

Reactive services are designed to respond to requests for assistance, reports of incidents from the EG-CERT constituency, and any threats or attacks against Egyptian critical information infrastructure.

Incident Response and Cyber Forensics teams perform reactive services.

Page 5

EG-CERT Scope

Page 6

CRITICAL INFRASTRUCTURE

Page 7

Cybersecurity Risk Landscape

Page 8

Different Types of Incidents

Incident Type:

o Malware URL

o DDoS attack

o Abusive content

o Website Defacement

Page 9

Different Types of Incidents

Incident Type:

o SQL Injection

o RFI

o Authentication bypass

Page 10

APTs constitute a mature attack and introduce a new paradigm of cyber security threats

Maturity Level: Basic

Simple, easily accessed tools, used by amateur hackers and not particularly targeted.

Examples:

o Generic phishing scams

o Attacks against organizations with little-to-no security – weakest in the herd / opportunistic approach

o Cyber techniques available on the internet / open source

Types of Attackers:

o Amateur hackers

o Scam artists

Maturity Level: Advanced

Technically mature, developed by advanced individuals or teams, but not coordinated or extremely targeted.

Examples:

o Distributed Denial of Service

o Targeted private data extraction

o Extortion as motive

o Customized tools

o Developed techniques

Types of Attackers:

o Extortionists

o Mature cyber criminals

Maturity Level: APTs

Sophisticated, planned over long periods, complex, and targeted.

Examples:

o Highly sophisticated adversaries who can bypass virtually all of today’s “best practice” security controls

o Primary goal is long-term, persistent occupation for data theft, intelligence espionage, and other malicious activities

Types of Attackers:

o Nation states

o Sophisticated adversaries

Page 11

Organizations with sensitive data need to be especially wary of APTs: marginal improvements in traditional security are not enough.

Target: 2008: Large Oil Companies

Result: Companies unaware of the extent of the attack until alerted by the FBI; APTs had been persistent since 2008 and actively exfiltrating e-mails and passwords of senior executives.

Motivation: Attackers sought valuable data about new discoveries of oil deposits (this data can cost hundreds of millions of dollars to produce).

Target: 2010: Sophisticated Technology Companies

Result: Chinese attackers successfully exfiltrated sensitive data from the servers of Google, Adobe, Yahoo, Dow Chemical, and Symantec (a leading manufacturer of computer security products).

Motivation: Attackers sought persistent access to cutting-edge intellectual capital.

Target: 2010: Stuxnet

Result: Attackers successfully infiltrated several nuclear sites and damaged uranium enrichment facilities. Cited as one of the most refined pieces of malware ever discovered; experts believe only a nation state would be able to produce it.

Motivation: Attackers sought to disrupt critical industrial infrastructure, specifically targeting nuclear facilities.

Page 12

Cyber Security has to be an important part of the development of the Information Society & Digital Transformation era.

Page 13

Our Mission (Feeds)

Page 14

Sample Incident Response Scenario

Page 15

INCIDENT HANDLING 2019

Page 16

INCIDENT CHART 2018

Page 17

HOW TO REDUCE THE NUMBER OF INCIDENTS

Page 18

Cyber Forensics, Dec. 2019

EGYPT National Telecom Regulatory Authority

Page 19

Sample Incident Response Scenario

Page 20

Digital Forensics

o Receiving digital evidence:

o Evidence acquisition and analysis:

o Reporting

Page 21

Cases Categories

The Digital Forensic Department is working on different types of cases:

[Pie chart: share of cases per category. Categories: Information Leakage and Business Damage; Internet Banking Theft; Encryption Cracking; Harassment; Internet Fraud; Hacking. Slice values as extracted, in chart order: 21%, 8%, 8%, 33%, 8%, 21%.]

Page 22

THE FOLLOWING CHART INDICATES THE WORKING HOURS/TASK:

[Pie chart: share of working hours per case. Legend: Case number 17569 alkanater; Case number 8337 public funds; Case number 3452; Case number 4992 South Cairo; Case number 955; Case number 14564; Case number 3505; Case number 21; Case number 1824; Case number 4282; Case number 1 Elshrouk. Slice values as extracted, in chart order: 5%, 3%, 1%, 15%, 23%, 13%, 1%, 29%, 6%, 1%, 3%.]

Page 23

THE FOLLOWING CHART INDICATES THE CASES PERCENTAGE / CASE CATEGORY:

[Bar chart: number of cases by type of case]

o Data Exfiltration: 3

o Forgery: 2

o Cloud Investigation: 2

o Drugs: 1

o Illegal Call Forwarding: 2

o Harassment: 2

Page 24

PhishPhry…

In Oct 2009, Egypt-US identity theft ring: “Authorities arrested 100 Americans and Egyptians in the smashing of an international identity theft ring publicized as one of the largest cybercrime cases ever

Page 25

Page 26

PhishPhry…

Our first case was one of the largest phishing cases, which required:

o Forensic analysis of hard disks, mobile phones and e-mails.

o Forensic report: over 400 pages.

o 1600 working hours.

o 12 dedicated specialists.

o A model for cooperation within and across borders.

EG-CERT received special thanks from the US Department of Homeland Security for the work and the detailed report.

Page 27

EG-CERT Short-term Goals

Target achievements:

1. Egypt botnet-free within 5 years

Structure:

o Launch the Awareness program in 2020;

o Reactivate the National Committee on Child Online Protection (COP)

Capacity Building:

o Increase the number of the Public Awareness campaigns.

o Develop a National Cyber Drill for CNI.

o Develop a National training program for Cybersecurity