incident response for policy makers€¦ · the website delivers a certificate which is signed by a...
TRANSCRIPT
![Page 1: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/1.jpg)
Incident Response for Policy Makers
Dr. Serge Droz <[email protected]>Chair, Board of DirectorsMaarten Van Horenbeeck <[email protected]>Member, Board of Directors
An introduction
![Page 2: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/2.jpg)
LicenseCopyright © by Forum of Incident Response and Security Teams, Inc.
FIRST.Org is name under which Forum of Incident Response and Security Teams, Inc. conducts business.
This training material is licensed under Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 (CC BY-NC-SA 4.0)
FIRST.Org makes no representation, express or implied, with regard to the accuracy of the information contained in this material and cannot accept any legal responsibility or liability for any errors or omissions that may be made.
All trademarks are property of their respective owners.
Permissions beyond the scope of this license may be available at [email protected]
![Page 3: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/3.jpg)
Content
During this course, you will learn:• What are Computer Security Incident Response Teams?• Why are CSIRTs essential for the Internet?• How do they work together in a collaborative community?• What are the basic steps in incident handling they
implement?• How is trust built in the incident response community?• How can you help your CSIRT community mature?
![Page 4: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/4.jpg)
4
Association of Incident Response and Security Teams
Founded in 1989
Who we are
![Page 5: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/5.jpg)
Global Coordination: In an emergency you can always find the teams you need to support you in our global community.
Global Language: Incident responders around the world speak the same language and understand each other’s intents and methods.
Automation: Let machines do the boring calculations, so humans can focus on the hard questions.
Policy and Governance: Make sure others understand what we do, and enable us rather than limit us.
Mission
![Page 6: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/6.jpg)
Members
Global FIRST membership495 teams in 92 countries
![Page 7: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/7.jpg)
CC B
Y 3.
0 M
arc
Aver
ette
Part I: Understanding the CSIRT environment
![Page 8: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/8.jpg)
Challenges
No borders
Attribution is hard
”Class breaks”
Rate of innovation
Asymmetric capability
No global authority
“Cyberspace” is unique
Attacks easily expand beyond a single country, and affectothers.
Most evidence is created through technical means, which areeasily instrumented and not attributable.
An attack can be repeated easily. No need to walk kilometersto “juggle locks”
There’s a new technology to be exploited every few weeks.Smart contracts, social media, mobile apps.
An adversary can be a state, or someone who just had avery good idea.
There’s no single authority that acts as the police officer of theinternet.
![Page 9: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/9.jpg)
Actors
![Page 10: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/10.jpg)
2016: Firs
t IOT
Botnet
1988: Morri
s Worm
led to
creati
on of CER
T/CC
1984
: Glob
al DNS, r
un by
John
Pos
tel
196X
: ARPANET
1989
: FIR
ST foun
ded
1996
: Alep
h1: S
mashin
g the
stac
k for
fun a
nd pr
ofit
2000
: The
Mille
nnium
bug
2000
: Bur
st of
Dot-Com
Bub
ble
1998
: CSIR
T Han
dboo
k20
01: B
udap
est C
onve
ntion
sign
ed
2005
: IGF
2011
: Digi
notar
2012
: WCIT
-12
in Dub
ai Gov
erna
nce
2003
: Wor
ld Sum
mit on t
he In
formati
on S
ociet
y20
15: G
FCE20
1x: 1
st IoTBotn
ets
2007
: Cyb
er at
tack o
n Esto
nia
2010
: Stux
net
History
![Page 11: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/11.jpg)
Incident Response
David Mark
![Page 12: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/12.jpg)
Prevention
Detection
Response
Governance
Security practicesAwareness building
Accountability and ownershipLegislation and policy
![Page 13: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/13.jpg)
Workflow
Vest
ibul
um c
ongu
e
Vestibulum congue
Vestibulum congue
Vestibulum congue
Res
pond
Analyze
Triage
Detect
![Page 14: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/14.jpg)
Case Study
![Page 15: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/15.jpg)
The website delivers a certificate whichis signed by a trusted Certificate authority:
To verify a website the browser:1. Asks for the certificate2. Checks if it has been signed by a known CA3. If ok it displays a green lock, if not a warning
CertificatesFIRST
![Page 16: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/16.jpg)
• Operating systems and/or browsers ship with a “trust store”, which defines who can issue digital certificates they trust
• About 150 companies are entrusted by these products
• These companies have to follow strict rules. But this has not always been enough.
• On August 2nd, 2011, Google rolled out ”pins” to require specific companies’ certificates for Google properties.
Case Study: Diginotar
![Page 17: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/17.jpg)
Case Study: Diginotar
![Page 18: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/18.jpg)
6.7.
11
27.7
.11
29.7
.11
Diginotar hacked
14.7
.11
Cert-Pinning introduced
Tweet about MITM by an Iranian user
Cert-Bund reports to NCSC.nl
Browsers start to remove Diginotar from CA Store
Diginotar bankrupt
20.9
.11
8.11
Timeline
![Page 19: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/19.jpg)
CERT-Bund Microsoft
NCSC-NL Diginotar
Mozilla
Victims in Iran
Dutch internet users
Wider CSIRT
community
CA community
Trust stores
Stakeholders
![Page 20: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/20.jpg)
Source: Fox-IT – Black Tulip: Investigation into DigiNotar
Case Study: Diginotar
![Page 21: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/21.jpg)
• CERT-Bund: raise the alarm.• DigiNotar: understand scope of the compromise on their end,
and what type of potential impact is possible.• Google: protect their customers by invalidating trust.• Mozilla/Microsoft: protect customers by invalidating trust.• NCSC-NL:
• CSIRT closest to the issue, affected industry members, coordinate response.
• Assess overall impact through source data
Distinct responsibilities
![Page 22: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/22.jpg)
Guillaume de Germain
Trust
![Page 23: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/23.jpg)
The Internet then and now
Source: https://www.darpa.mil/about-us/darpa-history-and-timeline?PP=2
![Page 24: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/24.jpg)
The Internet then and now
Source: https://www.caida.org/research/topology/as_core_network/2015/Source: https://www.darpa.mil/about-us/darpa-history-and-timeline?PP=2
![Page 25: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/25.jpg)
Models of Governance
Market Hierarchy Collaboration Network
![Page 26: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/26.jpg)
Network Governance
Governance [is achieved] through relatively stable cooperative relationships between three or more legally autonomous organisations based on horizontal, rather than hierarchical coordination, recognizing one or more network or collective goals
The late Elinor Ostrom receives the 2009 economic sciences Nobel prize for her groundbreaking work: “Governing the Commons”.
Source: https://commons.wikimedia.org/wiki/File:Nobel_Prize_2009-Press_Conference_KVA-31.jpg
![Page 27: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/27.jpg)
Effective network collaboration requires trust and a common goal.
If either is missing collaboration is not possible.
![Page 28: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/28.jpg)
Building Trust: Global events August 2017-2018
![Page 29: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/29.jpg)
Trust inhibitors
• Hidden Agendas
• Placing the CERT in the wrong spot
• Sanctions
![Page 30: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/30.jpg)
Trust inhibitors
• Placing the CERT in the wrong spot(k) States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity.
![Page 31: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/31.jpg)
Trust inhibitors
• Sanctions
![Page 32: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/32.jpg)
Part II: Developing a CSIRT community
![Page 33: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/33.jpg)
What do you want to achieve?
![Page 34: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/34.jpg)
● Protect government assets
● Protect critical Infrastructure
● Resilience of the economy
● Cyber hygiene
● Help citizens
![Page 35: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/35.jpg)
Daria Nepriakhina via unsplash
Map existing capabilities
![Page 36: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/36.jpg)
Typical players
ISPs Research Networks
Registries Private sector
![Page 37: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/37.jpg)
Sgt. Justin M. Boling
Example: Large Events
![Page 38: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/38.jpg)
“You absolutely must have everyone on board!”
Cristine Hoepers (CERT.br)
“The Brazilian effort was successful because they had so much practice in collaboration.”
Jacomo Picollini (Team Cymru)
![Page 39: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/39.jpg)
National CSIRT
Better: A CSIRT with a national responsibility. • Government CERT• Registry• NREN
But one CSIRT of last resort
![Page 40: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/40.jpg)
Non-state CSIRTs
https://www.microsoft.com/en-us/msrc
Example: Microsoft Security Response Center
![Page 41: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/41.jpg)
Tina Bosse
Maturing CSIRTs
![Page 42: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/42.jpg)
Maturity
Handle incidents
Meet and Greet
Engage
Serge Droz
![Page 43: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/43.jpg)
SIM3
Security Incident Management Maturity Model
at 5 levels1. Not available2. Implicit3. Explicit internal4. Explicit formal5. Controlled
Measures four groups of parameters1. Organisational2. Human3. Tools4. Processes
See alsohttps://www.thegfce.com/initiatives/c/csirt-maturity-initiative
![Page 44: Incident Response for Policy Makers€¦ · The website delivers a certificate which is signed by a trusted Certificate authority: To verify a website the browser: 1. Asks for the](https://reader034.vdocuments.site/reader034/viewer/2022050303/5f6bf3b302bb7975580ddcf0/html5/thumbnails/44.jpg)