Presentation on theme: "CIRT/CERT Baseline Capabilities"— Presentation transcript:
1 CIRT/CERT Baseline Capabilities
Anuj Singh, Director – Global Response Centre
Regional Arab Forum on Cybersecurity, Cairo, Egypt
19th December 2011
2 Agenda
- Introduction
- Need for a National CIRT
- Benefits of a National CIRT
- CIRT Framework
- ITU-IMPACT Activities for member states
- Baseline Capabilities
- Cyber drill - ITU-IMPACT Alert
3 Introduction
What is a CIRT
- A team that RESPONDS to cybersecurity incidents
- Provides services to a defined constituency
- Assists in effectively identifying threats, coordinating at national and regional levels, and disseminating information
- Acts as a focal point for the constituency
Source:
4 The need for a National CIRT
- To ensure the continuity of society in times of crisis
- To protect essential services and critical national infrastructure
- To improve resistance to disruption
- To contain the contagion effect
- To restore control in information dissemination
- To recover quickly to the original state of normalcy
5 Benefits of a National CIRT
- Serves as a trusted focal point of contact within and beyond the national borders
- Identifies and manages cyber threats that may have an adverse effect on the country
- Helps to systematically respond to cybersecurity incidents and takes appropriate actions
- Helps the constituency to recover quickly and efficiently from security incidents
- Minimises loss or theft of information and disruption of services
6 Benefits of a National CIRT
- Better prepared for future incident handling based on lessons learned
- Deals effectively with legal issues
- Knowledge exchange platform among constituencies
- Develops and encourages adoption of security best practices & standards
- Promotes or undertakes the development of education, awareness and training materials
7 CIRT Framework
National CIRTs drive and promote:
- National Cybersecurity Strategies / Policies
- Cyber Forensics Services
- Governance / Legislations
- Critical Information Infrastructure Protection
- Cybersecurity Awareness, Training & Education
- Cybersecurity Research
- International Cooperation
- Security Assurance
8 CIRT Services
Reactive Services
- Alerts, Warnings and Advisories
- Incident Handling
  - Incident analysis
  - Incident response on site
  - Incident response support
  - Incident response coordination
- Vulnerability Handling
  - Vulnerability analysis
  - Vulnerability response
  - Vulnerability response coordination
- Artifact Handling
  - Artifact analysis
  - Artifact response
  - Artifact response coordination
Proactive Services
- Announcements
- Technology Watch
- Security-Related Information Dissemination
- Security Audits or Assessments
- Configuration and Maintenance of Security Tools, Applications, and Infrastructures
- Development of Security Tools
- Intrusion Detection Services
SQM Services
- Risk Analysis
- Business Continuity and Disaster Recovery Planning
- Security Consulting
- Awareness Building
- Education/Training
- Product Evaluation or Certification
Source: Handbook for CSIRTs –
9 High-Level Process: Creating a National CIRT
- Define the basic framework
- Establish the fundamental policies / procedures
- Train the staff
- Launch the incident handling system
- Announce the CIRT to the constituency
- Establish contact with other parties
11 Workshops & CIRT Deployment
- To help partner countries assess their readiness to implement a National CIRT.
- IMPACT reports on key issues and analysis, recommending a phased implementation plan for National CIRT.
- Three countries are moving ahead with the deployment of the National CIRT with help from ITU-IMPACT.

No. | Partner Countries | Assessment Status
1 | Afghanistan | Completed in October 2009
2 | Uganda, Tanzania, Kenya & Zambia | Completed in April 2010
3 | Nigeria, Burkina Faso, Ghana & Ivory Coast | Completed in May 2010
4 | Maldives, Bhutan, Nepal & Bangladesh | Completed in June 2010
5 | Serbia, Montenegro, Bosnia, Albania | Completed in November 2010
6 | Cameroon, Chad, Gabon, Congo | Completed in December 2010
7 | Armenia and Laos | Completed in November 2011
8 | Cambodia, Myanmar and Vietnam |
9 | Senegal, Togo, Gambia and Niger |
12 ITU-IMPACT Support for Member States
Proposed CIRT Model
ITU-IMPACT Support
- Phase 1 (6 – 8 months): Reactive CIRT services
- Phase 2 (9 – 18 months): Proactive CIRT services
- Phase 3 (19 – 24 months): Security Quality Management services
13 Baseline Capabilities
Defines a minimum set of CIRT capabilities that address the challenges and priorities for National CIRT
- Mandate and Strategy
- Service Portfolio
- Co-operation
- Operation
14 Mandate & Strategy
Requirements and Recommendations
- National CIRTs need a clear mandate to serve a well-defined constituency
- Their role should be embedded in the strategy for national cyber-security and established in an appropriate body with adequate funding.
- Develop a strategic approach to cyber-security and CNI protection
- The mandate for the national / governmental CIRT should clearly define the scale and scope of its activities
15 Service Portfolio
Requirements and Recommendations
- CIRT services should be clearly defined in line with its mandate and strategy
- Reduce the vulnerability of its constituency’s critical networks to cyber attacks and support effective responses to such attacks when they do occur.
- Effective incident handling capabilities
- Provide services to reduce the vulnerability of networks to cyber-attacks
- Provide services to support an effective response to cyber-attacks
- Appropriate internal processes should also be implemented to support the external services.
16 Operation
Requirements and Recommendations
- Must be able to respond to incidents developing across borders since cyber-security incidents happen on a global scale
- Must have the reputation and competence that give it the credibility underpinning its operational effectiveness.
- Ensure that the CIRT is sufficiently staffed with the required technical competence
- Secure and resilient communication and information infrastructure
- Located within physically secure premises, and staff should be appropriately screened
17 Co-operation
Requirements and Recommendations
- Effective cooperation between CIRTs at all levels is required
- Requires trust and mutual respect between the bodies involved
- Effective in building relationships
- National CIRT should be enabled to invest time and resources in building cooperative relationships
- Establish a clear framework for cooperation with national law enforcement agencies and stakeholders
- All cooperative relationships should be supported by agreement
1 - to facilitate the exchange of the information and knowledge needed to reduce vulnerability and provide effective responses to cyber incidents
3 - both on bilateral and multilateral basis.
18 ITU-IMPACT ALERT (Applied Learning for Emergency Response Team)
19 Introduction to ALERT (Applied Learning for Emergency Response Team)
- Carried out on the 1st of December 2011 in Yangon, Myanmar
- Focused exercise for four countries – Cambodia, Laos, Myanmar and Vietnam
- Three scenarios were developed for the participants:
  - Analysing SPAM
  - Analysing defacement of a Website
  - Analysing Malware and taking control of the Command and Control Server
- Supported by F-Secure and Trend Micro
20 Objective
- Evaluate the readiness of National CIRT in handling incident response
- Enhance the CIRT’s incident response capabilities
- Strengthen the national and international cooperation between countries in ensuring continued collective effort against cyber threats.
21 Conducting the Drill
- The organiser sent the incident scenario to the participants in an email.
- Participants performed their investigation/analysis of the incident and came up with a solution.
- The participants submitted the solution in an advisory back to the organiser via email.
22 Drill Setup
Mail Server
- All formal communication between the organizer and participants went through this mail server
IRC Server
- Informal communication such as questions or tips regarding the drill to solve the scenario
- Ad-hoc notifications from the organizer
- Collaborate with other participating CIRT teams
Linux Server
- Linux server was made available to the participants to perform their analysis.