Presentation by ENISA

1. INTODUCTION TO THE CSIRT
SETTING UP GUIDE
http://www.enisa.europa.eu/act/cert/support/guide

2. Agenda
How it all started
 What do CERTs do?
 How is Incident Response functioning
 CERT cooperation
 ENISA and CERTs
2

3. Setting up a CSIRT
 Introduction
 Overall strategy for planning and setting up a CSIRT
 The first section gives a description of what a CSIRT is. It will also provide information about the
different environments in which CSIRTs can work and what services they can deliver.
 Developing the Business Plan
 This section describes the business management approach to the setting-up process.
 Promoting the Business Plan
 This section deal with the business case and funding issues.
 Examples of operational and technical procedures
 This section describes the procedure of gaining information and translating it into a security
bulletin. This section also provides a description of an incident-handling workflow.
 CSIRT training
 This section gives a summary of available CSIRT training. For illustration sample course material
is provided in the annex.
 Producing an advisory
 This section contains an exercise on how to carry out one of the basic (or core) CSIRT services:
the production of a security bulletin (or advisory).
 Description of the Project Plan
 This section points to the supplementary project plan (checklist) provided with this guide. This
plan aims at being a simple to use tool for the implementation of this guide.
3

4. The early days of internet
 First idea of an Internet in
1960:
"A network of such [computers], connected to one
another by wideband communication lines" which
provided "the functions of present-day libraries
together with anticipated advances in information
storage and retrieval and [other] symbiotic functions.
” by .C.R. Licklider
 Beginning of Internet by the
Defense Advanced Research
Projects Agency (DARPA) in
1981.
Map of the TCP/IP test network in January 1982
4

5. Today’s Internet
5

6. First incident on the Internet
2 November 1988: The MORRIS worm
 First major outbreak , it spread swiftly around
the world
 6000 major UNIX machines were infected
(of a total of 60.000 computers connected)
 Estimated cost of damage $10M - 100M
 Gene Spafford created a mailing list
coordinating the first Incident response
6

7. The First CERT
After incident people realized they
where in need for:
Timely response
Structured and organized approach
Central coordination
This incident in the history of Internet security
led directly to the founding of the CERT/CC©
7

8. Europe and CSIRT’s
This model was soon adopted in Europe
1992 Surfnet launched the first CSIRT
in Europe SURFnet-CERT
At present ENISAs inventory of CERT
activities in Europe list over 140 CSIRTs
8

9. European CERT activities
9

10. CSIRT abbreviations
CERT© /CERT-CC (Computer Emergency
Response Team)
CSIRT (Computer Security Incident Response
Team)
IRT (Incident Response Team)
CIRT (Computer Incident Response Team)
SERT (Security Emergency Response Team)
Abuse Team (not a CSIRT)
Is a response facility, usually operated by an ISP,
who professionally handles "Internet-abuse"
reports or complaints.
10

11. CSIRT definition
CSIRT
A team that responds to computer security
incidents
Providing necessary services to solve or
supporting the resolution of them.
Is trying to prevent any computer security
incidents within its constituency or
responsibility.
Constituency
Customer base of a CSIRT
11

12. Benefits of having a CSIRT
 A dedicated ICT-security team helps to mitigate and
prevent major incidents protecting your organization’s
valuable assets.
 Centralized coordination for ICT-security issues
 Specialized organization in handling and responding to
ICT-incidents.
 Dedicated support available, assisting in taking the
appropriate steps and helping the constituent with quick
recovery of the ICT infrastructure.
 Dealing with legal issues and preserving evidence in the
event of a lawsuit.
 Educate organization on ICT-security
 Stimulating cooperation within the constituency on ICT-
security, preventing possible losses.
12

13. What kind of CSIRTS exists
Constituent depended sector CSIRTS In alphabetic order:
 National / Governmental Sector
 Academic Sector
 Commercial
 CIP/CIIP Sector
 Internal
 Military Sector
 Small & Medium Enterprises (SME) Sector
 Vendor Teams
 …
13

14. CSIRT services 1/3
We can distinguish 4 kind of services
Responsive services
1. Reactive services
2. Proactive services
3. Artifact handling
4. Security quality management
14

15. CSIRT “Core” Services 2/3
Reactive Services
 Alerts and Warnings
 Incident Handling
 Incident analysis
 Incident response support
 Incident response coordination
Proactive Service
• Announcements
15

16. CSIRT services 3/4
Reactive services Proactive services Artifact handling
Alerts and Warnings Announcements Artifact analysis
Incident Handling Technology watch Artifact response
Incident analysis Security audits or assessments Artifact response coordination
Incident response support Configuration and maintenance Security Quality
of security Management
Incident response coordination Development of Security Tools Risk Analysis
Incident response on site Intrusion Detection Services Business Continuity and Disaster
Recovery
Vulnerability handling Security-Related Information Security Consulting
Dissemination
Vulnerability analysis Awareness Building
Vulnerability response Education/Training
Vulnerability response Product Evaluation or Certification
coordination
16

17. CSIRT services 4/4
First questions about services:
1. Understand what a CSIRT is an what benefits it might
provide
2. To what sector is the CSIRT delivering it’s services?
3. Decide on the core services of your CSIRT
4. Start preparing your CSIRT,
Organizational, staff, legal, contracts, procedures
 Deliver the core services according your standards and
agreements
17

18. Choosing the right approach
1. Define a communication approach to your
constituents
2. Define the mission statement
3. Make a realistic implementation/project plan
4. Define your CSIRT services
5. Define the organizational structure
6. Define the Information Security policy
7. Hire the right staff
8. Utilise your CSIRT office
9. Look for cooperation between other CSIRTs and
possible national initiatives
18

19. Analyzing your Constituency
Swot analysis
PEST analysis
19

20. Example SWOT analysis
Result in delivering the
following Core Services:
 Alerts and Warnings
 Incident handling
 Announcements
20

21. Communicating channels
Public Website
Closed member area on the Website
Web-forms to report incidents
Mailing lists
Email
Phone
SMS
‘Old fashioned’ paper letters
Monthly or annual reports
21

22. Mission statement
Important to have a mission statement
In communicating your existence to constituents
Communicating it to your staff
Commercial use, elevator pitches, brochures,…
Examples:
“<Name of CSIRT> provides information and assistance to its
<constituents (define your constituents)> in implementing
proactive measures to reduce the risks of computer security
incidents as well as responding to such incidents when they
occur.”
"To offer support to <Constituents> on the prevention of and
response to ICT-related Security Incidents”
22

23. Developing a business plan
Defining a financial model
 Cost model
 Revenue model
 Use of existing resources
 Membership fee
 Subsidy
23

24. Costs running a CSIRT
 Staff
 24x7 or office hours
 Housing
 Normal secured or high secured facility
 Equipment
 Hosting facilities
 Branding material (corporate style)
 Brochures
24

25. Your organizational structure
A CSIRT organization could define the following roles
 General
 General manager
 Staff
 Office manager
 Accountant
 Communication consultant
 Legal consultant
 Operational Technical team
 Technical team leader
 Technical CSIRT technicians, delivering the CSIRT services
 Researchers
 External consultants, Hired when needed
25

26. Independent business model
26

27. The embedded model
27

28. The Campus model
28

29. The voluntary model
 Group of people (specialists) that join together
in case of emergency.
 Loosely fitted
Example WARPS
29

30. Hiring the right staff
( the hot picks)
 Flexible, creative, good teams spirit
 Strong analytical skills,
 Ability to explain difficult technical matter into
easy wording
 Good organizational skills and stress durable
 Technical knowledge (deep specialist + broad
general internet technology knowledge)
 Willingness to work 24x7
 Loving to do the job! ;)
30

31. Utilization & equipping the office
 Hardening the building
See ISO17799
 Maintaining communication channels
 Record tracking system(s)
 Use the corporate style from the beginning!
 Foresee out-of-band communication in case of
attacks
 Check redundancy on internet connectivity
and office in case of emergencies
31

32. Information security policy
Information handling policy
1. How is incoming information "tagged" or
"classified"?
2. How is information handled, especially with
regard to exclusivity?
3. What considerations are adopted for the
disclosure of information "when what?"
especially incident related information passed
on to other teams or to sites?
32

33. Information security policy
4. Are there legal considerations to take into
account with regard to information handling?
5. Do you have a policy on use of cryptography
to shield exclusivity & integrity in archives
and/or data communication, especially e-
mail.
6. This policy must include possible legal
boundary conditions such as key escrow or
enforceability of decryption in case of
lawsuits.
33

34. Information Security policy
 National
 Laws on information technology
 Laws on data protection and privacy
 Codes of conduct for corporate governance and IT
Governance
 European directives
 Directives on data protection and electronic
communication
 International
 Basel II, Eu. Convention on Cybercrime
 Standards
 BS 7799
 ISO 27001
34

35. Search for cooperation
ENISA
National initiatives
TF-CSIRT
WARPS
FIRST
35

36. Promoting your business plan
 It visualizes the trends in IT
security, especially the decrease
in the necessary skills to carry
out increasingly sophisticated
attacks.
 Another point to mention is the
continuously shrinking time
window between the availability
of software updates for
vulnerabilities and the starting
of attacks against them
36

37. Promoting your business plan
Viruses Timeline
Patch -> Exploit Spreading rate
Nimda 11 month Code red Days
Slammer 6 month Nimda Hours
Nachi 5 month Slammer Minutes
Blaster 3 weeks
Witty 1 day (!)
37

38. Business plan & Management
What is the problem?
What would you like to achieve with
your constituents?
What happens if you do nothing?
What happens if you take action?
What is it going to cost?
What is going to gain?
When do you start and when is it
finished?
38

39. Short wrap-up
 How is information handled within your
organization
 Do you have a Information security policy?
 Do you know other CSIRTs?
 Could you share incidents that can help the
promotion of a CSIRT business plan?
 Discuss your potential business plan
39

40. Operational Procedures
Focus on basic services first!
 Alerts and Warnings
 Incident handling
 Announcements
40

41. Information process flow
41

42. Information process flow
Information Sources:
• Vulnerability information
• Incident reports
• Public and closed sources
for vulnerability information:
- Public and closed mailing lists ! Vendor vulnerability
product information
- Websites
- Information on the Internet
- Public and private partnerships that provide
vulnerability information (FIRST, TF- CSIRT, CERT-
CC, US-CERT.)
42

43. Information process flow
 Identification
 Trustworthy source of information
 Correct information
• Cross checked with other sources
 Relevance
 Impact to the IT infrastructure of the constituent
 Classification of information
 Risk assessment & impact analysis
 Impact = Risk x potential damage
43

44. Information process flow
Risk assessment & impact analysis
RISK
Is the vulnarability widely known? No, limited 1 Yes, public 2
Is the vulnarability widely exploited? No 1 Yes 2
Is it easy to exploit the vulnerability? No, hacker 1 Yes, script kiddie 2 11,12 High
Precondition: default configuration? No. specific 1 Yes, standard 2 8,9,10 Medium 0
Precondition: physical access required? Yes 1 No 2 6,7 Low
Precondition: user account required? Yes 1 No 2
Damage
Unauthorized access to data No 0 Yes, read 2 Yes, read + write 4 6 t/m 15 High
DoS No 0 Yes, non-critical 1 Yes, critical 5 2 t/m 5 Medium 0
Permissions No 0 Yes, user 4 Yes, root 6 0,1 Low
OVERALL
High Remote root >> Imediately action needed!
Local root exploit (attacker has a user account on the machine)
Denial of Service
Medium Remote user exploit >> Action within a week
Remote unauthorized access to data
Unauthorized obtaining data
Local unauthorized access to data
Low Local unauthorized obtaining user-rights >> Include it in general process
Local user exploit
44

45. Information process flow
Distribution of information
 Website
 Email
 Reports
 Archiving and research
Title of the advisory
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
Reference number
ÉÉÉÉÉÉÉÉÉÉÉ
S ystems affected
- ÉÉÉÉÉÉÉÉÉÉÉ
- ÉÉÉÉÉÉÉÉÉÉÉ
Related OS + ve rsion
ÉÉÉÉÉÉÉÉÉÉÉ
Risk (Hi gh-Medium-Low)
ÉÉÉ
Impact/potenti al damage (Hi gh-Medium-Low)
ÉÉÉ
External idÕs
: (CVE, Vu lnerabi lity bullet in IDÕs)
É ÉÉ É
Overview of vu lnerability
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉ ÉÉÉÉÉÉÉÉÉÉÉ
Impact
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
S olution
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
Description (details)
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ Example of an Advisory
Appendi x
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
É ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
ÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉÉ
45

46. Incident handling process
46

47. Incident Handling process
1. Receiving incident reports
 Email
 Phone
 Fax
2. Incident Evaluation
 Identification
 Relevance
 Classification
 Triage
3. Take action
47

48. Incident handling process
Actions
 Start incident ticket
 Essential for solving the incident and communicating
with the involved constituents.
 Solve the incident
 Preserving any information which may needed for
prosecution takes carefully planned action!
 Incident handling report
 Archiving
NOTE: Each type of incident calls for different actions!
48

49. Wrap-up
1. Understanding what a CSIRT is.
2. What sector do you deliver your services to?
3. What kinds of services can a CSIRT provide to its
constituents?
- Analysis of the environment and constituents
- Defining the mission statement
4. Defining your goals
- Defining your Cost model
- Defining the organizational model
- Starting to hire your staff
- Utilizing your office
- Defining the needed Security policy
- Looking for cooperation partners
5. Dealing with matters of project management
- Have the business case approved
- Fit everything into a project plan
6. Making the CSIRT operational.
- Creating workflows
- Implementing CSIRT tooling
The next step is: training your staff
49

50. Workflow 2nd example
Producing an advisory
Bullet in Microsoft Security Bullet in MS06-042
Identifier
Bullet in Title Cumulative Security Update for Internet Explorer (918899)
Executive T his update resolves s e
veral vulnerabilities in I nternet E xplorer that
Summa ry could allow remote code execution.
Maximum C riti al
c
Severity Rating
Impact of Remote Code Exec ut
ion
Vulnerability
A f fected Windows, Internet Explorer. For mo information, s ee the Affected
re
Software Software and Download Locations sec t
ion.
50

51. Workflow 2nd example
Collecting vulnerability
information
 Verify the authenticity on
vendor website
 Gather more details on
 The vulnerability
 Affected systems
51

52. Workflow 2nd example
Evaluate information
Assess the risk
RISK
Is the vulnerability well known? Y
Is the vulnerability widespread? Y
Is it easy to exploit the Y
vulnerability?
Is it a remotely exploitable Y
vulnerability?
Damage
Remote accessibility and chance of remote code execution.
This vulnerability contains multiple issues which make the damage
risk HIGH.
52

53. Workflow 2nd example
Distribution of information
Title of advisory
M ultiple vulnerabilities found in Internet explorer
Reference number
082006-1
S ystems affected
1. All desktop systems that run Microsoft
Related OS + version
 Microsoft Windows 2000 Service Pack 4
 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
 Microsoft Windows XP Profes sional x64 Edition
 Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
 Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server
2003 with SP1 for Itanium-based Systems
 Microsoft Windows Server 2003 x64 Edition
Risk (High-Medium-Low)
HIGH
Impact/potenti al damage (High-Medium-Low)
HIGH
External idÕs
: (CVE, Vu lnerability bulletin IDÕs)
M S-06-42
Overview of vu lnerability
Microsoft has found several critical vulnerabilities in Internet Explorer which can lead too remote
code execution.
Impact
An attacker could take complete control over the system, installing programs, adding users and vie,
change or delete data. Mitigating factor is that the above only can take place if the user is logged in
with administrator rights. Users logged on with less rights could be less impacted.
S olution
Patch your IE immediately
Description (details)
See for more information ms06-042.mspx
Appendi x
See for more information ms06-042.mspx
53

54. ENISA and CSIRTs
Mission
 Promote and facilitate good practice in setting-up and running of
CSIRTs / WARPs / Abuse Teams / etc.
 Encourage cooperation between different actors
 Develop relations to the various CERT/CSIRT communities
 Support their activities
 Run a Working-Group with external experts

55. How ENISA supports CSIRT community?
Promote best practice!
2005: 2006: 2007: 2008: 2009: 2009:
Stocktaking Setting up & Support CERT Exercises CERT CERT Baseline
Cooperation Operation Exercises Capabilities
Quality Report Document
Assurance
[…]

56. Stay in touch with ENISA!
http://www.enisa.europa.eu/act/cert

57. THANK YOU!
Contact:
Andrea DUFKOVA
Section for Computer Security and
Incident Response
ENISA
cert-relations@enisa.europa.eu