16. Our Lego
Objects we care
- Timestamp
- (category – virus, break-in, DDoS, defacement, SSH doorknock)
- IP
- FQDN – fully qualified domain name
- URL (http://www.somewhat.md/infection.exe)
- An executable (.exe)
- MD5("The quick brown fox jumps over the lazy dog") = 9e107d9d372bb6826bd81d3542a419d6
17. Important considerations
Main equations
- technical control != content control
- IP address as private data? == a trap
18. Where to find information?
Passive DNS
Netflow statistics
Listening to the Ethernet directly
Webproxy logs
Statistics, hostcount, ...
These are standard tools present in router OSs.
Intel exchange with partners.
Honeypots.
19. Freedom on the Internet
Candidate information to be censored:
tax motivated sites
"bad" information:
- abortion
- pr0n, CP
- violence
"extremism"
- incl. religious
- device design blueprints, incl. (c)
20. Freedom of information
methods of control
- surveillance
- filtering out (DNS or action based)
- redirection
- intrusion
- combined
It is extremely important to draw a watershed between:
- Technical monitoring (for viruses, for CNC (command-and-control) IPs)
- Content monitoring (for the word "terrorist")
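The following is an added example, not code from the slides or from CERT-EE. It turns the "Lego" objects of slide 16 (timestamp, category, IP, FQDN, URL, executable hash) into a validated indicator record, then applies the slide 20 distinction to constructed netflow and web-proxy observations of the kind slide 18 lists: a hit is declared only on the technical fields (destination IP, FQDN, file MD5), and the body text of a page is carried along purely to show that it is never consulted. The feed format `ts|category|ip|fqdn|url|md5`, the `Indicator`/`Event` records, the IP addresses and the log lines are all constructed for this example.

```python
"""Added example: technical indicators (slide 16) matched against constructed
netflow / webproxy events, content deliberately ignored (slide 20)."""
import hashlib
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Event categories from slide 16, lower-cased for matching.
CATEGORIES = {"virus", "break-in", "ddos", "defacement", "ssh-doorknock"}
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


@dataclass(frozen=True)
class Indicator:
    """One 'Lego brick': only the technical objects the slide lists."""
    timestamp: str            # ISO 8601 text, as delivered by the (constructed) feed
    category: str
    ip: Optional[str] = None
    fqdn: Optional[str] = None
    url: Optional[str] = None
    md5: Optional[str] = None


def md5_hex(data: bytes) -> str:
    """MD5 as on slide 16: a file identifier for matching, not a security primitive."""
    return hashlib.md5(data).hexdigest()


def parse_indicator(line: str) -> Indicator:
    """Parse one line of the constructed 'ts|category|ip|fqdn|url|md5' feed, validating every field."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 6:
        raise ValueError(f"expected 6 fields: {line!r}")
    ts, cat, ip, fqdn, url, md5 = parts
    cat = cat.lower()
    if cat not in CATEGORIES:
        raise ValueError(f"unknown category {cat!r}")
    if ip:
        ipaddress.ip_address(ip)              # raises ValueError on anything that is not an address
    if fqdn and not FQDN_RE.match(fqdn):
        raise ValueError(f"bad FQDN {fqdn!r}")
    if url:
        split = urlsplit(url)
        host = split.hostname or ""
        if split.scheme not in ("http", "https") or not FQDN_RE.match(host):
            raise ValueError(f"bad URL {url!r}")
        fqdn = fqdn or host                   # a URL indicator implies its FQDN
    md5 = md5.lower()
    if md5 and not MD5_RE.match(md5):
        raise ValueError(f"bad MD5 {md5!r}")
    return Indicator(ts, cat, ip or None, fqdn or None, url or None, md5 or None)


def is_valid_indicator(line: str) -> bool:
    try:
        parse_indicator(line)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Event:
    """A constructed observation: a netflow record or a web-proxy log line."""
    source: str                       # "netflow" or "webproxy"
    src_ip: str
    dst_ip: Optional[str] = None
    url: Optional[str] = None
    body_md5: Optional[str] = None    # hash of a downloaded executable, if the proxy saw one
    body_text: Optional[str] = None   # page content: present only to show it is NOT inspected


def technical_matches(events: List[Event], indicators: List[Indicator]) -> List[Tuple[str, List[str]]]:
    """Technical monitoring: match on IP / FQDN / hash only, never on words in the content."""
    ips = {i.ip for i in indicators if i.ip}
    fqdns = {i.fqdn for i in indicators if i.fqdn}
    hashes = {i.md5 for i in indicators if i.md5}
    hits = []
    for ev in events:
        reasons = []
        if ev.dst_ip in ips:
            reasons.append(f"dst_ip {ev.dst_ip}")
        if ev.url and (urlsplit(ev.url).hostname or "") in fqdns:
            reasons.append(f"fqdn {urlsplit(ev.url).hostname}")
        if ev.body_md5 in hashes:
            reasons.append(f"md5 {ev.body_md5}")
        if reasons:
            hits.append((ev.src_ip, reasons))
    return hits


FOX_MD5 = md5_hex(b"The quick brown fox jumps over the lazy dog")   # the slide's own example

# Constructed feed: documentation-range IPs, the slide's sample URL and hash.
FEED = [
    "2011-04-01T10:00:00Z|virus|198.51.100.7|www.somewhat.md|http://www.somewhat.md/infection.exe|" + FOX_MD5,
    "2011-04-01T10:05:00Z|ssh-doorknock|203.0.113.9|||",
]

# Constructed observations from a netflow collector and a web proxy.
EVENTS = [
    Event("netflow", "10.0.0.5", dst_ip="198.51.100.7"),
    Event("webproxy", "10.0.0.8", url="http://www.somewhat.md/infection.exe", body_md5=FOX_MD5),
    Event("webproxy", "10.0.0.9", url="http://news.example/article",
          body_text="... the word terrorist appears in this article ..."),   # content only: no hit
    Event("netflow", "10.0.0.5", dst_ip="192.0.2.1"),
]


def run_example() -> List[Tuple[str, List[str]]]:
    return technical_matches(EVENTS, [parse_indicator(line) for line in FEED])


if __name__ == "__main__":
    for src, reasons in run_example():
        print(src, "->", ", ".join(reasons))
```

Only the two sources talking to a listed IP or fetching the listed URL/file are reported; the proxy line whose page merely contains a flagged word produces nothing, which is the whole point of keeping a CERT on the technical side of the watershed.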
22. CERT vs LEO
• CERT and the community
Trusted communities
Data feeds
• CERT vs intel
Technical – IP, FQDN, ASN (vs content)
A nightman job – plumbing and pipes
- a cesspool cleaner's work
23. Philosophy behind the CERT
• Technical intelligence
is the foundation for any CERT
• Event vs incident. Ticketing.
15 min rule vs reporting & statistics needs
• Reporting
earning our salary
People are the heart of a CERT
24. Philosophy behind the CERT (2)
• Standard secrecy on the input
Takes time to declassify
Enables LEO and mil contacts
• Mobile threats
Cloud
Automated authentication, joint IDs
25. Incidents (1)
* DDoS (2007 and further)
* malware
- Zeus/SpyEye, Sinowal, etc.
- drive-by infections
- forum poisoning
- false positive on svchost.exe
- phishing letter from E-bay
- tax related mail accounts
26. Incidents (2)
- e-mail offending the President
- intrusion somewhere (a registrar, a webhoster)
- authentication library on "a system"
- an APT ( = Advanced Persistent Threat)
- Tasmanian BGP → core network routers down
- anchor related incidents (Baltic Sea)
27. Incidents (3)
- domain related incidents
- assessing technology incidents (RSA, DN, ID)
- comments on public and PR incidents (firesheep)
- testimonies at the court (Allaple)
- lecturing (at universities, schools …)
- i-voting tech support
28. What we do not do
(but sometimes we can act as an intermediary)
- assist private persons (but sometimes ...)
- repairing somebody's installation
- copyright enforcement
- filtering
- content intelligence
- pr0n, CP handling
29. People
Seven (7)
• Qualifications:
- HelpDesk capability
- network admin
- programmer, coder
- teacher, lecturer
- CIO or CISO or CISA
- system analyst
- technical writer
30. Duties
- contact point
- incident handling
- advisories on threats
- reporting
- alerting
- consultancy
- input to legislators
- bringing people together
- awareness raising
- http://vimeo.com/22067817
31. Systems
• Mostly free software
• Linux/BSD
• FireShark, tcpdump, ...
• AbuseHelper (see bitbucket, ClarifiedNetworks)
• S4A (Snort for all)
• VSR – Virtual Situation Room, (see bb, C)
35. CIIP
Critical Information Infrastructure Protection
• 2 whales: Communication & Energy
• The Emergency Law: Vital Services – 43 fields
- PVS - Provider of (a) vital service
- IOCO - The Institution Organizing the Continuous Operation (of vital services)
- CI - Co-ordinating Institution (in charge of containing and resolving the emergency)
http://valitsus.ee/en/government-office/government-communication/handbook/crisis-communication
http://ee.vlex.com/vid/emergency-act-siseministeeriumi-204964755
36. CIIP workflow
Define vital (critical) areas
Analyze dependencies
- foundation: energy and communications
- ICT
- other, not directly related to ICT
Define or list vital providers
Communicate, analyze
38. Telco
• Vital providers in telco field:
- 420 of these in the entrepreneurs DB
- 3-4-5 large ones
- by the definition
* has an interchange point
39. Supervision Dept
- ISKE - Information Systems Three-Level Security Baseline (cf. IT-Grundschutz by BSI, .de)
- Incident reports, CERT-EE Incidents DB
- Compliance
Problems / deficiencies noted by CERT or CIIP
https://www.bsi.bund.de/ContentBSI/Aktuelles/Veranstaltungen/gstag/gstag_201010.html
40. Thank You!
Anto Veldre
www.ria.ee | anto.veldre@cert.ee | +372 663 0200
Estonian Information System's Authority | Rävala 5, 10112
Tallinn, Estonia