PTA CERT-Hungary's Incident handling practice CERT Hungary
Incident descriptions
• Computer fingerprinting: actions performed in order to gather information about a target. Techniques: probing, scanning, DNS interrogation, Ping.
• Malicious code: Target host compromised via independent program execution. Techniques: Conscious or unconscious independent program execution.
• Denial of Service: Repeated target access that overloads capacity or otherwise disrupts a service. Techniques: Execute programs which perform endless requests of computer resources such as: memory, CPU time, TCP–UDP connections, disk space.
• Account compromise: Unauthorised access to a system, or system resource, at sys-admin (root) or user level. Techniques: Exploit, either locally or remotely, software vulnerabilities in order to obtain unauthorised access to user accounts. The same result can also be obtained using credentials which have been illegally obtained (stolen, intercepted, coerced).
• Intrusion attempt: Attempted unauthorised access to a computer system. Techniques: Either trying to gain access to a system by guessing users’ credentials, or trying to perform any of the attack vectors described herein, unsuccessfully.
• Unauthorised access to information: Attempts to obtain unauthorised access to data. Techniques: Trying to gain access, either locally or remotely, to data circumventing access control mechanisms.
• Unauthorised access to transmission: Interfering without right and by technical means with non-public transmissions of computer data to, from, or within a computer system. Techniques: Intercepting network packets, injecting packets into traffic flow and removing packets from traffic flow.
• Unauthorised modification of information: Unauthorised modification of information that is held electronically on a computer system. Techniques: Local or remote modification, or creation of any kind of data, which resides in a computer without the required authorisation.
• Unauthorised access to communication systems: Unauthorised use of a communication system. Techniques: Modify configuration settings of communication systems in order to gain personal advantage of their use.
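As an added illustration (not from the CERT-Hungary slides), the following Python shows how a CSIRT sensor could label raw log events with three of the categories above (computer fingerprinting via scanning, intrusion attempt via credential guessing, denial of service via repeated requests) using sliding-window thresholds. The log line format, the host names and addresses, and the thresholds are all constructed assumptions for this example.

```python
"""Added example (not from the CERT-Hungary slides): flag events in a sensor
log as incidents of three taxonomy categories using sliding-window thresholds.
Log format, hosts, addresses and thresholds are constructed assumptions."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample log (syslog-like, one event per line; addresses come from
# the RFC 5737 documentation ranges and do not refer to real systems).
SAMPLE_LOG = "\n".join(
    # one source probing 12 different ports on one host within 12 seconds
    [f"2024-01-15T10:00:{i:02d} fw SYN src=203.0.113.5 dst=192.0.2.10 dport={20 + i}"
     for i in range(12)]
    # 8 failed root logins from one source within 8 seconds
    + [f"2024-01-15T10:05:{i:02d} sshd FAILED src=198.51.100.7 dst=192.0.2.20 user=root"
       for i in range(8)]
    # 120 requests from one source in 12 seconds (10 per second)
    + [f"2024-01-15T10:10:{i // 10:02d} www GET src=203.0.113.9 dst=192.0.2.30 path=/"
       for i in range(120)]
    # benign: one mistyped password, then a successful login (raises nothing)
    + ["2024-01-15T10:20:00 sshd FAILED src=198.51.100.8 dst=192.0.2.20 user=alice",
       "2024-01-15T10:20:30 sshd ACCEPTED src=198.51.100.8 dst=192.0.2.20 user=alice"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<sensor>\S+) (?P<event>\S+) (?P<kv>.*)$")


@dataclass
class Event:
    ts: datetime
    sensor: str
    event: str
    fields: dict


def parse_log(text: str) -> list:
    """Parse the constructed line format into Events, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        events.append(Event(datetime.fromisoformat(m["ts"]), m["sensor"], m["event"], fields))
    return sorted(events, key=lambda e: e.ts)


@dataclass(frozen=True)
class Rule:
    category: str            # incident category from the taxonomy above
    technique: str           # technique wording from the taxonomy above
    event: str               # log event type the rule watches
    distinct: Optional[str]  # count distinct values of this field, or raw events if None
    threshold: int           # assumed threshold (tune per constituency)
    window: timedelta        # assumed sliding window


RULES = [
    Rule("Computer fingerprinting", "scanning", "SYN", "dport", 10, timedelta(seconds=60)),
    Rule("Intrusion attempt", "guessing users' credentials", "FAILED", None, 5, timedelta(minutes=5)),
    Rule("Denial of Service", "endless requests of computer resources", "GET", None, 100,
         timedelta(seconds=30)),
]


@dataclass(frozen=True)
class Incident:
    category: str
    technique: str
    source: str
    target: str
    evidence: int  # number of events (or distinct values) in the window when raised


def classify(events: list, rules=RULES) -> list:
    """Raise at most one Incident per (rule, source, target) once a window crosses its threshold."""
    incidents = []
    windows = defaultdict(deque)  # (rule, src, dst) -> deque of (timestamp, distinct value)
    raised = set()
    for e in events:
        for r in rules:
            if e.event != r.event:
                continue
            key = (r, e.fields.get("src"), e.fields.get("dst"))
            win = windows[key]
            win.append((e.ts, e.fields.get(r.distinct) if r.distinct else None))
            while win and e.ts - win[0][0] > r.window:
                win.popleft()  # drop events older than the window
            count = len({v for _, v in win}) if r.distinct else len(win)
            if count >= r.threshold and key not in raised:
                raised.add(key)
                incidents.append(Incident(r.category, r.technique, key[1], key[2], count))
    return incidents


if __name__ == "__main__":
    for inc in classify(parse_log(SAMPLE_LOG)):
        print(f"{inc.category:24} {inc.technique:40} {inc.source} -> {inc.target} ({inc.evidence} events)")
```

On the constructed log this yields exactly three incidents (the single failed login followed by a success raises nothing); the thresholds are illustrative and a real sensor would tune them per constituency and feed the result into the incident handling system rather than print it.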
Incident Handling
• Incident handling involves receiving, triaging, and responding to requests and reports, and analyzing incidents and events.
• Particular response activities can include:
  • taking action to protect systems and networks affected or threatened by intruder activity
  • providing solutions and mitigation strategies from relevant advisories or alerts
  • looking for intruder activity on other parts of the network
  • filtering network traffic
  • rebuilding systems
  • patching or repairing systems
  • developing other response or workaround strategies
• Since incident handling activities are implemented in various ways by different types of CSIRTs, this service is further categorized based on the type of activities performed and the type of assistance given.
• Incident analysis: examination of all available information and supporting evidence or artifacts related to an incident or event
  • Forensic evidence collection
  • Tracking or tracing
• Incident response on site: The CSIRT provides direct, on-site assistance to help constituents recover from an incident.
• Incident response support: The CSIRT assists and guides the victim(s) of the attack in recovering from an incident via phone, email, fax, or documentation.
• Incident response coordination: The CSIRT coordinates the response effort among the parties involved in the incident. This usually includes the victim of the attack, other sites involved in the attack, and any sites requiring assistance in the analysis of the attack. GovCERTs coordinate the whole incident response process as the National Point of Contact.
CSIRT teams
• International coordination centers: Obtain a knowledge base with a global perspective of computer security threats through coordination with other CSIRTs.
• National teams: Maintain a national point of contact for computer security threats and reduce the number of security incidents perpetrated from or targeted at systems in that country. (GovCERTs)
• Network Service Provider teams: Provide a secure environment for the connectivity of their customer base. Provide an effective response to their customers for computer security incidents.
• IT vendors: Improve the security of their products.
• Corporate teams: Improve the security of the corporation’s information infrastructure and minimize the threat of damage resulting from attacks and intrusions.
• GovCERTs: International coordination + National coordination + ISP coordination + Vendor coordination, based on the constituency's needs
CERT-Hungary
• Incident coordination as the Hungarian NPOC (National Point of Contact)
• Incident handling service for our constituency
• Incident handling and coordination for the Hungarian Critical Information Infrastructure
• Incident analysis service for the constituency (based on contracts)
• Daily reports to authorities
• Trend reports
• Information sources: Constituency, CERT community, Shadowserver Foundation, other sources
• Request Tracker for Incident Response (RTIR): incident handling system
• Incident database: statistics and trend reports
• Sensor and early warning system
• Hungarian vulnerability database