RU-CERT: founded in 1998; since 2008 it has had independent legal status. Staff: 5 (full time), 8 (reserve). Constituency: all users of the Russian Federation. Incidents: almost all cases except SPAM. Currently RU-CERT is the only official computer emergency response team in the RF (FIRST and TI member).


Presentation Transcript


  1. Founded in 1998; since 2008 RU-CERT has had independent legal status.
     • Staff: 5 (full time), 8 (reserve)
     • Constituency: all users of the Russian Federation
     • Incidents: almost all cases except SPAM
     • Currently RU-CERT is the only official computer emergency response team in the RF (FIRST and TI member)

  2. Incident processing: sources of information (INPUT)
     • e-mail: about 75-80%
     • RU-CERT-initiated information requests (e.g. PhishTank): 15-20%
     • phone calls: about 5%

  3. Incident response (OUTPUT)
     • E-mail message requesting that the source of the incident be blocked or removed, with information about the malware/bot/virus on the source host for further investigation
     • Consultation (extremely seldom)
     • Participation in blacking out incidents (DDoS)
     • RU-CERT has no authority to force resource owners to take any measures; we can only try to persuade them
     • RU-CERT sends a notification after measures have been taken only on request
     • Main types of incidents: phishing, malware, scanning/password brute-forcing, DoS/DDoS, leakage of personal and account data

  4. Incident handling system: technical details
     • Software: FreeBSD, PostgreSQL, Perl, Exim, Apache, ClamAV + SpamAssassin, Dovecot, pf
     • Applications used:
       • IMAP4 (shared folders, mail archive and delivery lists)
       • SSL frontend: stunnel in a jail; offline CA, for server certificates only (so far)
       • Apache 2, Basic Auth, CGI/Perl

  5. Incident handling system: main tasks
     • Parsing of mail messages
     • Verification of the complaint's facts (where possible)
     • Chaining of similar incidents, duplicate checking, etc.
     • Search for the best contacts
     • Generation of complaints
     • Monitoring of complaint status, waiting for a response
     • Closure of the complaint, archiving, statistics gathering

  6. A web-based interface provides all interaction with the system.

  7. Features
     • We use the Tor infrastructure to monitor resources
     • The contact subsystem is integrated with a (constantly improved) information service (whois, cymru.com, ripe.net)
     • Resource monitoring to extract links related to RUNET (PhishTank)
     • The contact database is corrected depending on search results and responses
     • Calculation of a "reaction index" for resources and contacts, and a resource "security index" (planned)
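The pipeline sketched in slides 5 and 7 (parse the complaint, chain duplicate reports on the same resource, find the best abuse contact, draft the notification, and score contacts by how they have reacted before) can be illustrated in a few dozen lines. The following is an added example written for this page, not RU-CERT's own code: the complaint mails, the contact table and the response history are constructed inline, the contact table stands in for the whois/RIPE/cymru lookups the slides mention, and the "reaction index" is given an assumed definition (share of past complaints answered within 24 hours), since the slides do not define it.

```python
"""Toy incident-handling pipeline (added example, not RU-CERT's system).

parse complaint mail -> extract offending resource -> chain duplicates within a
time window -> pick an abuse contact -> draft a notification -> score contacts by
past reaction.  All data below is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r'https?://[^\s<>"]+')

# Constructed sample complaints; "received" stands in for the mail Date header.
SAMPLE_MAIL = [
    {"from": "abuse-desk@example.org", "received": "2008-03-01 09:15",
     "body": "Fake bank login at http://203.0.113.7/login/ please take down"},
    {"from": "abuse-desk@example.org", "received": "2008-03-01 09:40",
     "body": "Still up: http://203.0.113.7/login/index.php"},
    {"from": "noc@example.net", "received": "2008-03-02 11:00",
     "body": "Password guessing from 198.51.100.23 against our hosts"},
    {"from": "victim@example.com", "received": "2008-03-02 12:30",
     "body": "Received link http://phish.example/lk/?u=1"},
]

# Constructed contact table keyed by /24 prefix or domain (stands in for whois data).
CONTACTS = {
    "203.0.113.0/24": "abuse@hoster-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
    "phish.example": "abuse@registrar-c.example",
}

# Constructed response history: (contact, complaint sent, answer received or None).
HISTORY = [
    ("abuse@hoster-a.example", datetime(2008, 1, 5, 10), datetime(2008, 1, 5, 15)),
    ("abuse@hoster-a.example", datetime(2008, 2, 1, 9), None),
    ("abuse@isp-b.example", datetime(2008, 1, 9, 8), datetime(2008, 1, 20, 8)),
]


def extract_resource(body):
    """Return the offending host: the host of the first URL, else a bare IPv4 address."""
    m = URL_RE.search(body)
    if m:
        return urlsplit(m.group(0)).hostname
    m = IPV4_RE.search(body)
    return m.group(0) if m else None


def chain_incidents(mails, window=timedelta(hours=24)):
    """Open one incident per resource; a further report on the same resource within
    `window` is attached to the open incident as a duplicate instead of a new case."""
    incidents = []
    for mail in mails:
        res = extract_resource(mail["body"])
        if res is None:
            continue  # nothing actionable in the complaint
        when = datetime.strptime(mail["received"], "%Y-%m-%d %H:%M")
        for inc in incidents:
            if inc["resource"] == res and when - inc["opened"] <= window:
                inc["reporters"].append(mail["from"])
                inc["duplicates"] += 1
                break
        else:
            incidents.append({"resource": res, "opened": when,
                              "reporters": [mail["from"]], "duplicates": 0})
    return incidents


def best_contact(resource):
    """Exact domain match first, otherwise the /24 holding the IP address."""
    if resource in CONTACTS:
        return CONTACTS[resource]
    if IPV4_RE.fullmatch(resource):
        return CONTACTS.get(resource.rsplit(".", 1)[0] + ".0/24")
    return None


def draft_complaint(inc):
    """Build the notification text the slides describe (block/remove request)."""
    contact = best_contact(inc["resource"])
    body = (f"To: {contact}\nSubject: [RU-CERT] abuse report for {inc['resource']}\n\n"
            f"{len(inc['reporters'])} report(s) received since {inc['opened']:%Y-%m-%d %H:%M} "
            f"concerning {inc['resource']}. Please block or remove the source and keep any "
            "malware samples from the host for further investigation.")
    return contact, body


def reaction_index(history, limit=timedelta(hours=24)):
    """Assumed definition: share of a contact's past complaints answered within `limit`."""
    sent, fast = defaultdict(int), defaultdict(int)
    for contact, sent_at, answered_at in history:
        sent[contact] += 1
        if answered_at is not None and answered_at - sent_at <= limit:
            fast[contact] += 1
    return {c: round(fast[c] / sent[c], 2) for c in sent}


if __name__ == "__main__":
    for inc in chain_incidents(SAMPLE_MAIL):
        contact, _ = draft_complaint(inc)
        print(f"{inc['resource']}: {inc['duplicates']} duplicate(s) -> {contact}")
    print(reaction_index(HISTORY))
```

Running the block collapses the four constructed mails into three incidents (the second phishing report is chained to the first) and rates the two contacts 0.5 and 0.0, which is the kind of figure the slides call a contact "reaction index" and could feed the choice of whom to notify first.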

  8. Statistics: general

  9. Statistics
     • E-mail response percentage
       • 2008: 45 of 737 (6.1%)
       • 2007: 40 of 874 (4.6%)
     • Incidents/complaints ratio
       • 2008: 2966 incidents, 3706 complaints
       • 2007: 5693 incidents, 7782 complaints
     • Mail input/output ratio (per incident)
     • Number of mail recipients
       • 2008: 607
       • 2007: 498
     • Average time between sending a notification and measures being taken
       • 13 days
       • 30-35% within 24 hours

  10. Plans for the future
     • RU-CERT has a chance (at least we think so) to play a more significant role in the RF computer security infrastructure than it does now
     • RU-CERT's ambition is to become a CERT/CC
     • Assistance in establishing an infrastructure of trusted CSIRT-like teams in the RF
     • Collaboration with the largest providers in developing DDoS attack countermeasures
     • Improvement of the information service to gather and accumulate information about network resources (black lists ??)
     • Coordination of the activities of different state and commercial organizations to combat cybercrime
