S-CURE Security by Organisation

Cooperation of CSIRTs: does it work? does it help?

Guilin, China, March 2005 (Lunar year 4703)

Don Stikvoort
[email protected]

A short history of the Internet

& of incident response cooperation

1969 – 1988

• Internet childhood
  security is not an issue

• Arpanet 1969 USA only
• 1969 – now: number of hosts doubles each year
• TCP 1974
• TCP/IP 1978
• 1980s: growth outside USA but still research

1988 – 1992

• The Internet loses its innocence
  the foundation of FIRST

• 70,000 hosts in 1988
• 2 November 1988: the Morris worm
• December 1988: CERT founded, soon followed by other US teams
• October 1989: WANK worm
• November 1990: creation of FIRST
  – 10 US teams, 1 from Europe (SPAN)

1992 – 1996

• The Internet matures
  the “CERT system” expands in other regions

• 1992: CERT-NL founded (The Netherlands)
• 1993: AUSCERT founded (Australia)
• Late 1993: first meeting of European teams
• 1996: report “CERTs in Europe” basis for further development in Europe
• FIRST grows as only CSIRT forum worldwide

1996 – 2000

• The Internet becomes business
  FIRST grows global & regional initiatives thrive

• 1997-9: EuroCERT
  – Failed due to “too much too soon”
• 2000: TF-CSIRT & the Trusted Introducer
• 1997: APSIRC founded
• 1998: FIRST conference in Mexico
  – beginning of “professionalisation”

2000 – today

• The Internet becomes critical infrastructure
  A grimmer world needs solid measures

• 11 September 2001 marks a genuine change in security awareness
• Rise of government CSIRTs
  – 2002: GOVCERT.NL set up in 3 months
  – 2003: APCERT founded in Asia-Pacific region
• Issues:
  – Critical infrastructure protection (CIP)
  – Global, regional and national cooperation
  – Crime fighting
• Organised crime exploits the Internet

Put in Perspective

- 800,000 years: Lantian “homo erectus”
- 80,000 y: Guangxi “homo sapiens”
- 8,000 y: Yangshao and Longshan cultures
- 800 y: Xia dynasty
- 80 y: wars mark start of modern age
- 36 y: birth of the Internet
- 17 y: the Morris worm brings the Internet down
- 8 y: the Internet becomes the foremost worldwide communication tool for business and pleasure
- 3 y: organized crime starts targeting companies through the Internet

CSIRT Cooperation Examples

CERT (i)

• Event:
  – “There may be a virus loose on the internet.” (Andy Sudduth of Harvard, 34 minutes after midnight, 3 November 1988)
  – A worm written by 23-year-old Robert T Morris
    • Not meant to bring harm but only to spread
    • Took down systems due to programming errors
  – 10% of the 70,000 Internet hosts went down, many more were taken offline
• Follow-up:
  – 8 November 1988: DARPA post mortem meeting:
    • Worm was analysed quickly, but:
    • Lack of communication between sites
  – Coordination and research of incidents needed
• Result:
  – 17 November 1988: CERT created at SEI/CMU in Pittsburgh
  – http://www.cert.org/

CERT (ii)

• Success factors:
  – Caused by a shocking event
  – Longtime stable funding
  – Based in “feeding” environment (SEI)
  – Ability to adapt to changing needs
• Fail factors:
  – Original constituency (the Internet) became too big
  – Slowed down by own success
  – US centric
• Current status:
  – No longer focal point of vulnerability handling
  – Still the world’s foremost CSIRT
  – Most important source of thinking and courses in CSIRT area
  – Highly influential

FIRST (i)

• Event:
  – October 1989: WANK and OILZ worms infected DECNET systems
  – CERT, CIAC and NASA team researched the worms together and issued warnings
• Follow-up:
  – Stimulated further cooperation
• Result:
  – November 1990: FIRST founded by 10 members from the US and 1 from Europe
  – FIRST - the Forum of Incident Response and Security Teams

FIRST (ii)

• Success factors:
  – Caused by a shocking event followed by similar events
  – Built on the necessity for CSIRTs to work together
  – Only worldwide CSIRT forum
  – Brings together the top experts in the field
  – Neutral “interconnect” for vendors and others
  – Low cost / low overhead
• Fail factors:
  – Too much depends on too few
  – Reluctance of members to share information
  – Lack of corporate & political influence
  – Too slow change into funded, service oriented organisation
  – Regional “competitors” (TF-CSIRT, APCERT)
• Current status:
  – Still the foremost worldwide CSIRT forum
  – Grown to 180 members (March 2005)
  – Service orientation & professional attitude rapidly improving
  – Regional orientation (TCs, TRANSITS courses)

FIRST membership

[Chart: FIRST Members by year, 1990–2003. X axis: Year; Y axis: Number of FIRST Teams (0–180). Series: Latin America, Asia/Pacific, Europe, North America.]

EuroCERT (i)

• Event:
  – No significant event
  – Need to have European incident coordination independent from US funding
• Follow-up:
  – European CSIRTs worked together and with (mainly) CERT/CC, CIAC and AusCERT from 1993 onwards
  – 1996 Task Force “CERTs in Europe”
• Result:
  – EuroCERT founded in 1997
    • At first only collecting CSIRT data
    • Later to add incident coordination
    • Finally followed by support and research
  – EuroCERT was conceived as a European CERT/CC, to coordinate with other regional peers
    • Hierarchical coordination model as opposed to network model

EuroCERT (ii)

• Success factors:
  – Strong network of research/education CSIRTs
  – Supported by all opinion leaders
• Fail factors:
  – Not founded on shocking incidents, “just” on vision
  – No willingness to “submit” to a coordinating team
  – Too ambitious for the time
  – Wrong idea of coordination and CERT/CC
• Current status:
  – Project ended in 1999 after 2 years because of lack of interest and funding

TF-CSIRT (i)

• Event:
  – The failure of EuroCERT & the real need for continued collaboration in Europe
• Follow-up:
  – Agreement reached on:
    • Working groups with volunteers to achieve goals
    • Stimulate collaboration of teams instead of superimposing one team
    • Together enable joint meetings
• Result:
  – TF-CSIRT started in 2000
  – TERENA (European Association for Research Networks) as facilitator
  – 3 meetings a year, with help of local hosts
  – http://www.terena.nl/tech/task-forces/tf-csirt/

TF-CSIRT (ii)

• Success factors:
  – Inspired by a marked event
  – Building on a collaboration dating back to 1993
  – Cooperation and collaboration instead of coordination
    • matches European culture
  – Low cost, including low travel cost (regional)
  – Setting clear goals and achieving them (TI, IRT Object, IODEF, TRANSITS)
• Fail factors:
  – Difficulty in addressing corporate and governmental needs
• Current status:
  – Still going strong (over 100 attendees per meeting)
  – Gaining recognition at EU and national levels
  – Possible cooperation with FIRST once a year

Trusted Introducer (i)

• Event:
  – The need to continue EuroCERT’s maintained CSIRT database
• Follow-up:
  – Design of a CSIRT Accreditation process
• Result:
  – September 2000: start of the Trusted Introducer (TI)
    • Public database of all European CSIRTs
    • Accreditation process for established teams
    • Secure website and database for accredited teams
    • Team data are actively maintained
    • Subcontracted service but governed by accredited teams
  – http://www.trusted-introducer.nl/

Trusted Introducer (ii)

• Success factors:
  – Continuing the good parts of a failed service
  – Quality and maintenance (up-to-date)
  – Accreditation fits into increasing accountability needs
    • Possible future certification
  – Interaction with TF-CSIRT
  – Professionally operated, governed by accredited teams
  – Subcontractor part of the CSIRT scene (not “just” a company)
• Fail factors:
  – Difficult to identify teams who are “no good”
• Current status:
  – Successful: 42 accredited teams and growing (50% penetration)
  – IRT object promoted by the TI
  – 1 January 2005: new services added (in-band re-encrypting messaging, out-of-band alerting, statistics, PKI)

Trusted Introducer – accredited teams

[Chart: number of “accredited” CSIRTs (0–25) against months after TI start (0–60). Series: Research & Education, Commercial, Government & Military, Mixed.]

APCERT

• Event:
  – No significant event, but need to grow system to next maturity level
  – Increased government support partially due to:
    • a grimmer world (11 Sep 2001)
    • Critical Infrastructure Protection
• Follow-up:
  – APSIRC evolving into a formal structure
• Result:
  – APCERT founded in 2003
    • Goals comparable to TF-CSIRT and FIRST, but also:
    • Coordination of incident response efforts
• Success factors:
  – Good coverage of Asia-Pacific countries
  – Coordination on national levels is enabler
• Fail factors:
  – Cultural differences
• Current status:
  – Started ambitiously
  – Good collaboration with FIRST and other bodies
  – Going strong!

ENISA

• http://www.enisa.eu.int/
• European Network and Information Security Agency
• EC funded security thinktank
  – Centre of expertise for all member states and sectors
  – Awareness raising with regards to security
  – E.g.: promoting member state CSIRT activities
• Andrea Pirotti (director) is touring Europe gaining support
• Build up phase
• Both on board level and in the PSG (permanent stakeholder group) the CSIRT community has representatives

Conclusions

The problems of 1973

• Internet consists of 31 hosts
• RFC 602 complains about:
  – weak passwords
  – “open” addresses
  – system penetrations

The problems of 2005

• All of the above and more …
  – In 2004 up to 1000 security alerts
• What’s new on the net:
  – The incredible scale and reach of the Internet
    • GRID networking – as in botnets …
    • Legal boundaries clash with boundless Internet
  – The Internet as element of Critical Infrastructure
    • Phone traffic over IP
  – Organized crime
  – Terrorism?

Tons of security incidents that MUST be handled

Core reasons to have a CSIRT

• To organise “authority”

• To organise “escalation”

• To organise internal and external contacts

• All with regards to prevention and resolution of information security incidents

Cooperation of CSIRTs : does it work ??

• CERT, FIRST, TF-CSIRT, APCERT etcetera etcetera

YES IT WORKS !!

(but major incidents help)

Cooperation of CSIRTs : does it help ??

• Most CSIRTs invest considerable effort in cooperating with other CSIRTs

• The trusted channels needed for incident handling require cooperation of teams

• No complex incident is handled by one team alone (local teams, vendor teams, police teams ….)

YES IT HELPS !!

• And by the way – we have no choice …

The road ahead

Challenges

• Critical infrastructure protection
• Build resilience against organised crime, terrorism (and other warfare)
• Foster (inter)national cross-sector cooperation
  – Legal boundaries tough issue: need international law??
• Stop blaming the vendors
  – Invest in security, based on risk management
• Re-think security architecture
  – Time for *genuine* security thinking again
• Stop blaming the users
  – the spyware/malware drama

International Boundaries

• Miscreants treat the Internet as their backyard – without boundaries
• CSIRTs deal with 100+ countries with 100+ laws and 1000+ CSIRTs
• What to do?
  – Inventory of relevant laws
  – National Internet crime squads
  – Cooperation both on CSIRT and Law Enforcement levels
    • Codes of conduct
  – Harmonisation of essential laws “Internet law”
  – Role of United Nations?

National Collaboration

• Each country has industry, research, education, government, military, law enforcement ….
  – Different needs and demands
• Collaboration on CSIRT level necessary
• What to do?
  – National coordinating teams
    • feasible in AP region, Middle-East and possibly Africa
    • difficult in Western countries (culture and law)
  – National cooperation and collaboration
    • Government teams driving factor since 11 September
    • Supportive measures (e.g. research)
  – CSIRTs of last resort
  – Accreditation & certification

International Collaboration

• The need is clear, but ….
  – Cultural differences (example: the business card protocol)
  – Legal differences (example: credit card fraud)
  – Interest differences (example: multinationals)
  – Secrecy
• What to do?
  – CSIRT level: FIRST collaborate with regional fora
  – Law enforcement level: cut the red tape
  – Government level: stimulating measures & national CSIRT cooperation & harmonising laws
  – Sector level: sectorial CSIRT cooperation?
  – Accreditation & certification

And the techniques?

• CSIRTs:
  – Mapping IP numbers to CSIRTs (IRT object)
  – Intrusion detection networks and automated collection of data
  – Automated exchange of incident data (IODEF?)
• IPv6?
• Vendor awareness
• (dream:) secure software engineering
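The IRT object in the first bullet (the one the TI promotes, per the Trusted Introducer slide) is what lets a team that receives incident data look up which CSIRT is responsible for an address. The Python below is an added example, not part of the presentation: it parses a constructed RPSL-style dump modelled on the RIPE database's inetnum and irt objects (every handle, range and mailbox is made up) and applies the narrowest-range-with-mnt-irt lookup rule.

```python
# Added example: map an IP address to its CSIRT through IRT objects.
# SAMPLE_DB is a CONSTRUCTED RPSL-style dump modelled on the RIPE
# database's inetnum/irt objects; every name, range and mailbox is made up.
import ipaddress

SAMPLE_DB = """\
inetnum:       192.0.0.0 - 192.0.255.255
netname:       EXAMPLE-NREN
mnt-irt:       IRT-EXAMPLE-NREN-CERT

inetnum:       192.0.2.0 - 192.0.2.255
netname:       EXAMPLE-CAMPUS
mnt-irt:       IRT-EXAMPLE-CSIRT

inetnum:       192.0.2.0 - 192.0.2.127
netname:       EXAMPLE-LAB

irt:           IRT-EXAMPLE-NREN-CERT
e-mail:        cert@example.net
abuse-mailbox: abuse@example.net

irt:           IRT-EXAMPLE-CSIRT
e-mail:        cert@example.edu
abuse-mailbox: abuse@example.edu
encryption:    PGPKEY-00000000
"""


def parse_rpsl(text):
    """Split an RPSL dump into objects (dict attribute -> first value)."""
    objects = []
    for block in text.strip().split("\n\n"):
        obj = {}
        for line in block.splitlines():
            if not line.strip() or line.startswith(("%", "#")):
                continue  # skip blank lines and whois server comments
            attr, _, value = line.partition(":")
            obj.setdefault(attr.strip(), value.strip())
        if obj:
            objects.append(obj)
    return objects


def _bounds(inetnum):
    """Turn '192.0.2.0 - 192.0.2.255' into integer (low, high) bounds."""
    low, _, high = inetnum.partition("-")
    return (int(ipaddress.ip_address(low.strip())),
            int(ipaddress.ip_address(high.strip())))


def find_irt(ip, objects):
    """Return the irt object responsible for ip, or None (RIPE rule: of all
    inetnum ranges containing ip that carry mnt-irt, take the narrowest;
    EXAMPLE-LAB has no mnt-irt, so lookups there fall back to the campus).
    """
    addr = int(ipaddress.ip_address(ip))
    best = None  # (range width, irt handle) of the narrowest match so far
    for obj in objects:
        if "inetnum" not in obj or "mnt-irt" not in obj:
            continue
        low, high = _bounds(obj["inetnum"])
        if low <= addr <= high and (best is None or high - low < best[0]):
            best = (high - low, obj["mnt-irt"])
    if best is None:
        return None
    irts = {o["irt"]: o for o in objects if "irt" in o}
    return irts.get(best[1])
```

The RIPE whois server performs the same search with its -c query flag, returning the smallest encompassing range that carries an mnt-irt attribute.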

Can we win?

• Too many legal and cultural differences?
  – Re-think: consider each time what *binds* rather than what *divides* and concentrate on the binding factors
  – Example: human culture and life
    • Great variety
    • Binding factors: reproduction, immortality and friendship
• In real life: to win is not to lose

Thank you !

Contact:

Don Stikvoort

[email protected]