Developing CSIRTs in Brazilian NREN

RNP
Mission: To promote the innovative use of advanced networks.
Education and research community:
Universities; National Libraries; Research Institutes; Museums; Teaching hospitals; Others

CAIS
Lines of action
- Security Vulnerability Handling
- Security Incident Handling
- CSIRT Development
- Information Security Awareness
- Technical Expertise

PFSI: Information Security Strengthening Program in RNP Customers
- Incident Security Management System (SGIS)
- Malicious Activity Combat
- Security Awareness Actions
- Support to Develop Security Policy Documents
- Support to Create and Develop CSIRTs

Motivation
Are a corporate security team and a CSIRT the same thing?

Motivation
- Security incidents and critical vulnerabilities have grown in recent years.
- There is a need to increase InfoSec capability in the Brazilian NREN.
- Compliance with Brazilian legal regulations, especially for organizations that are part of the Federal Public Administration.
- Corporate security team ≠ CSIRT
Security overview
Security Strengthening
Brazilian NREN
Incident handling focus
CSIRTs in RNP Customers PROJECT

Goals
CSIRTs in RNP Customers Project
- Template of CSIRT: Create a default, generic template for CSIRT establishment, applicable to the Brazilian NREN environment.
- Incident Management: Define a security incident management template, with processes and procedures for all steps of the incident handling lifecycle.
- Guide: Provide a guide and checklist to support the establishment of new CSIRTs.
- Interaction: Promote interaction between new and existing CSIRT teams.

Technical Background
Standards
- ISO/IEC 27035:2016
- Normative Instruction GSI/PR Nº1:2008
- RFC 2350
- ABNT ISO/IEC 27002:2013
Guidelines of Security Incident Management:
- Procedures and responsibilities;
- Security Information Events evaluation;
- Security Information Incidents response;
- Evidence collection.

Normative Instruction GSI/PR Nº1:2008
- Complementary Standard nº 08/IN01/DSIC/GSIPR: Establishes guidelines for Incident Management in Brazilian Federal Public Administration departments and entities.
- Complementary Standard nº 05/IN01/DSIC/GSIPR: Governs the creation of new CSIRT teams in Brazilian Federal Public Administration departments and entities.

RFC 2350
- Mission statement and scope
- CSIRT Policies and procedures
- Security Communications
- Relationships between different CSIRTs
- Best Practices of CSIRTs

ABNT ISO/IEC 27035:2016
Security incident management guideline for external organizations that provide information security incident management services.

Where to start?

Methodology
1) Planning
2) Development
3) Implementation
4) Operation

Step 1: Planning
SWOT Analysis
- Methodology used to analyze the internal and external environment of an organization.
- Data analysis aimed at the strategic positioning of an organization.

Stakeholders
- Project team
- Board of directors
- InfoSec Management Committee
- Legal team
- Heritage sector
- IT Team
- Employees
- Students
Stakeholder matrix (axes: Interest, Influence):
- Need to be continuously involved and kept informed of all developments.
- Keep them informed, without direct involvement.
- Keep them informed, without critical responsibilities.
- Monitor whether their needs are being met.

Step 2: Development
- Name of CSIRT
- Mission
- Vision
- Constituency
- Services
- Organizational Model
- Organizational Structure
- Authority

Step 3: Implementation
1) Infrastructure
2) People Management
3) Funding
4) Policies and procedures

Infrastructure
Resources
- Hardware
- Software
- Network/security
Network segments
- External network
- DMZ
- Internal Servers
- Testing
- LAN
Network diagram labels (translated): External network; External DMZ; Test network; Internal servers; LAN; Firewall; CSIRT internal services; Testing of solutions and new services; CSIRT public services; CSIRT internal data network.

People Management
Hiring
- Curriculum analysis
- Job interview
- Contract details
  * Career path
  * Workload (8x5? 24x7? Weekends?)
- Professional ethics
Firing
- Delete user/e-mail account
- Notice to organization
Professional development
- Follow up / coaching
- Events
  * CERT.br Brazilian Forum of CSIRTs
  * SBSeg (Security Brazilian Society)
  * Security Leaders
  * LACNIC / LACSEC
  * FIRST Technical Colloquium

Funding
- Specific budget for the CSIRT
- Partnership with other CSIRTs
- Sale of services to customers
- Submit projects to Research Funding Organizations
Policies and Procedures
- Information handling / Information classification
- Resources usage policies
- Password policies
- Communication Plan
- Security Awareness Plan

Step 3: Implementation
Incident Management Plan
Normative structure – Management Plans
Six main steps:

Security incident notification channels
- Communication systems;
- Malicious activity detection;
Security incident notification elements
- Incident description
- IP source / destination
- Ports / protocols / compromised services
- Date and time (with correct GMT)
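
An added example, not part of the original slides: a validator for the notification elements listed above, which rejects timestamps that carry no UTC offset and normalizes the rest to UTC. The field names and sample reports are assumptions made for this example, not a CAIS/RNP format.

```python
"""Validate the incident notification elements named on the slide."""
from datetime import datetime, timezone
import ipaddress

# Hypothetical field names chosen for this example.
REQUIRED = ("description", "src_ip", "dst_ip", "port", "protocol", "timestamp")


def validate_notification(report):
    """Return (normalized_report, problems); an empty problems list means usable."""
    problems = [f"missing field: {k}" for k in REQUIRED if not report.get(k)]
    normalized = dict(report)

    # Source and destination must parse as IPv4 or IPv6 addresses.
    for key in ("src_ip", "dst_ip"):
        if report.get(key):
            try:
                normalized[key] = str(ipaddress.ip_address(report[key]))
            except ValueError:
                problems.append(f"{key} is not a valid IP address")

    port = report.get("port")
    if port is not None and not (isinstance(port, int) and 0 < port < 65536):
        problems.append("port must be an integer in 1..65535")

    # A local time without an offset cannot be correlated with other logs,
    # so it is reported as a problem instead of being guessed.
    ts = report.get("timestamp")
    if ts:
        try:
            parsed = datetime.fromisoformat(ts)
        except (ValueError, TypeError):
            problems.append("timestamp is not ISO 8601")
        else:
            if parsed.tzinfo is None:
                problems.append("timestamp has no UTC offset; time zone is ambiguous")
            else:
                normalized["timestamp"] = parsed.astimezone(timezone.utc).isoformat()
    return normalized, problems


# Constructed sample reports (documentation address ranges, not real incidents).
GOOD = {
    "description": "SSH brute force against lab server",
    "src_ip": "198.51.100.23",
    "dst_ip": "192.0.2.10",
    "port": 22,
    "protocol": "tcp",
    "timestamp": "2017-05-22T14:30:00-03:00",
}
AMBIGUOUS = dict(GOOD, src_ip="198.51.100.999", timestamp="2017-05-22 14:30:00")

if __name__ == "__main__":
    for sample in (GOOD, AMBIGUOUS):
        print(validate_notification(sample))
```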

Step 4: Operation
Formalization
- CSIRT formalization document template
Disclosure
- E-mail marketing
- Website
- Awareness lectures
Analysis
- Statistics
  * Incidents by time / category
  * Most used protocols
  * IP addresses involved
- Indicators
  * Incidents closed in/out time
  * Incidents closed in certain period
  * Time spent to close incidents

Step 4: Operation
Formalization
CSIRT formalization document sample

Results
– Establishment of CSIRTs in Brazilian NREN: Best Practices Guide
– CSIRT Establishment Checklist
– Documentation template

Cases
Salvador/BA; Santa Maria/RS
TRIIF – Incident Response Team of Instituto Federal Farroupilha
http://triif.iffarroupilha.edu.br
UFBA – Federal University of Bahia

CSIRTs establishment support service

Thanks!
RNP – Brazilian Educational and Research Network
CAIS – RNP Incident Security Response Team
Yuri Alexandro, Security Analyst
Rildo Souza, Security [email protected]