WHOIS Database For Incident Response & Handling
2015 CNCERT Annual Conference, Wuhan
Adli Wahid <[email protected]>
Security Specialist, APNIC
大家好 (Hello Everyone!)
Presenter: Adli Wahid (@adliwahid), Security Specialist, APNIC
Adli is responsible for the security outreach activities at APNIC. He engages with APNIC members, CSIRTs and law enforcement agencies to promote security best practices.
Adli is also actively involved with regional CSIRT organisations such as APCERT, OIC-CERT and TF-CSIRT. He is currently a board member of FIRST.org.
Prior to joining APNIC, Adli was a regional Cyber Security Manager at Bank of Tokyo Mitsubishi – UFJ and Head of Malaysia CERT (MyCERT).
Areas of interest: CSIRTs, Honeypots, Malware, International Collaboration
Contact: Email: [email protected]
Agenda
1. About APNIC
2. Whois Database for Incident Handling & Response
3. Challenges
4. Conclusion
Intro to APNIC
What is APNIC?
• Regional Internet Registry (RIR) for the Asia Pacific region – Comprises 56 economies
• Secretariat located in Brisbane, Australia – Currently employs around 70 staff
• Not-for-profit, membership-based organization
• Governed by the Executive Council (EC), who are elected by the Members
The Regional Internet Registry for the Asia Pacific region
How APNIC supports the Internet community
• Distribution and Registration of Internet Resources (IPv4, IPv6, ASN)
• Facilitate the policy development process – Via mailing lists, conferences etc.
• Training services
• Information dissemination
• Collaboration & Liaison
Security Initiatives @ APNIC
• Target Audience – Primarily Network Operators & Service Providers, APNIC members
• Topics (and the domain they belong to):
– Resource Public Key Infrastructure (RPKI) – Routing
– DNSSEC – DNS
– Source Address Validation Everywhere (SAVE)
– DDoS Mitigation
– Updating IRT References in APNIC Whois Database
– Abuse Handling & Incident Response
http://www.apnic.net/security
Incident Response & Handling
The State of Security Incidents
• Increasing
• Greater Impact
• Types of Incidents
• Distributed in Nature
Challenges to the Security Responder
Analysis:
• Source of Attack
• Modus Operandi
• Command & Control
• Indicators of Compromise
• Number of Bots / Infected Computers
• Number of Samples
Fix / Recover:
• Patch Vulnerable Systems
• Apply Firewall Rules
• Clean Infected Computers
• Disable Vulnerable Services
• Remove Malicious Page
Recursive DNS Servers: https://dnsscan.shadowserver.org
Where to find information?
• Whois Database – Domain (Names) & Numbers – Security point of contact for a domain?
• Regional Internet Registry – Maintains information related to IP Addresses & AS Numbers – Including the point of contact for Security
• Incident Response Team (IRT) Object – Specialized mandatory IRT contacts for inetnum, inet6num & aut-num
– https://www.apnic.net/services/manage-resources/abuse-contacts
– https://www.apnic.net/apnic-info/whois_search/using-whois/guide/irt
whois -h whois.apnic.net 202.12.29.175

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        [email protected] 20110704
source:         APNIC
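An added example (not from the slides or APNIC's own tooling) that parses a port-43 whois reply like the one above into RPSL objects and pulls out the IRT abuse mailbox, returning None when no irt object is present (challenge 1 on the next slide: information not available). The embedded reply is a constructed copy of the slide's IRT object with example.net placeholder addresses; the live lookup function assumes plain port-43 access to whois.apnic.net.

```python
import socket

# Constructed sample reply modelled on the slide's IRT object for 202.12.29.175
# (e-mail addresses replaced with example.net placeholders); a blank line separates objects.
SAMPLE_REPLY = """\
% [whois.apnic.net]

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         helpdesk@example.net
abuse-mailbox:  abuse@example.net
admin-c:        AIC1-AP
auth:           # Filtered
source:         APNIC
"""

def parse_objects(reply):
    """Split an RPSL-style whois reply into objects: lists of (attribute, value) pairs."""
    objects, current = [], []
    for line in reply.splitlines():
        if line.startswith('%'):          # server banner / comment lines
            continue
        if not line.strip():              # blank line ends the current object
            if current:
                objects.append(current)
            current = []
        elif ':' in line:
            attr, _, value = line.partition(':')
            current.append((attr.strip(), value.strip()))
        elif current:                     # indented continuation of the previous value
            attr, value = current[-1]
            current[-1] = (attr, value + ' ' + line.strip())
    if current:
        objects.append(current)
    return objects

def abuse_contact(reply):
    """Abuse mailbox of the first irt object; None when the reply carries no IRT at all."""
    for obj in parse_objects(reply):
        if obj and obj[0][0] == 'irt':    # the object class is always the first attribute
            attrs = dict(obj)
            return attrs.get('abuse-mailbox') or attrs.get('e-mail')
    return None

def query_whois(ip, server='whois.apnic.net'):
    """Live port-43 lookup, the same exchange as `whois -h whois.apnic.net <ip>` (not run offline)."""
    with socket.create_connection((server, 43), timeout=10) as s:
        s.sendall(f'{ip}\r\n'.encode())
        return b''.join(iter(lambda: s.recv(4096), b'')).decode('utf-8', 'replace')
```

For a live check, feed `query_whois('202.12.29.175')` to `abuse_contact`; a None result is exactly the "no IRT on file" case a responder then has to escalate through the RIR.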
Challenges with Information in the Whois Database
1. Information not available
2. Information not accurate – There is a mechanism to update the information or report it as invalid
3. No guarantee the recipient knows what to do or what is expected of them
Examples
Dear IRT,
• [We have identified a command & control server on your network that is related to the XYZ malware. Please do the necessary.]
• [A host (a.b.c.d) on your network is hosting a phishing site of Bank BBB. Please remove the phishing site immediately. Refer to the screenshots.]
• [The following IP addresses on your network are running an open DNS resolver that could be used in a DDoS amplification attack.]
Security Awareness & Incident Management for Network Operators / Providers
• Understanding different types of incidents & reports – Malware, DDoS, Data Breaches, Phishing etc. – Suspicious Activities: Scanning
• Impact of Different Types of Incidents – How do I prioritize?
• Expectations: Process – Take down or Investigate
• Best Practices for Incident Handling – Policy or Procedures
Best Practices
1. Mobile Messaging Best Practices for Service Providers – https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Mobile_Messaging_Best_Practices_Service_Providers-2015-04.pdf
2. M3AAWG Anti-Abuse Best Common Practices for Hosting & Cloud Services – https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf
3. Many more here: https://www.m3aawg.org/published-documents
Role of National CERT / CSIRT
• Help to reach out to the relevant person in the organization – Translate – Explain – Incident Response Framework, Capacity Development, Information Sharing
• What if there is no National CERT / CSIRT? – See previous slides – NZITF is a good model (http://www.nzitf.org.nz)
Conclusion
• There is a need for accurate information in the whois database when dealing with abuse & security incidents
• Training & creating awareness so that the IRT / Abuse contacts know what to do will make a huge difference
• Let’s work together!
More Information
• Providing Abuse Contact Information
– https://www.apnic.net/services/manage-resources/abuse-contacts
– https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming
– https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming/invalid-contact-form
• E-Learning on Establishing a CSIRT – https://training.apnic.net
• APCERT – http://www.apcert.org
• FIRST – http://www.first.org