TLP:Green FIRST/TF-CSIRT Technical Colloquium January 25th – 27th, 2016 Prague, CZ TLP:Green.


Incident Handling in High Profile International Events: Lessons Learned and the Road Ahead
Lucimara Desiderá, M.Sc.

TLP:Green International Events in Brazil 2012 – Rio – FIFA Confederations Cup World Youth Day 2013 (including the Pope’s visit) 2014 – FIFA 2014 World Cup 2016 – Summer Olympics

Facts to Consider
- These events attract the attention of the world
  - and of the attackers as well
  - dates and times are well known
- Media coverage of attacks is a given
- Incidents impact the country's image
- The Internet is a critical infrastructure for
  - TV transmission, webcast or other forms of remote participation
  - journalists' communication
  - communication of all events' coordination entities
- But the Internet does not change because of all this
  - we still rely on ISPs, vendors, and the events organizers' own infrastructures, policies and partners

Brazilian Organizational Structure
- Special Secretariat for Security of Major Events
  - to coordinate all security efforts for major events up until the 2016 Paralympic Games
  - part of the Ministry of Justice (MJ)
  - defined that the protection of the "cyberspace" would be the mission of the Ministry of Defense (MD) Cyber Defense Center (CDCiber)
- Real life is more complex
  - the owner of the asset is the only one that can actually secure the asset and respond to any incident
  - the international organizations are not really open for information sharing
  - the events' infrastructures are not the only targets
    - [h]ac[k]tivism changed the targets

How Incident Handling Coordination Evolved
- Leverage what each organization can do best
- CDCiber changed its own mission from "protecting" to "integrating and coordinating" with all parties
  - its focus is incident detection and coordination in the Government Security Command & Control centers
  - online intelligence gathering for physical security
- CTIR Gov – Brazilian Federal Public Administration CSIRT
  - focus on incidents targeting government sites
- CERT.br
  - training for all CDCiber personnel stationed at the CDCiber C&C
  - international coordination, takedowns
  - facilitate communication and coordination
  - situational awareness and monitoring including honeypots, IRC, Twitter, etc.

Attacks Seen During the World Cup
- "Hacktivism" coordinated with street demonstrations
- Most targets were not related to the World Cup: any "gov.br", universities, sponsors and political parties
- information leak
- defacements
- DDoS using amplification (Chargen, DNS, SNMP)
  - reports of 4Gbps peaks
- some targets not even related to Brazil or the World Cup, such as the "elections.ny.gov" website
- pictures of the stadiums' Wi-Fi passwords
- phishing related to FIFA, media outlets and the Brazilian Soccer Federation
- Media coverage of the attacks before the event
  - this was the most intense period of attacks

Lessons Learned: CDCiber Perspective
- Preparation, including risk analysis, asset mapping and intelligence gathering, was essential and needs to be enhanced
- Increasing collaborative action and the trust relationships among the organizations is not only relevant, it is essential
- Some highlights of big impact events
  - Attacks on the Army website
  - Federal Police Twitter account compromised
  - Leak of information from the Ministry of Foreign Relations
Source (in Portuguese):

Lessons Learned: CTIR Gov Perspective
- What worked well: integration of the CDCiber, CERT.br and CTIR Gov teams
  - Team members with technical readiness, who know each other, have a trusted relationship and focus on each team's strengths
  - Proactivity was key
- Some highlights of big impact events
  - Government sites were targets of most hacktivism demonstrations, focusing on DDoS, spear phishing and leaks
  - The social media monitoring performed by CDCiber and CERT.br significantly reduced the incident response time
Source (in Portuguese):

Lessons Learned: CERT.br Perspective
- Cooperation among CERT.br, CTIR Gov and CDCiber was already big, but was strengthened
  - there was information exchange and task division
- Some highlights of big impact events
  - Workload was even bigger than anticipated
    - had to allocate extra people to social network monitoring
    - extra hours
    - last minute requests from the Federal Police and other organizations
  - Reaching out to international organizations, sponsors and some ISPs was a challenge
    - no clear point of contact
    - no information sharing
      - but requests for "information giving"

27 weeks

Changes for the Olympic Games
- The Games are more reliant on technology
- Rio2016 is the not-for-profit local organizing organization
- Fully operational CSIRT, on-site
  - 8x5 since September/2015
  - 24/7 from March to September/2016
  - Working in coordination with CERT.br, CTIR Gov and CDCiber
- A Cyber Security Core Team, with members from several organizations, is coordinating preparation, risk analysis, incident response plans and exercises
- Other coordination and cooperation structures will function in a similar model to that of the 2014 World Cup

Obrigada! Thank you! Děkuji!
January 26th, 2016