1 Exercise: Large Scale Incident Handling Main Objective Targeted Audience Total Duration Time Schedule The main objective of the exercise is to teach incident handlers the key information and actions required for the successful resolution of large-scale incidents. Technical CERT staff Roughly 5 hours Introduction to the exercise PART 1 LARGE SCALE PHISHING ATTACK Task 1: Source of information Task 2: Initial investigation Task 3: Takedown Task 4: Warning & mitigation PART 2 LARGE BOTNET SPREADING THROUGH A NEW VULNERABILITY Task 1: Source of information Task 2: Initial investigation Task3: Takedown Task 4: Warning & mitigation PART 3 INTERNAL WORM OUTBREAK Task 1: Internal worm outbreak Task 2: Type of attack Task 3: Malware capture & analysis Task 4: Worm/botnet controller identification PART 4 LARGE SCALE DDoS ATTACK AGAINST AN ENTIRE COUNTRY Task 1: Case study: hypothetical cyber attack against country Task 2: Another X perspective: your country is under cyberattack Task 3: Analysis of a particular DDoS method Task 4: Lessons learned Summary of the exercise 15 min. 60 min. 30 min. 30 min. 15 min. 15 min.
2 96 CERT Exercises Handbook Frequency The exercise should be carried out when the team is first setup or whenever new team members arrive or a new type of threat appears. (In the last case you should expand the exercise to accommodate this threat.) 9.1 GENERAL DESCRIPTION The purpose of the exercise is to introduce incident handlers to the complexity of handling large-scale incidents. After completion of this exercise, the students should be able to: Understand the nature and the consequences of a common large-scale incident; Determine the key information required for the successful resolution of such incidents; and Coordinate the exchange of information with various authorities. This exercise does not require Internet access. It is recommended that you, the trainer, carefully read through the handbook to understand what is required from you. The exercise is split into four different parts, concerning different types of large-scale incidents. The exercises listed here are intended as examples, so you are welcome to create additional examples of your own. Similarly, any solutions presented are not intended to be complete you and the students are encouraged to present solutions of your own. The form of the exercise is a moderated discussion, led by the trainer. EXERCISE COURSE The course of this exercise is as follows. 9.2 Introduction to the exercise At the beginning, introduce the students to the exercise, outlining its main parts and how the exercise will be carried out. This exercise consists of four main parts: PART 1: Large scale phishing attack; PART 2: Large botnet spreading through a new vulnerability; PART 3: Internal worm outbreak; and PART 4: Large scale DDoS attack against an entire country. 9.3 PART 1 LARGE SCALE PHISHING ATTACK This exercise is meant to be carried out with the help of a trainer. As the trainer, your role is to present a step-by-step description of a potential phishing attack. At the beginning, you are expected to give a short overview of what phishing is. The form of the exercise is somewhat similar to role-playing. You are expected to give a short introduction to the particular incident, asking the students what they should do next to move forward with the incident handling process. Once the students solve a certain phase, they
3 97 97 should be introduced to the next phase of the incident handling process and the problems encountered there. If students have problems answering certain questions, you should provide leading questions that help them solve the problem. To help you, some example answers are also provided. Remember that other variants are possible feel free to lead the investigation in the manner you see fit Task 1 Source of information Step 1 is the reporting of the incident. Ask the students, how they could become aware of the attack. Various possible ways are listed below. Did the students cover these variants? Did they suggest other ones? What should be the result of this step? Variant 1.1 The CERT team starts receiving reports about a phishing campaign from its constituency. These reports contain full phishing with headers and body including URL to phishing site. Variant 1.2 The CERT team find a phishing attempt by themselves for example through spam traps or some of the team members received phishing s in their mailboxes. The s have URLs embedded in them, which point to a phishing site. Variant 1.3 A phishing URL was reported by a bank, whose customers are being targeted. Results (for all three variants are the same): The CERT team has obtained a URL or URLs pointing to phishing site(s) Task 2 Initial investigation Next step is to find out a) if this is not a false alert, b) where the phishing sites are located, and c) how the attack is carried out. The answers may overlap, so all are included in one step. Questions that can help students find out what is going on: 1. Are the phishing sites still active or alive? How to check this? (Answer: the simplest way is to get there by the most popular browsers: IE, Firefox, Opera, and Chrome. It is recommended that these sites be checked with wget. Remember to be careful; the sites could be malicious, so using a specially prepared machine for this action would be advisable.) 2.1 Leading questions: Are they active in all popular browsers or just in a particular one? What about wget? Maybe the phishing site requires a specific user agent field set or another (for example referer )? 3. Where are the phishing sites (logically and physically) located? How to find out?
4 98 CERT Exercises Handbook 3.1 Leading questions: What is the domain and IP address of the www server? To whom does the IP and domain name belong? Who is the host-master? Who is the ISP? (Answer: look at the URL. Is there an IP address or domain name? Use tools like dig, host, etc. Next when you get an IP use the whois database and traceroute tool. Look at the main page of this domain: after and before the next slash /.) 4. How is the attack being carried out? What technique is used to serve the phishing site? How to check this? 4.1 Leading questions: Is the fast-flux technique used? Does every IP returned from the dns query lead to a response? Are there other sites on this server (IP)? What about the main page from the phishing URL? (Answer: the results of dig or host could be helpful in determining fast-flux. In the context of other sites: go to the main page of the phishing URL, for example: if the phishing URL is go to the URL and analyse it.) Result: There could be numerous answers to the above questions. A couple of them are listed below. Did the students cover these or suggest something new? Variant 2.1 The URL is On the there is a web page that is typical of some small business. There is a strong possibility that the administrator or webmaster of this site does not know about this situation. In most cases this server was compromised by a miscreant. There are three subvariants of this scenario: Variant 2.1a The compromised server is in your network (for example you are the CERT team of a large ISP or hosting centre). The owner of the site potentially one of the victims is your customer. Variant 2.1b The compromised server belongs to some large ISP in your country. The victims are not your customers. Variant 2.1c The compromised server is located in another country. Variant 2.2 The domain name resolves to many and various IPs. There is a strong possibility of fast-flux. The IPs belong to different ISPs, perhaps in a different country. There is no main page on the server.
5 99 99 Digression: Why are there so many IPs and why do some of them do not respond? Why do the miscreants use fast-flux? (Answer: these IPs are probably zombies from some botnet. They are probably desktopcomputers infected by special malware. Some of them are simply switched off.) Task 3 Take down The next step is to organize the takedown of this site as soon as possible. It is recommended that an attempt be made to try to track down the miscreants and victims of the phishing. Questions for the students: 1. How to take down the phishing site in variants 2.1.a to c? What is the fastest way to communicate with the administrator of the site? From which source can you get contact information? (Answer: in variant 2.1a there is no problem you should contact your administrator. In 2.1b you should search contact with admin on the main page or about page. You could also check the whois database. The fastest way for contacting is by telephone. Many times it is better to send details via and call to inform that there was a phishing and details were sent via . Maybe there is an abuse-team or CERT team operating at the ISP? In variant 2.1c you must take language and time differences into account. In this case it is recommended that another CERT team from that country be involved you could look one up on the FIRST site, 2. Is the deletion of the phishing site by the administrator of a compromised site enough? Leading question: What about the vulnerability that was exploited to compromise the server and upload the phishing site? (Answer: in variant 2.1a you must, together with your administrators, find and patch this vulnerability. In variants b and c you must explain this possibility with hints to the server administrator, perhaps offering help.) 3. Where could you search for information about the break-in to the server and the vulnerability? Leading question: If there could be a vulnerability in the www server or in the PHP scripts or in the database, etc, where can you find information about suspicious requests, form entries, errors, etc? (Answer: inadequate server logs, etc.) 4. How to track down the miscreants? Where can you find some information about them? Where are the drop sites of the miscreants? (Answer: you must analyse the source code of the phishing site, as there may be information about where stolen data is sent. Other scripts on the compromised server, as well as server and logs could be helpful.) 5. Where to find information about victims?
6 100 CERT Exercises Handbook 6. What to do with this information? 7. Are these steps enough? What about cases, when we were unable to take the site down? 8. Should law enforcement become involved? 9. How to take down the phishing site in variant 2.2? Task 4 Warning & Mitigation It is strongly recommended that potential victims be warned. 1. Does the bank know about the phishing? (Answer: phishing should be reported to the bank) 2. Should you write an alert on your webpage? Who should first know about this: the bank or the people reading your site? 3. How to alert people who have visited phishing site(s)? Leading questions: Most popular browsers can warn people how do you get them to do this? In which external services can you report phishing URL(s)? (Answer: phishing sites should be reported to Google Safe Browsing (used by Firefox, Netcraft (http://toolbar.netcraft.com/report_url), PhishTank (www.phishtank.com), Microsoft PhishingFilter (https://phishingfilter.microsoft.com/faq.aspx). Where else? Students could propose their own.) 9.4 PART 2 LARGE BOTNET SPREADING THROUGH A NEW VULNERABILITY Once the first exercise has been completed, the students should be presented with another scenario. Again, the trainer should serve as a mentor of the exercise but this time allow students more flexibility. Scenario outline and leading questions are proposed below. The trainer should be prepared to explain concepts such as honeypots, sandboxes, BGP and DNS blackholing. The second exercise involves a botnet that spreads through a new vulnerability in a Windows service, available on port 42/TCP Task 1 Source of information The CERT team starts to receive reports about a series of new hacking incidents from its constituency. The first question that can be asked is how the team can get more information about what is going on: What (open) discussion lists could supply some supporting information? What public websites could provide extensive information?
7 What kind of detection systems could the team operate to get more information by itself? Task 2 Initial investigation Once the students identify some sources, point out useful ones they have missed. After this, you should provide some supporting information, such as: observed controllers. Once the controller is identified: How can the team identify which sources in their constituency are infected? (hint: netflow) In what way could the team obtain a malware sample to verify or discover new controllers? If the students miss this, introduce the idea of honeypots and sandboxes Task 3 Takedown This task concerns the takedown of the controller. How could the controller be taken down? What happens if it is in your constituency, or in another ISP in your country, or abroad in the USA, or in China? What research could be carried out to determine the botnet owner? How could law enforcement become involved? It turns out that the controller is fast flux. How could that have been determined? What implication does it have for containment and takedown? Task 4 Warning & Mitigation A list of infected IPs related to the constituency is obtained. In the case of a national CERT: How could the identified IPs be assigned to specific ISPs? How could contact addresses for CERT or abuse teams of these ISPs be obtained? Once these infected hosts are assigned and the administrators or abuse teams notified: How the threat could be contained, especially if taking it down turns out to be impossible? Explain BGP and DNS blackholing to the students. 9.5 PART 3 Internal worm outbreak This part of the exercise deals with a different case than the two previous parts. Those involved handling incidents external to a CERT. But what if an attack is happening in a network of a corporate CERT?
8 102 CERT Exercises Handbook In this scenario, you should: present the students with a hypothetical scenario of a worm entering a corporate network; present a diagram of a hypothetical organization s network; give general information about the initial situation; and guide the students in a step-by-step manner by providing leading questions to make them understand what is happening and how to resolve the situation. What follows is an example scenario for the exercise. Note that this is a hypothetical scenario, loosely based on facts Introduction to the scenario The incident that we are going to analyse happens in a hypothetical company called Innovative Software. Figure 1 depicts the diagram of the network X R1 router R2 router X F2 Firewall X IDS X F1 Firewall Content switch X.X/20 Corporate Network End User Network Development Network Authentication server Database servers Production Network Application servers Figure 1: Network map
9 Conduct a general introduction and explain the above network diagram. Innovative Software has two redundant Internet connections from two independent ISPs. When the network is operating normally, only the connection through router R1 is used. Router R2 is used only in case of problems with the first connection. There are two main networks in the company: Production Network and Corporate Network. Production Network is supposed to be available externally - for clients using Innovative Software services. Aside from application and database servers there are also authentication servers that allow authentication with advanced credentials using TACACS+ and RADIUS protocols. Corporate Network is divided into two sub-networks - End User Network and Development Network. The distinction is that users from the End User Network cannot reach the Production Network through firewall F1. Development Network is used by the R&D department. The access control lists on both routers and firewalls are configured in a denybase setup. This means that only necessary traffic is allowed. The access for customers is strictly a web interface so only HTTP traffic is allowed to Production Network through F2 firewall. We will not analyse the access list thoroughly - entry by entry, as this is not important for the exercise. Moreover, when dealing with the attack performed on a large scale, security specialists often do not know the details of network configuration immediately and have no time to become familiar with it. Therefore being able to estimate possible security flaws based only on general knowledge of the network structure is very important. Innovative Software has experienced performance problems recently. Investigation of logs on machines in the Production Network revealed that the problem came from sluggish MS-SQL servers that play a critical role in the entire service. Administrators checked to see if there were any recent updates or configuration changes. Nothing appeared to be suspicious so they tried the desperate step of rebooting. At first it looked as if that solved the problems so the administrators sequentially rebooted all of the servers. Unfortunately, it only took minutes for the servers to slow down again to an unacceptable rate of processed requests. Administrators suspected that the network configuration was causing delays. However, running a few pings, traceroutes and DNS lookups at various points on the network did not reveal any problems. At this point administrators brought up the possibility of compromise. Security engineers from the local CERT team were contacted Task 1 Possible source of the attack At this step, ask the students to speculate on the possible source of the attack. Encourage them to ask questions, provide them with answers and guide them through, asking leading questions if necessary. The Innovative Software network seems to be secured enough. The external firewalls appear to be configured properly, and they do filter traffic to MS-SQL ports. Task: Estimate where the attack could come from?
10 104 CERT Exercises Handbook Solution: The only users that can reach the Production Network are the developers working in the R&D department. Do they use MS-SQL servers in the Development Network? (Yes) Do they have any access to the Internet beside the two firewalled connections? (No) Can R&D employers take their laptops home and bring them back infected with viruses? (Yes) Task 2 Type of attack As it becomes clearer that users from the Development Network could be the source of compromise, further investigation is needed to see if this really is the case. Task: If a virus came from the development network, as we suspect, then how can you find out more information about the attack, especially the kind of threat you face? Why does the IDS not signal anything? Answer: The first thing that could be done is to check the logs on all the network nodes that could see anything interesting. Logs of neither firewall F1 nor router R1 contain any useful information. Interesting entries, however, can be found on firewall F2 a huge amount of denied outbound UDP connections to port 1434 to hosts that appear to be random. This is a clear indication that some type of exploit had compromised the SQL servers. Does the IDS have updated signatures? It is very important at this point to stop the worm from spreading in the network. We know that firewall F2 stops the traffic, but the original source of attack can still be active and the worm is probably propagating through firewall F1. The following deny statements could be added to the firewall F1 outbound interface (from the network): deny tcp any eq 1434 any any log deny tcp any eq 1434 any any log That way you stop the network from propagating the worm and the host that caused infection can be localized through firewall logs. Next, we should investigate the vulnerability and, especially, try to find out from the controller if the compromised systems are part of a botnet Task 3 Malware capture & analysis Task: Investigate the hosts to which the exploit is trying to connect and try to gain some information from the data that the exploit sends. Solution: We may want to separate the exploited server from the production network. To catch the traffic that the exploit sends, it is necessary to set up an environment for the worm to propagate. Such an environment could be a honeypot or sandbox system.
11 Honeypot/HoneyNet Network Analyzer Span port Switch Compromised server Figure 2: Network map The network analyser is connected to the switch SPAN port. (Traffic from all other ports is forwarded to the SPAN port.) Due to the network analyser on the SPAN port, all the communications from and to the compromised SQL server can be observed. You would need a honeypot that emulates the vulnerability used by the worm to obtain a copy and to understand the infection process. What honeypots do the students know about? What is the difference between a honeypot and a sandbox? If the students are not familiar with the concept of honeypots and sandboxes, you should introduce these to them Task 4 Worm/botnet controller identification Task: To find out with whom the malware communicates and to try to identify other nodes on the malware network. Solution: First of all, you should investigate the range of the IP addresses that are attacked. Do they belong to any particular sub-network or does it look like they are chosen at random? All requests to the DNS server should also be reported. The technique that could be used to catch the URL requests and forward them to a specific IP address is called DNS blackholing. (In this solution the DNS server replies with a preconfigured IP address on specified URLs instead of resolving it.) There is a chance that the worm is actually a botnet and has the address of its controller as a URL rather than an IP address. First of all, IP addresses to which the worm tries to connect often should be considered suspicious. We know that the vulnerable service works on port 1434, so connections to other ports may imply communication with the controller. If no suspicious IP addresses can be found this way, the payload of connections can be analysed. Communication with the controller is different than packets containing exploit payload. So, theoretically, it should be possible to differentiate attack vectors from any other communication. As you have the list of IP addresses, you should check who they belong to.
12 106 CERT Exercises Handbook Usually the data you get from whois points to an ISP. In such a case, your role is to notify the ISP of the incident. We are considering the case of the Innovative Software company network, so the last phase is to secure the network. First of all patches from the vendor should be applied (Microsoft in this case). The second problem is that the network is not secured properly. It should not be possible for the users to connect their laptops (potentially compromised) to the network and have unrestricted access to the production network. There are remedies for this, but they are another large topic which is beyond the scope of this exercise. 9.6 PART 4 LARGE SCALE DDoS ATTACKS AGAINST AN ENTIRE COUNTRY This part of the exercise is devoted particularly to developing skills and ideas on handling DDoS attacks. The exercise should start with a short reminder of examples of cyber attacks against Estonia in 2007, Georgia in 2008, and many recent global politically-motivated DDoS attacks. Before the exercise, students can get familiar with, eg, the report  prepared by Georgian CERT-GE about the cyber attack against Georgian network infrastructure in 2008, its effects and the actions used to mitigate it. During the exercise, students will learn how to: develop a defence strategy for the large-scale attacks (particularly DDoS attacks); prepare for cyber warfare in the future (procedures, tools, contact lists); and recognize and overcome various types of difficulties Task 1 Case study: hypothetical cyber-attack against country X Present a hypothetical large-scale cyber-attack that happens to some country X, described below. The attack progress (conflict, attack synopsis) could be presented on a whiteboard as a timeline of the main events. Additionally, give each student a copy of a detailed description of the attack. This case study describes a hypothetical cyber-attack against country X: Country X is a medium size country with a quite advanced network infrastructure designed to allow consumers, businesses and government to use high bandwidth wire and mobile Internet connectivity. Country X has a substantial (10%) ethnic minority from country Y. Country X has two CERT teams: one ISP CERT and the GOV CERT. In the CERT of the ISP (which is the largest Internet provider in country X) there are some people of nationality Y. The national CERT, the GOV CERT, is a newly established team (three months ago). Country X has no cyber security policy yet. For a couple of years, country X and country Y have been candidates for the Famous International Organization (FIO). One day, country X becomes a member of FIO, while country Y does not. Just after this momentous event, the authorities of country X start to increase discrimination against the minority from country Y. The names of streets (in districts where
13 most of minority Y lives) are replaced with the names in the official language of country X. Shops and schools of country Y are forced to close. Moreover, speaking the language of country Y in offices, shops, and in the streets is forbidden. Subtitles in language Y are eliminated from all TV programs. These government actions are an immediate reason for the start of the conflict. Within a few days, there are a lot of protests by people of nationality Y against these decisions (protest marches, etc.). Almost simultaneously, the conflict in cyberspace begins. Cyber conflict (Phase I) During the first week, there are the following incidents: - The government of country X receives millions of s of protest from all over world, so government mail servers go down. - There are a few cases of defacement attacks targeted again websites of the majority government. - There are some DDoS attacks against government web servers, so they go off-line. - Offensive texts in the language of country X are put on some popular country X websites. - Some content on news portals of country X is replaced with new content in the language of country Y. Cyber conflict (Phase II) The following week, after some relatively simple incidents, cyber attacks increase. There are many sophisticated and well coordinated attacks. Many of them use large international botnets (a few thousand compromised machines) controlled by five virtual domain name servers (from abroad). DDoS attacks are launched against the critical national information infrastructure of country X: - Many government sites are overwhelmed by a series of DDoS attacks. - The computer systems of the largest TV station are attacked and remain unavailable. - The five biggest banks become unreachable and most banking transactions are paralysed. - The police network infrastructure is under constant attack. - Information services, news portals and press agencies are under heavy DDoS attacks. - On-line shops stop offering electronic services. - Besides the attacks of botnets, detailed instructions (in many languages) on how to launch attacks and the tools to carry out these attacks, together with a list of objectives, circulate on the Internet and are readily available, so even persons not familiar with hacker techniques take part in attacks. - The ISP is overwhelmed, so Internet access is limited. Cyber conflict (Phase III) After two weeks, the attacks continue. There is the beginning of complete information chaos and on-line communication is limited. Most of the important websites and networks (government, information services, police, banks, etc) remain unavailable. GOV CERT comes under heavy DDoS attack.
14 108 CERT Exercises Handbook After sketching the attack synopsis, split the students into three groups. The task of each group is to develop the defence strategy for country X. The appropriate actions should be proposed for each phase separately. In particular, the students should prepare and state their opinion about: Is it possible to mitigate (if yes how?) the particular attacks described in the synopsis? What kind of measurements would you use for particular attacks? What kind of response actions could be taken? What kind of difficulties would you expect to face (regarding attacks, specific procedures)? The students should consider the consequences of situations described (eg, disabled on-line news sources), explaining the reasons for the actions proposed, and the potential difficulties (lack of tools, no possibility of control, etc). Students have up to 45 minutes for completing this task. When all groups are ready, the representative of each group presents its strategy to the whole exercise group. The whole presentation should end up with your conclusion about the ideas proposed and a moderated discussion. You should indicate the points missed in the proposed strategies, note the mistakes, and evaluate whether the ideas presented are feasible and appropriate, referring to the cyber law of the country represented by the participants. During the discussion, you can ask the group to address more aspects (both operational and technical). 1. What priorities would you assign to the proposed actions in mitigation? 2. Who do you think should be a coordinator of mitigating actions in country X? 3. What kind of support can be offered or are you able to offer (as a representative of a CERT team), to country X? How would you organize the support? 4. What kind of problems, which are different or more serious than those that took place in Estonia or Georgia, can you image? How would you handle them? 5. What difficulties can occur during the recovery process? Task 2 Another perspective: your country is under cyber attack Ask participants to imagine that a similar attack occurs in their own country or happens to their constituency. What would be their actions? Ask them to develop the basic defence procedure for their CERT team, considering issues that include the following: 1. Who and how would you notify about the problems or actions? 2. What should you do when there is a lack of necessary information about the situation inside the country or abroad?
15 How and what type of information about the situation would you report to the media? 4. How would you organize effective communication? How would you propagate the necessary information quickly? 5. On the other hand, what are your ideas for dealing with information (notifications) overload and communications overload? Task 3 Analysis of a particular DDoS method Ask participants to consider some specific DDoS attacks. 1. How would they analyse the attack method used and determine the source of the attacks? 2. What would be their actions to defend against these attacks? 3. What type of control would work best against distributed coordinated attacks? Task 4 Lessons learned At the end, discuss with participants the lessons learned regarding the following aspects: What should a national and international response to large scale attacks be? How can we be better prepared to defend ourselves future large-scale attacks? Consider issues related to prevention, preparedness and sustainability (eg, checking the national infrastructures for DDoS weaknesses; for CERT: taking actions by scanning all networks for which it is responsible, etc). List the most important aspects, such as government support (national strategy), crisis management plan, early warning systems, national coordination, involvement of international CERTs, communication plans, arrangements for close cooperation and cooperation between strategic partners, and regular exercises Summary of the exercise Now is the time for the exercise summary. Encourage students to exchange their opinions, ask questions, and give their feedback about the exercise. 9.8 EVALUATION METRICS It is suggested that at the end of the exercise, students take a test quiz that is available on the Virtual Image. The results of this quiz could be part of the evaluation process. 13 EU Workshop on Learning from large scale attacks on the Internet - Policy Implications. Brussels, January Presentations and a workshop report available at :http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_scale/index_en.htm
16 110 CERT Exercises Handbook Furthermore, in evaluating the results of this exercise, you should take into consideration the following aspects: PART 1 PART 2 PART 3 PART 4 How many variants of each step and solutions did the students enumerate by themselves? Did the students propose something different than what is outlined in the handbook? Were students able to repeat the steps from Part 1? Did they understand the concept of fast-flux networks introduced in Part 1? How many variants of each step and the solutions did the students enumerate by themselves? Did the students consider the need for a national coordinator in responding to the attacks? Did they consider the involvement and specific roles of various entities (ISP, FIRST, TF- CERT, LEA, NATO) including the notification of systems administrators, filing cases against unknown attackers with the police, etc? Were the proposed measurements for specific attacks appropriate (statistics, botnet infiltration, command tracking, flow data, news monitoring, keywords triggers, eg, gov in commands)? Did they consider the problem that some things can be invisible from inside the country? Did they propose appropriate or feasible defence actions (filtering traffic, localization and shutting down virtual DNSs, localization of compromised machines, research, investigations, collaboration)? Did they consider implementing BCP38 14? 9.9 REFERENCES 1. Russian Invasion of Georgia. Russian Cyberwar on Georgia. Report of the Government of Georgia. Available at: %20fd_2_new.pdf (October, 2008) 2. EU Workshop on Learning from large scale attacks on the Internet - Policy Implications. Brussels, January Presentations and a workshop report available at :http://ec.europa.eu/information_society/policy/nis/strategy/activities/ciip/large_s cale/index_en.htm 14 BCP38, Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Available at
17 BCP38, Defeating Denial of Service Attacks which employ IP Source Address Spoofing. Available at Additional materials: The official document of the Estonian Ministry of Defence about Estonian Cyber Security Strategy (prepared in the context of the cyber attack on Estonia) is available at
CERT Exercises Toolset 91 9. Exercise: Large Scale Incident Handling Main Objective Targeted Audience Total Duration Time Schedule Frequency The main objective of the exercise is to teach incident handlers
CERT Exercises Toolset 49 49 6. Exercise: Writing Security Advisories Main Objective Targeted Audience Total Duration Time Schedule Frequency The objective of the exercise is to provide a practical overview
Denial of service attacks: what you need to know Contents Introduction... 2 What is DOS and how does it work?... 2 DDOS... 4 Why are they used?... 5 Take action... 6 Firewalls, antivirus and updates...
Pioneering Technologies for a Better Internet Cs3, Inc. 5777 W. Century Blvd. Suite 1185 Los Angeles, CA 90045-5600 Phone: 310-337-3013 Fax: 310-337-3012 Email: firstname.lastname@example.org The Reverse Firewall: Defeating
JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router
Security Toolsets for ISP Defense Backbone Practices Authored by Timothy A Battles (AT&T IP Network Security) What s our goal? To provide protection against anomalous traffic for our network and it s customers.
Tunisia s experience in building an ISAC Haythem EL MIR Technical Manager NACS Head of the Incident Response Team cert-tcc 1 Agenda Introduction ISAC objectives and benefits Tunisian approach SAHER system
WildFire Reporting When malware is discovered on your network, it is important to take quick action to prevent spread of the malware to other systems. To ensure immediate alerts to malware discovered on
Protecting Your Organisation from Targeted Cyber Intrusion How the 35 mitigations against targeted cyber intrusion published by Defence Signals Directorate can be implemented on the Microsoft technology
Country Case Study on Incident Management Capabilities CERT-TCC, Tunisia Helmi Rais CERT-TCC Team Manager National Agency for Computer Security, Tunisia email@example.com firstname.lastname@example.org Framework
Firewall August, 2003 1 Firewall and Access Control This product also serves as an Internet firewall, not only does it provide a natural firewall function (Network Address Translation, NAT), but it also
INDUSTRIAL CONTROL SYSTEMS CYBER SECURITY DEMONSTRATION Prepared for the NRC Fuel Cycle Cyber Security Threat Conference Presented by: Jon Chugg, Ken Rohde Organization(s): INL Date: May 30, 2013 Disclaimer
the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point
CSE 3482 Introduction to Computer Security Denial of Service (DoS) Attacks Instructor: N. Vlajic, Winter 2015 Learning Objectives Upon completion of this material, you should be able to: Explain the basic
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
Exercise 7 Network Forensics What Will You Learn? The network forensics exercise is aimed at introducing you to the post-mortem analysis of pcap file dumps and Cisco netflow logs. In particular you will:
HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest
SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,
co Characterizing and Tracing Packet Floods Using Cisco R Table of Contents Characterizing and Tracing Packet Floods Using Cisco Routers...1 Introduction...1 Before You Begin...1 Conventions...1 Prerequisites...1
Section III - Cyber-Attacks Evolution and Cybercrime Trends Report on Cyber Security Alerts Processed by CERT-RO in 2014 Romanian National Computer Security Incident Response Team email@example.com The
DDoS Attacks: The Latest Threat to Availability Dr. Bill Highleyman Managing Editor Availability Digest The Anatomy of a DDoS Attack Sombers Associates, Inc. 2013 2 What is a Distributed Denial of Service
SECURITY FLAWS IN INTERNET VOTING SYSTEM Sandeep Mudana Computer Science Department University of Auckland Email: firstname.lastname@example.org Abstract With the rapid growth in computer networks and internet,
DDoS Attacks Can Take Down Your Online Services Dr. Bill Highleyman Managing Editor, Availability Digest Continuity Insights New York 2014 October 8, 2014 email@example.com Who Am I? Dr. Bill
A Decision Maker s Guide to Securing an IT Infrastructure A Rackspace White Paper Spring 2010 Summary With so many malicious attacks taking place now, securing an IT infrastructure is vital. The purpose
Information Technology Information and Systems Security/Compliance Northwestern University 1800 Sherman Av Suite 209 Evanston, IL 60201 Email David-Kovarik@northwestern.edu Phone 847-467-5930 Fax 847-467-6000
KEY STEPS FOLLOWING A DATA BREACH Introduction This document provides key recommended steps to be taken following the discovery of a data breach. The document does not constitute an exhaustive guideline,
KASPERSKY DDoS PROTECTION Protecting your business against financial and reputational losses A Distributed Denial of Service (DDoS) attack is one of the most popular weapons in the cybercriminals arsenal.
Current Threat Scenario and Recent Attack Trends Anil Sagar Additional Director Indian Computer Emergency Response Team (CERT-In) Objectives Current Cyber space Nature of cyberspace and associated risks
Firewall and UTM Solutions Guide Telephone: 0845 230 2940 e-mail: firstname.lastname@example.org Web: www.lsasystems.com Why do I need a Firewall? You re not the Government, Microsoft or the BBC, so why would hackers
Strategies to Protect Against Distributed Denial of Service (DD Table of Contents Strategies to Protect Against Distributed Denial of Service (DDoS) Attacks...1 Introduction...1 Understanding the Basics
Proxy Blocking: Preventing Tunnels Around Your Web Filter Information Paper August 2009 Table of Contents Introduction... 3 What Are Proxies?... 3 Web Proxies... 3 CGI Proxies... 4 The Lightspeed Proxy
For assistance with your computer, software or router we have supplied the following information: Tech Support 1-855-546-5000, press 1 Talk America Services Customer Service 1-855-546-5000, press 3 TALK
Introduction: SiteLock scans your website to find and fix any existing malware and vulnerabilities followed by using the protective TrueShield firewall to keep the harmful traffic away for good. Moreover
home Network Vulnerabilities Detail Report Grouped by Vulnerability Report Generated by: Symantec NetRecon 3.5 Licensed to: X Serial Number: 0182037567 Machine Scanned from: ZEUS (192.168.1.100) Scan Date:
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
Cyber Security & Role of CERT-In Dr. Gulshan Rai Director General, CERT-IN Govt. of India email@example.com Web Evolution Web Sites (WWW) 1993 Web Invented and implemented 130 Nos. web sites 1994 2738 Nos.
INFORMATION SECURITY REVIEW 14.10.2008 CERT-FI Information Security Review 3/2008 In the summer, information about a vulnerability in the internet domain name service (DNS) was released. If left unpatched,
100% Malware-Free E-mail: A Guaranteed Approach 2 100% Malware-Free E-mail: A Guaranteed Approach Panda Security's Mail Filtering Managed Service Guarantees Clean E-mail Table of Contents Table of Contents...
How to build and use a Honeypot By Ralph Edward Sutton, Jr DTEC 6873 Section 01 Abstract Everybody has gotten hacked one way or another when dealing with computers. When I ran across the idea of a honeypot
: DDOS ATTACKS DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS 1 DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS NTT is one of the largest Internet providers in the world, with a significant share of the world s
HoneyBOT User Guide A Windows based honeypot solution Visit our website at http://www.atomicsoftwaresolutions.com/ Table of Contents What is a Honeypot?...2 How HoneyBOT Works...2 Secure the HoneyBOT Computer...3
Content 1 Spam detection problem 1.1 What is spam? 1.2 How is spam detected? 2 Infomail 3 EveryCloud Spam Filter features 3.1 Cloud architecture 3.2 Incoming email traffic protection 3.2.1 Mail traffic
SECURITY TERMS: Advisory - A formal notice to the public on the nature of security vulnerability. When security researchers discover vulnerabilities in software, they usually notify the affected vendor
E-Guide Signature vs. anomaly-based behavior analysis News of successful network attacks has become so commonplace that they are almost no longer news. Hackers have broken into commercial sites to steal
IBM Vulnerability scanning and best practices ii Vulnerability scanning and best practices Contents Vulnerability scanning strategy and best practices.............. 1 Scan types............... 2 Scan duration
Detecting peer-to-peer botnets Reinier Schoof & Ralph Koning System and Network Engineering University of Amsterdam mail: firstname.lastname@example.org, email@example.com February 4, 2007 1 Introduction Spam,
International Journal of Research Studies in Science, Engineering and Technology Volume 1, Issue 9, December 2014, PP 139-143 ISSN 2349-4751 (Print) & ISSN 2349-476X (Online) A Novel Distributed Denial
Seminar Computer Security DoS/DDoS attacks and botnets Hannes Korte Overview Introduction What is a Denial of Service attack? The distributed version The attacker's motivation Basics Bots and botnets Example
Operation Liberpy : Keyloggers and information theft in Latin America Diego Pérez Magallanes Malware Analyst Pablo Ramos HEAD of LATAM Research Lab 7/7/2015 version 1.1 Contents Introduction... 3 Operation
Network Instruments white paper USING A NETWORK ANALYZER AS A SECURITY TOOL Network Analyzers are designed to watch the network, identify issues and alert administrators of problem scenarios. These features
SECURING YOUR SMALL BUSINESS Principles of information security and risk management The challenge Information is one of the most valuable assets of any organization public or private, large or small and
Implementing the latest anti-virus software and security protection systems can prevent many internal and external threats. But these security solutions have to be updated regularly to keep up with new
Firewalls Network Security: Firewalls, VPNs, and Honeypots CS 239 Computer Security March 7, 2005 A system or combination of systems that enforces a boundary between two or more networks - NCSA Firewall
Evading Infrastructure Security Mohamed Bedewi Penetration Testing Consultant What infrastructure security really means? Infrastructure Security is Making sure that your system services are always running
TrusGuard DPX: Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls...
2 Denial of Service Attacks : IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 13 August 2013 its335y13s2l06, Steve/Courses/2013/s2/its335/lectures/malicious.tex,
Fighting Advanced Threats With FortiOS 5 Introduction In recent years, cybercriminals have repeatedly demonstrated the ability to circumvent network security and cause significant damages to enterprises.
Frequent Denial of Service Attacks Aditya Vutukuri Science Department University of Auckland E-mail:firstname.lastname@example.org Abstract Denial of Service is a well known term in network security world as
White paper Combating DoS/DDoS Attacks Using Cyberoam Eliminating the DDoS Threat by Discouraging the Spread of Botnets www.cyberoam.com Introduction Denial of Service (DoS) and Distributed Denial of Service
Attacks on Large US Bank During Operation Ababil March 2013 Table of Contents Executive Summary... 3 Background: Operation Ababil... 3 Servers Enlisted to Launch the Attack... 3 Attack Vectors... 4 Variations
Project Proposal Active Honeypot Systems By William Kilgore University of Advancing Technology Project Proposal 1 Project Proposal 2 Abstract Honeypot systems are readily used by organizations large and
Complete Protection against Evolving DDoS Threats AhnLab, Inc. Table of Contents Introduction... 2 The Evolution of DDoS Attacks... 2 Typical Protection against DDoS Attacks... 3 Firewalls... 3 Intrusion
SPEAR PHISHING UNDERSTANDING THE THREAT SEPTEMBER 2013 Due to an organisation s reliance on email and internet connectivity, there is no guaranteed way to stop a determined intruder from accessing a business
White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda
CERT- EE report: DDoS attacks, e- mail messages with forged sender address and defacements on 1-7 November 2013, aka #OpIndependence Introduction... 1 1. Chronology... 1 2. Scope and impact of incidents...
29 29 4. Exercise: Developing CERT Infrastructure Main Objective Targeted Audience Total Duration To learn what kind of software and hardware solutions could be used to provide a particular CERT service
Hong Kong Information Security Outlook 2015 香 港 資 訊 保 安 展 望 Agenda Information Security Trends Year 2014 in Review Outlook for 2015 Advice to the Public Hong Kong Computer Emergency Response Team Coordination
VIDEO Intypedia013en LESSON 13: DNS SECURITY AUTHOR: Javier Osuna García-Malo de Molina GMV Head of Security and Process Consulting Division Welcome to Intypedia. In this lesson we will study the DNS domain
Cyber Security and Critical Information Infrastructure Dr. Gulshan Rai Director General Indian Computer Emergency Response Team (CERT- In) grai [at] cert-in.org.in The Complexity of Today s Network Changes
Available online at www.ijiere.com International Journal of Innovative and Emerging Research in Engineering e-issn: 2394-3343 p-issn: 2394-5494 Survey on DDoS in Cloud Environment Kirtesh Agrawal and Nikita
FortKnox Personal Firewall User Manual Document version 1.4 EN ( 15. 9. 2009 ) Copyright (c) 2007-2009 NETGATE Technologies s.r.o. All rights reserved. This product uses compression library zlib Copyright
Running head: UNIT 3 RESEARCH PROJECT 1 Unit 3 Research Project Eddie S. Jackson Kaplan University IT540: Management of Information Security Kenneth L. Flick, Ph.D. 10/07/2014 UNIT 3 RESEARCH PROJECT 2
DDoS Basics Introduction Distributed Denial of Service (DDoS) attacks are designed to prevent or degrade services provided by a computer at a given Internet Protocol 1 (IP) address. This paper will explain,
Second-generation (GenII) honeypots Bojan Zdrnja CompSci 725, University of Auckland, Oct 2004. email@example.com Abstract Honeypots are security resources which trap malicious activities, so they
Intrusion Detection & SNORT Fakrul Alam firstname.lastname@example.org Sometimes, Defenses Fail Our defenses aren t perfect Patches weren t applied promptly enough Antivirus signatures not up to date 0- days get through
User Documentation Web Traffic Security University of Stavanger Table of content User Documentation... 1 Web Traffic Security... 1 University of Stavanger... 1 UiS Web Traffic Security... 3 Background...
Threat Paper Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks Federal Computer Incident Response Center 7 th and D Streets S.W. Room 5060 Washington,
3GPP TSG SA WG3 Security S3#34 S3-040682 6-9 Jul 2004 updated S3-040632 Acapulco, Mexico Title: Selective Disabling of UE Capabilities; updated S3-040583 based on the comments in SA3#34 meeting Source:
A SECURITY GUIDE TO PROTECTING IP PHONE SYSTEMS AGAINST ATTACK With organizations rushing to adopt Voice over IP (VoIP) technology to cut costs and integrate applications designed to serve customers better,
TDC s perspective on DDoS threats DDoS Dagen Stockholm March 2013 Lars Højberg, Technical Security Manager, TDC TDC in Sweden TDC in the Nordics 9 300 employees (2012) Turnover: 26,1 billion DKK (2012)
WEB ATTACKS AND COUNTERMEASURES February 2008 The Government of the Hong Kong Special Administrative Region The contents of this document remain the property of, and may not be reproduced in whole or in
PREVENTIA Forward Thinking Security Solutions Stop DDoS Attacks in Minutes 1 On average there are more than 7,000 DDoS attacks observed daily. You ve seen the headlines. Distributed Denial of Service (DDoS)