POLISH TELECOM SECURITY INCIDENT RESPONSE TEAM

Transcription

1 POLISH TELECOM SECURITY INCIDENT RESPONSE TEAM Incident handling, statistics and procedures Warsaw, May 2003

2 TABLE OF CONTENTS I. INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM 3 II. TP NETWORK 4 1. Technologies 4 2. Structure of the network 5 3. Access to the Internet 6 III. INCIDENT HANDLING 7 1. Incident classification 7 2. Incident handling - support computing 8 IV. STATISTICS OF INCIDENTS Total number of registered incidents in Total number of registered incidents - type of events (I-IV.2003) Number attacks profile Percent of recognised categories of the incidents Complaints sender Source of attack 18 V. INCIDENT HANDLING - INCIDENT RESPONSE Cooperation Incident response Cooperation with Polish Police and Public Prosecutor 21 VI. CONCLUSION 23 2

3 I. Information about... I. Information about... TP Security Incident Response Team INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM TP Security Incident Response Team* History of the team start structure Team s activities registration and classification of incidents localisation of an intruder incident response analysis of new threats others (conferences, working meetings, mass-media) Basic rules of incidents handling gathering information from users, administrators, the police and other institutions about incidents concerning all addresses within Polish Telecom IP range incidents reported by government institutions are handled first 3

4 II. TP Network 1. Technologies Technologies TECHNOLOGIES VSAT X.25, TCP/IP Internet TCP/IP Frame Relay / ATM, X.25, TCP/IP X.25, X.28, X.32 X.400, X.500, EDI 4

5 II. TP Network 2. Structure of the network POLPAK Network POLPAK NETWORK Slupsk Gdansk Elblag Suwalki Koszalin Olsztyn Szczecin Torun Pila Bydgoszcz X2 Ciechanów Ostroleka Lomza Bialystok Gorzów Wlkp. Poznan Wloclawek Plock Warszawa Zielona Góra Leszno Konin Kalisz Skierniewice Lódz Siedlce Biala Podlaska LEGEND: MAN 2,5 Legend: Gb/s 155 Mb/s MAN 2,5Gb/s amount of links 155 Mb/s 34 Mb/s X2 amount of links Legnica Zgorzelec Jelenia Góra Lubin Walbrzych Wroclaw Opole Sieradz Katowice Bielsko Biala Piotrków Trybunalski Czestochowa Kraków X2 Kielce Nowy Sacz Radom Tarnobrzeg Tarnów Krosno Lublin Chelm Zamosc Rzeszów Przemysl Topology of the POLPAK-T (date: ) 5

6 II. TP Network 3. Access to the Internet Access to the Internet ACCESS TO THE INTERNET ISP INTERNET NSP Telia&OpenTransit (FT) 2,5 Gb/s LAN SUBSCRIBER TCP/IP LAN LMDS Terminal abonencki VSAT POLPAK do 2 Mb/s Frame Relay SUBSCRIBER Frame Relay MODEM PPP PSTN CVX-1800 MODEM LAN SUBSCRIBER TCP/IP VIDEO SUBSCRIBER TCP/IP MODEM ISDN PPP ISDN TELEPHON SPLITER do 8 Mb/s ADSL TERMINAL HIS HIS do 115 kb/s do 155 Mb/s ATM SUBSCRIBER ATM MODEM ADSL TELEPHON LAN 6

7 III. Incident handling 1. Incident classification Incident classification POLISH TELECOM CLASSIFICATION OF INCIDENTS H - The most dangerous incidents (hacking, breaking in, modifying, deleting, stealing) P Type of events concerning hacking attempts (scan, probe) T - Copyright and special incidents (requests of the Police, plagiarism, piracy) B - Denial of service incidents (flood, DoS, DDoS, mailbombing) O - Violation of the netiquette (offensive words, pornography) M - Spam incidents (spam to advertise) R - Spam-relay incidents (open relay, open proxy)* STARTING THE 3rd QUARTER OF 2002 TP RESPONSE TEAM USE COMMON LANGUAGE CLASSFICATION IN THEIR PROCEDURES 7

8 III. Incident handling 2. Incident handling... Incident Service System INCIDENT SERVICE SYSTEM (ISS) Incident Service System (ISS): Is a database which allows gathering, registering and classifying of incidents Contains an advanced administration mechanisms and access control Automates incident handling process by: tracking incident handling process quick access to stored incidents Accelerates incident handling 8

9 III. Incident handling 2. Incident handling... ISS function ISS FUNCTION Basic system function : incident importing from web site incident data inputting (from different sources) incident analysing incident searching printing warnings, reports, statistics sending reply intruder history Other system function: contacts and information management incident handling process management task planning 9

10 III. Incident handling 2. Incident handling... ISS structure diagram ISS STRUCTURE DIAGRAM INCIDENTS Phone call, fax Phone call, fax Internet users Letter Letter INTERNET Web browser Web Reporting browser form Reporting form Web browser Web Reporting browser form Reporting form INCIDENT HANDLING System operators ISS operator ISS operator ISS operator ISS LAN or WAN System administration 10

11 III. Incident handling 2. Incident handling... ISS incident handling process diagram ISS INCIDENT HANDLING PROCESS DIAGRAM STAGE 1 Registration, reply, analysis, classification, back up Incidents: - Phone - Fax - Letter Incidents: - - Reporting form Legend: Start states Working states Final states STAGE 2 Introduction, automatic reply, analysis, classification, back up INTRODUCTION STAGE 3 Locating, modification WITHOUT PHONE NUMBER LOCATING LOCATION SUSPENSION STAGE 4 analysis continuation, modification VERIFICATION STAGE 5 Response, information, modification PHONE CALL PRINTING TO ADMIN STAGE 6 Back up, blockade ENDED SUSPENSION CLOSED BLOCKED Process administration 11

12 III. Incident handling 2. Incident handling... ISS incident handling process diagram ISS INCIDENT HANDLING PROCESS DIAGRAM STAGE 1 Registration, reply, analysis, classification, back up Incidents: - Phone - Fax - Letter Incidents: - - Reporting form Legend: Start states Working states Final states STAGE 2 Introduction, automatic reply, analysis, classification, back up INTRODUCTION STAGE 3 Locating, modification WITHOUT PHONE NUMBER LOCATING LOCATION SUSPENSION STAGE 4 analysis continue, modification VERIFICATION STAGE 5 Response, information, modification - incidents: registration, introduction, analysis, modification - incidents : alarm system A - incidents number exceeded PHONE CALL PRINTING TO ADMIN STAGE 6 Back up, blockade - incidents : alarm system B - waiting time exceeded Process administration ENDED SUSPENSION CLOSED BLOCKED 12

13 IV. Statistics of incidents 1. Total number of... Number of incidents TOTAL NUMBER OF REGISTERED INCIDENTS IN Number of incidents Total number of incidents Number of spamrelay incidents* Year Number of other incidents */ Starting 2001 spam-relay events are not counted together with other incidents. 13

14 IV. Statistics of incidents 2. Total number of... Number of incidents - type of events NUMBER OF REGISTERED INCIDENS - TYPE OF EVENTS (I-IV.2003) IV.2003) 0,5% 2,0% 0,3% 0,1% 31,5% T O H M P B 65,7% Spam-relay events were not included 14

15 IV. Statistics of incidents 3. Number attack profile Number attack profile PROFILE OF ATTACKS (I-IV.2003) IV.2003) Number of incidents Scan Probe Internet worms Hacking Denial of Service Virus Mailbombing Spam* Other Attack profile */ Spam-relay events were not included 15

16 IV. Statistics of incidents 4. Percent of recognised... Percent of recognised categories of the incidents PERCENTAGE OF RECOGNISED INCIDENTS CATEGORIES (I-IV.2003) IV.2003) ACCORDING TO THE COMMON LANGUAGE CLASSIFICATION ,0% 81,7% 100,0% 100,0% 79,8,% Number of incidents[%] ,9% ,5% 0 Attackers Tool Vulnerability Action Target Unauthorized Result Objectives Category 16

17 IV. Statistics of incidents 5. Complaints sender Complaints sender SOURCE OF COMPLAINTS (I-IV.2003) IV.2003) 17% 83% Complaints from Poland Complaints from abroad 17

18 IV. Statistics of incidents 6. Source of attack Source of attack SOURCE OF ATTACKS (I-IV.2003) IV.2003) 8% 8% 31% 53% Dial-up ( /24/30) Leased lines (FR) Home Internet Solution (HIS) Asynchronous Digital Subscriber Line (ADSL) 18

19 V. Incident handling Cooperation Cooperation COOPERATION CERT Team (e.g. CERT Polska) The police Public Prosecutors Other government Institutions Other Polish ISPs 19

20 V. Incident handling Incident response Incident response INCIDENT RESPONSE I. Information/Warning 1. Phone Letter II. Blockade - discharge 20

21 V. Incident handling Cooperation with... Number of requests NUMBER OF REQUESTS FROM POLISH POLICE AND PUBLIC PROSECUTOR

22 V. Incident handling Cooperation with... Registered data and information REGISTRATION OF DATA AND INFORMATION SENT THROUGH THE NETWORK According to new regulations operators are obliged to enable selected government institution access to the following: Data subscriber / user identification location and identification connections between nodes in the network type of connection and other data Information sent through the network 22

23 VI. Conclusion Conclusion Conclusion - TP Security Incident Response Team CONCLUSION TP Security Incident Response Team* Operate against network abuse incidents, the additional role is to prevent, educate and inform. Team`s Web site, special line for victims, s, warnings. Trace kinds and ways of network abuse and adapt its procedures to current demands. CERT Cooperation, Security sites in the internet. Take active part in implementing standards of handle and incident classification. Implementing the Common Language classification. Cooperate with security institutions: the police, public prosecutors and network administrators. 23

24 HOW TO CONTACT TP SECURITY INCIDENT RESPONSE TEAM - INCIDENT REPORTING Incidents can be reported by: Web site (On-line Form): Address: - [email protected] - [email protected] - [email protected] TP S.A. - POLPAK Network Security Department ul. Nowogrodzka Warszawa POLAND Phone: +48 /22/ Fax: +48 /22/

25 ADDRESS SHEET PRESENTATION DEVELOPED BY: Division: Department: Phone #: Web site: TP SA - POLPAK Network Security +48 /22/ [email protected] 25