CSIRT-MU Computer security at Masaryk University Jan Soukal soukal@ics.muni.cz April 11, 2014 What can you expect? I am going to: — show how a computer security is managed at Masaryk University, — describe activities of the CSIRT-MU in detail, — point out typical benefits and/or issues you should expect when establishing a CSIRT team. Jan Soukal ·CSIRT-MU ·April 11, 2014 2 / 26 CSIRT-MU Overview — Computer Security Incident Response Team of Masaryk University. — Established in 2009. — Accredited by the Trusted Introducer in Februrary 2011. — Operated by the Institute of Computer Science, Masaryk University. — http://csirt.muni.cz/ Jan Soukal ·CSIRT-MU ·April 11, 2014 3 / 26 CSIRT-MU Constituency — All users of the Masaryk University’s network – 40.000 users per day. Network — Up to 20.000 active computers per day, — 147.251.0.0/16, — domain muni.cz. Jan Soukal ·CSIRT-MU ·April 11, 2014 4 / 26 CSIRT-MU — Team members are not local administrators. Goals — To create trustworthy central contact point for the MU’s network, — to manage and prevent computer security incidents in the MU’s network, — to help increase security level of IT infrastructure at the MU, — to increase elementary IT security knowledge among ordinary users at the MU. Jan Soukal ·CSIRT-MU ·April 11, 2014 5 / 26 CSIRT-MU Activities 1. Network traffic monitoring – to see what’s going on, 2. Incident Handling – to manage detected threats, 3. Research – to keep pace with attackers, 4. Development – to develop tools that suit our needs, 5. Cooperation – to share expertise and experience, 6. Education – mitigation of risks. Jan Soukal ·CSIRT-MU ·April 11, 2014 6 / 26 CSIRT-MU Structure 1. CSIRT-MU group – operational tasks, 2. Network Traffic Analysis Group – research and development, 3. Incident Analysis Group – forensics experts. Resources — Operational, cca 4 FTEs. — Research, cca 10 FTEs – greatly depends on projects. Jan Soukal ·CSIRT-MU ·April 11, 2014 7 / 26 Network traffic monitoring Purpose of monitoring — You need to know what is happening in your network. — You can detect threats and attacks or investigate reported events. — You protect your users. — (Czech) law aspect – you do your best to secure the network. — No personal data is collected, just network flows are analyzed. Jan Soukal ·CSIRT-MU ·April 11, 2014 8 / 26 Network traffic monitoring Users and the network — 40.000 users per day, — Up to 20.000 active computers per day, — IPv4 range of 147.251.0.0/16, — domain muni.cz. Monitoring infrastrucure — 24 FlowMon probes, — 3 main FlowMon collectors, — IPFIX format. Jan Soukal ·CSIRT-MU ·April 11, 2014 9 / 26 Network traffic monitoring Anomaly detection — Analysis of traffic data allows you to detect malicious activities. — We have developed and implemented several methods: — "generic" attacks detection – RDP and SSH brute-force, port scanning, etc., — suspicious activities detection – communication with C&C, etc., — even misconfigured or unsecured computers can be detected – open administration interfaces, etc. — However, detected anomalies still have to be handled somehow... Jan Soukal ·CSIRT-MU ·April 11, 2014 10 / 26 Incident Handling — CSIRT-MU is the central security authority in the MU’s network. — The main task is to coordinate resolution of security incidents. Request Tracker – Ticketing system — Operated by one or more incident handlers. — No personal e-mails. One single contact instead. — All issues are tracked and archived. — Detection tools send reports to RT via e-mail. Jan Soukal ·CSIRT-MU ·April 11, 2014 11 / 26 Incident Handling Security incident resolution — Rougly 1.000 incidents per week – vast majority are "generic" incidents. — Automated resolution of generic incidents is crucial. — Specialists can focus on difficult and unusual cases. — Example: PhiGARo anti-phishing tool – decreasing time needed for resolution from hours to minutes. Jan Soukal ·CSIRT-MU ·April 11, 2014 12 / 26 Incident Handling Typical issues and Lessons learned — Clear responsibility – list of responsible administrators, IT security directives, etc. — Communication issues – either local admins and users often see the CSIRT team as an "enemy". — Vulnerable users – low IT security knowledge, BYODs full of malware, etc. — People often do not care about security until something goes wrong. Jan Soukal ·CSIRT-MU ·April 11, 2014 13 / 26 Research Importance of research projects — Setting trends rather than following them. — Allows team to have more specialists and to raise their own. — Increasing team’s reputation. — Creating precious contacts and relationships. — Wider funding options. Risks — Project-based funding is not reliable in a long term. Jan Soukal ·CSIRT-MU ·April 11, 2014 14 / 26 Research Partners and Projects — NSA, NCSC (Govcert) – C4e, CPG. — Czech Ministry of Defense, U.S. Army – CIRC, CYBER, CAMNEP. — Ministry of Interior – Security of optical components. — Faculty of Informatics, other universities, etc. — Other CSIRT teams – Project WARDEN. Details http://www.muni.cz/ics/services/csirt/research Jan Soukal ·CSIRT-MU ·April 11, 2014 15 / 26 Research Key advantages — Having CSIRT team allows you to battle-test results of your research in a "real life network". — You can use results of your research in operational activities of your CSIRT team – just hitting two birds with one stone. Jan Soukal ·CSIRT-MU ·April 11, 2014 16 / 26 Development Based on — knowledge of our network – monitoring, — operational experience – incident handling, — possible threats and solutions – research. Goals — Automation of generic incidents’ resolution – our own extensions of the Request Tracker. — Specialized tools fitting our needs. — Proof-of-concept implementation of proposed methods. — Identification and attraction of talented students. Jan Soukal ·CSIRT-MU ·April 11, 2014 17 / 26 Development Our tools — RdpMonitor – RDP brute-force attacks detection plugin for NfSen. — SSHMonitor – SSH brute-force attacks detection plugin for NfSen. — PhiGARo – tool for phishing incidents’ management and resolution. — Honeyscan – honeynet monitoring plugin for NfSen. — Time series solver – network flow time series analysis tool. Download http://www.muni.cz/ics/services/csirt/tools Jan Soukal ·CSIRT-MU ·April 11, 2014 18 / 26 Cooperation Motivation — Sharing experience, expertise, tools and useful data is always a good choice – there is no need to reinvent the wheel. — Having sufficient CSIRT-community around your team. — Also we like to cooperate with students on their bachelor or diploma theses – of course we try to attract the best of them to our team ;) Jan Soukal ·CSIRT-MU ·April 11, 2014 19 / 26 Cooperation Partners — National Security Authority – together we educate security experts. — CESNET-CERTS – our "parent" NREN CSIRT team. — TEAM CYMRU – exchange of honeypots’ data, botnet C&C contacts, etc. — TF-CSIRT – enhancing of large scale communication between CSIRT teams. — INVEA-TECH – university spin-off. Jan Soukal ·CSIRT-MU ·April 11, 2014 20 / 26 Education Motivation — Educating your users should be less expensive than resolving "their" security incidents. — You (CSIRT team) should be recognized by your users – users should know you. Jan Soukal ·CSIRT-MU ·April 11, 2014 21 / 26 Education Activities — Educational web https://security.ics.muni.cz – interactive animations, explanations and warnings. — Phishing at your own risk – interactive anti-phishing workshop. — Seminars – for instance "We know about you". Jan Soukal ·CSIRT-MU ·April 11, 2014 22 / 26 Education Reality — Educational activities have low impact while being very resource consuming. — CSIRT team is recognized by local administrators but rarely by end users. Jan Soukal ·CSIRT-MU ·April 11, 2014 23 / 26 Summary — It is possible to run CSIRT team in a campus network. — Having an operational CSIRT team supported by network monitoring can greatly help you to extend your IT security research. — And vice-versa, an operational CSIRT team can deeply benefit from security research. — Having contacts in the field of IT security research is also essential. — Think twice when planning educational activities. Jan Soukal ·CSIRT-MU ·April 11, 2014 24 / 26 Questions & Answers Jan Soukal soukal@ics.muni.cz Thank you for your attention. Jan Soukal soukal@ics.muni.cz