Episode 89: How to Create a CSIRT
Amrit Williams, BigFix CTO, discusses the details of how to create a successful CSIRT with Ireland’s own Brian Honan of The Irish Reporting and Information Security Service.
TRANSCRIPT
Amrit Williams: Welcome, this is Amrit Williams, your host on “Beyond the Perimeter”, and today I am joined by Brian Honan, an independent security consultant in Dublin, Ireland. Brian is also one of the members who helped found, create, manage, maintain and get the word out about Ireland’s CSIRT program, the Irish Reporting and Information Security Service.
Brian, thanks for joining me today; I really appreciate your time. Talk about some of the mechanics of CSIRT programs. I know there are a lot of folks out here. One of the things I’ve always been impressed with in the security industry is the number of people who are willing to invest their time and resources in supporting causes for the greater community. And I think there are a lot of folks who really would like to get involved, even locally, in their own potential CERT programs, either fostering them or better enabling them or helping to create them in areas where they are not created.
So why don’t you dig in a little bit, Brian, about your experience in the whole process of creating an infrastructure there for CSIRT? And you mentioned a couple of things here, love to get your take on how these things get funded, how do you start it, how do you coordinate with others. So just start painting a picture here about how one goes about creating a CSIRT program and some of the obstacles and challenges and experiences you’ve had.
Brian Honan: Okay. I suppose the first thing you need to do is to identify the constituency that you’re going to serve; so who are you going to serve: is it going to be businesses, is it going to be the consumer, is it going to be government bodies, is it going to be educational bodies? So identify what is your constituency and focus in on that.
Next, identify what services that community needs from the CSIRT. Different CERTs provide different types of services. Are you going to be just sending out alerts to people; or are you going to coordinate incidents, whereby you can have a victim company talk to an ISP in a given jurisdiction to get an attack shut down from that area; or do you provide triage services, whereby either remotely or you send somebody out to sites where you can have people hands-on be able to issue. Are you going to do malware handling and malware analysis, et cetera, from a big reporting?
So figure out, A, what your community is; and, B, what that community wants from you. And then when you have that, sit down and try to figure out, well, what resources do you have to be able to provide those services to that community.
Resources can be very different things: it can be tools, it can be equipment, it can be offices. It’s also money, because invariably along the way you have to spend money somewhere; but it’s also having staff as well.
So from an IRISS point of view when I sat down and sort of said, “Okay, let’s set this up and get it running”, the big challenge for me was, I had already identified what the community was, because that’s going to be the Irish business community. We identified what the services were, because that was all the work we had done previously already. And the next part was, well, what resources do I have to put in place?
And I have been very lucky. I have been dealing a lot with the UK’s CPNI; they’re the part of the UK Government that looks after critical network infrastructure, and they have what’s called a WARP program — that’s the Warning, Advice, Reporting Points. Their website is www.warp.gov.uk. And they actually provide a package and a tool that you can use to have people subscribe to the service to get alerts and warnings out to them. And that service gets fed by other services such as US-CERT, Microsoft, Symantec, on all the different types of communities that are out there. So it’s a very, very effective platform to get up and running very quickly. That was the tool I identified as being the most cost-effective one for us to use.
I was also extremely lucky in that, as you mentioned, Amrit, Internet security industry is probably unique in a lot of ways, and one of them being the way people want to give so much back to the community. So I actually have 15 other volunteers working with me who have given up their time for free, for no reward at all, to help manage and learn IRISS on a daily basis.
So we provide our service 9:00 to 5:00 every business day. We have two volunteers working and managing the system each day. And then outside of that, then we have project 4:44 to keep things going as well. So we have been very lucky from that point of view.
(00:04:50)
So once you’ve got your tools and your resources, then figure out how much money you are going to need and try and get the money from somewhere. Again, I’ve been very lucky in that the way we provide our service to our community is by sponsorship. We have some very good sponsors with us. We have the SANS Institute, which has been a great help; without SANS, IRISS would not be up and running.
And we’ve also been very lucky with other sponsors. A local security firm here called Intelligent Solutions and NetWitness have also provided us with some sponsorship as well. So thanks to our sponsors, we’ve been able to continue getting our services out to the community.
Amrit Williams: It’s interesting as you are talking, obviously as I am talking with others, this is really a common theme. There is a lot of different services out there, there is a lot of sources of information. What do you think is… in terms of coordination of all this information, how does that work, specifically with the IRISS CSIRT program? How easy is it to coordinate with either the private sector, like a Symantec, McAfee or Microsoft, or some of the other CERT programs around the world? Can you talk a little bit about coordination or information coordination?
Brian Honan: Yeah, well, I suppose the first thing about getting information out to the users is that with the WARP platform that we’re using, when you sign up for the service, you’re given a logon ID and you can sign into the system. And then you’re given a choice of software, hardware and types of threats that you can receive the warning on.
So if you’re a Microsoft house with Cisco and Oracle, well, you just click those; you just highlight those buttons, and they’re the only ones you’re going to get from IRISS about software vulnerability or attacks. We also send out alerts.
So from the end user point of view, they get an email in their Inbox from IRISS; they know that it’s been embedded, because all those vulnerabilities are set into the WARP platform and are rated and identified as to how critical they are and then fed out ultimately through the system as well.
We can send out our own localized alerts, being the stuff that we’ve seen, and that can go out to people in their Inbox as well. So it’s a very effective way of cutting through all the noise and getting information to people the way they need it.
We coordinate with other CERTs. We have a dedicated email and 7:32 as far as the other CERTs are concerned, 07:34 that’s particularly issues going on or they have identified stuff that they want us to help them out with. And likewise, we have contacts in those CERTs to reciprocate the problem as well, the service as well.
All the time within the community here in Ireland, we’ve established relationships with the ISPs and the telcos and the bodies responsible for the infrastructures, and hopefully over time they’ll begin to trust the quality information that we’re giving them so that they can react appropriately as well.
Amrit Williams: Switch gears just a little bit, Brian. I know you get a lot of information; you are exposed to a lot of incidents that happen, not only in your neck of the woods, but around the world. What type of trends are you seeing over the last couple of years? Has there really been a significant shift in malware? A lot of people talk about it; but you’re sitting there on the frontline seeing a lot of the stuff happen. Can you talk a little bit about what your experience has been with the actual incidents themselves?
Brian Honan: The major incidents we’ve seen are the increase in compromise of websites to help either malware or phishing sites. So a lot of the incidents that we’re dealing with, we’re getting notified by CERTs in other countries or CERTs within the financial organizations to alert us that a small website belonging to a small company in Ireland has been hacked; the criminals have pushed a phishing site in the backend. So unbeknownst to the owner of that site, they are now hosting a phishing site that has been used to attack the clients of a certain bank in different countries. So we’re seeing quite a lot of that. So when we get that information, we contact the ISPs responsible, and they have their client take the offending site down.
We’ve also seen a lot of sites being compromised to host malware for a drive-by download as well. So again, the targets tend to be the small and medium companies who have a web presence, may not be very technically savvy, and their sites have been compromised unbeknownst to the host owner too.
We have seen other types of attacks as well, but they have been the majority of attacks that we’ve seen.
Amrit Williams: Anything specific to Ireland?
(00:09:54)
Brian Honan: Well, I suppose the funniest one we’ve seen has been phishing emails in the Irish language. That’s a targeted attack of the 10:00. There’s only a few hundred thousand people who speak Irish fluently in the world, and most of them live in Ireland; so to see a phishing email ask 10:12 is unusual in itself (laughing).
Amrit Williams: I have to ask: do they have as bad spelling and grammar when they speak the Irish language as they do in (laughing)…
Brian Honan: Well, like we have one or two native speakers on our team, and though it wasn’t fluent, it was actually — it wasn’t a Google translation (laughing). It was quite good, but it wasn’t done by a native speaker; they actually must have contacted somebody somewhere, but it was 10:41 so you have that.
Other attacks we’ve seen here in Ireland, and I can talk about because they’ve been in the newspapers here, are that small companies here were attacked whereby the criminals hacked into their network and modified their backup so that, when the backup would continue every night for a period of two weeks, the backups actually wouldn’t back up anything. So the source data wasn’t being backed up. And after a period of two or three weeks, the criminals would come back into the network again, and they then encrypted the data on the network and sent the victims an email saying, “You pay us $700 or you won’t get your data back”.
Now, of course, everybody’s reaction was, “Oh, well, I don’t have to worry about that; I have a backup”. And of course they go to their backup, and none of the tapes are on the disk, because they haven’t been… their backups have been altered.
So that was an attack that I haven’t heard — I’ve heard of ransomware attacks against individuals; but that was the first time I had seen a specific attack like that that was all thought out, whereby the backups were encrypted first and then the data encrypted and then the ransom note sent to the victims.
Amrit Williams: You know, as bad as this may sound, I never tire of listening to the creativity of the attackers; they’re extremely creative (laughing). I find it fascinating, and sometimes it makes me giddy; I don’t know why, but that’s probably a bad thing.
I wanted to touch base a little bit on what do you see as moving forward, the future. What type of things are you hoping to see happen with either the CSIRT programs or Information Security in general? How do we start changing this a little bit so that we can get ahead of what has generally been a very reactive industry?
Brian Honan: Well, with IRISS, our plan for the future is we want to develop and grow the maturity and the capabilities that we provide, and we’ve taken steps already. There is a community of CERTs within Europe called the TF-CSIRT, and we have just recently been accredited with full CERT status within that community, which has been a great milestone for us to achieve.
Our next milestone is to become members of FIRST, first.org, and provide more tools and better quality of service as a result of that out to our members.
We’re hoping to cooperate and partner more with organizations in Ireland to try and better provide services to the community and to better educate the community as well. And of course become more active and more involved in the international CERT community, whereby we can attend CERT meetings and conferences and be able to have that level.
Again, unfortunately, all of those things cost money; so we need to take small steps first, and over time hopefully funding will allow and we can achieve those.
On the greater scheme of things, Information Security in general, I would like to see us take a more risk and business approach to security. I think when people mention Information Security, even the business in a lot of places, their first reaction is, “It’s a computer problem, it’s an IT problem”.
Information Security is not an IT problem; it is very much a business problem. If somebody gets into your network, steals your comprising data, steals your customer list, gets into your bank account and enters your bank account, that is not an IT problem; that is a business problem, because you could be out of business the next morning. So we need to better engage with the business and the community so that they’re more aware of the actual threats that are out there and they’re able to deal with it as well.
Amrit Williams: I really like the way that was stated, Brian, and I think oftentimes in the Security industry, I think a lot of us feel that way; but there is always that challenge of convincing the business owners themselves or the greater community, the greater business, commercial, government, whatever it is, that this isn’t a computer problem. This is a business problem. This is a problem that affects our ability to continue delivering services and doing what we are supposed to be doing, and driving that awareness has been quite difficult.
(00:15:01)
Brian Honan: It has been. It’s not even just a business problem. In the bigger scheme of things, it’s a society problem as well. If a business can’t do what it’s supposed to be doing in a safe and secure manner, well, society in general is going to be impacted as well.
Let’s not go into the, as you said, the cyberwar or cyber espionage stuff, which is higher-level stuff than just the basic keeping the wheels turning and keeping the lights on. Business and the community need to realize that the threats are out there and they have to deal with them as well.
Amrit Williams: Brian, I really appreciate you joining me today. If folks want to interact with you, get some more information, reach out to you, do you have a place they can do that? Are you willing to talk to folks if they’ve got some more questions?
Brian Honan: Yeah. Well, my email is brian.honan@bhconsulting.ie. If you want to see IRISS, it’s www.iriss.ie. I’m also on Twitter; so if you want to listen to me rant and rave electronically, my Twitter handle is @brianhonan.
Amrit Williams: And that’s B-R-I-A-N, H-O-N-A-N.
Brian Honan: That’s correct, yeah.
Amrit Williams: Brian, fabulous conversation. I really appreciate you taking time today and hope to have you back on soon. Thanks a lot. I guess right now, I guess it’s… what kind of beer do you drink in Ireland there, Brian, at almost 6 o’clock on a Friday night?
Brian Honan: I drink Guinness.
Amrit Williams: Guinness (laughing)?
Brian Honan: Guinness for beer. Yeah, it has to be Guinness (laughing).
Amrit Williams: Hey, it’s like dinner, right (laughing)?
Brian Honan: Yeah, you drink enough that you don’t care about food any more.
(Laughter.)
Amrit Williams: Fantastic. Really appreciate your time, Brian; thanks a lot.
Brian Honan: No problem, Amrit. Thank you.
Announcer: You have just listened to “Beyond the Perimeter”, sponsored by BigFix Inc. Views expressed on this podcast are the personal opinions of podcast participants and do not reflect official positions of their employers or BigFix.
Thanks for listening!
