WHOIS Database for Incident Response & Handling

Post on 28-Jul-2015


Transcript of WHOIS Database for Incident Response & Handling


WHOIS Database For Incident Response & Handling

2015 CNCERT Annual Conference, Wuhan

Adli Wahid <adli@apnic.net>

Security Specialist, APNIC


大家好 (Hello Everyone!)

Presenter: Adli Wahid (@adliwahid)

Security Specialist, APNIC

Adli is responsible for the security outreach activities at APNIC. He engages with APNIC members, CSIRTs and law enforcement agencies in promoting security best practices.

Adli is also actively involved with regional CSIRT organisations such as APCERT, OIC-CERT and TF-CSIRT. He is currently a board member of FIRST.org.

Prior to joining APNIC, Adli was a regional Cyber Security Manager at Bank of Tokyo Mitsubishi – UFJ and Head of Malaysia CERT (MyCERT).

Areas of interest: CSIRTs, Honeypots, Malware, International Collaboration

Contact: adli@apnic.net

Agenda

1.  About APNIC

2.  Whois Database for Incident Handling & Response

3.  Challenges

4.  Conclusion


Intro to APNIC


What is APNIC?

•  Regional Internet Registry (RIR) for the Asia Pacific region
   –  Comprises 56 economies

•  Secretariat located in Brisbane, Australia
   –  Currently employs around 70 staff

•  Not-for-profit, membership-based organization

•  Governed by the Executive Council (EC), who are elected by the Members

The Regional Internet Registry for the Asia Pacific region

How APNIC supports the Internet community

•  Distribution and registration of Internet resources (IPv4, IPv6, ASN)

•  Facilitating the policy development process
   –  Via mailing lists, conferences etc.

•  Training services

•  Information dissemination

•  Collaboration & liaison

Security Initiatives @ APNIC

•  Target Audience
   –  Primarily Network Operators & Service Providers, APNIC members

Topics, by domain:

•  Routing: Resource Public Key Infrastructure (RPKI)

•  DNS: DNSSEC

•  Source Address Validation Everywhere (SAVE)

•  DDoS Mitigation

•  Abuse Handling & Incident Response: Updating IRT References in the APNIC Whois Database

http://www.apnic.net/security


Incident Response & Handling


The State of Security Incidents

•  Increasing

•  Greater Impact

•  Types of Incidents

•  Distributed in Nature

Challenges to Security Responders

Analysis
•  Source of Attack
•  Modus Operandi
•  Command & Control
•  Indicators of Compromise
•  Number of Bots / Infected Computers
•  Numbers of Samples

Fix / Recover
•  Patch Vulnerable Systems
•  Apply Firewall Rules
•  Clean Infected Computers
•  Disable Vulnerable Services
•  Remove Malicious Page

Recursive DNS Servers: https://dnsscan.shadowserver.org

Where to find information?

•  Whois Database
   –  Domain (Names) & Numbers
   –  Security point of contact for a domain?

•  Regional Internet Registry
   –  Maintains information related to IP Addresses & AS Numbers
   –  Including point of contact for Security

•  Incident Response Team (IRT) Object
   –  Specialised, mandatory IRT contacts for inetnum, inet6num & aut-num
   –  https://www.apnic.net/services/manage-resources/abuse-contacts
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/guide/irt

whois -h whois.apnic.net 202.12.29.175

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         helpdesk@apnic.net
abuse-mailbox:  helpdesk@apnic.net
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        hm-changed@apnic.net 20110704
source:         APNIC

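As an added example (not from the slides), the following Python parses whois output like the one above, follows the mnt-irt: reference from an inetnum/inet6num/aut-num object to its IRT object, and returns the abuse contact an incident handler would notify. The inetnum object and the 192.0.2.0/24 range in the sample are constructed assumptions; only the IRT object is the one shown on the slide.

```python
import re

# Constructed sample: a hypothetical inetnum (RFC 5737 range) that points at the
# IRT via mnt-irt:, followed by the IRT object shown on the slide. Real output
# would come from `whois -h whois.apnic.net <ip>`; embedded so this runs offline.
SAMPLE_WHOIS = """\
% [whois.apnic.net]
inetnum:        192.0.2.0 - 192.0.2.255
mnt-irt:        IRT-APNIC-IS-AP
source:         APNIC

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         helpdesk@apnic.net
abuse-mailbox:  helpdesk@apnic.net
auth:           # Filtered
mnt-by:         MAINT-APNIC-IS-AP
source:         APNIC
"""

ATTR_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

def parse_objects(text):
    """Split whois output into blank-line separated objects of attr -> [values];
    '%' lines are server comments, repeated attributes keep every value."""
    objects, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line ends the current object
            if current:
                objects.append(current)
                current = {}
        elif not line.startswith("%"):
            m = ATTR_RE.match(line)
            if m:
                current.setdefault(m.group(1), []).append(m.group(2).strip())
    if current:
        objects.append(current)
    return objects

def abuse_contact(text):
    """Follow mnt-irt: from the inetnum/inet6num/aut-num to its irt object and
    return abuse-mailbox: (fallback e-mail:); None if no IRT can be resolved."""
    objs = parse_objects(text)
    irt_name = next((o["mnt-irt"][0] for o in objs
                     if "mnt-irt" in o
                     and o.keys() & {"inetnum", "inet6num", "aut-num"}), None)
    for o in objs:
        if irt_name and o.get("irt", [None])[0] == irt_name:
            return (o.get("abuse-mailbox") or o.get("e-mail") or [None])[0]
    return None
```

A None result is the "information not available" case from the next slide: the resource has no mnt-irt:, or the referenced IRT object was not returned.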

Challenges with Information in the Whois Database

1.  Information not available

2.  Information not accurate
    –  There is a mechanism to update information or to report it

3.  No guarantee the recipient knows what to do, or what is expected of them

Examples

Dear IRT,

[We have identified a command & control server on your network that is related to the XYZ malware. Please do the necessary.]

[A host (a.c.d.e) on your network is hosting a phishing site of Bank BBB. Please remove the phishing site immediately. Refer to the screenshots.]

[The following IP addresses on your network are running an open DNS resolver that could be used in a DDoS amplification attack.]

Security Awareness & Incident Management for Network Operators / Providers

•  Understanding different types of incidents & reports
   –  Malware, DDoS, Data Breaches, Phishing etc.
   –  Suspicious Activities: Scanning

•  Impact of different types of incidents
   –  How do I prioritize?

•  Expectations: Process
   –  Take down or Investigate

•  Best Practices for Incident Handling
   –  Policy or Procedures

Best Practices

1.  Mobile Messaging Best Practices for Service Providers
    –  https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Mobile_Messaging_Best_Practices_Service_Providers-2015-04.pdf

2.  M3AAWG Anti-Abuse Best Common Practices for Hosting & Cloud Services
    –  https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf

3.  Many more here:
    –  https://www.m3aawg.org/published-documents

Role of National CERT / CSIRT

•  Help to reach out to the relevant person in the organization
   –  Translate
   –  Explain
   –  Incident Response Framework, Capacity Development, Information Sharing

•  What if there is no National CERT / CSIRT?
   –  See previous slides
   –  NZITF is a good model (http://www.nzitf.org.nz)

Conclusion

•  There is a need for accurate information in the whois database when dealing with abuse & security incidents

•  Training & creating awareness so that IRT / Abuse contacts know what to do will make a huge difference

•  Let’s work together!

More Information

•  Providing Abuse Contact Information
   –  https://www.apnic.net/services/manage-resources/abuse-contacts
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming/invalid-contact-form

•  E-Learning on Establishing a CSIRT
   –  https://training.apnic.net

•  APCERT
   –  http://www.apcert.org

•  FIRST
   –  http://www.first.org

谢谢 (Thank you!)

Adli Wahid <adli@apnic.net>