CERT-RO Romanian Approach in Cyber Security

Catalin PATRASCU, catalin.patrascu@cert-ro.eu, http://www.cert-ro.eu

Page 1: CERT-RO Romanian Approach in Cyber Security

CERT-RO

Romanian Approach in Cyber Security

Catalin PATRASCU

[email protected]

http://www.cert-ro.eu

Page 2: CERT-RO Romanian Approach in Cyber Security

About CERT-RO

COM (2010) 2020: Europe 2020 Strategy & COM (2010) 245: A Digital Agenda for Europe

– Action area #3, Trust and Security: Member States should establish by 2012 a well-functioning network of CERTs at national level covering all of Europe

H.G. 494 / 2011

– Prevent, analyze, identify and react to cyber security incidents related to public IT&C infrastructure (not military, public safety, national security)

– National contact point for similar structures

– Elaborate and distribute public cyber security policies

– Analyze technical and procedural problems within cyber infrastructures.

Page 3: CERT-RO Romanian Approach in Cyber Security

CERT-RO Partners

Page 4: CERT-RO Romanian Approach in Cyber Security

CERT-RO Services

Service categories: Proactive, Reactive, Support

• Alerts on new threats and vulnerabilities that may affect national cyberspace.

• Notices regarding the possibility of major cyber security incidents occurring.

• Study guides and documentation on recent developments in the field of IT&C security.

• Security assessment for partners (audits, network and application pentests etc.).

• Alerts and warnings on the occurrence of activities preceding major attacks.

• Alerts and warnings related to the occurrence of cyber security incidents.

• Management of a database of national cyber security incidents.

• Security incident investigation and dissemination of results.

• Awareness activities for the government and partners.

• Risk assessments.

• Support for partners in developing their own CERT teams.

• Consulting services for securing critical infrastructures.

• Development of the national policy and security strategy with partners.

Page 5: CERT-RO Romanian Approach in Cyber Security

Ticketing System

CERT-RO uses Request Tracker for Incident Response (RTIR), a customised user interface which sits on top of Request Tracker (RT), a popular ticketing system.

Everyday use of RTIR is through a web interface and does not require any additional software to be installed on the user's machine.

RT and RTIR are open-source projects supported by Best Practical Solutions LLC and can be obtained from the company website:

http://bestpractical.com/rt/ - current stable release is RT 4.0.17

http://bestpractical.com/rtir/ - current stable release is RTIR 3.0.0

Page 6: CERT-RO Romanian Approach in Cyber Security

RTIR Interface - homepage

Page 7: CERT-RO Romanian Approach in Cyber Security

Incident Handling Workflow

RTIR's incident handling system relies primarily on e-mail.

E-mail messages reporting incidents, called Incident Reports, are sent to an email address configured by the CERT/CSIRT ([email protected]).

Messages that constitute on-going correspondence in the handling of a ticket include a number in the form [CERT-RO #34159] and are automatically appended to the corresponding RTIR ticket.

All new messages that do not include a number in the form [CERT-RO #34159] are stored as new Incident Reports and appear in the "New unlinked Incident Reports" section of the RTIR homepage.
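The routing rule described above (ticket number in the subject means "append to that ticket", otherwise "new unlinked Incident Report"), as an added Python model that is not RTIR's own mail gateway code; the queue tag, starting ticket number and the behaviour for an unknown ticket number are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Ticket-number pattern as it appears in RTIR subjects on the slides, e.g. "[CERT-RO #34159]".
TICKET_RE = re.compile(r"\[CERT-RO #(\d+)\]")


@dataclass
class Ticket:
    ticket_id: int
    subject: str
    history: list = field(default_factory=list)   # (sender, body) pairs in arrival order


class IncidentMailbox:
    """Simplified model of the RTIR mail gateway (assumption: not RTIR's real implementation)."""

    def __init__(self, next_id=34159):
        self.tickets = {}
        self.unlinked = []          # ids shown under "New unlinked Incident Reports"
        self.next_id = next_id

    def receive(self, sender, subject, body):
        """Route one inbound e-mail; returns ("appended", id) or ("new", id)."""
        m = TICKET_RE.search(subject)
        if m:
            tid = int(m.group(1))
            ticket = self.tickets.get(tid)
            if ticket is not None:
                ticket.history.append((sender, body))
                return ("appended", tid)
            # Assumption: a number that matches no known ticket is not trusted and
            # the message is treated as a fresh report rather than dropped.
        ticket = Ticket(self.next_id, subject)
        ticket.history.append((sender, body))
        self.tickets[ticket.ticket_id] = ticket
        self.unlinked.append(ticket.ticket_id)
        self.next_id += 1
        return ("new", ticket.ticket_id)


def demo():
    """Constructed exchange: an initial report followed by a reply carrying the ticket tag."""
    mb = IncidentMailbox()
    first = mb.receive("abuse@isp.example", "Phishing page hosted on our network", "URL and logs attached")
    reply = mb.receive("abuse@isp.example", "Re: [CERT-RO #34159] Phishing page", "Page taken down")
    return mb, first, reply
```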

Page 8: CERT-RO Romanian Approach in Cyber Security

Incident Handling Workflow

Page 9: CERT-RO Romanian Approach in Cyber Security

Dealing with Structured Data Feeds

CERT-RO receives daily reports (files with structured data) that together contain 50,000 to 100,000 records related to cyber security events.

That volume of data requires an automated processing system.

Currently we use an in-house developed solution to automatically:

• collect all data feeds;

• store them in a relational database (MySQL);

• perform data enrichment;

• distribute alerts to the affected parties.

Right now we are working on adopting STIX (Structured Threat Information eXpression) - http://stix.mitre.org/, supported by MITRE, which is a collaborative community-driven effort to define and develop a standardized language to represent structured cyber threat information.
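The four-step pipeline listed on this slide (collect, store, enrich, distribute), as an added Python example that is not CERT-RO's in-house solution; the feed format, the netblock-to-contact table and the use of in-memory SQLite in place of MySQL are assumptions.

```python
import csv
import io
import ipaddress
import sqlite3
from collections import defaultdict

# Constructed sample feed standing in for one daily structured data file.
FEED = """timestamp,ip,event_type,source
2013-06-01T08:00:00Z,198.51.100.10,botnet_drone,feedA
2013-06-01T08:05:00Z,198.51.100.10,botnet_drone,feedB
2013-06-01T09:00:00Z,203.0.113.7,open_resolver,feedA
2013-06-01T09:30:00Z,192.0.2.99,malware_url,feedC
"""

# Constructed netblock-to-owner table used for enrichment (placeholder contacts).
NETBLOCKS = {
    "198.51.100.0/24": "abuse@isp-one.example",
    "203.0.113.0/24": "abuse@isp-two.example",
}


def collect(text):
    """Step 1: parse a CSV feed into dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def store(records, conn):
    """Step 2: persist the records in a relational table (SQLite here, MySQL on the slide)."""
    conn.execute("CREATE TABLE IF NOT EXISTS events (ts TEXT, ip TEXT, event_type TEXT, source TEXT)")
    conn.executemany("INSERT INTO events VALUES (:timestamp, :ip, :event_type, :source)", records)
    conn.commit()


def enrich(conn):
    """Step 3: collapse duplicate reports per (ip, event_type) and attach the responsible contact."""
    nets = [(ipaddress.ip_network(n), c) for n, c in NETBLOCKS.items()]
    rows = conn.execute("SELECT ip, event_type, COUNT(*) FROM events GROUP BY ip, event_type")
    out = []
    for ip, event_type, count in rows:
        addr = ipaddress.ip_address(ip)
        contact = next((c for net, c in nets if addr in net), None)
        out.append({"ip": ip, "event_type": event_type, "reports": count, "contact": contact})
    return out


def distribute(enriched):
    """Step 4: bundle alerts per contact; IPs with no known owner land in an 'unresolved' queue."""
    alerts = defaultdict(list)
    for e in enriched:
        alerts[e["contact"] or "unresolved"].append(e)
    return dict(alerts)


def run_pipeline(text=FEED):
    conn = sqlite3.connect(":memory:")
    store(collect(text), conn)
    return distribute(enrich(conn))
```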

Page 10: CERT-RO Romanian Approach in Cyber Security

Report on cyber security alerts received by CERT-RO in the first 6 months of 2013

Page 11: CERT-RO Romanian Approach in Cyber Security

Report on cyber security alerts received by CERT-RO in the first 6 months of 2013 (chart: number of alerts and number of unique IPs)

Page 12: CERT-RO Romanian Approach in Cyber Security

Advanced Persistent Threats – APTs

In the first two months of 2013, two cyber espionage campaigns that targeted public institutions from Romania were discovered.

Red October (ROCRA)

• Infection vector: email message with malicious document attached

• Exploited vulnerabilities: CVE-2009-3129 (Excel), CVE-2010-3333 (Word), CVE-2012-0158 (Word)

MiniDuke

• Infection vector: email message with malicious document attached

• Exploited vulnerabilities: 0-day exploit CVE-2013-0640/641 (Adobe Reader)

Page 13: CERT-RO Romanian Approach in Cyber Security

Conclusions

Based on the analysis of data held by CERT-RO, IT security threats to the national cyberspace have diversified, and evolving trends were observed both in quantity and in technical complexity.

Page 14: CERT-RO Romanian Approach in Cyber Security

THANK YOU!