POLISH TELECOM SECURITY INCIDENT RESPONSE TEAM

Warsaw, May 2003

Incident handling, statistics and procedures


TABLE OF CONTENTS

I. INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM
II. TP NETWORK
   1. Technologies
   2. Structure of the network
   3. Access to the Internet
III. INCIDENT HANDLING
   1. Incident classification
   2. Incident handling - support computing
IV. STATISTICS OF INCIDENTS
   1. Total number of registered incidents in 1997 - 2003
   2. Total number of registered incidents - type of events (I-IV.2003)
   3. Number attacks profile
   4. Percent of recognised categories of the incidents
   5. Complaints sender
   6. Source of attack
V. INCIDENT HANDLING - INCIDENT RESPONSE
   1. Cooperation
   2. Incident response
   3. Cooperation with Polish Police and Public Prosecutor
VI. CONCLUSION

Regarding: TP Security Incident Response Team

I. INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM

§ History of the team
  - 1997 - start
  - structure

§ Team's activities
  - registration and classification of incidents
  - localisation of an intruder
  - incident response
  - analysis of new threats
  - others (conferences, working meetings, mass-media)

§ Basic rules of incident handling
  - gathering information from users, administrators, the police and other institutions about incidents concerning all addresses within the Polish Telecom IP range
  - incidents reported by government institutions are handled first

TP Security Incident Response Team*


II. TP NETWORK

1. TECHNOLOGIES

[Diagram: technologies used in the TP network]
- Internet: TCP/IP
- Frame Relay / ATM, X.25, TCP/IP
- X.25, X.28, X.32, X.400, X.500, EDI
- X.25, TCP/IP
- VSAT


2. STRUCTURE OF THE NETWORK - POLPAK NETWORK

[Network map: Topology of the POLPAK-T (date: 02.01.2002). Legend: 2,5 Gb/s, 155 Mb/s and 34 Mb/s links, MAN, amount of links (X2). Nodes shown: Warszawa, Gdansk, Poznan, Bydgoszcz, Szczecin, Olsztyn, Lódz, Wroclaw, Kraków, Katowice, Rzeszów, Lublin, Bialystok, Legnica, Radom, Kielce, Kalisz, Skierniewice, Piotrków Trybunalski, Leszno, Slupsk, Chelm, Jelenia Góra, Czestochowa, Tarnobrzeg, Opole, Bielsko-Biala, Elblag, Suwalki, Biala Podlaska, Nowy Sacz, Gorzów Wlkp., Koszalin, Torun, Lubin, Zielona Góra, Plock, Walbrzych, Wloclawek, Tarnów, Sieradz, Siedlce, Krosno, Konin, Ostroleka, Przemysl, Lomza, Zamosc, Pila, Ciechanów, Zgorzelec.]


3. ACCESS TO THE INTERNET

[Diagram: subscriber access to the Internet through the POLPAK network]
- ADSL / HIS: telephone - splitter - ADSL modem, up to 8 Mb/s
- HIS terminal: telephone, up to 115 kb/s
- Dial-up (CVX-1800 access server): ISDN modem or PSTN modem, PPP, subscriber TCP/IP
- ATM: up to 155 Mb/s, subscriber ATM (video, LAN)
- Frame Relay: modem, up to 2 Mb/s, subscriber Frame Relay (LAN)
- LMDS / VSAT: subscriber terminal, subscriber TCP/IP (LAN)
- Upstream: ISP / Internet via NSP Telia & OpenTransit (FT), 2,5 Gb/s


III. INCIDENT HANDLING

1. INCIDENT CLASSIFICATION - POLISH TELECOM CLASSIFICATION OF INCIDENTS

H - The most dangerous incidents (hacking, breaking in, modifying, deleting, stealing)
P - Type of events concerning hacking attempts (scan, probe)
T - Copyright and special incidents (requests of the Police, plagiarism, piracy)
B - Denial of service incidents (flood, DoS, DDoS, mailbombing)
O - Violation of the netiquette (offensive words, pornography)
M - Spam incidents (spam to advertise)
R - Spam-relay incidents (open relay, open proxy)*

STARTING THE 3rd QUARTER OF 2002 THE TP RESPONSE TEAM USES THE COMMON LANGUAGE CLASSIFICATION IN ITS PROCEDURES


2. INCIDENT HANDLING - SUPPORT COMPUTING: INCIDENT SERVICE SYSTEM (ISS)

Incident Service System (ISS):
§ Is a database which allows gathering, registering and classifying of incidents
§ Contains advanced administration mechanisms and access control
§ Automates the incident handling process by:
  - tracking the incident handling process
  - quick access to stored incidents
§ Accelerates incident handling


ISS FUNCTION

Basic system functions:
§ incident importing from web site
§ incident data inputting (from different sources)
§ incident analysing
§ incident searching
§ printing warnings, reports, statistics
§ sending reply
§ intruder history

Other system functions:
§ contacts and information management
§ incident handling process management
§ task planning


ISS STRUCTURE DIAGRAM

[Diagram: Internet users report incidents through a web browser (reporting form), e-mail, phone call, fax or letter. The reports reach the ISS over the Internet or over LAN/WAN; ISS operators and system operators perform the incident handling, and system administration manages the ISS itself.]


ISS INCIDENT HANDLING PROCESS DIAGRAM

[Process diagram. Legend: start states, working states, final states; N - process administration.
States shown: Introduction, Locating, Location, Verification, E-mail to admin, Without phone number, Phone call, Printing, Suspension, Ended, Closed, Blocked.
Incident sources: e-mail, reporting form; phone, fax, letter.]

STAGE 1 - Registration, reply, analysis, classification, back up
STAGE 2 - Introduction, automatic reply, analysis, classification, back up
STAGE 3 - Locating, modification
STAGE 4 - Analysis continuation, modification
STAGE 5 - Response, information, modification
STAGE 6 - Back up, blockade


ISS INCIDENT HANDLING PROCESS DIAGRAM (continued)

[The same process diagram as on the previous slide: start, working and final states (Introduction, Locating, Location, Verification, E-mail to admin, Without phone number, Phone call, Printing, Suspension, Ended, Closed, Blocked), incident sources (e-mail, reporting form; phone, fax, letter) and stages 1-6: Registration, reply, analysis, classification, back up; Introduction, automatic reply, analysis, classification, back up; Locating, modification; Analysis continuation, modification; Response, information, modification; Back up, blockade.]

Legend:
N - Process administration
- incidents: registration, introduction, analysis, modification
- incidents: alarm system A - incidents number exceeded
- incidents: alarm system B - waiting time exceeded
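The classification letters and the ISS lifecycle described above (stages 1-6, the process states, alarm A for an exceeded incident count and alarm B for an exceeded waiting time) can be sketched as a small incident register. The code below is an added example, not code from Polish Telecom's ISS: the category letters, state names, stage contents and the two alarm conditions come from the slides, while the keyword heuristic used for the first-pass classification, the transition table between states, the rule that e-mail and form reports get an automatic reply, and the alarm thresholds are assumptions made for the illustration.

```python
"""Model of an ISS-style incident register: classification, per-incident state
tracking and the two alarm conditions from the slides. Added example, not
Polish Telecom's code; assumptions are marked in comments."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from itertools import count

# Category letters from the "Classification of incidents" slide.
CATEGORY = {"H": "hacking, breaking in, modifying, deleting, stealing",
            "P": "hacking attempts (scan, probe)", "T": "copyright and special",
            "B": "denial of service", "O": "netiquette violation",
            "M": "spam", "R": "spam relay (open relay, open proxy)"}

# First-pass keyword heuristic (assumption); most specific patterns first so
# "open relay used for spam" lands in R, not M, and "scan" beats "hacking".
KEYWORDS = [("open relay", "R"), ("open proxy", "R"), ("mailbomb", "B"),
            ("ddos", "B"), ("flood", "B"), ("denial of service", "B"),
            ("scan", "P"), ("probe", "P"), ("copyright", "T"), ("piracy", "T"),
            ("police", "T"), ("break-in", "H"), ("hack", "H"), ("deface", "H"),
            ("stolen", "H"), ("spam", "M"), ("offensive", "O"), ("pornograph", "O")]


def classify(report: str) -> str:
    """Return the category letter for a report, or '?' when no rule matches."""
    text = report.lower()
    for keyword, code in KEYWORDS:
        if keyword in text:
            return code
    return "?"


class State(Enum):
    INTRODUCTION = "introduction"                  # start state
    LOCATING = "locating"                          # working states ...
    VERIFICATION = "verification"
    EMAIL_TO_ADMIN = "e-mail to admin"
    WITHOUT_PHONE_NUMBER = "without phone number"
    PHONE_CALL = "phone call"
    PRINTING = "printing"
    SUSPENSION = "suspension"
    ENDED = "ended"                                # final states ...
    CLOSED = "closed"
    BLOCKED = "blocked"


FINAL = {State.ENDED, State.CLOSED, State.BLOCKED}

# Allowed transitions (assumption following the stage list: locate, verify,
# notify the administrator by e-mail, phone or printed letter, then end,
# close or block; suspension pauses a working step).
TRANSITIONS = {
    State.INTRODUCTION: {State.LOCATING, State.CLOSED},
    State.LOCATING: {State.VERIFICATION, State.SUSPENSION, State.CLOSED},
    State.VERIFICATION: {State.EMAIL_TO_ADMIN, State.WITHOUT_PHONE_NUMBER,
                         State.PHONE_CALL, State.SUSPENSION, State.CLOSED},
    State.WITHOUT_PHONE_NUMBER: {State.PRINTING, State.EMAIL_TO_ADMIN},
    State.PRINTING: {State.ENDED, State.SUSPENSION},
    State.EMAIL_TO_ADMIN: {State.ENDED, State.BLOCKED, State.SUSPENSION},
    State.PHONE_CALL: {State.ENDED, State.BLOCKED, State.SUSPENSION},
    State.SUSPENSION: {State.LOCATING, State.VERIFICATION, State.CLOSED},
}


@dataclass
class Incident:
    ident: int
    source: str            # e-mail, reporting form, phone, fax, letter
    report: str
    category: str
    opened_at: datetime
    last_change: datetime  # drives alarm B (waiting time)
    state: State = State.INTRODUCTION
    replied: bool = False


class Registry:
    """Database side of the ISS: register, classify, track, raise alarms."""
    AUTO_REPLY_SOURCES = {"e-mail", "reporting form"}  # stage 2 auto reply (assumption)

    def __init__(self):
        self.incidents = {}
        self._ids = count(1)

    def register(self, source: str, report: str, now: datetime) -> Incident:
        # Stage 1/2: registration, reply, classification.
        inc = Incident(next(self._ids), source, report, classify(report), now, now)
        inc.replied = source in self.AUTO_REPLY_SOURCES
        self.incidents[inc.ident] = inc
        return inc

    def advance(self, ident: int, new_state: State, now: datetime) -> Incident:
        # Move an incident along the process; moves outside the table are refused.
        inc = self.incidents[ident]
        if new_state not in TRANSITIONS.get(inc.state, set()):
            raise ValueError(f"incident {ident}: {inc.state.value} -> {new_state.value}")
        inc.state, inc.last_change = new_state, now
        return inc

    def alarms(self, now: datetime, max_open: int = 100,
               max_wait: timedelta = timedelta(hours=48)) -> dict:
        # Alarm A: open incident count exceeded; alarm B: open incidents whose
        # last change is older than max_wait. Thresholds are assumptions.
        open_ = [i for i in self.incidents.values() if i.state not in FINAL]
        waiting = [i.ident for i in open_ if now - i.last_change > max_wait]
        return {"A": len(open_) > max_open, "B": waiting}
```

Registering a constructed e-mail report such as "port scan from your range" yields category P with an automatic reply, a letter reporting an open relay yields R without one, and once an incident has moved to E-mail to admin the registry refuses a jump back to Locating; calling alarms() two days later lists every still-open incident under alarm B.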


IV. STATISTICS OF INCIDENTS

1. TOTAL NUMBER OF REGISTERED INCIDENTS IN 1997 - 04.2003

[Bar chart: number of incidents per year (x-axis: 1997, 1998, 1999, 2000, 2001, 2002, 04.2003; y-axis: 0-180000). Series: total number of incidents, number of spam-relay incidents*, number of other incidents. Values shown on the chart: 324, 928, 2899, 10401, 24820, 10983, 57881, 109981, 52245, 63146.]

*/ Starting 2001 spam-relay events are not counted together with other incidents.


2. NUMBER OF REGISTERED INCIDENTS - TYPE OF EVENTS (I-IV.2003)

Spam-relay events were not included.

[Pie chart: share of each incident type. Legend: T, O, H, M, P, B. Values shown: 31,5%, 65,7%, 0,3%, 0,1%, 2,0%, 0,5%.]


3. PROFILE OF ATTACKS (I-IV.2003)

[Bar chart: number of incidents per attack profile (y-axis: 0-35000). Attack profiles: Scan, Probe, Internet worms, Hacking, Denial of Service, Virus, Mailbombing, Spam*, Other. Values shown: 2156, 206, 30260, 62, 201, 647, 35, 16437, 2241.]

*/ Spam-relay events were not included


4. PERCENTAGE OF RECOGNISED INCIDENT CATEGORIES (I-IV.2003) ACCORDING TO THE COMMON LANGUAGE CLASSIFICATION

[Bar chart: y-axis number of incidents [%]; x-axis categories: Attackers, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives. Values shown: 0,5%, 96,0%, 81,7%, 100,0%, 100,0%, 79,8%, 40,9%.]


5. COMPLAINTS SENDER - SOURCE OF COMPLAINTS (I-IV.2003)

[Pie chart: complaints from Poland vs. complaints from abroad. Values shown: 17%, 83%.]


6. SOURCE OF ATTACK - SOURCE OF ATTACKS (I-IV.2003)

[Pie chart by access type: Dial-up (0-20-21-22/24/30), Leased lines (FR), Home Internet Solution (HIS), Asynchronous Digital Subscriber Line (ADSL). Values shown: 8%, 31%, 53%, 8%.]


V. INCIDENT HANDLING - INCIDENT RESPONSE

1. COOPERATION

§ CERT teams (e.g. CERT Polska)
§ The police
§ Public Prosecutors
§ Other government institutions
§ Other Polish ISPs


2. INCIDENT RESPONSE

I. Information / Warning
   1. Phone
   2. E-mail
   3. Letter

II. Blockade - discharge


3. COOPERATION WITH POLISH POLICE AND PUBLIC PROSECUTOR - NUMBER OF REQUESTS

[Bar chart: number of requests from Polish Police and Public Prosecutor per year (x-axis: 1998, 1999, 2000, 2001, 2002, 03.2003; y-axis: 0-450). Individual values are not given on the slide.]


REGISTRATION OF DATA AND INFORMATION SENT THROUGH THE NETWORK

According to new regulations operators are obliged to enable selected government institutions access to the following:

§ Data
  - subscriber / user identification
  - location and identification of connections between nodes in the network
  - type of connection and other data

§ Information sent through the network


VI. CONCLUSION - TP SECURITY INCIDENT RESPONSE TEAM

§ Operates against network abuse incidents; its additional role is to prevent, educate and inform (team's web site, special line for victims, e-mails, warnings).

§ Traces the kinds and ways of network abuse and adapts its procedures to current demands (CERT cooperation, security sites on the Internet).

§ Takes an active part in implementing standards of incident handling and classification (implementing the Common Language classification).

§ Cooperates with security institutions: the police, public prosecutors and network administrators.

TP Security Incident Response Team*


HOW TO CONTACT TP SECURITY INCIDENT RESPONSE TEAM - INCIDENT REPORTING

Incidents can be reported by:

§ E-mail: [email protected], [email protected], [email protected]
§ Web site (on-line form): http://www.tpnet.pl/eng_ver/abuse/php
§ Address: TP S.A. - „POLPAK” Network Security Department, ul. Nowogrodzka 47, 00-695 Warszawa, POLAND
§ Phone: +48 /22/ 58-50-777
§ Fax: +48 /22/ 824-14-52


ADDRESS SHEET

PRESENTATION DEVELOPED BY:
Division: TP SA - „POLPAK”
Department: Network Security
E-mail: [email protected]
Phone #: +48 /22/ 58 50 777
Web site: http://www.tpnet.pl/eng_ver/abuse/php