WHOIS Database for Incident Response & Handling

2015 CNCERT Annual Conference, Wuhan

Adli Wahid <[email protected]>, Security Specialist, APNIC

Transcript of WHOIS Database for Incident Response & Handling

Page 1: WHOIS Database for Incident Response & Handling

WHOIS Database For Incident Response & Handling

2015 CNCERT Annual Conference, Wuhan

Adli Wahid <[email protected]>

Security Specialist, APNIC

Page 2: WHOIS Database for Incident Response & Handling

大家好

Hello Everyone!

Page 3: WHOIS Database for Incident Response & Handling

Presenter Adli Wahid (@adliwahid)

Security Specialist, APNIC

Adli is responsible for the security outreach activities at APNIC. He engages with APNIC members, CSIRTs and Law Enforcement agencies in promoting security best practices.

Adli is also actively involved with regional CSIRT organisations such as APCERT, OIC-CERT and TF-CSIRT. He is currently a board member of FIRST.org.

Prior to joining APNIC, Adli was a regional Cyber Security Manager at Bank of Tokyo Mitsubishi – UFJ and Head of Malaysia CERT (MyCERT).

Areas of interest: CSIRTs, Honeypots, Malware, International Collaboration

Contact: Email: [email protected]

Page 4: WHOIS Database for Incident Response & Handling

Agenda

1.  About APNIC

2.  Whois Database for Incident Handling & Response

3.  Challenges

4.  Conclusion


Page 5: WHOIS Database for Incident Response & Handling

Intro to APNIC


Page 6: WHOIS Database for Incident Response & Handling

What is APNIC?

•  Regional Internet Registry (RIR) for the Asia Pacific region
   –  Comprises 56 economies

•  Secretariat located in Brisbane, Australia
   –  Currently employs around 70 staff

•  Not-for-profit, membership-based organization

•  Governed by the Executive Council (EC), who are elected by the Members

Page 7: WHOIS Database for Incident Response & Handling
Page 8: WHOIS Database for Incident Response & Handling

The Regional Internet Registry for the Asia Pacific region

Page 9: WHOIS Database for Incident Response & Handling

How APNIC supports the Internet community

•  Distribution and Registration of Internet Resources (IPv4, IPv6, ASN)

•  Facilitate the policy development process
   –  Via mailing lists, conferences etc.

•  Training services

•  Information dissemination

•  Collaboration & Liaison

Page 10: WHOIS Database for Incident Response & Handling

Security Initiatives @ APNIC

•  Target Audience
   –  Primarily Network Operators & Service Providers, APNIC members

Topics and the domain each addresses:

   Resource Public Key Infrastructure (RPKI): Routing
   DNSSEC: DNS
   Source Address Validation Everywhere (SAVE): DDoS Mitigation
   Updating IRT References in APNIC Whois Database: Abuse Handling & Incident Response

http://www.apnic.net/security

Page 11: WHOIS Database for Incident Response & Handling

Incident Response & Handling


Page 12: WHOIS Database for Incident Response & Handling

The State of Security Incidents

•  Increasing

•  Greater Impact

•  Types of Incidents

•  Distributed in Nature


Page 13: WHOIS Database for Incident Response & Handling

Challenges to the Security Responder

Analysis:

•  Source of Attack
•  Modus Operandi
•  Command & Control
•  Indicators of Compromise
•  Number of Bots / Infected Computers
•  Number of Samples

Fix / Recover:

•  Patch Vulnerable Systems
•  Apply Firewall Rules
•  Clean Infected Computers
•  Disable Vulnerable Services
•  Remove Malicious Page

Page 14: WHOIS Database for Incident Response & Handling


Recursive DNS Servers: https://dnsscan.shadowserver.org

Page 15: WHOIS Database for Incident Response & Handling

Where to find information?

•  Whois Database
   –  Domain (Names) & Numbers
   –  Security point of contact for a domain?

•  Regional Internet Registry
   –  Maintains information related to IP Addresses & AS Numbers
   –  Including point of contact for Security

•  Incident Response Team (IRT) Object
   –  Specialized mandatory IRT contacts for inetnum, inet6num & aut-num
   –  https://www.apnic.net/services/manage-resources/abuse-contacts
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/guide/irt

Page 16: WHOIS Database for Incident Response & Handling

whois -h whois.apnic.net 202.12.29.175

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         [email protected]
abuse-mailbox:  [email protected]
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        [email protected] 20110704
source:         APNIC
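The slide shows the raw IRT object returned by whois. An incident handler who processes many such lookups usually wants to extract the abuse-mailbox automatically and notice when a network has no IRT reference at all. The following Python is an added example written for this page, not code from APNIC or the presentation; the sample whois text is constructed to mirror the slide's format (with example.net addresses and a documentation prefix for the no-IRT case), and the object/attribute names follow the RPSL layout that APNIC whois uses (key: value lines, objects separated by blank lines, "%" server comment lines).

```python
"""Extract the abuse contact from RPSL-style whois output (e.g. whois -h whois.apnic.net <ip>).

Added example for this page; the sample text below is constructed, not a live lookup.
"""

# Constructed sample modelled on the APNIC output shown on the slide.
SAMPLE_WITH_IRT = """\
% [whois.apnic.net]
% Information related to '202.12.29.0 - 202.12.29.255'

inetnum:        202.12.29.0 - 202.12.29.255
netname:        APNIC-AP-EXAMPLE
mnt-irt:        IRT-APNIC-IS-AP
source:         APNIC

irt:            IRT-APNIC-IS-AP
address:        South Brisbane, Australia
e-mail:         is-contact@example.net
abuse-mailbox:  abuse@example.net
admin-c:        AIC1-AP
tech-c:         AIC1-AP
auth:           # Filtered
remarks:        APNIC Infrastructure Services
mnt-by:         MAINT-APNIC-IS-AP
changed:        hm-changed@example.net 20110704
source:         APNIC
"""

# Constructed sample for the "information not available" case: no mnt-irt, no irt object.
SAMPLE_NO_IRT = """\
inetnum:        198.51.100.0 - 198.51.100.255
netname:        EXAMPLE-NET
source:         APNIC
"""


def parse_rpsl(text):
    """Split whois output into objects.

    Each object is a list of (key, value) tuples in the order they appear.
    Objects are separated by blank lines; '%' lines are server comments and
    are dropped; lines starting with whitespace continue the previous value.
    """
    objects, current = [], []
    for line in text.splitlines():
        if line.startswith("%"):
            continue
        if not line.strip():
            if current:
                objects.append(current)
                current = []
            continue
        if line[0] in " \t" and current:  # continuation of the previous attribute
            key, val = current[-1]
            current[-1] = (key, val + " " + line.strip())
            continue
        key, _, val = line.partition(":")
        current.append((key.strip().lower(), val.strip()))
    if current:
        objects.append(current)
    return objects


def find_abuse_contacts(text):
    """Resolve the mnt-irt reference(s) of the returned inetnum to the IRT object's contacts.

    Returns a dict with the referenced IRT names, whether the IRT object was
    actually present in the output, and the abuse-mailbox / e-mail values found.
    An empty abuse_mailbox list is the signal that a handler must fall back to
    other sources (e.g. the registry's invalid-contact reporting process).
    """
    objects = parse_rpsl(text)
    irt_refs = [v for obj in objects for k, v in obj if k == "mnt-irt"]
    # Index IRT objects by name; the first attribute of an object is its class ("irt").
    irts = {}
    for obj in objects:
        if obj and obj[0][0] == "irt":
            attrs = {}
            for k, v in obj:
                attrs.setdefault(k, []).append(v)
            irts[obj[0][1]] = attrs
    result = {"irt_referenced": irt_refs, "irt_found": False,
              "abuse_mailbox": [], "email": []}
    for ref in irt_refs:
        attrs = irts.get(ref)
        if attrs is None:
            continue  # referenced but not returned: treat as unavailable
        result["irt_found"] = True
        result["abuse_mailbox"] += attrs.get("abuse-mailbox", [])
        result["email"] += attrs.get("e-mail", [])
    return result


if __name__ == "__main__":
    for label, sample in (("with IRT", SAMPLE_WITH_IRT), ("no IRT", SAMPLE_NO_IRT)):
        print(label, find_abuse_contacts(sample))
```

In practice the text fed to find_abuse_contacts would come from a whois client or the registry's web/RDAP interface; the point of keeping irt_found separate from the mailbox list is that "no contact" and "contact present but empty" are different failures, and both should be logged before a report is sent anywhere.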

Page 17: WHOIS Database for Incident Response & Handling

Challenges with Information in the Whois Database

1.  Information not available

2.  Information not accurate
   –  There is a mechanism to update the information or to report it as invalid

3.  No guarantee that the recipient knows what to do, or what is expected of them

Page 18: WHOIS Database for Incident Response & Handling

Examples

Dear IRT,

[We have identified a command & control server on your network that is related to the XYZ malware. Please do the necessary.]

[A host (a.c.d.e) on your network is hosting a phishing site of Bank BBB. Please remove the phishing site immediately. Refer to the screenshots.]

[The following IP addresses on your network are running an open DNS resolver that could be used in a DDoS amplification attack.]

Page 19: WHOIS Database for Incident Response & Handling

Security Awareness & Incident Management for Network Operators / Providers

•  Understanding different types of incidents & reports
   –  Malware, DDoS, Data Breaches, Phishing etc.
   –  Suspicious Activities: Scanning

•  Impact of different types of incidents
   –  How do I prioritize?

•  Expectations: Process
   –  Take down or Investigate

•  Best Practices for Incident Handling
   –  Policy or Procedures

Page 20: WHOIS Database for Incident Response & Handling

Best Practices

1.  Mobile Messaging Best Practices for Service Providers
   –  https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Mobile_Messaging_Best_Practices_Service_Providers-2015-04.pdf

2.  M3AAWG Anti-Abuse Best Common Practices for Hosting & Cloud Services
   –  https://www.m3aawg.org/sites/maawg/files/news/M3AAWG_Hosting_Abuse_BCPs-2015-03.pdf

3.  Many more here:
   –  https://www.m3aawg.org/published-documents

Page 21: WHOIS Database for Incident Response & Handling

Role of National CERT / CSIRT

•  Help to reach out to the relevant person in the organization
   –  Translate
   –  Explain
   –  Incident Response Framework, Capacity Development, Information Sharing

•  What if there is no National CERT / CSIRT?
   –  See previous slides
   –  NZITF is a good model (http://www.nzitf.org.nz)

Page 22: WHOIS Database for Incident Response & Handling

Conclusion

•  There is a need to have accurate information in the whois database for dealing with abuse & security incidents

•  Training & creating awareness, so that the IRT / Abuse contacts know what to do, will make a huge difference

•  Let's work together!

Page 23: WHOIS Database for Incident Response & Handling

More Information

•  Providing Abuse Contact Information
   –  https://www.apnic.net/services/manage-resources/abuse-contacts
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming
   –  https://www.apnic.net/apnic-info/whois_search/using-whois/abuse-and-spamming/invalid-contact-form

•  E-Learning on Establishing a CSIRT
   –  https://training.apnic.net

•  APCERT
   –  http://www.apcert.org

•  FIRST
   –  http://www.first.org

Page 24: WHOIS Database for Incident Response & Handling

谢谢 (Thank you!)

Adli Wahid <[email protected]>