A building is only as strong as its foundation. A server is only as secure as its most vulnerable point of access. A team is only strong if it works together.
No matter the language, culture, or industry, 10 different speakers from nine economies referred to one of these similar references during their presentations at the recent FIRST Technical Colloquia (TC).
Held on the eve of APRICOT 2016 in Auckland, New Zealand, the FIRST TC provided a discussion forum for FIRST members and guests to share information about vulnerabilities, incidents, tools and all other issues that affect the operation of incident response and security teams.
Attending a security event like this for the first time, you quickly recognize that the majority of the people in the room are very much on the same wavelength. Most have crossed paths multiple times and take the opportunity between sessions to over lean to their neighbour to catch up since their last shared meeting. Such a community can seem closed – a quality that is far from the truth – but with every presentation the nature of their closeness becomes apparent.
Security is firmly built on trust, and that is what these people have built between their familiar colleagues and what they seek to build with new colleagues in a bid to broaden their front against cybercriminals.
Chains of trust
Edward Lewis, a Senior Technologist from ICANN, introduced the concept of trust as the first speaker of the day, discussing ICANN’s role in the chain as manager of the Root Zone Key Signing Key (Geoff Huston, APNIC’s Chief Scientist, describes the KSK in detail in his post Measuring the Root KSK Keyroll).
ICANN recognizes this chain of trust still needs attention and is working with software developers, distributors as well as seeking feedback from the community as to how to improve the reliability of validation.
Automating information sharing
From chains of trust to ‘pyramids of pain’ – Jason Smith, Senior Technical Director from CERT Australia, talked about the levels of threat ranging from the easy hijacks to the apex TTPs, a harder nut to crack – which is more appealing to the more seasoned hacker.
CERT Australia advises more than 500 businesses and government departments in Australia and participates in a global network of national and regional CERTs, including APCERT. Informing such a broad and growing network in a timely manner has required them to reassess the way they collect and share traditional cyber threat intelligence, opting for a more automated system.
Since 2014, CERT Australia has implemented a set of automated communication and information standards which they hope their business and government partners will implement as a means to search, gather and share threat intelligence with the network.
TAXII™, the Trusted Automated eXchange of Indicator Information; STIX™, the Structured Threat Information eXpression; and CybOX™, the Cyber Observable eXpression are the three standards that CERTs around the world, including CERT Australia, are using to automate their cybersecurity information sharing.
Automated threat intelligence sharing is a relatively new area that other CERTs are circling with interest, waiting for more mature versions of the standards.
Measuring and mitigating cyber threats throughout Asia
Other regional CERTs from Korea (KrCERT/CC), Taiwan (TWNCERT) and China (CNCERT) also presented through the day, sharing with the audience case studies of intelligence gathering and mitigation programs they have been enacting over the past three years.
Below I’ve listed points of interest from these presentations:
- Phishing and spoofing account for two thirds of the 2,000 malicious websites KrCERT exposed in 2015.
- APT (Advance Persistent Threat) attacks are the main cyber threat for the Taiwan government according to TWNCERT. These attacks are particularly difficult to detect; on average it takes 205 days to detect these attacks.
- CNCERT estimated 1,491 attacks occurred in China per day between Jan-Aug 2015. In a move to reduce this, CNCERT and ISOC China implemented a 6-month cyber threat ‘clean up program’, exposing 61,596 incidents and reducing DDoS attacks by 82%.
Teamwork is worth investing in
With everyone investing time in building trust with other partners and money developing software packages, a team and its resources can sometimes become forgotten. Given that many security teams are already working with limited resources, this can have a rather large and immediate impact.
Hinne Hettema is the IT Security team leader at the University of Auckland, and has made it his mission to nurture and grow his own, largely graduate-based team, as well as inform other businesses about best practices for cybersecurity teams.
During his presentation he shared his four steps for an effective security service team:
- Secure by design – strategy, policy and architecture
- Secure in deployment – testing and remediation
- Secure in operation – monitoring and alerts
- Secure in breach – response
Geoffroy Thonon, Center Manager of Macau CERT (MOCERT), also talked about the need to invest in your team, describing his involvement in a set of simulated drills coordinated by APCERT to help 28 teams in Asia Pacific to learn and improve their responses. The drills allowed teams to not only test their own systems, but to also learn from other participating teams – another opportunity to form relationships and build trust with current and potential collaborators.
As Adli Wahid, our facilitator and FIRST board Member, acknowledged that training opportunities like these – and indeed meetings like FIRST’s TC – are vital and encouraged all Members and interested parties in the security community to get involved to share experience and build relationships.
Note: Check back in the next week for links to the slides of the presenters
The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.