FIRST TC Kathmandu: Because sharing is caring

By on 2 Mar 2018

Category: Events

Website defacement is a common form of security breach in Nepal. Last year, over 750 ‘.np’ websites were defaced, one in five of them government websites.

Although these and other more malicious threats are becoming more prevalent in Nepal, it remains one of a handful of economies in the Asia Pacific region that do not have a (national) Computer Emergency Response Team (CERT) or a coordinated body to identify and mitigate cyber threats. For this reason, a growing number of private organizations are taking it upon themselves to initiate a coordinated response.

Speaking at the FIRST TC Kathmandu, which was held during APRICOT 2018 last week, local cybersecurity experts Saroj Lamichhane (Rigo Technologies Limited) and Rajan Pant (ITSERT-NP) shared their organizations’ experiences with over 60 national and international cybersecurity experts.

Saroj shared some statistics highlighting issues related to defacement, malware infection risks, exposure to new and old threats such as WannaCry and Heartbleed, as well as the security culture in organizations in Nepal.

Rajan spoke about the evolution of cybersecurity and issues within the banking sector in Nepal. According to a recent survey, there had been instances of clickjacking, poodling, and CRLF injection in the past 12 months.

It was rather interesting to see that both speakers arrived at a common conclusion in terms of the challenges organizations in Nepal face (human resources and awareness) and the need to do more: that is, community building, capacity building and information sharing.

While there’s a lot that needs to be done moving forward, I am also very positive that the regional and global security community is ready to lend a hand and support. This was evident in the presentations by representatives from APCERT, Cisco’s CSIRT and ICANN.

C is for community

The FIRST TC Kathmandu provided a forum for attendees and presenters to discuss information about vulnerabilities, incidents, tools and other issues that affect the operation of incident response and security teams.

Tom O’Brien (CERT Australia) shared with the audience some of the recent activities carried out by the Asia Pacific Computer Emergency Response Team (APCERT). Currently, with 30 teams from 21 economies, APCERT members collaborate in different areas including providing assistance to CERTs/CSIRTs in the region, training, information sharing and an annual security incident response exercise. I was also excited to hear that APCERT is expanding their reach through the introduction of new categories of partners (Liaison, Strategic and Corporate).

Continuous improvement is a thing

Security incidents such as the WannaCry infection can have a devastating impact on organizations. However, life goes on and we all must reflect on the lessons learned and improve.

One area that could be improved on, according to Yasunari Momoi from Internet Initiative Japan, is information sharing. This is because the sharer and recipient of information are not clear on the methodology and expectations. In addition, there is always a dilemma between accuracy, comprehensiveness and speed.

To address this challenge, the Information Security Operation providers Group Japan (ISOG-J) recently released a paper on the Six Ws on Cybersecurity Information Sharing. ISOG-J is also asking the community to provide feedback on the document, so please have a look.

Nurul Husna, from CyberSecurity Malaysia, also spoke about process improvement that took place in the organization. After many years of providing incident response services for the critical infrastructure sector, CyberSecurity Malaysia has introduced a new service combining incident response and forensics with the aim of sharing the threat information gathered with a wider audience.

Jordi Aguila, from eLC CSIRT Caixabank, shared his experience setting up a ‘red team’ at the bank to identify vulnerabilities and keep their defences or ‘blue team’ on alert. Jordi demonstrated some scenarios they have implemented and it was pretty obvious that if the good guys are not doing them, the miscreants will most likely try them.

CNCERT/CC’s Han-Bing Yan spoke about the challenge of dealing with DDoS attacks, one of the ‘evergreen’ topics in the security world. Everyone knows how DDoS works because we hear it often enough. However, the main problems are in remediating the zombies or computing devices (not just computers but IoT devices) that are part of botnets launching the attacks. This requires working with many stakeholders, not just the owners of the devices. According to Han-Bing, CNCERT/CC will be publishing a report of their work in June this year. Hopefully, there will be some practical recommendations that will come out of it.

Sharing is caring

One of the benefits of attending community events like the FIRST TC is the opportunity to get insights on how problems are managed, and hear behind-the-scenes stories.

Kiran S Narayanan and Archana Mendon from the Cisco CSIRT spoke about their incident response playbook, a collection of queries formulated and run against a variety of data sources to discover security incidents. Both speakers also shared how their playbook is being implemented in-house using freely available tools. If you are interested in learning more, then I recommend you read ‘Crafting the Infosec Playbook’ by Jeff Bollinger, Brandon Enright, and Matthew Valites, who are also members of the Cisco CSIRT. Alternatively, check out their series of blog posts.

bdCERT’s Suman Kumar Saha talked about the CERT’s experience in implementing BIND with Response Policy Zones. He mentioned this can be a quick win for organizations that would like to detect infected end-points or even prevent them from connecting to known malicious domains.

Speaking of domains, John Crain (ICANN) gave a heads-up on his team’s new initiative called the Domain Abuse Activity Reporting System (DAAR). This system uses data from public, open and commercial sources and can generate different types of reports such as threat activity at a TLD or registrar level, histories of security threats or domain registration activities and many more. The possibilities are many, and John showed several visualizations from DAAR’s datasets during his talk.

Last but not least, Vicky Ray (Unit42, PaloAlto Networks) shared his team’s analysis on a RAT (Remote Access Trojan) that was sold openly on the market. What was also interesting was the interaction they had with the RAT’s author, who seemed to not feel that they were doing anything wrong or illegal. If you are interested in this story, check out his team’s blog.

Overall it was a great day. I observed a lot of interaction during the Q&A session and also near the watering hole (thank you Netflix and Kathmandu Coffee baristas!). For many participants, this was their first experience with the CSIRT/CERT community and many good things come out of FIRST meetings.

Note: Slides from the presentations mentioned above will be made available on website shortly.

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.
