Incident Response - Eg-CERT
Incident Response
National Telecom Regulatory Authority - EGYPT
Proactive VS. Reactive services
Proactive Services
Designed to improve security capabilities before any
incident occurs or is detected. The main goals are to
avoid incidents, and to reduce their impact and scope
when they do occur.
Penetration testing, malware analysis and awareness
teams perform proactive services.
Reactive Services
Reactive services are designed to respond to requests
for assistance, reports of incidents from the EG-CERT
constituency, and any threats or attacks against
Egyptian critical information infrastructure.
Incident Response and Cyber Forensics teams perform
reactive services.
EG-CERT scope
CRITICAL INFRASTRUCTURE
Cybersecurity Risk Landscape
Different Types of Incidents
Incident type:
o Malware URL
o DDoS attack
o Abusive content
o Website defacement
o SQL injection
o RFI
o Authentication bypass
APTs constitute a mature attack and introduce a new paradigm of cyber security threats.

Maturity level: Basic -> Advanced -> APTs

Basic
Simple, easily accessed tools, used by amateur hackers and not particularly targeted.
Examples:
o Generic phishing scams
o Attacks against organizations with little-to-no security (weakest in the herd / opportunistic approach)
o Cyber techniques available on the internet / open source
Types of attackers:
o Amateur hackers
o Scam artists

Advanced
Technically mature, developed by advanced individuals or teams, but not coordinated or extremely targeted.
Examples:
o Distributed Denial of Service
o Targeted private data extraction
o Extortion as motive
o Customized tools
o Developed techniques
Types of attackers:
o Extortionists
o Mature cyber criminals

APTs
Sophisticated, planned over long periods, complex, and targeted.
Examples:
o Highly sophisticated adversaries who can bypass virtually all of today’s “best practice” security controls
o Primary goal is long-term, persistent occupation for data theft, intelligence espionage, and other malicious activities
Types of attackers:
o Nation states
o Sophisticated adversaries
Organizations with sensitive data need to be especially wary of APTs: marginal improvements in traditional security are not enough.

Target: 2008: Large Oil Companies
Result: Companies unaware of the extent of the attack until alerted by the FBI; APTs had been persistent since 2008 and actively exfiltrating e-mails and passwords of senior executives.
Motivation: Attackers sought valuable data about new discoveries of oil deposits (this data can cost hundreds of millions of dollars to produce).

Target: 2010: Sophisticated Technology Companies
Result: Chinese attackers successfully exfiltrated sensitive data from the servers of Google, Adobe, Yahoo, Dow Chemical, and Symantec (a leading manufacturer of computer security products).
Motivation: Attackers sought persistent access to cutting-edge intellectual capital.

Target: 2010: Stuxnet
Result: Attackers successfully infiltrated several nuclear sites and damaged uranium enrichment facilities. Cited as one of the most refined pieces of malware ever discovered; experts believe only a nation state would be able to produce it.
Motivation: Attackers sought to disrupt critical industrial infrastructure, specifically targeting nuclear facilities.
Cyber Security has to be an important part of the development of the Information Society & Digital Transformation era.
Our Mission (Feeds)
Sample Incident Response Scenario
INCIDENT HANDLING 2019
INCIDENT CHART 2018
HOW TO REDUCE THE NUMBER OF INCIDENTS
Cyber Forensics - Dec. 2019
Sample Incident Response Scenario
Digital Forensics
o Receiving digital evidence
o Evidence acquisition and analysis
o Reporting
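As an added illustration of the three forensic steps listed above (this is not Eg-CERT's own tooling; the case identifiers, file names and helper functions are constructed placeholders), the following Python script logs an evidence item at intake together with its SHA-256 hash, re-hashes the working copy that analysis will run on, and emits a report that flags any copy whose hash no longer matches the intake hash.

```python
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

# Added example: hypothetical helpers modelling the slide's three steps
# (receive evidence, acquire and verify, report). Not Eg-CERT tooling.


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256 so large disk images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class EvidenceRecord:
    case_id: str            # placeholder case identifier
    item_id: str            # label on the evidence bag / image
    description: str
    received_from: str      # who handed the item over (chain of custody)
    received_at: str        # ISO-8601 UTC timestamp of intake
    sha256_at_intake: str   # hash fixed when the item was logged in
    sha256_after_acq: str = ""   # hash of the working copy used for analysis
    verified: bool = False       # True only if both hashes match


def receive_evidence(case_id: str, item_id: str, description: str,
                     received_from: str, path: str) -> EvidenceRecord:
    """Step 1 - intake: log the item and fix its hash before anything touches it."""
    return EvidenceRecord(case_id, item_id, description, received_from,
                          datetime.now(timezone.utc).isoformat(),
                          sha256_file(path))


def acquire_and_verify(record: EvidenceRecord, working_copy: str) -> bool:
    """Step 2 - acquisition: analysis runs on a copy, which must hash-match the original."""
    record.sha256_after_acq = sha256_file(working_copy)
    record.verified = record.sha256_after_acq == record.sha256_at_intake
    return record.verified


def build_report(records: list) -> dict:
    """Step 3 - reporting: machine-readable summary for the case file."""
    return {
        "generated_at": datetime.now(timezone.utc).isoformat(),
        "items": [asdict(r) for r in records],
        "all_verified": all(r.verified for r in records),
    }


def demo() -> dict:
    """Constructed sample: one faithful working copy and one altered copy."""
    with tempfile.TemporaryDirectory() as tmp:
        original = os.path.join(tmp, "phone_dump.bin")
        with open(original, "wb") as fh:
            fh.write(b"constructed sample evidence bytes\n" * 1000)

        good_copy = os.path.join(tmp, "phone_dump_copy.bin")
        shutil.copyfile(original, good_copy)

        bad_copy = os.path.join(tmp, "phone_dump_altered.bin")
        shutil.copyfile(original, bad_copy)
        with open(bad_copy, "r+b") as fh:   # flip one byte to simulate a bad image
            fh.seek(0)
            fh.write(b"X")

        item_1 = receive_evidence("CASE-0000", "ITEM-1", "phone dump (constructed)",
                                  "Investigator A", original)
        item_2 = receive_evidence("CASE-0000", "ITEM-2", "phone dump (constructed)",
                                  "Investigator A", original)
        acquire_and_verify(item_1, good_copy)   # hashes match -> verified
        acquire_and_verify(item_2, bad_copy)    # hash mismatch -> flagged
        return build_report([item_1, item_2])


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The intake hash is taken once and never recomputed from the original, so a working copy that drifts (a bad imaging run, a write-blocker left off, a file touched by an analysis tool) shows up as a mismatch in the report rather than silently contaminating the analysis.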
Cases Categories
The Digital Forensic Department is working on different types of cases:
o Information Leakage and Business Damage
o Internet Banking Theft
o Encryption Cracking
o Harassment
o Internet Fraud
o Hacking
[Pie chart: share of cases by category. The slices read 21%, 8%, 8%, 33%, 8%, 21%; which slice belongs to which category is not recoverable from the extracted text.]
THE FOLLOWING CHART INDICATES THE WORKING HOURS / TASK:
[Pie chart: share of working hours per case. Cases shown: Case number 17569 (alkanater), Case number 8337 (public funds), Case number 3452, Case number 4992 (South Cairo), Case number 955, Case number 14564, Case number 3505, Case number 21, Case number 1824, Case number 4282, Case number 1 (Elshrouk). The slices read 5%, 3%, 1%, 15%, 23%, 13%, 1%, 29%, 6%, 1%, 3%; the slice-to-case mapping is not recoverable from the extracted text.]
THE FOLLOWING CHART INDICATES THE CASES PERCENTAGE / CASE CATEGORY:
[Bar chart; x-axis "TYPE OF CASE", y-axis number of cases, 0 to 3.5]
o Data Exfiltration: 3
o Forgery: 2
o Cloud Investigation: 2
o Drugs: 1
o Illegal Call Forwarding: 2
o Harassment: 2
PhishPhry…
In Oct 2009, Egypt-US identity theft ring: “Authorities arrested 100 Americans and Egyptians in the smashing of an international identity theft ring publicized as one of the largest cybercrime cases ever.”
PhishPhry…
Our first case was one of the largest phishing cases, which required:
o Forensics analysis on HD, mobile phones and e-mails.
o Forensics report: over 400 pages.
o 1600 working hours.
o 12 dedicated specialists.
o A model for cooperation within and across borders.
EG-CERT received special thanks from the US Department of Homeland Security for the work and the detailed report.
EG-CERT Short-term Goals
Target achievements:
1. Egypt Botnet free within 5 years
Structure:
o Launch the Awareness program in 2020;
o Reactivate the National Committee on Child Online Protection (COP)
Capacity Building:
o Increase the number of the Public Awareness campaigns.
o Develop National Cyber Drill for CNI.
o Develop National training program for Cybersecurity