POLISH TELECOM SECURITY INCIDENT RESPONSE TEAM
Warsaw, May 2003
Incident handling, statistics and procedures
TABLE OF CONTENTS
I. INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM ... 3
II. TP NETWORK ... 4
   1. Technologies ... 4
   2. Structure of the network ... 5
   3. Access to the Internet ... 6
III. INCIDENT HANDLING ... 7
   1. Incident classification ... 7
   2. Incident handling - computer support ... 8
IV. STATISTICS OF INCIDENTS ... 13
   1. Total number of registered incidents in 1997 - 2003 ... 13
   2. Total number of registered incidents - type of events (I-IV.2003) ... 14
   3. Attack profile ... 15
   4. Percent of recognised categories of the incidents ... 16
   5. Complaints sender ... 17
   6. Source of attack ... 18
V. INCIDENT HANDLING - INCIDENT RESPONSE ... 19
   1. Cooperation ... 19
   2. Incident response ... 20
   3. Cooperation with Polish Police and Public Prosecutor ... 21
VI. CONCLUSION ... 23
Regarding: TP Security Incident Response Team
INFORMATION ABOUT TP SECURITY INCIDENT RESPONSE TEAM
I. Information about TP Security Incident Response Team

§ History of the team
 - 1997 - start
 - structure
§ Team's activities
 - registration and classification of incidents
 - localisation of an intruder
 - incident response
 - analysis of new threats
 - others (conferences, working meetings, mass media)
§ Basic rules of incident handling
 - gathering information from users, administrators, the police and other institutions about incidents concerning all addresses within the Polish Telecom IP range
 - incidents reported by government institutions are handled first
TP Security Incident Response Team*
TECHNOLOGIES
II. TP Network / 1. Technologies

Figure: technologies used in the TP network. Labels on the figure: Internet (TCP/IP); Frame Relay / ATM, X.25, TCP/IP; X.25, X.28, X.32, X.400, X.500, EDI; X.25, TCP/IP; VSAT.
POLPAK NETWORK
II. TP Network / 2. Structure of the network

Figure: topology of the POLPAK-T network (as of 02.01.2002). Legend: link speed (2.5 Gb/s, 155 Mb/s, 34 Mb/s), number of links (some links doubled, marked x2), MAN. Nodes on the map (in the order extracted): Pila, Zamosc, Lomza, Przemysl, Ostroleka, Konin, Krosno, Siedlce, Sieradz, Tarnów, Wloclawek, Walbrzych, Plock, Zielona Góra, Lubin, Torun, Koszalin, Gorzów Wlkp., Nowy Sacz, Biala Podlaska, Suwalki, Bialystok, Elblag, Bielsko-Biala, Tarnobrzeg, Opole, Czestochowa, Jelenia Góra, Chelm, Slupsk, Leszno, Kalisz, Skierniewice, Kielce, Piotrków Trybunalski, Radom, Legnica, Rzeszów, Kraków, Katowice, Wroclaw, Lódz, Olsztyn, Szczecin, Poznan, Bydgoszcz, Gdansk, Lublin, Warszawa, Ciechanów, Zgorzelec. Which speed belongs to which link is not recoverable from the extraction.
ACCESS TO THE INTERNET
II. TP Network / 3. Access to the Internet

Figure: subscriber access paths into POLPAK and onward to the Internet. Elements shown:
 - ADSL: telephone, splitter and ADSL modem (HIS ADSL), up to 8 Mb/s, to a subscriber TCP/IP host
 - HIS terminal (Home Internet Solution) on the telephone line, up to 115 kb/s
 - dial-up: PSTN modem (PPP) and ISDN modem (PPP), terminated on a CVX-1800 access server, subscriber TCP/IP
 - ATM: up to 155 Mb/s, subscriber ATM (LAN, video)
 - Frame Relay: modem, up to 2 Mb/s, subscriber Frame Relay (LAN)
 - LMDS and VSAT subscriber terminals (LAN, subscriber TCP/IP)
 - upstream: ISP / Internet through the NSPs Telia and OpenTransit (FT), 2.5 Gb/s
POLISH TELECOM CLASSIFICATION OF INCIDENTS
III. Incident handling / 1. Incident classification

H - the most dangerous incidents (hacking, breaking in, modifying, deleting, stealing)
P - hacking attempts (scan, probe)
T - copyright and special incidents (requests of the police, plagiarism, piracy)
B - denial of service incidents (flood, DoS, DDoS, mailbombing)
O - violation of the netiquette (offensive words, pornography)
M - spam incidents (spam to advertise)
R - spam-relay incidents (open relay, open proxy)*

STARTING FROM THE 3rd QUARTER OF 2002 THE TP RESPONSE TEAM USES THE COMMON LANGUAGE CLASSIFICATION IN ITS PROCEDURES
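The seven classes above are what an abuse desk assigns to every report before anything else happens, and the slide on basic rules says reports from government institutions are handled first. The following Python is an added example, not TP's own ISS code: it triages constructed abuse reports into the H/P/T/B/O/M/R classes by keyword, breaks ties by an assumed severity order, and puts government senders at the front of the queue. The keyword patterns, the severity order, the `.gov.pl` sender rule and the sample reports are all assumptions made for illustration.

```python
"""Keyword triage of abuse reports into the TP incident classes H, P, T, B, O, M, R.

Added example, not TP's ISS code. The class letters and their meanings are
from the slide; the keyword patterns, the severity order used to break ties,
the government-sender rule and the sample reports are assumptions.
"""
import re
from dataclasses import dataclass

CLASS_NAMES = {
    "H": "hacking, breaking in, modifying, deleting, stealing",
    "P": "hacking attempt (scan, probe)",
    "T": "copyright and special incidents (police requests, plagiarism, piracy)",
    "B": "denial of service (flood, DoS, DDoS, mailbombing)",
    "O": "violation of the netiquette (offensive words, pornography)",
    "M": "spam",
    "R": "spam relay (open relay, open proxy)",
}
# Assumed tie-break order, most severe first: a report that is both an open
# relay (R) and spam (M) is filed as R.
SEVERITY = "HBPRMTO"

# Assumed, case-insensitive patterns per class.
RULES = {
    "H": [r"\bbreak[- ]?in\b", r"\bcompromis", r"\brootkit\b", r"\bdefac", r"\bdeleted\b", r"\bstole"],
    "B": [r"\bd?dos\b", r"\bflood", r"\bmail[- ]?bomb"],
    "P": [r"\bport ?scan", r"\bprobe", r"\bscan(ned|ning|s)?\b", r"\bnmap\b"],
    "R": [r"\bopen (relay|proxy)\b", r"\brelay(ed|ing)? (spam|mail)"],
    "M": [r"\bspam\b", r"\bunsolicited\b", r"\buce\b"],
    "T": [r"\bcopyright\b", r"\bpirac", r"\bwarez\b", r"\bpolice\b", r"\bprosecutor"],
    "O": [r"\bporn", r"\boffensive\b", r"\binsult", r"\bharass"],
}
COMPILED = {c: [re.compile(p, re.I) for p in pats] for c, pats in RULES.items()}
# Assumed: senders in a .gov.pl domain count as government institutions.
GOV_SENDER = re.compile(r"@[\w.-]+\.gov\.pl$", re.I)


@dataclass
class Report:
    sender: str
    subject: str
    body: str


def matching_classes(report):
    """Every class whose rules fire on the subject or body."""
    text = f"{report.subject}\n{report.body}"
    return {c for c, pats in COMPILED.items() if any(p.search(text) for p in pats)}


def classify(report):
    """Single class letter; the most severe matching class wins; None if no rule fires."""
    hits = matching_classes(report)
    return next((c for c in SEVERITY if c in hits), None)


def handling_key(report):
    """Sort key: government senders first, then severity, unclassified reports last."""
    cls = classify(report)
    return (0 if GOV_SENDER.search(report.sender) else 1,
            SEVERITY.index(cls) if cls else len(SEVERITY))


def triage(reports):
    """Return [(report, class)] in the order the team should work them."""
    return [(r, classify(r)) for r in sorted(reports, key=handling_key)]


def sample_reports():
    """Constructed reports for demonstration (addresses are invented)."""
    return [
        Report("noc@example.net", "Port scan from 10.0.0.5", "nmap scanning of our hosts last night"),
        Report("sekretariat@example.gov.pl", "Request", "Public prosecutor request concerning piracy"),
        Report("postmaster@example.org", "Open relay", "Your host is an open relay; we received spam from it"),
        Report("admin@example.com", "SYN flood", "A DDoS flood hit our server from your address space"),
        Report("someone@example.edu", "hello", "no keywords at all"),
    ]


if __name__ == "__main__":
    for report, cls in triage(sample_reports()):
        print(cls, report.sender, report.subject)
```

With the sample set, the prosecutor's request (class T) is worked first because of the sender rule, then the DDoS report (B), the port scan (P), the open relay (R, although it also mentions spam), and finally the report no rule matched, which a human operator still has to read.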
INCIDENT SERVICE SYSTEM (ISS)
III. Incident handling / 2. Incident handling - Incident Service System

Incident Service System (ISS):
§ is a database that gathers, registers and classifies incidents
§ contains advanced administration mechanisms and access control
§ automates the incident handling process by
 - tracking the handling of each incident
 - giving quick access to stored incidents
§ speeds up incident handling
ISS FUNCTIONS
III. Incident handling / 2. Incident handling - ISS functions

Basic system functions:
§ importing incidents from the web site
§ entering incident data (from different sources)
§ analysing incidents
§ searching incidents
§ printing warnings, reports and statistics
§ sending replies
§ intruder history

Other system functions:
§ contact and information management
§ management of the incident handling process
§ task planning
ISS STRUCTURE DIAGRAM
III. Incident handling / 2. Incident handling - ISS structure diagram

Figure: ISS structure. Internet users reach the ISS over the Internet through a web browser (reporting form) or by e-mail; reports received by phone call, fax or letter are entered by ISS operators. ISS operators and system administration connect over LAN or WAN. Incoming INCIDENTS feed the INCIDENT HANDLING process, which is run by the system operators.
ISS INCIDENT HANDLING PROCESS DIAGRAM
III. Incident handling / 2. Incident handling - ISS incident handling process diagram

Figure: state diagram of incident handling in the ISS. Legend: start states, working states, final states.
 - entry points: incidents arriving by e-mail or reporting form; incidents arriving by phone, fax or letter
 - states on the diagram: INTRODUCTION (start), ENDED and CLOSED (final), and the working states BLOCKED, E-MAIL TO ADMIN, WITHOUT PHONE NUMBER, PHONE CALL, LOCATING, LOCATION, SUSPENSION, VERIFICATION, PRINTING
 - process administration

STAGE 1: registration, reply, analysis, classification, back up
STAGE 2: introduction, automatic reply, analysis, classification, back up
STAGE 3: locating, modification
STAGE 4: continuation of analysis, modification
STAGE 5: response, information, modification
STAGE 6: back up, blockade
Legend:
 - incidents: registration, introduction, analysis, modification
 - incidents: alarm system A - number of incidents exceeded
 - incidents: alarm system B - waiting time exceeded
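The process diagram and its legend describe a state machine with a start state, working states, final states, six stages and two alarms (A when too many incidents are open, B when an incident has waited too long). The following Python is an added example of such a workflow, not the ISS itself: the state, stage and alarm names are taken from the diagram, while the transition table, the assignment of states to stages, the alarm thresholds (more than 50 open incidents; more than 48 hours without a state change) and the sample incidents are assumptions made for illustration.

```python
"""Incident workflow with the ISS state names and the two alarms from the slide.

Added example, not the ISS itself. State, stage and alarm names come from the
process diagram; the transition table, the stage assignment, the thresholds
and the sample incidents are assumptions for illustration.
"""
from datetime import datetime, timedelta

FINAL_STATES = {"ENDED", "CLOSED"}

# Assumed legal transitions. INTRODUCTION is the start state, ENDED/CLOSED are
# final, everything else is a working state.
TRANSITIONS = {
    "INTRODUCTION":         {"LOCATING", "SUSPENSION", "CLOSED"},
    "LOCATING":             {"LOCATION", "WITHOUT_PHONE_NUMBER", "SUSPENSION"},
    "WITHOUT_PHONE_NUMBER": {"EMAIL_TO_ADMIN"},
    "LOCATION":             {"VERIFICATION"},
    "VERIFICATION":         {"PHONE_CALL", "EMAIL_TO_ADMIN", "CLOSED"},
    "PHONE_CALL":           {"PRINTING", "BLOCKED", "ENDED"},
    "EMAIL_TO_ADMIN":       {"PRINTING", "BLOCKED", "ENDED"},
    "PRINTING":             {"ENDED", "BLOCKED"},
    "BLOCKED":              {"ENDED"},
    "SUSPENSION":           {"LOCATING", "CLOSED"},
    "ENDED": set(),
    "CLOSED": set(),
}

# Assumed mapping of states to the six stages listed under the diagram.
STAGE = {
    "INTRODUCTION": 2, "SUSPENSION": 2,
    "LOCATING": 3, "LOCATION": 3, "WITHOUT_PHONE_NUMBER": 3,
    "VERIFICATION": 4,
    "PHONE_CALL": 5, "EMAIL_TO_ADMIN": 5, "PRINTING": 5,
    "BLOCKED": 6, "ENDED": 6, "CLOSED": 6,
}
# E-mail and form reports are imported automatically (stage 2, automatic reply);
# phone, fax and letter reports are registered by an operator (stage 1).
AUTO_CHANNELS = {"e-mail", "form"}

ALARM_A_MAX_OPEN = 50                     # assumed threshold
ALARM_B_MAX_WAIT = timedelta(hours=48)    # assumed threshold


def allowed(state, new_state):
    return new_state in TRANSITIONS[state]


class Incident:
    def __init__(self, ident, channel, received):
        self.ident = ident
        self.channel = channel
        self.state = "INTRODUCTION"
        self.last_change = received
        self.history = [("INTRODUCTION", received)]
        self.auto_reply_sent = channel in AUTO_CHANNELS

    def move(self, new_state, when):
        """Apply one transition; reject moves the table forbids or that go back in time."""
        if not allowed(self.state, new_state):
            raise ValueError(f"{self.ident}: {self.state} -> {new_state} is not allowed")
        if when < self.last_change:
            raise ValueError(f"{self.ident}: timestamps must not go backwards")
        self.state = new_state
        self.last_change = when
        self.history.append((new_state, when))

    @property
    def stage(self):
        if self.state == "INTRODUCTION" and self.channel not in AUTO_CHANNELS:
            return 1
        return STAGE[self.state]

    @property
    def is_open(self):
        return self.state not in FINAL_STATES


def check_alarms(incidents, now):
    """Alarm A: too many open incidents. Alarm B: open incidents waiting too long.
    Returns (alarm_a_raised, sorted ids that trip alarm B)."""
    open_incidents = [i for i in incidents if i.is_open]
    alarm_a = len(open_incidents) > ALARM_A_MAX_OPEN
    alarm_b = sorted(i.ident for i in open_incidents
                     if now - i.last_change > ALARM_B_MAX_WAIT)
    return alarm_a, alarm_b


def demo():
    """Walk one e-mailed report through the workflow, leave a faxed one untouched,
    and run the alarms three days later. Timestamps and ids are constructed."""
    t0 = datetime(2003, 5, 5, 9, 0)
    inc = Incident("2003-0001", "e-mail", t0)
    inc.move("LOCATING", t0 + timedelta(hours=1))
    inc.move("LOCATION", t0 + timedelta(hours=2))
    inc.move("VERIFICATION", t0 + timedelta(hours=3))
    inc.move("EMAIL_TO_ADMIN", t0 + timedelta(hours=4))
    stale = Incident("2003-0002", "fax", t0)
    return inc, stale, check_alarms([inc, stale], t0 + timedelta(days=3))


if __name__ == "__main__":
    inc, stale, alarms = demo()
    print(inc.state, inc.stage, stale.stage, alarms)
```

Both sample incidents trip alarm B after three days: the e-mailed one has sat in E-MAIL TO ADMIN for 68 hours waiting for the administrator's answer, and the faxed one never left registration. Alarm A stays quiet with two open incidents; in practice the threshold would be set per operator from the queue sizes the statistics section reports.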
TOTAL NUMBER OF REGISTERED INCIDENTS IN 1997 - 04.2003
IV. Statistics of incidents / 1. Total number of incidents

Chart: number of registered incidents per year (values as labelled on the bars; y axis 0 to 180 000):

Year      Incidents (total up to 2000, other incidents from 2001)   Spam-relay incidents*
1997          324
1998          928
1999        2 899
2000       10 401
2001       24 820                                                     10 983
2002       57 881                                                    109 981
04.2003    52 245                                                     63 146

The assignment of the 2001 and 2002 values to the two series follows the order in which the 04.2003 pair is labelled; the 04.2003 figure of 52 245 other incidents equals the total of the attack profile two slides below.

*/ Starting 2001 spam-relay events are not counted together with other incidents.
NUMBER OF REGISTERED INCIDENTS - TYPE OF EVENTS (I-IV.2003)
IV. Statistics of incidents / 2. Number of incidents - type of events
Spam-relay events were not included.

Pie chart: share of the I-IV.2003 incidents by class (legend: T, O, H, M, P, B); the slices read 31.5%, 65.7%, 0.3%, 0.1%, 2.0% and 0.5%. Checked against the attack profile on the next slide (52 245 incidents): M (spam) = 16 437 = 31.5%, H (hacking) = 62 = 0.1%, B (denial of service + mailbombing) = 236 = 0.5%; the 65.7% slice is therefore P (scan, probe, worms) and the 0.3% and 2.0% slices are T and O.
PROFILE OF ATTACKS (I-IV.2003)
IV. Statistics of incidents / 3. Attack profile
*/ Spam-relay events were not included.

Attack profile       Number of incidents
Scan                          2 156
Probe                           206
Internet worms               30 260
Hacking                          62
Denial of Service               201
Virus                           647
Mailbombing                      35
Spam*                        16 437
Other                         2 241
Total                        52 245
PERCENTAGE OF RECOGNISED INCIDENT CATEGORIES (I-IV.2003) ACCORDING TO THE COMMON LANGUAGE CLASSIFICATION
IV. Statistics of incidents / 4. Percent of recognised categories of the incidents

Chart: share of incidents in which each Common Language category could be recognised:

Category               Recognised
Attackers                    0.5%
Tool                        96.0%
Vulnerability               81.7%
Action                     100.0%
Target                     100.0%
Unauthorized Result         79.8%
Objectives                  40.9%
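The chart shows what a report-driven abuse desk can actually observe: the action and its target are always in the complaint, the tool usually is, but who the attacker was and why is almost never known. The following Python is an added example, not TP's reporting code: it keeps Common Language records with the seven categories from the slide, checks values against the vocabulary published for that taxonomy (Howard & Longstaff, 1998), and computes the per-category recognition rate the chart plots, excluding spam-relay (R) records as the statistics slides do. The records are constructed.

```python
"""Common Language records: vocabulary check and per-category recognition rate.

Added example, not TP's reporting code. The seven categories are the ones on
the slide; the value lists are those of the Common Language taxonomy
(Howard & Longstaff, 1998). The records below are constructed.
"""

CATEGORIES = ("attackers", "tool", "vulnerability", "action",
              "target", "unauthorized_result", "objectives")

VOCAB = {
    "attackers": {"hackers", "spies", "terrorists", "corporate raiders",
                  "professional criminals", "vandals", "voyeurs"},
    "tool": {"physical attack", "information exchange", "user command",
             "script or program", "autonomous agent", "toolkit",
             "distributed tool", "data tap"},
    "vulnerability": {"design", "implementation", "configuration"},
    "action": {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
               "read", "copy", "steal", "modify", "delete"},
    "target": {"account", "process", "data", "component", "computer",
               "network", "internetwork"},
    "unauthorized_result": {"increased access", "disclosure of information",
                            "corruption of information", "denial of service",
                            "theft of resources"},
    "objectives": {"challenge, status, thrill", "political gain",
                   "financial gain", "damage"},
}


def validate(record):
    """Problems with one record: unknown category names or values outside the
    vocabulary. A category set to None is allowed: it means 'not recognised'."""
    problems = []
    for key, value in record.items():
        if key in ("id", "class"):
            continue
        if key not in VOCAB:
            problems.append(f"unknown category {key!r}")
        elif value is not None and value not in VOCAB[key]:
            problems.append(f"{key}: {value!r} is not in the vocabulary")
    return problems


def recognition_rates(records, exclude_classes=("R",)):
    """Percentage of records (spam-relay excluded by default) in which each
    category was recognised, rounded to one decimal as on the chart."""
    kept = [r for r in records if r.get("class") not in exclude_classes]
    if not kept:
        return {c: 0.0 for c in CATEGORIES}
    return {c: round(100.0 * sum(r.get(c) is not None for r in kept) / len(kept), 1)
            for c in CATEGORIES}


def sample_records():
    """Constructed records, one per TP class that appears in the statistics."""
    return [
        {"id": 1, "class": "P", "attackers": None, "tool": "script or program",
         "vulnerability": None, "action": "scan", "target": "network",
         "unauthorized_result": "disclosure of information", "objectives": None},
        {"id": 2, "class": "B", "attackers": None, "tool": "distributed tool",
         "vulnerability": "design", "action": "flood", "target": "computer",
         "unauthorized_result": "denial of service", "objectives": "damage"},
        {"id": 3, "class": "H", "attackers": "hackers", "tool": "toolkit",
         "vulnerability": "implementation", "action": "bypass", "target": "account",
         "unauthorized_result": "increased access", "objectives": "challenge, status, thrill"},
        {"id": 4, "class": "M", "attackers": None, "tool": "script or program",
         "vulnerability": None, "action": "copy", "target": "account",
         "unauthorized_result": "theft of resources", "objectives": "financial gain"},
        {"id": 5, "class": "R", "attackers": None, "tool": "script or program",
         "vulnerability": "configuration", "action": "copy", "target": "process",
         "unauthorized_result": "theft of resources", "objectives": "financial gain"},
    ]


if __name__ == "__main__":
    for record in sample_records():
        assert validate(record) == [], record
    for category, rate in recognition_rates(sample_records()).items():
        print(f"{category:20s} {rate:6.1f}%")
```

With four records kept, attackers are recognised in 25% (only the break-in, where the intruder was identified) and vulnerability in 50% (a scan and a spam run exploit no particular flaw), while action and target reach 100%, the same shape as the real chart. Storing None rather than a made-up value is what keeps the rate honest; the vocabulary check stops free-text values from drifting in.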
SOURCE OF COMPLAINTS (I-IV.2003)
IV. Statistics of incidents / 5. Complaints sender

Pie chart: complaints from Poland and complaints from abroad; the two slices read 17% and 83% (in the order the legend lists them).
SOURCE OF ATTACKS (I-IV.2003)
IV. Statistics of incidents / 6. Source of attack

Pie chart: attacking hosts by TP access type: Dial-up (0-20-21-22/24/30 numbers), Leased lines (FR), Home Internet Solution (HIS), Asymmetric Digital Subscriber Line (ADSL); the slices read 8%, 31%, 53% and 8% (in the order the legend lists them).
COOPERATION
V. Incident handling - incident response / 1. Cooperation

§ CERT teams (e.g. CERT Polska)
§ the police
§ public prosecutors
§ other government institutions
§ other Polish ISPs
INCIDENT RESPONSE
V. Incident handling - incident response / 2. Incident response

I. Information / warning
 1. phone
 2. e-mail
 3. letter
II. Blockade of the source and release of the block
NUMBER OF REQUESTS FROM POLISH POLICE AND PUBLIC PROSECUTOR
V. Incident handling - incident response / 3. Cooperation with Polish Police and Public Prosecutor - number of requests

Bar chart: number of requests per year for 1998, 1999, 2000, 2001, 2002 and up to 03.2003 (y axis 0 to 450). The bar values are not recoverable from the extraction.
REGISTRATION OF DATA AND INFORMATION SENT THROUGH THE NETWORK
V. Incident handling - incident response / 3. Cooperation with Polish Police and Public Prosecutor - registered data and information

According to new regulations, operators are obliged to give selected government institutions access to the following:
§ Data
 - subscriber / user identification
 - location and identification of connections between nodes in the network
 - type of connection and other data
§ Information sent through the network
CONCLUSION
VI. Conclusion - TP Security Incident Response Team

§ Acts against network abuse incidents; its additional role is to prevent, educate and inform (the team's web site, a dedicated line for victims, e-mails, warnings).
§ Tracks the kinds and methods of network abuse and adapts its procedures to current needs (CERT cooperation, security sites on the Internet).
§ Takes an active part in implementing standards for incident handling and classification (implementing the Common Language classification).
§ Cooperates with security institutions: the police, public prosecutors and network administrators.
TP Security Incident Response Team*
HOW TO CONTACT TP SECURITY INCIDENT RESPONSE TEAM - INCIDENT REPORTING

Incidents can be reported by:
§ E-mail: abuse@telekomunikacja.pl, abuse@tpsa.pl, abuse@tpnet.pl
§ Web site (on-line form): http://www.tpnet.pl/eng_ver/abuse/php
§ Address: TP S.A. - "POLPAK" Network Security Department, ul. Nowogrodzka 47, 00-695 Warszawa, POLAND
§ Phone: +48 /22/ 58-50-777
§ Fax: +48 /22/ 824-14-52