EG-CERT Egyptian Computer Emergency Team EG-CERT Vision and Mission


Page 1: EG-CERT Vision and Mission - BlueKaizen › ... › CONFHpdfs › WalidZakaria › EG-CERT_2.pdf

EG-CERT (Egyptian Computer Emergency Team)

EG-CERT Vision and Mission

Page 2

Problem Statement

• According to HSBC, by 2050 different African countries will be part of the top 50 world economies.

• But consider that rapid growth could create favorable conditions for the development of cybercrime.

• Malware infections in Africa are higher than the worldwide average.

Page 3

Problem Statement

• BSA's (Business Software Alliance) 2011 study on software piracy puts the average in the region at around 73%, data that could also justify the high level of penetration of malware agents in the region.

• The main "cyber problem" of Egypt seems to be cybercrime: in 2010 the country was named by Kaspersky Labs as one of the top sources of password-stealing Trojans.

• The year before, Egyptian hackers were involved in one of the world's largest cyber-crime criminal court cases.

Page 4

Problem Statement

• The security firm Websense has recently confirmed Egypt as third among the countries hosting phishing fraud.

• Fundamental is the establishment in each country of a Computer Emergency Response Team (CERT).

Page 5

EG-CERT

• Established in April 2009 under the Egyptian National Telecom Regulatory Authority (NTRA).

• 24/7 Monitoring & Incident Response established in July 2009.

• Forensics Analysis Service established in September 2009.

• Malware Analysis & Reverse Engineering established in April 2011.

• Full member of FIRST (Forum for Incident Response and Security Teams) in March 2012.

Page 6

EG-CERT Vision

• EG-CERT is charged with providing computer and information security incident response support, defending against cyber attacks and collaborating with government, financial entities and any other critical information infrastructure sectors.

Page 7

EG-CERT Mission

• Enhancing the security of Egypt's Communications and Information Infrastructure through proactive action, gathering and analyzing information on security incidents, coordination and mediation between the interested parties in solving security incidents, and international cooperation with other CERTs.

Page 8

EG-CERT Scope

• Critical Information Infrastructure Protection:

1. Telecom Sector
2. Governmental Sector
3. Financial Sector
4. Media Sector

Page 9

EG-CERT Services

1. Reactive Services: Incident Response – Coordination – Support on site

2. Proactive Services: Vulnerability Scanning – Penetration Testing

3. Forensics Services: Evidence Handling & Analysis – Reporting

4. Malware Analysis: Malicious Software Collection – Malware Analysis – Reverse Engineering

Page 10

EG-CERT Training

• SANS Security Training and Certification:

1. 401 SANS Security Essentials Bootcamp Style
2. 502 Perimeter Protection In-Depth
3. 504 Hacker Techniques, Exploits and Incident Handling
4. 508 Computer Forensics, Investigation and Response
5. 542 Web App Penetration Testing and Ethical Hacking
6. 617 Wireless Ethical Hacking, Penetration Testing and Defences
7. 610 Reverse Engineering Malware

• MyCERT Training

• BlackHat Training

• CSI (Crime Scene Investigation) Training

• IMPACT Training

Page 11

EG-CERT Incident Handling

Feeds

• Currently all the analysis is done on the international feeds.

• The standard is to get both international and local feeds.

• National feeds depend on two resources: the CII Sensor Network and the honeynet project distributed on the Internet gateways.

Page 12

EG-CERT Incident Handling

Incidents From 1/4/2009 to 30/6/2012

Incident type                  No of cases
Web site defacement                    789
Malware URLs                            85
Phishing                                80
Spamdexing                              55
Online Web shells                        6
DDOS                                    25
Authentication bypass                   15
SQL Injection                           40
Abusive content                         11
Mass web site defacement                10
Remote File Inclusion (RFI)              2

Page 13

EG-CERT Incident Handling

Penetration Testing & Vulnerability Assessment

Financial Sector Assessment:

• Central Bank of Egypt Assessment.

• Egyptian Banks Assessment (26 banks).

• Egyptian Exchange Assessment.

Page 14

EG-CERT Forensics

EG-CERT has been involved in solving many cases, including:

• Credit card theft

• Fraud

• Network intrusion

• Analysis of digital evidence involved in physical criminal activity.

Page 15

EG-CERT Forensics

EG-CERT has contributed to the investigation of one of the largest phishing cases (Operation Phish Phry) by providing forensic analysis: a report of over 400 pages and 1600 working hours by 12 specialists.

Page 16

EG-CERT Reverse Engineering and Malware Research Department

Honeynet Project

Malware Analysis and Reverse Engineering

Page 17

EG-CERT Reverse Engineering and Malware Research

Honeynet Project

• Exploration of the best practices to design, test, analyze, and implement a honeynet.

• Design and deploy a honeynet on the Egyptian networks to carry out experimentations and evaluate their performance.

• Build local expertise and knowledge-base in installing, integrating, and developing honeynets in Egypt.

Page 18

EG-CERT Reverse Engineering and Malware Research

Honeynet Project

• The Honeynet project is currently being deployed on a Virtual Server.

• Following is the topology of the Virtual Honeynet.

Page 19

EG-CERT Reverse Engineering and Malware Research

Honeynet Project Topology

[Figure: Honeynet Project Topology diagram]

Page 20

EG-CERT Reverse Engineering and Malware Research

Early Warning Systems

• Composed of two parts:

1. CII Sensors.
2. Honeynet Project (Dionaea, Nepenthes, Snort, Malware Sandbox, etc.).

• The CII Sensors as well as the Honeynet Project depend on open source software and cover the critical infrastructure (a lot of effort and a detailed plan for the implementation during the next 6 months after preparing the required H/W).

Page 21

EG-CERT Reverse Engineering and Malware Research

Malware Analysis and Reverse Engineering Objectives

• To improve incident response and forensics skills.

• To help incident responders assess the severity and repercussions of a situation that involves malicious software.

• To assist in determining how to contain the incident and plan recovery steps.

• To understand key characteristics of malware present on compromised systems.

Page 22

EG-CERT Reverse Engineering and Malware Research

Malware Sandbox

• Hacked websites, fake media players, malicious Office documents and social engineering are all part of the Internet threat landscape today.

• A sandbox gives researchers the ability to rapidly analyze the behavior of malware - including infected Trojans, Office documents, malicious URLs and more - by executing the code inside a controlled environment.

Page 23

EG-CERT Reverse Engineering and Malware Research

• Number of attacks per day

[Figure: chart of the number of attacks per day]

Page 24

EG-CERT Reverse Engineering and Malware Research

• Number of hits per port

[Figure: chart of the number of hits per port]

Page 25

EG-CERT Reverse Engineering and Malware Research

Services

The CII Sensor Network plus the Honeynet Project can provide:

1. Malicious software collection.
2. Malware analysis.
3. Reverse engineering.
4. SQL injection detection.
5. Geographical, IP-based mapping of the attack sources.
6. Detection of phishing attacks.
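As an added illustration of items 4 and 5 of the list above (SQL injection detection plus IP-based mapping of attack sources), the following Python is not EG-CERT's sensor code. It parses a few constructed Apache-style access-log lines such as a CII sensor or honeynet web server might record, URL-decodes each request, matches it against a small set of generic SQL injection signatures, and counts alerts per source. The log lines, IP addresses and the tiny prefix-to-country table are all constructed for the example; a real deployment would replace the table with a GeoIP database lookup.

```python
"""Detect SQL injection attempts in sensor web logs and map attack sources.

Added example, not EG-CERT's sensor code. The log lines, the IP addresses
and the country lookup table are constructed; a real deployment would use a
GeoIP database for the IP-to-country step.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines as a CII sensor might collect them.
SAMPLE_LOG = r"""203.0.113.10 - - [01/Jun/2012:10:00:01 +0200] "GET /news.php?id=12 HTTP/1.1" 200 5120
203.0.113.10 - - [01/Jun/2012:10:00:03 +0200] "GET /news.php?id=12%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9001
198.51.100.7 - - [01/Jun/2012:10:02:15 +0200] "GET /search.php?q=1%20UNION%20SELECT%20username%2Cpassword%20FROM%20users HTTP/1.1" 500 312
192.0.2.44 - - [01/Jun/2012:10:05:00 +0200] "GET /index.php HTTP/1.1" 200 2048
198.51.100.7 - - [01/Jun/2012:10:06:40 +0200] "POST /login.php?user=admin%27--%20 HTTP/1.1" 302 0
"""

# Common log format: client ip, identity, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Generic textbook SQLi signatures, checked on the URL-decoded request string.
SQLI_SIGNATURES = [
    ("tautology", re.compile(r"'\s*or\s*'?\d+'?\s*=\s*'?\d+", re.I)),
    ("union_select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
    ("comment_terminator", re.compile(r"'\s*(--|#|/\*)")),
    ("stacked_query", re.compile(r";\s*(drop|insert|update|delete)\b", re.I)),
]

# Constructed IP-prefix-to-country table standing in for a GeoIP lookup.
GEO_TABLE = {"203.0.113.": "XX", "198.51.100.": "YY", "192.0.2.": "ZZ"}


def country_of(ip):
    """Map an address to a (constructed) country code; 'unknown' if not in the table."""
    for prefix, cc in GEO_TABLE.items():
        if ip.startswith(prefix):
            return cc
    return "unknown"


def classify_request(path):
    """Return the names of the SQLi signatures matching the decoded request."""
    decoded = unquote_plus(path)
    return [name for name, rx in SQLI_SIGNATURES if rx.search(decoded)]


def analyze_log(text):
    """Parse every log line and emit one alert per request that matches a signature."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than crash the feed
        hits = classify_request(m["path"])
        if hits:
            alerts.append({
                "ip": m["ip"],
                "country": country_of(m["ip"]),
                "timestamp": m["ts"],
                "path": m["path"],
                "signatures": hits,
            })
    return alerts


def attack_sources(alerts):
    """Count alerts per (ip, country) pair, the input for a geographical attack map."""
    return Counter((a["ip"], a["country"]) for a in alerts)


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for a in found:
        print(a["timestamp"], a["ip"], a["country"], ",".join(a["signatures"]), a["path"])
    for (ip, cc), n in attack_sources(found).most_common():
        print(f"{ip} ({cc}): {n} alert(s)")
```

Matching on the decoded string matters: the second and fifth lines carry their payload percent-encoded and would miss every signature if matched raw. Signature lists like this one are a first-pass filter only; the counts per source are what feeds the map, and an analyst still confirms each hit.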

Page 26

EG-CERT Reverse Engineering and Malware Research

Benefits

• National feeds can be correlated with international feeds.

• Ability to run without the international feeds, which come from different organizations that are not 100% trusted for continuity.
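The feed model on the Incident Handling slide (national feeds from the CII sensors and honeynet alongside international feeds) and the correlation benefit stated above are illustrated by the following Python, an added example that is not EG-CERT's own tooling. It normalizes two constructed feeds in different formats (a CSV sensor export and a pipe-separated partner report), joins them by source IP, and ranks each IP by whether it was seen locally, abroad, or both, so the national feed remains useful on its own when the international one is unavailable. The feed formats, IP addresses, sensor and partner names are all constructed.

```python
"""Correlate a national sensor feed with an international abuse feed.

Added example (not EG-CERT code). Both feed formats, the file contents and
the IP addresses are constructed for illustration.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed national feed: honeynet/sensor sightings, one CSV row per event.
NATIONAL_FEED = """timestamp,source_ip,sensor,event
2012-06-01T10:00:00Z,203.0.113.10,cii-sensor-01,sql_injection_attempt
2012-06-01T10:05:00Z,203.0.113.10,honeynet-dionaea,malware_upload
2012-06-01T11:00:00Z,198.51.100.7,honeynet-dionaea,malware_upload
2012-06-01T12:30:00Z,192.0.2.44,cii-sensor-02,phishing_page_hosted
"""

# Constructed international feed: pipe-separated reports from partner CERTs.
INTERNATIONAL_FEED = """2012-06-01T09:50:00Z|203.0.113.10|partner-cert-A|botnet_c2_client
2012-06-01T09:55:00Z|192.0.2.44|partner-cert-B|phishing
2012-06-01T13:00:00Z|203.0.113.99|partner-cert-A|scanner
"""


@dataclass
class Sighting:
    ip: str
    timestamp: str   # ISO-8601 UTC, so plain string comparison orders correctly
    origin: str      # "national" or "international"
    source: str      # sensor or partner that reported it
    category: str


def parse_national(text):
    rows = csv.DictReader(io.StringIO(text))
    return [Sighting(r["source_ip"], r["timestamp"], "national", r["sensor"], r["event"])
            for r in rows]


def parse_international(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, src, cat = line.split("|")
        out.append(Sighting(ip, ts, "international", src, cat))
    return out


def correlate(sightings):
    """Group sightings by IP and label each IP by which feeds saw it."""
    by_ip = defaultdict(list)
    for s in sightings:
        by_ip[s.ip].append(s)
    report = {}
    for ip, items in by_ip.items():
        origins = {s.origin for s in items}
        if origins == {"national", "international"}:
            confidence = "high"    # independently seen at home and abroad
        elif origins == {"national"}:
            confidence = "medium"  # local sensors only: still actionable without partners
        else:
            confidence = "low"     # third-party report only, needs local confirmation
        report[ip] = {
            "confidence": confidence,
            "categories": sorted({s.category for s in items}),
            "sources": sorted({s.source for s in items}),
            "first_seen": min(s.timestamp for s in items),
        }
    return report


def build_report(national_text=NATIONAL_FEED, international_text=INTERNATIONAL_FEED):
    """Parse both feeds and return the correlated per-IP report."""
    return correlate(parse_national(national_text) + parse_international(international_text))


if __name__ == "__main__":
    for ip, info in sorted(build_report().items()):
        print(ip, info["confidence"], ", ".join(info["categories"]), info["first_seen"])
```

The confidence labels are a design choice for the example: a sighting present in both feeds is corroborated, a national-only sighting is still usable when partner feeds are late or missing, and an international-only report is a lead to verify with the local sensors rather than an incident in itself.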

Page 28

EG-CERT Reverse Engineering and Malware Research

Local Threats

• Maximum level of local infection (over 60%): 23 Asian countries (India, Vietnam, Mongolia etc.), Middle East countries (Iran, Iraq) and parts of Africa (Sudan, Angola, Nigeria, Cameroon).

• High level of local infection (41-60%): 49 countries, including Egypt, Kazakhstan, Russia, Ecuador and Brazil.

Page 29

EG-CERT Reverse Engineering and Malware Research

Local Threats

• Moderate level of local infection (21-40%): 41 countries including Turkey, Mexico, Israel, Latvia, Portugal, Italy, the US, Australia and France.

• Lowest level of local infection (20% or less): 18 countries including Canada, New Zealand, Puerto Rico, 13 European countries (including Norway, Finland, the Netherlands, Ireland, Germany, Estonia) plus Japan and Hong Kong.

All of the statistics reported here are based on data collected by the Kaspersky Security Network and its security modules. Source: http://www.securelist.com/en/analysis/204792231/IT_Threat_Evolution_Q1_2012#16

Page 30

Threats (Malware Activities)

Flame Malware:

• Kaspersky Lab researchers say it "might be the most sophisticated cyber weapon yet unleashed."

• Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on.

• Later, the operators can choose to upload further modules, which expand Flame's functionality. There are about 20 modules in total and the purpose of most of them is still being investigated.

Page 31

Flame Top 7 affected countries

[Figure: chart of the top affected countries]

The previous figure shows Egypt as one of the top 10 countries infected with Flame malware.

Page 32

What has EG-CERT done so far?

• After we learned about the attack and that Egypt was among the attacked countries, we successfully obtained a sample of the malware for further analysis, and we also followed all the analysis by other parties.

Based on the current information:

• We released a remover tool for the malware that can be downloaded from our web site.

• We developed a signature-based malware scanner which scans the system directory and supports management and logging by a centralized server.
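To show the shape of the signature-based scanner with central logging described above, here is an added Python example; it is not EG-CERT's scanner and carries no Flame indicators, since the page lists none. The signature set is a constructed placeholder (SHA-256 hashes of two sample strings) standing in for indicators a central server would distribute, the scanner walks a directory tree hashing each file, and matches are serialized as JSON lines tagged with host and time, the form a central server would ingest. Transport to that server is left out; the records are returned so they can be shipped however the deployment prefers.

```python
"""Signature-based file scanner with centralized-logging output.

Added example, not EG-CERT's Flame scanner. The signature set below is a
constructed placeholder (hashes of sample strings), not real indicators;
a deployment would load its signatures from, and ship its JSON records to,
the central server.
"""
import hashlib
import json
import os
import socket
import time

# Constructed placeholder signatures: SHA-256 -> signature name.
PLACEHOLDER_SIGNATURES = {
    hashlib.sha256(b"PLACEHOLDER-MALICIOUS-SAMPLE-1").hexdigest(): "placeholder.module.a",
    hashlib.sha256(b"PLACEHOLDER-MALICIOUS-SAMPLE-2").hexdigest(): "placeholder.module.b",
}


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_directory(root, signatures):
    """Walk root and return one finding per file whose hash is in signatures."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it, keep scanning
            if digest in signatures:
                findings.append({"path": path, "sha256": digest, "signature": signatures[digest]})
    return findings


def log_records(findings, host=None, scanned_root=None):
    """Serialize findings as JSON lines tagged with host and UTC time for the central server."""
    host = host or socket.gethostname()
    now = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    return [json.dumps({"host": host, "time": now, "root": scanned_root, **f}, sort_keys=True)
            for f in findings]


def run_scan(root, signatures=PLACEHOLDER_SIGNATURES):
    """Scan root and return (findings, json_log_lines)."""
    findings = scan_directory(root, signatures)
    return findings, log_records(findings, scanned_root=root)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.getcwd()
    _, records = run_scan(target)
    for r in records:
        print(r)
```

Exact-hash matching is cheap and has no false positives, which suits a tool pushed to many hosts quickly; its limit is that any re-built variant of a module gets a new hash, so a central server that can push an updated signature set is part of the design, not an extra.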

Page 33

What has EG-CERT done so far?

• Contacted all ISPs and provided them with all the C&C domains that the malware uses, in order to help identify infected IP addresses in Egypt.

• TE Data offered two solutions:

a- Blocking the Flame C&C domains.

b- Forwarding all traffic going to the Flame C&C domains to a machine at EG-CERT in order to identify the infected machines.
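Option b above is a sinkhole: once C&C-bound traffic is redirected to a CERT-controlled machine, every connection that machine receives comes from a host that was trying to reach the C&C. The following Python, an added example rather than EG-CERT's or TE Data's tooling, reads a constructed sinkhole web-server log, keeps only requests whose Host header names a sinkholed domain, aggregates hits per source IP with first/last seen, and groups the infected addresses per ISP so each provider can be notified about its own customers. The domain names, IP ranges, ISP names and log lines are all placeholders; the page names no Flame C&C domains.

```python
"""Identify infected hosts from sinkhole logs and group them per ISP.

Added example, not EG-CERT's or TE Data's tooling. The domains, IP ranges,
ISP names and log lines below are constructed placeholders.
"""
import ipaddress
from collections import defaultdict

# Constructed placeholder: the domains whose traffic is redirected to the sinkhole.
SINKHOLED_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed ISP allocation table used to attribute an infected host to a provider.
ISP_PREFIXES = {
    "ISP-A (constructed)": ipaddress.ip_network("203.0.113.0/24"),
    "ISP-B (constructed)": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed sinkhole web-server log: timestamp, client IP, Host header, method, path.
SINKHOLE_LOG = """2012-06-02T08:01:10Z 203.0.113.25 c2-placeholder-1.example GET /cgi-bin/placeholder
2012-06-02T08:01:12Z 203.0.113.25 c2-placeholder-1.example POST /cgi-bin/placeholder
2012-06-02T08:15:00Z 198.51.100.80 c2-placeholder-2.example GET /cgi-bin/placeholder
2012-06-02T09:00:00Z 192.0.2.9 c2-placeholder-1.example GET /cgi-bin/placeholder
2012-06-02T09:30:00Z 203.0.113.25 www.example.net GET /
"""


def isp_for(ip):
    """Attribute an address to an ISP via the (constructed) prefix table."""
    addr = ipaddress.ip_address(ip)
    for isp, net in ISP_PREFIXES.items():
        if addr in net:
            return isp
    return "unknown"


def parse_sinkhole_log(text):
    """Yield one record per non-empty log line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, host, method, path = line.split()
        yield {"ts": ts, "ip": ip, "host": host, "method": method, "path": path}


def infected_hosts(text, sinkholed=SINKHOLED_DOMAINS):
    """Aggregate, per source IP, the requests that targeted a sinkholed domain."""
    hosts = {}
    for rec in parse_sinkhole_log(text):
        if rec["host"] not in sinkholed:
            continue  # scanners or stray traffic that hit the sinkhole box for other reasons
        h = hosts.setdefault(rec["ip"], {
            "isp": isp_for(rec["ip"]),
            "hits": 0,
            "first_seen": rec["ts"],
            "last_seen": rec["ts"],
            "domains": set(),
        })
        h["hits"] += 1
        h["first_seen"] = min(h["first_seen"], rec["ts"])  # ISO-8601 UTC sorts as text
        h["last_seen"] = max(h["last_seen"], rec["ts"])
        h["domains"].add(rec["host"])
    return hosts


def notifications_by_isp(hosts):
    """Group infected IPs per ISP so each provider receives only its own customers' addresses."""
    by_isp = defaultdict(list)
    for ip, info in sorted(hosts.items()):
        by_isp[info["isp"]].append(ip)
    return dict(by_isp)


if __name__ == "__main__":
    found = infected_hosts(SINKHOLE_LOG)
    for ip, info in sorted(found.items()):
        print(ip, info["isp"], info["hits"], info["first_seen"], info["last_seen"],
              ",".join(sorted(info["domains"])))
    for isp, ips in notifications_by_isp(found).items():
        print(f"notify {isp}: {', '.join(ips)}")
```

Filtering on the Host header is the important step: a machine that receives redirected traffic also receives unrelated requests, and only those addressed to a sinkholed domain indicate an infection. Addresses that fall outside the known ISP ranges are kept under "unknown" rather than dropped, so they still reach an analyst.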

Page 34

Building Trust

• Participated in and completed the ITU-IMPACT drill 2012.

• Participated in and completed the OIC-CERT drill 2012.

• Participated in and completed the APCERT drill 2012.

• Participated in the Annual FIRST Conference 3 times:

– 24th Annual FIRST Conference, Malta 2012
– 23rd Annual FIRST Conference, Vienna 2011
– 22nd Annual FIRST Conference, Miami 2010
– 21st Annual FIRST Conference, Kyoto 2009

• Participated in the MERIDIAN conference 3 times (2009, 2010, 2011).

• Participated in the Annual Meeting for CSIRTs with National Responsibilities (Vienna 2011 & Malta 2012).

• Participated in the CSI Annual Conference 2009 and 2010 in Washington DC, USA.

• Participated in the OIC-CERT Annual General Meeting 2009 and 2010.

• Hosted the OIC-CERT 2010.

• Participated in Black Hat 2009, 2010, 2011.
