CERT-RO Romanian Approach in Cyber Security Catalin PATRASCU

1. CERT-RO
Romanian Approach in Cyber Security
Catalin PATRASCU
catalin.patrascu@cert-ro.eu
http://www.cert-ro.eu

2. About CERT–RO
 COM (2010) 2020: Europe 2020 Strategy & COM (2010) 245: A
Digital Agenda for Europe
– Action area #3, Trust and Security: Member States should establish by 2012
a well-functioning network of CERTs at national level covering all of Europe
 H.G. 494 / 2011
– Prevent, analyze, identify and react to cyber security incidents related to
public IT&C infrastructure (not military, public safety, national security)
– National contact point for similar structures
– Elaborate and distribute public cyber security policies
– Analyze technical and procedural problems within cyber infrastructures.

3. CERT-RO Partenrs

4. CERT-RO Services
Proactive Reactive Support
• Alerts on new threats and
vulnerabilities that may affect
national cyberspace.
• Notices regarding the
possibility of major cyber
security incidents occurrence.
• Study guides and
documentation on recent
developments in the field of IT
& C. security.
• Security assessment for
partners (audits, network and
application pentests etc.).
• Alerts and warnings on
the occurrence of major
attacks preceding
activities.
• Alerts and warnings
related to cyber security
incidents occurrence.
• Management of a
database with national
cyber security incidents.
• Security incidents
investigation and results
dissemination.
• Awareness activities for
the government and
partners.
• Risk assessments
• Support the partners in
development of their own
CERT teams.
• Consulting services for
securing critical
infrastructures.
• Development of the
national policy and
security strategy with
partners.

5. Ticketing System
CERT-RO uses Request Tracker for Incident Response (RTIR), a customised
user interface which sits on top of Request Tracker (RT), a popular ticketing
system.
Everyday use of RTIR is through a web interface and does not require any
additional software to be installed on the user’s machine.
RT and RTIR are open-source projects supported by Best Practical Solutions LLC
and can be obtained from the company website:
http://bestpractical.com/rt/ - current stable release is RT 4.0.17
http://bestpractical.com/rtir/ - current stable release is RTIR 3.0.0

6. RTIR Interface - homepage

7. Incident Handling Workflow
RTIR’s incident handling system relies primarily on e-mail.
E-mail messages reporting incidents, called Incident Reports, are sent to an
email address configured by CERT/CSIRT (alerts@cert-ro.eu).
Messages that constitute on-going correspondence in the handling of a ticket
include a number in the form [CERT-RO #34159] and are automatically
appended to the corresponding RTIR ticket.
All new messages that do not include a number in the form [CERT-RO #34159]
are stored as new Incident Reports and appear in the New unlinked Incident
Reports section of the RTIR homepage.

8. Incident Handling Workflow

9. Dealing with Structured Data Feeds
CERT-RO receives daily reports (files with structured data) that together
contain 50,000 to 100,000 records related to cyber security events.
For that amount of data is needed an automated processing system.
Currently we use an in house developed solution to automatically:
• collect all data feeds;
• store them in a relational database (MySQL);
• perform data enrichment;
• distribute alerts to the affected parties
Right now we are working on adopting STIX (Structured Threat Information
eXpression) - http://stix.mitre.org/, supported by MITRE, which is a
collaborative community-driven effort to define and develop a standardized
language to represent structured cyber threat information.

10. Report on cyber security alerts received by
CERT-RO in the first 6 months of 2013

11. Report on cyber security alerts received by
CERT-RO in the first 6 months of 2013
Number of alerts
Number of unique IP’s

12. Advanced Persistent Threaths – APT’s
In the first two months of 2013 where discovered two cyber espionage
campaigns that targeted public institutions from Romania.
 Red October (ROCRA)
• Infection vector: email message with malicious document attached
• Exploited vulnerabilities: CVE-2009-3129 (Excel), CVE-2010-3333 (Word), CVE-2012-0158 (Word)
 MiniDUKE
• Infection vector : email message with malicious document attached
• Exploited vulnerabilities : exploit 0-day CVE-2013-0640/641 (Adobe Reader)

13. Conclusions
Based on the analysis of data held by CERT-RO, it appears that computer
science threats to the national cyberspace have diversified and evolutionary
trends was observed, both in terms of quantity and in terms of technical
complexity.

14. THANK YOU!