www.IndianJournals.com Members Copy, Not for Commercial Sale
Downloaded From IP - 115.254.44.5 on dated 24-Apr-2019

IITM Journal of Management and IT, January-June, 2015, Volume 6, Issue 1
National Conference on Emerging Trends in Information Technology

FIRe: Firefox for Computer Security Incident Reporting and Coordination

Ashutosh Bahuguna*

* Scientist, Department of Electronics & IT, Ministry of Communication & IT, Electronics Niketan, 6-CGO Complex, New Delhi-110003

Abstract

Security breaches are on the increase, and adversaries are regularly coming up with new tools and techniques to compromise information infrastructure. Effective incident information sharing and coordination during incident resolution is crucial for thwarting cyber attacks and protecting the critical assets of an organization and of the nation. It is observed from the current means and methods employed by various national Computer Security Incident Response Teams (CSIRTs) and Information Sharing and Analysis Centers (ISACs) that there is a need for improvement in incident reporting and coordination means and methods; relying on only the few available means, like unsecured email communication, is insufficient for countering cyber attacks. FIRe (Firefox for Incident Reporting) is developed to provide a single-window solution for incident reporting and coordination activities with CSIRTs (national and sectoral) during the incident resolution process. FIRe is a customized Firefox browser with extensions developed to enable organizations to share incident information in a standardized format with the national and/or sectoral CSIRTs. FIRe provides the functionalities to communicate and coordinate during incident resolution. FIRe also integrates tools for secure communication, sensitive information labeling, real-time interaction with handlers and analysts, and a database of stakeholder points of contact. Operational testing of FIRe is planned in the upcoming national cyber security exercise 2015 to be conducted by the Indian Computer Emergency Response Team (CERT-In). Learnings from the exercise and feedback from participating organizations with respect to FIRe will be used to improve the tool.

Keywords: Computer Emergency Response Team (CERT); Computer Security Incident Response Team (CSIRT); Incident Reporting; Incident Handling; Incident Coordination; Indicators of Compromise (IOC)

1. Introduction

A security incident is defined as an adverse event in an information system and/or network that poses a threat to computer or network security. In other words, an incident is any event that causes, or may cause, a breach of information security in respect of availability, integrity and confidentiality. Examples of such incidents are unauthorized access to an information system, disruption of data, denial of service/availability, misuse of system resources, malware and others. Large-scale cyber incidents may overwhelm government, public and private sector resources and services by disrupting the functioning of critical information systems. Complications from disruptions of that magnitude may threaten lives, the economy and national security. Rapid identification, incident information exchange and coordinated response can mitigate the damage caused by malicious cyberspace activity. A significant cyber incident requires increased national and/or sectoral coordination. A study of the different incident reporting and coordination means and methods adopted by CSIRTs worldwide reveals a lack of standardized formats, channels and methods to report incidents to the CSIRT, to exchange incident information with CSIRTs and stakeholders, and to coordinate with the CSIRT during incident resolution. It is also observed that there are only a few instances where means for real-time coordination during incident resolution are implemented. It finally falls to the coordination bodies, i.e. the regional or national CSIRT and the sectoral CSIRTs, to enable the organizations under their purview for improved incident reporting and coordination activities.
FIRe (Firefox for Incident Reporting), an extended Firefox browser, is developed with the objective of standardizing and enhancing incident reporting and coordination activities. It provides features for secure email communication, web-form based incident reporting, instant messaging for coordination during incident resolution, information sensitivity labeling, access to a centralized point-of-contact database of relevant stakeholders, and sharing of Indicators of Compromise (IoC). In summary, FIRe is a tool to enable the reporting party to coordinate and communicate better with the national and/or sectoral CSIRTs during the incident resolution process.

There is a notable effort by the European Union Agency for Network and Information Security (ENISA) [1] in the standardization of incident reporting across the European Union. ENISA has also developed a tool, the Cyber Incident Reporting and Analysis System (CIRAS) [2][3], as per the Article 13a guidelines for incident reporting [2][3], for online incident reporting that replaces the exchange of electronic forms by email. FIRe is not only an incident reporting system but a tool with the purpose of improving coordination and communication in handling cyber attacks.

This paper discusses the need for improvement in incident reporting and coordination means and methods, the objectives and features of the FIRe tool, and the operational testing of FIRe in exercise scenarios. A study of the means and mediums implemented by various national CSIRTs for communication between reporting entities and the national CSIRT is also presented. The rest of the paper is organized as follows. Section 2 is about the need for and challenges of computer security incident reporting. Section 3 discusses current computer security incident reporting practices and solutions at various national CERTs/CSIRTs. In Section 4, FIRe functionality details are provided. Section 5 is about the operational testing of FIRe in the upcoming cyber security exercise. Finally, Section 6 concludes the paper with the future roadmap for FIRe.

2. Computer Security Incident Reporting

National and sectoral CSIRTs, also known as Computer Emergency Response Teams (CERTs), are the national or sectoral nodal agencies for responding to cyber security incidents [4]. National/sectoral CSIRTs use multiple channels for gathering information related to incidents impacting the cyberspace under their purview. By reporting computer security incidents to the CSIRTs, organizations and users receive coordination with other entities and technical assistance in resolving incidents in a timely manner. This also helps national/sectoral CSIRTs to correlate the incidents thus reported and analyze them, draw inferences, disseminate up-to-date information, and develop effective security guidelines to prevent the occurrence of such incidents in future. Incident reporting needs to be encouraged and supported by effective means of reporting and coordination tools and platforms.

Figure 1. Cyber Intrusion During February, 2014.

CSIRTs handle reported incidents and also monitor different sources for incident information. Figure 1 is the breakup of incidents tracked and reported by CERT-In in the month of February 2014 (Public Report: Monthly_report_CERT-In_Feb_2014) [5]. Most of the incidents in the categories Intrusion & Malicious Code, Website Spam, Malware Propagation (WIMP) and defacement are tracked from various different sources. The study of "incidents reported" and "incidents tracked" from other sources infers that a large number of incidents (more than 70% of incidents) remain unreported because of various possible reasons on the part of organizations or users, like lack of trust, lack of clarity and of standard operating procedures for sharing information with external parties, reputation issues and others. The trust of the community in national and sectoral CSIRTs is vital for incident reporting and information sharing. Many organizations consider information sharing with external organizations as damaging to the organization. CSIRTs (national and sectoral) are themselves trusted, and are the only hope for organizations to get help in incident resolution without any risk of damage to the reporting party [6]. An organization or user reluctant to share data or incident information because of the confidentiality of the data, legal and policy issues [7], the reputation of the organization, lack of trust or unwillingness to share data should be encouraged to share Indicators of Compromise (IoC) [8] instead of complete event data. The effectiveness of the response actions of the national CSIRT in defending against cyber attacks fundamentally depends upon the percentage of incidents reported to and tracked by the CSIRT. To reduce the number of unreported incidents, the CSIRT community needs to focus on encouraging incident reporting and information exchange by developing and implementing solutions for effectively supporting communication and coordination activities during incident resolution. Streamlining the incident reporting process through standardization of incident data and incident reporting means would also improve the operational efficiency of the CSIRT [9].

Figure 2. Incident Reporting and Coordination Solutions.
3. Computer Security Incident Reporting Practices and Solutions

This section presents the main findings of the study on incident reporting and coordination means implemented by various national CSIRTs. Figure 2 represents a result of the study, based on the communication and coordination methods of 82 national and regional CSIRTs [10]. Web portals for incident reporting and incident reporting templates (IR templates) are efforts to enable users to report an incident with the required useful information about the incident; however, these methods are not widely implemented. Among the 82 CSIRTs, 17 CSIRTs use social networking sites (SNS) like Twitter, LinkedIn and Facebook as a channel for interaction, which again is not a significant figure. It is noteworthy that even today email and telephone/fax are the main categories of communication channels, followed by the use of web portals for incident reporting. There is a need for an effective solution for enabling standardized incident reporting, real-time interaction, information exchange and coordination activities. Real-time communication and coordination enable analyst-to-analyst level interaction and rapid exchange of ideas and technical details, and enhance trust and willingness for information sharing with external entities and the national CSIRT; surprisingly, only one CSIRT has implemented a Short Message Service (SMS) based real-time coordination solution for incident resolution and reporting. Looking at the complex nature of the current cyber security threat landscape, it is required to develop effective mechanisms and means for incident reporting, communication and coordination activities during incident resolution, and tools for supporting these activities.

4. FIRe (Firefox for Incident Reporting)

FIRe is a customized Firefox [11] browser which includes extensions for supporting incident reporting and incident resolution activities. Supporting server-side applications like the incident database, Internet Relay Chat (IRC) server [12] and point-of-contact database need to be set up at the CSIRTs. FIRe is developed with the following 5 main objectives:

a. To explore the options for improving community-to-CSIRT communication and coordination in cyber security incident resolution.
b. Real-time coordination in incidents as required.
c. Provide an analyst-to-analyst platform for real-time coordination.
d. Enable rapid exchange of ideas and technical details.
e. Enhance trust and willingness to share information.

Figure 3. FIRe V 1.0 Screenshot.

Extensions and Functionalities of FIRe

Secure Email - Pretty Good Privacy (PGP)
Incident reports contain confidential details, and various CSIRTs provide a Pretty Good Privacy (PGP) [13] public key for secure email communication (refer to Section 3). Mailvelope 0.9.0 [14] is used with FIRe V 1.0 to provide key generation, key management and an integration facility with email service providers for secure email communication with CSIRTs and other entities as required during the incident reporting and resolution phases.

Figure 4. Secure Email Communication - Mailvelope.

Information Sharing - Traffic Light Protocol (TLP)
TLP [15] is used by various international CERTs for confidential information marking by the incident reporter, and ensures controlled disclosure. It makes use of four colors (Red, Amber, Green and White) to classify information according to sensitivity; refer to Figure 4 (Source: US-CERT). FIRe ensures marking of information as per TLP in incident reporting, in IoC sharing and during real-time coordination.

Real-Time Coordination - Internet Relay Chat (IRC)
IRC [12] provides a real-time group chat facility. Instant Messaging (IM) and IRC are useful in incident resolution for analyst-to-analyst coordination and for informal, fast sharing of ideas and technical details. FIRe V 1.0 uses ChatZilla 0.9.90.1 [17] as the IRC client. In FIRe V 2.0 it is proposed to include a common instant messaging (IM) client that would support XMPP/Jabber [18] IM, IRC and web services.

Incident Reporting Portal
This feature enables secure web-based incident reporting to national/sectoral CSIRTs as per the incident reporting form of CERT-In [19]. This system improves the collection of the required incident-related information. The incident reporting portal reduces the time required for resolving the incident and also improves the efficiency of the CSIRT.
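The TLP marking described above and the IoC sharing and CSIRT-side correlation that the next section describes fit one small data model. The following Python is an added example, not code from the FIRe tool or the paper: the audience allowed for each TLP colour is an assumption based on the US-CERT definitions the paper cites, and the organisation labels and indicator values are constructed.

```python
import ipaddress
import re
from collections import defaultdict, namedtuple

# TLP colours from least to most restrictive (the four colours the paper names).
TLP_ORDER = ("WHITE", "GREEN", "AMBER", "RED")
# Assumed audience per marking (US-CERT definitions the paper cites); labels are constructed.
TLP_AUDIENCE = {
    "RED": {"named_recipient"},
    "AMBER": {"named_recipient", "recipient_org"},
    "GREEN": {"named_recipient", "recipient_org", "community"},
    "WHITE": {"named_recipient", "recipient_org", "community", "public"},
}
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
URL_RE = re.compile(r"^https?://[^\s/]+(/\S*)?$")
# kind is "ip", "md5" or "url" (the indicator types the paper lists); source is a constructed org label.
Ioc = namedtuple("Ioc", "kind value tlp source")

def classify(raw):
    """Indicator type of a raw string, or None if it is not a usable IoC."""
    value = raw.strip()
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if MD5_RE.match(value.lower()):
        return "md5"
    if URL_RE.match(value):
        return "url"
    return None

def make_ioc(raw, tlp, source):
    """Validate and normalise one shared indicator and its TLP marking."""
    kind = classify(raw)
    if kind is None:
        raise ValueError(f"unrecognised indicator: {raw!r}")
    tlp = tlp.upper()
    if tlp not in TLP_ORDER:
        raise ValueError(f"unknown TLP marking: {tlp!r}")
    value = raw.strip().lower() if kind == "md5" else raw.strip()
    return Ioc(kind, value, tlp, source)

def may_share(ioc, audience):
    """Controlled disclosure: release only to audiences the marking allows."""
    return audience in TLP_AUDIENCE[ioc.tlp]

def merge_marking(markings):
    """Combined data inherits the most restrictive marking of its inputs."""
    return max(markings, key=TLP_ORDER.index)

def correlate(iocs):
    """CSIRT-side correlation: indicators seen from more than one organisation -> (sorted sources, merged TLP)."""
    by_key = defaultdict(list)
    for ioc in iocs:
        by_key[(ioc.kind, ioc.value)].append(ioc)
    hits = {}
    for key, items in by_key.items():
        sources = sorted({i.source for i in items})
        if len(sources) > 1:
            hits[key] = (sources, merge_marking([i.tlp for i in items]))
    return hits

# Constructed sample: three organisations report overlapping indicators.
SAMPLE = [
    make_ioc("198.51.100.23", "amber", "org-a"),
    make_ioc("D41D8CD98F00B204E9800998ECF8427E", "green", "org-a"),
    make_ioc("198.51.100.23", "red", "org-b"),
    make_ioc("d41d8cd98f00b204e9800998ecf8427e", "green", "org-c"),
]
```

Note that an indicator reported as RED by one organisation stays RED after correlation even if another organisation reported the same value as AMBER, so the merged record cannot be released to the wider community.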
Sharing Indicators of Compromise (IoC)
IoC are artifacts that indicate a computer security incident. IoC typically include IP addresses, MD5 hashes of files, other attributes of malicious files, and URLs of botnets. IoC provide fast threat information exchange for early intrusion detection and threat data correlation at the CSIRT. Organizations unwilling to share complete incident information should be encouraged to share IoC. FIRe provides a portal for sharing IoC with trusted entities.

Figure 5. Information Sharing Traffic Light Protocol (Source: US-CERT [16]).

Figure 6. Internet Relay Chat (IRC) client - ChatZilla.

Integration of cyber threat management systems like the Collective Intelligence Framework (CIF) client in FIRe
FIRe will provide a client interface for accessing the threat management system Collective Intelligence Framework (CIF). "CIF allows you to combine known malicious threat information from many sources and use that information for identification (incident response), detection (IDS) and mitigation (null route). The most common types of threat intelligence warehoused in CIF are IP addresses, domains and urls that are observed to be related to malicious activity" (source: Google Code CIF description) [20]. This functionality will allow access to threat information shared by the community and collected by CIF from various sources on the internet, like malwaredomainlist [21] and Spamhaus [22], as configured by the CSIRT.

Security advisory, vulnerability and alert notes by feed reader to the subscribers
During the study of the means of communication implemented by CSIRTs (refer to Section 3), it was observed that various CSIRTs have implemented feeds for sharing vulnerability reports, security alerts and advisories. Sage 1.5.2 [23] is implemented with FIRe for RSS and Atom feed aggregation.

Figure 7. Incident Reporting Portal.

Dashboard for sharing internet weather based on NetFlow data
FIRe displays the Internet weather, i.e. the "current observed network threat level", based on the data collected by the network sensors and data analysis systems implemented by the CSIRT at national level or by the sectoral CSIRT for a specific sector.

Table 1. FIRe functionality implementation [Yes (Y), No (N), Not Applicable (NA)].

Functionality / Version                                   | FIRe V1.0 | FIRe V2.0
Secure Email                                              | Y         | Y
Information Classification - TLP                          | Y         | Y
Real Time Coordination - IRC client                       | Y         | NA
Real Time Coordination - Common IM Client                 | N         | Y
Incident Reporting Portal                                 | Y         | Y
Sharing Indicators of Compromise                          | Y         | Y
Cyber Threat Management Systems - Integration             | N         | N
Feeds - Security advisories, alerts to users from CSIRTs  | Y         | Y
Point of Contact Database                                 | N         | Y

Stakeholders' and service providers' point of contact (PoC) database
Coordination with various domestic and international entities is required to resolve a security incident. Organizations usually maintain details of PoC in their plan; however, the database is limited to a few entities and service providers and may not include the PoC of
vectors involved in a particular incident. FIRe will provide access to the centralized database of PoCs maintained by the CSIRT.

FIRe version 2.0 is planned for development after the evaluation of FIRe 1.0 in the upcoming cyber security exercise, discussed in the next section. Table 1 provides a snapshot of the features implemented or proposed for implementation in the respective versions of the tool.

5. FIRe in Cyber Security Exercise

The Indian Computer Emergency Response Team (CERT-In) conducts national cyber security exercises (CSE) on a periodic basis targeting various sectors of the Indian economy. The purpose of the exercises is to provide an opportunity to the participating organizations to test their preparedness in combating cyber attacks by means of preparation, detection, reporting, coordination and communication, mitigation and response actions. Cyber security exercises also provide an opportunity to improve communication and coordination activities among the national CERT, sectoral CERTs, stakeholders and service providers. It is proposed to include FIRe in the forthcoming exercise as a one-window solution for incident reporting, instant messaging, secure email communication, sharing of artifacts and logs, and the point-of-contact database of CERTs/stakeholders/agencies/service providers. The cyber security exercise will provide a platform for operational testing of FIRe. Learnings and feedback of the exercise observer team and the participating organizations will be used to improve FIRe before releasing it for community use.

6. Conclusion

The author believes that FIRe will have a positive impact on incident reporting and resolution activities. FIRe will improve coordination and communication among organizations, service providers, sectoral CSIRTs and the national CSIRT. The browser plugin based implementation makes it platform independent and easy to set up. It will improve the operational efficiency of the CSIRT by fostering a culture of standardized coordination and communication in incident reporting and resolution. FIRe can be further enhanced with functionality to collect threat information and incident information from international partners and vendors. The national/sectoral CSIRT may add functionality for pushing vulnerability reports, critical threat alerts, malware alerts and network flow analysis trends to the sector or organizations using FIRe. The evaluation of FIRe in the upcoming cyber security exercise will definitely lead us further.

References

1. European Union Agency for Network and Information Security (ENISA), http://www.enisa.europa.eu/.
2. European Union Agency for Network and Information Security (ENISA): Annual Incident Reports 2012. Analysis of Article 13a incident reports.
3. ENISA: Article 13a Expert Group portal. https://resilience.enisa.europa.eu/article-13.
4. Moira J. West-Brown, Don Stikvoort, and Klaus-Peter Kossakowski: Handbook for Computer Security Incident Response Teams (CSIRTs). CMU/SEI-2003-HB-002.
5. CERT-In Monthly Report, http://www.cert-in.org.in/.
6. Kimoon Jeong, Junhyung Park, Minsoo Kim, BongNam Noh: A Security Coordination Model for an Inter-Organizational Information Incidents Response Supporting Forensic Process. IEEE Fourth International Conference on Networked Computing and Advanced Information Management (2008).
7. Hennin, S.: Control System Cyber Incident Reporting Protocol. IEEE Technologies for Homeland Security (2008).
8. Indicators of Compromise (IoC), https://www.mandiant.com/blog/tag/openioc/.
9. James R. Antonides, Donald N. Benjamin, Daniel P. Salem, and Jeffrey S. Feldpausch, USCC: Streamlining the US Army Network Incident Reporting System. Proceedings of the 2008 IEEE Systems and Information Engineering Design Symposium.
10. CERT/CC: http://www.cert.org/incident-management/national-csirts/national-csirts.cfm.
11. Mozilla Firefox. http://www.mozilla.org/.
12. Internet Relay Chat (IRC). http://tools.ietf.org/html/rfc1459.html.
13. PGP: http://www.ietf.org/rfc/rfc2440.txt.
14. Mailvelope: https://www.mailvelope.com/.
15. Information Sharing Traffic Layer Protocol (ISTLP): https://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/incident-handling-process/information-disclosure.
16. United States Computer Emergency Readiness Team (US-CERT). https://www.us-cert.gov/.
17. ChatZilla. https://addons.mozilla.org/en-US/firefox/addon/chatzilla/.
18. XMPP/Jabber. http://www.ietf.org/rfc/rfc3920.txt.
19. Indian Computer Emergency Response Team (CERT-In). http://www.cert-in.org.in.
20. Collective Intelligence Framework. https://code.google.com/p/collective-intelligence-framework/.
21. malwaredomainlist. http://www.malwaredomainlist.com/.
22. Spamhaus. http://www.spamhaus.org/.
23. Sage 1.5.2. https://addons.mozilla.org/en-US/firefox/addon/sage/.