Aspects of Cooperation Between Csirts and Le

Aspects of Cooperation Between Csirts and Le

ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE Handbook, Document for trainers JANUARY 2021 0 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 ABOUT ENISA The European Union Agency for Cybersecurity, ENISA, is the Union’s agency dedicated to achieving a high common level of cybersecurity across Europe. Established in 2004 and strengthened by the EU Cybersecurity Act, the European Union Agency for Cybersecurity contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow. Through knowledge sharing, capacity building and awareness raising, the Agency works together with its key stakeholders to strengthen trust in the connected economy, to boost resilience of the Union’s infrastructure, and, ultimately, to keep Europe’s society and citizens digitally secure. For more information, visit www.enisa.europa.eu. CONTACT For contacting the authors please use [email protected] For media enquiries about this paper, please use [email protected] AUTHORS (IN ALPHABETICAL ORDER BY SURNAME) Philip Anderson, Sandra Blanco Bouza, Smaragda Karkala (ENISA), Gregoire Kourtis, Alexandra Michota (ENISA), Catalin Patrascu, Silvia Portesi (ENISA), Václav Stupka, Koen Van Impe. ACKNOWLEDGEMENTS ENISA would like to thank the following people and organisations: The following subject matter experts, selected from the List of Network and Information Security (NIS) Experts compiled following the ENISA Call for Expressions of Interest (CEI) (ref. ENISA M-CEI-17-C01): - Philip Anderson, Sandra Blanco Bouza, Catalin Patrascu, Václav Stupka and Koen Van Impe, who, together with the ENISA project team, drafted the handbook; - François Beauvois and Yonas Leguesse who contributed as reviewers. Gregoire Kourtis, who provided input to the drafting of the handbook, in particular the graphical representations. Europol’s European Cybercrime Centre (EC3) for the peer-review of the handbook. The ENISA colleagues who provided input and reviewed the handbook, in particular Jo De Muynck and Christian Van Heurck. LEGAL NOTICE Notice must be taken that this publication represents the views and interpretations of ENISA, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 2019/881. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. 1 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. COPYRIGHT NOTICE © European Union Agency for Cybersecurity (ENISA), 2021 Reproduction is authorised provided the source is acknowledged. Copyright for the image on the cover: © Shutterstock For any use or reproduction of photos or other material that is not under the ENISA copyright, permission must be sought directly from the copyright holders. ISBN: 978-92-9204-436-7, DOI: 10.2824/71834 2 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 TABLE OF CONTENTS 1. INTRODUCTION 5 1.1 THEMATIC AREA 5 1.2 TRAINING OUTCOMES 6 1.3 TARGET AUDIENCE 6 1.4 COURSE DURATION 6 1.5 FREQUENCY 6 2. GENERAL DESCRIPTION 7 2.1 IMPORTANCE OF COOPERATION BETWEEN CSIRTS, LE AND THE JUDICIARY 7 2.2 RELEVANT ENISA WORK ON CSIRT/LE COOPERATION 8 2.3 SUMMARY OF 2020 REPORT 9 2.4 CORE READING 9 3. CASE STUDIES 10 3.1 CASE STUDY 1: THEFT OF CONFIDENTIAL DATA 11 3.1.1 Objectives 11 3.1.2 Scenario 12 3.1.3 Tasks 18 3.1.4 Lessons Learned 24 3.2 CASE STUDY 2: RANSOMWARE 25 3.2.1 Objectives 25 3.2.2 Scenario 26 3.2.3 Tasks 29 3.2.4 Lessons Learned 35 3.3 CASE STUDY 3: DDOS AND MALWARE BLENDED ATTACK 36 3.3.1 Objectives 36 3.3.2 Scenario 37 3.3.3 Tasks 41 3.3.4 Lessons Learned 45 3 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 4. BIBLIOGRAPHY 46 ANNEX A: MAIN ABBREVIATIONS 48 ANNEX B: SEGREGATION OF DUTIES (SOD) MATRIX 50 4 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 1. INTRODUCTION 1.1 THEMATIC AREA This training material has been developed based particularly on the ENISA 2020 Report on CSIRT-LE Cooperation - A study of the roles and synergies among selected EU Member States/EFTA countries1. Some of the 2020 report’s conclusions are that, in terms of incident response and cybercrime, the position and role of the computer security incident response teams (CSIRTs) and law enforcement (LE) in the national institutional framework varies from country to country. Similarly, the structure and the organisation of the judiciary also depends on the country. In addition, between the three communities - CSIRTs, LE and judiciary - different approaches and different levels of cooperation exist. While the operational cooperation, especially in the daily interactions and informal communication, seems to be well-established, sometimes it seems that more structured cooperation could be achieved to have less fragmented information flow between the three communities. Also, there is a more significant gap in the interaction between CSIRTs and the judiciary, compared to the cooperation established between LE and the judiciary. CSIRTs would rather often interact with the judiciary in case they are called as an expert witness in court. Moreover, LE is not solely involved in the detection and investigation of cybercrimes. A key component of their role is the preventive aspects of cybercrime, and it is in this role that cooperation with other communities, particularly the CSIRT community, becomes apparent to support preventive strategies. Preventive aspects of incidents/cybercrimes can also be seen as the initial ground for establishing cooperation between the CSIRTs and the LE communities, which can then extend to other phases of the incident/crime investigation. On the other hand, CSIRTs play an important role in informing (potential) victims of cybercrime and providing them with information on how to report a crime to the police. CSIRT and LE communities also need to closely cooperate to mitigate the risks of having evidence compromised or destroyed. Regarding the incident handling and cybercrime investigation, several competences are required. While each community has developed its own set of skills and knowledge, they can all benefit from the competences of the other communities. Finally, the 2020 report on CSIRT and LE cooperation also concluded that despite the initiatives that are already in place to facilitate training within each community, or joint trainings engaging two communities (e.g. CSIRTs and LE, or LE and the judiciary), it seems that there is a need for more training and exercises addressing the three communities together. The 2020 report on CSIRT and LE, this handbook and the related toolset are a set of deliverables complementing each other as follows: The report analyses roles, duties, competences, synergies and potential interferences across the three communities (CSIRTs, LE and judiciary). The handbook helps the trainer explain these concepts through scenarios. The toolset contains exercises for trainees based on these scenarios. 1 ENISA, 2020 Report on CSIRT-LE Cooperation - A study of the roles and synergies among selected EU Member States/EFTA countries, https://www.enisa.europa.eu/publications/2020-report-on-csirt-le-cooperation (26 January 2021) 5 ASPECTS OF COOPERATION BETWEEN CSIRTS AND LE January 2021 The following figure provides an overview of this handbook and the related toolset (also available on the ENISA website), especially in terms of background, methods and recommended material. Figure 1: ENISA training on CSIRT-LE cooperation – Syllabus ENISA Training on CSIRT – LE Cooperation - Syllabus Computer Security Incident Response Teams (CSIRTs), Law Enforcement (LE), Judiciary, Keywords Cybercrime, Cooperation, Interaction This module is intended to provide trainees with a better understanding of the CSIRT, LE Background and judiciary cooperation, including the segregation of duties (SoDs) of each community (CSIRTs, LE and judiciary) when dealing with cybersecurity incidents of criminal nature. Method of Class lectures, interactive learning (class discussions, group work) and practical problems teaching and solved in class learning Case studies are assigned to the trainees and are reviewed in class Recommended ENISA reports material Handbook and toolset 1.2 TRAINING OUTCOMES As a result of attending this training, the trainee should be able to: demonstrate knowledge of interactions across the three communities (CSIRTs, LE and judiciary); synergies, interferences and challenges use the SoD matrix to collect the data to identify the key responsibilities for their communities (CSIRTs, LE and judiciary) and link them with the skills required to fulfil these duties better understand the legal and organisational framework defining the competences of CSIRTs, LE, and the judiciary, in their activities related to fighting cybercrime understand different decision-making processes among the communities capture potential synergies and possible overlaps overcome possible interferences

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    54 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us