
Nov 16, 2012

CSIRT Trainings for ThaiCERT and LaoCERT

Hello, this is Osamu Sasaki. I belong to the Global Coordination Division in JPCERT/CC, responsible for overseas CSIRT trainings. Today I would like to introduce to you two of our CSIRT trainings conducted recently - in September/Tokyo and October/Vientiane. I think it turned out to be a good model of CSIRT collaboration by sharing the knowledge and capability that each team has.

Training in September/Tokyo

In late September, two engineers from ThaiCERT came to Tokyo and participated in an on-the-job training on incident response, malware analysis and TSUBAME, a network monitoring system in the Asia Pacific region headed by JPCERT/CC. ThaiCERT, the national CSIRT in Thailand established in 2000, is in the process of extending its services and strengthening its staff's capability after its reformation in February 2011.

In the incident response training, JPCERT/CC gave a lecture on JPCERT/CC's workflows/operations. JPCERT/CC also conducted exercises that required the knowledge acquired in the lecture. The exercise was designed based on a real incident which happened just recently, and it required analysis of log files containing a large amount of text. It must have been quite tough, but ThaiCERT colleagues managed to handle it with their capability.

In the malware analysis training, JPCERT/CC presented a variety of malware analysis methods. JPCERT/CC also conducted some exercises, and the most interesting one for them seemed to be the analysis of a web defacement case. From this exercise, they gained the techniques to understand what has to be done when someone has accessed a defaced site.

Training in Tokyo

As a part of the training, ThaiCERT colleagues visited the SOC (Security Operation Center) of a Japanese private company to learn from their operation.

Training in October/Vientiane

Two weeks after the training held for ThaiCERT colleagues in Tokyo, Sparky, ThaiCERT colleagues and I traveled to Vientiane, the capital of Lao. JPCERT/CC and ThaiCERT provided a five-day training course for LaoCERT staff. LaoCERT, the national CSIRT in Lao, is a very new organization established in May 2012.

The main topics of the training were CSIRT operations/tools and incident response. In the incident response training, JPCERT/CC introduced our ways of incident handling. Additionally, JPCERT/CC gave a lecture on how to use PGP in order to communicate securely. ThaiCERT colleagues conducted a lecture on RTIR. RTIR is request tracking freeware for incident response. They also conducted a hands-on exercise on RTIR, with step-by-step procedures.

Training in Vientiane, conducted by ThaiCERT

The training was conducted in English, but since all of us were non-native English speakers, Lao, Thai and Japanese were also spoken in the room to confirm the correct understanding among us. (How interesting that was for me!) ThaiCERT colleagues contributed a lot to narrowing the language barrier, thanks to the similarity between the Thai and Lao languages and their good skill in English.

As a final word, I would like to extend my sincerest appreciation to the LaoCERT staff for their warm hospitality. I would also like to thank the Japanese Ministry of Economy, Trade and Industry (METI) for their understanding of the importance of overseas CSIRT development. I hope LaoCERT will start their incident response shortly and I look forward to visiting Lao again!

Group photo of LaoCERT Training