
Jul 10, 2015

The 27th FIRST Annual Conference in Berlin

Hello, Taki here, and it's currently rainy season in Japan.

Just recently, I attended the 27th FIRST Annual Conference, held on June 14-19, 2015 in Berlin – a city that I visited for the first time.


(Photo by Hiroshi Kobayashi)

I would like to go over some activities that JPCERT/CC was involved in during the conference.

This year I attended together with 3 colleagues, Yurie Ito, Koichiro (Sparky) Komiyama and Hiroshi Kobayashi. The conference was themed “Unified Security: Improving the Future”, focusing attendees’ collective efforts on improving the future of security together. As usual, it was great to catch up with the various people who work in the industry and also to get to know some new people. We had many discussions about work over the past year and prospective collaboration over the next year.

JPCERT/CC was involved in 3 different presentations at the conference and I would like to take the time to briefly introduce each of them.

First, Yurie's presentation was titled, "A Proposal for Cybersecurity Metrics Through Cyber Green". Cyber Green, currently led by JPCERT/CC, is a project that aims to measure the health of the Internet by aggregating data sets of key risk factors, enabling comparisons over time and around the world, in order to identify what can be improved to make the Internet a better place. The presentation centered around the overview of the project, along with some details on the methods as to how the data is collected, analyzed and shown.

I was a co-presenter in a talk titled, "VRDX-SIG: Global Vulnerability Identification" along with Mr. Art Manion of CERT Coordination Center (CERT/CC) and Dr. Masato Terada of the Hitachi Incident Response Team (HIRT). The FIRST VRDX-SIG (Vulnerability Reporting and Data eXchange Special Interest Group) was chartered in 2013 to study existing practices on how vulnerabilities are identified, tracked and exchanged, and to develop recommendations on how to better the existing practices across disparate vulnerability databases (including Vulnerability Notes Database by CERT/CC, Japan Vulnerability Notes (JVN) by JPCERT/CC and Information-technology Promotion Agency, Japan (IPA), Open Sourced Vulnerability Database (OSVDB) and other vendor security advisories). This talk presented results of the work of the VRDX-SIG, including the creation of a vulnerability database catalog and some findings about vulnerability identification and tracking.

The last presentation that JPCERT/CC was involved in was a presentation by Hiroshi titled, "Keeping Eyes on Malicious Websites - “ChkDeface” Against Fraudulent Sites". He first talked about some noteworthy features of defaced websites reported to JPCERT/CC, and then introduced a tool called "ChkDeface", developed and implemented at JPCERT/CC, to collect various information on the defaced websites through a secure and efficient monitoring method. JPCERT/CC is planning to share the source code of this tool with some CSIRTs in the FIRST community, and eventually to open source the tool so that it can be practically utilized to trigger deeper discussion among security experts about more precise detection methods ― so here's hoping for a follow-up blog entry when that happens.

JPCERT/CC was a part of a few working groups as well, including the Energy-SIG, Vulnerability Coordination-SIG and CVSS-BoF in addition to the aforementioned VRDX-SIG. While I am unable to provide any insight about what was actually discussed, I believe that the work being done is worthwhile and when there is any output provided, I hope to notify through this blog or some other forms of communication.

Lastly, Berlin was a wonderful city, a little colder than I had expected, and I hope to find a chance to visit again.

That's all for today.

Thank you for reading.


(Photo by Hiroshi Kobayashi)

- Takayuki (Taki) Uchiyama

Jun 30, 2015

APWG eCrime 2015 and Phishing Trends in Japan

Hola!  This is Shoko from the Incident Response Team.  Last month I attended the APWG eCrime 2015, held from May 26-29 in Barcelona – the cosmopolitan capital of Spain’s Catalonia region, defined by quirky art and architecture, imaginative cuisine and siesta.

Today, I’d like to share an overview of the APWG eCrime 2015 and my presentation there on “Phishing Trends in Japan.”

About APWG and APWG eCrime 2015

You may well know that APWG, founded in 2003 as the Anti-Phishing Working Group, is the global coalition of industry, government and law-enforcement sectors, focused on unifying the global response to cybercrime.  APWG provides a forum to discuss phishing and cybercrime issues, to consider potential technology solutions, and more, with over 2,000 institutions participating worldwide.

The APWG eCrime (Symposium on Electronic Crime Research) 2015 is one of APWG’s rotation of global meetings, held in Europe this time, bringing together a variety of participants from law enforcement, financial institutions, security vendors, CSIRTs and more.

At the event, I joined a panel session focusing on cybercrime trends from APWG members around the globe, namely from MyCERT, CERT.br and CNNIC, and presented on Japanese phishing trends in 2014.

Phishing Trends in Japan

The following graph shows the number of phishing incidents reported to JPCERT/CC since 2012.

Figure 1: Trend of phishing sites observed at JPCERT/CC

The red block shows the number of overseas brand phishing sites (phishing sites spoofing overseas brand websites), and the blue block shows the number of Japanese brand phishing sites (phishing sites spoofing Japanese brand websites).

The number of overseas brand phishing sites has always been observed at a certain level, but what is interesting is that the number of Japanese brand phishing sites showed a sharp spike at the end of 2013, and then dropped significantly in August 2014.  There could be several reasons for this, but one noteworthy event is that in November 2014, the Japanese police arrested cyber criminals who had illegally set up malicious infrastructure for phishing purposes.  We assume that the timing of their investigation (prior to the arrest) had some relation to the sudden drop in phishing incidents reported to JPCERT/CC.  At that time, we also worked closely with relevant ISPs to investigate the case, and provided information to relevant parties from a technical standpoint.  This case was also covered in the National Police Agency’s presentation during APWG eCrime 2015.

The following graphs show the top categories for overseas and Japanese brand phishing sites.

Figure 2: Industry breakdown of overseas brand phishing
Figure 3: Industry breakdown of Japanese brand phishing

The top category for both is Financial, but interestingly, Gaming comes second for Japanese brand phishing sites.  This may be an observation unique to Japan, one of the world's gaming superpowers.

In Summary

The APWG eCrime 2015 was a significant place to strengthen collaboration among persons and organizations pursuing the same goal, and to have productive and lively conversations.  Throughout this experience, I strongly reconfirmed the importance of close collaboration among relevant parties, which is the key to combating cyber incidents and criminals.

Well, of course it was Barcelona – Iberian pork and black paella were wonderful, but I would like to add that “agua con gas” (sparkling water) was also good!

Thank you for reading my post.


- Shoko Nakai

Nov 08, 2013

Information Security Incident Management Standard under Revision

Hi, it's Masaki Kubo. I’ve just returned from my trip to Incheon, Korea, where we had an ISO/IEC JTC 1/SC 27 meeting on standardization of IT security techniques. JPCERT/CC has been engaged in this standardization effort through the Japanese national body over the past years, and I participated particularly in the revision work of ISO/IEC 27035:2011 on information security incident management.

ISO/IEC 27035:2011 was published in 2011, and right after its publication, a so-called "early revision" was called for [1]. The experts have now divided the document into 3 parts for review:

- 27035 Part 1:
    Principles of incident management

- 27035 Part 2:
    Guidelines to plan and prepare for incident response

- 27035 Part 3:
    Guidelines for incident response operations

All 3 parts are now in the 3rd Working Draft (WD) stage, and it was just agreed to go into the 4th stage. Since the WD documents are not official ISO documents yet, we still have the right to propose amendments to them. If the documents pass the 4th WD stage, they will then proceed to the 1st Committee Draft (CD) [2].

27035 Part 1 inherits most of the text from the published standard 27035:2011 and is condensed to address only the principles: what incident management is, what steps should be taken to prepare for incidents and to respond to them, etc. Because this part gives the overall structure for 27035 Parts 2 and 3, it should be well elaborated, and in this sense, I think it has achieved good maturity for the 3rd WD stage. The incident management phases mentioned in 27035 Part 1 are the following 6 phases:

    - Plan and Prepare
    - Detection and Reporting
    - Assessment and Decision
    - Responses
    - Post Incident Activity
    - Lessons Learnt

27035 Part 2 gives guidelines to prepare for incidents. Japan contributed several comments to restructure the overall document, which were well accepted by the editor. Now the structure of Part 2 is in sync with the incident management phases referred to in Part 1. Topics covered in this part include:

    - Establishing information security incident management policy
    - Creating information security incident management scheme
    - Establishing an Incident Response Team (IRT)
    - Defining technical and other support
    - Creating information security incident awareness and training
    - Testing the information security incident management scheme
    - Lessons Learnt

Although the structure of the document is getting into better shape, it requires more body text, so we are seeking more contributions from the national bodies.

27035 Part 3 gives a guideline for incident handling operations. This is an operational guideline, and the current discussion may not be neutral enough for an ISO document. Also, it still lacks a structure that makes it easy to comprehend. However, the overall text is improving and I hope it will settle better before we move on to the CD stage.

There already exist several best practice guides on incident management, and you may question why another one is needed from ISO. One answer is that we have standardization projects in SC 27/WG 4 around incidents, such as digital forensics, data storage security, SIEM, etc., and cannot omit incident management. Another answer is that there are people who wish to refer to neutral, standardized guidelines, and ISO is the place to offer them.

JPCERT/CC wishes to continue contributing to this project, so that the standard will be consistent with the practice of the CSIRT community.

Last but not least, FIRST (Forum of Incident Response and Security Teams) has also established a liaison relationship with ISO/IEC JTC 1/SC 27. If you are a FIRST Member and would like to contribute to this project, please visit FIRST’s website on ISO Activities for further information. Even if you are not a FIRST Member, there are several ways you can submit your comments to ISO:

- Your organization may have a person who is already involved in the standardization effort so you can work with that person.

- You can work with your national standardization body.

Whichever avenue you choose to use, your contribution will be much appreciated.

- Masaki Kubo

[1] According to the standard procedure, all international standards are reviewed at least every five years.

[2] After going through the CD, the documents will go to the Draft International Standard (DIS) stage, and then to the Final Draft International Standard (FDIS) stage, which then finally become issued as official ISO documents.