No larger team can work with a single data source and a single incident management system today (at least we don't know of such a team yet). That's why every team develops its own tools, or at least its own extensions to tools that already exist.
In most cases CSIRT teams learn best from one another. That's why we decided to lead a project, named CS Danube (Cyber Security in the Danube Region), which is partly financed by the European Union from the START Danube Region Project Fund. Teams from Moldova, Serbia, Slovakia and Austria are involved in this project. What are the "tweaks" that our colleagues from the other teams presented to us at our first joint meeting?
Our Slovak colleagues showed us how they had adapted Malicious Domain Manager to their own needs. This tool was created by CZ.NIC and the CSIRT.CZ team and is used for processing information about malicious activity within the .cz domain. CSIRT.SK named its version, intended for incident processing, the Malicious Resource Manager; among other things it provides regular screenshots of phishing pages, direct information from virustotal.com and a direct connection to WHOIS. Our colleagues also showed how they try to educate users through a so-called Phishing test. Try it yourself and determine how many of the e-mails received by Chuck Norris 🙂 are legitimate.
Representatives of AMRES, the Serbian team, presented to us, among other things, Netvizura, a set of tools for analysing the operation of a network and of the services running within it; it was created through cooperation between the University of Belgrade, Serbia, and the private sector. Among the tools available for free you can find, for example, DNS Checker, which reports, among other things, whether a DNS server acts as an open resolver and whether a name has AAAA records or PTR records for reverse lookups. Another free tool is DomainDossier, which reports through its web interface information about a domain, the network it belongs to, its DNS servers, the trace route, and the services running at the given address.
The Austrian CERT.AT team, whose way of working is similar to that of the CSIRT.CZ team (it is also operated by the national domain registry, for .at), presented a few open source projects focused on analysing malicious files or traffic. I'll mention at least Passive DNS, which our team also uses. Probes within Passive DNS observe the DNS traffic of recursive DNS servers, strip the source and destination addresses (to protect privacy), add timestamps to the public DNS records, and then save them to a database. The database can be queried through a graphical interface: one can find out which A records a domain had in the past or, for example, which A records fall within a given address range.
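To make the two mechanisms described above concrete (the open-resolver check of DNS Checker and the record collection of Passive DNS), here is a small Python example written for this post. It is not code from Netvizura, from CERT.AT's Passive DNS or from CSIRT.CZ. It parses DNS responses in wire format, classifies a resolver as open or closed from the RA flag and response code, and feeds the records into a toy passive DNS store that keeps only the records with first/last-seen timestamps (the client and server addresses are never passed in) and can be queried by name or by address range. All domain names, addresses and responses below are constructed test data; the helper names are my own.

```python
"""Added example, not from the post or the tools it mentions: minimal DNS
wire-format handling for an open-resolver check and a toy passive DNS store.
All names, addresses and responses are constructed test data."""
import ipaddress
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
A, NS, CNAME, PTR, AAAA = 1, 2, 5, 12, 28


def encode_name(name):
    """Wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=A, txid=0x1234):
    """Standard query with RD=1, i.e. we ask the server to recurse for us."""
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, 1)


def build_response(name, rrs, ra=True, rcode=0, txid=0x1234):
    """Constructed response for testing. rrs: [(rtype, ttl, rdata)]; every RR
    owner name is a compression pointer (0xC00C) back to the question name."""
    flags = 0x8100 | (0x0080 if ra else 0) | rcode          # QR=1, RD=1, RA?, RCODE
    msg = struct.pack("!HHHHHH", txid, flags, 1, len(rrs), 0, 0)
    msg += encode_name(name) + struct.pack("!HH", A, 1)
    for rtype, ttl, rdata in rrs:
        if rtype == A:
            wire = ipaddress.IPv4Address(rdata).packed
        elif rtype == AAAA:
            wire = ipaddress.IPv6Address(rdata).packed
        else:
            wire = encode_name(rdata)                          # NS/CNAME/PTR target
        msg += b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(wire)) + wire
    return msg


def read_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                                  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Header flags plus the decoded question and all resource records."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, rrs = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        questions.append((name, struct.unpack("!H", msg[off:off + 2])[0]))
        off += 4                                               # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _cls, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        raw = msg[off:off + rdlen]
        if rtype == A and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(raw))
        elif rtype == AAAA and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(raw))
        elif rtype in (NS, CNAME, PTR):
            rdata, _ = read_name(msg, off)
        else:
            rdata = raw.hex()
        off += rdlen
        rrs.append((name, rtype, ttl, rdata))
    return {"id": txid, "ra": bool(flags & 0x0080),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "questions": questions, "rrs": rrs}


def classify_resolver(msg):
    """Open-resolver heuristic for the reply to build_query() on a name the
    server is NOT authoritative for: RA set and the name resolved (NOERROR or
    NXDOMAIN) means it recursed for an arbitrary client."""
    r = parse_response(msg)
    if r["rcode"] == "REFUSED" or not r["ra"]:
        return "closed"
    if r["rcode"] in ("NOERROR", "NXDOMAIN"):
        return "open"
    return "inconclusive"                                      # e.g. SERVFAIL: retry


class PassiveDNS:
    """Toy passive DNS store keyed by (name, type, rdata) with first/last seen.
    Only the records go in; the observed packet's client and resolver
    addresses are never passed to ingest(), mirroring the privacy step."""

    def __init__(self):
        self.records = {}

    def ingest(self, msg, seen_at):
        """seen_at: any comparable timestamp (epoch seconds in the tests)."""
        for name, rtype, ttl, rdata in parse_response(msg)["rrs"]:
            key = (name.lower(), rtype, rdata)
            rec = self.records.setdefault(key, {"first_seen": seen_at, "last_seen": seen_at, "count": 0, "ttl": ttl})
            rec["first_seen"] = min(rec["first_seen"], seen_at)
            rec["last_seen"] = max(rec["last_seen"], seen_at)
            rec["count"] += 1
        return len(parse_response(msg)["rrs"])

    def history(self, name, rtype=A):
        """Every rdata ever seen for name/type as (first_seen, last_seen, rdata), oldest first."""
        return sorted((rec["first_seen"], rec["last_seen"], key[2])
                      for key, rec in self.records.items() if key[0] == name.lower() and key[1] == rtype)

    def names_in(self, cidr):
        """Names whose A/AAAA records pointed into the given address range."""
        net = ipaddress.ip_network(cidr)
        return sorted({key[0] for key in self.records
                       if key[1] in (A, AAAA) and ipaddress.ip_address(key[2]) in net})
```

The open-resolver verdict is only meaningful when the queried name lies outside the server's own zones; an authoritative server will answer NOERROR for its own domains regardless of the RA flag, and a SERVFAIL does not tell you anything either way, so it is reported as inconclusive rather than guessed.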