mon cirt khaltar

MONGOLIAN CIRT (CYBER INCIDENT RESPONSE TEAM) Khaltar Togtuun. (PhD, ass professor). Managing director of MonCIRT

Upload: khaltar-togtuun

Post on 19-Mar-2017


TRANSCRIPT

Page 1: Mon cirt khaltar

MONGOLIAN CIRT (CYBER INCIDENT RESPONSE TEAM)
Khaltar Togtuun (PhD, ass professor)
Managing director of MonCIRT

Page 2: Mon cirt khaltar

MONGOLIAN SITUATION
• Mongolian Internet infrastructure is a vulnerable target for attack
• In recent years the attack techniques have become sophisticated
• Rapid proliferation of viruses, Trojans and worms
• Terminals become the zombie computers of botnets
• Critical infrastructure can be affected by attacks on information infrastructure
• There were some incidents in the financial sector
• Some cyber crimes have been registered
• The information infrastructure and broadband are developing quickly
• Information security knowledge of Internet users is low

Page 3: Mon cirt khaltar

MONGOLIAN CIRT
• Mongolian Cyber Incident Response Team was established in 2007 for creating a national information security system, for enhancing cyber security and for providing support in the protection of critical infrastructure
• Reactive service started from the end of 2007
• Planning to start proactive and security quality services in 2008
• The purpose of MonCIRT is to become the nation’s most trusted referral agency of the Mongolian Community for responding to Computer Security and Cyber Security incidents as and when they occur
• In the future, to become a CERTs coordination center
• Will also assist organizations in implementing proactive measures to reduce the risks of cyber security incidents

Page 4: Mon cirt khaltar

MONCIRT MISSION
• To become the guarantor of information and communication technology development of the steppe country
• To enhance the security of Mongolia’s Communications and Information Infrastructure through proactive actions and effective collaboration
• To prevent and respond to incidents which take place in the Mongolian segment of the Internet

Page 5: Mon cirt khaltar

MONCIRT PROJECT
To create MonCIRT we developed a project in 2005. We consider that for successful implementation of the project, it is necessary to set the following goals.
• To determine the mission and function of the MONCERT, to develop the operation rules of the MONCERT
• To determine the structure and internal organization of the MONCERT, to select its staff members
• To train the selected staff members
• To collect and analyze data on cyber attacks, cyber damages, level of protection of users and ISPs, and on their information security knowledge
• To find patrons and sponsors
• To obtain the equipment, hardware and software
• To start the MONCERT operation
• To offer free service for users and ISPs, to carry out registration and keep statistics
• To establish hotline communication with other CERTs, APCERT and FIRST, to cooperate with them and to help each other

Page 6: Mon cirt khaltar

MONCIRT CREATING STAGES (PLANNED)
Step 1: Obtain government support and buy-in
Step 2: Determine the MonCIRT strategic plan
Step 3: Gather relevant information
Step 4: Design the MonCIRT vision
Step 5: Communicate the MonCIRT vision and operational plan
Step 6: Start MonCIRT operation
Step 7: Promotion of MonCIRT
Step 8: Evaluate MonCIRT effectiveness
Now we are in stage 7

Page 7: Mon cirt khaltar

ORGANIZATIONAL MODEL OF MONCIRT

Initially as a Security Team.
From 2009 will work as CERTs coordination center

Page 8: Mon cirt khaltar

Managing Board

Managing Director

Bookkeeper

Incident handler /group leader/

Manager Vulnerability handler /expert/

Technology Watchers -4

Malware expert

Botnet analyst

System administrator

Artifact and IDS analyst

Organizational structure of MonCIRT

Page 9: Mon cirt khaltar

CONSTITUENCY OF MONCIRT

[Map labels: ДАРХАН-УУЛ, БУЛГАН, SAINSHAND, CHOIR, УЛАНБАТОР, ДОРНОГОБИ, ХУБСУГУЛ, АРХАНГАЙ, УВС, БАЯН-УЛГИЙ, ХОВД, ЗАВХАН, ГОБИ-АЛТАЙ, БАЯНХОНГОР, УБУРХАНГАЙ, УМНУГОБИ, ДУНДГОБИ, ХЭНТИЙ, TOV, ДОРНОД, СУХЭБАТОР, СЭЛЭНГЭ]

• Serve all the society
• Best Effort service for users of ISPs

Page 10: Mon cirt khaltar

CURRENT ACTIVITY
• Incident coordination among organizations and aimaks (provinces) of Mongolia
• Distributing documents about security incidents and vulnerabilities
• Anti-spam, phishing, pharming, social engineering scams
• Guidance on building other teams in critical infrastructure organizations
• Research and development
• Creating a Honeynet
• Installing IDSs in main gateways
• Creating a single point of contact for reporting incidents
• Developing handbooks and guidelines in Mongolian

Page 11: Mon cirt khaltar

INCIDENTS CATEGORY HANDLED BY MONCIRT
• Worm, Trojan and viruses (286 times)
• System intrusion / compromise (2 times)
• DoS attack / abnormal (5 times)
• Port scan (63 times)
• Spam, phishing, pharming (184 times)
(from August till December 2007)

Page 12: Mon cirt khaltar

MONTHLY INCIDENT REPORT (DECEMBER. 2007)

[Chart: Incident Category]

[Chart: Port scan reports, by service: Web, rpc, sshd, dns, print, other; 65 times]

Page 13: Mon cirt khaltar

ONGOING PROJECTS
• IDS based on autonomous agents
• Cooperative incident handling system with Government Communication Department
• Incident handling and artifact handling handbooks in Mongolian
• Honeynet
• Incident database

Page 14: Mon cirt khaltar

WE NEED
• To share information and lessons learned with other CERTs
• Incident analysis and response experience
• Auditing and penetration testing experience
• Education and training, site visits
• Technical support in creation of a vulnerability database, Incident Tracking System, infrastructure building
• Forensics tools
• Experience in botnet analysis