The CIRCL is a CERT (Computer Emergency Response Team). It acts as a fire department for cyber security. Present at the International Cyber Security Forum in Lille, the CIRCL will present its collaborative platform for information exchange in cyber security MISP (Malware Information Sharing Platform) and the ENFORCE project for police use. Here’s excerpts from our conversation with Alexandre Dulaunoy, coordinator at the CIRCL and computer security researcher, who represents the CIRCL at the FIC.
by: Silicon Luxembourg
photo: CEIS
featured: CEIS training in the span of the European ENFORCE project
Listen to article (Part I)
What is the role of CIRCL?
It is a CERT that identifies and responds to computer incidents. CIRCL has been in existence for 8 years in Luxembourg. It is made up of 14 people within the GIE Grand-ducal SMILE. CIRCL has developed a collaborative free information exchange tool in Luxembourg called MISP (Open Source Threat Intelligence and Sharing Platform, formerly known as Malware Information Sharing Platform) to exchange information at a national and international level. Our organisation seeks to be pro-active, not just reactive in the fight against cybercrime and espionage.
How does MISP work?
The platform will allow any company, community or governmental organization (there are about 400 contributors) to freely share information related to an attack or attempt against it, which then shares it to all other affiliated users and organizations. It is an efficient automated system that saves time via a search tool. MISP is used by more than 6,000 organizations worldwide. For example, the CIRCL sharing community for the private sector counts more than 10,000 indicators per day: if shared quickly, it can be used to block the attack or notify users. On some cases, we work in partnership with companies that perform remediation, i.e. restore the integrity of compromised systems.
“We realized that police and enforcement services in Europe (especially in Luxembourg and France) were also using cyber security information sharing to communicate internally with their teams spread across the territory.”
Are you part of one or more cyber security networks? How do they operate?
Yes, we are part of several networks but mainly of three major international cyber security networks. FIRST.org, which regroups all the CERTs in the world, is the most significant. This network uses the MISP platform for its own operation. Trusted Introducer is its equivalent at a large European scale (from Brittany to Vladivostok).
The European CSIRT (European Computer Security Incident Response Teams) network is the official network of the member states of the European Union and its core mission is “to contribute to developing confidence and trust between the Member States and to promote swift and effective operational cooperation”. Finally, we are also members of the Luxembourg CERT network (CERT.lu) which brings together public and private structures in the Grand Duchy.
What do you expect from FIC (International Cybersecurity Forum) this year?
This is our fourth time taking part. We are integrated into the associative space of the show as our service is intergovernmental and serves the community. What interests us is to go and meet people who use MISP, especially in France, and to collect information on the use of the platform. There are French-speaking participants from Africa or Canada who come to the FIC and report their use cases, which is very interesting for us.
Our objective is that as many people as possible have the reflex to share their information on MISP because the more it is shared, the better we can fight against malevolence and cyber danger. As MISP is open source software, we don’t often have direct contact with its users. Usually we come back from trade shows with a lot of information that we can then analyse over several weeks to improve our software like MISP and promote information exchange.
Listen to article (Part II)
Tell us about the ENFORCE project?
It is a European project launched in the framework of DG Home (funding of projects for enforcement) that we also presented at the FIC. We realized that police and enforcement services in Europe (especially in Luxembourg and France) were also using cyber security information sharing to communicate internally with their teams spread across the territory. This is an important project because it represents a launch for our activities. We have therefore extended and adapted the use of the MISP platform for the police and defense sectors, including internal, military and general intelligence services. For instance, information can now be exchanged on passports for border controls, the search for specific individuals or the circulation of false documents. We also have a partnership with Europol regarding the use of MISP.
What are the most common types of computer attacks in Luxembourg? Who do they come from?
There are two types. The first: economic cybercrime, the aim of which is to generate wealth through economic fraud. This is the case, for example, of ransomwares, which are quite common in Luxembourg: the attacker will compromise an infrastructure by exploiting a human or machine flaw and try to encrypt the content of his site or network. He asks the company to pay a ransom to recover its readability. Sometimes the ransomware penetrates the entire infrastructure and the attacker can demand ransoms of up to a few hundred thousand euros.
Unfortunately, the development of encryption technologies, or the increase of Bitcoins, is helping attackers. Sextortion is also a form of economic blackmail: through spam (password leakage), an employee is made to believe that he or she is holding sexually compromising files for ransom. We know that there are people who pay for this because every year, out of millions of emails sent, criminals have earned between €700,000 and €800,000. The bomb threat is a variant. Cyber mafias that are mainly economically oriented are very often based in economically weak countries.
“We have been selected to be part of a promising project with a consortium of other CERTs in Europe to provide a collaborative toolkit to assist in incident response in addition to sharing information on MISP.”
What are the other types of attacks?
Generic, opportunistic or targeted phishing remains the most widespread: you receive an email with a link, you click on the link and the file is infected and generates fraud or data leaks. Other cyber criminals are interested in general and industrial espionage and sometimes act on behalf of organised or governmental associations. It is no secret that China or Russia support such actors. There may be a financial reason, but it may also be indirect, such as acting on calls for tenders.
Have cases of computer hacking or malware increased in recent years?
Yes and no. It is purely statistical: we are increasingly dependent on systems and services that use computer and digital technologies. So, statistically, we create the risk by increasing the attack surface. From the mobile phone to smart TV, everyone is connected and potentially vulnerable. Individuals and industries are globally the most affected sectors. Not all attacks are serious, but some can go up to a few hundred thousand euros.
What will you announce in 2020?
We have been selected to be part of a promising project with a consortium of other CERTs in Europe (Poland, Austria, Estonia and Luxembourg) to provide a collaborative toolkit to assist in incident response in addition to sharing information on MISP. The Commission officially announced this collaboration in a press release on 15 January. The aim is to have a European autonomy of tools at CERT level.
