AfricaCERT XV
The Road to Maturity





Tentative Program For AIS 2019

CSIRT BASICS
Sunday    09 June 2019
——————-
14:30    CSIRT BootCamp
16:30    Break
17:00    CSIRT BootCamp
18:30    Dinner
 
CSIRT Maturity workshop: Stimulating the development and maturity enhancement of CSIRTs.
 
Monday 10 June 2019
——————-
08:30    Start of programme
09:00    CSIRT Maturity : introduction
11:00    Break
11:30    CSIRT Maturity : organisational factors
13:30    Lunch
14:30    CSIRT Maturity : human factors
16:30    Break
17:00    CSIRT Maturity : tooling factors
18:30    Dinner
 
Tuesday 11 June 2019
——————–
08:30    Start of programme
09:00    CSIRT Maturity : process factors
11:00    Break
11:30    CSIRTs working together: nationally, regionally, worldwide
13:30    Lunch
 
Practical CSIRT Case Study: TunCERT
 
14:30    Opensource tooling
16:30    Break
17:00    Demo: Ransomware Analysis
18:30    Dinner
 

Wednesday 12 June 2019
——————–
Title: Incident response workshop by Estonian and French cyber security experts
 
Description – the workshop will focus on the operational, tactical, procedural, legal and communication aspects of incident response. The experts will deliver sessions covering the whole incident response lifecycle, from incident detection through the various escalation levels to the implementation of mitigation measures and post-incident activities. This includes incident response best practices, workflow, classification, SLAs and team composition/roles along with business impact. Special focus will be dedicated to internal and external incident communication. Issues pertinent to compliance and supervision, as well as risk management and their role in incident handling, will be covered.

Who should attend – technical personnel (system administrators, developers, engineers), incident responders, management level participants, people involved in communications/PR, law, compliance, business, risk management

 
08:30    Start of programme
09:00    Threat landscape, awareness and community building (RIA and ANSSI). 
11:00    Break
11:30    Establishing incident response (history and current practice from around the world)
13:30    Lunch
14:30    CSIRT organisation and legal framework: French and Estonian examples 
16:30    Break
17:00    Communication (internal, external, communication channels and methods) 
18:30    Dinner
 
Thursday 13 June 2019
——————–
 
08:30    Start of programme
09:00    Incident response taxonomies and escalation paths (Part 1)
11:00    Break
11:30    Incident response: examples from CERT-EE and ANSSI
13:30    Lunch
14:30    Exercises: validating your skills and procedures (RIA) 
16:30    Break
17:00    Supervision (RIA) 
18:30    Dinner
 
Friday    14 June 2019
——————–
 
08:30    Start of the Program
09:00    Presentations
11:00    Break
11:30    Team updates
13:30    Lunch
14:30    AfriNIC Whois for the Incident Responder
15:30    CyberHealth Ecosystem Analysis
16:30    Break
17:00    AfricaCERT Framework 
18:30    Dinner
 

Draft Program Description

CSIRT Creation and Management

The CSIRT Creation and Management training is organized by AfricaCERT using the FIRST course. It is an opportunity to enable the AfricaCERT Train the Trainer program using the FIRST course.

Pre-requisite

None

Requirements

Participants should bring their own laptop

Duration

1 Day.

Objectives

  • Exposes participants to methods for incident coordination with a focus on how to handle major security events and coordinate incident responses.
  • Discusses the purpose and structure of CSIRTs and a high-level overview of the key issues and decisions that must be addressed in establishing and maintaining a CSIRT. Other topics include a discussion of CSIRT services as well as key policies, procedures, methods, tools, and infrastructure components that are needed to effectively operate a CSIRT.
  • Walks participants through how CSIRT leaders and managers would set up and manage a newly created CSIRT. It covers both the external processes of meeting the needs of stakeholders and community and the internal processes of policies, configuration, and planning.
  • Topics include:
    • Define incident management and establish the need for an incident handling team
    • Step through potential CSIRT requirements and define how a CSIRT functions
    • Define the range, levels of services, and organizational components of a CSIRT
    • Set expectations for meeting the needs of constituencies and stakeholders
    • Define expectations for a newly created CSIRT and categorize roles and responsibilities
    • Set expectations for funding, staffing, and training
    • Clarify hardware and software requirements
    • Explain how to develop security configurations, including for physical security
    • Practice assessing needs for a CSIRT
    • Outline how to develop policies, procedures, processes, and workflows
    • Define methods for building disaster recovery and business continuity plans
    • Explain how to create policies for security configurations, including for physical security
    • Describe how to build relationships between a CSIRT and its constituency
    • Identify ways to work with the wider community, including vendors, law enforcement, press, and academia
    • Practice setting up a CSIRT to function optimally
    • Operational management issues.

Securing Webserver.

The workshop is based on the manipulation and configuration of open source software to secure the web server. The workshop is structured around tools, including:

  • Remove Unnecessary Services.
  • Enable automatic security updates
  • Tools that can be run on your server to dynamically block clients that repeatedly fail to authenticate correctly with your services
  • Hardening your webserver
  • Web application firewall (WAF)
  • MOD_EVASIVE: Apache module
  • Chrooting: an operation that changes the apparent root directory (i.e. /) for a running process and its child processes
  • SSL: generating, configuring and testing an SSL certificate

Participants will be equipped with, and walked through, methods to configure their own web server (VM), install the open-source software on it, and try to break into their own servers using a hacking tool (Kali).

Requirement:

  • Participants bring their own laptop
  • Tools to install and preparation will be provided to registered participants before the training
  • A session will take place on June 9th to help participants who have issues installing the tools prior to the training

Title: Incident response workshop (~2 days)

Content:

  • Addressing Operational Challenges.
  • Good Practices on CSIRT regulative frameworks
  • Cooperation with CII operators etc.
  • Working with Policy Makers

Description – the workshop will focus on the operational, tactical, procedural, legal and communication aspects of incident response. The experts will deliver sessions covering the whole incident response lifecycle, from incident detection through the various escalation levels to the implementation of mitigation measures and post-incident activities. This includes incident response best practices, workflow, classification, SLAs and team composition/roles along with business impact. Special focus will be dedicated to internal and external incident communication. Issues pertinent to compliance and supervision, as well as risk management and their role in incident handling, will be covered.

Who should attend – technical personnel (system administrators, developers, engineers), incident responders, management level participants, people involved in communications/PR, law, compliance, business, risk management

WEDNESDAY (12.06)

Morning session 1: Threat landscape, awareness and community building

Morning session 2: Establishing incident response (history and current practice from around the world)

Afternoon session 3: CSIRT organisation and legal framework

Afternoon session 4: Communication (internal, external, communication channels and methods)

THURSDAY (13.06)

Morning session 5: Incident response taxonomies and escalation paths

Morning session 6: Incident response: Cases.

Afternoon session 7: Exercises: validating your skills and procedures

Afternoon session 8: Supervision

Additional Topics

 

  • AfriNIC Whois Database use for Incident Responders

    Lead Trainer: AfriNIC

  • Resources for the CSIRT

    Lead Trainer: AfricaCERT

  • PGP Key Signing Party and Information Exchange

    Lead Trainer: AfricaCERT

GFCE Triple I Capacity Building Day | The Internet Infrastructure Security Day (more at: https://triple-i-workshop-ais2019.gfce-events.com/)

This will be a workshop in which participants from different stakeholder groups together:

  • learn more about Open Internet Standards such as DNSSEC, TLS, DANE, RPKI, ROA, DMARC, DKIM, SPF, and IPv6, in support of more trusted communications;

  • be inspired by Good Practice experience that helped improve reliability of the Internet and collaborative security. Good practice examples will be presented from the region, and from elsewhere that may be of interest in the region;

  • with a collaborative foundation, work to develop and commit to specific actions that will help improve the region’s Internet economy. For this we will work according to the Open Space methodology, which means that the participants set the agenda, together.

Participants are sought across regional Internet stakeholder groups, including government, business, education, and technical community. Collaborative security is how we build trust in the Internet’s infrastructure. You are invited to join this workshop in order to improve the trusted Internet experience in the region. You may also want to encourage the people you would need to work with to register for this workshop. Participation is upon confirmed registration only, and is limited in numbers.

The team of instructors is from:

AfricaCERT

CERT Estonia

French Cybersecurity Agency

JPCERT/CC – Japan Computer Emergency Response Team Coordination Centre

Team Cymru

TunCERT – Tunisian Computer Emergency Response Team

One Continent, One Vision, One Team United in Promoting Cybersecurity in Africa.