Project News

CSIRT training was conducted online by JPCERT Coordination Center (JPCERT/CC) for four days from June 15 to 18, 2021. From Viet Nam, 11 participants from the Authority of Information Security (AIS) of the Ministry of Information and Communications (MIC), 12 participants from other governmental agencies, and 6 participants from state-owned enterprises participated in the training.

* CSIRT (Computer Security Incident Response Team) is an organization that monitors organization's PCs, servers, and networks, especially on the Internet, for security problems (incidents). When incidents occur, it analyzes the causes and investigates the impact to solve problems and prevent recurrence. In addition to being set up within an organization to protect its information assets, CSIRTs are often set up in each country to protect the nation as a whole. In the case of Japan, the JPCERT Coordination Center (JPCERT/CC) and the National center of Incident readiness and Strategy for Cybersecurity (NISC) are national CSIRTs.

The training subjects are as follows:

1. CSIRTs and Advanced State Sponsored Attacks
2. Roles and responsibilities of JPCERT/CC
3. CSIRT Fundamentals
4. Incident Coordination
5. Regional and Global Coordination
6. TSUBAME
7. Security Incident Trends
8. Mejiro
9. Summary, Feedback, Course Certificate, and Way Forward

The following is a summary of each session and a report of the most memorable moments.

1. CSIRTs and Advanced State Sponsored Attacks

The trainer began his talk by explaining how the world's first CSIRT, CERT/CC in the US, was established. Initially, its role was to "put out fires when fires broke out," but in recent years, with the development of the Internet, its role has increased to include identifying attackers and monitoring networks. In some cases, nations are also expecting CSIRTs to censor social media and perform cyber-attacks against other countries.

The reason why JPCERT/CC provides training on CSIRT to Viet Nam is that both sides need to cooperate in order to protect cyberspace within each other's country. We also need to share information with each other in order to protect against attacks from the same country or organization.

The most important culture of CSIRTs is to help each other. The training itself, like this one, represents the culture of helping each other.

As cyber-attack technologies and the surrounding environment become more complex, international cooperation will become more difficult. In order to cooperate under such circumstances, the importance of knowing and understanding each other's organizations and people, as well as sharing technical information, was emphasized.

2. Roles and responsibilities of JPCERT/CC

An overview of the activities of JPCERT/CC was given. JPCERT/CC functions as the National CSIRT of Japan, sharing the responsibility with the National center of Incident readiness and Strategy for Cybersecurity (NISC).

AIS asked a question on how to receive threat information released by JPCERT/CC.

3. CSIRT Fundamentals

Using the teaching materials of FIRST (Forum of Incident Response and Security Teams), an international organization that CSIRT organizations in various countries are members of, the trainer explained the basics of CSIRT organizations, such as CSIRT overview, CSIRT business plan, CSIRT architecture, and necessary human resource capabilities. In particular, the trainer emphasized the importance of recognizing who CSIRT activities are useful for.

4. Incident Coordination

Using other materials provided by FIRST, the participants learned about types of security events, incident management, CSIRT organizational structure, and incident response process.

Since many newcomers from the VNCERT Coordination Center (VNCERT/CC), an internal organization of AIS, participated this time, we believe that they were able to learn the basics of being a CSIRT organizational member together with session 3.

In addition to session 3, there were questions about the cyber security systems of local governments in Viet Nam and Japan. It was shared with the Japanese side that there are many issues related to security, especially in local cities in Vietnam.

5. Regional and Global Coordination

This subject is an introduction to JPCERT/CC's activities in Japan and international collaboration.

JPCERT/CC is a member of the Board of Directors of FIRST, and also leads the activities of the Asia Pacific Computer Emergency Response Team (APCERT), a CSIRT organization in the Asia Pacific region, as its secretariat.

JPCERT/CC was also introduced as the secretariat of the Council of Anti-Phishing and the Nippon CSIRT Association to strengthen Japan's cyber security measures and CSIRT capabilities.

Although there are some voluntary information sharing schemes in Viet Nam, ISAC (Information Sharing Analysis Center) has not been established in each sector. It is hoped to be established in the future.

6. TSUBAME

JPCERT/CC has shared the results of its observation in Viet Nam in 2020 for the Internet Threat Monitoring System (TSUBAME) operated by JPCERT/CC.

The data is analyzed by JPCERT/CC and shared with the countries where the sensors have been installed. The data itself can also be obtained by the countries where the sensors are installed.

In the JPCERT/CC's report, the analysis of communication packets arriving at the open ports in Viet Nam pointed out the risk of network security vulnerabilities. JPCERT/CC suggested that the Vietnamese side should consider taking action.

The trainer also taught participants in detail the method of analyzing TSUBAME data conducted by JPCERT/CC. It is expected that AIS will proceed with the analysis using the methods learned in the future.

• TSUBAME website (external link)

7. Security Incident Trends

This session is a report on the threats that occurred frequently in Japan in 2020 and were addressed by JPCERT/CC. Vulnerability exploitation of Virtual Private Network (VPN), malware spreading attacks such as Emotet, and ransomware attacks were explained technically and the responses taken by JPCERT/CC were shared. Since similar attacks can occur in Viet Nam, there seemed to be a lot of useful information for the participants.

Questions were asked frankly about the issues faced by local cities and banks in Viet Nam, such as responses to email attacks and measures taken by users. JPCERT/CC also shared knowledge from Japan to the extent possible, and we hope that this information will be utilized to improve security measures by AIS.

8. Mejiro

The Internet Risk Visualization Service (Mejiro) operated by JPCERT/CC, was introduced and its usage was shared. Mejiro collects data on risk factors on the Internet, and calculates and visualizes indicators for each country and region.

The trainer pointed out the possibility of unnecessary ports being opened and the use of old versions of operating systems and protocols, which were found through the analysis of vulnerabilities in Viet Nam in 2020 using Mejiro. AIS and other organizations are required to investigate the situation of devices in the country and their vulnerabilities, and to strengthen their security measures. Not only AIS, but also security officers in each organization in Viet Nam are referring to publicly available threat information and taking security measures.

Specific questions about what Mejiro can do were raised by Vietnamese government organizations and local governments.

9. Summary, Feedback, Course Certificate, and Way Forward

In the final session, JICA expert encouraged the participants to review the contents of the four-day training and then to put the shared knowledge to practical use.

<Expectations for all participants>

• Utilize concrete measures and information sharing methods with related organizations in their work
• Confirm the mindset of a CSIRT member
• Confirm the missions and tasks of their own departments
• Promote cooperation in Viet Nam and overseas

<Expectations for AIS>

• Create a clear action plan for career development plan
• Promote the use of TSUBAME data

Afterwards, certificates and challenge coins were given to the participants. JPCERT/CC explained that the challenge coins were a sign that everyone had worked hard as a part of the same group, even if they were separated after participating in the same mission.

Lastly, a representative from VNCERT/CC expressed his gratitude that the training was able to be conducted online even under the difficult circumstances of COVID-19. He also emphasized that each individual is a warrior in cyberspace, and that security cannot be ensured alone, but only through cooperation, mutual help, and sharing.

It is hoped that this training will help the Vietnamese side to strengthen their security in concrete ways and further promote cooperation between Japan and Viet Nam.

JICA project will continue to support AIS to promote cooperation between the two sides.