Comply with CERT-In's new reporting requirements by cutting irrelevant alerts

TL;DR

  • The Indian Computer Emergency Response Team (CERT-In) issued sweeping new directions under sub-section (6) of section 70B of the Information Technology Act, 2000.
  • Mandates include reporting ANY cyber security incident to CERT-In, including targeted scanning of systems, within 6 hours of noticing the incident.
  • The enforcement deadline is 25-Sep-2022 and applies to virtually all organizations with operations in India.
  • GreyNoise helps customers comply with the targeted-scanning reporting requirement by letting them separate irrelevant "mass scanners" from targeted scanners.

Ready for updated security incident reporting requirements from CERT-In?

On 28-April-2022, in light of escalating cyber attacks in India, the Indian Computer Emergency Response Team (CERT-In) issued new directions under sub-section (6) of section 70B of the Information Technology Act, 2000. Among other expanded requirements, the new directions mandate reporting any cyber security incident, including targeted scanning of systems and data breaches, to CERT-In within 6 hours of noticing the incident. Prior to this change, CERT-In had allowed organizations to report incidents within “a reasonable time.”

The implications and sweeping nature of the changes caused quite a stir in the security community when they were first released, especially since organizations ranging from service providers, intermediaries, data centers, government entities, and corporations all the way down to small and medium businesses need to follow the CERT-In requirements.

The directions were to become effective 60 days from the date of issuance in April. However, after receiving a large volume of feedback from affected organizations, CERT-In extended the enforcement deadline to 25-Sep-2022. Despite the reprieve on the enforcement deadline, the responses in CERT-In’s standing FAQ indicate that the national agency is not inclined to adjust the main provisions it introduced.

GreyNoise helps customers identify and respond to opportunistic “scan-and-exploit” attacks in real time. In the case of CERT-In’s new reporting mandate, GreyNoise helps customers filter opportunistic mass-scanning activity out of their alerts, so they can focus on (and report) targeted scanning activity. GreyNoise’s guidance on how to automate the detection and reporting of targeted scanning/probing of critical networks and systems is below.

Section 70B directions scope

At a high level, the new CERT-In directions require organizations to: 

  1. Enable logging on all their Information and Communication Technologies (ICT) systems
  2. Retain logs for 180 days
  3. Synchronize time with the National Informatics Centre’s Network Time Protocol servers
  4. Designate a special point of contact for this activity and share their credentials with CERT-In
  5. Ensure that Virtual Private Server (VPS) providers, cloud service providers, and Virtual Private Network (VPN) service providers maintain accurate information, such as the name of the subscriber and IP address, for a minimum of five years
  6. Report to CERT-In within 6 hours of any “qualified cybersecurity incidents,” which are summarized in the following excerpt from the CERT-In Directions for Section 70B

CERT-In defines “Targeted scanning/probing of critical networks/systems” as:

The action of gathering information regarding critical computing systems and networks, thus, impacting the confidentiality of the systems. It is used by adversaries to identify available network hosts, services and applications, presence of security devices as well as known vulnerabilities to plan attack strategies.

Not all scans are created equal

These days, every machine connected to the internet is exposed to scans and attacks from hundreds of thousands of unique IP addresses per day. While some of this traffic is from malicious attackers driving automated, internet-wide exploit attacks, a large volume of it is benign activity from security researchers, common bots, and business services. And some of it is simply unknown. Taken together, this internet noise triggers potentially thousands of events requiring human analysis. Given the expansive wording and stringent timeline of the directions, it’s crucial to intelligently reduce the number of alerts that are in scope and quickly prioritize mass-exploit and targeted activity.

Automate reports of targeted scanning with GreyNoise

Using GreyNoise, you can effectively identify IP addresses that are connecting to your network and prioritize those that are specifically targeting your organization (versus non-targeted, opportunistic scanning that can be ignored).

In this representative scenario, we have configured our perimeter firewalls to send logs to Splunk.

Using the GreyNoise App for Splunk (which you can install from Splunkbase), you can configure the gnfilter command to query the IP addresses against the GreyNoise API and return only the events whose source IP GreyNoise has not observed.

Important note: GreyNoise data identifies IP addresses that “mass-scan” the internet, so if GreyNoise has NOT observed an IP address, that address is potentially conducting “targeted” scanning activity.

For better presentation, the results are deduplicated and stored as a table.

Within Splunk Enterprise, adjust the query to reflect events in the last 6 hours: 

Selecting Search runs the query, which enriches all the filtered IP addresses with GreyNoise data and returns only those IP addresses that have not been observed across our distributed sensor network.

In our case, the query returned seven IP addresses for which GreyNoise has not seen any activity.

Prioritize this filtered list for additional analysis to rule out targeted scanning on your infrastructure.

To automate this process going forward, save the query as an Alert. You can adjust the Cron Expression to set the query frequency; in this example, it is set to every 6 hours.

Before clicking Save, consider two other helpful actions for configuration: setting a destination email address for the alert, and then formatting the results as a CSV file.

With the alert configured, our query will run every 6 hours to ensure that any IP addresses that should be prioritized for analysis are packaged in a CSV format for review.
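The pipeline described above, reduced to its core logic as an added Python example (this is not GreyNoise's or Splunk's own code): keep only the last 6 hours of firewall events, drop sources GreyNoise has observed mass-scanning, deduplicate to one row per IP, and render the result as CSV. The log format, the sample events and the set standing in for the GreyNoise lookup are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample perimeter-firewall log lines (not real traffic).
FIREWALL_LOGS = """\
2022-09-25T10:05:12Z action=deny src=203.0.113.7 dst=198.51.100.10 dpt=22
2022-09-25T10:07:40Z action=deny src=203.0.113.7 dst=198.51.100.10 dpt=23
2022-09-25T11:15:03Z action=deny src=192.0.2.44 dst=198.51.100.12 dpt=445
2022-09-25T12:30:55Z action=deny src=192.0.2.44 dst=198.51.100.12 dpt=139
2022-09-25T12:31:02Z action=deny src=198.18.0.9 dst=198.51.100.10 dpt=3389
2022-09-25T01:00:00Z action=deny src=192.0.2.99 dst=198.51.100.12 dpt=80
"""
NOW = datetime(2022, 9, 25, 13, tzinfo=timezone.utc)  # constructed "now" for the sample

# Stand-in for the GreyNoise lookup (an assumption): IPs GreyNoise has observed
# mass-scanning the internet. In Splunk, gnfilter asks the GreyNoise API instead.
KNOWN_MASS_SCANNERS = {"203.0.113.7"}

def parse_line(line):
    """Split 'TIMESTAMP key=value ...' into a UTC datetime and a field dict."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc), fields

def unobserved_sources(logs, now, window=timedelta(hours=6), mass_scanners=KNOWN_MASS_SCANNERS):
    """One row per source IP seen in the last `window` that GreyNoise has NOT observed."""
    cutoff = now - window
    rows = {}
    for line in logs.strip().splitlines():
        when, f = parse_line(line)
        src = f.get("src")
        # Drop stale events and sources GreyNoise already classifies as mass scanners;
        # what remains is the candidate "targeted scanning" list to triage and report.
        if src is None or when < cutoff or src in mass_scanners:
            continue
        row = rows.setdefault(src, {"src": src, "first_seen": when, "last_seen": when,
                                    "events": 0, "ports": set()})
        row["first_seen"] = min(row["first_seen"], when)
        row["last_seen"] = max(row["last_seen"], when)
        row["events"] += 1
        row["ports"].add(f.get("dpt", "?"))
    return [rows[k] for k in sorted(rows)]

def to_csv(rows):
    """Render the deduplicated rows as the CSV the saved alert would email for review."""
    out = ["src,first_seen,last_seen,events,ports"]
    for r in rows:
        out.append(",".join([r["src"], r["first_seen"].isoformat(), r["last_seen"].isoformat(),
                             str(r["events"]), " ".join(sorted(r["ports"]))]))
    return "\n".join(out) + "\n"
```

Run `to_csv(unobserved_sources(FIREWALL_LOGS, NOW))` to get the two-row CSV; the known mass scanner and the event older than 6 hours are both dropped.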

Next steps

To learn more about how GreyNoise can help you comply with the updated reporting mandates from CERT-In, reach out to schedule a demo with one of our technical experts.