Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib Dr. Zahri Yunos
Presentation Outline
1. Our Service: CyberDEF (Cyber Defence)
2. Our R&D Product: CMERP (Coordinated Malware Eradication & Remediation Project)
R&D Papers
1. Our Service: CyberDEF
D = "detection of cyber threat"
E = "eradication of cyber threat"
F = "forensic analysis of cyber threat"
This stage is iterative: return to "D" or "E" to improve the technique further.
CyberDEF (cont…)
[Figure: CyberDEF compared with a typical CSIRT. A typical CSIRT covers Detection and Eradication only; CyberDEF wraps Detection and Eradication in an Intelligence layer and a Forensic layer.]
CyberDEF (cont…)
Detection: Identify any loopholes, vulnerabilities and existing threats.
  1. Sensors
  2. Sandbox
  3. Analytics
  4. Visualization
  5. Situational Awareness
Eradication: Close loopholes, patch vulnerabilities and neutralize existing threats. Perform cyber threat exercises or drills to test the feasibility and resiliency of the new defense / prevention system.
Forensics:
  1. E-Discovery
  2. Root cause analysis
  3. Investigation
  4. Forensics readiness
  5. Forensic compliance
CyberDEF (cont…) Why is CyberDEF unique?
3 Technical Departments: CyberDEF consists of 3 technical departments:
  1. Secure Technology Services Department (STS)
  2. Malaysia Computer Emergency Response Team (MyCERT)
  3. Digital Forensic Department (DF)
Centralized Governance: effective centralized governance, because all 3 departments are under the Cyber Security Responsive Services Division.
Forensic Element: a forensic element is incorporated in the services offered and in the intelligence.
CyberDEF Management Workflow (columns in the original table: MyCERT | STS | DF | Management)
Detection (response time = 0.5 hour)
  MyCERT: constant monitoring; detect threats
  STS: constant monitoring; detect threats
  Management: register case in OTRS
Verification (response time = 3 hours)
  MyCERT: analyze threats
  STS: identify device
  Management: inform Management; conduct debrief to team members; inform HoD of the suspected device's owner
Containment (response time = 1 hour)
  STS: verify threat with the actual device
  DF: preserve memory dump; collect device
Preservation (response time = 16 hours)
  DF: preserve device
Analysis (response time = 5 days)
  MyCERT: security analysis; produce security analysis report
  DF: evidence analysis; produce root cause analysis report
Eradication (response time = 1 hour)
  STS: eradicate the threats based on recommendations
  DF: recover device; return device
Reporting (response time = 1 hour)
  Management: report submission to Management
CyberDEF Management Workflow
CyberDEF Detection Framework and System
Case Study: Detection
The detection appliance detected the victim accessing the malicious website "sl-reverse.com" and downloading malicious executable files. The affected device was identified.
Case Study: Eradication
Eradicate the malware.
Case Study: Forensics Analysis
Extract metadata and registry information from the malicious file and conduct forensic analysis.
Findings
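The slide only names the forensics step (metadata extraction from the malicious file). As an added example, not code from the presentation or from CyberDEF, the block below shows the static triage an analyst runs first on a dropped Windows executable: file hashes, the compile timestamp and machine type from the COFF header, the section table, and three red flags (a compile time in the future, a section that is both writable and executable, and a section with no raw data but a large virtual size, which is what a packer leaves behind). The PE it parses is synthetic, built inline with struct so the example runs offline; the section names, flag values and timestamps are chosen for the demonstration. Registry extraction is not shown. Standard library only.

```python
"""Added example: static PE triage for the forensics step. Synthetic sample, no real malware."""
import hashlib
import struct
from datetime import datetime, timezone

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
MACHINES = {0x14C: "i386", 0x8664: "x86-64"}


def build_sample_pe(timestamp: int, sections) -> bytes:
    """Construct a minimal PE image: DOS header, COFF header, section headers.
    No optional header is emitted (SizeOfOptionalHeader = 0); enough for header triage."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)            # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), timestamp, 0, 0, 0, 0x0102)
    hdrs = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, 0x1000 * (i + 1),
                    rawsize, 0, 0, 0, 0, 0, flags)
        for i, (name, vsize, rawsize, flags) in enumerate(sections))
    return dos + coff + hdrs


def parse_pe(data: bytes) -> dict:
    """Parse the headers that matter for triage; raise ValueError on a non-PE blob."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    sec_off = e_lfanew + 24 + opt_size                           # 4 (sig) + 20 (COFF) + optional
    sections = []
    for i in range(nsec):
        name, vsize, _, rawsize, *_, flags = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": vsize, "raw_size": rawsize, "flags": flags})
    return {"machine": MACHINES.get(machine, hex(machine)), "compile_ts": ts,
            "compile_time": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "sections": sections}


def triage(data: bytes, now=None) -> dict:
    """Hashes plus red flags: forged (future) compile time, RWX section, packed section."""
    now = now or datetime.now(timezone.utc)
    info = parse_pe(data)
    findings = []
    if datetime.fromtimestamp(info["compile_ts"], timezone.utc) > now:
        findings.append("compile_time_in_future")
    for s in info["sections"]:
        if s["flags"] & IMAGE_SCN_MEM_WRITE and s["flags"] & IMAGE_SCN_MEM_EXECUTE:
            findings.append(f"rwx_section:{s['name']}")
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            findings.append(f"unpacks_at_runtime:{s['name']}")
    return {"md5": hashlib.md5(data).hexdigest(), "sha256": hashlib.sha256(data).hexdigest(),
            **info, "findings": findings}


# Constructed sample: a normal code section plus a packer-style RWX section with no raw data.
SAMPLE_PE = build_sample_pe(1524700800, [            # 2018-04-26T00:00:00Z (assumed)
    (b".text", 0x2000, 0x2000, 0x60000020),           # CODE | EXECUTE | READ: normal
    (b"UPX1", 0x8000, 0, 0xE0000040),                 # EXECUTE | READ | WRITE, zero raw size
])

if __name__ == "__main__":
    for k, v in triage(SAMPLE_PE).items():
        print(k, v)
```

The hashes are what you search in threat-intelligence feeds and sandbox databases; the section flags and the compile timestamp are cheap signals for deciding whether the sample goes straight to dynamic analysis. A real sample would be read from disk instead of built with build_sample_pe.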
2. Our R&D Product: CMERP
Project Background: Coordinated Malware Eradication & Remediation Project
Objective: To reduce the number of malware infections in Malaysia
Deliverables:
• Technical expertise in the areas of malware analysis, threat intelligence, detection and eradication
• A framework and platform for effective malware threat intelligence, and dashboard
• A comprehensive system to mitigate malware infection, and security data analytics
• Malware landscape report
FRAMEWORK
Collection: Detection, Normalization, Enrichment, Correlation
Analysis: Static, Dynamic, C2 Identification, Infected host identification
Sinkhole: Domain Sinkhole, IP Sinkhole
Wall Garden: Containment, Malware Removal / Eradication
Report: Statistic, Comparison, Trend
CMERP Main Components
1. CMERP Intelligent Detection System (CIDS): To detect the activity of known and unknown (signatureless) malware inside a network after a breach has occurred.
2. CMERP Coordinated Intelligence System (CCIS): Big data platform that coordinates malware detection, knowledge base and analysis in order to contain and mitigate malware infection through CSH and CWG.
3. CMERP Sinkhole (CSH): To prevent and redirect malicious network traffic inside the network based on intelligence information from CCIS. Through redirection, the system collects information on all infected hosts.
4. CMERP Walled Garden (CWG): To quarantine infected PCs from accessing the Internet, and malware infrastructure from communicating with the Command & Control (C2) or Drop Site server. Through the quarantine process, the infected PC is redirected to a captive portal with malware infection information and the Malware Removal Tool.
5. CMERP Removal Tool (CRT): Intelligent malware removal tool that takes Indicators of Compromise (IoC) as input. Its purpose is rapid malware removal and tool preparation.
CMERP Ecosystem
1. Monitoring: based on information from the sensor or security feeds.
2. Detection: in the event of malware attacks, user identities are identified based on information from the CMERP Platform.
3. Notification: users are notified that the PC/IP has been infected with malware; information is distributed via email notification / portal.
4. Quarantine: Walled Garden. Users are in quarantine and have limited Internet access.
5. Recovery: appropriate removal measures are given to ensure the PC/IP is free from infection.
6. Back to normal: the PC/IP was cleaned and regains access to the Internet as usual.
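The framework stages (Collection, Analysis, Sinkhole, Wall Garden, Report) and the six-step ecosystem above are described only as boxes. The block below is an added example, not CMERP code, that runs those stages as one pipeline over constructed DNS, proxy and connection sensor lines: it normalises and enriches the events, correlates them against an IoC set to find infected hosts, emits BIND response-policy-zone records for the domain sinkhole, builds the walled-garden quarantine table with the captive-portal redirect, releases a host only once the removal step has reported it clean, and produces the statistics for the report. The domain sl-reverse.com is taken from the CyberDEF case study; the second C2 domain, the C2 and sinkhole addresses, the portal URL, the internal address range and every log line are assumptions made up for this example.

```python
"""Added example (not CMERP code): Collection -> Analysis -> Sinkhole -> Walled Garden -> Report."""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Indicators of Compromise. sl-reverse.com is the domain from the CyberDEF case study;
# the second domain, the C2 IP, the sinkhole IP and the portal URL are assumed placeholders.
C2_DOMAINS = {"sl-reverse.com", "c2.example.net"}
C2_IPS = {"203.0.113.45"}                                 # RFC 5737 TEST-NET-3
SINKHOLE_IP = "192.0.2.10"                                # RFC 5737 TEST-NET-1
PORTAL_URL = "http://portal.example.internal/infected"    # hypothetical captive portal
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")         # assumed campus address space

# Constructed sample sensor lines: "<sensor> <timestamp> <src_ip> <detail ...>"
SAMPLE_LOGS = """\
dns   2018-04-26T09:12:01Z 10.1.2.3     query sl-reverse.com
dns   2018-04-26T09:12:05Z 10.1.2.3     query www.example.com
proxy 2018-04-26T09:12:07Z 10.1.2.3     GET http://sl-reverse.com/update.exe 200
dns   2018-04-26T09:13:44Z 10.1.9.8     query C2.Example.NET.
proxy 2018-04-26T09:15:00Z 10.1.2.4     GET http://www.example.org/ 200
conn  2018-04-26T09:16:30Z 10.1.7.7     tcp 203.0.113.45:443
dns   2018-04-26T09:20:00Z 10.1.2.3     query sl-reverse.com
conn  2018-04-26T09:21:00Z 198.51.100.9 tcp 203.0.113.45:443
"""


@dataclass(frozen=True)
class Event:
    sensor: str   # dns | proxy | conn
    ts: str
    src: str
    target: str   # normalised domain, or destination IP for conn events


def normalise_domain(name: str) -> str:
    """Normalisation: drop scheme, path and port, lower-case, strip the trailing dot."""
    if "://" in name:
        name = name.split("://", 1)[1]
    name = name.split("/", 1)[0].split(":", 1)[0]
    return name.lower().rstrip(".")


def collect(text: str) -> list[Event]:
    """Collection: parse sensor lines into normalised events. The enrichment step here is
    the internal-source check, so an external scanner hitting the same C2 is never quarantined."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        sensor, ts, src = parts[0], parts[1], parts[2]
        try:
            if ipaddress.ip_address(src) not in INTERNAL_NET:
                continue
        except ValueError:
            continue
        if sensor == "dns" and parts[3] == "query":
            target = normalise_domain(parts[4])
        elif sensor == "proxy":
            target = normalise_domain(parts[4])
        elif sensor == "conn":
            target = parts[4].split(":", 1)[0]
        else:
            continue
        events.append(Event(sensor, ts, src, target))
    return events


def analyse(events: list[Event]) -> dict[str, set[str]]:
    """Analysis: correlate events with the IoC sets; returns infected host -> indicators touched."""
    infected: dict[str, set[str]] = {}
    for ev in events:
        if ev.target in C2_DOMAINS or ev.target in C2_IPS:
            infected.setdefault(ev.src, set()).add(ev.target)
    return infected


def rpz_records(domains: set[str], sinkhole_ip: str = SINKHOLE_IP) -> list[str]:
    """Domain sinkhole: RPZ records answering each C2 name and its subdomains with the sinkhole."""
    names = sorted(domains)
    return [f"{d} IN A {sinkhole_ip}" for d in names] + [f"*.{d} IN A {sinkhole_ip}" for d in names]


def walled_garden(infected: dict[str, set[str]]) -> dict[str, dict]:
    """Walled Garden: a quarantined host may reach only the portal and the sinkhole (steps 3-4)."""
    return {host: {"allow": [PORTAL_URL, SINKHOLE_IP], "redirect_to": PORTAL_URL,
                   "reason": sorted(iocs)} for host, iocs in infected.items()}


def release(garden: dict[str, dict], host: str, verified_clean: bool) -> bool:
    """Recovery / back to normal: leave quarantine only once the removal tool confirmed it is clean."""
    if host in garden and verified_clean:
        del garden[host]
        return True
    return False


def report(infected: dict[str, set[str]]) -> dict:
    """Report: number of infected hosts and hosts per indicator."""
    hosts_per_ioc = Counter(ioc for iocs in infected.values() for ioc in iocs)
    return {"infected_hosts": len(infected), "hosts_per_indicator": dict(hosts_per_ioc)}


def run_pipeline(text: str = SAMPLE_LOGS) -> dict:
    events = collect(text)
    infected = analyse(events)
    return {"events": len(events), "infected": infected, "rpz": rpz_records(C2_DOMAINS),
            "garden": walled_garden(infected), "report": report(infected)}
```

In a deployment the RPZ records are loaded into the resolver's response-policy zone and the sinkhole listener logs every source address that connects to it, which is the "infected host information" CSH collects; the quarantine table maps onto the switch or firewall rules that enforce the walled garden, and a host stays in it until the removal tool reports success.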
CMERP Network Infrastructure
Pilot Implementation
Location: University Campus
Campaign Started: April 2018
Campaign Ended: May 2018
Malware Name: Carberp
Malware Severity: High
Malware Description: This family of Trojans can steal online banking credentials as well as usernames and passwords from applications. The malware also has the capability to download other malware and steal sensitive information by taking screenshots or recording keyboard strokes.
Carberp Reference: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Carberp
Pilot Outcome
[Chart: Carberp Malware Infection. Daily host count (0 to 14) of Infected vs. Cleaned hosts, 26-04-2018 to 15-05-2018.]
Campaign Management
• Identified IoC information through malware analysis
• Redirected all C2 communications through the Sinkhole process
• Infected hosts were quarantined during the Walled Garden process
Pilot Outcome
[Chart: Total Cleaned 79%, Total Not Cleaned 21%.]
Analysis of Result:
• Some Carberp malware variants target not only Microsoft Windows (PC) but also Android (mobile phone), which is outside the scope of this pilot project
• Lack of user awareness of the campaign, so those users were unable to clean the Carberp malware
Project Outcome
• Strengthen the CNII sectors against cyber threats through CMERP implementation
• Comprehensive system with threat intelligence capability
• Address sophisticated malware, including APT and unknown malware
• Contain malware infection through Walled Garden (notify & quarantine)
• Prevent data breach through Sinkhole
• Using 100% local expertise, in collaboration with IHLs, in developing the CMERP system
FUTURE WORKS
CMERP Walled Garden:
• More product support other than Cisco.
• 802.1x implementation for organization level.
• High bandwidth support (> 40Gbps).
CMERP Intelligence Detection System:
• Improve Sandbox detection.
• To support Sandbox Evasion malware.
• Agentless Sandbox – VM Introspection.
• Android & Mac Sandbox support.
CMERP Coordinated Intelligence System:
• Machine Learning / Artificial Intelligence.
• More event types supported, such as Netflow, Firewall, Honeypot, etc.
CMERP Sinkhole:
• More product support other than Cisco.
• OS fingerprinting.
• High performance sinkhole.
• Ability to sinkhole bad traffic only.
Overall:
• Endpoint Detection & Response.
• Improve system performance and stability.
Conclusion
1. Our strategy to cope with emerging new threats is to adopt a holistic approach: people, process and technology
2. We need to be prepared at all times by enhancing:
  a. Information sharing amongst relevant stakeholders
  b. Cyber incident response and coordination
  c. Collaborative & innovative research
  d. Capacity building and education
  e. Acculturation and outreach programs