CERTs and Digital Forensics: The Need for Security Collaborations - - PowerPoint PPT Presentation


SLIDE 1

CERTs and Digital Forensics: The Need for Security Collaborations Among Regions

Dr. Soranun Jiwasurat
Division Director, Office of Security, ETDA

SLIDE 2

ThaiCERT: A Quick Glance

  • A government funded unit, established in 2000
  • The first and only non-profit CSIRT (Computer Security Incident Response Team) in Thailand
  • Provides an incident response service to the Thai local constituency, and to other international entities where the sources of attacks originate within Thailand

SLIDE 3

ThaiCERT, Growth

[Chart: growth from 2000 to 2011, with values plotted for 2011, 2012 and 2013; series: No. of staffs, No. of certs. The individual values cannot be recovered from the extracted text.]
SLIDE 4

Operations

  • Incident coordination
  • Digital forensics
  • Security and Awareness training
  • Research and development
SLIDE 5

Technical Capabilities and Tools

  • Risk / vulnerability assessment
  • Malware analysis
  • Threat watch
  • Digital forensics examination
  • Log monitoring
  • And a bunch of open-source tools such as Xen, spam cleaner, Volatility, Splunk, etc.

SLIDE 6

Statistics

Incidents received from / sent by e-mail (Jan 2012 – May 2013)

[Chart: No. of reported incidents per month, Jan 2012 – Apr 2013, broken down by category: Abusive Content, Availability, Fraud, Information Gathering, Information Security, Intrusion Attempts, Intrusion, Malicious Code, Other]

SLIDE 7

Statistics

Incidents received from / sent by e-mail (by country) (Jan 2012 – May 2013)

[Chart: No. of reported incidents by country, broken down by category: Abusive Content, Availability, Fraud, Information Gathering, Information Security, Intrusion Attempts, Intrusion, Malicious Code, Other]

SLIDE 8

Statistics

Incidents received from threat watch system (Aug 2012 – May 2013)

[Chart: No. of unique IPs per category: DDoS, Brute Force, Phishing, Malware URL, Open Proxy, Server Scanning, Open DNS Resolver, Botnet, Spam]

SLIDE 9

What we have seen:

  • Most incidents were reported from foreign entities
  • Recent attacks were likely to originate from distributed sources
  • Many victims did not know what to do after an incident occurred
  • Existing communication channels lack some properties
    – e.g. e-mail is solid, but is not the best option when immediate action needs to be taken

SLIDE 10

Why collaboration is needed:

  • One incident, many relevant entities
    – Active collaboration is crucial
  • Some information needs to be properly exchanged with other entities to make it useful
    – e.g. information from a threat monitoring system should be exchanged in real time
  • No one knows everything
    – Need to share knowledge and experience in order to know the bad guys' tricks
  • Not only among infosec people, but also with end users
SLIDE 11

Collaborations

Incident information exchange and subscription:

[Diagram: a Threat Watch System at the centre; flows labelled "Raw incident reports" and "Incident alerts and reports"; subscribing parties: ISPs, system admins, website maintainers, …]
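The threat-watch feed on slide 8 (unique IPs per category) and the subscription model on this slide (alerts pushed to ISPs, system admins and website maintainers instead of waiting for an e-mail exchange) can be illustrated with a small feed processor. The code below is an added example, not ThaiCERT's or the presentation's own code; the observations, netblocks and subscriber addresses are constructed for the example, and the subscription table stands in for a hypothetical subscriber registry.

```python
"""Toy threat-watch feed processor (added example, not ThaiCERT code).

Takes raw threat-watch observations, counts unique IPs per category
(the view in the "Incidents received from threat watch system" chart)
and routes each observation to the subscriber responsible for the
netblock it falls in, so alerts can be pushed to the right party.
"""
import ipaddress
from collections import defaultdict

# Constructed sample observations: (category, source IP). Addresses come
# from documentation ranges and were chosen for the example only.
OBSERVATIONS = [
    ("Botnet", "203.0.113.10"),
    ("Botnet", "203.0.113.10"),       # same IP seen twice -> counted once
    ("Botnet", "203.0.113.11"),
    ("Brute Force", "203.0.113.25"),
    ("Open DNS Resolver", "198.51.100.7"),
    ("Phishing", "198.51.100.200"),
    ("Spam", "192.0.2.99"),
    ("Open Proxy", "192.0.2.99"),     # one host, two categories
]

# Constructed subscription table: netblock -> responsible party.
# A real deployment would fill this from the CERT's subscriber registry
# (hypothetical; the slides only name the party types).
SUBSCRIPTIONS = {
    ipaddress.ip_network("203.0.113.0/24"): "isp-a-abuse@example.net",
    ipaddress.ip_network("198.51.100.0/25"): "sysadmin-b@example.net",
    ipaddress.ip_network("198.51.100.128/25"): "webmaster-c@example.net",
}


def unique_ips_per_category(observations):
    """Return {category: number of distinct IPs}, like the slide-8 chart."""
    seen = defaultdict(set)
    for category, ip in observations:
        seen[category].add(ipaddress.ip_address(ip))
    return {cat: len(ips) for cat, ips in seen.items()}


def subscriber_for(ip, subscriptions=SUBSCRIPTIONS):
    """Longest-prefix match of ip against the subscription table.

    Returns None when nobody has subscribed for that netblock, which is
    the case the CERT has to handle by hand (e.g. via a whois lookup).
    """
    addr = ipaddress.ip_address(ip)
    matches = [net for net in subscriptions if addr in net]
    if not matches:
        return None
    return subscriptions[max(matches, key=lambda n: n.prefixlen)]


def route_alerts(observations, subscriptions=SUBSCRIPTIONS):
    """Group observations into one alert per subscriber.

    Returns ({subscriber: sorted list of (category, ip)}, unrouted list).
    Duplicates are collapsed so a subscriber gets each finding once.
    """
    routed = defaultdict(set)
    unrouted = set()
    for category, ip in observations:
        who = subscriber_for(ip, subscriptions)
        if who is None:
            unrouted.add((category, ip))
        else:
            routed[who].add((category, ip))
    return ({k: sorted(v) for k, v in routed.items()}, sorted(unrouted))


if __name__ == "__main__":
    for cat, n in sorted(unique_ips_per_category(OBSERVATIONS).items()):
        print(f"{cat:20s} {n} unique IP(s)")
    alerts, leftovers = route_alerts(OBSERVATIONS)
    for who, findings in alerts.items():
        print(f"alert -> {who}: {findings}")
    print("no subscriber:", leftovers)
```

The unrouted list is the interesting output for a CERT: every finding there belongs to a netblock with no subscriber, which is exactly where the slide's point about collaboration applies, since the only fallback is a manual contact through e-mail.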

SLIDE 12

Collaborations

Threat monitoring projects:

SLIDE 13

SLIDE 14

Collaborations

Drills, trainings and workshops:

SLIDE 15

Android Trojan targeting e-banking

  • Downloaded outside Google Play
  • Shown as a legitimate app
  • Requires a password (Pass: xxx, OTP: yyy)
  • Sends the user's info via SMS to the attacker

SLIDE 16

From Phishing ..

Servers located worldwide; hacked websites are used as phishing sites

SLIDE 17

to Watering Hole Attacks

Let’s go hunt!

SLIDE 18

Watering Hole Anatomy

Servers located worldwide

SLIDE 19

Alerts!!!

SLIDE 20

About Digital Forensics

  • Became one of the main operations since early 2012
  • Creating a collaboration network is one of our top priorities
    – Constantly participated in a number of seminars and trainings to make connections, share experience and develop skills
    – Work closely with and support LEA and the Ministry of Justice
  • Plan for establishing a full-scale digital forensics lab
    – Clean room (Disk Forensics)
    – Mobile Chip-off and Forensics
    – Computer Forensics

SLIDE 21

SLIDE 22