CERTs and Digital Forensics: The Need for Security Collaborations Among Regions Dr. Soranun Jiwasurat Division Director, Office of Security, ETDA 1
ThaiCERT: A Quick Glance • A government funded unit, established in 2000 • The first and only non-profit CSIRT (Computer Security Incident Response Team) in Thailand • Provide an incident response service to Thai local constituency, and to other international entities where the sources of attacks are originated within Thailand 2
ThaiCERT, Growth Year 2000 2011 21 17 12 12 5 2 2011 2012 2013 No. of staffs No. of certs 3
Operations • Incident coordination • Digital forensics • Security and Awareness training • Research and development 4
Technical Capabilities and Tools • Risk / vulnerability assessment • Malware analysis • Threat watch • Digital forensics examination • Log monitoring • And bunch of opensource tools like Xen, Spam cleaner, Volatility, splunk, etc. 5
Statistics Incidents received from / sent by e-mail (Jan 2012 – May 2013) Abusive Content 140 Availability No. of reported incidents 120 Fraud 100 Information Gathering 80 Information Security 60 Intrusion Attempts 40 Intrusion 20 Malicious Code Other 0 Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr 2012 2013 6
Statistics Incidents received from / sent by e-mail (by country) (Jan 2012 – May 2013) 450 Abusive Content 400 No. of reported incidents Availability 350 Fraud 300 Information Gathering 250 Information Security 200 Intrusion Attempts 150 Intrusion 100 Malicious Code 50 Other 0 7
Statistics Incidents received from threat watch system (Aug 2012 – May 2013) Spam Botnet Open DNS Resolver Scanning Open Proxy Server Malware URL Phishing Brute Force DDoS No. of unique IPs 8
What we have seen: • Most incidents were reported from foreign entities • Recent attacks were likely to be originated from distributed sources • Many victims did not know what to do after an incident occurred • Existing communication channel lacks some properties – e.g. e-mail is solid, but is not the best option when an immediate action is needed to be taken 9
Why collaboration is needed: • One incident, many relevant entities – Active collaboration is crucial • Some information needs to be properly exchanged with other entities to make it useful – e.g. information from a threat monitoring system should be exchanged in real-time • No one knows everything – Need sharing knowledge and experience in order to know the bad guys’ trick • Not only among infosec people, but also with end users 10
Collaborations Incident information exchange and subscription: Raw incident reports Threat Watch System Incident alerts and reports Website System … … ISPs admins maintainers 11
12 Threat monitoring projects: Collaborations
13
14 Drills, trainings and workshops: Collaborations
Android Trojan targeting e-banking Requires a password Shown as a legitimate app Sends user’s info via SMS to the attacker Downloaded Pass: xxx outside OTP: yyy Google Play 15
From Phishing .. Servers Hacked websites located are used as Worldwide phishing site 16
17 Let’s go hunt! to Watering Hole Attacks
18 Watering Hole Anatomy Worldwide Servers located
19 Alerts!!!
About Digital Forensics • Became one of the main operations since early 2012 • Creating a collaboration network is one of our top priorities – Constantly participated in a number of seminars and trainings to make connections, share experience and develop skills – Work closely and support LEA and Ministry of Justice • Plan for establishing a full-scale digital forensics lab – Clean room (Disk Forensics) – Mobile Chip-off and Forensics – Computer Forensics 20
21
22
Recommend
More recommend
