Current status of collaboration between India and Japan
Koji Nakao
KDDI, Information Security Fellow
1 3/21/2015
CONFIDENTIAL & PROPRIETARY: All materials contained in this document cannot be reproduced in whole or in part, distributed, published or shared with any other third parties (except to the extent necessary solely for the purpose of receiving legal, accounting or
activities toward the next GSFI meeting
“Big Data” Society and Cybersecurity
2
[Figure: increasing dependence of economic systems on IT. Collected and stored big data (static / dynamic): M2M (streaming data), open data, personal data, digitally stored knowledge; cyber space. Resulting risks: more severe risks, dissemination of risks, globalization of risks.]
Sophisticated Attacks to Sensitive Information
2
[Recent major cases]
- 2011.9~ [Mitsubishi Heavy Industries, Ltd. (MHI), House of Representatives (HR) etc.] Found virus infection by targeted attacks
- 2012.5 [Japan Nuclear Energy Safety Organization (JNES)] Found possibility of information leakage over previous months
- 2013.1 [Ministry of Agriculture, Forestry and Fisheries of Japan (MAFF)] Announced attack case on TPP-related information leakage
- 2013.4 [Japan Aerospace Exploration Agency (JAXA)] Found unauthorized access to servers from outside
- 2013 autumn [Government agencies etc.] Found zero-day attack* causing particular entities to be infected by web browsing
- 2014.1 [Japan Atomic Energy Agency (JAEA)] Found possibility of information leakage by virus infection
[Threats to government’s organizations found through monitoring by sensors, etc.**]
[Chart: values as extracted for FY 2011, FY 2012 and FY 2013: approx. 660,000, approx. 1,080,000, approx. 5,080,000; 139, 175, 209, 415, 381. Monitoring 24 hrs & 365 days (10 times in a min.)]
* Zero-day attack: an attack that misuses unpatched or undisclosed security holes in software.
** No. of abnormal accesses or communications among events detected by sensors installed in the ministries by the GSOC (Government Security Operation Coordination team) etc.
Attacks on Critical Infrastructures
3
[Area of the Critical infrastructure] (1) Information and Communications (2) Finance (3) Aviation (4) Railways (5) Electricity (6) Gas (7) Gov’t and (8) Medical Services (9) Water (10) Logistics (11) Chemistry (12) Credit Card (13) Petroleum****
[No. of attacks on critical infrastructures]
Reports* from critical infrastructure areas: FY 2012: 110 (76)**; FY 2013: 153 (133)**
Main details (FY 2013, 133 reports concerning cyber attacks): unauthorized access, DoS: 121; virus infection: 7; other intentional factors: 5
Messages*** about targeted attack e-mail, etc.: FY 2012: 246; FY 2013: 385
* Reports from the critical infrastructure operators to the NISC
** Reports concerning cyber attacks
*** Reports from the five industries (45 organizations), i.e. critical infrastructure equipment manufacture, power, gas, chemistry and petroleum, to the Information-Technology Promotion Agency (IPA), Japan
**** These three sectors were added to the third action plan on security measures for critical infrastructures decided by the Information Security Policy Council (ISPC) on 19th May 2014.
Widespread Scope of Targets
5
[Spread of smart phones etc.] Household ownership rate increased five times rapidly* (End of 2010: approx. 10% -> End of 2012: approx. 50%). Illicit sites targeted at mobile devices increased twenty times rapidly (End of 2011: approx. 3 thousand -> End of 2013: approx. 57 thousand).
[Penetration throughout all of society in Japan]
* 2013 White Paper – Information and Communications in Japan by the Ministry of Internal Affairs and Communications (MIC). Regarding the increase rate of illicit sites: research by Trend Micro Corp.
** Approaches for Vehicle Information Security (August 2013) by the Information-technology Promotion Agency (IPA), Japan
*** Handout at the 14th Study Group for Smart Meter Systems, by the Ministry of Economy, Trade and Industry (METI)
Attacks from a Variety of Entities in the World
6
[Attacks on Japan from Overseas] Geographical location of IP addresses used by malware (2013)*: 97% of malware tried to connect to IP addresses located overseas (chart: Overseas 97%, Japan 3%).
* Source: National Police Agency of Japan (Feb. 2014)
[Recent major cases]
- 2011.3 [Korea] DDoS attacks on 40 web servers of government agencies etc. → Attack commands issued using home PCs in Japan as bots
- 2013.3 [Korea] Large-scale cyber attacks on critical infrastructures → Same malicious program concurrently found in Japan
- (Reference) 2013.5 [US] The US government points out the possibility of the involvement of foreign governments or militaries in targeted attacks made to steal national or corporate secrets**
** Source: “The Administrative Strategy on Mitigating the Theft of U.S. Trade Secrets” (White House, February 2013) & “the Annual Report to Congress” (Department of Defense, May 2013)
Recent Efforts on Cybersecurity Strategy (Summary)
″Cybersecurity Strategy″ (June 2013)
[Figure: three goals of the strategy: ″Resilient″ Cyberspace (protection), ″Vigorous″ Cyberspace (fundamentals), ″World-leading″ Cyberspace (strategy); related measures listed below.]
- Organizational Reform
- Security Measures for the Central Government Computer Systems (May 2014)
- Critical Infrastructures (May 2014)
- Resource Development Program (May 2014)
- Research and Development Strategy (July 2014)
- Cybersecurity Cooperation – j-initiative for Cybersecurity (October 2013)
- Summit Meeting (held in December 2013)
- NISC (scheduled in FY2015)
- (July 2014)
Policy Agenda on Cybersecurity towards 2020
21
the multinational frameworks including the UN and OECD, and bilateral policy discussions, is required.
strengthening its security are the two wheels of a cart. In particular the security standards in a cloud computing environment should be urgently clarified.
need to be considered.
agencies.
to be enhanced.
strengthen information security of the Control System is necessary.
cybersecurity enhancement.
Based on NISC strategy…
MIC has started the following three cyber security projects.
MIC’s Ongoing Projects
[Threat: leaking of classified information caused by sophisticated cyber-attacks such as Advanced Persistent Threat (APT).]
CYDER (CYber Defense Exercise with Recurrence): understanding of the current status by analyzing APT, considering defensive models for APT and capacity building through practical defensive exercises participated in by the public and private sectors. Started in September 2013.
[Threat: malware infection of individual computers. Among individual Internet users, fraud such as unjust remittance of funds has appeared by way of malware infections through websites.]
ACTIVE (Advanced Cyber Threats response InitiatiVE): comprehensive countermeasures for malware infections such as prevention of access to malware propagation websites by collaborating with ISPs and so on. Started in November 2013.
[Threat: malicious attacks (e.g. DDoS) caused by malware. Malicious activities such as DDoS etc. which are caused by malware have been frequently
Japanese business.]
PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange): R&D and field trials for grasping symptoms of attacks and taking quick response to cyber-attacks by deep analysis, and constructing networks through international collaboration to exchange cyber-security
2011.
ACTIVE (Advanced Cyber Threats response InitiatiVE)
providing comprehensive countermeasures against malware by collaborating with ISPs, anti-virus vendors, and so on.
will alert Internet users who don’t recognize their malware infection.
(i) Approach for preventing malware infection: (1) Gathering information on malicious websites (listing information on malicious websites). (2) Alerting users when they are accessing malicious websites (“Alert! This website is malicious. Would you really like to access? Yes / No”). (3) Alerting the administrator of the malicious website.
(ii) Approach for malware extermination: (1) Identifying users’ PCs infected by malware (infection detected). (2) Sending an alert email to the users to make them aware of their current infected condition. (3) Exterminating the malware by complying with the instructions in the email.
CYDER (CYber Defense Exercise with Recurrence)
MOD, NISC, MOFA, MOJ), incorporated administrative agencies and private businesses (critical infrastructure sectors), etc. participated in groups of three or four people through ten CYDER sessions.
[Figure: exercise venue with a large-scale emulated LAN (Firewall, DNS, E-mail, Web, DMZ, LAN, File server, AP server, DB); participants; instructor and assistant; staff room with staff imitating the attacker (supporting the imitation attack), staff imitating the business operator, and staff supporting the exercise; secret DC.]
Features
enterprises to tackle Advanced Persistent Threat.
CYDER repeatedly.
CYDER: Analysis, Protection-Model and Exercise against Cyber-Attacks
In order to realize secure and trusted communication environments against new types of cyber-attacks, analysis
cyber-security exercise against new cyber-attacks should be conducted among public/private participants.
[Figure: three linked stages with feed-back between them.
Analysis of cyber-attacks: targeted e-mails, analysis of malware, specific behaviors; the results are utilized in the next stage.
Study of protection model: verifications of the protection model for SMEs, systems in the organizations, studies for methods against attacks; practice of the protection model, improving the model and methods; feed-back.
Operations of practical exercise: practical scenarios, attacker, LAN admin, test-bed for the exercise, collaborations, VPN, virus etc. via the Internet; security controls by ISPs; networks and systems are shared efficiently among SMEs.]
PRACTICE (Proactive Response Against Cyber-attacks Through International Collaborative Exchange)
As of Sep. 2014, 8 foreign countries have participated in the PRACTICE project. It is expected to cover more than 10 countries by the end of 2015. We have succeeded in finding some symptoms of cyber-attacks through R&D on analyzing cyber attacks such as DDoS. Symptoms will be utilized in the actions taken by ISPs for their early action (e.g. filtering / port blocking) and/or be connected with ISP readiness against cyber-attacks among international participants.
International Collaboration: NL, FR…, Indonesia, Thailand, Malaysia, The Philippines, Singapore, Maldives, India
Global Monitoring: Real-time capturing of attack traffic by using “darknet sensors” located in many foreign regions.
Analysis: Based on data-mining and correlation technologies, collected data/traffic are deeply analyzed.
Quick Response: Symptoms and new malware behavior will be an effective trigger of quick response.
15 3/21/2015
Joint Press Statement for The Second India - Japan Joint Working Group under India-Japan ICT Comprehensive Cooperation Framework, New Delhi, December 03, 2014
During the conference, Japan made a proposal for candidates of joint projects involving the said priority areas, and as a result of discussions, it was decided to work on the following five projects as India-Japan joint projects to be implemented.
1) Green ICT - Green Mobile Base Station project
2) Cyber Security Cooperation - Japan-India Combat Spam project
3) Cooperative project for detecting symptoms and quick response to cyber attacks (PRACTICE)
4) ICT for Disaster Management (ICT4DM) - ICT Use in disaster-affected areas project
5) ICT Application for Social and Economic Challenges - National ID Application and Utilization Platform project
MCIT, India and MIC, Japan will coordinate the activities for taking these projects forward by discussing with the industry from both sides.
India - Japan collaboration framework: High Level
[Figure: Japan side: Government (MIC) ・ICT Security Office; Advanced R&D; Field Trial (Telecom-ISAC Japan); Proactive Response Scheme against Cyber-attack with ISPs; Research Institutes. India side: Government (MCIT) ・ICERT; ISPAI (ISP group); NEC; University and Research institute; CERT. The PRACTICE Project links the two sides at government level, operational level and research level; standardization level: GISFI, TTC/??. Future work.]
17 3/21/2015
PRACTICE Collaboration with India
- Oct 3, 2013: Japan-India ICT Public-Private Partnership Dialogue
- Aug 22, 2014: Sensor implementation at NEC India (Chennai) and started cyber-attacks data sharing
- Agreement between NEC and PRACTICE members (NDA)
- Sep 1, 2014: Brainstorming Workshop on 5G Standardization: WISDOM
- Mar 14, 2015: This meeting (second joint-workshop of GISFI & PRACTICE)
Project Overview
18
Building a cooperative structure between Japan and India for Detecting Symptoms and Quick Response to Cyber Attacks
responses by collection and analysis of attack information through international collaboration.
Current status (Overall project)
Singapore, Thailand, and US have participated in PRACTICE (except India).
Current status (Collaboration with India)
India (with Dr. Anand Prasad) and started data exchange on August 22, 2014.
meeting/discussion with them for further collaboration.
Global Monitoring: Real-time capturing of attack traffic by using “darknet sensors” located in many foreign regions.
Analysis: Based on data-mining and correlation technologies, collected data/traffic is deeply analyzed.
Quick Response: Symptoms and new malware behavior will be an effective trigger of quick response.
19 3/21/2015
PRACTICE: Research Level Collaboration
20 3/21/2015
Distribution of source host’s location monitored by a darknet sensor in India
21 3/21/2015
Comparison with Japanese sensor’s data (March 2015)
The distribution of source countries does not differ much between the two sensors. [Charts: Japan, India]
22 3/21/2015
Comparison with other sensors’ data (March 2015)
Several ports can be found. [Charts: India, Japan, all] 8807/tcp scans are carried out in order to search for web servers exposed to the “Apache Mod_SSL Apache-SSL” buffer overflow vulnerabilities. 9064/tcp scans are carried out in order to search for open proxies.
23 3/21/2015
Atlas: Real-time Cyber-attack Visualization by darknet monitoring
[Legend: TCP_SYN, TCP_SYN_ACK, UDP, ICMP]
2014, From India
25 3/21/2015
Daily darknet packet counts from the sensor in India, 2015/3/1 to 2015/3/12 (left: packet counts by protocol; right: 23/tcp packet counts for the same date):

date       tcp      udp    icmp    ALL      | date       23/tcp
2015/3/1   1184559  31229  20388   1236176  | 2015/3/1   568746
2015/3/2   1384364  48902  38996   1472262  | 2015/3/2   579010
2015/3/3   1645330  37853  139214  1822397  | 2015/3/3   675514
2015/3/4   2012464  44207  43659   2100330  | 2015/3/4   639833
2015/3/5   1433883  53881  37410   1525174  | 2015/3/5   568489
2015/3/6   1343279  47640  21416   1412335  | 2015/3/6   553285
2015/3/7   1407878  48282  28727   1484887  | 2015/3/7   554030
2015/3/8   1299106  55299  18279   1372684  | 2015/3/8   615964
2015/3/9   1470418  58662  38137   1567217  | 2015/3/9   619184
2015/3/10  1824699  52588  40667   1917954  | 2015/3/10  724630
2015/3/11  1269618  54259  40091   1363968  | 2015/3/11  391632
2015/3/12  1260787  56537  41082   1358406  | 2015/3/12  294473
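As an added example (not part of the original slides), the following Python reads the packet counts above, checks that the per-protocol counts sum to the ALL column, and flags days whose 23/tcp share of TCP packets deviates from the period median by more than 20%; the 20% threshold is an assumption chosen for this illustration.

```python
from statistics import median

# Packet counts as printed on the slide (sensor in India, March 2015):
# date, tcp, udp, icmp, ALL, and the 23/tcp packets for the same date.
TABLE = """\
2015/3/1  1184559 31229 20388  1236176 568746
2015/3/2  1384364 48902 38996  1472262 579010
2015/3/3  1645330 37853 139214 1822397 675514
2015/3/4  2012464 44207 43659  2100330 639833
2015/3/5  1433883 53881 37410  1525174 568489
2015/3/6  1343279 47640 21416  1412335 553285
2015/3/7  1407878 48282 28727  1484887 554030
2015/3/8  1299106 55299 18279  1372684 615964
2015/3/9  1470418 58662 38137  1567217 619184
2015/3/10 1824699 52588 40667  1917954 724630
2015/3/11 1269618 54259 40091  1363968 391632
2015/3/12 1260787 56537 41082  1358406 294473
"""

COLUMNS = ("date", "tcp", "udp", "icmp", "all", "telnet")


def parse_table(text=TABLE):
    """Turn the whitespace-separated rows into dicts with integer counts."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        rows.append(dict(zip(COLUMNS, [fields[0]] + [int(f) for f in fields[1:]])))
    return rows


def inconsistent_days(rows):
    """Dates whose tcp + udp + icmp does not equal the reported ALL column.
    A mismatch usually points at a sensor or export problem, not an attack."""
    return [r["date"] for r in rows
            if r["tcp"] + r["udp"] + r["icmp"] != r["all"]]


def telnet_share(rows):
    """Fraction of each day's TCP packets that were sent to port 23/tcp."""
    return {r["date"]: r["telnet"] / r["tcp"] for r in rows}


def anomalous_days(rows, rel_threshold=0.2):
    """Days whose 23/tcp share deviates from the period median by more than
    rel_threshold (relative). The threshold is an assumption for this
    example; a sudden shift in one port's share of darknet traffic is the
    kind of symptom the analysis stage is meant to surface for ISPs."""
    share = telnet_share(rows)
    med = median(share.values())
    return {d: round(s, 3) for d, s in share.items()
            if abs(s - med) / med > rel_threshold}


if __name__ == "__main__":
    rows = parse_table()
    print("inconsistent rows:", inconsistent_days(rows))
    for day, share in anomalous_days(rows).items():
        print(f"{day}: 23/tcp share {share:.1%} is off the period median")
```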
Introduction of a new function
Daedalus (Direct Alert Environment for Darknet And Livenet Unified Security)
Ikaros
Utilize the darknet monitoring results for securing the livenet.
System Overview
[Figure: nicter; legend: Darknet, Livenet]
Internal Darknet Alert (Local Scan)
Case 1
[Figure: nicter; legend: Darknet, Livenet, Infected Host]
External Darknet Alert (Global Scan)
Case 2
[Figure: nicter, darknet traffic; legend: Darknet, Livenet, Infected Host]
External Darknet Alert (Backscatter)
Case 3
[Figure: nicter, darknet traffic; legend: Darknet, Livenet, DDoS Victim]
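The three alert cases above, as an added example written for this page (not nicter's or DAEDALUS's own code): a classifier that maps packets seen by darknet sensors to the case they indicate for one organisation. The address plan, the flag-based backscatter rule and the alert threshold are constructed assumptions.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed address plan for one monitored organisation (assumption, not
# a real deployment). Livenet = addresses in use; internal darknet = the
# organisation's own unused addresses; external darknet = sensors elsewhere
# on the Internet that report back to the organisation.
LIVENET = [ipaddress.ip_network("203.0.113.0/25")]
INTERNAL_DARKNET = [ipaddress.ip_network("203.0.113.128/25")]
EXTERNAL_DARKNET = [ipaddress.ip_network("198.51.100.0/24")]

# Minimum number of distinct darknet destinations before a host is alerted;
# a single stray packet is not treated as a symptom (assumed threshold).
MIN_DISTINCT_DST = 3

CASE1 = "internal darknet alert (local scan)"
CASE2 = "external darknet alert (global scan)"
CASE3 = "external darknet alert (backscatter)"


@dataclass(frozen=True)
class DarknetPacket:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    tcp_flags: str = ""  # "S" (SYN), "SA" (SYN-ACK), "RA" (RST-ACK), ...


def in_any(addr, nets):
    return any(addr in net for net in nets)


def classify(pkt):
    """Map one darknet packet to a DAEDALUS case, or None when the source
    is not a host in this organisation's livenet."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if not in_any(src, LIVENET):
        return None
    if in_any(dst, INTERNAL_DARKNET):
        return CASE1          # our host probing our own unused addresses
    if in_any(dst, EXTERNAL_DARKNET):
        # A victim of a spoofed-source SYN flood answers SYN-ACK (or RST) to
        # addresses nobody uses; darknet sensors see that as backscatter.
        if pkt.proto == "tcp" and pkt.tcp_flags in ("SA", "R", "RA"):
            return CASE3
        return CASE2          # our host scanning the wider Internet
    return None


def raise_alerts(packets):
    """Return {livenet_host: {case: distinct darknet destinations}} for hosts
    that touched at least MIN_DISTINCT_DST darknet addresses in one case."""
    seen = defaultdict(lambda: defaultdict(set))
    for pkt in packets:
        case = classify(pkt)
        if case is not None:
            seen[pkt.src][case].add(pkt.dst)
    alerts = {}
    for host, cases in seen.items():
        hits = {c: len(d) for c, d in cases.items() if len(d) >= MIN_DISTINCT_DST}
        if hits:
            alerts[host] = hits
    return alerts


# Constructed sample: one local scanner, one global scanner, one DDoS victim,
# one stray packet below the threshold and one packet from a foreign source.
SAMPLE = (
    [DarknetPacket("203.0.113.10", f"203.0.113.{130 + i}", "tcp", "S") for i in range(3)]
    + [DarknetPacket("203.0.113.20", f"198.51.100.{5 + i}", "tcp", "S") for i in range(4)]
    + [DarknetPacket("203.0.113.80", f"198.51.100.{50 + i}", "tcp", "SA") for i in range(3)]
    + [DarknetPacket("203.0.113.10", "198.51.100.9", "tcp", "S"),
       DarknetPacket("192.0.2.1", "198.51.100.9", "tcp", "S")]
)

if __name__ == "__main__":
    for host, cases in raise_alerts(SAMPLE).items():
        for case, n in cases.items():
            print(f"{host}: {case}, {n} distinct darknet destinations")
```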
DAEDALUS