Cyber Threats Incident Response Model for CNII Organizations - PowerPoint PPT Presentation



SLIDE 1

Cyber Threats Incident Response Model for CNII Organizations

  • Dr. Aswami Ariffin

Megat Mutalib

  • Dr. Zahri Yunos
SLIDE 2

Presentation Outline

  • 1. Our Service: CyberDEF (Cyber Defence)
  • 2. Our R&D Product: CMERP (Coordinated Malware Eradication & Remediation Project)

SLIDE 3

R&D Papers

SLIDE 4
  • 1. Our Service: CyberDEF

  • D: “detection of cyber threat”
  • E: “eradication of cyber threat”
  • F: “forensic analysis of cyber threat”

This stage is iterative: return to “D” or “E” to improve the technique further.

SLIDE 5

CyberDEF (cont…)

[Diagram: a typical CSIRT covers Detection and Eradication; CyberDEF adds a Forensic element and Intelligence to those same two stages]

SLIDE 6

CyberDEF (cont…)

Detection: identify any loopholes, vulnerabilities and existing threats

  • 1. Sensors
  • 2. Sandbox
  • 3. Analytics
  • 4. Visualization
  • 5. Situational Awareness

Eradication: close loopholes, patch vulnerabilities and neutralize existing threats. Perform a cyber threat exercise or drill to test the feasibility and resiliency of the new defense / prevention system.

Forensics:

  • 1. E-Discovery
  • 2. Root cause analysis
  • 3. Investigation
  • 4. Forensics readiness
  • 5. Forensic compliance

SLIDE 7

CyberDEF (cont…)

Why is CyberDEF unique?

It consists of 3 technical departments:

  • 1. Secure Technology Services Department (STS)
  • 2. Malaysia Computer Emergency Response Team (MyCERT)
  • 3. Digital Forensic Department (DF)

Effective centralized governance, because all 3 departments are under the Cyber Security Responsive Services Division. The forensic element and intelligence are incorporated in the services offered.

[Diagram labels: Governance Element; 3 Technical Departments; Centralized Forensic]

SLIDE 8

CyberDEF Management Workflow

[Swimlane diagram with lanes MyCERT, STS, DF and Management]

Activities shown in the diagram: register case in OTRS; detect threats; constant monitoring; identify device; preserve memory dump; verify threat with actual device; inform HoD of suspected device’s owner; analyze threats; conduct debrief to team members; collect device; inform Management.

Phases and response times:

  • Detection: response time = 0.5 hour
  • Verification: response time = 3 hours
  • Containment: response time = 1 hour

SLIDE 9

CyberDEF Management Workflow

[Swimlane diagram continued, lanes MyCERT, STS, DF and Management]

Activities shown in the diagram: preserve device; evidence analysis; security analysis; eradicate the threats based on recommendations; recover device; return device; produce root cause analysis report; produce security analysis report; report submission to Management.

Phases and response times:

  • Preservation: response time = 16 hours
  • Analysis: response time = 5 days
  • Eradication: response time = 1 hour
  • Reporting: response time = 1 hour

SLIDE 10

CyberDEF Management Workflow

SLIDE 11

CyberDEF Detection Framework and System

SLIDE 12

Case Study: Detection

The appliance detected the victim accessing a malicious website, “sl-reverse.com”, and downloading malicious executable files.

Affected device identified.

SLIDE 13

Case Study: Eradication

Eradicate the malware.

SLIDE 14

Case Study: Forensics Analysis

Extract metadata & registry info from the malicious file and conduct forensics analysis.

Findings

SLIDE 15

  • 2. Our R&D Product: CMERP (Coordinated Malware Eradication & Remediation Project)

PROJECT BACKGROUND

OBJECTIVE

To reduce the number of malware infections in Malaysia.

DELIVERABLES

  • A framework and platform for effective malware detection and eradication
  • A comprehensive system to mitigate malware infection
  • Technical expertise in the areas of malware analysis, threat intelligence, and security data analytics
  • Malware threat landscape report and dashboard

SLIDE 16

FRAMEWORK

Collection:

  • Detection
  • Normalization
  • Enrichment
  • Correlation

Analysis:

  • Static
  • Dynamic
  • C2 Identification

Sinkhole:

  • Domain Sinkhole
  • IP Sinkhole
  • Infected host identification

Walled Garden:

  • Containment
  • Malware Removal / Eradication

Report:

  • Statistic
  • Comparison
  • Trend

SLIDE 17
CMERP Main Components

  • 1. CMERP Intelligent Detection System (CIDS): detects the activity of known & unknown (signatureless) malware inside a network after a breach has occurred.
  • 2. CMERP Coordinated Intelligence System (CCIS): big data platform that coordinates malware detection, knowledge base and analysis in order to contain and mitigate malware infection through CSH and CWG.
  • 3. CMERP Sinkhole (CSH): prevents malicious network traffic inside the network infrastructure from communicating with the Command & Control (C2) or Drop Site server by redirecting it. Through redirection, the system collects all infected host information.
  • 4. CMERP Walled Garden (CWG): quarantines an infected PC from accessing the network / Internet based on intelligence information from CCIS. Through the quarantine process, the infected PC is redirected to a captive portal with malware infection information and the Malware Removal Tool.
  • 5. CMERP Removal Tool (CRT): intelligent malware removal tool that takes Indicators of Compromise (IoC) as input. Purpose: rapid malware removal tool preparation.

SLIDE 18

CMERP Ecosystem

  • 1. Monitoring: based on information from the sensor or security feeds
  • 2. Detection: in the event of malware attacks, user identities are identified based on information from the CMERP Platform
  • 3. Notification: users are notified that the PC/IP has been infected with malware; information is distributed via email notification / portal
  • 4. Quarantine: Walled Garden, users are in quarantine and have limited Internet access
  • 5. Recovery: appropriate removal measures are given to ensure the PC/IP is free from infection
  • 6. Back to normal: the PC/IP is cleaned and regains access to the Internet as usual
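The sinkhole, walled garden and report stages of the CMERP components and ecosystem steps above, as an added example written for this page (not CMERP's own code): it replays constructed DNS query lines through a sinkhole that answers IoC domains with an assumed sinkhole address, derives the infected host list, quarantines those hosts and releases only the ones that verify clean, then produces the infected/cleaned statistic of the pilot outcome. The C2 domains, IP addresses and log lines are constructed sample data.

```python
"""Model of the CMERP chain sinkhole (CSH) -> walled garden (CWG) -> report.
Added example, not CMERP code; every domain, IP and log line is constructed."""
import re
from collections import Counter

SINKHOLE_IP = "10.99.0.1"                                  # assumed address
C2_DOMAINS = {"c2-sample.invalid", "drop-sample.invalid"}  # constructed IoCs
LINE = re.compile(r"^(\S+) (\S+) query (\S+)$")            # time client qname
# Constructed resolver log; only the client IP and queried name are used.
DNS_LOG = """\
2018-04-02T09:01:11 192.0.2.10 query c2-sample.invalid
2018-04-02T09:01:12 192.0.2.10 query example.org
2018-04-02T09:03:40 192.0.2.22 query DROP-SAMPLE.invalid.
2018-04-02T10:15:05 192.0.2.10 query c2-sample.invalid
2018-04-02T11:00:00 192.0.2.31 query example.org
garbage line that must not crash the replay
"""

def sinkhole_answer(qname):
    """CSH: an IoC domain (case/trailing-dot insensitive) resolves to the sinkhole; others get None."""
    return SINKHOLE_IP if qname.lower().rstrip(".") in C2_DOMAINS else None

def infected_hosts(log):
    """Replay the log; a host answered with the sinkhole address is infected.
    Returns {client_ip: number_of_sinkholed_queries}."""
    hits = Counter()
    for line in log.splitlines():
        m = LINE.match(line)
        if m and sinkhole_answer(m.group(3)):   # unparsable lines are skipped
            hits[m.group(2)] += 1
    return dict(hits)

class WalledGarden:
    """CWG: quarantine infected hosts; release only after a clean check."""
    def __init__(self):
        self.quarantined, self.cleaned = set(), set()
    def quarantine(self, hosts):
        self.quarantined.update(hosts)
    def verify_clean(self, host, still_beaconing):
        """Recovery: a host still hitting the sinkhole stays quarantined."""
        if host in self.quarantined and not still_beaconing:
            self.quarantined.remove(host)
            self.cleaned.add(host)
        return host in self.cleaned
    def report(self):
        """Campaign statistic in the shape of the pilot outcome slide."""
        total = len(self.quarantined) + len(self.cleaned)
        pct = round(100 * len(self.cleaned) / total) if total else 0
        return {"infected": total, "cleaned": len(self.cleaned), "cleaned_pct": pct}
```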

SLIDE 19

CMERP Network Infrastructure

SLIDE 20

Pilot Implementation

Carberp reference: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Carberp

  • Location: University Campus
  • Campaign Started: April 2018
  • Campaign Ended: May 2018
  • Malware Name: Carberp
  • Malware Severity: High

Malware Description: This family of Trojans can steal online banking credentials as well as usernames and passwords from applications. The malware also has the capability to download other malware and steal sensitive information by taking screenshots or recording keyboard strokes.

SLIDE 21

Pilot Outcome

Campaign Management

  • Identified IOC information through malware analysis
  • Redirected all C2 communications through the Sinkhole process
  • Infected hosts were quarantined during the Walled Garden process

[Chart: Carberp Malware Infection, host count of Infected vs Cleaned hosts over the campaign dates]

SLIDE 22

Pilot Outcome

Analysis of Result:

  • Some Carberp malware variants target not only Microsoft Windows (PC) but also Android (mobile phone), which is outside the scope of this pilot project
  • Lack of user awareness of the campaign, thus unable to clean the Carberp malware

[Pie chart: 21% Total Not Cleaned, 79% Total Cleaned]

SLIDE 23

PROJECT OUTCOME

  • Strengthen the CNII sectors against cyber threats through CMERP implementation
  • Comprehensive system with threat intelligence capability
  • Address sophisticated malware including APT & unknown malware
  • Prevent data breach through Sinkhole
  • Contain malware infection through Walled Garden (notify & quarantine)
  • Using 100% local expertise in collaboration with IHLs in developing the CMERP system

SLIDE 24

FUTURE WORKS

CMERP Intelligence Detection System:

  • Improve Sandbox detection.
  • To support Sandbox Evasion malware.
  • Agentless Sandbox – VM Introspection.
  • High bandwidth support (> 40Gbps).
  • Android & Mac Sandbox support.

CMERP Sinkhole:

  • More product support other than Cisco.
  • OS fingerprinting.
  • High performance sinkhole.
  • Ability to sinkhole bad traffic only.

CMERP Walled Garden:

  • More product support other than Cisco.
  • 802.1x implementation for organization level.

CMERP Coordinated Intelligence System:

  • Machine Learning / Artificial Intelligence.
  • More event types supported such as Netflow, Firewall, Honeypot, etc.

Overall:

  • Endpoint Detection & Response.
  • Improve system performance and stability.

SLIDE 25

Conclusion

  • 1. Our strategy to cope with emerging new threats is by adopting a holistic approach – people, process and technology
  • 2. We need to be prepared at all times by enhancing:
    a. Information sharing amongst relevant stakeholders
    b. Cyber incident response and coordination
    c. Collaborative & innovative research
    d. Capacity building and education
    e. Acculturation and outreach program