cyber threats incident response model for cnii
play

Cyber Threats Incident Response Model for CNII Organizations Dr. - PowerPoint PPT Presentation

Jan 16, 2023 •338 likes •605 views

Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib Dr. Zahri Yunos Presentation Outline 1. Our Service: CyberDEF (Cyber Defence) 2. Our R&D Product: CMERP (Coordinated Malware Eradication &

  1. Cyber Threats Incident Response Model for CNII Organizations Dr. Aswami Ariffin Megat Mutalib Dr. Zahri Yunos

  2. Presentation Outline 1. Our Service: CyberDEF (Cyber Defence) 2. Our R&D Product: CMERP (Coordinated Malware Eradication & Remediation Project)

  3. R&D Papers

  4. 1. Our Service: CyberDEF D “detection of cyber threat” This stage is iterative, return to “D” or “E” E to improve the technique further “eradication of cyber threat” F “forensic analysis of cyber threat”

  5. CyberDEF (cont…) CyberDEF Typical CSIRT Intelligence F O R Detection E Eradication N S Detection I Eradication C

  6. CyberDEF (cont…) Detection Eradication Forensics Identify any loopholes, Close loopholes, patch 1. E-Discovery vulnerabilities and existing vulnerabilities and 2. Root cause analysis threats neutralize existing threats 3. Investigation Perform cyber threats 1. Sensors 4. Forensics readiness exercise or drill to test the 2. Sandbox feasibility and resiliency of 5. Forensic compliance the new defense / 3. Analytics prevention system 4. Visualization 5. Situational Awareness

  7. CyberDEF (cont…) Why CyberDEF is unique ? 3 C entralized F orensic Technical G overnance E lement Departments Consists of 3 technical Effective centralized Forensic element incorporated departments : governance because all of the 3 in the services offered and 1. Secure Technology Services departments are under the intelligence Department (STS) 2. Malaysia Computer Cyber Security Responsive Emergency Response Team Services Division (MyCERT) 3. Digital Forensic Department (DF)

  8. MYCERT STS DF Management Constant monitoring Constant monitoring Detection Detect threats Detect threats Response time = 0.5 hour Register case in OTRS CyberDEF Verification Analyze threats Identify device Management Response time = 3 hour Inform Management Conduct debrief to team members Workflow Inform HoD of suspected device’s owner Containment Verify threat with actual device Response time = 1 hour Preserve memory dump Collect device

  9. MYCERT STS DF Management Preservation Response time = Preserve device 16 hour Evidence analysis Security analysis Analysis Response time = Produce root cause analysis Produce security analysis 5 days report report CyberDEF Management Workflow Eradicate the threats based on recommendations Eradication Response time = Recover device 1 hour Return device Reporting Report submission to Response time = Management 1 hour

  10. CyberDEF Management Workflow

  11. CyberDEF Detection Framework and System

  12. Case Study: Detection Appliance detected the victim is accessing malicious website which is “sl-reverse.com” and download malicious executable files Affected device identified

  13. Case Study: Eradication Eradicate the malware

  14. Case Study: Forensics Analysis Extract metadata & registry info from malicious file and conduct forensics analysis Findings

  15. 2. Our R&D Product: CMERP PR PROJECT BA BACKGR GROUND ND Coordinated Malware Eradication & Remediation Project OBJECTIVE OB reduce the number of Ma To re Malware infection in Malaysia DELI DE LIVERA RABLE LES Technical expertise A framework and in the areas of Malware threat Ma platform for A comprehensive malware analysis, effective malware la landsca cape report system to mitigate threat intelligence, an and das ashboar ard detection and malware infection and security data eradication analytics 15

  16. FRAMEWORK Collection Analysis Sinkhole Wall Garden Report •Detection •Static •Domain •Containment •Statistic Sinkhole •Normalization •Dynamic •Malware •Comparison •IP Sinkhole Removal / •Enrichment •C2 Identification •Trend Eradication •Infected host •Correlation identification

  17. CMERP Main Components 1. CMERP 2. CMERP 4. CMERP Walled 5. CMERP Intelligent Coordinated 3. CMERP Sinkhole Garden Removal Tool Detection System Intelligence (CSH) (CWG) (CRT) (CIDS) System (CCIS) To detect the Intelligent malware Big data platform To prevent and To quarantine infected activity of known redirect malicious that coordinate PC from accessing the removal tool with network traffic inside network / Internet & unknown based on Indicator malware the network based on intelligence (signatureless) of Compromised detection, infrastructure from information from CCIS. malware inside a (IoC) as input. knowledge base communicating with Through quarantine network after a and analysis in Command & Control process, the infected breach has order to contain Purpose for rapid (C2) or Drop Site PC will be redirected occurred. server. Through malware removal and mitigate to a captive portal redirection, the tool preparation. malware infection with malware system collects all through CSH and infection information infected host CWG. and Malware Removal information. Tool.

  18. CMERP Ecosystem Based on information PC/IP was cleaned from the sensor or Monitoring and regained access to security feeds the internet as usual 1 2 6 Back to In the event of malware Detection normal attacks. User identities are identified based on information from CMERP Platform Appropriate removal measures will be given 3 5 to ensure PC/IP is free Notification Recovery Users will be notified from infection. that the PC/IP has 4 been infected with Malware and information are distributed via email Quarantine notification/portal WallGarden – Users are in quarantine and have limited Internet access

  19. CMERP Network Infrastructure

  20. Pilot Implementation Location : University Campus Campaign Started : April 2018 Campaign Ended : May 2018 Malware Name : Carberp Malware Severity : High Malware Description : This family of Trojans can steal online banking credentials as well as usernames and passwords from applications. The malware also has the capability to download other malware and steal sensitive information by taking screenshots or recording keyboard strokes. Carberp Reference: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/Carberp

  21. Pilot Outcome Carberp Malware Infection 14 12 10 8 Host Count Infected 6 Cleaned 4 2 0 8 8 8 8 8 8 8 8 8 8 8 8 8 8 8 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 - - - - - - - - - - - - - - - 4 4 4 4 4 5 5 5 5 5 5 5 5 5 5 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 -2 - - - - - - - - - - - - - - - 6 7 8 9 0 1 2 3 4 5 6 7 9 3 5 2 2 2 2 3 0 0 0 0 0 0 0 0 1 1 Campaign Management Identified IOC information through malware analysis • • Redirected all C2 communications through Sinkhole process • Infected hosts were quarantine during the Walled Garden process

  22. Pilot Outcome 21% Total Not Cleaned Total Cleaned 79% Analysis of Result: • Some of Carberp malware variants are not only targeting for Microsoft Windows (PC) but for Android (Mobile Phone); which is outside the scope of this pilot project • Lack of users awareness on the campaign, thus unable to clean the Carberp malware

  23. Project Outcome PR PROJECT OUTCOME Strengthen Comprehensive system Address sophisticated the CNII sectors against with threat intelligence malware including APT & cyber threats through capability unknown malware CMERP implementation Contain malware infection Using 100% local expertise Prevent data breach through Walled Garden in collaboration with IHLs in through Sinkhole (notify & quarantine) developing CMERP system

  24. FU FUTURE W WORKS CMERP Walled Garden : CMERP Intelligence Detection System : • More product support other than Cisco. • Improve Sandbox detection. • 802.1x implementation for organization • To support Sandbox Evasion malware. level. • Agentless Sandbox – VM Introspection. • High bandwidth support (> 40Gbps). • Android & Mac Sandbox support. CMERP Coordinated Intelligence System : • Machine Learning / Artificial Intelligence. • More event types supported such as Netflow, Firewall, Honeypot, etc. CMERP Sinkhole : • More product support other than Cisco. Overall : • OS fingerprinting. Endpoint Detection & Response. • • High performance sinkhole. • Improve System performance and • Ability to sinkhole bad traffic only. stability 24

  25. Conclusion 1. Our strategy to cope with emerging new threats is by adopting a holistic approach – people, process and technology 2. We need to be prepared all the times by enhancing: a. Information sharing amongst relevant stakeholders b. Cyber incidents response and coordination c. Collaborative & innovative research d. Capacity building and education e. Acculturation and outreach program

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response

GE Incident Response Insight Awareness Advantage Sean Mason Director, Incident Response Investing in new talent & capabilities Incident response Cyber intelligence Digital forensics Security architecture Identity management

609 views • 42 slides
Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017

Assessing Targeted Attacks in Incident Response Threat Correlation Jan 2017 www.lookingglasscyber.com PRESENTER: Allan Thomson, CTO Dr Jamison Day, Principal Data Scientist 2017 LookingGlass Cyber Solutions Inc. 1 What threats are

344 views • 21 slides
Canadian Cyber Incident Response Centre (CCIRC) UNCLASSIFIED Cyber in the News 1

Canadian Cyber Incident Response Centre (CCIRC) UNCLASSIFIED Cyber in the News 1

UNCLASSIFIED Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC) UNCLASSIFIED Cyber in the News 1 UNCLASSIFIED Tactics, Techniques and Procedures These observed tactics,

674 views • 25 slides
Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler

Vancouver 2010 Olympics Lessons Learned: Cyber Robert Pitcher, Cyber Incident Handler robert.pitcher@ps.gc.ca Public Safety Canada FIRST Conference 15 June 2011 Agenda Canadian Cyber Incident Response Centre Roles and Responsibilities

408 views • 21 slides
CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats

CYBER THREATS AND HOW TO A VOID THEM AGENDA 1. Development of the cyber world 2. Threats to small businesses 3. Cyber Recovery Insurance Y our presenters Anne Jackson Sarah Morton Gary Hibberd Sales Director, Lorega Sales and

342 views • 31 slides
Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline

Cyber Up! Digital Forensics & Incident Response Tobi West Principal Investigator Coastline College NSF Grant Award #1800999 Agenda Background on Coastline College Need for Incident Response Professionals Overview Advisory

571 views • 14 slides
2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response

2018 Data Security Incident Response Report Building Cyber Resilience: Compromise Response Intelligence in Action April 11, 2018 Contact Information Theodore J. Kobus, III Casie D. Collignon Leader, Privacy and Data Protection Practice

448 views • 23 slides
Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response &

Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Incident Response & Evidence Management Management Management Management CIPS Brandon Chapter November 28 2002 Dr. Marc Rogers PhD,

629 views • 27 slides
Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a

Cyber security technology consulting, incident response and applied research company with a focus on services for specialized public service providers, finance industry and corporations with high data sensitivity. NRDCS.L T TIMETABLE FOR

612 views • 12 slides
CYBER INCIDENT DETECTION AND RESPONSE DESK REFERENCE OVERVIEW Matt Masterson 1 February 4,

CYBER INCIDENT DETECTION AND RESPONSE DESK REFERENCE OVERVIEW Matt Masterson 1 February 4,

C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y CYBER INCIDENT DETECTION AND RESPONSE DESK REFERENCE OVERVIEW Matt Masterson 1 February 4, 2020 Cyber Incident Detection and Agenda 1

240 views • 9 slides
UTSA Community-Based Secure Information and Resource Sharing in AWS Public Cloud Cyber Incident

UTSA Community-Based Secure Information and Resource Sharing in AWS Public Cloud Cyber Incident

UTSA Community-Based Secure Information and Resource Sharing in AWS Public Cloud Cyber Incident Response A Model for Information and Resource Sharing Amy(Yun) Zhang, Farhan Patwa, Ravi Sandhu Institute for Cyber Security University of Texas

578 views • 19 slides
Process-based cyber incident response Mr Jorge Silveira Executive Director of Information

Process-based cyber incident response Mr Jorge Silveira Executive Director of Information

Code Yellow - Cybersecurity Process-based cyber incident response Mr Jorge Silveira Executive Director of Information Management & Chief Information Officer Northeast Health Wangaratta @HISA_HIC #HIC18 Introduction about

340 views • 18 slides
Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N ,

Cyber Threats P R E S E N T E D T O C A S R E I N S U R A N C E S E M I N A R B O S T O N , M A S S A C H U S E T T S J U N E 4 , 2 0 12 Antitrust Notice 2 The Casualty Actuarial Society is committed to adhering strictly to the

577 views • 26 slides
Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK

Cyber Security February - 2016 Agenda Overview of Cyber Crime The top cyber threats to UK businesses and how to remain safe What help is available Further reading Setting the scene 21.2bn The cost of fraud to the

304 views • 19 slides
Spatial Incident Response Data T echnical Interchange April 17, 2014 What We Do All emergencies

Spatial Incident Response Data T echnical Interchange April 17, 2014 What We Do All emergencies

Spatial Incident Response Data T echnical Interchange April 17, 2014 What We Do All emergencies are local where the role is to respond to observed impacts and identified threats with resources that protect people, property, and the environment

331 views • 16 slides
UTSA Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident

UTSA Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident

UTSA Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident Response Models for Information and Resource Sharing Amy(Yun) Zhang, Ravi Sandhu Institute for Cyber Security University of Texas at San

704 views • 42 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail:

Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail:

Geometry of null hypersurfaces Jacek Jezierski, Uniwersytet Warszawski e-mail: Jacek.Jezierski@fuw.edu.pl Jurekfest, Warszawa Abstract: We discuss geometry of null surfaces (and its possible applications to the horizons, null shells, near

566 views • 39 slides
BI NARY HEAPS Binary Trees in Contiguous Storage

BI NARY HEAPS Binary Trees in Contiguous Storage

BI NARY HEAPS Binary Trees in Contiguous Storage 1 array 2 3 4 5 6 7 9 10 8 11 15 12 13 14 23 16 18 21 22 25 26 27 30 17 19 20 24

697 views • 17 slides
Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

Ernesto U. Savona Direttore e Professore di Criminologia Universit Cattolica del S. Cuore

24 gennaio 2017 Modulo Jean Monnet III ed. Universit di Catania conferenza su Nuove Competenze per Nuove Sfide: politiche nazionali ed europee per la lotta alla Criminalit Organizzata MAFIE IN EUROPA E NON SOLO: LE INFILTRAZIONI DELLA

283 views • 27 slides
Hadrons in FGT: Measurement & Calibration of P , +/-

Hadrons in FGT: Measurement & Calibration of P , +/-

Hadrons in FGT: Measurement & Calibration of P , +/- , K+/- , K0 Xinchun Tian, Sanjib R. Mishra, Roberto Petti 01 ECAL High-Resolu,on

272 views • 26 slides
CSCE 496/896 Lecture 11: Structured Prediction and Structured Prediction and Probabilistic

CSCE 496/896 Lecture 11: Structured Prediction and Structured Prediction and Probabilistic

CSCE 496/896 Lecture 11: CSCE 496/896 Lecture 11: Structured Prediction and Structured Prediction and Probabilistic Probabilistic Graphical Models Graphical Models Stephen Scott and Vinod Variyam Introduction Stephen Scott and Vinod

853 views • 74 slides
Deformable Parts Model Rafi Witten, David Knight 4 April 2011 Overview 1. Labeled dataset

Deformable Parts Model Rafi Witten, David Knight 4 April 2011 Overview 1. Labeled dataset

Deformable Parts Model Rafi Witten, David Knight 4 April 2011 Overview 1. Labeled dataset (PASCAL) 2. Making image pyramids 3. Feature extraction (HoG) 4. Parts model 5. Generating random negative examples 6. Generating hard negatives

591 views • 47 slides
MORE ABOUT MENTHOL: R EGULATING A T OXIC F LAVOR 11/2/2018 THE PUBLIC HEALTH LAW CENTER

MORE ABOUT MENTHOL: R EGULATING A T OXIC F LAVOR 11/2/2018 THE PUBLIC HEALTH LAW CENTER

MORE ABOUT MENTHOL: R EGULATING A T OXIC F LAVOR 11/2/2018 THE PUBLIC HEALTH LAW CENTER 11/2/2018 2 LEGAL TECHNICAL ASSISTANCE Legal Research Policy Development, Implementation, Defense Publications Trainings Direct Representation Lobby

1.1k views • 88 slides

More recommend