Collaborative Information Sharing Model for Malware Threat Analysis

DrAA (Dr Aswami Ariffin), SVP & Digital Forensics Scientist
Cyber Security Responsive Services, CyberSecurity Malaysia
[email protected]

Copyright © 2016 CyberSecurity Malaysia
2017-08-08

Page 2: Agenda

1. Current problem
2. Malware Mitigation Working Group and CyberDEF Intelligent System – CDIS
3. Findings

Page 3: (figure only; no text recoverable)

Page 4: National Cyber Security Policy (NCSP)

Vision: “Malaysia’s CNII shall be secure, resilient and self-reliant. Infused with a culture of security it will promote stability, social well being and wealth creation.”

Critical National Information Infrastructure (CNII) sectors:

• Banking & Finance
• Energy
• Government Service
• Transportation
• Health Services
• Food & Agriculture
• Information & Communication
• Defense & Security
• Water
• Emergency Services

NCSP thrusts:

• Thrust 1: Effective Governance
• Thrust 2: Legislative & Regulatory Framework
• Thrust 3: Cyber Security Technology Framework
• Thrust 4: Culture of Security & Capacity Building
• Thrust 5: R&D Towards Self Reliance
• Thrust 6: Compliance & Enforcement
• Thrust 7: Cyber Security Emergency Readiness
• Thrust 8: International Cooperation

Page 5: Malware mitigation WG

Malaysia would like to initiate Honeynet / Lebahnet under the Malware Mitigation Working Group.

Page 6: The project

Malware Mitigation Project: a collaboration among APCERT/OIC-CERT/Partner members to share malware threats, analysis, response and mitigation against cyber attacks.

To conduct research in malware threat analysis with information sharing among participating members:

• Provide an overview of the cyber threat landscape and arrive at a workable solution through collaborative research to mitigate the cyber threats
• Share regular reports/data on malware attacks, focusing on impact analysis and remedial action

Page 7: Project plan

• Phase I: Data Collection / Repository
• Phase II: Data Analysis & Sharing
• Phase III: Malware Mitigation

Page 8: Commitment from participating members

• Location: determine the location to install/host the honeypot sensor
• Local technical: provide the local technical support
• Share report: share reports and findings related to the project

Page 9: LebahNet sensor (figure only)

Page 10: LebahNet process flow (figure only)

Page 11: Architecture and participation (diagram)

Diagram labels: APCERT/OIC-CERT member; Sensor Deployment; Regional Participant/Member.

Page 12: Data from LebahNet

Type of information that will be captured by LebahNet sensors:

• Malware
• Remote access login attempts (SSH, Telnet, etc.)
• Web application attacks (SQLi, RFI, LFI, etc.)

Important note: sensors will not capture sensitive information from the organization network (passive mode).

Page 13: LebahNet requirements

Monitoring:

• For monitoring threats from the public Internet, the sensor requires a public IP (or an address mapped from a public IP), with ANY incoming ports allowed through the firewall.
• For monitoring threats from the internal network (LAN / VLAN / secured segment), the sensor requires an internal IP in the segment being monitored, with ANY incoming ports allowed through the firewall.

Sensor:

• The sensor is prepared in two (2) forms, a physical box and a virtual machine. Participants can choose whichever form suits their environment.

User / participation:

• Participants have to allow information to be sent over a secured protocol (HTTPS, 443/TCP) across the Internet between the sensor and the MyCERT centralized server (api.honeynet.org.my).
• Users/participants will have access to their dedicated dashboard, which requires access credentials.
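As an added example (not part of the deck and not LebahNet's own code), the Python below sketches a sensor-side step for the three information types listed on page 12: it keeps only a minimal set of fields for each event before anything is sent over the HTTPS channel described above, drops events outside those three types, and counts the rest per month in the style of the deck's monthly statistic. The event schema, field names, category mapping and sample events are all assumptions, not the real LebahNet format.

```python
"""Normalise constructed honeypot events into the three information types the deck
lists and count them per month. Event schema and field names are assumptions."""
from collections import Counter
from datetime import datetime

# Labels named in the deck (SSH, Telnet, SQLi, RFI, LFI); the mapping is an assumption.
CATEGORY = {"ssh": "remote_login_attempt", "telnet": "remote_login_attempt",
            "sqli": "web_application_attack", "rfi": "web_application_attack",
            "lfi": "web_application_attack", "malware": "malware"}

# Data minimisation: only these fields leave the participant's network.
SHARED_FIELDS = {"ts", "sensor_id", "label", "src_ip", "sha256"}

# Constructed sample events (not real sensor data).
EVENTS = [
    {"ts": "2015-02-03T10:15:00Z", "sensor_id": "HP1", "label": "ssh", "src_ip": "198.51.100.7", "username": "root"},
    {"ts": "2015-02-14T22:01:09Z", "sensor_id": "HP1", "label": "sqli", "src_ip": "203.0.113.9", "http_path": "/login.php"},
    {"ts": "2015-03-02T04:44:31Z", "sensor_id": "HP2", "label": "malware", "src_ip": "192.0.2.55", "sha256": "0" * 64, "sample_bytes": b"MZ..."},
    {"ts": "2015-03-08T11:11:11Z", "sensor_id": "HP2", "label": "telnet", "src_ip": "198.51.100.7", "username": "admin"},
    {"ts": "2015-03-09T00:00:00Z", "sensor_id": "HPn", "label": "smb", "src_ip": "192.0.2.1"},  # outside the three categories
]

def normalise(event):
    """Shareable record for one event, or None when its label is outside the three categories."""
    category = CATEGORY.get(str(event.get("label", "")).lower())
    if category is None:
        return None
    record = {k: v for k, v in event.items() if k in SHARED_FIELDS}  # drops usernames, bodies, samples
    record["category"] = category
    return record

def monthly_summary(events):
    """Count shareable records per (month, category), like the deck's monthly statistic."""
    counts = Counter()
    for event in events:
        record = normalise(event)
        if record is None:
            continue
        month = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").strftime("%b-%y")
        counts[(month, record["category"])] += 1
    return counts

if __name__ == "__main__":
    for (month, category), n in sorted(monthly_summary(EVENTS).items()):
        print(f"{month} {category}: {n}")
```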

Page 14: User dashboard: LebahNet user interface

Participants view information according to the sensors they have deployed.

Page 15: Collaborative Model (diagram)

Diagram labels: APCERT; OIC-CERT; MyCERT CyberDEF (CMERP + ICE); C1 … Cn; HP1, HP2, … HPn.

Page 16: CyberDEF Intelligent System - CDIS (diagram)

Components, in the order they appear in the diagram text (the numbering of the diagram is not recoverable):

• SENSOR
• WEB BOTNET CRAWLER
• FEEDS
• SANDBOX, SINKHOLING, WALL GARDEN & TAKEDOWN
• IOC/REPORT
• DATA WAREHOUSE
• ANALYTICS
• VISUALISATION / PREDICTIVE / INTEL REPORT

Other labels: MANUAL/SEMI-AUTO; AUTOMATED; CMERP; ICE; Forensic Element.

Page 17: SOC operation V2.0 - SIC

Philosophy:

• Proactive
• Predictive

Components:

• Feeds and raw data: security feeds, Honeynet, Cyber999 incidents, international CERTs
• Threat Intel Repository: Trusted Automated eXchange of Indicator Information (TAXII)
• Data Analysis and Classification Process: predictive, signature
• Data Analyzing: SPLUNK
• Active Defense: firewall; IPS, IDS, WAF; spam filter
• Incident Response Escalation: ticketing system
• Digital Forensics: in-depth threat actor investigation

Page 18: Botnet infection heat map (figure only)

Page 19: Monthly statistic of malware infection (bar chart)

Chart: monthly infection counts for Feb-15, Mar-15 and Apr-15 (y-axis 0 to 140000), broken down by family: Conficker, B106-Jenxcus, B106-Bladabindi, B106-Malagent, B75-S1, B75-S2, B106-Vbinder, B75-S12, B106-Dimegup, B106-Tapazom, B58-DGA1, B58-CODE1, B106-Poison, zbot, B68-2-32, B68-DNS, B106-Dynamer. Annotation: Very high!

Page 20: Objective (figure only)

Page 21: Threat report (figure only)

Page 22: Advisories (figure only)

Page 23: Findings

• Such analysis and landscape reports provide early detection of malware, and the appropriate advisories allow organizations and government to react against malware threats, protecting critical national information infrastructure, intellectual property and the economy against the detrimental effects of malware intrusions and attacks.
• People: operational + research (training & experience)
• Process: coordination
• Technology: facilitation
• TRUST <- need to resolve this!
