Collaborative information sharing model for malware … · 2017-08-08
TRANSCRIPT
Copyright © 2016 CyberSecurity Malaysia
DrAA (Dr Aswami Ariffin), SVP & Digital Forensics Scientist
Cyber Security Responsive Services
CyberSecurity Malaysia
Collaborative Information Sharing Model for Malware Threat Analysis
Agenda
1. Current problem
2. Malware Mitigation Working Group and CyberDEF Intelligent System (CDIS)
3. Findings
National Cyber Security Policy (NCSP)
Vision: “Malaysia’s CNII shall be secure, resilient and self-reliant. Infused with a culture of security it will promote stability, social well being and wealth creation.”
Critical National Information Infrastructure (CNII) sectors: Banking & Finance; Energy; Government Service; Transportation; Health Services; Food & Agriculture; Information & Communication; Defense & Security; Water; Emergency Services
NCSP thrusts:
Thrust 1: Effective Governance
Thrust 2: Legislative & Regulatory Framework
Thrust 3: Cyber Security Technology Framework
Thrust 4: Culture of Security & Capacity Building
Thrust 5: R&D Towards Self Reliance
Thrust 6: Compliance & Enforcement
Thrust 7: Cyber Security Emergency Readiness
Thrust 8: International Cooperation
Malware mitigation WG
Malaysia would like to initiate a Honeynet / Lebahnet under the Malware Mitigation Working Group.
The project
Malware Mitigation Project: a collaboration within APCERT/OIC-CERT/Partners members to share malware threat, analysis, response and mitigation against cyber threat attacks.
To conduct research in malware threat analysis with information sharing among participating members:
• Provide an overview of the cyber threat landscape and arrive at a workable solution through collaborative research to mitigate the cyber threats
• Share regular reports/data on the malware attacks, focusing on impact analysis and remedial action
Project plan
• Phase I: Data Collection / Repository
• Phase II: Data Analysis & Sharing
• Phase III: Malware Mitigation
Commitment from participating members
• Location: determine the location to install/host the honeypot sensor
• Local technical: provide the local technical support
• Share report: share reports and findings related to the project
LebahNet sensor
LebahNet process flow
Architecture and participation
Sensor deployment at APCERT/OIC-CERT members and regional participants/members.
Data from LebahNet
Type of information that will be captured by LebahNet sensors:
• Malware
• Remote access login attempt (SSH, Telnet, etc.)
• Web application attack (SQLi, RFI, LFI, etc.)
Important note: Sensors will not capture sensitive information from the organization network (passive mode).
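As an added illustration (not LebahNet code; the event line format and the masking policy are assumptions), the Python below sorts constructed sensor events into the three categories the slide lists and builds a per-source summary that replaces RFC 1918 addresses with a tag before anything leaves the sensor, in the spirit of the passive-mode note:

```python
import ipaddress
import re
from collections import Counter

# Constructed sample events in an invented "<service> <src_ip> <detail>" format (not LebahNet output).
SAMPLE_EVENTS = [
    "ssh 203.0.113.10 login user=root pass=123456",
    "telnet 198.51.100.7 login user=admin pass=admin",
    "http 203.0.113.22 GET /index.php?id=1' OR '1'='1",
    "http 192.0.2.5 GET /page.php?file=../../../../etc/passwd",
    "http 192.0.2.9 GET /view.php?page=http://203.0.113.66/x.txt",
    "smb 203.0.113.40 upload sha256=CONSTRUCTED-HASH name=sample.exe",
    "ssh 10.0.0.5 login user=backup pass=backup",
]
# Patterns for the web-attack classes named on the slide (SQLi, RFI, LFI).
SQLI = re.compile(r"(?i)(%27|')\s*(or|and)\s|union\s+select|sleep\(")
RFI = re.compile(r"(?i)[?&]\w+=(https?|ftp)://")
LFI = re.compile(r"\.\./|/etc/passwd")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(event):
    """Map one event line to a category from the slide (or 'other')."""
    service, _src, detail = event.split(" ", 2)
    if service in ("ssh", "telnet") and "login" in detail:
        return "remote_access_login"
    if service == "http":
        if SQLI.search(detail):
            return "web_attack:sqli"
        if RFI.search(detail):  # RFI first: a remote URL need not contain '../'
            return "web_attack:rfi"
        if LFI.search(detail):
            return "web_attack:lfi"
        return "web_attack:other"
    if "sha256=" in detail:  # a captured sample, reported by hash only
        return "malware"
    return "other"


def mask_source(src):
    """Assumed sharing policy: internal (RFC 1918) sources leave as a tag, not an address."""
    addr = ipaddress.ip_address(src)
    return "internal" if any(addr in net for net in RFC1918) else src


def summarise(events):
    """Per-(category, source) counts, the shape a sensor could send to the central server."""
    counts = Counter()
    for event in events:
        src = event.split(" ", 2)[1]
        counts[(classify(event), mask_source(src))] += 1
    return counts
```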
LebahNet requirements
Monitoring: For monitoring threats from the public Internet, the sensor requires a public IP (or one mapped from a public IP) with ANY incoming port allowed through the firewall. For monitoring threats from the internal network (LAN / VLAN / secured segment), the sensor requires an internal IP in the segment being monitored, again with ANY incoming port allowed through the firewall.
Sensor: The sensor will be prepared in two (2) forms, a physical box and a virtual machine. Participants can choose whichever form suits their environment.
User / participation: Participants have to allow information to be sent over a secured protocol (HTTPS, 443/TCP) across the Internet between the sensor and the MyCERT centralized server (api.honeynet.org.my). Users/participants will have access to their own dedicated dashboard, which requires access credentials.
User dashboard: LebahNet user interface. Participants view information according to the sensors they have deployed.
Collaborative Model (diagram): APCERT and OIC-CERT members; MyCERT CyberDEF (CMERP + ICE); participating CERTs C1 … Cn; honeypots HP1, HP2 … HPn.
CyberDEF Intelligent System - CDIS (diagram)
Components shown: SENSOR; SANDBOX, SINKHOLING, WALL GARDEN & TAKEDOWN; IOC/REPORT; DATA WAREHOUSE; ANALYTICS; VISUALISATION / PREDICTIVE / INTEL REPORT; WEB BOTNET CRAWLER; FEEDS; CMERP; ICE; Forensic Element. Steps are marked MANUAL/SEMI-AUTO or AUTOMATED.
SOC operation V2.0 - SIC
Philosophy:
• Proactive
• Predictive
Feeds and raw data: Security Feeds, Honeynet, Cyber999 Incidents, International CERTs
Threat Intel Repository: Trusted Automated eXchange of Indicator Information (TAXII)
Data Analysis and Classification Process (data analyzing: SPLUNK); Predictive; Signature
Incident Response Escalation:
• Ticketing system
Digital Forensics: In-depth Threat Actor Investigation
Active Defense:
• Firewall
• IPS, IDS, WAF
• Spam Filter
Botnet infection heat map
Monthly statistic of malware infection (bar chart, Feb-15 to Apr-15; counts per month range into the tens of thousands, peaking above 120,000). Families shown: Conficker, B106-Jenxcus, B106-Bladabindi, B106-Malagent, B75-S1, B75-S2, B106-Vbinder, B75-S12, B106-Dimegup, B106-Tapazom, B58-DGA1, B58-CODE1, B106-Poison, zbot, B68-2-32, B68-DNS, B106-Dynamer.
Very high!
Objective
Threat report
Advisories
Findings
• Such analysis and landscape reports provide early detection of malware, and the corresponding advisories allow organizations and government to react to malware threats, protecting critical national information infrastructure, intellectual property and the economy against the detrimental effects of malware intrusions and attacks.
• People: operational + research (training & experience)
• Process: coordination
• Technology: facilitation
• TRUST <- need to resolve this!