national information & communication security taskforce...


Post on 04-Oct-2020


Page 1: National Information & Communication Security Taskforce ...cert-mu.govmu.org/English/Documents/tc/Taiwan Presentation.pdf · 1 2016 Taiwan National Computer Emergency Response Team

2016 Taiwan National Computer Emergency Response Team 1

National Information & Communication Security Taskforce, Executive Yuan, Taiwan R.O.C. Organization Chart

NICST Convener: Vice Premier

Deputy Convener: Minister Without Portfolio and one Specified Minister

Co-Deputy-Convener: Advisory Committee Member of National Security Council

Committee Members: Deputy Ministers of Ministries; Deputy Mayors of Municipalities; Deputy Minister of National Security Bureau; scholars and experts

Cyberspace Protecting System (Department of Cyber Security)
Cybercrime Investigation System (MOI / MOJ)

Standard and Norm Group (Department of Cyber Security)
Awareness and Training Group (MOE)
Government Cyber Security Protection Group (Department of Cyber Security)
Personal Information Protection and Legislation Group (MOJ)
Cybercrime Prevention Group (MOI / MOJ)
Cyber Environment and Internet Content Security Group (NCC)

Department of Cyber Security (Staff Unit)
Information Security Consulting Committee (Consulting Unit)
National Center for Cyber Security Technology (TWNCERT)

Cyber Security
Standard
Information Service
Cyber security Education
Competition and Industry
Communication
Telecommunication
Health and Medical
Financial Affairs
Transportation Business
Critical Industry
Control System
Science Park
National Standard

Critical Information Infrastructure Protection Management Group (Department of Cyber Security)
Industry Development Group (MOEA)

Critical Infrastructure Protection System (Office of Homeland Security)
Other Cyber Security-Related Systems (Competent Authorities)

E-government


Critical Infrastructure Sectors

Energy

Water Resources

Transportation

High-Tech Industrial Park

Banking & Finance

Communication & Broadcast

Emergency Services & Public Health Care

Government

Database

Data/Info

Network

Communication System

Middleware IT System/IDC

End Points


Cyber Security Measures of Government Sector

• Agency Business Continuity Drill
• Agency Cyber Drills (e.g. Social Engineering Drill)
• Annual Internal and 3rd Party Audit (including Cyber Health Check)
• Cyber Offensive and Defensive Exercise
• Cyber Governance and Defense Capability Indicator

Act / Plan / Do / Check

• NICST Committee Meeting
• NICST Working Group Meeting
• Cyber Security Technology Workshop
• CIO and CISO Meeting
• Quarterly Workshop for IT Personnel

• Baseline Security Measures of Agencies (ISMS/Dedicated Personnel/Defense-in-depth/24x7 Monitoring)
• Baseline Security Measures of IT Systems
• Personnel Competence and Certification
• Public Private Partnership (G-SOC Co-defense / G-ISAC)

• National Strategy for Cyber Security
• Cyber Security Policy Whitepaper
• Agency Responsibility Ranking
• IT System Classification


Framework of Government ISMS

Early Warning
• Honeypot R&D and Deployment
• Botnet Tracing
• GSN Backbone Intel. Gathering
• Domestic Intel Exchange
• International Intel Exchange
• Threat and Alert Light

Incident Response
• 2nd Tier G-SOC for Co-defense
• Incident Handling
• Alert Projects for National Celebrations
• Special Projects for Critical Incidents
• Digital Forensic Services

Mgmt Process
• Agency Responsibility Ranking
• IT System Risk Classification
• Annual Government IS Audit
• Security Governance Maturity and Defense Index

System Security
• National Software Asset Control Database
• IT System Defense Baseline
• Government Configuration Baseline
• Secure Software Development
• Penetration Testing
• Cyber Health Check
• Cyber Offensive and Defensive Exercise
• Government Mobile App Security Test

Awareness Training
• Training of IT/IS Officials
• Certification of IT/IS Officials
• IS Competence Training Certification/Accreditation Scheme
• Awareness Raising Workshop
• IS Legal Case Study Booklet

Detection Rules Alert Intelligences

Incident Tickets Security Logs

Security Appliances

SIEM Platform

Point of Contact CSIRT Team

IT Assets

ISMS

Government Officials

Incident Response Services

Incident Report

System Security Services

System Security Status

Customized Controls

Management and Audit Results

Training and Campaigns

Test and Accreditation

Situation Awareness 5 Perspectives / 30 Key Services 3,039 Agencies

G-ISAC


G-ISAC for Early Warning

Botnet

APT

Malware

SPAM

Threat Precursor Analysis

Threat Intelligence Generation

Information Sharing

Gov. Agencies: 3,039 Agencies

CIIP Authorities: Telecom (NCC) / Banking (FSC) Utilities & e-Commerce (MOEA)

Internet Service Provider: Gov. (GSN) / Academic (TANET) / All private ISPs

MSSP: Chunghwa Telecom / Acer TradeVAN / ISSDU…etc

International Cooperation: FIRST / APCERT / US-CERT CERT-EU…etc

HoneyBEAR

HoneyNET

Botnet Tracer

G-ISAC Government Information Sharing and Analysis Center

G-SOC

Indicators Of Compromise

Legend
HoneyBEAR: Behavior-based Email Anomaly Reconnaissance
NCC: National Communication Commission
FSC: Financial Supervisory Commission
MOEA: Ministry of Economic Affairs
GSN: Government Service Network
MSSP: Managed Security Service Provider
FIRST: Forum for Incident Response and Security Teams


G-ISAC Intelligence Sharing

G-ISAC

Private Sectors ISAC

Gov. Agencies

Law Enforcement

Gov. Service Network

Antivirus & Related Industry

MSSPs

Intelligence

Intelligence

TW Network Info. Center

Telecom ISAC (NCC-ISAC)

Academic ISAC (A-ISAC)

Financial ISAC (F-ISAC)

TACERT

TWAREN

ISPs

Insurance

Stocks Banks

CERT

E-Commerce CERT (EC-CERT)

TWCSIRT

TWCERT

●  G-ISAC covers the IPs of GSN, the Academic Network and 34 ISPs (Taiwan IP coverage > 99%)


Domestic Information Sharing Status

Type      2011     2012    2013     2014    2015  2016 (Q3)
ANA        720    1,432   1,646      756   1,222      1,410
EWA     17,327    6,455   3,710    3,865   4,782      2,410
INT     60,980  135,527  84,210  107,405  76,757     48,051
DEF         69      507     407      225     867        582
FBI        164      158     338      265     399        397
Total   79,260  144,079  90,311  112,516  84,027     52,850

From: 2011/1/1~2016/9/30

[Chart: ANA, EWA, INT, DEF, FBI and Total per year, 2011 to 2016 (Q3); vertical axis 0 to 160,000; the INT and Total values are labelled]


Collaboration of Members - Mobile Device Malware Sample Sharing

●  Criminal Investigating Bureau (CIB) established a mobile device malware sample sharing channel with SOC members via G-ISAC

1.  CIB collects suspicious fraud messages, URLs, and APKs from various sources

2.  TWNCERT receives the intel, extracts malicious APKs and shares them with SOC members

3.  SOC members feed back their APK analysis results

4.  TWNCERT integrates all results and shares them with all members

[Diagram: G-ISAC / TWNCERT workflow with numbered steps 1 to 4: Receive Intel Source; Share Intel with SOC Members; SOC Members Feedback Results; Integrate & Share the Final Results]


●  Build government-wide situation awareness of cyber security

●  Promote Public-private-partnership for better decision making

2nd Tier G-SOC for Co-Defense

External Threat

Existing Vulnerability

Regulation Compliance

Incident Handling

1st Tier MSSP

2nd Tier G-SOC

3rd Tier NICST

Actionable Intelligence

Government-Wide Situation Awareness

National-Level Decision Making Support

Co-defense Detection Rules

Trend Statistics Classification Data Modeling Prediction

Monitoring Data


Current Situation Review

● Public-private partnership is currently weighted more toward the public sector

● Only three ISACs have been established (G-ISAC, NCC-ISAC and A-ISAC); all operate and collaborate smoothly, but sector coverage is limited

● Moreover, there are very few sector-level CERTs, so incident handling is not performed very effectively

● There were no specific working groups for CI & CII sectors in the NICST organization until this year

● There are no comprehensive regulations for cyber security; most cyber security tasks were limited to government agencies


The Fifth National IC Security Development Plan

National Security Cyber Security Management

Industry Development

Technology R&D Talent Incubation

1.  Develop national cyber security risk assessment mechanism

2.  Establish national network and communication emergency recovery mechanism

3.  Build national network defensive and offensive capabilities

4.  Complete national cyber security policies, regulation & standards

5.  Enhance cyber security defense among gov. and CI & CII sectors

6.  More international collaborations

7.  Increase cyber crime prevention and case-solving effectiveness

8.  Promote related policies and development of cyber security industries

9.  Reduce cyber security risks for industry supply chains

10.  Combine and raise the values of academic and industrial cyber security R & D capabilities

11.  Develop a privacy protected digital identification framework

12.  Perfect the incubation and demand of cyber security professionals

13.  Promote cyber security awareness and child online protection


Complete Law and Regulation, Promote CIIP

ICT Security Management Act and Enforcement Rules

CIIP Steering Group

G-ISMS

CI Sector Specific Guidelines

Common Baseline Of CIIP

Power

Water

Transportation

High Tech Parks

Banking & Finance

Comm. & Broadcasting

Medical

CI Cyber Security Committees

Law Supervise

Help define

Provide References Provide references

Define

CI Cyber Security Promotion Mechanisms CI Sectors

Join

Execution

Government ISMS Framework

•  The CIIP Steering Group is formed by NICST and MOST

•  Each CI Cyber Security Committee is led by the competent authority of that CI sector


Conclusion

● Taiwan has set cybersecurity as a national policy priority since 2001; 8 sectors have been defined as CI, and the central government has led the way

● TWNCERT is a Government CERT, which has recognized the need for an integrated approach of government coordination, public-private partnerships and international cooperation to improve the cybersecurity environment

● To enhance the cyber resilience and preparedness of CII, a draft ICT security management act is under development and public consultation is also under way


Thank You
