RSA NETWITNESS SUITE CUSTOMER STORY: PROTECTING THAI GOVERNMENT WITH THAICERT GMS
Pornprom Prapakittikul, Director, Office of Information Security / ETDA / ThaiCERT

Real operation with real-world hacking

About me

Pornprom Prapakittikul
Director, Office of Information Security and CSOC manager at ThaiCERT
Email: [email protected], [email protected]
https://www.youtube.com/watch?v=rlCVwA2A5UA

• 6+ years of experience in the cyber security field, running a CSOC and the cyber security project called "ThaiCERT Government Monitoring System"
• Incident Handling
• Analysis
• Penetration Testing
• Digital Forensics
• Web Application Security and Secure Coding
• Information Security Management System
• Cybersecurity Training and Exercise
• etc. => e.g. System Development, System and Network Administration, Research and Development

Electronic Transaction Development Agency

ETDA is a public organization, established in 2011
• Promote and support Thailand's electronic transactions
• Provide an IT infrastructure which facilitates electronic transactions
• Help businesses regarding electronic transactions and create secure, safe and reliable IT standards and communication

ThaiCERT Mission Since 2011

• Incident Response
• Monitor and alert on computer security incidents
• Provide essential support and technical details
• Research and develop tools and security guidelines
• First team outside Europe to be TI (Trusted Introducer) accredited
• Threat monitoring
• Member of [logo] and [logo]
• Cooperate with Thai organizations and overseas
• Incident Monitoring 24x7

Among more than 300 CERTs, there are more than 50 national CERTs

A lot of Incidents in Thailand

Statistics on .th Web Attacks in 2016
(The original slide is a 100% stacked bar chart; the incident counts per second-level domain are:)

                  co.th  mi.th  ac.th  go.th  in.th  or.th
Web Defacement        2     54     16   1054     40      1
Phishing             29      0     16     16      1      5
Malware URL         305     11    306    171     67     30

Thai Web Defacement Statistics in 2016

Government websites were by far the largest target of defacements

Defacements by sector in 2016 (bar chart in the original):
Government   1,054
Academic        16
Other           97

OBSERVED TRENDS

• Many repeated incidents
• Back-ups are restored rather than underlying vulnerabilities patched
• Similar vulnerabilities throughout government IT
• Lack of capacity and capabilities
• Difficulty finding enough qualified staff (more than 250 agencies)
• Security often not recognized as crucial

-> Leverage scale: much more efficient to combine efforts into one solution

THAICERT GOVERNMENT MONITORING SYSTEM

ThaiCERT Government Monitoring System (GMS)

The slide diagram connects ETDA / ThaiCERT, the ThaiCERT Government Monitoring System (ThaiCERT GMS), the agencies that joined GMS and their end results. Services and elements shown:
• Monthly Report
• Log Monitoring
• Emergency Report
• IT assets
• Administrator
• DDoS Protection
• Web Application Firewall
• Incident Response & Alert
• DNS Record for websites
• Digital Forensics
• Web Available Check
• Vulnerability Assessment
• Cyber Drill

1. Monitor and analyze threats from inside agencies (GTM)
2. Protect against hacking and DDoS threats (GWP)

Monitor, analyze and coordinate with agencies 24 hours, 7 days

Roles in the ThaiCERT GMS

Process name                   ThaiCERT   Agencies
Monitor and identify incident  X          X (Optional)
Analyze incident               X          X (Optional)
Coordination                   X          X
Advisory                       X          X
Follow up and close incident   X          X
Monthly report                 X          -

Attack detection mechanism (Detection): Government Threat Monitoring (GTM) project, ThaiCERT GMS

1. Collect logs from the agency's perimeter (Internet Gateway)
2. Correlate with TI (Threat Intelligence) in the CyberSecurity Operation Center: Security Information and Event Management (SIEM) plus an Intelligence Engine fed with C&C intelligence
3. Send an alert to the agency including threat details and advisory

Case: Bookworm (Nov '15)
• Analyzed a suspect email
• Malicious code was attached to the email
• Correlated the information and found infections in more than 10 agencies
Alert ✓ Advise ✓

Government Website Protection (GWP)

1. Hackers/users access a website under our supervision
2. DDoS protection and WAF work by dropping and alerting on malicious traffic; the CyberSecurity Operation Center Intelligence Engine creates signatures and alerts the agency with a news bite

Case: New Joomla! 0-day announced to the public (Dec '15)
• More than 43 percent use vulnerable Joomla!
Create signature ✓ Alert with news bite ✓

Threat Analysis with Verification Step

Monitor -> Identify / Assess -> Alert / Coordinate -> Solve

Threat Intelligence (TI) in ThaiCERT GMS: incident correlation with threat intelligence

Monitor -> Identify / Assess -> Alert / Coordinate -> Solve

Botnet and Botnet...

100+ machines infected with a botnet, found by observing RDP scanning activity

ThaiCERT GMS Statistics (Web hacking)

Top 3 web hacking techniques (ThaiCERT analyzed attack data from the web access logs of more than 500 websites):
1. Brute force of the login page
2. SQL Injection
3. Regaining access through backdoors that were planted in the past
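All three techniques leave traces in ordinary web access logs. The script below is an added example, not ThaiCERT's or RSA NetWitness code: it parses constructed combined-format log lines and flags rapid POSTs to a login page (brute force), decoded requests carrying SQL-injection signatures, and requests to paths that earlier incidents identified as backdoors. The log lines, login paths, backdoor paths and thresholds are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed access-log lines in the common "combined" format; the IPs,
# paths and timestamps are made up for this example (not ThaiCERT data).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2016:09:00:01 +0700] "POST /administrator/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:02 +0700] "POST /administrator/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:03 +0700] "POST /administrator/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:05 +0700] "POST /administrator/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:06 +0700] "POST /administrator/index.php HTTP/1.1" 200 1543 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2016:09:00:09 +0700] "POST /administrator/index.php HTTP/1.1" 303 231 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:09:01:00 +0700] "POST /administrator/index.php HTTP/1.1" 303 231 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:09:02:10 +0700] "GET /index.php?option=com_content&id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2016:09:03:00 +0700] "POST /images/stories/sys.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2016:09:04:00 +0700] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Signatures applied to the URL-decoded request target (assumed, illustrative set).
SQLI_PATTERNS = [
    re.compile(r"union\s+select", re.I),
    re.compile(r"'\s*or\s+'?\w+'?\s*=\s*'?\w+", re.I),
    re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    re.compile(r"information_schema", re.I),
]

# Assumed login endpoints and backdoor paths known from earlier incidents.
LOGIN_PATHS = {"/administrator/index.php", "/wp-login.php"}
KNOWN_BACKDOORS = {"/images/stories/sys.php", "/tmp/up.php"}


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["path"] = rec["target"].partition("?")[0]
    rec["decoded"] = unquote_plus(rec["target"])  # undo %xx encoding before matching
    return rec


def find_bruteforce(records, login_paths, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold login POSTs inside any sliding window."""
    attempts = defaultdict(list)
    for r in records:
        if r["method"] == "POST" and r["path"] in login_paths:
            attempts[r["ip"]].append(r["time"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)  # total attempts seen from this IP
                break
    return flagged


def find_sqli(records):
    """Return (ip, path) for requests whose decoded target matches a SQLi signature."""
    return [(r["ip"], r["path"]) for r in records
            if any(p.search(r["decoded"]) for p in SQLI_PATTERNS)]


def find_backdoor_access(records, known_backdoors):
    """Return (ip, path, status) for any request to a previously identified backdoor."""
    return [(r["ip"], r["path"], r["status"]) for r in records if r["path"] in known_backdoors]


def analyze(lines, login_paths=LOGIN_PATHS, known_backdoors=KNOWN_BACKDOORS):
    records = [r for r in (parse_line(line) for line in lines) if r]
    return {
        "brute_force": find_bruteforce(records, login_paths),
        "sqli": find_sqli(records),
        "backdoor": find_backdoor_access(records, known_backdoors),
    }


def run_demo():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for kind, items in run_demo().items():
        print(kind, items)
```

The backdoor check is the cheapest of the three and is exactly why the slide's "regaining access" pattern is detectable: once an incident has named a planted file, every later hit on that path, whatever its status code, is an alert even if the site was rebuilt from a backup.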

Found 120 backdoor files in the first 3 months

ThaiCERT GMS Statistics (Malware Spreading)

IDS with known signatures of C&C traffic, placed between the agencies and the Internet Gateway, watching connections from agency machines to the hacker's machine (C&C)

From the IDS perspective, we found more than 30 malware families.
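As an added example (not ThaiCERT's GTM or the RSA NetWitness implementation), the script below runs the Monitor -> Identify -> Alert/Coordinate flow from the GTM and IDS slides over constructed gateway connection records: destinations are matched against a small C&C indicator list to name the malware family, sources that touch many hosts on TCP/3389 are flagged as RDP scanners (the botnet slide), and the findings are bundled per agency with an advisory. The indicator feed, agency address ranges, flow records and thresholds are assumptions invented for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed C&C indicator feed (indicator -> malware family). Placeholder
# values for this example; a real deployment loads a threat-intel feed.
CNC_INDICATORS = {
    "198.51.100.23": "zeus",
    "cnc.example.net": "zeroaccess",
    "203.0.113.200": "njRAT",
}

# Constructed mapping from agency perimeter ranges to agency names.
AGENCY_NETS = {
    "Agency-A": ipaddress.ip_network("10.1.0.0/16"),
    "Agency-B": ipaddress.ip_network("10.2.0.0/16"),
}

# Constructed gateway connection records: (src_ip, destination ip-or-name, dst_port).
SAMPLE_FLOWS = [
    ("10.1.4.20", "198.51.100.23", 443),
    ("10.1.4.20", "198.51.100.23", 443),
    ("10.2.9.5", "cnc.example.net", 80),
    ("10.2.9.5", "203.0.113.200", 8080),
    ("10.2.1.1", "www.example.org", 443),   # benign traffic
    ("10.1.2.2", "10.1.2.3", 3389),         # two RDP sessions: normal admin use
    ("10.1.2.2", "10.1.2.4", 3389),
] + [("10.1.7.33", f"192.0.2.{i}", 3389) for i in range(1, 13)]  # one host sweeping 12 targets


def agency_for(ip):
    """Map a source address to the agency whose perimeter range contains it."""
    addr = ipaddress.ip_address(ip)
    for name, net in AGENCY_NETS.items():
        if addr in net:
            return name
    return "unknown"


def match_indicators(flows, indicators=CNC_INDICATORS):
    """Identify: connections whose destination is a known C&C indicator."""
    hits = set()
    for src, dst, _port in flows:
        family = indicators.get(dst)
        if family:
            hits.add((agency_for(src), src, family))
    return sorted(hits)


def detect_rdp_scanners(flows, min_targets=10):
    """Identify: sources contacting many distinct hosts on TCP/3389 (RDP scanning)."""
    targets = defaultdict(set)
    for src, dst, port in flows:
        if port == 3389:
            targets[src].add(dst)
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


def build_alerts(flows):
    """Alert/Coordinate: one bundle per agency with host, finding and advisory."""
    alerts = defaultdict(list)
    for agency, src, family in match_indicators(flows):
        alerts[agency].append({
            "host": src,
            "finding": f"C&C traffic matching {family}",
            "advisory": "Isolate the host, preserve disk and memory images, re-image and rotate credentials",
        })
    for src, n in detect_rdp_scanners(flows).items():
        alerts[agency_for(src)].append({
            "host": src,
            "finding": f"RDP scanning of {n} hosts (botnet behaviour)",
            "advisory": "Block outbound 3389 at the gateway and investigate the host for a bot client",
        })
    return dict(alerts)


if __name__ == "__main__":
    for agency, items in build_alerts(SAMPLE_FLOWS).items():
        print(agency)
        for item in items:
            print("  ", item["host"], "-", item["finding"], "|", item["advisory"])
```

The two detectors are deliberately different in kind: indicator matching is the IDS/SIEM signature step and only finds families already in the feed, while the RDP sweep count is behavioural and catches an infected host even when its C&C address is unknown, which is how the slide's 100+ botnet machines were found.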

Trojan Zeus was the family with the widest impact, with infections in 20 agencies

First success, after coordination with the system owner

Zeroaccess was the most-seen infection family in 2015; after September 2016 the number of infection records went down to 0.8 M
Alert ✓ Advisory ✓

(The original slide shows two charts: monthly infection record counts for July to December, and a per-family breakdown for October to December. Families shown: zeroaccess, Andromeda, zeus, Ramnit, netwiredrc, Necurs, Cryptowall, Pushdo, gamarue, dropper, Sality, Symmi, Mazben, joanap, Silly, Vundo, Glupteba, Downloader, fareit, Allaple, Kbot, dorkbot, Nurjax, Spyrat, Roopre, ramdo, Papras, njRAT, Iniduoh, Napolar, Neutrino, Nvbpass, Nuqel, softpulse, CryptoLocker, Upatre.)

ThaiCERT GMS Drill Twice Per Year

• Network forensics, DDoS attack response
• System forensics: finding the point of entry, lateral movement, backdoors and other artifacts on hacked systems
• Log file analysis, correlating event alerts, reconstructing the time-line

Digital Forensics Center

• Receives evidence from government and law enforcement agencies
• Operates under ISO/IEC 17025:2005 and ISO/IEC 27001:2013
• Can analyze any digital medium, with a clean room for hard disks
• Also skilled in malware analysis and reverse engineering

Training and Activities

• Malware Analysis Training
• PHP/Java/Android Secure Coding
• Sector-based CERT
• Thailand CTF Competition

Publication and Security Awareness
Available at www.etda.or.th and www.thaicert.or.th

THANK YOU