arm 7: thaicert operations and priorities
Malware Lab & Digital Forensics Center
Threat Analysis Team
Incident Response Team
Capacity Building and Compliance Team
Source: List of Common CSIRT Services, Handbook for Computer Security Incident Response Teams (CSIRTs), SEI, CMU
Proprietary and Confidential
National CERT Mission: maintain a national point of contact for computer security threats and reduce the number of security incidents perpetrated from or targeted at systems in that country.
ThaiCERT Services
ThaiCERT ThreatWatch System (inputs: Web Defacement Blogs, CERT/CSIRT Partners; recipients: ISPs)
1. Gather raw incident reports (raw)
2. Normalize, lookup, categorize, etc.
3. Generate a normalized report (normalized)
4. Distribute the sanitized report to the ISPs via web portal
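The four ThreatWatch steps above, written out as a small Python pipeline. This is an added illustration, not ThaiCERT's own code: the ISP prefix table, the category mapping and the two raw reports are constructed placeholders, and "sanitized" here means the reporter's contact details are not copied into the record an ISP receives.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed stand-in for the ISP/ASN database a lookup step would query;
# prefixes and ISP names are placeholders, not real allocations.
ISP_PREFIXES = {
    "203.0.113.0/24": "ISP-A (placeholder)",
    "198.51.100.0/24": "ISP-B (placeholder)",
}
# Map source-specific labels onto the incident types used in the statistics.
CATEGORIES = {
    "defacement": "Intrusion",
    "phishing": "Fraud (Phishing)",
    "malware_url": "Malicious code",
}

def lookup_isp(ip):
    """Step 2 (lookup): find the ISP responsible for an address."""
    addr = ipaddress.ip_address(ip)
    for prefix, isp in ISP_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return isp
    return "unknown"

def normalize(raw):
    """Steps 2-3: turn one raw report into a normalized, sanitized record."""
    seen_utc = datetime.fromisoformat(raw["seen"]).astimezone(timezone.utc)
    return {
        "ip": str(ipaddress.ip_address(raw["ip"])),   # rejects malformed input
        "url": raw["url"],
        "category": CATEGORIES.get(raw["kind"], "Other"),
        "first_seen": seen_utc.isoformat(),           # one timezone for all sources
        "source": raw["source"],
        "isp": lookup_isp(raw["ip"]),
        # the reporter's contact details are deliberately not copied
    }

def build_reports(raw_reports):
    """Step 4: group normalized records by the ISP that will receive them."""
    per_isp = defaultdict(list)
    for raw in raw_reports:
        rec = normalize(raw)
        per_isp[rec["isp"]].append(rec)
    return dict(per_isp)

# Constructed sample input: one defacement-blog entry, one partner report.
RAW_REPORTS = [
    {"source": "defacement-blog", "kind": "defacement", "ip": "203.0.113.10",
     "url": "http://example.test/index.html", "seen": "2014-03-05T09:15:00+07:00",
     "reporter": "poster@blog.example"},
    {"source": "partner-csirt", "kind": "phishing", "ip": "198.51.100.7",
     "url": "http://login.example.test/", "seen": "2014-03-06T01:00:00+00:00",
     "reporter": "analyst@partner.example"},
]
```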
Incident Statistics 2014
ThaiCERT handled 4,008 incidents:
- Malicious code 1,735 (43.3%)
- Fraud (Phishing) 1,010 (25.2%)
- Intrusion 711 (17.7%)
2,016 incidents (50.3%) were discovered by ThaiCERT ThreatWatch System.
[Charts: Report by Incident Type; Top requestors by country, with labelled slices ThaiCERT (50.3%), United States and Germany (14.6% and 12%)]
Web Defacement Statistics in ASEAN 2014
[Chart: monthly defacement counts, Jan to Dec 2014 (y-axis 0 to 3,500), for Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam]
Note: Data collected from public defacement databases by ThaiCERT ThreatWatch System.
ThaiCERT service timeline:
- Alert & Coordination (since '12): Threat Alert to the Thailand Internet Community, Public / Private Sectors, Regulator and Law enforcement; Public and Private Sectors / CERT/CSIRT Partners
- Ticketing and Analysis ('12-'15)
- Monitoring and Detection ('13-'15): ('13-'14) Internet Malware & Vulnerability Scanner; ('15) Cyber Threat Detection for Government Agencies
- Protection ('15): ('15) Web and DDoS Firewall for Government Agencies
ThaiCERT Government Monitoring System (GMS)
[Diagram: Traffic Flows; labels: Known Malicious & DDoS Traffics, Legitimate web traffics, Data Center, Threat Detection info, Monitoring and Analysis]
Information Security Expert Certification
Level      Test score         Certificates         Work experience
Advanced   Greater than 80%   iSEC-M3 or iSEC-T3   At least 5 years
High       Greater than 70%   iSEC-M2 or iSEC-T2   At least 3 years
Basic      Greater than 60%   iSEC-M1 or iSEC-T1   At least 1 year
Capacity Building Activities – Local Certification: 72 certificate holders
[Chart: certificate holders by track, Technical Security and Security Management]
Capacity Building Activities - Training
Training topics: Mobile Forensics, Malware Analysis
About 200 security practitioners from both public and private sectors were trained by ThaiCERT.
ThaiCERT Incident Drill for Fin sector & ISPs
“To enhance the communication and participating teams’ incident response capabilities and cooperation between teams”
Objectives:
• Practice incident handling coordination between the banks, ISPs and ThaiCERT
• Assess advanced technical skills such as malware analysis
Malware Analysis Competition 2014 (MAC2014)
“To raise interest of IT security for university students in Thailand and development of in-demand skill of malware analysis”
• Organized by ThaiCERT and JPCERT/CC
• Participation of 13 Teams from 9 universities in Bangkok
• 3 Days of Training + Final Day for competition
• For the competition, teams need to analyze the behavior of malware and present the result skillfully in order to win the prize (a trip to join APCERT AGM 2015)
Press Conference/ Release
• January 2014, D-Link Rom-0 vulnerability
• April 2014, Heartbleed
• May 2014, 0-day IE 6 - IE 11
• August 2014, Android Trojan (SMS)
• September 2014, 0-days
• September 2014, ShellShock
• October 2014, Poodle
Case study: Phishing without e-mail
URL: kasikornbankgroup.ru; First Found: 6/3/58; hosted in Latvia
Feb 25: Phishing domain registered
Mar 6: Phishing site first found
Phishing on Adsense
+66-2-123-1212
Report Incident: [email protected] (KeyID: 0xF2CB3EE1)
General Inquiry: [email protected] (KeyID: 0x52D48426)