TRANSCRIPT
Copyright © 2017 CyberSecurity Malaysia
Practical Workflow for Automation and Orchestration of Addressing Cyber Threat: Case Study of Mirai Botnet in Malaysia
Megat Muazzam, Head of Malaysia CERT, CyberSecurity Malaysia
Agenda
• Introduction
• Issues Surrounding Protecting Malaysia Cyber Security
• Importance of Threat Intelligence Sharing
• Traditional SOC “And” Threat Intelligence Information Sharing
• Case Study: Mirai
Cyber999™ Cyber Early Warning Services
Email us at: [email protected]
REFERENCE CENTRE FOR CYBER SECURITY ASSISTANCE
- for all internet users, including home users and organizations
Incident Handling
Cyber Early Warning
Technical Coordination Centre
Malware Research Center
Issues Surrounding Cyber Security in Malaysia
Vastly expanding attack surface area (Mobile, Cloud, Virtualization, IoT, etc.)
Insufficient reliable data related to cyber threats
No appropriate body or authority that provides reliable data
Insufficient technical resources and expertise to expedite threat intelligence analysis and incident response.
CSIRT’s Role in Protecting Critical National Information Infrastructure
• Information sharing about latest threats and mitigation measures against the threats
• Early warning of latest outbreaks: provide Alert and Advisory on the latest outbreak, which includes detection and mitigations
• Raise awareness about cybersecurity and critical infrastructure protection issues
• As a platform to promote mutual collaboration between all sectors in CNII, such as Government, Private and Financial sectors. A good example is a National-level Cyber Exercise.
• Engaging with various parties such as Law Enforcement Agencies, ISPs and security experts on mitigations against cyber attacks against CNII.
Current Malaysia Practice for Mitigating Cyber Threats in Malaysia
Coordinated Cyber Incident Escalation
Annual Cyber Exercise “Code Name X-Maya”
National Level Policy: National Cyber Crisis Management Plan “NCCMP”
National Level Security Awareness
What is Threat Intel
“Threat Intelligence (TI) is evidence-based knowledge, including context, mechanism, indicator, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject response to that menace or hazard” - Gartner, 2013
• SANS Institute - “The set of data collected, assessed and applied regarding security threat, threat actors, exploits, malware, vulnerabilities and compromise indicators”
Importance of Threat Intelligence
To move threat intelligence sharing to the next level of efficiency and effectiveness, improvement is needed in three areas:
• We need to simplify event triage and provide a better environment for security practitioners to investigate high-priority threats.
• We need to do a better job establishing relationships between indicators of compromise so that we can understand their connections to attack campaigns.
• We need a better way to share threat intelligence among our stakeholders and relevant authorities.
Example of Threat Intelligence / Information Sharing Framework
Technical Platform/Framework
- MISP
- OpenIOC
- STIX/TAXII
- Collective Intelligence Framework (CIF)
- Avalanche/Soltra (FS-ISAC)
SIEM Communities
- QRadar Threat Exchange
- Splunk feeds
National CSIRTs/CERTs info sharing exchange
Traditional SOC Operation
[Diagram] Inputs: Emails, Faxes, SMSes, Intrusion Detection Systems, Network Management Tools, Phone calls
Request types: Information Requests, Vulnerability Report, Incident Report
Flow: Triage, Analyze, Technical Assistance / Escalation, Resolution
Threat Intelligence Information Sharing Model
[Diagram] Threat Intel Sources: Reporting System, Honeynet, Feeds Provider, Foreign CERT
Distribute Feeds & Raw Data to the Threat Intelligence Analysis Process: Threat Intelligence Analysis by Agent/Machine
Decision: High Risk Information? (YES / NO)
YES: Verified Data Escalation to related CNII Sectors; Blocking and Investigation process by related CNII Sectors
Escalation to: Law Enforcement Agency (LEA) for crime-related cases; MyCERT if technical assistance or data preservation is required
Threat Intel Repository for: 1. Future Reference 2. Produce Advisories
Advisories & Alerts: CNII Sectors may refer to CNII Portal advisories and alerts for proper handling of cases and for future reference
Tools Used for Information Sharing
• MyLipas: semi-automated escalation tool, for mass IP notification
• Honeynet: source of threat information
• Automated Scripts: automating the analysis and processing of the threat information
• Forensic tools: forensic analysis
Case Study - Mirai
https://intel.malwaretech.com/botnet/mirai/?t=24h&bid=all
Mirai Botnet Infection
https://www.shodan.io/
List of vectors found in source code.
The passwords come from the botnet's source code.
Security Feeds Information
[Bar chart: Mirai infection / CC / Port Scan Detected, Jan-April 2017; y-axis: Count, 0 to 160,000. Per-category values are not recoverable from the extraction.]
[Pie chart: Infection Type by Variant. Legend: Mirai, Mirai-Botnet, Mirai#14, MiraiWgetDownload. Segment values as extracted, in legend order: 228,220 (69%); 83,781 (26%); 408 (0%); 17,452 (5%).]
Mirai detection using Honeypot
MTPot: an open-source honeypot developed by Cymmetria Research. MTPot is written in Python and is configured with:
• the IP and port to which the honeypot shall bind
• a list of commands expected to be sent by the scanners and the responses that MTPot shall give
• the name of the attack (Mirai)
• a session timeout value
• some optional syslog settings to collect the fingerprinted IPs
- Escalation to ISPs focuses only on .my source IPs that have been infected.
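As an added example (not MTPot's code, nor CyberSecurity Malaysia's), the configuration items above modelled as a small session fingerprinter: the bind address, the expected command/response list, the attack name, the timeout and the syslog-style record are all assumptions, and the command sequence is constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed configuration covering the knobs the slide lists: bind address,
# expected scanner commands with canned responses, attack name, session
# timeout and a syslog-style record. The command sequence is an assumption
# chosen for illustration, not MTPot's shipped configuration.
CONFIG = {
    "bind": ("0.0.0.0", 23),            # where a real listener would accept Telnet
    "attack_name": "Mirai",
    "session_timeout": 10.0,            # seconds of silence before a session is dropped
    "expected": [("enable", "# "), ("system", "# "), ("shell", "# "), ("sh", "# ")],
}

@dataclass
class Session:
    peer_ip: str
    last_seen: float                    # seconds since connect of the last line
    matched: int = 0                    # expected commands seen so far, in order
    fingerprinted: bool = False
    expired: bool = False
    log: list = field(default_factory=list)   # syslog-style records, one per event

def handle_line(cfg, s, line, now):
    """Process one command line from the peer and return the reply to send."""
    if now - s.last_seen > cfg["session_timeout"]:
        s.expired = True
        s.log.append(f"<13>mtpot-like: session_timeout src={s.peer_ip}")
        return None
    s.last_seen = now
    if s.fingerprinted:
        return "# "                     # already identified; keep answering the prompt
    want, reply = cfg["expected"][s.matched]
    if line.strip() != want:
        s.matched = 0                   # any deviation restarts the sequence match
        return "sh: command not found\r\n"
    s.matched += 1
    if s.matched == len(cfg["expected"]):
        s.fingerprinted = True          # full sequence seen: record the scanner's IP
        s.log.append(f"<13>mtpot-like: attack={cfg['attack_name']} src={s.peer_ip} fingerprinted")
    return reply

def replay(cfg, peer_ip, events):
    """events: constructed (seconds_since_connect, line) pairs from one connection."""
    s = Session(peer_ip=peer_ip, last_seen=0.0)
    for t, line in events:
        if s.expired:
            break
        handle_line(cfg, s, line, t)
    return s

# Constructed sessions: a scanner following the sequence, one that does not,
# and one that goes quiet past the timeout.
BOT_LIKE = [(0.1, "enable\r\n"), (0.2, "system\r\n"), (0.3, "shell\r\n"), (0.4, "sh\r\n")]
HUMAN_LIKE = [(0.5, "ls\r\n"), (2.0, "enable\r\n")]
STALLED = [(0.1, "enable\r\n"), (30.0, "system\r\n")]
```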
Automated Escalation Process
[Diagram] Components shown: Botnet Feeds, LebahNET Sensor, Centralized System, Cyber999
Automation of escalation
Mitigate the attack
• Automated incident escalation to ISP
• Recommend ISPs identify compromised IoT devices by filtering traffic on TCP 23 / TCP 2323 / TCP 7547
– ISP action: isolate and notify legitimate owners of the problem and urge them to take corrective action.
• Publish advisory to alert Malaysian Internet users
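The escalation step above as an added example (not MyLipas or CyberSecurity Malaysia code): a constructed feed extract is filtered to the three ports, mapped to assumed ISP prefixes (documentation ranges stand in for real .my allocations) and rendered as one notification per ISP.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sensor-feed extract (timestamp, source IP, destination port,
# attack label) standing in for the botnet feeds the deck describes. Not real sightings.
FEED = """\
ts,src_ip,dst_port,attack
2017-03-01T10:00:01Z,203.0.113.10,23,Mirai
2017-03-01T10:00:05Z,203.0.113.10,2323,Mirai
2017-03-01T10:01:09Z,203.0.113.77,7547,Mirai-Botnet
2017-03-01T10:02:13Z,198.51.100.5,23,Mirai
2017-03-01T10:03:42Z,203.0.113.10,80,Other
2017-03-01T10:04:00Z,192.0.2.44,2323,Mirai
"""
MIRAI_PORTS = {23, 2323, 7547}          # the ports the slide tells ISPs to filter on
# Assumed ISP allocations: documentation ranges standing in for real .my prefixes.
ISP_PREFIXES = {
    "isp-a.example": ipaddress.ip_network("203.0.113.0/24"),
    "isp-b.example": ipaddress.ip_network("198.51.100.0/24"),
}

def isp_for(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ISP_PREFIXES.items():
        if addr in net:
            return name
    return None                         # outside our constituency: not escalated here

def build_escalations(feed_text):
    """Keep only Mirai-labelled hits on the IoT ports and group them per ISP and IP."""
    per_isp = defaultdict(dict)
    for row in csv.DictReader(io.StringIO(feed_text)):
        port = int(row["dst_port"])
        if port not in MIRAI_PORTS or not row["attack"].startswith("Mirai"):
            continue
        isp = isp_for(row["src_ip"])
        if isp is None:                 # foreign source: left to that country's CERT
            continue
        rec = per_isp[isp].setdefault(row["src_ip"], {"first_seen": row["ts"], "ports": set(), "hits": 0})
        rec["ports"].add(port)
        rec["hits"] += 1
    return per_isp

def render_ticket(isp, hosts):
    """One notification per ISP listing its infected IPs and the requested action."""
    body = [f"{ip} first_seen={r['first_seen']} ports={sorted(r['ports'])} hits={r['hits']}"
            for ip, r in sorted(hosts.items())]
    return "\n".join([f"To: abuse contact for {isp}", *body,
                      "Action: isolate, notify the owner, advise a password change and disabling Telnet."])
```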
Recommendation to device owners
• Research the capabilities and security features of an IoT device before purchase
• Stop using default/generic passwords.
• Disable Telnet login and use SSH
• Disable or protect remote access to IoT devices when not needed
• Regularly check the manufacturer’s website for firmware updates
What are the challenges?
Owner of Devices
– Not straightforward to patch/upgrade
– Not every user knows how to resolve infected devices
IoT Manufacturer
– Profit vs. Security
– Unnecessary services should be disabled by default
– Best practices: passwords
ISP
– Difficult to correlate information that has been shared / escalated by CERT
– Need proper guidelines to inform affected customers.
Summary
• It worked for us in obtaining valid, reliable threat intelligence information from our trusted partners. This eventually makes identification and rectification work smoothly.
• It worked in identifying the threats and vulnerabilities to systems belonging to the CNII sector.
• It strengthens the working collaboration between CSIRTs and CNII sectors and positions the CSIRT as an entity that plays an important role in safeguarding cyberspace.
• CSIRT partnerships have become an integral part of the international network to fight against cyber threats.
• To develop a baseline understanding of common threats and capabilities to enable coordinated actions among the CNII sectors in the event of large-scale cyber attacks.
Questions?
§ Find out more: www.cybersecurity.my, www.mycert.org.my
§ Personal: [email protected]