Practical Workflow for Automation and Orchestration of Addressing Cyber Threat: Case Study of Mirai Botnet in Malaysia

Megat Muazzam, Head of Malaysia CERT, CyberSecurity Malaysia

Copyright © 2017 CyberSecurity Malaysia (28 slides)


Page 1: Title slide (title and presenter as above)

Page 2: Agenda

• Introduction
• Issues Surrounding Protecting Malaysia Cyber Security
• Importance of Threat Intelligence Sharing
• Traditional SOC "And" Threat Intelligence Information Sharing
• Case study: Mirai

Page 3: Cyber999™ Cyber Early Warning Services

Email us at: [email protected]

REFERENCE CENTRE FOR CYBER SECURITY ASSISTANCE - for all internet users, including home users and organizations

• Incident Handling
• Cyber Early Warning
• Technical Coordination Centre
• Malware Research Center

Page 4: (image slide, no text)

Page 5: Issues Surrounding Cyber Security in Malaysia

• Vastly expanding attack surface area (Mobile, Cloud, Virtualization, IoT etc.)
• Insufficient reliable data related to cyber threats
• No appropriate body or authority that provides reliable data
• Insufficient technical resources and expertise to expedite threat intelligence analysis and incident response

Page 6: CSIRT's Role in Protecting Critical National Information Infrastructure

• Information sharing about the latest threats and mitigation measures against those threats
• Early warning of the latest outbreaks: provide Alerts and Advisories on the latest outbreak, including detection and mitigations
• Raise awareness about cybersecurity and critical infrastructure protection issues
• Act as a platform to promote mutual collaboration between all sectors in CNII, such as Government, Private and Financial sectors. A good example is a National-level Cyber Exercise.
• Engage with various parties such as Law Enforcement Agencies, ISPs and security experts on mitigations against cyber attacks on CNII

Page 7: Current Malaysian Practice for Mitigating Cyber Threats in Malaysia

• Coordinated Cyber Incident Escalation
• Annual Cyber Exercise "Code Name X-Maya"
• National Level Policy: National Cyber Crisis Management Plan "NCCMP"
• National Level Security Awareness

Page 8: What is Threat Intel

"Threat Intelligence (TI) is evidence-based knowledge, including context, mechanism, indicator, implications, and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject response to that menace or hazard" - Gartner, 2013

• SANS Institute - "The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators"

Page 9: Importance of Threat Intelligence

To move threat intelligence sharing to the next level of efficiency and effectiveness, improvement is needed in three areas:

• We need to simplify event triage and provide a better environment for security practitioners to investigate high-priority threats.
• We need to do a better job establishing relationships between indicators of compromise so that we can understand their connections to attack campaigns.
• We need a better way to share threat intelligence among our stakeholders and relevant authorities.

Page 10: Example of Threat Intelligence / Information Sharing Framework

Technical Platform / Framework
- MISP
- OpenIOC
- STIX/TAXII
- Collective Intelligence Framework (CIF)
- Avalanche/Soltra (FS-ISAC)

SIEM Communities
- QRadar Threat Exchange
- Splunk feeds

National CSIRTs/CERTs info sharing exchange

Page 11: Traditional SOC Operation

(Diagram, reconstructed from the extracted labels.)

Inputs: Emails, Faxes, SMSes, Intrusion Detection Systems, Network Management Tools, Phone calls
  → Triage
      • Information Requests
      • Vulnerability Report
      • Incident Report
  → Analyze
  → Technical Assistance / Escalation
  → Resolution

Page 12: Threat Intelligence Information Sharing Model

(Diagram, reconstructed from the extracted labels; the step numbers 1-8 on the original slide cannot be recovered in order.)

Threat Intel Sources: Reporting System, Honeynet, Feeds Provider, Foreign CERT
  → Distribute Feeds & Raw Data
  → Threat Intelligence Analysis by Agent/Machine
  → Threat Intelligence Analysis Process
  → High Risk Information?
      YES → Verified Data Escalation to related CNII Sectors
            → Blocking and Investigation process by related CNII Sectors
            → Escalation To: Law Enforcement Agency (LEA) for crime-related cases; MyCERT if technical assistance or data preservation is required
      NO  → Threat Intel Repository for: 1. Future Reference, 2. Produce Advisories
            → Advisories & Alerts
            → CNII Sectors may refer to CNII Portal advisories and alerts for proper handling of cases and for future reference

Page 13: (image slide, no text)

Page 14: Tools Used for Information Sharing

• MyLipas - semi-automated escalation tool; for mass IP notification
• Honeynet - source of threat information
• Automated Scripts - automating the analysis and processing of the threat information
• Forensic tools - forensic analysis

Page 15: Case Study - Mirai

Page 16: Mirai Botnet Infection

https://intel.malwaretech.com/botnet/mirai/?t=24h&bid=all

Page 17: (screenshot) https://www.shodan.io/

Page 18: List of vectors found in source code. The passwords come from the botnet's source code. (Screenshot of the credential list; not reproduced in the extraction.)

Page 19: Security Feeds Information

(Two charts; the bar values of the first chart are not recoverable from the extraction.)

Chart 1: Mirai infection / CC / Port Scan Detected, Jan-April 2017 (y-axis: Count, 0 to 160000)

Chart 2: Infection Type by Variant (slice values as extracted; the mapping of values to the legend order is an assumption)
  Mirai: 228220 (69%)
  Mirai-Botnet: 83781 (26%)
  Mirai#14: 408 (0%)
  Mirai Wget Download: 17452 (5%)

Page 20: Mirai detection using Honeypot

MTPot - open source honeypot developed by Cymmetria Research. MTPot is written in Python. It is configured with:

• the IP and port to which the honeypot shall bind
• a list of commands expected to be sent by the scanners and the responses that MTPot shall give
• the name of the attack (Mirai)
• a session timeout value
• some optional syslog settings to collect the fingerprinted IPs

- Escalation to ISPs focuses only on .my sources of IPs that have been infected.

Page 21: Automated Escalation Process

(Diagram: Botnet Feeds → LebahNET Sensor → Centralized System → Cyber999)
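The two slides above (honeypot fingerprinting of scanner IPs, then escalation of only the .my sources to their ISP) and the high-risk decision in the sharing model on page 12 describe a pipeline without showing code. The following is an added example, not code from the slides or from CyberSecurity Malaysia, MyCERT or MTPot: it parses honeypot sightings, maps each source IP to an ISP, and builds per-ISP escalation batches with a high-risk flag. Everything specific is assumed: the log line format is a hypothetical MTPot-style syslog layout (the real format is not on the slides), the ISP prefix table uses documentation address ranges with placeholder ISP names, and the high-risk rule (seen by two or more sensors) is a threshold chosen for the example.

```python
"""Added example: honeypot sightings -> per-ISP escalation batches.
Not CyberSecurity Malaysia's code. Log format, ISP table and the high-risk
threshold are all assumptions constructed for this example."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines in a hypothetical MTPot-style syslog layout:
# <ts> <sensor> mtpot: attack=<name> src=<ip> sport=<port> dport=<port> session=<seconds>
SAMPLE_LOG = """\
2017-03-02T10:14:07Z lebahnet01 mtpot: attack=Mirai src=192.0.2.17 sport=51022 dport=23 session=4
2017-03-02T10:14:09Z lebahnet01 mtpot: attack=Mirai src=192.0.2.17 sport=51023 dport=2323 session=3
2017-03-02T10:15:41Z lebahnet02 mtpot: attack=Mirai src=198.51.100.9 sport=41200 dport=23 session=5
2017-03-02T10:16:00Z lebahnet01 mtpot: attack=Mirai src=203.0.113.77 sport=39011 dport=7547 session=2
2017-03-02T10:16:30Z lebahnet03 mtpot: attack=Mirai src=192.0.2.17 sport=51030 dport=23 session=4
2017-03-02T10:17:12Z lebahnet02 mtpot: attack=Mirai src=8.8.8.8 sport=2000 dport=23 session=1
2017-03-02T10:18:55Z lebahnet01 mtpot: attack=Mirai src=192.0.2.200 sport=60000 dport=23 session=6
"""

# Hypothetical ISP allocation table: documentation prefixes stand in for
# Malaysian ISP ranges; ISP names are placeholders.
ISP_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "ISP-A (placeholder)",
    ipaddress.ip_network("198.51.100.0/24"): "ISP-B (placeholder)",
    ipaddress.ip_network("203.0.113.0/24"): "ISP-C (placeholder)",
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) mtpot: attack=(?P<attack>\S+) src=(?P<src>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) session=(?P<session>\d+)$"
)

# A source fingerprinted by this many distinct sensors is treated as high risk
# (it is actively scanning, not a one-off). Threshold is an assumption.
HIGH_RISK_SENSOR_COUNT = 2


def parse_sightings(text):
    """Parse log lines into dicts; malformed lines are skipped rather than fatal."""
    sightings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        d["dport"] = int(d["dport"])
        sightings.append(d)
    return sightings


def isp_for(ip_text):
    """Map a source IP to its ISP via the prefix table; None = not a .my source."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None
    for net, isp in ISP_PREFIXES.items():
        if ip in net:
            return isp
    return None


def build_escalation(text):
    """Group .my sources per ISP; each entry carries the evidence an ISP needs."""
    per_src = defaultdict(lambda: {"isp": None, "sensors": set(), "ports": set(),
                                   "first_seen": None, "last_seen": None, "hits": 0})
    for s in parse_sightings(text):
        isp = isp_for(s["src"])
        if isp is None:
            continue            # foreign or unknown prefix: not escalated to a .my ISP
        e = per_src[s["src"]]
        e["isp"] = isp
        e["sensors"].add(s["sensor"])
        e["ports"].add(s["dport"])
        e["hits"] += 1
        e["first_seen"] = min(filter(None, [e["first_seen"], s["ts"]]))
        e["last_seen"] = max(filter(None, [e["last_seen"], s["ts"]]))

    batches = defaultdict(list)
    for src, e in sorted(per_src.items()):
        batches[e["isp"]].append({
            "src": src,
            "hits": e["hits"],
            "ports": sorted(e["ports"]),
            "sensors": sorted(e["sensors"]),
            "first_seen": e["first_seen"].isoformat(),
            "last_seen": e["last_seen"].isoformat(),
            "high_risk": len(e["sensors"]) >= HIGH_RISK_SENSOR_COUNT,
        })
    return dict(batches)


if __name__ == "__main__":
    for isp, items in build_escalation(SAMPLE_LOG).items():
        print(isp)
        for item in items:
            print("  ", item)
```

Sources outside the prefix table (the 8.8.8.8 line) drop out of ISP escalation, which is the "focus only on .my sources" rule; in practice the table would be replaced by a WHOIS or BGP-derived mapping. The first/last-seen and port evidence is what lets the ISP correlate the report with its own records, which page 25 lists as one of the ISPs' difficulties.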

Page 22: Automation of escalation (image slide)

Page 23: Mitigating the attack

• Automated incident escalation to ISPs
• Recommend that ISPs identify compromised IoT devices by filtering traffic on TCP 23 / TCP 2323 / TCP 7547
  - ISP action: isolate and notify the legitimate owners of the problem and urge them to take corrective action
• Publish an advisory to alert Malaysian Internet users
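The slide tells ISPs which ports to filter on but not how to separate a bot from a customer who legitimately opens one Telnet session. The following is an added example, not from the slides or from CyberSecurity Malaysia: it reads flow records and flags customer hosts that contact many distinct destinations on TCP 23 / 2323 / 7547, which is the outward scanning pattern of an infected device, and drafts the owner notice the slide calls for. The flow CSV layout, the 20-destination threshold and all addresses are constructed for the example.

```python
"""Added example: ISP-side flagging of hosts scanning Mirai-associated TCP ports.
Not CyberSecurity Malaysia's code. Flow layout, threshold and addresses are
constructed assumptions."""
import csv
import io
from collections import defaultdict

MIRAI_PORTS = {23, 2323, 7547}           # ports named on the slide
MIN_DISTINCT_DESTINATIONS = 20           # per-window threshold; an assumption

# Constructed flow export in a hypothetical CSV layout: start,src,dst,dport,proto,bytes
SAMPLE_FLOWS = "start,src,dst,dport,proto,bytes\n" + "\n".join(
    # 192.0.2.17 behaves like a bot: 25 distinct hosts on 23/2323 within a minute
    [f"2017-03-02T10:14:{i:02d}Z,192.0.2.17,203.0.113.{i},{23 if i % 2 else 2323},tcp,74"
     for i in range(25)]
    # 192.0.2.9 opens a single Telnet session to its own router: not a bot
    + ["2017-03-02T10:15:00Z,192.0.2.9,192.0.2.1,23,tcp,5120"]
    # 192.0.2.33 talks to many hosts on 443: not a Mirai-associated port
    + [f"2017-03-02T10:15:{i:02d}Z,192.0.2.33,198.51.100.{i},443,tcp,2048" for i in range(30)]
    # 192.0.2.50 sends UDP to 7547 on 21 hosts: wrong protocol, ignored
    + [f"2017-03-02T10:16:{i:02d}Z,192.0.2.50,203.0.113.{100 + i},7547,udp,60" for i in range(21)]
) + "\n"


def flag_scanners(flow_csv, min_dests=MIN_DISTINCT_DESTINATIONS):
    """Return {src_ip: {"dests": n, "ports": [...]}} for sources that contacted at
    least min_dests distinct destinations on Mirai-associated TCP ports."""
    dests = defaultdict(set)
    ports = defaultdict(set)
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue
        try:
            dport = int(row["dport"])
        except ValueError:
            continue                      # malformed record: skip rather than crash
        if dport not in MIRAI_PORTS:
            continue
        dests[row["src"]].add(row["dst"])
        ports[row["src"]].add(dport)
    return {
        src: {"dests": len(d), "ports": sorted(ports[src])}
        for src, d in dests.items()
        if len(d) >= min_dests
    }


def notification(src, finding):
    """Draft the owner notice the slide calls for (isolate, notify, urge corrective action)."""
    return (f"Device at {src} contacted {finding['dests']} hosts on TCP ports "
            f"{finding['ports']}, consistent with Mirai scanning. Change default "
            f"credentials, disable Telnet/remote management, and update firmware.")


if __name__ == "__main__":
    for src, finding in flag_scanners(SAMPLE_FLOWS).items():
        print(notification(src, finding))
```

Counting distinct destinations rather than raw flows is what keeps the single Telnet session out of the result; the threshold should be tuned per access network, since a customer running a legitimate scanner or a TR-069 management server would look similar on port 7547.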

Page 24: Recommendations to device owners

• Research the capabilities and security features of an IoT device before purchase
• Stop using default/generic passwords
• Disable Telnet login and use SSH
• Disable or protect remote access to IoT devices when not needed
• Regularly check the manufacturer's website for firmware updates

Page 25: What are the challenges

Owners of Devices
- Not straightforward to patch/upgrade
- Not every user knows how to resolve infected devices

IoT Manufacturers
- Profit vs Security
- Unnecessary services should be disabled by default
- Best practices: passwords

ISPs
- Difficult to correlate information that has been shared / escalated by CERT
- Need proper guidelines to inform affected customers

Page 26: Summary

• It worked for us in obtaining valid, reliable threat intelligence information from our trusted partners. This eventually makes identification and rectification work smoothly.
• It worked in identifying threats and vulnerabilities to systems belonging to the CNII sector.
• It strengthens the working collaboration between CSIRTs and CNII sectors and positions the CSIRT as an entity that plays an important role in safeguarding cyber space.
• CSIRT partnerships have become an integral part of the international network to fight against cyber threats.
• It develops a baseline understanding of common threats and capabilities to enable coordinated actions among the CNII sectors in the event of large-scale cyber attacks.

Page 27: Questions?

Find out more
- www.cybersecurity.my
- www.mycert.org.my
- [email protected]

Personal
- [email protected]

Page 28: (closing slide)