THE ESTABLISHMENT OF TI INTO IR - apricot 2019
Agenda
• Introduction to CyberSecurity Malaysia
• Cyber999 Service
• Technical Threat Intelligence (TTI) vs Incident Response
• Case Study
• Challenges and Gap Findings
• Lesson Learnt
• Way Forward
Copyright © 2019 CyberSecurity Malaysia
About CyberSecurity Malaysia
• A technical cyber security agency under the Ministry of Science, Technology & Innovation
• Started operation as the Malaysia Computer Emergency Response Team (MyCERT) in 1997 and later rebranded as CYBERSECURITY MALAYSIA in 2007
Timeline (1997, 2001, 2005, 2007, 2017, 2018; National Security Council):
• 30 Mar 2007: NISER was officially registered as CyberSecurity Malaysia
• 20 Aug 2007: CyberSecurity Malaysia was launched by the YAB Prime Minister
• 19 Oct 2018: Cabinet Meeting chaired by the YAB Prime Minister Tun Dr. Mahathir Mohamad decided CyberSecurity Malaysia will report to the Ministry of Communication and Multimedia (KKMM) under the Compliance and Control sector
• 22 Oct 2018: Officially CSM is reporting to KKMM
Cyber999™
Cyber Early Warning Services: Incident Handling, Cyber Early Warning Centre, Technical Coordination Center, Malware Research Center
REFERENCE CENTRE FOR CYBER SECURITY ASSISTANCE for all internet users, including home users and organizations
Email us at: cyber999@cybersecurity.my
• 72 international linkages
• Established Cyber999 Integrated System
• Established Malware Research Center
• Produced 8 applications such as Malware Sandbox, PDF Analyzer, AntiPhishing Plugin
Incidents Reported to Cyber999 (1997 – 2019)
[Bar chart: number of incidents reported to Cyber999 per year, 1997 to 2018; the per-year values are not recoverable from the transcription]
Incident Response Life Cycle
Reference: https://www.experts-exchange.com/articles/28821/What's-in-an-Incident-Response-Plan.html
Threat Intelligence Life Cycle
• Planning and Direction
• Collection
• Processing and Exploitation
• Analysis and Production
• Dissemination
IR VS TI
Incident Response: Preparation → Identification → Containment → Eradication → Recovery → Lessons Learnt
Threat Intelligence: Planning and Direction → Collection → Processing and Exploitation → Analysis and Production → Dissemination
Planning and Direction
• Threat Modelling
• Identify Stakeholders
• Intelligence Collection Plan
• Service catalog / Service Offering
Planning and Direction
• Threat modeling – what threats do we need to worry about?
  – Threats targeting Malaysia geographically
  – Threats targeting Malaysia geopolitically
  – Threats targeting CNII sectors
  – Threats targeting our organization
  – Threats targeting technologies widely used in Malaysia
Planning and Direction
• Identify stakeholders
  – Executives/Management in our organization
  – Internal technical operation stakeholders
  – CNII sectors/sector lead
  – Other global CERTs, external collaboration and private companies that subscribe to us
Planning and Direction (cont…)
• Intelligence collection plan – how do we collect our data?
  – Interview our stakeholders periodically to get an idea of what they really want to see in the intelligence we share, as it tends to change.
  – Malware Analysts requested some background on the campaign and the necessary hashes, binaries or samples of the malware related to the campaign, so that they can perform analysis directly.
  – IR Analysts require an overview of the campaign and its TTP to understand the incident better, and IOCs for a quicker escalation process.
  – Management would request a weekly threat landscape.
Planning and Direction (cont…)
Service catalog / offering – Description
• Threat review and readiness: Daily review of the data collections and extraction of actionable information.
• IOCs and TTP sharing: From the actionable information, enriched IOCs and TTP will be detected and shared concurrently with analysis.
• Support of incident that is reported to our SOC: Assist incident responders to gain more knowledge and continue to report the additional information to the respective party.
• Alert and Advisories: To inform stakeholders regarding threats.
• Intelligence reports: A structured form of report.
• Gap analysis and capability development: Findings from analysis that can help to build up rules in IDS, IPS or WAF.
Planning and Direction (cont…)
Service catalog / offering – Output
• Threat review and readiness: Push into our ticketing system.
• IOCs and TTP sharing: Pushed into centralized repository (MISP).
• Support for SOC: New incident finding = new ticket; related to old incidents = merge or create new ticket (i.e. different target using same TTP).
• Alert and Advisories: Published on our website.
• Intelligence reports: Report format in docx or pdf.
• Gap analysis and capability development: Notify and alert internal team for actions like blocking on IDS, IPS or gateway.
Collection – Use case
IR Feeds (sources): Reported Incidents, ISAC and Special Interest Groups, OSINT, LebahNet, Foreign CERT
Format: Ticketing, CSV, JSON, STIX and TAXII, RSS feeds, Unstructured
Classification: Content Related, Phishing, Intrusion, Malicious Code
Processing & Exploitation
Classification:
• Content Related: 1. Credential leaked 2. PII information 3. Online Scam
• Phishing: 1. Phishing URL 2. Phishing IP 3. Phishkit
• Intrusion: 1. Compromised Email Accounts 2. Web Intrusions
• Malicious Code: 1. Ransomware 2. Android application .apk 3. Javascripts
Task:
1. Check and validate feeds / high profile reported incidents for false positives
2. Categorize the intel received, whether it is for information or needs action to be taken
3. Tagging according to incident classification
Analysis and Production
Classification: Content Related (Credential leaked, PII information, Online Scam); Phishing (Phishing URL, Phishing IP, Phishkit); Intrusion (Compromised Email Accounts, Web Intrusions); Malicious Code (Ransomware, Android application .apk, Javascripts)
• The IOCs accepted would then be analyzed by the respective analysts.
• Enrichment of the IOCs and extraction will be done at this point.
• Compile the information (IOC & TTP) according to the Kill Chain.
• If the TTP is new/changed, then the advisory and alert need to be renewed.
• Results would be stored in the centralized repository and ticketing system.
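The Processing & Exploitation tasks above (validate for false positives, categorise as information or action, tag by incident classification) and the hand-off to a central repository such as MISP can be implemented as a small triage step. This is an added example in Python, not CyberSecurity Malaysia's code: the mapping from indicator type and reporting context to classification, kill-chain phase and MISP attribute type is my assumption, the tag names only follow the shape of MISP's kill-chain taxonomy, and the feed values are constructed placeholders.

```python
import ipaddress
import re
from urllib.parse import urlparse
MD5_RE = re.compile(r"^[0-9a-f]{32}$")
# (type, context) -> deck's classification, kill-chain phase, MISP type, handling; my assumption.
TRIAGE = {
    ("url", "phishing"): ("Phishing", "delivery", "url", "action"),
    ("ip", "c2"): ("Malicious Code", "command-and-control", "ip-dst", "action"),
    ("md5", "malware"): ("Malicious Code", "installation", "md5", "information"),
}

def indicator_type(value):
    """Validation step: return 'md5', 'ip' or 'url', or None if the value is malformed."""
    v = value.strip().lower()
    if MD5_RE.match(v):
        return "md5"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        parts = urlparse(v)
        return "url" if parts.scheme in ("http", "https") and parts.netloc else None

def triage_feed(items):
    """items: (value, context) pairs -> (accepted MISP-style attributes, rejected values)."""
    accepted, rejected, seen = [], [], set()
    for value, context in items:
        kind = indicator_type(value)
        if (kind, context) not in TRIAGE:  # malformed, or no rule for it: no ticket
            rejected.append(value)
            continue
        key = (kind, value.strip().lower())
        if key in seen:  # indicator already known: merge into the existing ticket
            continue
        seen.add(key)
        classification, phase, misp_type, handling = TRIAGE[(kind, context)]
        accepted.append({"value": value.strip() if kind == "url" else key[1],
                         "type": misp_type, "handling": handling,
                         "tags": [f"incident-class:{classification}", f"kill-chain:{phase}"]})
    return accepted, rejected

# Constructed sample feed: placeholder values, not the indicators from the case study.
SAMPLE_FEED = [
    ("http://bnm-gov.invalid/index.php/w/page/a", "phishing"),
    ("HTTP://bnm-gov.invalid/index.php/w/page/a", "phishing"),  # duplicate of the first
    ("192.0.2.10", "c2"),
    ("D41D8CD98F00B204E9800998ECF8427E", "malware"),  # upper-case hash, normalised
    ("not an indicator", "phishing"),  # malformed -> rejected as a false positive
    ("192.0.2.11", "unknown-context"),  # valid IP but no triage rule -> rejected
]
```

Calling triage_feed(SAMPLE_FEED) yields three attributes ready for the repository (url, ip-dst, md5) and two rejected values; the accepted "action" items are the ones that would go to a takedown or blocking ticket.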
Dissemination
• IOCs and TTP sharing platform
• Sample report: https://www.mycert.org.my/en/services/advisories/mycert/2019/main/index.html
Case Study: Fake Malaysia National Bank App
Background of incident:
• Received a number of similar incidents, reported to our ticketing system, that raised attention.
• The incident was classified as malicious as the victim reported that an application was installed and money was lost.
• IR analyst requested complete information regarding the campaign (TTP, C2, IOC, etc.).
Scam themes: Money laundering; Personal loan scam
Case Study: Fake Malaysia National Bank App
Adversary's Kill Chain
• Reconnaissance: Adversary pretends to be a law enforcement agency officer, claims the victim is involved in unlawful activity such as money laundering, and threatens to arrest the victim if they do not cooperate. Adversary also offers personal loans.
• Weaponization: Malware purportedly from the National Bank of Malaysia with extension .apk. File names: bnm_h_signed.apk, nm_m_psigned.apk, MaintainV3.apk, ga.apk
• Delivery: WhatsApp message with phishing link / malware hosted link; malware downloaded from the link:
  – https://67.229.128.74:88/BNM.HTML
  – https://144.217.88.38
  – http://www.bnm-gov.org/index.php/w/page/a
  – http://www.bnm-gov.com/index.php/w/page/a
• Exploitation: Social engineering exploitation
• Installation: From the link, the victim is instructed to download an application that instructs the victim to replace the default SMS app
• Command and Control: C2 servers at these IPs receive victims' information
• Actions: Unauthorized money transferred from the victim's account to the adversary's account
Case Study: Fake Malaysia National Bank App
• After enrichment with these 2 domains, we found more domains targeting our National Bank.
• Pivoted on the email address and found new domains that are still up.
Domains: bnm-gov.com, bnm-gov.org
Case Study: Fake Malaysia National Bank App
Phishing links:
• https://67.229.128.74:88/BNM.HTML
• https://144.217.88.38
• http://www.bnm-gov.org/index.php/w/page/a
• http://www.bnm-gov.com/index.php/w/page/a
• http://www.m-bnmgov.com/index.php/w/page/a
• http://brm-bnm-gov.com/index.php/w/page/a
• http://www.m-bithumb.com/index.php/w/page/a
MD5 hashes for malicious .apk found:
• B2bca9cf53db7237f218e73fd270bec5
• 76335eff5c7fd48c6d9e53e61c6f5dc8
• E955601b87e7a2e87f767f543600a2f1
• 19166bfcb02c59c900191e8c6570bc6f
Case Study: Fake Malaysia National Bank App
C2s obtained:
• 67.229.128.74
• 23.244.168.148
• 183.86.209.102
• 144.217.88.38
• 61.177.172.91 (http://61.177.172.91:1013/app2/)
Case Study: Fake Malaysia National Bank App
IR's Kill Chain – Kill Chain Process: Incident Response
• Reconnaissance: Monitor adversary or related infra
• Weaponization: Perform dynamic and behavioral analysis
• Delivery: Phishing domain and host are reported to the respective ISP and hosting company for take down
• Installation: Guide the victim to run antivirus or a malware detection application for the phone (Google Play Protect); factory reset
• Command and Control: Report to the respective ISP regarding suspicious/malicious IP activities
• Actions: Guide the victim to report to the respective banks and LEA for further physical investigation and actions; escalate to the respective parties as well
Case Study: Fake Malaysia National Bank App
IOCs and TTP sharing
Case Study: Fake Malaysia National Bank App
• https://www.mycert.org.my/en/services/advisories/mycert/2018/main/detail/1305/index.html
• https://www.mycert.org.my/en/services/advisories/mycert/2018/main/detail/1304/index.html
Challenges
• Automation tools and platform constraints, since most of them need to be purchased
• Competency in gathering the intel and consolidating the information
• People
  – Additional workload for IR
  – Lack of resources (no dedicated person to segregate daily tasks)
  – Various types of threat, huge number of threats
Lesson Learnt
• Improve on how to enrich the IOCs and TTPs.
• Improve the maturity plan of the process flow of dissemination between stakeholders and requirements.
• Need to be on the tips of your toes and read the latest news regarding threats and emerging threats.
Way Forward to Improve
• Seek other intelligence tools that suit the daily tasks of analysts.
• Establish collaboration with more national and international CERTs/CSIRTs.
• Extend partnership with more industry players on leveraging threat intelligence, as well as special interest groups.