Cyber Security in Taiwan's Government Institutions: From APT To. Investigation Policies

Transcription

1 Cyber Security in Taiwan's Government Institutions: From APT To Investigation Policies Ching-Yu, Hung Investigation Bureau, Ministry of Justice, Taiwan, R.O.C. Abstract In this article, we introduce some policies used to investigate cybercrimes and to protect network security in Taiwan's government institutions. First, we start from two recent case studies to explain the threats we are facing have been evolved to be more insensible and more targeted. We not only need to strength the capabilities of cybercrime investigation, but also to construct an infrastructure to prevent and disturb the malicious activities from the internet. By the joint efforts of the law enforcement units and information security operation center in Taiwan, we hopefully establish a more safety network environment. Keywords: Targeted Attack, Cyber Security, Network Defense Policy 1. Introduction The government networks have been being targeted by hackers for a long time, which include public websites, endpoint PC of officials and inner services systems. With the attacks from all aspect on the internet, such as a rising issue in cyber security, the advanced persistent threat (APT), which employs social engineering, Trojan horses, injection attacks, vulnerability exploitations and many other methods to control victims' computers and extract data, protection of the government networks and investigation of malicious activities become more difficult and need more effort. The investigation bureau of ministry of justice (MJIB) is an important law enforcement agency in Taiwan and its primary missions are protecting national security and investigating major crimes. While the government networks are suffering from a great amount of attacks, one of the responsibilities of MJIB is to protect system safety and information integrity in the region, so we have developed some efficient investigation procedures to find the malicious activities on the internet and trace the sources of attacks, and besides the procedures, we also want to propose some policies to construct a safety network environment according to the accumulated experiences on cybercrime investigations. In the next chapter, we study 2 cases of APT targeting to the government institutions, which is uncovered in the cybercrime investigations recently, to explain the threats we are facing have been evolved to be more insensible and more targeted. Next, we introduce some checklists and standard operation procedures in cybercrime investigation and malware analysis. In the fourth chapter, we further propose 3 policies applied in Taiwan s government for cyber threat mitigation and prevention. Last, we make a conclusion of the importance of

2 cyber security. 2.Case Studies 2.1 APT Targeting Particular Personnel Recently in an information security check in Taiwan s government institutions, we found a document, annexed to an official's , titled "The 18th CPC (Communist Party of China) National Congress Situation and the Afterward Relationship between China and Taiwan.doc" in Chinese. The document is a malicious file and exploits Windows Common Controls vulnerability (MS12-027) to execute malicious codes packed in it. The main function of the malicious codes is to fetch communication log in infected computers and upload to the C&C servers. The files added and modified are shown in Figure 1. According to the title and content of the document, this kind of malware is targeting the researchers, officers and scholars who are interested in political affairs of China. And it is a typical example of social engineering attacks. Figure 1. Files added and modified after open the malicious document. 2.2 Data Burglary through Cloud Storage In an investigation of government data leakage, we found a malware in a victim's computer that secretly uploaded sensitive data to the Google Cloud storage. There are at least 2 advantages for the malwares that extract data to commercial cloud storages. First, the IP of the cloud storages are always in the white list of the firewalls and intrusion detection systems (IDS), and the cloud storages can be easily used as legal C&C servers. Second, the packet flow of the malwares uploading data to cloud storages is encrypted by SSL protocol and has no difference to normal internet surfing traffic, which make it hardly aware from outward appearance monitored by IDS and other network security guards. In this example, the malware's source code is written by GO Language, which is developed by Google and is

3 uncommon in Taiwan, therefore it may confuse the analyst in static malware analysis. In another case, a malware with the same function, but is written in C# and includes APIs provided by Dropbox, steals user account and password from victim's computers, and uploads the password files to the Dropbox storage. Figure 2. The malware uploading data to Google Cloud. 3. Investigation Procedures in MJIB 3.1 Checklist to Unearth the Malicious Activities According to the criminal law in Taiwan, entering account code and password, breaking computer protection, or taking advantage of the system loophole of such other accesses another s computer or relating equipment without reason is considered illicit. As a law enforcement agency, we have a responsibility to investigate cybercrimes, and we use some technique like packet sniffer, computer log survey or malware analysis to find the malicious activities and the attack sources. With the packet flow of government network monitored by Security Operations Center, which we will discuss later, and the information security check of government institutions every year, we can collect the indications of network activities and find the vulnerabilities of systems. The information security check items include network framework, network activity analysis, and endpoint computer or server examination, as shown in Table 1. If there are indications of malicious activities, we further analysis the records to find out the invasion time, attack sources and the amount of damages of the cybercrimes. The information security check can reduce the threat of malicious activities. Item Explain Network Framework Targeting to the vulnerabilities of network framework, including deployment logic, infrastructure and attack prevention.

4 Network Activity Endpoint Computer or Server Examination Packet Sniffer Placing a packet sniffer in the gateway of and the network, observing abnormal connections, DNS queries and malicious IP of C&C servers. Network Device Reviewing firewall, intrusion prevention Log log files to find abnormal connection records and indications of malicious activities. Malwares and Examining Endpoint Computers and Suspicious Files Servers to find malwares and suspicious Searching files involving malicious activities. PC Scanning the versions and vulnerabilities Vulnerabilities of OS, applications and anti-virus Scanning softwares in personal computer. Table 1. Information Security Check list in Cybercrime Investigation 3.2 Malware Forensic Flow For the prevalence of the APT nowadays, the government network suffers a great amount of threats from phishing, Trojan horse, software-vulnerability attack. For that reason, we have developed a standard operation process of malware forensic, which is used to find the sources, functions and infection paths of the malwares, to fast discover the infection of the network. First, we start our forensic from the suspicious computers. And depending on the status, we can apply network packet sniffer and analysis, volatile data collection and system image backup of the computers. Next, we further use dynamic and static analysis to search the malicious and suspicious files, and apply sandbox analysis, disassembly analysis and other approaches to confirm the behaviors and the sources of C&C servers, and further by comparing with the network analysis and memory dump analysis, we construct a database of the memory clips and packet patterns of the malware. The complete forensic flow is shown in Figure 3.

5 Start Memory Dump Power On Computer Status? Shutdown YES Sniffer And Analyze Network Packet at Gateway Network Forensic? NO Collect Volatile Data and System Snapshot Scanning system memory YES Computer Can Be Shutdown? Make Live Image NO Dynamic Start Image in Virtual Eviroment Jump to Power- On Forensic Process Make System Image or Disk Bit-Stream Copy Dynamic or Static Static Analyze Suspicious Files hy Mounting the Image Compare with Blacklist and Online Databases Extract all suspicious Files Sandbox DisassemblY Is Malware? No Yes Compare with Netowrk Forensic and Memory Dump Constructing Database End Figure 3. Flow of Malware Forensic 4. Mitigation and Prevention of Cyber Threat to Government 4.1 Government Configuration Baseline The government configuration baseline (GCB) standardizes the consistency of the security setting of endpoint device such as personal computers and local servers. In order to reduce the chance of attacks to the vulnerabilities caused by weak settings, we need to configure the operating environment we are using as faultlessly as possible. The check item of the GCB includes the length and complexity of password, system update period, dangerous function exclusion and other security settings of the OS and browser, which is widely used in Taiwan s

6 government units. By reference of the GCB provided by the U.S government, we construct a version of our own, which contains 396 items including account policies, Windows 7 & Firewall settings and IE8 settings, as shown in Table 2. By implementing the GCB in every government units, we can basically guarantee a secure operating environment. Class Name Sum subtotal Windows 7 GCB Account Policy GCB Windows 7 Computer Energy Policy 4 GCB Windows 7 Computer Settings 225 GCB Windows 7 User Settings 8 Windows 7 GCB Windows 7 Firewall Settings Firewall Internet Explorer 8 GCB Internet Explorer 8 Computer Settings GCB Internet Explorer 8 User Settings 5 Total 396 Table 2. Items of the GCB 4.2 Construction of Local Security Operations Center The Taiwan s government is strengthening the construction of local Security Operations Center (SOC), which is a centralized unit that monitors and deals with network security issues. At present, there is a central SOC that monitor the overall packet flow in real time from the main gateway of the central government in Taiwan, but it is not enough to control the flow at the main gateway since some endpoint PCs and servers in the government units have been taken by malwares and backdoors are already opened. The local SOCs can guarantee the discovery and prevention of extraordinary flows in real time by supervising the local systems, such as Active Directory servers of Microsoft and electronic official document exchange systems. More importantly, through cooperating with information security companies and training students who major in information management, we can get more professionals and improve awareness of system defense of local personnel. 4.3 Networking Attack Drill Every year, the National Information and Communication Security Taskforce (NICST) in Taiwan would hold a networking attack drill to excavate system vulnerabilities and assess the safety in every government institution. The NICST invited security experts from all over the country as intruders to invade the computer systems using approaches from social engineering, website penetration, loophole exploitation and many other methods, and the experts listed the deficiencies and score the security of each local system after invasion. Next, a situational drill would take place in written or video chat mode, to simulate agencies

7 suffered severely targeted and consistent attacks and to test the authorities familiar or not with standard procedures, emergency handling, defense mechanisms and notification. Last, there was a seminar to discuss the process and result of the drill, and foreign experts were invited to share relevant experience. The result of the networking attack drill is a good reference resource for the network authorities of each government unit to repair vulnerabilities of their systems and enhance the defense consciousness. 5. Conclusion In this article, we introduced some procedures to investigate attacks in the government networks and proposed the countermeasures against network malicious activities. While the cyber war is happening secretly and new attack methods continuously brought up, the policies of information security shall be reviewed frequently. With the malicious activities always existing on the internet, not only the network authorities need to reinforce the capabilities to guard the government networks, but all staffs in the government institutions shall have a basic information security concept to resist different threats.