Cyber Security in Taiwan's Government Institutions: From APT to Investigation Policies




Ching-Yu Hung
Investigation Bureau, Ministry of Justice, Taiwan, R.O.C.

Abstract
In this article, we introduce some policies used to investigate cybercrimes and to protect network security in Taiwan's government institutions. First, we start from two recent case studies to explain that the threats we face have evolved to become stealthier and more targeted. We not only need to strengthen the capabilities of cybercrime investigation, but also to construct an infrastructure that prevents and disrupts malicious activities from the internet. Through the joint efforts of the law enforcement units and the information security operation centers in Taiwan, we hope to establish a safer network environment.

Keywords: Targeted Attack, Cyber Security, Network Defense Policy

1. Introduction
Government networks, including public websites, the endpoint PCs of officials and internal service systems, have been targeted by hackers for a long time. Attacks now come from every direction on the internet; in particular the advanced persistent threat (APT), a rising issue in cyber security, employs social engineering, Trojan horses, injection attacks, vulnerability exploitation and many other methods to control victims' computers and extract data, so protecting government networks and investigating malicious activities have become more difficult and demand more effort. The Investigation Bureau of the Ministry of Justice (MJIB) is an important law enforcement agency in Taiwan, and its primary missions are protecting national security and investigating major crimes.

While government networks suffer a great number of attacks, one of MJIB's responsibilities is to protect system safety and information integrity in the region. We have therefore developed efficient investigation procedures to find malicious activities on the internet and trace the sources of attacks, and beyond those procedures we also propose policies for constructing a safe network environment, based on the experience accumulated in cybercrime investigations. In the next chapter, we study two cases of APT targeting government institutions, uncovered in recent cybercrime investigations, to explain that the threats we face have evolved to become stealthier and more targeted. Next, we introduce the checklists and standard operating procedures used in cybercrime investigation and malware analysis. In the fourth chapter, we further propose three policies applied in Taiwan's government for cyber threat mitigation and prevention. Last, we conclude on the importance of cyber security.

2. Case Studies
2.1 APT Targeting Particular Personnel
Recently, in an information security check of Taiwan's government institutions, we found a document attached to an official's email, titled (in Chinese) "The 18th CPC (Communist Party of China) National Congress Situation and the Afterward Relationship between China and Taiwan.doc". The document is a malicious file that exploits the Windows Common Controls vulnerability (MS12-027) to execute the malicious code packed inside it. The main function of the malicious code is to fetch the communication logs on infected computers and upload them to the C&C servers. The files added and modified are shown in Figure 1. Judging by the title and content of the document, this kind of malware targets the researchers, officers and scholars who are interested in the political affairs of China, and it is a typical example of a social engineering attack.

Figure 1. Files added and modified after opening the malicious document.

2.2 Data Burglary through Cloud Storage
In an investigation of a government data leak, we found malware on a victim's computer that secretly uploaded sensitive data to Google Cloud storage. There are at least two advantages for malware that extracts data to commercial cloud storage. First, the IPs of the cloud storage services are always on the whitelists of firewalls and intrusion detection systems (IDS), so the cloud storage can easily be used as a legitimate-looking C&C server. Second, the packet flow of the malware uploading data to cloud storage is encrypted by the SSL protocol and is indistinguishable from normal internet surfing traffic, which makes it hard to notice from the outward appearance monitored by an IDS and other network security guards. In this example, the malware's source code was written in the Go language, which was developed by Google and is uncommon in Taiwan, so it may confuse the analyst during static malware analysis. In another case, malware with the same function, but written in C# and using the APIs provided by Dropbox, stole user accounts and passwords from victims' computers and uploaded the password files to Dropbox storage.

Figure 2. The malware uploading data to Google Cloud.

3. Investigation Procedures in MJIB
3.1 Checklist to Unearth the Malicious Activities
According to the criminal law in Taiwan, accessing another person's computer or related equipment without reason, whether by entering an account code and password, by breaking computer protection, or by taking advantage of a system loophole, is considered illicit. As a law enforcement agency, we have a responsibility to investigate cybercrimes, and we use techniques such as packet sniffing, computer log surveys and malware analysis to find malicious activities and attack sources. With the packet flow of the government network monitored by the Security Operations Center, which we discuss later, and the information security check of government institutions every year, we can collect the indications of network activities and find the vulnerabilities of systems. The information security check items include the network framework, network activity analysis, and endpoint computer or server examination, as shown in Table 1. If there are indications of malicious activities, we further analyze the records to find out the time of intrusion, the attack sources and the amount of damage caused by the cybercrime. The information security check can reduce the threat of malicious activities.

Item / Explanation
  Network Framework: Targeting the vulnerabilities of the network framework, including deployment logic, infrastructure and attack prevention.
  Network Activity
    - Packet Sniffer: Placing a packet sniffer at the gateway of the network and observing abnormal connections, DNS queries and the malicious IPs of C&C servers.
    - Network Device Log: Reviewing firewall and intrusion prevention log files to find abnormal connection records and indications of malicious activities.
  Endpoint Computer or Server Examination
    - Malwares and Suspicious Files Searching: Examining endpoint computers and servers to find malwares and suspicious files involved in malicious activities.
    - PC Vulnerabilities Scanning: Scanning the versions and vulnerabilities of the OS, applications and anti-virus software on personal computers.
Table 1. Information security check list in cybercrime investigation

3.2 Malware Forensic Flow
With the prevalence of APTs nowadays, the government network suffers a great number of threats from email phishing, Trojan horses and software-vulnerability attacks. For that reason, we have developed a standard operating process for malware forensics, used to find the sources, functions and infection paths of malware and to quickly discover infections in the network. First, we start the forensics from the suspicious computers. Depending on their status, we can apply network packet sniffing and analysis, volatile data collection and system image backup of the computers. Next, we use dynamic and static analysis to search for malicious and suspicious files, and apply sandbox analysis, disassembly and other approaches to confirm their behaviors and the sources of the C&C servers; by further comparing these with the network analysis and memory dump analysis, we construct a database of the memory clips and packet patterns of the malware. The complete forensic flow is shown in Figure 3.
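As an added example (not MJIB's own tooling and not code from the paper), the following Python script shows in working form how the network checks of Section 3.1, the cloud-storage exfiltration pattern of Section 2.2 and the indicator database of Section 3.2 fit together: it holds a small indicator database of C&C addresses, whitelisted cloud-storage hosts and byte patterns ("memory clips"), runs it over a gateway connection log, flags endpoints that either contact a listed C&C address or push upload-heavy traffic to cloud storage (the one signal left when the payload is TLS-encrypted and the destination is whitelisted), and searches a memory image for the recorded byte patterns. All indicator values, the log format, the sample log lines and the memory image are constructed for the example and are not real indicators from the cases described.

```python
"""Indicator-database triage over a gateway connection log and a memory image.

Added example (not MJIB's own tooling): all indicator values, log lines and
the memory image below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed indicator database. Addresses come from the documentation
# ranges (RFC 5737) and stand in for real C&C servers.
CC_IPS = {"203.0.113.7"}
# Commercial cloud-storage endpoints that sit on firewall/IDS whitelists.
CLOUD_STORAGE_HOSTS = {"storage.googleapis.com", "content.dropboxapi.com"}
# "Memory clips": byte patterns recorded from previously analysed samples
# (constructed values, not signatures of real malware).
MEMORY_PATTERNS = {
    "cloud_uploader_go": b"/upload/storage/v1/b/",
    "dropbox_stealer_cs": b"Dropbox-API-Arg",
}

# Constructed log format: <time> <src> -> <dst>:<port> host=<SNI> out=<bytes> in=<bytes>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+):(?P<port>\d+) "
    r"host=(?P<host>\S+) out=(?P<out>\d+) in=(?P<in>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["out"], rec["in"] = int(rec["out"]), int(rec["in"])
    return rec


def triage_connections(lines, min_upload_bytes=1_000_000, upload_ratio=10.0):
    """Flag endpoints that contact known C&C addresses or push upload-heavy
    traffic to cloud storage. Returns {src: [finding, ...]} containing only
    the endpoints that produced a finding."""
    findings = {}
    volume = defaultdict(lambda: [0, 0])  # (src, host) -> [bytes out, bytes in]
    for rec in filter(None, map(parse_line, lines)):
        if rec["dst"] in CC_IPS:
            findings.setdefault(rec["src"], []).append(
                f"connection to known C&C {rec['dst']}:{rec['port']}")
        if rec["host"] in CLOUD_STORAGE_HOSTS:
            v = volume[(rec["src"], rec["host"])]
            v[0] += rec["out"]
            v[1] += rec["in"]
    # The payload is TLS-encrypted and the destination is whitelisted, so
    # direction and volume are the signals left: ordinary browsing downloads
    # far more than it uploads, while an exfiltration channel does the opposite.
    for (src, host), (out_b, in_b) in volume.items():
        if out_b >= min_upload_bytes and out_b >= upload_ratio * max(in_b, 1):
            findings.setdefault(src, []).append(
                f"upload-heavy traffic to {host}: {out_b} bytes out, {in_b} bytes in")
    return findings


def scan_memory(image):
    """Search a memory image for the recorded byte patterns.
    Returns a list of (pattern name, offset) for every occurrence."""
    hits = []
    for name, pattern in MEMORY_PATTERNS.items():
        offset = image.find(pattern)
        while offset != -1:
            hits.append((name, offset))
            offset = image.find(pattern, offset + 1)
    return hits


# Constructed sample data: one C&C contact, one upload-heavy cloud session,
# one ordinary download from the same cloud host, one malformed line.
SAMPLE_LOG = [
    "2014-05-01T09:00:01 10.0.0.5 -> 198.51.100.20:443 host=www.example.gov.tw out=1200 in=48000",
    "2014-05-01T09:00:05 10.0.0.5 -> 203.0.113.7:8080 host=- out=900 in=300",
    "2014-05-01T09:01:00 10.0.0.8 -> 192.0.2.10:443 host=storage.googleapis.com out=52000000 in=42000",
    "2014-05-01T09:02:00 10.0.0.9 -> 192.0.2.10:443 host=storage.googleapis.com out=3000 in=9000000",
    "this line is not in the expected format",
]
# Constructed memory image: zero padding around one HTTP request fragment.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"GET /upload/storage/v1/b/example-bucket/o?uploadType=media HTTP/1.1\r\n"
    + b"\x00" * 32
)

if __name__ == "__main__":
    for src, items in triage_connections(SAMPLE_LOG).items():
        for item in items:
            print(f"{src}: {item}")
    for name, offset in scan_memory(SAMPLE_MEMORY):
        print(f"memory: pattern {name!r} at offset {offset}")
```

Running the script prints one line per finding; 10.0.0.9, which downloads from the same cloud host, is left alone because its volume runs in the normal direction. The thresholds (1 MB and a 10:1 out/in ratio) are placeholders to be tuned against a unit's own baseline traffic, and the byte patterns would in practice be populated from the memory dump and packet captures of samples already analysed in the forensic flow.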

Figure 3. Flow of malware forensics. (Flowchart; the decision and process nodes read: Start; Computer status? Power on / Shutdown; Network forensic? Sniff and analyze network packets at gateway; Collect volatile data and system snapshot; Memory dump and scanning of system memory; Computer can be shut down? Make live image / Make system image or disk bit-stream copy; Dynamic or static? Start image in virtual environment / Analyze suspicious files by mounting the image; Compare with blacklist and online databases; Extract all suspicious files; Sandbox; Disassembly; Is malware? Compare with network forensic and memory dump; Construct database; End.)

4. Mitigation and Prevention of Cyber Threats to Government
4.1 Government Configuration Baseline
The government configuration baseline (GCB) standardizes the security settings of endpoint devices such as personal computers and local servers. In order to reduce the chance of attacks on vulnerabilities caused by weak settings, we need to configure the operating environment we use as faultlessly as possible. The check items of the GCB include the length and complexity of passwords, the system update period, the exclusion of dangerous functions and other security settings of the OS and browser widely used in Taiwan's government units. Referring to the GCB provided by the U.S. government, we have constructed a version of our own, which contains 396 items including account policies, Windows 7 and firewall settings, and IE8 settings, as shown in Table 2. By implementing the GCB in every government unit, we can basically guarantee a secure operating environment.

Class                 Name                                        Sum   Subtotal
Windows 7             GCB Account Policy                            9   246
                      GCB Windows 7 Computer Energy Policy          4
                      GCB Windows 7 Computer Settings             225
                      GCB Windows 7 User Settings                   8
Windows 7 Firewall    GCB Windows 7 Firewall Settings              35    35
Internet Explorer 8   GCB Internet Explorer 8 Computer Settings   110   115
                      GCB Internet Explorer 8 User Settings         5
Total                                                                   396
Table 2. Items of the GCB

4.2 Construction of Local Security Operations Centers
Taiwan's government is strengthening the construction of local Security Operations Centers (SOCs), centralized units that monitor and deal with network security issues. At present, there is a central SOC that monitors the overall packet flow in real time at the main gateway of the central government in Taiwan, but controlling the flow at the main gateway is not enough, since some endpoint PCs and servers in the government units have already been taken over by malware and backdoors have already been opened. The local SOCs can guarantee the discovery and prevention of unusual flows in real time by supervising the local systems, such as Microsoft Active Directory servers and electronic official document exchange systems. More importantly, by cooperating with information security companies and training students who major in information management, we can gain more professionals and improve the awareness of system defense among local personnel.

4.3 Networking Attack Drill
Every year, the National Information and Communication Security Taskforce (NICST) in Taiwan holds a networking attack drill to uncover system vulnerabilities and assess the safety of every government institution.
The NICST invites security experts from all over the country to act as intruders and invade the computer systems using social engineering, website penetration, loophole exploitation and many other approaches; after the invasion, the experts list the deficiencies and score the security of each local system. Next, a situational drill takes place in written or video chat mode, simulating agencies that suffer severe targeted and persistent attacks, to test whether the authorities are familiar with standard procedures, emergency handling, defense mechanisms and notification. Last, a seminar is held to discuss the process and results of the drill, and foreign experts are invited to share relevant experience. The results of the networking attack drill are a good reference for the network authorities of each government unit to repair the vulnerabilities of their systems and enhance their defense consciousness.

5. Conclusion
In this article, we introduced some procedures to investigate attacks on government networks and proposed countermeasures against malicious network activities. While the cyber war is happening secretly and new attack methods are continuously being brought up, the policies of information security shall be reviewed frequently. With malicious activities always present on the internet, not only must the network authorities reinforce their capabilities to guard the government networks, but all staff in the government institutions shall have basic information security concepts in order to resist different threats.