Cyber Security Trends and
Incident Response System
JaeHyoung-Lee,
Korea Internet & Security Agency
Table of Contents
Ch 1 Cyber security trend
Ch 2 Cyber attack response system

Ch1 Cyber Security Trend
1. The Global Status of Cybercrime (2012)
Cybercrime cost $110 billion in the last year across 24 countries
Changing face of cybercrime
- Cybercrime goes social and mobile
- Mobile vulnerabilities doubled (2x) in 2011 compared with 2010
※ 2012 Norton Cybercrime Report (Symantec, ’12.7)
1. Cyber security trend
Purpose : self display → money extortion → cyber terror (social chaos)
Technique : manual → hidden, automatic → systematic, intelligent
Target : individual system → large scale, network → social infra, nation
● Hacking incident changes in the recent 10 years
[ Chart: level of threats by year (2000–2013), with the threat categories Virus, Worm, DDoS, Personal info leakage and APT ]
Incidents shown on the timeline:
- CIH (’97), Amazon/eBay DDoS (’00), Code Red (’01), Root DNS DDoS (’02)
- Slammer worm (’03), Blaster worm (’03), eBay hacking (’08), Auction (’08), 7.7 DDoS (’09)
- Stuxnet (’10), Nong-hyup (’11), 3.4 DDoS (’11), SK Coms (’11), Hyundai Capital (’11)
- Phishing sites (’12), 3.20 cyber terror (’13), 6.25 cyber terror (’13)
1. Cyber security trends
- Stuxnet infected a closed network isolated from the outside through USB and attacked and destroyed a SCADA-controlled system (July 2010)
- A Blaster worm caused the New York blackout (August 2003)
- Iran manipulated GPS signals to capture an American drone reconnaissance plane (December 2011)
- Cyber war between Russia and Estonia (2007) / Georgia cyber war (2008)
- India hacked the intelligence bureau of Pakistan (March 2013)
Target : Expanded to national and social infrastructures
1. Cyber security trend: Korea’s ICT Status
[ Bar chart: Internet Access & Broadband Penetration Rate, 1st – Korea, Netherlands, Iceland, Norway, Sweden (Internet / Broadband) ]
[ Bar chart: Wireless Internet Penetration Rate, 1st – Korea, Netherlands, Iceland, Norway, Sweden (Mobile-based / Terminal-based wireless Internet) ]

[ e-Government Development Index 1st ]
Nation           Ranking (2012)  Ranking (2010)  Note    Index
Korea            1               1               (=)     0.9283
Netherlands      2               5               3 (↑)   0.9125
United Kingdom   3               4               1 (↑)   0.8960

[ ICT Development Index 1st ]
Nation           Ranking (2011)  Ranking (2010)  Note    Index
Korea            1               1               (=)     8.40
Sweden           2               2               (=)     8.23
Iceland          3               7               4 (↑)   8.06
1. Cyber security trends
Major hacking incidents in Korea in 2012
1. Mobile security threats became a reality
2. Massive personal information disclosure
3. Phishing incidents posing as financial institutions increased rapidly
4. Small payment frauds are rapidly increasing
5. Endless DDoS attacks
1. Cyber War manual released
● The Tallinn Manual was created at the behest of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) (’13.3)
● Tallinn Manual on the International Law Applicable to Cyber Warfare
1. WATERING HOLE ATTACKS
● The attacker compromises a site likely to be visited by a particular group (organization, industry, or region)
< The watering hole attack on the Council on Foreign Relations (CFR) website (2012) >
1. March 20 cyber attack
Cyber terrorism against 6 companies including broadcasters and financial institutions, damaging 48,700 PCs and ATMs (March 20)
- Gained control of internal servers and PCs → Installed malicious codes in the S/W update servers → Distributed malicious codes to internal PCs → Destroyed internal PCs at a set time (14:00)
1. March 20 cyber attack (details of incident)
● Disguised as a vaccine (anti-virus) update to install mal-code after gaining control of internal servers and PCs
- Spread mal-code to the internal network as a vaccine update using the vaccine S/W release server
- At 14:00 the hacker commanded the destruction of hard disks
[ Diagram: Overview of Internal Infection – hacker’s C&C group, homepage, broadcasting/financial internal network (employee PCs, ATMs, vaccine and other S/W release server); remote control paths marked as confirmed or unconfirmed ]
① Injecting mal-code after hacking the homepage / attaching mal-code to email
② Employee’s PC / ATM infected by remote-control mal-code and controlled by the hacker
③ Hard disk termination code (3.20 13:49)
④ Hard disk termination code sent to PCs or servers (before March 20 14:00)
⑤ Infected PCs destroyed (March 20 14:00)
1. March 20 cyber attack
● Analyzed 76 malicious codes that damaged the systems and supported recovery
● Made and distributed vaccines for removing the malicious codes
● Reinforced monitoring of homepages in provision against additional attacks
● Operated an emergency response system
1. June 25 Cyber Attack
The websites of S. Korea’s presidential office, government agencies and some media organizations were attacked (June 25)
- Homepage defacement, DDoS attack, damaging and destroying servers
Ch2 Cyber attack Response System
2. Cyber attack response system
● The national cyber crisis management system is divided into the public sector, the private sector and national defense.
※ Korea Internet & Security Agency is in charge of preventing and responding to intrusions in the private sector
[ Organization chart ]
(Republic of Korea Blue House) – [National Security Office]
- Public: National Intelligence Service – National Cyber Security Center
- National defense: Ministry of National Defense – Cyber Command
- Private sector: Ministry of Science, ICT and Future Planning – KrCERT

Warning levels and criteria for issuance (highest to lowest)
- Critical : The Internet communication of the entire country is paralyzed.
- Severe : Multiple Internet operators’ networks and infrastructure are experiencing failures.
- Substantial : Local Internet communication and service failed.
- Moderate : The possibility of intrusions and diffusion is increasing.
- Normal : Always monitoring signs of abnormalities
2. Cyber attack response Process
- Collection/Detection (Monitoring): Collects incident-related information from major domestic ISPs, anti-virus vendors, remote detection sensors, and related overseas organizations
- Analysis/Consultation: Analyzes and evaluates the collected and detected information
- Propagation/Issuance: Informs the public of cyber threats by issuing alerts and security notices, and provides emergency response tips
- Response/Recovery: Guides persons in charge on their roles (e.g., vulnerability patching), enforces response techniques and supports recovery procedures
2. Cyber attack response system
Monitoring and responding to anomalous events on the Internet in the private sector 24 hours a day, 365 days a year.
Major projects – Operation of the 118 Counseling Center

2. Cyber attack response system
System for finding sites hiding malicious codes
[ Diagram: KISA inspects domestic homepages (2.3 million; media, politics, portal and shopping sites) through the Internet service provider network ]
2. Cyber attack response system
● Operation of DDoS shelter for SMEs
[ Diagram: after applying to the DDoS Shelter – traffic from the attacker and zombie PCs, together with normal traffic from normal PCs, is directed to the KISA DDoS Shelter; normal traffic reaches the web server ]
[DNS] [DNS A Record]
WWW 60 IN A webserver IP ↓ (change)
WWW 60 IN A shelter IP
Effective measure against large-scale DDoS attack

2. Cyber Curing System
Notify of malware infection and removal method using popup window
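The shelter cut-over shown on the slide is a single DNS A-record change: the owner and the short TTL (60) stay as they are and only the address is swapped, so the change (and the later swap back) propagates within one TTL. The block below models that step as an added example; it is not KISA code, and the zone lines and IP addresses in it are constructed.

```python
"""DDoS shelter cut-over via a DNS A-record change, as on the slide
("WWW 60 IN A webserver IP" -> "WWW 60 IN A shelter IP").
Added example, not KISA code; zone lines and addresses are constructed."""
import ipaddress
import re

# Constructed BIND-style zone fragment: owner TTL class type rdata.
SAMPLE_ZONE = """\
www  60   IN A    203.0.113.10
mail 3600 IN A    203.0.113.25
www  60   IN TXT  "v=spf1 -all"
"""

A_RECORD = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+A\s+(\S+)\s*$")


def parse_a_records(zone_text):
    """Return {owner: (ttl, IPv4Address)} for every A record; other types are ignored."""
    records = {}
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m:
            owner, ttl, ip = m.groups()
            records[owner.lower()] = (int(ttl), ipaddress.IPv4Address(ip))
    return records


def redirect_to_shelter(zone_text, owner, shelter_ip):
    """Point owner's A record at the shelter, leaving every other line untouched.
    Returns (new_zone_text, original_ip) so the web server IP can be restored later."""
    shelter = ipaddress.IPv4Address(shelter_ip)  # validate before touching the zone
    original_ip, out = None, []
    for line in zone_text.splitlines():
        m = A_RECORD.match(line)
        if m and m.group(1).lower() == owner.lower():
            original_ip = ipaddress.IPv4Address(m.group(3))
            # Owner and TTL stay as they were; only the rdata changes, as on the slide.
            line = f"{m.group(1)} {m.group(2)} IN A {shelter}"
        out.append(line)
    if original_ip is None:
        raise ValueError(f"no A record for {owner}")
    return "\n".join(out) + "\n", original_ip


def max_cutover_seconds(zone_text, owner):
    """Worst case until every resolver drops the cached old answer: the record's TTL,
    which is why the slide keeps the short TTL of 60 on the swapped record."""
    return parse_a_records(zone_text)[owner.lower()][0]
```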
2. International Cooperation
2. Request that the attack site and zombie be deleted.
3. Delete and stop attack
< A case of successful international cooperation >
March 4 DDoS attack – US-CERT cooperation
- Shared sample malicious codes and consulted with each other about analysis results
- Quickly deleted 51 sites and zombies in the US
< June 2011 Interview with US Secretary of Defense >
As the globe is connected with the Internet, transnational cyber attacks are possible.
International cooperation is mandatory if domestic organizations and citizens are attacked by hackers.
If damages are great, it will be regarded as ‘war,’ and aggressive actions will be taken.
The Korea Internet & Security Agency will make a beautiful and safe Internet world