171207-C-TAS Ecosystem(Sang Wook Seo) · 2017-12-11 · Ø Mobile Detection System Ø...



Page 1: 171207-C-TAS Ecosystem (Sang Wook Seo) · 2017-12-11
Page 2:

About authors

Sang Wook Seo (Speaker)
- General Researcher, National Cyber Intelligence Team, Korea Internet & Security Agency
- Ph.D. Course, Graduate School of Information Security, Korea University
- Big Data System & Data Architect, Data Mining & Machine Learning in Security

Jung Hee Kim
- Director, Cyber Threat Intelligence Center, Korea Internet & Security Agency
- Director of National & Global Cyber Threat Intelligence Cooperation in Korea

Dong Ryun Lee
- Manager, National Cyber Intelligence Team, Korea Internet & Security Agency
- Coordinator of National Cyber Threat Intelligence Network in Korea

Huy Kang Kim
- Associate Professor, Graduate School of Information Security, Korea University
- Founder of A3 Security Consulting (1999), Technical Director of NCSOFT (2004-2010)
- Online Game Security, Fraud Detection System, Network & System Security

Page 3:

Contents

1. C-TAS System
2. C-TEX Structure
3. Big Data in C-TAS

Page 4:

1. C-TAS System

Page 5:

1-1. Introduction to C-TAS System

C-TAS system was developed to prevent the spread of harm from various cyber incidents by collecting, analyzing and disseminating cyber threats.

Page 6:

1-2. Motivation & History

- 12.05 ~ 12.11 : MMS 1.0 & MML 1.0
- 13.08 ~ 13.12 : MMS 1.1 & MML 1.1
- 13.09 ~ 14.07 : C-TAS 1.0 & C-TAS 1.0
- 15.05 ~ 15.12 : C-TAS 1.1 & C-TEX 1.1 (MMS -> TIMS)
- 16.05 ~ 16.12 : C-TAS 1.2 & C-TEX 1.2 (with STIX 1.2)
- 17.05 ~ 17.12 : C-TAS 2.0 & C-TEX 2.0 (with STIX 2.0)
- by KISA (Korea Internet & Security Agency), August 2014

- 7.7 DDoS Attack (2009) & 3.4 DDoS Attack (2011)
- NH APT Attack (2011) & 3.20 APT Attack (2013, DarkSeoul)
- Korea Hydro & Nuclear Power Hacking (2014)

- C-TAS : Cyber Threat Analysis & Sharing
- C-TEX : Cyber Threat EXpression
- MMS : Malware Management System
- MML : Malware Markup Language
- TIMS : Threat Intelligence Management System

Page 7:

1-3. Collecting Cyber Threat

[Diagram: KISA Detection Systems and C-TAS Participants send Malware, Domain/IP and Vulnerability data to the C-TAS System. Detection systems feed a Collecting Agent automatically; participants submit via Agent, Web API or Website. The C-TAS System covers both Cyber Threat Collecting and Cyber Threat Sharing.]

Cyber Threat : Malware, Malicious Domain/IP, Vulnerability Info and etc.

Collecting Method : Agent, Web API, Website

Page 8:

1-4. Disseminating Cyber Threat

The ways to disseminate cyber threats are:

- Web API (export API) to respond to cyber threats in real time; TAXII to follow in 2018
- Website (https://cshare.krcert.or.kr) to download & upload cyber threats manually
- STIX/TAXII 2.0 will be supported in 2018 (C-TEX & STIX 2.0)

[Diagram: C-TAS System disseminating to C-TAS Participants via ① Web API (export API) & TAXII (2018) and ② Website (https://cshare.krcert.or.kr)]

Page 9:

1-5. Sharing Policy

The sharing policy is: ① No free-riding ② Type & Quality Symmetric

- If you want cyber threats, you must share cyber threats (no free-riding)
- You can get the same types of cyber threat you share (type symmetric)
- The amount you share decides your grade (4 grades)
- Higher grades give you additional information (quality symmetric)

[Diagram: C-TAS System sharing with C-TAS Participants depending on the grade]
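The four policy rules above can be expressed as a small access-control function. The following Python is an added example, not KISA's or the presenter's code: it encodes no free-riding, type symmetry, a 4-grade scale and quality symmetry. The deck gives no numeric grade thresholds and no field-level visibility rules, so `GRADE_THRESHOLDS`, the per-field minimum grades in `SAMPLE_RECORD`, and the record shape itself are assumptions made for illustration.

```python
"""C-TAS-style sharing policy evaluator (added example, not KISA's code).

Rules from the slide: no free-riding, type symmetry, 4 grades driven by the
amount shared, higher grades see more. Thresholds and per-field minimum
grades below are assumptions; the deck gives no such numbers.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# ASSUMPTION: minimum number of shared items for grades 1..4 (deck only says "4 grades").
GRADE_THRESHOLDS = (0, 100, 1_000, 10_000)


@dataclass
class Participant:
    name: str
    shared: Counter = field(default_factory=Counter)  # threat type -> items shared

    def share(self, threat_type: str, count: int = 1) -> None:
        if count <= 0:
            raise ValueError("count must be positive")
        self.shared[threat_type] += count

    def total_shared(self) -> int:
        return sum(self.shared.values())

    def grade(self) -> int:
        """Grade 1..4 from the amount shared (assumed thresholds)."""
        total = self.total_shared()
        return max(g for g, need in enumerate(GRADE_THRESHOLDS, start=1) if total >= need)


def can_receive(p: Participant, threat_type: str) -> bool:
    """Rule 1 (no free-riding) and rule 2 (type symmetry): a participant gets
    threat type T only if it has shared at least one item of type T."""
    return p.total_shared() > 0 and p.shared[threat_type] > 0


def release(p: Participant, record: dict) -> Optional[dict]:
    """Filter one threat record for a participant.

    `record` is a constructed shape: {"type": str, "fields": {name: (value, min_grade)}}.
    Returns None when the participant may not receive this type at all; otherwise
    only the fields whose min_grade the participant's grade meets (quality symmetry).
    """
    if not can_receive(p, record["type"]):
        return None
    g = p.grade()
    return {name: value for name, (value, min_grade) in record["fields"].items() if g >= min_grade}


# Constructed sample record (not real threat data); per-field minimum grade is an assumption.
SAMPLE_RECORD = {
    "type": "malware",
    "fields": {
        "sha256": ("<placeholder-hash>", 1),
        "first_seen": ("2017-12-07", 1),
        "family": ("<placeholder-family>", 2),
        "analyst_note": ("<placeholder-note>", 3),
    },
}


def demo() -> dict:
    """Three constructed participants against SAMPLE_RECORD; returns what each receives."""
    active = Participant("active")   # shares 150 malware items -> grade 2
    active.share("malware", 150)
    novice = Participant("novice")   # shares 3 malware items -> grade 1
    novice.share("malware", 3)
    rider = Participant("rider")     # shares nothing -> receives nothing
    return {p.name: release(p, SAMPLE_RECORD) for p in (active, novice, rider)}


if __name__ == "__main__":
    for name, view in demo().items():
        print(name, view)
```

The point of keeping `can_receive` separate from `release` is that the type check is a hard gate (a free-rider gets `None`, not an empty dict), while grade only trims fields; a real deployment would also log every denied request so unusual pull patterns show up.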

Page 10:

1-6. C-TEX Sample

[Slide shows two side-by-side sample listings: C-TEX 1.2 (XML) and C-TEX 2.0 (JSON)]

Page 11:

1-7. C-TEX to STIX

[Slide shows a side-by-side mapping: C-TEX 1.2 (XML) to STIX 1.2 (XML)]

Page 12:

1-8. Supports for C-TAS Participants

C-TAS AM : Tool for C-TAS participants to search and visualize cyber threats easily

[Diagram: C-TAS → Export API → C-TAS Participant running the C-TAS Analysis Module (① C-TAS Converter → ② Elasticsearch → ③ Kibana, backed by Storage) → Users]

① Logstash is replaced by C-TAS Converter to support C-TEX
② Elasticsearch helps C-TAS participants to search cyber threats
③ Kibana helps C-TAS participants to visualize cyber threats

Page 13:

1-8. Supports for C-TAS Participants

Page 14:

1-9. Cyber Threat Use Cases

For All Participants

[Diagram: ① C-TAS Threat DB → Export API → C-TAS Participants; ② participants apply the threats to Firewall, IDS and IPS]

Page 15:

1-9. Cyber Threat Use Cases

For AV & Security

[Diagram: ① C-TAS Threat DB → Export API → C-TAS Participants; ② update malware signatures; ③ malware diagnostics for Antivirus Users]

Page 16:

1-9. Cyber Threat Use Cases

For Web Service

[Diagram: ① C-TAS Threat DB → Export API → C-TAS Participants; ② a user uploads a file to the web service (File Storage, Mail, Blog, Board); ③ the service compares the file hash to the Threat DB]
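The three use cases on slides 14 to 16 share one consumer: read the export API feed, then turn it into firewall/IDS/IPS block lists, AV signature hashes, and an upload-time hash check. The Python below is an added example, not KISA's code. The deck does not show the C-TEX 2.0 JSON layout, so the `{"type", "value", ...}` record shape is an assumption, and every indicator in `EXPORT_JSON` is constructed (documentation-range IP, `.invalid` domain, a hash of constructed bytes), not a real IoC.

```python
"""Consumer for a C-TAS-style export feed (added example, not KISA's code).

Covers the three use cases on the slides: block lists for firewall/IDS/IPS,
signature hashes for AV, and comparing an uploaded file's hash to the threat
DB. Record shape and feed content are constructed assumptions.
"""
import hashlib
import ipaddress
import json
from typing import Dict, Iterable, List, Set

# Constructed sample upload and its digest; NOT real malware, just bytes.
_MALICIOUS_SAMPLE = b"CONSTRUCTED SAMPLE BYTES - NOT A REAL MALWARE FILE\n"
_SAMPLE_SHA256 = hashlib.sha256(_MALICIOUS_SAMPLE).hexdigest()

# Constructed export-API response in an ASSUMED layout.
EXPORT_JSON = json.dumps({
    "threats": [
        {"type": "ip", "value": "192.0.2.10"},             # TEST-NET-1 documentation range
        {"type": "ip", "value": "192.0.2.10"},             # duplicate on purpose
        {"type": "ip", "value": "not-an-ip"},              # malformed entry on purpose
        {"type": "domain", "value": "Example.INVALID."},   # mixed case + trailing dot
        {"type": "malware", "value": _SAMPLE_SHA256, "hash": "sha256"},
        {"type": "vulnerability", "value": "<placeholder-vuln-id>"},
    ]
})


def parse_export(text: str) -> List[dict]:
    return json.loads(text)["threats"]


def block_list(records: Iterable[dict]) -> Dict[str, List[str]]:
    """Use case 1: IP/domain indicators validated and deduplicated for a
    firewall/IDS/IPS rule generator. Malformed IPs are dropped, domains normalised."""
    ips: Set[str] = set()
    domains: Set[str] = set()
    for r in records:
        if r["type"] == "ip":
            try:
                ips.add(str(ipaddress.ip_address(r["value"])))
            except ValueError:
                continue  # one bad entry must not poison the whole rule set
        elif r["type"] == "domain":
            domains.add(r["value"].strip().rstrip(".").lower())
    return {"ips": sorted(ips), "domains": sorted(domains)}


def signature_set(records: Iterable[dict]) -> Set[str]:
    """Use case 2: SHA-256 hashes for signature updates (lower-cased, length-checked)."""
    out: Set[str] = set()
    for r in records:
        if r["type"] == "malware" and r.get("hash") == "sha256":
            h = r["value"].lower()
            if len(h) == 64 and all(c in "0123456789abcdef" for c in h):
                out.add(h)
    return out


def sha256_stream(chunks: Iterable[bytes]) -> str:
    """Hash an upload incrementally so large files never sit fully in memory."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def check_upload(chunks: Iterable[bytes], signatures: Set[str]) -> dict:
    """Use case 3: compare the uploaded file's hash to the threat DB before storing it."""
    digest = sha256_stream(chunks)
    return {"sha256": digest, "known_malicious": digest in signatures}


def demo() -> dict:
    records = parse_export(EXPORT_JSON)
    sigs = signature_set(records)
    return {
        "block_list": block_list(records),
        "signatures": sigs,
        "bad_upload": check_upload([_MALICIOUS_SAMPLE[:10], _MALICIOUS_SAMPLE[10:]], sigs),
        "good_upload": check_upload([b"harmless document body\n"], sigs),
    }


if __name__ == "__main__":
    print(json.dumps({k: (sorted(v) if isinstance(v, set) else v) for k, v in demo().items()}, indent=2))
```

Validation before use matters more than it looks: a feed consumer that pushes an unparsed string straight into a firewall rule turns a typo in the feed into an outage, and a hash compared in mixed case silently never matches.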

Page 17:

2. C-TEX Structure

Page 18:

2-1. Introduction to C-TEX

- To make it easy for everybody to share cyber threats
- Even for kids!
- Markup Language to express cyber threats

- 12.05 ~ 12.11 : MMS 1.0 & MML 1.0
- 13.08 ~ 13.12 : MMS 1.1 & MML 1.1
- 13.09 ~ 14.07 : C-TAS 1.0 & C-TAS 1.0
- 15.05 ~ 15.12 : C-TAS 1.1 & C-TEX 1.1 (MMS -> TIMS)
- 16.05 ~ 16.12 : C-TAS 1.2 & C-TEX 1.2 (with STIX 1.2)
- 17.05 ~ 17.12 : C-TAS 2.0 & C-TEX 2.0 (with STIX 2.0)

- C-TAS : Cyber Threat Analysis & Sharing
- C-TEX : Cyber Threat EXpression
- MMS : Malware Management System
- MML : Malware Markup Language
- TIMS : Threat Intelligence Management System

Page 19:

2-2. C-TEX Structure

CML (Collect Markup Language)
- Address, Sample, Vulnerability

IML (Incident Markup Language)
- Details on cyber Incident

DML (Domain Markup Language)
- Details on registered Domain

HML (Host Markup Language)
- Details on hacked Host

SML (Sample Markup Language)
- Details on malware Sample

VML (Vulnerability Markup Language)
- Details on Vulnerability info

AML (Adversary Markup Language)
- Details on Adversary

Collect Markup Language: Address (Domain/IP), Sample (Malware), Vulnerability (Vulnerability)

Core Markup Languages: Incident, Domain, Host, Sample, Vulnerability, Adversary

Page 20:

2-3. C-TEX Schema

Page 21:

2-4. C-TEXg Structure

[Diagram: two incidents (Incident 1, Incident 2), each linked to Sample, Host and Vulnerability nodes; the edge labels on the slide are control, infect, spread, exploit, drop, relay, conduct, found and register. Domain nodes attach to Hosts (register) and a single Adversary node attaches to both incidents (conduct).]

- AML (Adversary) has relationships with IML (Incident)
- IML (Incident) has relationships with HML (Host), SML (Sample), VML (Vulnerability)
- HML (Host), SML (Malware), VML (Vulnerability) have relationships with each other
- HML (Host) has a relationship with DML (Domain)
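The four relationship statements above define which object types may be linked in a C-TEXg graph, which is exactly what a receiving system should check before merging shared intelligence into its own graph. The Python below is an added example, not KISA's code or schema: node types come from slide 2-2, the allowed type pairs from the four statements on this slide, and the verb set from the edge labels drawn on it. The deck does not say which verb goes with which type pair, so the verb choices in the constructed sample graph are assumptions and the validator only checks verbs against the slide's label set.

```python
"""Type-level validator for C-TEXg relationships (added example, not KISA's schema).

Node types: the core C-TEX markup languages (slide 2-2); CML is the collection
format and does not appear as a graph node here. Allowed type pairs follow the
four statements on slide 2-4; verbs are the slide's edge labels. The verb-to-
pair mapping in SAMPLE_EDGES is an assumption.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

NODE_TYPES = {"IML", "DML", "HML", "SML", "VML", "AML"}
RELATION_VERBS = {"conduct", "found", "control", "infect", "spread",
                  "exploit", "drop", "relay", "register"}

# Unordered type pairs that may be linked: AML-IML; IML-HML/SML/VML;
# HML/SML/VML with each other; HML-DML.
ALLOWED_PAIRS = {
    frozenset(p) for p in [
        ("AML", "IML"),
        ("IML", "HML"), ("IML", "SML"), ("IML", "VML"),
        ("HML", "SML"), ("HML", "VML"), ("SML", "VML"),
        ("HML", "DML"),
    ]
}

Edge = Tuple[str, str, str]  # (source id, verb, target id)


def validate(nodes: Dict[str, str], edges: List[Edge]) -> List[str]:
    """Return a list of problems; an empty list means the graph fits the structure."""
    problems = []
    for node_id, node_type in nodes.items():
        if node_type not in NODE_TYPES:
            problems.append(f"{node_id}: unknown type {node_type}")
    for src, verb, dst in edges:
        if src not in nodes or dst not in nodes:
            problems.append(f"{src} -{verb}-> {dst}: unknown node")
            continue
        if verb not in RELATION_VERBS:
            problems.append(f"{src} -{verb}-> {dst}: unknown verb")
        if frozenset((nodes[src], nodes[dst])) not in ALLOWED_PAIRS:
            problems.append(f"{src} -{verb}-> {dst}: {nodes[src]} may not link to {nodes[dst]}")
    return problems


def incident_objects(nodes: Dict[str, str], edges: List[Edge], incident: str) -> Set[str]:
    """Host/Sample/Vulnerability objects an incident record links to directly."""
    out = set()
    for src, _, dst in edges:
        if src == incident and nodes[dst] in {"HML", "SML", "VML"}:
            out.add(dst)
        elif dst == incident and nodes[src] in {"HML", "SML", "VML"}:
            out.add(src)
    return out


def shared_objects(nodes: Dict[str, str], edges: List[Edge]) -> Dict[str, int]:
    """Objects linked to more than one incident: the pivot points between incidents."""
    counts: Counter = Counter()
    for inc in (n for n, t in nodes.items() if t == "IML"):
        for obj in incident_objects(nodes, edges, inc):
            counts[obj] += 1
    return {obj: n for obj, n in counts.items() if n > 1}


# Constructed graph in the shape of slide 2-4: two incidents, one adversary,
# one vulnerability seen in both incidents. Identifiers are placeholders.
SAMPLE_NODES = {"adv-1": "AML", "inc-1": "IML", "inc-2": "IML",
                "host-1": "HML", "host-2": "HML", "sample-1": "SML",
                "vuln-1": "VML", "domain-1": "DML"}
SAMPLE_EDGES: List[Edge] = [
    ("adv-1", "conduct", "inc-1"), ("adv-1", "conduct", "inc-2"),
    ("inc-1", "found", "host-1"), ("inc-1", "found", "sample-1"), ("inc-1", "found", "vuln-1"),
    ("sample-1", "infect", "host-1"), ("sample-1", "exploit", "vuln-1"),
    ("host-1", "register", "domain-1"),
    ("inc-2", "found", "host-2"), ("inc-2", "found", "vuln-1"),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE_NODES, SAMPLE_EDGES))
    print("shared between incidents:", shared_objects(SAMPLE_NODES, SAMPLE_EDGES))
```

`shared_objects` is the analyst's reason for wanting the graph in the first place: an object that two incident records both reference is where separate reports start to look like one campaign.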

Page 22:

2-5. C-TEXg Schema

Page 23:

2-6. Internal Sources

Cyber Threat Detection Systems
- Web Crawler
- DDoS Defense System
- Email Detection System
- Mobile Detection System
- Honeypot/Honeynet
- DNS Sinkhole
- etc.

Threat Intelligence Mngmt. System
- Incident Mngmt. System
- Malware Mngmt. System
- Vulnerability Mngmt. System

Cyber Threat Detection Systems collect cyber threats in CML.

The analysts turn cyber threat information into intelligence in IML, HML, SML, VML, AML.

Page 24:

2-7. C-TEX Use Case (Drive By Download)

[Graph on the slide; node labels as extracted, grouped by the legend (Website, Malware, C2). Annotation: Same Domain.]

Website nodes: domain1.com/1, domain1.com/2, domain2.or.kr/1, domain3.co.kr/1, domain3.co.kr/2, domain4.co.kr/1, domain4.co.kr/2, domain5.com/1, domain6.org/1, domain7.co.kr/1, domain8.co.kr/1, domain9.co.kr/1, domain10.com/1, domain11.co.kr/1

Malware nodes: vire.emf, qqkj.emf, wiee.emf, upvd.emf, ookm.emf, fopo.emf, qubn.emf

C2 node: 192.187.127.xxx

Page 25:

2-7. C-TEX Use Case (Drive By Download)

[Extended graph on the slide; node labels as extracted, grouped by the legend (Website, Malware, C2). Annotations: Same Hosting Company, Same Domain.]

Website nodes: domain1.com/1, domain2.or.kr/1, domain2.or.kr/2, domain2.or.kr/3, domain3.co.kr/1, domain4.com/1, domain5.co.kr/1, domain6.co.kr/1, domain7.com/1, domain8.co.kr/1, domain9.co.kr/1, domain10.com/1, d11.co.kr/1, d12.co.kr/1, d13.co.kr/1, domain14.org/1, domain15.or.kr/1

Malware nodes: upvd.emf, ookm.emf, fopo.emf, eyip.exe, hlkk.exe, asqw.emf, qwas.emf, srab.emf, kasm.exe

C2 nodes: 121.115.165.xxx, 192.187.127.xxx

Page 26:

2-8. C-TEXg Use Case (Drive By Download)

Page 27:

3. Big Data in C-TAS

Page 28:

3-1. Big Data Platform in C-TAS

[Platform diagram; layer labels recovered from the slide: Application, Disseminating]

Page 29:

3-2. Big Data Analysis in C-TAS

    library(sna)                                                     # social network analysis package
    edgelist <- read.csv(file="edgelist.csv", header=TRUE, sep=",")  # two columns: source node, target node
    nodelist <- read.csv(file="nodelist.csv", header=TRUE, sep=",")  # one column: node name
    edgelist <- as.matrix(edgelist)
    nodelist <- as.matrix(nodelist)
    adjacency <- matrix(data=0, nrow=25, ncol=25)                    # 25 x 25 zero matrix, one row/column per node
    rownames(adjacency) <- nodelist
    colnames(adjacency) <- nodelist
    adjacency[edgelist] <- 1                                         # mark each (source, target) pair as an edge
    # Freeman (in + out) degree centrality on the directed graph, self-loops ignored
    centrality <- degree(dat=adjacency, gmode="digraph", diag=FALSE, cmode="freeman", rescale=FALSE)
    # circular layout; vertex size grows with sqrt(centrality) so hubs stand out
    gplot(dat=adjacency, mode="circle", label.cex=0.8, edge.col="grey", displaylabels=TRUE,
          vertex.cex=sqrt(centrality), vertex.col="white", label.pos=5)
    plot_data <- data.frame(nodelist, centrality)
    plot_data <- plot_data[order(-centrality), ]                     # rank nodes by centrality, highest first
    # bar chart of centrality: nodes with centrality below 3 drawn red, the rest blue
    barplot(plot_data[,2], names.arg=plot_data[,1], col=ifelse(plot_data[,2]<3, "red", "blue"),
            xlab="node", ylab="centrality", main="TNA")
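The R steps above (edge list → adjacency matrix → Freeman degree → ranked bar chart) are worth seeing on concrete data, since the output is what tells an analyst which node in a drive-by-download graph is the hub worth blocking first. The Python below is an added example, not the presenter's code: it ports the same pipeline without the `sna` dependency and checks the result. Node names are borrowed from the 2-7 use-case slides, but the edges (website → malware → C2) are constructed for illustration, and the two CSV layouts (`edgelist.csv` with `from,to`, `nodelist.csv` with `node`) are assumptions about what the slide's `read.csv` calls expect.

```python
"""Degree-centrality ranking of a threat graph, a Python port of the R/sna steps
on slide 3-2 (added example, not the presenter's code).

Edges and CSV layouts are constructed assumptions; node names only are
borrowed from the drive-by-download use case.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed edge list: websites deliver malware samples, samples call one C2.
EDGELIST_CSV = """from,to
domain1.com/1,vire.emf
domain3.co.kr/1,vire.emf
domain10.com/1,vire.emf
domain4.co.kr/2,qqkj.emf
domain6.org/1,qqkj.emf
domain9.co.kr/1,qubn.emf
vire.emf,192.187.127.xxx
qqkj.emf,192.187.127.xxx
qubn.emf,192.187.127.xxx
"""

NODELIST_CSV = """node
domain1.com/1
domain3.co.kr/1
domain10.com/1
domain4.co.kr/2
domain6.org/1
domain9.co.kr/1
vire.emf
qqkj.emf
qubn.emf
192.187.127.xxx
"""


def read_edges(text: str) -> List[Tuple[str, str]]:
    return [(r["from"], r["to"]) for r in csv.DictReader(io.StringIO(text))]


def read_nodes(text: str) -> List[str]:
    return [r["node"] for r in csv.DictReader(io.StringIO(text))]


def adjacency_matrix(nodes: List[str], edges: List[Tuple[str, str]]) -> List[List[int]]:
    """0/1 matrix with one row/column per node (R: adjacency[edgelist] <- 1).
    Unlike R's silent NA on a bad name, an edge naming an unknown node fails loudly."""
    idx = {n: i for i, n in enumerate(nodes)}
    m = [[0] * len(nodes) for _ in nodes]
    for src, dst in edges:
        if src not in idx or dst not in idx:
            raise ValueError(f"edge refers to a node missing from the node list: {src} -> {dst}")
        m[idx[src]][idx[dst]] = 1
    return m


def freeman_degree(nodes: List[str], m: List[List[int]]) -> Dict[str, int]:
    """In-degree + out-degree per node with self-loops ignored: the quantity
    sna::degree(gmode="digraph", diag=FALSE, cmode="freeman") returns."""
    n = len(nodes)
    return {
        node: sum(m[i][j] for j in range(n) if j != i) + sum(m[j][i] for j in range(n) if j != i)
        for i, node in enumerate(nodes)
    }


def ranked(centrality: Dict[str, int], low_threshold: int = 3) -> List[Tuple[str, int, bool]]:
    """Descending by centrality (R: plot_data[order(-centrality),]); the flag mirrors
    the barplot colouring: True (blue) at or above the threshold, False (red) below."""
    return [(node, c, c >= low_threshold)
            for node, c in sorted(centrality.items(), key=lambda kv: -kv[1])]


def analyse(edgelist_csv: str = EDGELIST_CSV, nodelist_csv: str = NODELIST_CSV):
    nodes = read_nodes(nodelist_csv)
    m = adjacency_matrix(nodes, read_edges(edgelist_csv))
    return ranked(freeman_degree(nodes, m))


if __name__ == "__main__":
    for node, c, hub in analyse():
        print(f"{node:20s} {c:2d} {'hub' if hub else ''}")
```

On the constructed data the sample `vire.emf` (three delivery sites plus its C2 link) and the shared C2 address rank above every individual website, which is the practical reading of the chart: the handful of high-degree nodes are the ones whose blocking or takedown cuts the most paths.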

Page 30: