Cyber Security Trends and Incident Response System
JaeHyoung-Lee, Korea Internet & Security Agency
Source: 2013.rigf.asia/wp-content/uploads/2013/09/CyberSecurity_Trend.pdf

Page 1

Cyber Security Trends and Incident Response System
JaeHyoung-Lee, Korea Internet & Security Agency

Page 2

Table of Contents

Ch 1 Cyber security trend
Ch 2 Cyber attack response system

Page 3

Ch1 Cyber Security Trend

Page 4

1. The Global Status of Cybercrime (2012)

Cybercrime cost $110 billion in the last year in 24 countries.

Changing face of cybercrime:
- Cybercrime goes social and mobile
- Mobile vulnerabilities doubled (2x) in 2011 from 2010

※ Source: 2012 Norton Cybercrime Report (Symantec, July 2012)

Page 5

1. Cyber security trend

● Hacking incidents: changes in the recent 10 years
- Purpose: self display → money extortion → cyber terror (social chaos)
- Technique: manual, hide → automatic, systematic → intelligent
- Target: individual, system → large scale, network → social infra, nation

[Figure: level of threats by year, 2000-2013; threat types over time: Virus → Worm → DDoS → Personal info leakage → APT → Phishing. Incidents plotted, in chronological order:]
- CIH ('97)
- Amazon, eBay DDoS ('00)
- Code Red ('01)
- Root DNS DDoS ('02)
- Slammer worm ('03)
- Blaster worm ('03)
- eBay hacking ('08), Auction ('08)
- 7.7 DDoS ('09)
- Stuxnet ('10)
- 3.4 DDoS ('11), Nong-hyup ('11), SK Coms ('11), Hyundai Capital ('11)
- Phishing sites ('12)
- 3.20 cyber terror ('13), 6.25 cyber terror ('13)

Page 6

1. Cyber security trends

- Stuxnet infected through USB (July 2010): attacked and destroyed a SCADA-controlled system on a closed network isolated from the outside
- A Blaster worm caused the New York blackout (August 2003)
- Iran manipulated GPS signals to capture an American drone reconnaissance plane (December 2011)
- Cyber war between Russia and Estonia (2007) / Georgia cyber war (2008)
- India hacked the intelligence bureau of Pakistan (March 2013)

Target: Expanded to national and social infrastructures

Page 7

1. Cyber security trend: Korea's ICT Status

[Chart: Internet Access & Broadband Penetration Rate, 1st; countries shown: Korea, Netherlands, Iceland, Norway, Sweden]

[Chart: Wireless Internet Penetration Rate, 1st (mobile-based wireless Internet and terminal-based wireless Internet); countries shown: Korea, Netherlands, Iceland, Norway, Sweden]

[Table: e-Government Development Index, 1st (2012)]
Nation           Rank 2012   Rank 2010   Change   Index
Korea            1           1           (=)      0.9283
Netherlands      2           5           3(↑)     0.9125
United Kingdom   3           4           1(↑)     0.8960

[Table: ICT Development Index, 1st (2011)]
Nation           Rank 2011   Rank 2010   Change   Index
Korea            1           1           (=)      8.40
Sweden           2           2           (=)      8.23
Iceland          3           7           4(↑)     8.06

Page 8

1. Cyber security trends

Major hacking incidents in Korea in 2012:
1. Mobile security threats became a reality
2. Massive personal information disclosure
3. Phishing incidents posing as financial institutions increase rapidly
4. Small payment frauds are rapidly increasing
5. Endless DDoS attacks

Page 9

1. Cyber War manual released

● The Tallinn Manual was created at the behest of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) (March 2013)
● Tallinn Manual on the International Law Applicable to Cyber Warfare

Page 10

1. Watering hole attacks

● The attacker compromises a site likely to be visited by a particular group (organization, industry, or region)

< The watering hole attack on the Council on Foreign Relations (CFR) website (2012) >

Page 11

1. March 20 cyber attack

Cyber terrorism against 6 companies including broadcasters and financial institutions, damaging 48,700 PCs and ATMs (March 20)

- Attack sequence: gained control of internal servers and PCs → installed malicious code on the S/W update servers → distributed malicious code to internal PCs → destroyed internal PCs at a set time (14:00)

Page 12

1. March 20 cyber attack (details of incident)

● After gaining control of an internal server and PC, the malicious code was installed disguised as a vaccine (anti-virus) update
- Spread the malicious code to the internal network as a vaccine update, using the vaccine S/W release server
- At 14:00 the hacker commanded the destruction of hard disks

[Figure: Overview of internal infection in the broadcasting/financial internal network. Entry paths are marked confirmed or unconfirmed; employee PCs and ATMs are under remote control from the hacker's group of C&C servers.]
① Malicious code injected into a PC or server after hacking (via the homepage), or attached to an email
② Employee PCs / ATMs infected by the remote-control malicious code and controlled by the hacker
③ Hard disk termination code issued (March 20, 13:49)
④ Hard disk termination code sent through the vaccine and other S/W release server (before March 20, 14:00)
⑤ Infected PCs destroyed (March 20, 14:00)
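The chain above turned the vaccine S/W release server into the distribution point for the wiper. A defender's check against exactly that step, as an added example that is not part of the original slides and not KISA's or any vendor's software: an update client that refuses a package unless its signature verifies under a vendor public key shipped with the client, so a compromised release server can neither alter a signed package nor sign one of its own. The textbook-RSA signing routine, the key size, the package bytes and the names (generate_signing_keypair, sign_package, verify_package, UpdateClient.apply_update) are constructed for this example; a real deployment would use a standard scheme such as RSA-PSS or Ed25519 from a vetted library.

```python
"""Update-client signature check (constructed example, not KISA's or any vendor's code).

Lesson from the March 20 incident: once the software update (vaccine release) server
is under attacker control, anything it serves is untrusted. The client below installs
a package only if its signature verifies under a vendor public key shipped with the
client, so the private signing key never has to exist on the release server.

The signature scheme is textbook RSA over a SHA-256 digest, a stand-in for a
production scheme such as RSA-PSS or Ed25519 so that the example runs on the
standard library alone. Key size, package contents and names are constructed.
"""
import hashlib
import random

_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin probable-prime test (enough for a constructed demo key)."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1  # fixed size, odd
        if _is_probable_prime(cand):
            return cand


def generate_signing_keypair(bits: int = 512):
    """Return (public_key, private_key) as (n, e) / (n, d). Toy size; the private
    half belongs on the vendor's offline signing host, never on the release server."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest_int(package: bytes) -> int:
    return int.from_bytes(hashlib.sha256(package).digest(), "big")


def sign_package(private_key, package: bytes) -> int:
    n, d = private_key
    return pow(_digest_int(package), d, n)


def verify_package(public_key, package: bytes, signature: int) -> bool:
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(package)


class UpdateClient:
    """Installs a package only if its signature verifies under the pinned vendor key."""

    def __init__(self, vendor_public_key):
        self.vendor_public_key = vendor_public_key  # trust anchor shipped with the client
        self.installed = []

    def apply_update(self, package: bytes, signature: int) -> bool:
        if not verify_package(self.vendor_public_key, package, signature):
            return False  # refuse: the release server is not trusted on its own
        self.installed.append(package)
        return True


def demo():
    """Genuine package installs; the same package altered on the release server,
    or re-signed with a key the attacker generated, is refused."""
    vendor_pub, vendor_priv = generate_signing_keypair()
    client = UpdateClient(vendor_pub)
    genuine = b"vaccine-engine 2013.03.19 (constructed package body)"
    sig = sign_package(vendor_priv, genuine)
    genuine_ok = client.apply_update(genuine, sig)
    tampered = b"vaccine-engine 2013.03.19 (constructed body with wiper appended)"
    replay_ok = client.apply_update(tampered, sig)  # old signature, altered body
    _, attacker_priv = generate_signing_keypair()   # attacker's own key, not the vendor's
    resigned_ok = client.apply_update(tampered, sign_package(attacker_priv, tampered))
    return genuine_ok, replay_ok, resigned_ok, len(client.installed)


if __name__ == "__main__":
    print(demo())
```

Running the module calls demo(), which shows the genuine package installing and both the altered package (old signature replayed) and the attacker-re-signed package being refused. The point is where the key lives: verification needs only the public half, so the release server holds nothing an attacker could use to produce a valid signature for a modified package.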

Page 13

1. March 20 cyber attack

● Analyzed 76 malicious codes that damaged the systems and supported recovery
● Made and distributed vaccines for removing the malicious codes
● Reinforced monitoring of homepages in provision against additional attacks
● Operated an emergency response system

Page 14

1. June 25 Cyber Attack

The websites of South Korea's presidential office, government agencies and some media organizations were attacked (June 25)
- Homepage defacement, DDoS attack, damaging and destroying servers

Page 15

Ch2 Cyber attack Response System

Page 16

2. Cyber attack response system

● The national cyber crisis management system is divided into the public sector, the private sector and national defense.
※ Korea Internet & Security Agency is in charge of preventing and responding to intrusions in the private sector

[Organization chart]
- National Security Office (Republic of Korea Blue House)
  - Public: National Intelligence Service / National Cyber Security Center
  - National defense: Ministry of National Defense / Cyber Command
  - Private sector: Ministry of Science, ICT and Future Planning / KrCERT

Warning levels and criteria for issuance:
- Critical: The Internet communication of the entire country is paralyzed.
- Severe: Multiple Internet operators' networks and infrastructure are experiencing failures.
- Substantial: Local Internet communication and service failed.
- Moderate: The possibility of intrusions and diffusion is increasing.
- Normal: Always monitoring signs of abnormalities.

Page 17

2. Cyber attack response process

- Monitoring (collection and detection): Collects incident-related information from major domestic ISPs, anti-virus vendors, remote detection sensors and related overseas organizations
- Analysis (and consultation): Analyzes and evaluates the collected and detected information
- Propagation (alert issuance): Issues alerts and security notices to inform the public of cyber threats, and provides emergency response tips
- Recovery (response): Guides those in charge on their role, such as vulnerability patching, enforces response techniques and supports the recovery procedure

Page 18

2. Cyber attack response system

Monitoring and responding to anomalous events on the Internet in the private sector 24 hours a day, 365 days a year.

Page 19

2. Cyber attack response system
Major projects – Operation of the 118 call center

[Figure: System for finding sites hiding malicious codes. KISA connects through the Internet service provider's Internet network to domestic homepages (2.3 million; media, politics, portal and shopping sites).]

Page 20

2. Cyber attack response system

● Operation of DDoS shelter for SMEs

[Figure: After applying to the DDoS Shelter, traffic from the attacker and zombie PCs and from normal PCs is routed to the KISA DDoS Shelter, and only normal traffic is forwarded to the web server.]

[DNS A Record]
WWW 60 IN A webserver IP
  ↓ (change)
WWW 60 IN A shelter IP
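The record change in the figure is the whole mechanism: once the A record moves, resolvers send clients (and the attack traffic) to the shelter instead of the web server. Two checks a practitioner wants before relying on it, written here as an added example that is not part of the original slides and not a KISA tool: how long cached answers can still point at the web server (bounded by the old TTL, which is why the slide's record carries 60 seconds), and whether any other record in the zone still exposes the web server's address, since traffic sent straight to that address never passes through the shelter. The simplified zone syntax, the sample zone, the documentation-range addresses and the function names (parse_zone, switch_to_shelter, origin_exposures) are constructed for this example.

```python
"""DDoS shelter cutover check (constructed example; not KISA's code or a KISA tool).

The slide switches the site's A record from the web server's IP to the shelter's IP.
Before relying on that switch, a practitioner wants to know:
  1. how long the old answer can still be served from resolver caches (the old TTL);
  2. whether any other record in the zone still exposes the origin IP, because
     traffic sent straight to the origin never passes through the shelter.
Zone format: 'OWNER TTL IN TYPE RDATA', one record per line, ';' comments. This is a
simplified zone-file syntax (no $ORIGIN/$TTL handling). All addresses below are from
documentation ranges and the zone itself is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Record:
    owner: str
    ttl: int
    rtype: str
    rdata: str

    def render(self) -> str:
        return f"{self.owner}\t{self.ttl}\tIN\t{self.rtype}\t{self.rdata}"


def parse_zone(text: str) -> List[Record]:
    """Parse the simplified zone syntax; raises ValueError on malformed lines."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()  # drop comments and surrounding whitespace
        if not line:
            continue
        fields = line.split(None, 4)
        if len(fields) != 5 or fields[2].upper() != "IN":
            raise ValueError(f"line {lineno}: expected 'OWNER TTL IN TYPE RDATA'")
        owner, ttl, _, rtype, rdata = fields
        if not ttl.isdigit():
            raise ValueError(f"line {lineno}: TTL must be an integer")
        records.append(Record(owner.lower(), int(ttl), rtype.upper(), rdata))
    return records


def switch_to_shelter(records: List[Record], owner: str, shelter_ip: str) -> Tuple[List[Record], int]:
    """Point every A record of `owner` at the shelter.

    Returns the new record list and the worst-case number of seconds during which
    resolvers may still hand out the old web-server address (the largest old TTL).
    """
    new, old_ttls = [], []
    for r in records:
        if r.owner == owner.lower() and r.rtype == "A":
            old_ttls.append(r.ttl)
            new.append(Record(r.owner, r.ttl, "A", shelter_ip))
        else:
            new.append(r)
    if not old_ttls:
        raise KeyError(f"no A record for {owner}")
    return new, max(old_ttls)


def origin_exposures(records: List[Record], origin_ip: str) -> List[str]:
    """Owners of A records that still resolve to the origin address."""
    return [r.owner for r in records if r.rtype == "A" and r.rdata == origin_ip]


# Constructed zone: 'www' is the public site; 'origin' is a leftover direct record.
SAMPLE_ZONE = """
www     60    IN  A   198.51.100.10   ; public site, short TTL for a fast cutover
origin  3600  IN  A   198.51.100.10   ; direct record: traffic here bypasses the shelter
@       3600  IN  MX  10 mail
mail    3600  IN  A   198.51.100.20
"""
ORIGIN_IP = "198.51.100.10"
SHELTER_IP = "203.0.113.5"  # constructed stand-in for the shelter's address


def demo():
    records = parse_zone(SAMPLE_ZONE)
    sheltered, cutover_seconds = switch_to_shelter(records, "www", SHELTER_IP)
    leaks = origin_exposures(sheltered, ORIGIN_IP)
    return sheltered, cutover_seconds, leaks


if __name__ == "__main__":
    sheltered, secs, leaks = demo()
    print("\n".join(r.render() for r in sheltered))
    print(f"old answers expire from caches within {secs}s")
    print("records still exposing the origin:", leaks or "none")
```

On the constructed zone the switch takes effect within 60 seconds, but the leftover "origin" record still publishes the web server's address, so the shelter can be bypassed until that record is removed or the origin is firewalled to accept traffic only from the shelter. A 3600-second TTL on "www" would instead leave cached answers pointing at the web server for up to an hour after the change.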

Page 21

2. Cyber Curing System

- Notifies users of malware infection and the removal method using a popup window
- Effective measure against large-scale DDoS attacks

Page 22

2. International Cooperation

2. Request that the attack site and zombie be deleted.
3. Delete and stop the attack.

< A case of successful international cooperation >
March 4 DDoS attack: US-CERT cooperation
- shared sample malicious codes and consulted with each other about analysis results
- quickly deleted 51 sites and zombies in the US

< June 2011 interview with the US Secretary of Defense >
As the globe is connected with the Internet, transnational cyber attacks are possible.
International cooperation is mandatory if domestic organizations and citizens are attacked by hackers.
If damages are great, it will be regarded as 'war,' and aggressive actions will be taken.

Page 23

The Korea Internet & Security Agency will make a beautiful and safe Internet world.