Establishment of Threat Intel into Incident Response

Copyright © 2019 CyberSecurity MalaysiaCopyright © 2019 CyberSecurity Malaysia
THE
ESTABLISHMENT
OFTI INTO IR

Copyright © 2019 CyberSecurity Malaysia
Agenda
• Introduction to CyberSecurity Malaysia
• Cyber999 Service
• Technical Threat Intelligence (TTI) vs Incident Response
• Case Study
• Challenges and Gap Findings
• Lesson Learnt
• Way Forward
2

Copyright © 2019 CyberSecurity Malaysia 333
About CyberSecurity Malaysia
1997 2001 2005 2007 2017
19 Oct 2018
Cabinet Meeting
chaired by the YAB
Prime Minister Tun
Dr. Mahathir
Mohamad have
decided CyberSecurity
Malaysia will report
to Ministry of
Communication and
Multimedia (KKMM)
under Compliance
and Control sector
22 Oct 2018
Officially CSM is
reporting to KKMM
2018
NATIONAL SECURITY COUNCIL
• A technical cyber security agency under
the Ministry of Science, Technology &
Innovation
• Started operation as the Malaysia
Computer Emergency Response Team
(MyCERT) in year 1997 and later
rebranded as CYBERSECURITY
MALAYSIA in 2007
30 Mar 2007
NISER was officially
registered as
CyberSecurity
Malaysia
20 Aug 2007
CyberSecurity
Malaysia was
launched by
YAB Prime Minister

CyberSecurity Malaysia - Services
4

Cyber999™
Cyber Early Warning Services
5
Cyber Early
Warning
Technical
Coordination
Centre
Malware
Research
Center
REFERENCE CENTRE FOR CYBER SECURITY ASSISTANCE
Email us at:
cyber999@cybersecurity.my
for all internet users, including home users and organizations
Incident
Handling
• 72 international linkages
• Produced 8 applications such as Malware Sandbox, PDF
Analyzer, AntiPhishing Plugin
• Established Cyber999 Integrated System
• Established Malware Research Center

Incidents Reported to Cyber999 (1997 – 2019)
6
115 342 728 503 920 739 911 915 835
1732
1038
2123
3564
8090
15218
9986
10636
11918
9915
8334
7962
10699
1997 1998 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015 2016 2017 2018

Incident Response Life Cycle
7
Reference:https://www.experts-exchange.com/articles/28821/What's-in-an-Incident-Response-Plan.html

Threat Intelligence Life Cycle
8
Planning and
Direction
Collection
Processing and
Exploitation
Analysis and
Production
Dissemination

IR VS TI
9
Preparation
Identification
Containtment
Eradication
Recovery
Lessons Learnt
Planning and
Direction
Collection
Processing
and
Exploitation
Analysis and
Production
Dissemination

• Threat Modelling
• Identify Stakeholders
• Intelligence Collection Plan
• Service catalog / Service Offering
10
Planning and Direction

• Threat modeling – what threats do we need
to worry about?
11
Threats targeting Malaysia geographically
Threats targeting Malaysia geopolitically
Threats targeting CNII sectors
Threats targeting our organization
Threats targeting technologies widely used in Malaysia

• Identify stakeholders
Ø Executives/Management in our organization
Ø Internal technical operation stakeholders
Ø CNII sectors/sector lead
Ø Other global CERTs, external collaboration and
private companies that subscribes to us.
12

• Intelligence collection plan – how do we
collect our data?
13
Planning and Direction (cont…)
Interview our stakeholders periodically to get the idea of
what they really want to see in the intelligence we share as it
tend to change
Malware Analyst requested some background of the campaign and
necessary hashes, binaries or samples of the malware that is related
to the campaign for them to directly do analysis
IR Analyst requires the overview of the campaign andTTP to
understand the incident better and IOCs for quicker escalation
process.
Management would request
weekly threat landscape

Service catalog / offering
Catalog/Offerings Description
Threat review and
readiness
Daily review of the data collections and extraction
actionable information.
IOCs and TTP sharing From the actionable information, enriched IOCs and TTP
will be detected and shared concurrently with analysis
Support of incident
that is reported to our
SOC
Assist incident responders to gain more knowledge and
continue to report the additional information to respective
party
Alert and Advisories To inform stakeholders regarding threats
Intelligence reports A structured form of report
Gap analysis and
capability development
Findings from analysis that can help to built up rules in IDS,
IPS or WAF

Catalog / Offerings Output
Threat review and readiness Push into our ticketing system
IOCs and TTP sharing Pushed into centralized repository (MISP)
Support for SOC New incidents finding = new ticket
Related to old incidents = merge or create new
ticket (ie different target using same TTP)
Alert and Advisories Published in our website
Intelligence reports Report format in docx or pdf
Gap analysis and capability
development
Notify and alert internal team for actions like
blocking IDS, IPS or gateway
15
Service catalog / offering

Collection – Use case IR
16
Feeds
ISAC and
Special
Interest
Groups
Reported
Incidents
OSINT
LebahNet
Foreign Cert
Format:
Ticketing
CSV
Json
Stix and
taxi
RSS feeds
Unstructured
Content
Related
Intrusion
Malicious
Code
C
L
A
S
I
F
I
C
A
T
I
O
N
Phishing

Processing & Exploitation
17
Content
Related
Phishing
Intrusion
Malicious
Code
C
L
A
S
I
F
I
C
A
T
I
O
N
• Task:
1. Check and validate
feeds/ high profile
reported incident for
false positives
2. Categorize intel
received whether it is
for information or
needs to be taken
action
3. Tagging according to
incident classification
1. Credential
leaked
2. PII information
3. Online Scam
1. Compromised
Email Accounts
2. Web Intrusions
1. Ransomware
2. Android
application .apk
3. Javascripts
1. Phishing URL
2. Phishing IP
3. Phishkit

Analysis and Production
• The IOCs accepted
would then be analyze
by respective analysts.
• Enrichment of the
IOCs and extraction
will be done at this
point.
• Compile the
information (IOC &
TTP) according to Kill
Chain
• If the TTP is
new/changes, then need
to renew advisory and
alert
• Results would be
stored in centralized
repository and
ticketing system
18
Content
Related
Phishing
Intrusion
Malicious
Code
1. Credential
leaked
2. PII information
3. Online Scam
1. Compromised
Email Accounts
2. Web Intrusions
1. Ransomware
2. Android
application .apk
3. Javascripts
1. Phishing URL
2. Phishing IP
3. Phishkit

Dissemination
19
https://www.mycert.org.my/en/services/advisories/mycert/2019/main/index.html
IOCs and TTP sharing platform
Sample report

Background of incident:
• Received a number of similar incidents, reported to our ticketing system that rise
attention.
• The incident was classified as malicious as the victim reported an application was
installed and money was lost.
• IR analyst request a complete information regarding the campaign. (TTP, C2, IOC
and etc)
20
Case Study: Fake Malaysia National Bank
App
Money laundering
Personal loan scam

Case Study: Fake Malaysia National
Bank App
23
Reconnaissance: Adversary
pretends to be a law
enforcement agency officer
and claimed the victim is
involve in unlawful activity
such as money laundering
and threaten to arrest victim
if they do not cooperate.
Adversary offering personal
loans.
Weaponization: Malware
downloaded from the link
purportedly from National
Bank of Malaysia with ext
.apk
Delivery: Whatsapp
message with phishing
/malware hosted link
Exploitation: Social
engineering exploitation
Installation: From the link,
victim is instructed to
download and application
that instructed victim to
replace the default SMS
app
Command and Control:
C2 servers are from these
IPs receives victims
information
Actions:
Unauthorized money
transferred from victim’s
account to adversary’s
account
File name:
bnm_h_signed.apk
nm_m_psigned.apk
MaintainV3.apk
ga.apk
https://67.229.128.74:88/BNM.HTML
https://144.217.88.38
http://www.bnm-
gov.org/index.php/w/page/a
http://www.bnm-
gov.com/index.php/w/page/a
Adversary’s Kill Chain

Case Study: Fake Malaysia National Bank App
After enrichment with these 2 domains, we found more domains targeting to our
National Bank.
Bnm-gov.com
Bnm-gov.org
Pivot email and found new domains that are still up

MD5 hash for malicious .apk found:
• B2bca9cf53db7237f218e73fd270bec5
• 76335eff5c7fd48c6d9e53e61c6f5dc8
• E955601b87e7a2e87f767f543600a2f1
• 19166bfcb02c59c900191e8c6570bc6f
Phishing links:
https://67.229.128.74:88/BNM.HTML
https://144.217.88.38
http://www.bnm-gov.org/index.php/w/page/a
http://www.bnm-gov.com/index.php/w/page/a
http://www.m-bnmgov.com/index.php/w/page/a
http://brm-bnm-gov.com/index.php/w/page/a
http://www.m-bithumb.com/index.php/w/page/a

C2s obtain:
• 67.229.128.74
• 23.244.168.148
• 183.86.209.102
• 144.217.88.38
• 61.177.172.91
http://61.177.172.91:1013/app2/

Kill Chain Process Incident Response
Reconnaissance • Monitor adversary or related infra
Weaponization • Perform dynamic and behavioral analysis
Delivery • Phishing domain and host is reported to
respective ISP and hosting company for take
down
Installation • Guide the victim to run antivirus or malware
detection application for the phone (google play
protect)
• Factory reset
Command and Control • Report to respective ISP regarding
suspicious/malicious IP activities
Actions • Guide the victim to report to respective banks
and LEA for further physical investigation and
actions.
• Escalate to respective parties as well.
IR’s Kill Chain

IOCs and TTP sharing

https://www.mycert.org.my/en/services/advisories/mycert/2018/main/detail/1305/index.html
https://www.mycert.org.my/en/services/advisories/mycert/2018/main/detail/1304/index.html

Challenges
• Automation tools constraint and platform since most of
them need to be purchased
• Competency of gathering the intel and to consolidate the
information
• People
– Additional work load to IR
– Lack of Resources (no dedicated person to
segregation of daily task)
– Various type of threat, huge number of threat
30

Lesson Learnt
• Improve on how to enrich the IOCs and TTPs.
• Improve on the maturity plan of the process flow of
dissemination between stakeholders and requirements
• Need to be on tip of your toes and read latest news
regarding threats and emerging threats
31

Way Forward to Improve
• To seek other intelligence tool that suits the daily tasks of
analyst.
• Established collaboration with more national and
international CERTs/CSIRTs
• Extend partnership with more industry players on
leveraging threat intelligence as well as special interest
groups.
32

Establishment of Threat Intel into Incident Response

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Establishment of Threat Intel into Incident Response

Similar to Establishment of Threat Intel into Incident Response (20)

More from APNIC

More from APNIC (20)

Recently uploaded

Recently uploaded (20)

Establishment of Threat Intel into Incident Response