Hon Wee Leong
Cyber Security Landscape
How Do Cyber Attacks/Threats Affect You?
Business Disruption, Monetary
and/or Reputation Losses
Ransomware
Disrupting your network and operations
Data theft (internal or external)
Phishing (Social engineering)
Commercial Espionage
Loss of project, finance and other sensitive data
Government Regulatory
Requirement for Big Projects
Cannot participate in government related projects
Regulatory and legal liabilities
Theft of Company E-Resources
Malicious crypto mining (cryptojacking)
Crypto hijacking
Why are they doing this?
Who are these people?
What motivates them?
What Are Managed Security Services (MSS)?
Analogy: a Security Guard
24x7 Guarding / Monitoring of the Premises
Incoming & Outgoing Traffic
Alerts the Owner When a Threat Occurs
Security Operation Center (SOC) Explained
Security Operation Center
Team
Shifts
Dedicated Facilities
Prevent, Detect and Respond to Cyber Threats & Incidents
SOC Alternative
Managed Security
Services Provider (MSSP)
Outsourced Monitoring & Management
24x7 Services
Hire, Train & Retain
Enhance Security Posture
Challenges That IT Teams Are Facing
1. Doing More With Less (24x7 Security Monitoring)
2. A Single Point Product Won't Identify All Threats
3. SIEM Complexity
32%: average share of incidents detected by IDP / IPS technologies
35%: too many false-positive responses
Why SK infosec MSS?
Technology / Process / People
People
• Elite Threat Intelligence Arm: 1,000+ Cyber Security Experts
• Intelligence Community
• Procedures, Tactics, Techniques
Process
• International standards
• Methodology: Service Methodology; Threat Detection & Response Task Flow; MSS Event Monitoring Process; Escalation Matrix
• Quality & Service Management
• Rule Management: monitor & manage detection rules for new vulnerabilities
Big Data Analytics
Complex Event Processing
Real-time threat identification with automated correlation
• 100 million logs per day
• 100,000 events per second
• 3 TB per day
• Automated ticketing & response
• Multiple data sources
• Infer events / patterns
Technology
• AV
• Sandbox: file and URL behavior analyzer
• Web Crawler: URL maliciousness checker
• Security Information Gathering: security RSS / blogs / sites / CVE / CVSS / SNS
• Google Dork
• Private VirusTotal
• Exploit Checker
• Security Alliance
• OSINT (Open Source Intelligence)
• HUMINT (Human Intelligence)
• Threat Intelligence Network & Integration
• Cyber Threat Alliance
Case Study: Web-Shell Upload Attack
Detect → Ticket → Analysis → Response:
• IPS event: "Detect Web-Shell Upload"
• Ticket: "Web-Shell correlation event"
• CERT analysis: "Deep analysis"
• Response: rename / delete the web shell
[Diagram: Internet → IPS → firewall → client web servers, each running an anti-web-shell agent]
Web-shell upload attack
• On 2018-XX-XX, an MSS client's web server was hit by a "Web Shell Upload" attack and an alert was triggered by the IPS.
However, since the customer had the MSS service...
...here's what happened
Case Study: Web-Shell Upload Attack
How did our team protect our client?
1. IPS events of this kind are often considered "typical" web exploit events, so the alert is handled at normal priority.
2. Our analysts PROACTIVELY suggested that the client install an anti-web-shell agent on the web server.
3. BIG DATA analysis correlated session data from the IPS with the events from the anti-web-shell agent.
4. Our ANALYST found that similar web shell events had occurred on the web server.
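The correlation the slides describe (the "automated correlation" of the Complex Event Processing slide and step 3 of this case study) can be illustrated in a few dozen lines. The following is an added example written for this page, not code from Netpluz, SK infosec or any IPS or agent product: it joins IPS "web shell upload" alerts to file events reported by a host agent on the targeted server within a short time window, scores each newly written script for common PHP web-shell indicators, and raises the ticket priority only when the two sources agree. The IPS line format, the agent event tuples, the hosts, paths and file contents are all constructed for the example.

```python
"""Correlate IPS "web shell upload" alerts with host-agent file events.

Added illustration for this deck; not code from Netpluz or SK infosec.
The IPS line format, the agent event tuples, hosts, paths and file
contents are all constructed for the example.
"""
import re
from datetime import datetime, timedelta

# Constructed IPS alert lines: "<ts> src=<ip> dst=<ip> sig=<name> uri=<path>"
IPS_EVENTS = [
    "2018-01-01T10:00:05 src=203.0.113.7 dst=10.0.0.5 sig=WEB-SHELL-UPLOAD uri=/upload.php",
    "2018-01-01T10:00:06 src=198.51.100.9 dst=10.0.0.6 sig=WEB-SHELL-UPLOAD uri=/upload.php",
    "2018-01-01T12:30:00 src=203.0.113.7 dst=10.0.0.6 sig=SQLI-ATTEMPT uri=/search",
]

# Constructed anti-web-shell agent events: (ts, host, path, file content)
AGENT_EVENTS = [
    ("2018-01-01T10:00:07", "10.0.0.5", "/var/www/html/uploads/img.php",
     "<?php eval(base64_decode($_POST['c'])); ?>"),
    ("2018-01-01T10:05:00", "10.0.0.5", "/var/www/html/uploads/photo.jpg",
     "\xff\xd8\xff\xe0 JFIF ..."),
    ("2018-01-01T10:00:09", "10.0.0.6", "/var/www/html/uploads/a.php",
     "<?php echo 'hello'; ?>"),
]

IPS_LINE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+) uri=(?P<uri>\S+)$"
)
WEB_EXTS = (".php", ".phtml", ".jsp", ".jspx", ".asp", ".aspx")

# Common PHP web-shell building blocks: code execution, command execution,
# obfuscation and attacker-controlled input. Each pattern counts once.
SHELL_INDICATORS = [
    r"\beval\s*\(",
    r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(",
    r"\bbase64_decode\s*\(",
    r"\$_(?:POST|GET|REQUEST|COOKIE)\s*\[",
    r"\bassert\s*\(",
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def shell_score(content: str) -> int:
    """Number of distinct web-shell indicators present in a file."""
    return sum(1 for p in SHELL_INDICATORS if re.search(p, content, re.IGNORECASE))


def correlate(ips_lines, agent_events, window_s=60, threshold=2):
    """For each IPS web-shell alert, look for a script file written on the
    targeted host shortly afterwards and raise priority when that file
    looks like a shell. Returns one ticket per IPS web-shell alert."""
    tickets = []
    for line in ips_lines:
        m = IPS_LINE.match(line)
        if not m or m["sig"] != "WEB-SHELL-UPLOAD":
            continue  # other signatures follow their own playbooks
        t0 = parse_ts(m["ts"])
        deadline = t0 + timedelta(seconds=window_s)
        files = []
        for ts, host, path, content in agent_events:
            if host != m["dst"] or not (t0 <= parse_ts(ts) <= deadline):
                continue
            if not path.lower().endswith(WEB_EXTS):
                continue  # an uploaded image is not executed by the web server
            files.append({"path": path, "score": shell_score(content)})
        confirmed = [f for f in files if f["score"] >= threshold]
        tickets.append({
            "time": m["ts"],
            "src": m["src"],
            "target": m["dst"],
            "priority": "high" if confirmed else "normal",
            "files": files,
            "action": ("rename or delete: " + ", ".join(f["path"] for f in confirmed)
                       + f"; block {m['src']} at the firewall") if confirmed
                      else "monitor; no shell-like file written in window",
        })
    return tickets


if __name__ == "__main__":
    for t in correlate(IPS_EVENTS, AGENT_EVENTS):
        print(t["priority"].upper(), t["target"], t["action"])
```

The first alert is escalated because a PHP file containing `eval`, `base64_decode` and `$_POST` input appeared on the target two seconds later; the second stays at normal priority because the only file written in the window is an innocuous script, which is exactly the "typical web exploit event" the IPS alone cannot distinguish from a real compromise.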
Case Study: Web-Shell Upload Attack
OUTCOME
• The client was comfortable with the detailed information provided and worked closely with the analysts on installing the anti-web-shell agent
• Additional commentary, context and remediation advice was provided in real time via email
Once a web shell is installed, the attacker has control of the system, which can lead to further damage such as information leakage. Accurate analysis and a proactive response by the Managed Security Service can prevent the damage from spreading.
Case Study: C&C Call Back
[Diagram: Internet → IPS → firewall → APT solution → client PC; ① malware infection, ② C&C call back]
Detect → Ticket → Analysis → Response:
• APT event: "C&C Call back"
• Ticket: "Call back + T.I. correlation event"
• CERT analysis: "T.I. analysis, deep analysis"
• Forensics: malware analysis & deletion
• On 2018-XX-XX, an MSS client PC was infected by malware called "Backdoor.Adwind" and an alert was generated by their APT solution.
However, since the customer had the MSS service...
...here's what happened
Case Study: C&C Call Back
How did our team protect our client?
1. APT events are highly suspicious and carry a high risk of data exfiltration.
2. BIG DATA analysis of the events around the occurrence showed that the SUSPECTED destination URL is harmful.
3. VALIDATION against past occurrences in the event history.
4. Our analysts performed TRIAGE on the computer and found numerous incident traces and installed utilities.
5. ADVISED the client to disconnect this computer from the network and to block outgoing traffic to the malicious IP on the firewall.
6. Performed REMEDIATION activities.
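Steps 2, 3 and 5 of this procedure (threat-intelligence correlation, validation against event history, and the containment advice) are what an analyst automates first. The following is an added example written for this page, not code from Netpluz, SK infosec or any APT appliance vendor: it parses one callback alert, enriches the destination with a threat-intelligence table, counts earlier contacts with the same destination across the estate, checks whether the infected host's contacts recur at a near-constant interval (beacon-like behaviour), and emits the isolation and firewall-block actions. The alert format, the IOC table, the hostnames, IP addresses and history rows are constructed; the `iptables` command in the action text is an illustrative Linux gateway rule, not the client's firewall configuration.

```python
"""Triage an APT "C&C callback" alert: enrich with threat intelligence,
validate against connection history, and derive containment actions.

Added illustration for this deck; not code from Netpluz or SK infosec.
The alert format, IOC table, hostnames, addresses and history rows are
constructed for the example.
"""
from datetime import datetime, timedelta

# Constructed threat-intel indicators, keyed by destination IP
THREAT_INTEL = {
    "198.51.100.23": {"family": "Backdoor.Adwind", "role": "c2", "confidence": "high"},
    "203.0.113.44": {"family": "unknown", "role": "scanner", "confidence": "low"},
}

# Constructed APT-appliance alert line: "<ts> key=value ..."
ALERT = ("2018-02-02T09:15:00 type=callback host=PC-17 user=alice "
         "dst=198.51.100.23 dport=443 sig=Backdoor.Adwind")

# Constructed firewall connection history: (ts, host, dst, dport)
HISTORY = [
    ("2018-01-30T08:02:11", "PC-17", "198.51.100.23", 443),
    ("2018-01-31T08:03:40", "PC-17", "198.51.100.23", 443),
    ("2018-02-01T08:01:57", "PC-17", "198.51.100.23", 443),
    ("2018-02-01T14:20:00", "PC-22", "198.51.100.23", 443),
    ("2018-02-01T16:00:00", "PC-17", "93.184.216.34", 443),
]


def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def parse_alert(line):
    """Split "<ts> k=v k=v ..." into a dict with a datetime under "ts"."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(ts)
    return fields


def prior_contacts(dst, history, before, days=7):
    """Earlier connections to the same destination: how many and from which hosts."""
    since = before - timedelta(days=days)
    rows = sorted(r for r in history if r[2] == dst and since <= parse_ts(r[0]) < before)
    return {"count": len(rows), "hosts": sorted({r[1] for r in rows}),
            "first": rows[0][0] if rows else None}


def beacon_like(times, tolerance=0.2):
    """True when at least three contacts are spaced at near-constant intervals."""
    if len(times) < 3:
        return False
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return min(gaps) > 0 and max(gaps) / min(gaps) <= 1 + tolerance


def triage(alert_line, ti=THREAT_INTEL, history=HISTORY):
    a = parse_alert(alert_line)
    ioc = ti.get(a["dst"])
    prior = prior_contacts(a["dst"], history, a["ts"])
    own = [parse_ts(r[0]) for r in history
           if r[1] == a["host"] and r[2] == a["dst"] and parse_ts(r[0]) < a["ts"]]
    periodic = beacon_like(own + [a["ts"]])

    if ioc and ioc["role"] == "c2" and ioc["confidence"] == "high":
        severity = "critical"          # TI-confirmed C2: treat as active compromise
    elif ioc or periodic or prior["count"] > 0:
        severity = "high"              # corroborated by intel or by history
    else:
        severity = "medium"            # an APT verdict alone still warrants triage

    actions = [
        f"isolate {a['host']} from the network",
        f"block outbound traffic to {a['dst']} on the firewall "
        f"(e.g. iptables -I FORWARD -d {a['dst']} -j DROP on a Linux gateway)",
        f"preserve memory and disk of {a['host']} for malware analysis before cleanup",
    ]
    for h in prior["hosts"]:
        if h != a["host"]:
            actions.append(f"triage {h}: contacted the same destination in the last 7 days")
    return {"host": a["host"], "dst": a["dst"], "family": a.get("sig"), "ioc": ioc,
            "prior": prior, "beacon_like": periodic, "severity": severity,
            "actions": actions}


if __name__ == "__main__":
    result = triage(ALERT)
    print(result["severity"], result["host"], "->", result["dst"])
    for act in result["actions"]:
        print(" -", act)
```

The history check is what turns a single alert into the scope of an incident: here it reveals that a second host (PC-22) has already contacted the same C2 address, so the "which machine was actually compromised" question the slide raises is answered before the analyst starts manual triage.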
Case Study: C&C Call Back
OUTCOME
• Quick detection and proactive alerting allowed this incident to be remediated
• The client was given the detailed information needed to justify forensics on the affected node
• Additional commentary, context and remediation advice was provided in real time via email
A C&C callback is a secondary action in the APT cyber kill chain; it follows the initial infection. With simple detection and blocking alone, it is hard to identify exactly which system was compromised. Accurate analysis and a suitable response by the Managed Security Service can prevent the damage from spreading.
www.netpluz.asia
contact@netpluz.asia
+65 6805 8998

Netpluz Managed SOC - MSS Service


Editor's Notes

  • #12 Event processing is a method of tracking and analyzing (processing) streams of information (data) about things that happen (events), and deriving a conclusion from them. Complex event processing, or CEP, is event processing that combines data from multiple sources to infer events or patterns that suggest more complicated circumstances. The goal of complex event processing is to identify meaningful events (such as opportunities or threats) and respond to them as quickly as possible.
  • #14 The generated event is often considered a "typical" web exploit event, hence it is handled with normal priority.