Page 1: ARM 7: ThaiCERT Operations and Priorities

ThaiCERT – Operations and Priorities

Page 2: ARM 7: ThaiCERT Operations and Priorities

ThaiCERT Services

National CERT mission: maintain a national point of contact for computer security threats and reduce the number of security incidents perpetrated from or targeted at systems in that country.

Teams:
• Malware Lab & Digital Forensics Center
• Threat Analysis Team
• Incident Response Team
• Capacity Building and Compliance Team

Source: List of Common CSIRT Services, Handbook for Computer Security Incident Response Teams (CSIRTs), SEI, CMU

Proprietary and Confidential

Page 3: ARM 7: ThaiCERT Operations and Priorities

ThaiCERT ThreatWatch System

Sources: ISPs, Web Defacement Blogs, CERT/CSIRT Partners

1. Gather raw incident reports
2. Normalize, lookup, categorize, etc.
3. Generate a normalized report (Raw -> Normalized)
4. Distribute the sanitized report to the ISPs via web portal
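The four ThreatWatch steps above, carried through as an added example (not ThaiCERT's code): raw reports from an ISP feed, a defacement blog and a partner CERT are normalized to one schema, the reporting IP is mapped to an ISP using a static prefix table that stands in for the WHOIS/ASN lookup, incidents are categorized with the incident types used in the statistics slide, and the copy distributed to each ISP is limited to its own address space with the reporter identity stripped. All feeds, addresses, ISP names and the category mapping are constructed for this example.

```python
import ipaddress

# Constructed stand-in for the WHOIS/ASN lookup step; a real deployment
# queries registry data. Ranges are IETF documentation prefixes, not real ISPs.
ISP_PREFIXES = {
    "isp-a.example": ipaddress.ip_network("192.0.2.0/24"),
    "isp-b.example": ipaddress.ip_network("198.51.100.0/24"),
}

# Constructed raw reports, each in the shape its own feed produces (step 1).
RAW_REPORTS = [
    {"source": "partner-cert", "reporter": "cert-x@example.net", "ip": "192.0.2.10",
     "type": "Phishing", "url": "http://192.0.2.10/login", "seen": "2014-03-06"},
    {"source": "defacement-blog", "reporter": "blog-y", "host": "198.51.100.7",
     "type": "defacement", "url": "http://198.51.100.7/", "seen": "2014-03-06"},
    {"source": "isp-feed", "reporter": "isp-a.example", "src_ip": "192.0.2.77",
     "type": "botnet c2", "seen": "2014-03-07"},
    {"source": "partner-cert", "reporter": "cert-z@example.org", "ip": "203.0.113.5",
     "type": "malware", "seen": "2014-03-07"},
]

# Maps feed-specific labels onto the incident types from the statistics slide;
# counting defacement as Intrusion is an assumption of this example.
CATEGORY_MAP = {"phishing": "Fraud (Phishing)", "malware": "Malicious code",
                "botnet c2": "Malicious code", "defacement": "Intrusion"}


def lookup_isp(ip):
    """Return the ISP whose prefix contains ip, or None if it is outside the table."""
    addr = ipaddress.ip_address(ip)
    return next((isp for isp, net in ISP_PREFIXES.items() if addr in net), None)


def normalize(raw):
    """Step 2: one record schema regardless of which feed produced the report."""
    ip = raw.get("ip") or raw.get("host") or raw.get("src_ip")
    return {"ip": ip, "isp": lookup_isp(ip),
            "category": CATEGORY_MAP.get(raw["type"].lower(), "Other"),
            "url": raw.get("url"), "first_seen": raw["seen"],
            "reporter": raw["reporter"], "source": raw["source"]}


def build_report(raw_reports):
    """Step 3: the normalized report kept internally, reporter identities intact."""
    return [normalize(r) for r in raw_reports]


def sanitize_for_isp(report, isp):
    """Step 4: the view one ISP receives: only incidents in its own address
    space, with reporter identity and source channel removed before release."""
    return [{k: v for k, v in rec.items() if k not in ("reporter", "source")}
            for rec in report if rec["isp"] == isp]
```

A record whose IP falls outside every known prefix keeps isp=None and so is never distributed, which is the case an operator has to handle by hand.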

Page 4: ARM 7: ThaiCERT Operations and Priorities

Incident Statistics 2014

Report by Incident Type

ThaiCERT handled 4,008 incidents.
• Malicious code: 1,735 (43.3%)
• Fraud (Phishing): 1,010 (25.2%)
• Intrusion: 711 (17.7%)

2,016 incidents (50.3%) were discovered by the ThaiCERT ThreatWatch System.

[Pie chart: top requestors by country. Labelled slices: ThaiCERT 50.3%, United States, Germany; remaining slice labels 14.6% and 12%]

Page 5: ARM 7: ThaiCERT Operations and Priorities

Web Defacement Statistics in ASEAN 2014

[Bar chart: monthly web defacement counts, Jan to Dec 2014 (y-axis 0 to 3,500), for Brunei, Cambodia, Indonesia, Laos, Malaysia, Myanmar, Philippines, Singapore, Thailand and Vietnam]

Note: Data collected from public defacement databases by the ThaiCERT ThreatWatch System.

Page 6: ARM 7: ThaiCERT Operations and Priorities

• Alert & Coordination (since ’12): threat alerts to the Thailand Internet community, public/private sectors, CERT/CSIRT partners, regulator and law enforcement
• Ticketing and Analysis (’12-’15)
• Monitoring and Detection (’13-’15): (’13-’14) Internet Malware & Vulnerability Scanner; (’15) Cyber Threat Detection for Government Agencies
• Protection (’15): Web and DDoS Firewall for Government Agencies

ThaiCERT Government Monitoring System (GMS)

[Diagram of traffic flows: known malicious & DDoS traffic is separated from legitimate web traffic, which continues to the data center; threat detection info is passed to Monitoring and Analysis]

Page 7: ARM 7: ThaiCERT Operations and Priorities

Capacity Building Activities – Local Certification

Information Security Expert Certification (72 certificate holders)

Level    | Test score       | Certificates       | Work experience
Advanced | Greater than 80% | iSEC-M3 or iSEC-T3 | At least 5 years
High     | Greater than 70% | iSEC-M2 or iSEC-T2 | At least 3 years
Basic    | Greater than 60% | iSEC-M1 or iSEC-T1 | At least 1 year

Page 8: ARM 7: ThaiCERT Operations and Priorities

Capacity Building Activities – Training

• Technical Security
• Security Management
• Mobile Forensics

About 200 security practitioners from both public and private sectors were trained by ThaiCERT.

Page 9: ARM 7: ThaiCERT Operations and Priorities

ThaiCERT Incident Drill for Financial Sector & ISPs

“To enhance the communication and participating teams’ incident response capabilities and cooperation between teams”

Objectives:
• Practice incident handling coordination between the banks, ISPs and ThaiCERT
• Assess advanced technical skills such as malware analysis

Page 10: ARM 7: ThaiCERT Operations and Priorities

Malware Analysis Competition 2014 (MAC2014)

“To raise interest in IT security among university students in Thailand and develop the in-demand skill of malware analysis”

• Organized by ThaiCERT and JPCERT/CC
• Participation of 13 teams from 9 universities in Bangkok
• 3 days of training + final day of competition
• In the competition, teams need to analyze the behaviour of a malware sample and present the results skillfully in order to win the prize (a trip to join APCERT AGM 2015)

Page 11: ARM 7: ThaiCERT Operations and Priorities

Press Conference/ Release

• January 2014, D-Link Rom-0 vulnerability
• April 2014, Heartbleed
• May 2014, 0-day in IE 6 to IE 11
• August 2014, Android Trojan (SMS)
• September 2014, 0-days
• September 2014, Shellshock
• October 2014, POODLE

Page 12: ARM 7: ThaiCERT Operations and Priorities

Publication

Page 13: ARM 7: ThaiCERT Operations and Priorities

Case study: Phishing without e-mail

Phishing on Adsense

URL: kasikornbankgroup.ru
First found: 6/3/58
Hosted in Latvia

Timeline:
• Feb 25: phishing domain registered
• Mar 6: phishing site first found

Page 14: ARM 7: ThaiCERT Operations and Priorities

ThaiCERT/ETDA’s new home

Page 15: ARM 7: ThaiCERT Operations and Priorities

+66-2-123-1212

Report Incident: [email protected] (KeyID: 0xF2CB3EE1)

General Inquiry: [email protected] (KeyID: 0x52D48426)