APT Protection for Critical Information Infrastructure
Ministry of Information & Communications of VN
Authority of Information Security
National Cyber Security Center
AGENDA
• Overview of Cyber Security & CIIP in Viet Nam
• APT Protection for CII:
  • Technology
  • Information
  • Human
Organizational Structure (1)
Government
• Ministry of Public Security: in charge of cyber crime
• Ministry of Information and Communications: in charge of cyber security (civil affairs)
• Ministry of Defense: in charge of cyber war
Organizational Structure (2)
Ministry of Information and Communications
• Viet Nam Computer Emergency Response Team (VNCERT): mainly focused on incident coordination
• Authority of Information Security (AIS): oversees the state administration in cyber security
• National Electronic Authentication Center (NEAC): mainly focused on electronic authentication
Organizational Structure (3)
Ministry of Information and Communications: in charge of cyber security (civil affairs)
• Authority of Information Security (AIS): oversees the state administration in cyber security
  • National Cyber Security Center (NCSC): national SOC
• Viet Nam Computer Emergency Response Team (VNCERT): mainly focused on incident coordination
• National Electronic Authentication Center (NEAC): mainly focused on electronic authentication
Master Plan 2016 - 2020
Cyber Security Master Plan 2016–2020, approved by the Prime Minister on 27 May 2016. Its pillars:
• Cyber resilience, at the national level and at the organizational level
• CII Protection
• Awareness Raising
• Cooperation
• Market Development
• Capacity Building
CII Protection: Government Decision No. 623 dated 10/5/2017 on the priority CII list, led by MIC
CII Protection Plan: MIC Decision No. 2022 dated 15/11/2017
Critical areas of CII
Information infrastructure in the following areas, with the lead agency for each:
• Energy: Ministry of Industry and Trade
• Municipal: People's Committees of Ha Noi and Ho Chi Minh City
• Security: Ministry of Public Security
• Environment: Ministry of Natural Resources and Environment
• Defense: Ministry of National Defense
• Banking: State Bank
• Finance: Ministry of Finance
• Medical: Ministry of Health
• Information & communications: Ministry of Information and Communications
• Guiding and operating the Government: Office of the Government
• Transportation: Ministry of Transport
Legal Framework: Critical Information Infrastructure Protection
Information System Classifications: Level 1 up to Level 5; the higher the level, the more important the system.
Critical Information Infrastructure
Classification of information systems by security level
Five levels of security requirement (the decree on protecting information systems by security level). The level follows from what is impacted and how severe the consequence is:

Impact on                                        Normal harm   Serious harm   Extremely serious harm
Lawful rights and interests of organizations
or individuals                                   ---           Level 1        Level 2
Public interests and social order, safety        Level 2       Level 3        Level 4
National defense and security                    Level 3       Level 4        Level 5
NIST Framework for Improving Critical Infrastructure Cybersecurity
IDENTIFY → PROTECT → DETECT → RESPOND → RECOVER
Applied to both the IT environment and the ICS environment
136 organizations in Vietnam were attacked by APT groups in Quarter I 2019
HOW LONG DOES IT TAKE TO DETECT AN APT ATTACK?
Median dwell time (source: FireEye's report, M-Trends 2019): Global 78 days, APAC 204 days
“If you know the enemy and know yourself, you need not fear the result of a hundred battles.” (Sun Tzu, The Art of War)
There IS a GAP between Attack & Defense
ATTACK – DEFENSE GAP
APT's characteristics
• Tailored malware & tools
• TTPs changing continuously
• Low & slow
• Advanced team behind it
ATTACK – DEFENSE GAP
Defense team
• Effective tools to detect & respond?
• Updated on new TTPs?
• Continuous monitoring?
• Advanced team?
ATTACK – DEFENSE GAP
How to remove the gaps?
• TECHNOLOGY
• INFORMATION
• TEAM
1. TECHNOLOGY GAP
NIST Framework for Improving Critical Infrastructure Cybersecurity: IDENTIFY → PROTECT → DETECT → RESPOND → RECOVER
1. TECHNOLOGY GAP
Endpoint Detection & Response (EDR): Monitor → Analyze → Investigate → Respond
EDR – DETECTION
Attack chain, tracked through IOA (indicators of attack: the behaviour of each stage) and IOC (indicators of compromise: known-bad artifacts such as hashes and domains):
Initial Access → Execution → Persistence → Privilege Escalation → Defense Evasion → Credential Access → Discovery → Lateral Movement → Data Collection → Exfiltration → Command & Control
Endpoint event sources feeding detection: Windows events, network events, WMI events, process events, file events, registry events
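To make the IOA/IOC distinction on this slide concrete, here is an added example; it is not code from this deck or from the Vietnamese EDR product shown later. A small detector replays constructed process, file, registry and network events from one host, raises IOA alerts for behaviour along the chain (an Office application spawning a script host, an encoded PowerShell command line, a Run-key write and an outbound connection from the same process tree) and IOC alerts for hashes and domains from a constructed feed. The event layout (Sysmon-like fields), the hashes, the domain and the rule thresholds are all assumptions made for the example.

```python
"""EDR-style detection over endpoint telemetry: IOA (behaviour along the
attack chain) next to IOC (known-bad atoms). Added example, not code from
the NCSC deck or any vendor EDR. Events, hashes and domains are constructed."""
import re
from dataclasses import dataclass

# Constructed telemetry from one host, Sysmon-like fields, in time order.
# Chain: Word opens a CV lure -> encoded PowerShell -> payload dropped ->
# Run-key persistence -> outbound connection. A benign Notepad launch is
# included to show the rules stay quiet on it.
BAD_HASH = "d" * 64                    # placeholder SHA-256 of the dropped payload
C2_DOMAIN = "cdn-update.example.net"   # placeholder C2 domain
SAMPLE_EVENTS = [
    {"t": 1, "type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "sha256": "a" * 64},
    {"t": 2, "type": "process", "pid": 200, "ppid": 100,
     "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmdline": "WINWORD.EXE /n CV_applicant.docx", "sha256": "b" * 64},
    {"t": 3, "type": "process", "pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA",
     "sha256": "c" * 64},
    {"t": 4, "type": "file", "pid": 300, "path": r"C:\Users\hr\AppData\Roaming\update.exe",
     "sha256": BAD_HASH},
    {"t": 5, "type": "registry", "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Update",
     "value": r"C:\Users\hr\AppData\Roaming\update.exe"},
    {"t": 6, "type": "network", "pid": 300, "dst": C2_DOMAIN, "port": 443},
    {"t": 7, "type": "process", "pid": 400, "ppid": 100, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe", "sha256": "e" * 64},
]
# Constructed IOC feed: the static atoms a threat-intel feed would carry.
IOC_FEED = {"sha256": {BAD_HASH}, "domain": {C2_DOMAIN}}

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
ENCODED_PS = re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    stage: str   # attack-chain stage the rule maps to
    kind: str    # "IOA" (behaviour) or "IOC" (known-bad atom)
    pid: int
    detail: str


def _name(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def detect(events, ioc_feed):
    """Replay events in time order and return alerts. Suspicion raised by an
    IOA is inherited by child processes, so later registry and network
    activity of the same tree is attributed to the chain."""
    procs: dict[int, dict] = {}
    suspicious: set[int] = set()
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e["t"]):
        pid = ev["pid"]
        if ev["type"] == "process":
            procs[pid] = ev
            parent = procs.get(ev["ppid"])
            name = _name(ev["image"])
            if ev["ppid"] in suspicious:
                suspicious.add(pid)
            if parent and _name(parent["image"]) in OFFICE_APPS and name in SCRIPT_HOSTS:
                alerts.append(Alert("Execution", "IOA", pid, f"{_name(parent['image'])} spawned {name}"))
                suspicious.add(pid)
            if name == "powershell.exe" and ENCODED_PS.search(ev["cmdline"]):
                alerts.append(Alert("Defense Evasion", "IOA", pid, "encoded PowerShell command line"))
                suspicious.add(pid)
            if ev.get("sha256") in ioc_feed["sha256"]:
                alerts.append(Alert("Execution", "IOC", pid, f"known-bad image hash for {name}"))
        elif ev["type"] == "file":
            if ev.get("sha256") in ioc_feed["sha256"]:
                alerts.append(Alert("Execution", "IOC", pid, f"known-bad payload written to {ev['path']}"))
        elif ev["type"] == "registry":
            if r"\currentversion\run" in ev["key"].lower() and pid in suspicious:
                alerts.append(Alert("Persistence", "IOA", pid, f"Run key set by suspicious process: {ev['key']}"))
        elif ev["type"] == "network":
            if ev["dst"] in ioc_feed["domain"]:
                alerts.append(Alert("Command & Control", "IOC", pid, f"connection to listed domain {ev['dst']}"))
            if pid in suspicious:
                alerts.append(Alert("Command & Control", "IOA", pid,
                                    f"outbound {ev['dst']}:{ev['port']} from suspicious process tree"))
    return alerts


def stages_hit(alerts):
    """Distinct attack-chain stages covered by the alerts, sorted."""
    return sorted({a.stage for a in alerts})


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, IOC_FEED):
        print(f"[{a.kind}] {a.stage:18} pid={a.pid} {a.detail}")
```

Run with an empty IOC feed, the four IOA alerts still fire, because they match behaviour rather than artifacts; with the feed present the two IOC hits confirm the chain but add no stage the behavioural rules had not already covered. That is the slide's point: a detector that only consumes IOCs is blind until someone else has already seen the sample.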
EDR – IR Workflow: Alert → Contain → Investigate → Respond, run as a closed workflow in a single workspace
EDR – INVESTIGATION & RESPONSE
Example of a Vietnamese EDR solution (screenshots)
2. INFORMATION GAP
Inputs that demand action: new critical CVEs, new APT operations, new threat actors, data leaks, new malware, new attack techniques
ORGANIZATIONS NEED ACTIONABLE INTELLIGENCE
Threat Intelligence
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” (Gartner)
Threat Intelligence Sharing
• Internal: SIEM, NOCs, sysadmins, CIRTs, etc.
• External: trusted partners, law enforcement, vendors
• Standards and formats: IODEF, YARA, OpenIOC, IF-MAP, STIX, TAXII, VERIS, CybOX, TLP, OTX, CIF, etc.
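As an added example of consuming the STIX, TAXII and TLP standards listed above (this is not code from the NCSC platform; the bundle, its identifiers, the hashes, the domain and the sharing policy are all constructed for the example), the block below loads a STIX 2.1 bundle of the shape a TAXII collection would return, compiles equality-only patterns into matchable atoms, drops revoked or expired indicators, and uses the TLP marking definitions carried in the bundle to decide which indicators may be forwarded to external partners. Standard library only, so it runs offline.

```python
"""Consume a STIX 2.1 indicator bundle, match its patterns against flat
observations, and apply TLP markings before sharing. Added example, not the
NCSC platform's code. Bundle, ids, hashes, domain and policy are constructed;
TAXII transport is out of scope (the bundle is what a collection returns)."""
import json
import re
from dataclasses import dataclass

BUNDLE_JSON = r"""
{"type": "bundle", "id": "bundle--0d8b5e2a-1f3c-4c9a-9b1e-2a7c4f6d8e01",
 "objects": [
  {"type": "marking-definition", "spec_version": "2.1",
   "id": "marking-definition--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa",
   "created": "2019-03-01T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "green"}},
  {"type": "marking-definition", "spec_version": "2.1",
   "id": "marking-definition--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb",
   "created": "2019-03-01T00:00:00.000Z", "definition_type": "tlp", "definition": {"tlp": "amber"}},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--11111111-1111-4111-8111-111111111111",
   "created": "2019-03-10T00:00:00.000Z", "modified": "2019-03-10T00:00:00.000Z",
   "name": "lure C2 domain", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "pattern": "[domain-name:value = 'cdn-update.example.net']", "valid_from": "2019-03-10T00:00:00Z",
   "object_marking_refs": ["marking-definition--aaaaaaaa-aaaa-4aaa-8aaa-aaaaaaaaaaaa"]},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--22222222-2222-4222-8222-222222222222",
   "created": "2019-03-12T00:00:00.000Z", "modified": "2019-03-12T00:00:00.000Z",
   "name": "dropped payload", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "pattern": "[file:hashes.'SHA-256' = 'dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd' OR file:hashes.MD5 = '00000000000000000000000000000000']",
   "valid_from": "2019-03-12T00:00:00Z",
   "object_marking_refs": ["marking-definition--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"]},
  {"type": "indicator", "spec_version": "2.1", "id": "indicator--33333333-3333-4333-8333-333333333333",
   "created": "2019-02-01T00:00:00.000Z", "modified": "2019-03-20T00:00:00.000Z", "revoked": true,
   "name": "old C2 address", "indicator_types": ["malicious-activity"], "pattern_type": "stix",
   "pattern": "[ipv4-addr:value = '203.0.113.45']", "valid_from": "2019-02-01T00:00:00Z",
   "object_marking_refs": ["marking-definition--bbbbbbbb-bbbb-4bbb-8bbb-bbbbbbbbbbbb"]}
 ]}
"""

# One "object_path = 'value'" comparison inside a STIX pattern.
SIMPLE_COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


@dataclass(frozen=True)
class Indicator:
    id: str
    name: str
    tlp: str
    atoms: tuple  # ((object_path, value), ...); any atom matching fires the indicator


def parse_pattern(pattern: str):
    """Compile the common equality-only shape [a:b = 'x' OR c:d = 'y'] into
    (path, value) atoms; reject anything else (AND, FOLLOWEDBY, LIKE, ...)
    rather than silently matching nothing."""
    inner = re.fullmatch(r"\s*\[(.+)\]\s*", pattern)
    if not inner:
        raise ValueError(f"not a single observation expression: {pattern}")
    body = inner.group(1)
    atoms = SIMPLE_COMPARISON.findall(body)
    leftover = SIMPLE_COMPARISON.sub("", body).replace("OR", "").strip()
    if not atoms or leftover:
        raise ValueError(f"unsupported pattern syntax: {pattern}")
    return [(path.replace("'", ""), value) for path, value in atoms]


def load_indicators(bundle_json: str, now: str = "2019-04-01T00:00:00Z"):
    """Return usable indicators: not revoked, not expired, with their TLP
    resolved from the marking definitions in the same bundle."""
    bundle = json.loads(bundle_json)
    tlp_by_ref = {o["id"]: o["definition"]["tlp"].lower() for o in bundle["objects"]
                  if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    out = []
    for o in bundle["objects"]:
        if o["type"] != "indicator" or o.get("revoked") or o.get("pattern_type", "stix") != "stix":
            continue
        # Assumption: timestamps share one ISO-8601 layout, so string order is time order.
        if o.get("valid_until") and o["valid_until"] <= now:
            continue
        tlps = [tlp_by_ref[r] for r in o.get("object_marking_refs", []) if r in tlp_by_ref]
        tlp = tlps[0] if tlps else "red"   # unmarked: treat as most restrictive
        out.append(Indicator(o["id"], o.get("name", o["id"]), tlp, tuple(parse_pattern(o["pattern"]))))
    return out


def match_observation(indicators, observation: dict):
    """observation: flat {object_path: value} map as an EDR/SIEM would extract it."""
    return [i.id for i in indicators if any(observation.get(p) == v for p, v in i.atoms)]


EXTERNAL_OK = {"clear", "white", "green"}   # TLP 2.0 names plus the TLP 1.0 equivalent


def shareable(indicators, audience: str):
    """Policy assumption for the example: internal consumers see everything,
    external partners only CLEAR/WHITE/GREEN; AMBER and RED stay in-house."""
    if audience == "internal":
        return [i.id for i in indicators]
    if audience == "external":
        return [i.id for i in indicators if i.tlp in EXTERNAL_OK]
    raise ValueError(f"unknown audience {audience}")


if __name__ == "__main__":
    inds = load_indicators(BUNDLE_JSON)
    print("loaded:", [(i.name, i.tlp) for i in inds])
    print("hit:", match_observation(inds, {"domain-name:value": "cdn-update.example.net"}))
    print("external share set:", shareable(inds, "external"))
```

The revoked indicator is dropped on load, so a stale address in an old feed cannot keep generating alerts, and the pattern compiler refuses syntax it does not understand instead of returning an indicator that never matches; both are the failure modes that make a TI platform look "actionable" while silently doing nothing.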
THREAT INTELLIGENCE – ACTIONABLE INTELLIGENCE
Example of a Vietnamese threat intelligence platform (screenshots)
THREAT INTELLIGENCE – APT TRACKING
Example of a Vietnamese threat intelligence platform (screenshot)
THREAT INTELLIGENCE – TACTICS & PROCEDURES
Example of an APT attack in Vietnam (diagram): spear-phishing from a free webmail account (xxx@gmail.com) against public mailboxes, with the lure chosen to fit the recipient. "Job application letters" go to HR addresses (hr@xxx.com, hr@yyy.com); "business contracts" go to other public email addresses.
THREAT HUNTING (figure; image source: sqrrl.com)
3. HUMAN GAP
24/7 monitoring: detect, investigate & respond
MANAGED DETECTION & RESPONSE (MDR) SERVICE
*Source: Gartner's report
MANAGED DETECTION & RESPONSE
MDR service
• Focus on threats
• Highly skilled team
• Quick deployment
• Flexible model
• Lower cost
*Source: Gartner's report
Initiative: Malware & Cyber Attack Prevention Alliance
SUMMARY: quickly remove the gaps
• Technology: EDR
• Information: TI
• Human: MDR
THANK YOU! Q&A