APT Protection for Critical Information Infrastructure
Ministry of Information & Communications of VN, Authority of Information Security, National Cyber Security Center

Transcript of the slide deck "APT Protection for CI" (nowis.kr), 39 pages.

Page 1:

APT Protection for Critical Information Infrastructure

Ministry of Information & Communications of VN
Authority of Information Security
National Cyber Security Center

Page 2:

AGENDA

• Overview of Cyber Security & CIIP in Viet Nam
• APT Protection for CII:
  • Technology
  • Information
  • Human

Page 3:

Organizational Structure (1)

Government
- Ministry of Public Security: in charge of cyber crime
- Ministry of Information and Communications: in charge of cyber security (civil affairs)
- Ministry of Defense: in charge of cyber war

Page 4:

Organizational Structure (2)

Ministry of Information and Communications
- Viet Nam Computer Emergency Response Team (VNCERT): mainly focused on incident coordination
- Authority of Information Security (AIS): oversees the state administration in cyber security
- National Electronic Authentication Center (NEAC): mainly focused on electronic authentication

Page 5:

Organizational Structure (3)

Ministry of Information and Communications: in charge of cyber security (civil affairs)
- Authority of Information Security (AIS): oversees the state administration in cyber security
  - National Cyber Security Center (NCSC): National SOC
- Viet Nam Computer Emergency Response Team (VNCERT): mainly focused on incident coordination
- National Electronic Authentication Center (NEAC): mainly focused on electronic authentication

Page 6:

Master Plan 2016 - 2020

Cyber resilience:
- National Level
- Organizational Level

CII Protection | Awareness Raising | Cooperation | Market Development | Capacity Building

- Cyber Security Master Plan 2016 – 2020: approved by the Prime Minister on 27 May 2016
- CII Protection: Government Decision No. 623 dated 10/5/2017 on the priority CII list; led by MIC
- CII Protection Plan: MIC Decision No. 2022 dated 15/11/2017

Page 7:

Critical areas of CII

- Information infrastructure in the energy area: led by the Ministry of Industry and Trade
- Information infrastructure in the municipal area: led by the People's Committees of Ha Noi and Ho Chi Minh City
- Information infrastructure in the security area: led by the Ministry of Public Security
- Information infrastructure in the environmental area: led by the Ministry of Natural Resources and Environment
- Information infrastructure in the defense area: led by the Ministry of National Defense
- Information infrastructure in the banking area: led by the State Bank
- Information infrastructure in the financial area: led by the Ministry of Finance
- Information infrastructure in the medical area: led by the Ministry of Health
- Information infrastructure in the information & communication area: led by the Ministry of Information and Communications
- Information infrastructure for guiding and operating the Government: led by the Office of the Government
- Information infrastructure in the transportation area: led by the Ministry of Transport

Page 8:

Legal Framework: Critical Information Infrastructure Protection

Information System Classifications (the higher, the more important):
Level 5
Level 4
Level 3
Level 2
Level 1

Critical Information Infrastructure

Page 9:

Classification of information systems based on security level

Impact on                                                  | Normal harm | Serious harm | Extremely serious harm
-----------------------------------------------------------|-------------|--------------|-----------------------
Lawful rights and interests of organizations or individuals | ---         | Level 1      | Level 2
Public interests and social order, safety                   | Level 2     | Level 3      | Level 4
National defense and security                               | Level 3     | Level 4      | Level 5

Five levels of security requirements: the decree on protecting systems based on security level.

Page 10:

NIST Framework for Improving Critical Infrastructure Cybersecurity

IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER

IT Environment / ICS Environment

Page 11:

136 organizations in Vietnam were attacked by APT (Quarter I - 2019)

Page 12:

HOW LONG DOES IT TAKE TO DETECT AN APT ATTACK?

GLOBAL: 78 DAYS
APAC: 204 DAYS

Source: FireEye's report

Page 13:

NCSC

BUSINESS PRESENTATION 2017

WELCOME

"If you know the enemy and know yourself, you need not fear the result of a hundred battles."

Page 14:

There IS a GAP between Attack & Defense

Page 15:

ATTACK – DEFENSE GAP

APT'S CHARACTERISTICS

• Tailored malware & tools

• TTPs changing continuously

• Low & Slow

• Advanced Team Behind

Page 16:

ATTACK – DEFENSE GAP

DEFENSE TEAM

• Effective tools to detect & respond?

• Update new TTPs?

• Continuously monitoring?

• Advanced Team?

Page 17:

ATTACK – DEFENSE GAP

How to remove the GAPS?

TECHNOLOGY
INFORMATION
TEAM

Page 18:

1. TECHNOLOGY GAP

IDENTIFY | PROTECT | DETECT | RESPOND | RECOVER

NIST Framework for Improving Critical Infrastructure Cybersecurity

Page 19:

1. TECHNOLOGY GAP

ENDPOINT DETECTION & RESPONSE (EDR)

MONITOR | ANALYZE | INVESTIGATE | RESPOND

Page 20:

EDR - DETECTION

ATTACK CHAIN (IOA / IOC)

- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defensive Evasion
- Credential Access
- Discovery
- Lateral Movement
- Data Collection
- Exfiltration
- Command & Control

Endpoint telemetry: Windows events, Network events, WMI events, Process events, File events, Registry events

Page 21:

EDR - IR Workflow

Alert | Contain | Investigate | Respond

CLOSED WORKFLOW & UNIQUE WORKSPACE

Page 22:

EDR – INVESTIGATION & RESPONSE

Example of a Vietnamese EDR solution

Page 23:

EDR – INVESTIGATION & RESPONSE

Example of a Vietnamese EDR solution

Page 24:

2. INFORMATION GAP

ACTION

- NEW CVE (CRITICAL)
- NEW APT OPERATIONS
- NEW THREAT ACTORS
- DATA LEAK
- NEW MALWARE
- NEW ATTACKING TECHNIQUES

Page 25:

ORGANIZATIONS NEED ACTIONABLE INTELLIGENCE

Page 26:

Threat Intelligence

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

Gartner

Page 27:

NCSC

Threat Intelligence Sharing

- Internal – SIEM, NOCs, Sysadmins, CIRTs…
- External – Trusted partners, Law Enforcement, Vendors
- Standards – IODEF, YARA, OpenIOC, IF-MAP, STIX, TAXII, VERIS, CybOX, TLP, OTX, CIF etc.

Page 28:

THREAT INTELLIGENCE – ACTIONABLE INTELLIGENCE

Example of a Vietnamese Threat Intelligence platform

Page 29:

THREAT INTELLIGENCE – ACTIONABLE INTELLIGENCE

Example of a Vietnamese Threat Intelligence platform

Page 30:

THREAT INTELLIGENCE – APT TRACKING

Example of a Vietnamese Threat Intelligence platform

Page 31:

THREAT INTELLIGENCE – TACTICS & PROCEDURES

Phishing lure themes observed (sender addresses redacted in the source):
- [email protected]: Job Application Letters
- [email protected]: Business Contracts
- [email protected]: Application Letters
- Other public emails

Page 32:

Example of an APT attack in Vietnam

Page 33:

THREAT HUNTING

Image Source: sqrrl.com

Page 34:

3. HUMAN GAP

24/7 Monitoring: Detect, Investigate & Respond

Page 35:

MANAGED DETECTION & RESPONSE SERVICE (MDR)

*SOURCE: Gartner's report

Page 36:

MANAGED DETECTION & RESPONSE

MDR SERVICE

• Focus on threats
• Highly skilled team
• Quick deployment
• Flexible model
• Lower cost

Page 37:

Initiative: Malware & Cyber Attack Prevention Alliance

*SOURCE: Gartner's report

Page 38:

NCSC

SUMMARY

QUICKLY REMOVE THE GAPS:
- TECHNOLOGY: EDR
- INFORMATION: TI
- HUMAN: MDR

Page 39:

THANK YOU! Q&A