Internet Security Activities in Korea - PowerPoint PPT Presentation



Internet Security Activities in Korea

Wan-keun Jeon

2005.11.17

Korea Internet Security Center


Contents

I. Internet Status in Korea

II. Internet Threat Status

III. Responding Malicious Codes

IV. Responding Web Hacking Incidents

V. Further Works


I. Internet Status in Korea (1/2)

Internet Infrastructure

[Figure: Korea's Internet infrastructure: 1.4M home pages; 70+ ISPs; 87,000 leased-line subscribers (enterprises/organizations); 28M PCs; 12M broadband subscribers]

Source: NIDA (KrNIC)


I. Internet Status in Korea (2/2)

Evolution of Security Threat Areas

[Figure: from the Client/Server type (clients attached to one server) to the Pure Distributed type (peers connected to peers)]

Transition of Internet Usage

Evolving into a Broadband convergence Network: Data (Internet) + Voice (Telecom) + Broadcasting (DMB)

[Figure labels: Internet; Mobile; Voice; Broadcasting; Internet+Mobile+Voice+Broadcasting; Attacks; Secure Zone]


II. Internet Threat Status (1/3)

[Charts: Hacking Threats and Malicious Code Threats; panels: PC Survival Time, Worm/Virus Incidents, Phishing cases, Web Page Defacements]

Source: KISA KISC Monthly Report


II. Internet Threat Status (3/3)

Focusing Areas

  • Responding Web Hacking

  • Responding Malicious Codes

[Figure labels: Vulnerability; BOTNet (Zombies)]

“Only 20% of Windows users are up-to-date with patches”

Timeline:

  • Vulnerability: ’04.1.27

  • Vulnerability Patch: ’04.4.13

  • Sasser Worm Outbreak: ’04.5.1


III. Responding Malicious Codes

Mitigation of BOTnet

[Chart: BOT Infected PCs, Total IP vs. Korean IP. Source: KISC Monthly Report (July)]

  • Botnet is one of the biggest threats to the Internet

    • Too many PCs in Korea get infected by BOTs

    • Abused for spamming, phishing, etc.

Src: http://en.wikipedia.org/wiki/Botnet


III. Responding Malicious Codes

  • Working with ISPs/NSPs

    • Nuking BOTNET C&C (Command & Control) activity (Korea only)

  • Cooperation with Dynamic DNS providers to terminate BOTNET C&C DNS RRs

  • Cooperation with foreign CERTs/ISPs/NSPs to block and take down IP addresses used as BOTNET C&C servers


III. Responding Malicious Codes

  • Filtering Botnet C&C IPs

  • Terminating Botnet C&C DNS RRs

  • Collecting Bot samples and sharing them with AV vendors

  • Using ISP DNS for a DNS Sinkhole

    • So far 4,691 Botnet DNS RR entries

    • Applied to major KR ISP DNS servers

  • Forcing users to patch Windows vulnerabilities with help from major portal and on-line game sites

[Figure: Botnet sinkhole activity]

[Figure: BOT infected Korean PCs worldwide]
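The useful output of an ISP-side sinkhole is the list of resolver clients that still ask for C&C names. As an added example (not KISC or ISP code), this Python script reads constructed resolver query-log lines, matches them against a constructed sinkhole list (handling upper-case names, trailing root dots and throwaway subdomains of a dynamic-DNS zone) and reports the infected clients per C&C name.

```python
"""Find bot-infected clients in ISP resolver logs of sinkholed C&C names. Added
example, not KISC/ISP code; log format, sinkhole list and log lines are constructed."""
from collections import defaultdict

# Constructed sinkhole list: C&C names the ISP resolver answers with a sinkhole.
SINKHOLED_NAMES = {"cnc1.example.net", "bots.dyn.example.org"}

# Constructed resolver query log: "<timestamp> <client ip> <qname> <qtype>".
SAMPLE_QUERY_LOG = """\
2005-07-01T02:00:01 10.0.0.5 cnc1.example.net A
2005-07-01T02:00:02 10.0.0.5 CNC1.EXAMPLE.NET. A
2005-07-01T02:00:05 10.0.0.9 www.example.com A
2005-07-01T02:01:10 10.0.0.7 x7kq.bots.dyn.example.org A
2005-07-01T02:01:11 10.0.0.7 cnc1.example.net A
2005-07-01T02:02:00 10.0.0.9 mail.example.com MX
"""

def normalize(qname):
    """DNS names are case-insensitive; drop the trailing root dot as well."""
    return qname.rstrip(".").lower()

def sinkholed_parent(qname, sinkhole=SINKHOLED_NAMES):
    """Return the sinkholed name that qname equals or sits under, else None.
    Bots use throwaway subdomains of dynamic-DNS zones, so parents are checked too."""
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in sinkhole:
            return candidate
    return None

def sinkhole_hits(log_text, sinkhole=SINKHOLED_NAMES):
    """Map each sinkholed C&C name to the set of client IPs that queried it."""
    hits = defaultdict(set)
    for line in filter(None, log_text.splitlines()):  # skip empty lines
        _ts, client, qname, _qtype = line.split()
        name = sinkholed_parent(qname, sinkhole)
        if name:
            hits[name].add(client)
    return dict(hits)

def infected_clients(log_text, sinkhole=SINKHOLED_NAMES):
    """Distinct clients that resolved any sinkholed name (the slide's BOT count)."""
    return set().union(*sinkhole_hits(log_text, sinkhole).values())

if __name__ == "__main__":
    for name, clients in sorted(sinkhole_hits(SAMPLE_QUERY_LOG).items()):
        print(f"{name}: {len(clients)} infected client(s)")
    print("infected clients:", sorted(infected_clients(SAMPLE_QUERY_LOG)))
```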


III. Responding Malicious Codes

Malicious Codes Analysis

MC Sample sources

[Figure: Honeynet (target of worm attacks from the Internet) and Mgmt Server feeding samples into the Analysis Lab]

We analyze malicious codes that cause a high volume of garbage network traffic.

  • Our analysis focuses on

    • Network traffic

    • Protocols and ports

    • Malicious behaviors (registry operations, file operations, etc.)

    • Probability of information theft

How can we respond rapidly and effectively?


III. Responding Malicious Codes

Malicious Codes Analysis Tool: MCAT

  • On-line analysis

  • Analysis tool combined with a honeypot for maximum effect

Before: manual analysis of a process's internal behaviors with FileMon, RegMon, Sniffer, Netstat, etc. (about 30 minutes)

  • System modifications

    • Creation and deletion of files

    • Creation, modification and deletion of registry entries

  • Network impact

    • Traffic

    • Payload contents

    • Detecting backdoors

After: New Analysis Tool (MCAT), less than 5 minutes, simple behavior report

  • System information

    • # of processes, threads

    • Termination of processes (AV SW)

  • System modifications

    • Creation, deletion of files

    • Creation, modification, deletion of registry entries

  • Network impact

    • Traffic and characteristics

    • Backdoors

  • Etc.

    • Timers (coordinated attack time)


III. Responding Malicious Codes

Survival Time - Measuring Degree of Internet Attack Status

[Figure: KISC Honey Net exposed to the Internet, with a detection mechanism, a time checking mechanism and a recovery mechanism]

  • The survival time is calculated as the average time between reports of an average target IP address (ISC, SANS)

  • Survival time Analysis System (SAS)

    • SAS is a system to automate the measurement of survival time and is a part of the KISC Honeynet

    • SAS consists of an analysis mechanism and a collection of PCs with unpatched WinXP/SP1, Win2K/SP4, and so on.
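Survival time computed as the slide defines it. This added Python example (not KISC or SANS ISC code) takes constructed honeynet sensor reports, averages the gap between consecutive reports for each target IP and then averages across targets; a target that was probed only once has no interval and is left out rather than counted as zero.

```python
"""Survival-time estimate from honeynet probe reports, following the slide's
definition: average time between reports seen by an average target IP address.
Added example, not KISC or SANS ISC code; log format and sample lines are constructed."""
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed sensor log: "<UTC timestamp> <target ip> <source ip> <dst port>".
SAMPLE_LOG = """\
2005-11-17T09:00:00 192.0.2.10 198.51.100.7 445
2005-11-17T09:12:30 192.0.2.10 198.51.100.9 135
2005-11-17T09:30:00 192.0.2.10 203.0.113.4 445
2005-11-17T09:05:00 192.0.2.11 203.0.113.8 1433
2005-11-17T09:45:00 192.0.2.11 198.51.100.3 445
2005-11-17T10:00:00 192.0.2.12 203.0.113.2 139
"""

def parse_reports(log_text):
    """Return {target_ip: [timestamps]} from the constructed log format."""
    reports = defaultdict(list)
    for line in filter(None, log_text.splitlines()):
        ts, target, _src, _port = line.split()
        reports[target].append(datetime.fromisoformat(ts))
    return reports

def per_target_survival(timestamps):
    """Average gap in minutes between consecutive reports for one target IP.
    A target with fewer than two reports has no interval and yields None."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(ts, ts[1:])]
    return mean(gaps) if gaps else None

def survival_time_minutes(log_text):
    """Average of the per-target averages: the 'average target IP' figure."""
    values = [v for v in map(per_target_survival, parse_reports(log_text).values())
              if v is not None]
    if not values:
        raise ValueError("need at least one target IP with two or more reports")
    return mean(values)

if __name__ == "__main__":
    print(f"survival time: {survival_time_minutes(SAMPLE_LOG):.1f} minutes")
```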


IV. Responding Web Hacking Incidents

Web Hacking incidents in Korea

[Figure labels: Hacking; Increased; Vulnerability]

  • Hackers armed with search engines and automated defacing tools

  • More than 7,000 web pages were defaced during Dec 2004 and Jan 2005

    • Mostly by Latin American hackers

    • Unpatched BBS sites run by individuals were targeted

    • Multiple websites on one host (virtual hosting sites)

  • Vulnerabilities in public domain BBS software were disclosed without patches

  • Vulnerabilities in some security software


IV. Responding Web Hacking Incidents

Web Hacking Prevention Activities

  • Finding and patching vulnerabilities in public domain BBS software

    • Found more than 100 unpatched vulnerabilities in 20 software packages and supported getting them patched

    • Organized training courses for the developers

  • Etc.

    • Vulnerability analysis support for more than 3,000 hosts residing in small web hosting companies


V. Further Works

Responding New Threats

  • Web hacking skills have been evolving continuously and are abused for information theft

    • From June 2005, attempts to steal game site IDs and passwords have been increasing

    • These kinds of incidents are mostly related to web hacking

  • New ways of responding to emerging threats

    • KISC Honeynet is also evolving for the proper response.

    • Adware/Spyware problem

    • Phishing for Korean banks is an emerging threat getting much attention from civil society and the press.


Cooperation with Neighbors

[Figure: Cooperation, Information Sharing, Cooperated Drills; attack: Malicious codes, DDoS]


Q&A

For more information

Please contact [email protected]

