Taiwan Cyber Security Development: TWCERT/CC and Taiwan Cyber Security Alliance

Learn about the achievements and initiatives of TWCERT/CC and the Taiwan Cyber Security Alliance in promoting network security and combating cyber threats. Discover the Taiwan APNOW service for anti-phishing and the Taiwan CCC for anti-botnet measures.

thaddeusm

Presentation Transcript


  1. TAIWAN CYBER SECURITY DEVELOPMENT. Chair Prof. Shian-Shyong Tseng, ASIA University; Chairman of the board of TWNIC & TWCERT/CC

  2. Outline (The 61st APTLD Member's Meeting in Taipei, Taiwan)
     • Introduction of TWCERT/CC and Taiwan Cyber Security Alliance
     • Achievements
     • Taiwan APNOW (Anti-Phishing Notification Window) service
     • Taiwan CCC (Cyber Clean Center) for Anti-Botnet
     • Promoting Network Security Awareness
     • Conclusions

  3. Network Security Issues -- Botnet

  4. History of TWCERT/CC (timeline figure; recoverable labels)
     • Phases: 1998-2009 (Phase I) Preparation phase, supported by TWNIC; 2010-2012 (Phase II) Operation phase, operated by TWNIC; 2013-> Phase III
     • Establishment / New member / Security Alliance: 1998/9 TWCERT/CC; 2001 TWNCERT; 2010/10 Taiwan Security Alliance; 2010/10 member TA-CERT launched; 2011/3 member NCC-CERT launched
     • International participation: 2001/10 Join FIRST; 2002 Join APCERT; 2003 Seoul, Melbourne Anti-Spam Agreement; 2009 JPCERT/CC MOU
     • Services: Version scan for DNS, Mail and Web server; DNS setup validation system; Anti-Phishing Notification Window; Cyber Clean Center; Anti-Phishing; Cyber Clean Center; NBEN security center setting; IDS
     • Working Group; Project; Training Course; Certification program
     • Meeting: Working group meeting every week; Advisory Committee meeting twice a year; Annual General meeting once a year
     • Training: 80 Security education every year; Security workshop each quarter

  5. Relationship between TWCERT/CC and other CERTs (diagram labels): FIRST; APCERT; CSIRT community; Oversea CSIRT; International cooperation; Other CERTs; TWCERT/CC; NCC CERT; Advisory Committee; TANet CERT; Domestic coordination based on social networking and collective intelligence; TWNCERT; EC-CERT

  6. Defense Organization for Network Security (diagram labels): Initials; Information Sharing; CERT; Attacks Info. Release; News / Events Release; Countermeasure Conduct; ISAC; Trends & Statistics Analyze; G-ISAC; Incidents Response; Incidents Analyze; Attacks Source Identify; A-ISAC; SOC; Incidents Detect; Data Collect; IASP; SOC

  7. Collaborative Defense Framework against Internet Crime
     • The network environment has become increasingly complex.
     • Because malware has multi-dimensional features, no single group or organization can handle all the related issues.
     • Establish a Collaborative Defense Framework to strengthen the monitoring mechanism and provide a platform for information sharing and data analysis.

  8. Organization of Taiwan Cyber Security Alliance
     • Objective: Establish joint defense to strengthen information security infrastructure
     • Long term: To be an independent and non-profit organization

  9. Achievements
     • Collaboratively standardizing the communication protocol for Botnet attack information through consensus building
     • Building the Taiwan APNOW (Anti-Phishing Notification Window) for Anti-Phishing
     • Building Taiwan CCC (Cyber Clean Center) for Anti-Botnet
     • Scanning the versions of DNS servers and analyzing the locations of IPs to promote cyber security awareness

  10. Taiwan Cyber Security Alliance Launched on 2010/9/23

  11. Web site of APNOW (Anti-Phishing Notification Window)

  12. APNOW mechanism (flow diagram with steps numbered 1 to 8; labels as extracted): Technical advice; ISP/Members: Notice & Takedown Phishing Site; Report; APNOW; Public authority; 10 hours; Report dispatch; Notice & Takedown Phishing Site; 6 hours; 8 hours; Check phishing site exist or not; Public authority shutdown phishing site; Return reporter; 10 hours; 14 hours; Phishing site alive less than 24 hours

  13. Instance handling principles

  14. APNOW Statistics: 1,031 instances since 2010Q4. Average uptime: 13.4 hours

  15. CCC Launched on 30 March 2012
     • Three services are provided on the web site:
     • Bot information query
     • Antidote download service
     • Malware prevention teaching

  16. Cyber Clean Center Project for Anti-Botnet – https://ccc.cert.org.tw/

  17. Workflow of Cyber Clean Center (flow diagram; recoverable steps and labels)
     • (1) Check source
     • (2) Auto send samples and instances to TWCERT/CC DB
     • (3a) Send IP addresses, timestamp, antidote download URL periodically
     • (3b) Send samples, timestamp, md5
     • (4) Inform ISPs
     • (5) Identify the owner
     • (6) Send an alert email to the customer
     • (7) Download antidote at no cost from the website
     • Other labels: Honeypot Deployment; TWCERT/CC; Infected PCs attack Honeypot; Bot-infected PCs; ICST; Internet Activities; TANet; SOCs; NCHC; Honeypot DB; Antidote DB & Query System; ISP, TANet, GSN; G-ISAC; AV Software vendor; TWCERT/CC CCC Website; Send developed antidote URL; Develop antidote

  18. Infection rate of Botnet: The proportion of infected domestic IP addresses shows a downward trend.

  19. Cyber security awareness by scanning the version of DNS Servers and analyzing the locations of IPs

  20. Statistics of versions of DNS servers in Taiwan: BIND9 is more secure and stable than other versions.

  21. Regional cyber security awareness by secure DNS servers (regions shown: North, Central, South, East, Islands)

  22. Available Data Sources for finding the location of IPs
     • .tw domain registration data
     • Traceroute every class C IP in Taiwan to find the router
     • Use DNS reverse name of router to identify router location
     • Questionnaire survey from end users and ISPs

  23. Statistics of Botnet location

  24. Conclusions
     • Using social networking structure to build the consensus is a good approach.
     • Promoting the cyber security awareness should be the 1st priority.
     • To be a sustainable and independent organization that can continuously learn to improve its performance over time.
     • We still have a long way to go.

  25. Q&A
