Hiroshima Prefectural Government - Trend Micro Internet...

Case Study
Cyber Attack Protection
Hiroshima Prefectural Government
Deep Discovery Inspector™
Trend Micro Premium Support Program

Experiencing an attack drove the customer to implement countermeasures against targeted cyber attacks. Deep Discovery Inspector provided network-wide visibility so that malicious behavior and access can be detected and eliminated in advance.

Customer Profile
Hiroshima Prefectural Government
With two World Heritage sites, the Hiroshima Peace Memorial Dome and the Itsukushima Shrine, Hiroshima Prefectural Government is responsible for the core administration of a manufacturing prefecture which forms the foundation of the Setouchi industrial region.
Location: Hiroshima, Japan
Number of Employees: 5,963 (Hiroshima Prefecture, as of 1 April 2013)

CHALLENGE
Threats delivered by a targeted email attack got into the customer's environment. Although information leakage was avoided, Hiroshima Prefectural Government recognized the need for more diversified countermeasures, and for systems that would let them establish precisely, from communication logs, what damage had occurred if the worst should happen. How can the customer protect against new threats and damage that traditional antivirus countermeasures cannot cover?

RESULTS
The customer can now "visualize" threats through network-wide visibility. They have established a system with which they track and fix problems swiftly when incidents occur, and have reinforced their security against targeted cyber attacks. Threats are detected and eliminated quickly by monitoring suspicious communications in real time.

Implemented Products/Solutions
Deep Discovery Inspector™
Trend Micro Premium Support Program


Challenge

Surrounded by an abundance of natural beauty, such as the Seto Inland Sea and the Chugoku Mountains, Hiroshima Prefecture promotes itself as a tourist destination. In local government operations, Hiroshima Prefectural Government promotes the adoption of advanced IT systems, such as a paperless meeting system using tablet devices. It is critical for a local government to implement appropriate security countermeasures on the systems that handle citizens' information. On this point, Hirofumi Nishida of the Office of Administration and Management, Information Platform Group, says: "We mainly manage the infrastructure of the systems for employees, and on these, a lot of applications which handle the information of our citizens are running. Because the data is transmitted on this infrastructure, security countermeasures are still critical there." Accordingly, they had secured their business PCs and IT systems with countermeasures such as antivirus and firewalls.

However, in April 2012, Hiroshima Prefectural Government experienced an incident: a threat got into their environment via a targeted email attack aimed at the local government. Specifically, the Prefectural Board of Education received four emails entitled "Regarding the extension of measures against North Korea". Although a notification from the Ministry of Internal Affairs and Communications urging caution about suspicious emails disguised as information regarding North Korea arrived directly afterwards, two employees had already opened the file attached to the email. They immediately inspected the communication logs. Although swift cleanup prevented any expansion of damage, they found signs of an encrypted backdoor connection toward addresses in China. "There was only one instance of connection. We publicly announced that, judging from changes in the amount of traffic, it was difficult to imagine that important information had leaked," says Nishida. On the other hand, analysis of the firewall and proxy logs alone could not definitively establish that "there was no real harm": such logs record that a connection occurred and roughly how much traffic it carried, not what passed through an encrypted session. "In order to prevent a re-occurrence, it was critical to create a situation in which we could regularly confirm the status of communication on the network, and detect and clean up threats quickly should an intrusion occur. At the same time, we also felt that logs remaining as evidence were essential," says Akitoshi Murakawa, also of the Information Platform Group.

Solution

The Hiroshima Prefectural Government started working on countermeasures focused on "C&C communication", to monitor backdoor communications, and "lateral movement", to monitor internal activity inside its network. "In the investigation we were conducting to update our backbone network, we decided to add one requirement: 'visualizing communications in real time'," says Hitoshi Okano of the Information Platform Group, looking back. While they reviewed the proposals of each vendor, they also ran several candidate systems to evaluate them. In the end, they chose Trend Micro's Deep Discovery Inspector™ (DDI), which detects threats via three methods: static analysis, dynamic analysis and behavioral analysis. Okano explains the reason for the selection: "During the two-week test, we really realized that DDI could visualize detailed events, such as 'access using network sharing' and 'evidence of failed logins'. Additionally, because reports such as event logs and risk levels could also be created and output in our language, Japanese, we could quickly utilize them as evidence when an incident occurs. This is exactly what we were looking for." Furthermore, they had been using OfficeScan™ Corporate Edition as antivirus on their business PCs. From the perspective of operational control, the advantage of consolidating security solutions on one vendor's products also supported the adoption of DDI. They also adopted the security operation management support service, Trend Micro Premium Support Program (PSP), at the same time. In addition to operational support for the implemented Trend Micro products, it provides swift recovery assistance during incidents, malware sample analysis, and emergency virus pattern files when new viruses or variants appear. They adopted this support to further reinforce their security against targeted cyber attacks.

Results

Hiroshima Prefectural Government now connects DDI to a mirror port on the core switches into which their internal LAN is consolidated, and monitors the Internet access of each employee. Because a mirror port delivers a copy of the traffic, DDI observes out of band: detection by itself does not block a session, so the notification and response path described below is what turns an alert into cleanup. Furthermore, they established an environment in which they can monitor every system and file server within the LAN. Thanks to DDI, Hiroshima Prefectural Government now lowers various risks of targeted cyber attacks. For example, in recent years, techniques in which websites infected with malicious programs spread the infection by redirecting those who click a URL to a malicious website have been increasing. "Although it is quite difficult to recognize cases such as those which involve redirection to a malicious website, DDI can visualize these malicious links and notify us," says Murakawa. Communication status can be confirmed in real time via the DDI dashboard. A system engineer stationed on site handles daily operations. Their basic routine is to verify daily reports on the following business day, but they also receive an email notification immediately when urgent events, such as suspicious access to a file server, are detected. These are collected and reviewed in a monthly report. Moreover, with PSP, they established a flexible operational management system that lets them track and deal with problems quickly when suspicious behavior is identified. "We don't know when an incident will occur. But the great sense of security that we have obtained from DDI, which visualizes threats and prevents them in advance, together with the 24/365 operation of the PSP, is the greatest accomplishment. We are extremely satisfied," says Nishida, in conclusion.
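The two monitoring goals named above, C&C (backdoor) communication and lateral movement, can be illustrated with two heuristics run over connection metadata, which is the kind of data a sensor on a mirror port sees and which firewall and proxy logs retain even when the session itself is encrypted. The script below is an added example written for this page; it is not Deep Discovery Inspector's detection logic and not code from Hiroshima Prefecture. The log formats, the internal address range 10.20.0.0/16, the thresholds and every log line are constructed for the illustration. The first check flags an internal host contacting one external address at near-constant intervals (a timer-driven backdoor); the second flags a host whose failed logins spread across several internal targets in a short window (the "evidence of failed logins" pattern the text mentions).

```python
"""Added example: two metadata-only heuristics for the monitoring goals in
the case study (C&C/backdoor beaconing, lateral movement). Not DDI's logic;
log formats, thresholds, the internal range and all log lines are assumed
or constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
import ipaddress

# Assumption: the organisation's own LAN range, used to separate egress
# from internal traffic (a real deployment would list its actual prefixes).
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]

# Constructed proxy/firewall export (hypothetical format):
# timestamp src dst:port action
PROXY_LOG = """\
2012-04-10T09:00:00 10.20.1.15 203.0.113.8:443 CONNECT
2012-04-10T09:00:04 10.20.1.22 198.51.100.7:443 CONNECT
2012-04-10T09:05:01 10.20.1.15 203.0.113.8:443 CONNECT
2012-04-10T09:09:59 10.20.1.15 203.0.113.8:443 CONNECT
2012-04-10T09:11:40 10.20.1.22 198.51.100.9:80 CONNECT
2012-04-10T09:15:02 10.20.1.15 203.0.113.8:443 CONNECT
2012-04-10T09:20:00 10.20.1.15 203.0.113.8:443 CONNECT
2012-04-10T09:31:17 10.20.1.22 198.51.100.7:443 CONNECT
"""

# Constructed authentication events seen on the LAN (hypothetical format):
# timestamp src target user result
AUTH_LOG = """\
2012-04-10T09:21:03 10.20.1.15 10.20.5.10 admin FAIL
2012-04-10T09:21:05 10.20.1.15 10.20.5.11 admin FAIL
2012-04-10T09:21:06 10.20.1.15 10.20.5.12 admin FAIL
2012-04-10T09:21:08 10.20.1.15 10.20.5.13 admin FAIL
2012-04-10T09:21:09 10.20.1.15 10.20.5.14 admin FAIL
2012-04-10T09:21:20 10.20.1.15 10.20.5.14 admin OK
2012-04-10T10:02:30 10.20.1.40 10.20.5.10 suzuki FAIL
2012-04-10T10:03:00 10.20.1.40 10.20.5.10 suzuki OK
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def _is_internal(host):
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in INTERNAL_NETS)


def find_beacons(log, min_hits=5, max_jitter=0.15):
    """Flag (src, dst) pairs where an internal host contacts one external
    address at a near-constant interval. Only timing and destination are
    used, so an encrypted session the proxy cannot decrypt is still caught.
    Returns [(src, dst, hits, mean_interval_seconds)]."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, src, dst, _action = line.split()
        host = dst.rsplit(":", 1)[0]
        if _is_internal(host):
            continue  # internal-to-internal traffic is not C&C egress
        seen[(src, host)].append(_ts(ts))
    hits = []
    for (src, host), times in seen.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mu = mean(gaps)
        # coefficient of variation: little spread around the mean = a timer
        if mu > 0 and pstdev(gaps) / mu <= max_jitter:
            hits.append((src, host, len(times), round(mu)))
    return hits


def find_lateral_movement(log, window_s=300, min_fail=5, min_targets=3):
    """Flag sources whose failed logins inside window_s seconds spread over
    several distinct targets, the trace left by trying credentials against
    file servers and PCs. Returns [(src, failed_in_window, distinct_targets)]."""
    fails = defaultdict(list)
    for line in log.splitlines():
        ts, src, target, _user, result = line.split()
        if result == "FAIL":
            fails[src].append((_ts(ts), target))
    hits = []
    for src, events in fails.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            window = [tgt for t, tgt in events[i:]
                      if (t - t0).total_seconds() <= window_s]
            if len(window) >= min_fail and len(set(window)) >= min_targets:
                hits.append((src, len(window), len(set(window))))
                break  # one alert per source is enough
    return hits


if __name__ == "__main__":
    for src, dst, n, gap in find_beacons(PROXY_LOG):
        print(f"possible C&C beacon: {src} -> {dst}, {n} hits every ~{gap}s")
    for src, n, targets in find_lateral_movement(AUTH_LOG):
        print(f"possible lateral movement: {src}, {n} failed logins on {targets} hosts")
```

Run directly, the script reports the single beaconing pair and the single credential-spraying host in the constructed data. The thresholds (five hits with at most 15% jitter; five failures across three or more hosts within five minutes) are starting points to be tuned against the real LAN's baseline, and the timestamps the checks rely on are exactly the "logs remaining as evidence" that Murakawa asks for.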



BR-CASE-007

Diagram of ‘Deep Discovery Inspector™’ utilized in Hiroshima Prefectural Government (figure not reproduced). Components shown: the Hiroshima Prefecture LAN with its file server, business PCs and other systems; the proxy server and switch; Deep Discovery Inspector™ attached to the switch; and the Internet.


Pictured (left): Mr. Akitoshi Murakawa, Chief Examiner, Information Platform Group, Office of Administration and Management, General Affairs Bureau, Hiroshima Prefecture
Pictured (right): Mr. Hitoshi Okano, Manager, Information Platform Group, Office of Administration and Management, General Affairs Bureau, Hiroshima Prefecture
*Mr. Okano’s title is as of the time of implementation

DDI monitors suspicious activities such as:
Malicious email disguised as business related
Suspicious communications using a backdoor
Evidence of failed logins

Contacts:
Hiroshima Prefecture, General Affairs Bureau, Office of Administration and Management, Information Platform Group
Chief Examiner: Mr. Hirofumi Nishida

©2013 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product and/or company names may be trademarks or registered trademarks of their owners. Information contained in this document is accurate as of October, 2013, and subject to change without notice.
