About authors
Sang Wook Seo (Speaker)
Ø General Researcher, National Cyber Intelligence Team, Korea Internet & Security Agency
Ø Ph.D. Course, Graduate School of Information Security, Korea University
Ø Big Data System & Data Architect, Data Mining & Machine Learning in Security
Jung Hee Kim
Ø Director, Cyber Threat Intelligence Center, Korea Internet & Security Agency
Ø Director of National & Global Cyber Threat Intelligence Cooperation in Korea
Dong Ryun Lee
Ø Manager, National Cyber Intelligence Team, Korea Internet & Security Agency
Ø Coordinator of National Cyber Threat Intelligence Network in Korea
Huy Kang Kim
Ø Associate Professor, Graduate School of Information Security, Korea University
Ø Founder of A3 Security Consulting (1999), Technical Director of NCSOFT (2004-2010)
Ø Online Game Security, Fraud Detection System, Network & System Security
Contents
1. C-TAS System
1-1. Introduction to C-TAS System
The C-TAS system was developed to prevent the spread of harm from cyber incidents by collecting, analyzing and disseminating cyber threat information.
1-2. Motivation & History
v 12.05 ~ 12.11 : MMS 1.0 & MML 1.0
v 13.08 ~ 13.12 : MMS 1.1 & MML 1.1
v 13.09 ~ 14.07 : C-TAS 1.0 & C-TAS 1.0
v 15.05 ~ 15.12 : C-TAS 1.1 & C-TEX 1.1 (MMS -> TIMS)
v 16.05 ~ 16.12 : C-TAS 1.2 & C-TEX 1.2 (with STIX 1.2)
v 17.05 ~ 17.12 : C-TAS 2.0 & C-TEX 2.0 (with STIX 2.0)
v by KISA(Korea Internet & Security Agency), August 2014
v 7.7 DDoS Attack (2009) & 3.4 DDoS Attack (2011)
v NH APT Attack (2011) & 3.20 APT Attack (2013, DarkSeoul)
v Korea Hydro & Nuclear Power Hacking (2014)
v C-TAS : Cyber Threat Analysis & Sharing
v C-TEX : Cyber Threat EXpression
v MMS : Malware Management System
v MML : Malware Markup Language
v TIMS : Threat Intelligence Management System
1-3. Collecting Cyber Threat
Figure: cyber threat collecting and sharing flow. Labels: Malware, Domain/IP, Vulnerability; KISA Detection Systems; C-TAS Participants; Agent; Website; Web API; Collecting Agent (automatically); Cyber Threat Collecting; Cyber Threat Sharing; C-TAS System.
Cyber Threat : Malware, Malicious Domain/IP, Vulnerability Info and etc
Collecting Method : Agent, Web API, Website
The ways to disseminate cyber threats are :
Ø Web API to respond to cyber threats in real time
Ø Website to download & upload cyber threats manually
Ø STIX/TAXII 2.0 will be supported in 2018
1-4. Disseminating Cyber Threat
C-TEX & STIX 2.0 (2018)
The ways to disseminate are:
① Web API (export API) & TAXII (2018)
② Website (https://cshare.krcert.or.kr)
C-TAS Participants
If you want cyber threats, you must share cyber threats (no free-riding)
You can get the same types of cyber threat you share (type symmetric)
The amount you share decides your grade (4 grades)
Higher grades give you additional information (quality symmetric)
1-5. Sharing Policy
Depending on the grade
The sharing policy is:
① No free-riding
② Type & Quality Symmetric
C-TAS Participants
1-6. C-TEX Sample
C-TEX 1.2 (XML)
C-TEX 2.0 (JSON)
1-7. C-TEX to STIX
C-TEX 1.2 (XML)
STIX 1.2 (XML)
1-8. Supports for C-TAS Participants
Figure: C-TAS Analysis Module. Labels: C-TAS; C-TAS Analysis Module; Users; C-TAS Participant; Export API; ① C-TAS Converter; ② Elasticsearch; ③ Kibana; Storage.
C-TAS AM : Tool for C-TAS participants to search and visualize cyber threats easily
Logstash is replaced by C-TAS Converter to support C-TEX
Elasticsearch helps C-TAS participants to search cyber threats
Kibana helps C-TAS participants to visualize cyber threats
1-9. Cyber Threat Use Cases
For All Participants
Figure: C-TAS Threat DB; ① Export API to C-TAS Participants; ② Apply to Firewall / IDS / IPS.
For AV & Security
Figure: C-TAS Threat DB; ① Export API to C-TAS Participants; ② Update Malware Signatures; ③ Malware diagnostics for Antivirus Users.
For Web Service
Figure: USER; ① Upload File to Blog / Board; ② File Storage; ③ Compare the file hash to Threat DB (C-TAS Threat DB, Export API, C-TAS Participants).
2. C-TEX Structure
2-1. Introduction to C-TEX
v To make it easy for everybody to share cyber threats
v Even for kids!
v Markup Language to express cyber threats
v 12.05 ~ 12.11 : MMS 1.0 & MML 1.0
v 13.08 ~ 13.12 : MMS 1.1 & MML 1.1
v 13.09 ~ 14.07 : C-TAS 1.0 & C-TAS 1.0
v 15.05 ~ 15.12 : C-TAS 1.1 & C-TEX 1.1 (MMS -> TIMS)
v 16.05 ~ 16.12 : C-TAS 1.2 & C-TEX 1.2 (with STIX 1.2)
v 17.05 ~ 17.12 : C-TAS 2.0 & C-TEX 2.0 (with STIX 2.0)
v C-TAS : Cyber Threat Analysis & Sharing
v C-TEX : Cyber Threat EXpression
v MMS : Malware Management System
v MML : Malware Markup Language
v TIMS : Threat Intelligence Management System
2-2. C-TEX Structure
CML (Collect Markup Language)
Ø Address, Sample, Vulnerability
IML (Incident Markup Language)
Ø Details on cyber Incident
DML (Domain Markup Language)
Ø Details on registered Domain
HML (Host Markup Language)
Ø Details on hacked Host
SML (Sample Markup Language)
Ø Details on malware Sample
VML (Vulnerability Markup Language)
Ø Details on Vulnerability info
AML (Adversary Markup Language)
Ø Details on Adversary
Collect Markup Language: Address(Domain/IP), Sample(Malware), Vulnerability(Vulnerability)
Core Markup Languages: Incident, Domain, Host, Sample, Vulnerability, Adversary
2-3. C-TEX Schema
2-4. C-TEXg Structure
Figure: C-TEXg structure. Adversary -conduct-> Incident 1, Incident 2; Incident -found-> Sample, Host, Vulnerability; edge labels among Sample, Host and Vulnerability: control, infect, spread, exploit, drop, relay; Host -register-> Domain.
AML (Adversary) has relationships with IML (Incident)
IML (Incident) has relationships with HML (Host), SML (Sample), VML (Vulnerability)
HML (Host), SML (Malware), VML (Vulnerability) have relationships with each other
HML (Host) has a relationship with DML (Domain)
2-5. C-TEXg Schema
2-6. Internal Sources
Cyber Threat Detection Systems
Ø Web Crawler
Ø DDoS Defense System
Ø Email Detection System
Ø Mobile Detection System
Ø Honeypot/Honeynet
Ø DNS Sinkhole
Ø etc.
Threat Intelligence Mngmt. System
Ø Incident Mngmt. System
Ø Malware Mngmt. System
Ø Vulnerability Mngmt. System
Cyber Threat Detection Systems collect cyber threats in CML
The analysts turn cyber threat information into intelligence in IML, HML, SML, VML, AML
2-7. C-TEX Use Case (Drive By Download)
Figure 1: drive-by-download chain expressed in C-TEX. Node types: Website (landing pages such as domain1.com/1, domain3.co.kr/2), Malware (dropped files such as qqkj.emf, vire.emf, upvd.emf), C2 (192.187.127.xxx). Annotations: Same Domain, Same Hosting Company.
Figure 2: the chain extended with further websites, malware files (e.g. eyip.exe, hlkk.exe, kasm.exe) and a second C2 address (121.115.165.xxx). Node types: Website, Malware, C2.
2-8. C-TEXg Use Case (Drive By Download)
3. Big Data in C-TAS
3-1. Big Data Platform in C-TAS
Figure: Big Data Platform in C-TAS (layers labelled Disseminating, Application).
3-2. Big Data Analysis in C-TAS
# Network analysis with the sna package (R)
library(sna)
# Edge list (source, target) and node list exported from C-TAS as CSV
edgelist <- read.csv(file = "edgelist.csv", header = TRUE, sep = ",")
nodelist <- read.csv(file = "nodelist.csv", header = TRUE, sep = ",")
edgelist <- as.matrix(edgelist)
nodelist <- as.matrix(nodelist)
# Directed 0/1 adjacency matrix indexed by node name (25 nodes in this example)
n <- nrow(nodelist)
adjacency <- matrix(data = 0, nrow = n, ncol = n)
rownames(adjacency) <- nodelist
colnames(adjacency) <- nodelist
adjacency[edgelist] <- 1   # character indexing by (row name, column name)
# Freeman (total in + out) degree centrality, self-loops ignored
centrality <- degree(dat = adjacency, gmode = "digraph", diag = FALSE,
                     cmode = "freeman", rescale = FALSE)
# Circular graph plot; vertex size scales with centrality
gplot(dat = adjacency, mode = "circle", label.cex = 0.8, edge.col = "grey",
      displaylabels = TRUE, vertex.cex = sqrt(centrality),
      vertex.col = "white", label.pos = 5)
# Bar chart of nodes ranked by centrality; low-centrality nodes (< 3) in red
plot_data <- data.frame(nodelist, centrality)
plot_data <- plot_data[order(-centrality), ]
barplot(plot_data[, 2], names.arg = plot_data[, 1],
        col = ifelse(plot_data[, 2] < 3, "red", "blue"),
        xlab = "node", ylab = "centrality", main = "TNA")
Chart: Top Related
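The degree-centrality step of section 3-2, re-implemented in Python over a graph shaped like the section 2-7 drive-by-download use case (websites serving malware files that call back to one C2 address). This is an added example, not code from the C-TAS project; the edge list and node names are constructed, and it reproduces sna::degree with gmode="digraph", cmode="freeman", diag=FALSE plus the red/blue ranking of the bar chart.

```python
"""Freeman degree centrality over a drive-by-download relationship graph.

Added example, not code from the C-TAS project: re-implements in Python the
sna::degree(gmode="digraph", cmode="freeman", diag=FALSE) step of section 3-2
and the ranking/colouring of its bar chart, over a constructed edge list shaped
like the section 2-7 use case (websites serving malware files that call back
to one C2 address). Node names are illustrative, not real indicators.
"""
EDGES = [
    ("domain1.com/1", "qqkj.emf"),
    ("domain2.or.kr/1", "qqkj.emf"),
    ("domain3.co.kr/1", "vire.emf"),
    ("domain4.co.kr/1", "vire.emf"),
    ("domain5.com/1", "upvd.emf"),
    ("qqkj.emf", "192.187.127.xxx"),
    ("vire.emf", "192.187.127.xxx"),
    ("upvd.emf", "192.187.127.xxx"),
]

def adjacency_matrix(edges):
    """Node list plus a 0/1 directed adjacency table (source -> target)."""
    nodes = sorted({n for edge in edges for n in edge})
    adj = {u: {v: 0 for v in nodes} for u in nodes}
    for u, v in edges:
        if u != v:  # diag=FALSE: self-loops do not count
            adj[u][v] = 1
    return nodes, adj

def freeman_degree(nodes, adj):
    """Total degree (in + out) per node, as sna's cmode="freeman" on a digraph."""
    out_deg = {u: sum(adj[u].values()) for u in nodes}
    in_deg = {v: sum(adj[u][v] for u in nodes) for v in nodes}
    return {n: out_deg[n] + in_deg[n] for n in nodes}

def ranked_centrality(edges, low=3):
    """[(node, centrality, colour)] sorted by centrality desc, then name.
    colour mirrors the 3-2 bar chart: centrality < low is "red", else "blue".
    """
    nodes, adj = adjacency_matrix(edges)
    cent = freeman_degree(nodes, adj)
    rows = [(n, cent[n], "red" if cent[n] < low else "blue") for n in nodes]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

if __name__ == "__main__":
    for node, c, colour in ranked_centrality(EDGES):
        print(f"{node:18s} {c:2d} {colour}")
```

The shared C2 address and the malware files reached from several websites rank highest, which is the pivot the Top Related chart is meant to surface.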