avar2011 changing security_awareness_training

Copyright (c) AhnLab, Inc. 1988-2011. All rights reserved.

Changing Security Awareness Training in Response to Targeted Attacks, Using Korean IT Cultural Characteristics

10th November 2011

Hojin Park
A-FIRST (AhnLab-Forensic and Incident Response Service Team)
Principal Security Researcher, CISSP, EnCE

Youngjun Chang
ASEC (AhnLab Security Emergency response Center)
Senior Advanced Threat Researcher, CISSP

Upload: youngjun-chang

Post on 21-Jul-2015



Contents

I. Increase of social engineering attacks
1. Motives behind malware creation changing
2. Targeted attacks and Advanced Persistent Threats (APTs) on the rise
3. Cultural characteristic of Korea’s IT
4. Social engineering of targeted attacks based on Korean IT culture
5. Korean targeted attacks and APTs, and insufficient Security Awareness Training

II. Transition of Security Awareness Training
1. Need of security awareness training
2. Essential requirement of security awareness training
3. Properties of security awareness training

III. Movement of Security Awareness Training
1. Increasing role of SOC
2. Summary

Motives behind malware creation changing

Rapid increase of malware every month

The number of malware infections reported to AhnLab has increased approximately 62% compared to two years ago

Monetary profit has been the biggest cause of the increase in malware

Targeted attacks and Advanced Persistent Threats (APTs) on the rise

In the past: malware was created as a hobby, to show off, or as a prank

Present: targeted attacks, APTs, etc. (attacks with a specific purpose)

The sophistication and risk of these attacks have increased greatly

Diagram labels: Pranks and Hobbies; Organized Crime; Industrial Espionage; APT

Cultural characteristics of Korea’s IT

Existence of a variety of online services

Government, online gaming, online shopping, online banking, etc.

Social engineering of targeted attacks based on Korean IT culture (1/3)

E-mail disguised as Korea Daegu Cyber Crime Division (Police agency)

Malware download link

Subject: Disguised as police agency

Download to write “Request reference to attendance” form

Social engineering of targeted attacks based on Korean IT culture (2/3)

E-mail disguised as complaint of a use of illegal software

Subject: Disguised as Adobe complaints

Malware named as “Result of a complaint”

Request to confirm the illegal use of Adobe Photoshop 7.0

Social engineering of targeted attacks based on Korean IT culture (3/3)

E-mail disguised as a credit card bill payment notice sent by the bank

Uses the same format as the one the real bank sends

Guides the recipient to a web page that looks like a real bill payment

Social engineering of targeted attacks based on Korean IT culture (3/3)

Malware attempts to infect by installing an ActiveX control from the web page

Attempts to infect by installing ActiveX

Installation guide, disguised as a real security program

Korean targeted attacks and APTs, and insufficient Security Awareness Training

Attacks on Korean companies have changed from targeted attacks to APT-style attacks

Diagram labels: Attacker; Free software update server; DB Server

1. Spreading the malware
2. Malware infection
3. Remote control
4. Connect to DB server
5. Data transfer to external server
6. Data transmit

Need of security awareness training


Essential requirement of security awareness training

• Opportunity: As many people as possible; provide equal educational opportunities

• Role: Provide role-based training of trainees

• Time: Provide timely training

• Verification: Provide procedures for verification of educational results

Properties of security awareness training

Diagram labels: Security; Human

Humans are also a part of the system and process

Security awareness training should not end as a mere formality

Increasing role of SOC

Diagram labels: Risk Analysis; Security Policy Making; Implementation; Threat Intelligence Research; Security Education; SOC (Security Operations Center)

Summary

Security awareness training is important in response to social engineering attacks based on regional IT culture

Opportunities, roles, timing and verification should be reflected in security awareness training

New security awareness training should be provided and reviewed by the SOC

Source) http://theurbanalchemist.com/spilt-milk-dont-cry-over-it/

Thank you

The safest name in the world

Copyright (c) AhnLab, Inc. 1998-2011 All rights reserved. http://www.ahnlab.com | http://blog.ahnlab.com | http://twitter.com/ahnlab_man