Copyright (c) AhnLab, Inc. 1988-2011. All rights reserved.
Changing Security Awareness Training
in Response to Targeted Attacks,
Using Korean IT Cultural Characteristics
10th November 2011
Hojin Park
A-FIRST(AhnLab-Forensic and Incident Response Service Team)
Principal Security Researcher, CISSP, EnCE
Youngjun Chang
ASEC(AhnLab Security Emergency response Center)
Senior Advanced Threat Researcher, CISSP
Contents
I. Increase of social engineering attacks
1. Motives behind malware creation changing
2. Targeted attacks and Advanced Persistent Threats (APTs) on the rise
3. Cultural characteristics of Korea’s IT
4. Social engineering of targeted attacks based on Korean IT culture
5. Korean targeted attacks and APTs, and insufficient Security Awareness Training
II. Transition of Security Awareness Training
1. Need for security awareness training
2. Essential requirements of security awareness training
3. Properties of security awareness training
III. Movement of Security Awareness Training
1. Increasing role of SOC
2. Summary
Motives behind malware creation changing
Rapid increase in malware every month
The number of malware infections reported to AhnLab has increased by approximately 62% compared to two years ago
Monetary profit has been the biggest cause of the increase in malware
Targeted attacks and Advanced Persistent Threats (APTs) on the rise
In the past: malware was created as a hobby, to show off, or as a prank
Present: targeted attacks, APTs, etc. (attacks with a specific purpose)
The sophistication and risk of these attacks have increased greatly
[Figure labels: Pranks and Hobbies, Organized Crime, Industrial Espionage, APT]
Cultural characteristics of Korea’s IT
A wide variety of online services exists
Government, online gaming, online shopping, online banking, etc.
Social engineering of targeted attacks based on Korean IT culture (1/3)
E-mail disguised as Korea Daegu Cyber Crime Division (Police agency)
Malware download link
Subject: Disguised as police agency
Download to write “Request reference to attendance” form
Social engineering of targeted attacks based on Korean IT culture (2/3)
E-mail disguised as a complaint about the use of illegal software
Subject: Disguised as Adobe complaints
Malware named “Result of a complaint”
Request to confirm the illegal use of Adobe Photoshop 7.0
Social engineering of targeted attacks based on Korean IT culture (3/3)
E-mail disguised as a credit card bill payment sent by the bank
Uses the same format that the real bank sends
Guides the user to a web page that looks like a real bill payment
Social engineering of targeted attacks based on Korean IT culture (3/3)
Malware attempts to infect by installing an ActiveX control from the web page
Attempts to infect by installing ActiveX
Installation guide disguised as a real security program
Korean targeted attacks and APTs, and insufficient Security Awareness Training
Attacks on Korean companies have changed from targeted attacks to the APT form of attack
[Figure labels: Attacker, Free software update server, DB Server]
1. Spreading the malware
2. Malware infection
3. Remote control
4. Connect to DB server
5. Data transfer to external server
6. Data transmit
Essential requirement of security awareness training
Opportunity
• As many people as possible
• Provide equal educational opportunities
Role
• Provide role-based training for trainees
Time
• Provide timely training
Verification
• Provide procedures for verification of educational results
Properties of security awareness training
[Figure labels: Security, Human]
Humans are also a part of the system and process
Security awareness training should not end as a mere formality
Increasing role of SOC
SOC (Security Operations Center)
• Risk Analysis
• Security Policy Making
• Implementation
• Threat Intelligence Research
• Security Education
Summary
Security awareness training is important in response to social engineering attacks based on regional IT culture
Opportunities, roles, timing and verification should be reflected in security awareness training
New security awareness training should be provided and reviewed by the SOC
Source) http://theurbanalchemist.com/spilt-milk-dont-cry-over-it/