WiKi Security Skip to main content





A company (oil refinery)



As a global company, it operates a large number of information systems and is obliged to comply with legal regulations in the Information and Communication Network Act, it regularly explores vulnerabilities and hacks to professional firms every year. 
As the social issue of APT attack became big in the process of requesting diagnosis of annual simulation hacking of company A, there was no sharp countermeasure because A company did not introduce APT correspondence solution. 
Company consulted with our partner companies to lease APT correspondent solution for a short period of time, analyzed the APT attacks detected in the solution for enterprise system and discussed the measures. 
Checking the status of APT vulnerability on the terminal nodes on the corporate network of company A and establishing measures for it. - In case of APT-specific solution, it gives too much detection information, so there is a problem of detection of false positives or false positives Therefore; it is possible to obtain a practical effect by using a dedicated solution suitable for the correspondence. 
There is a risk of APT attacks, but it can be an effective way for enterprises or organizations that do not have a countermeasure solution or have a high introduction cost.



Company 2014, 1 month



Business and IT environment

Our customers are distributed nationwide, and it is difficult to apply collective IT policies and security policies because they perform various tasks such as manufacturing, refining, logistics, B2C and B2B. 
The network environment of the client company has a nationwide network, and it has a network structure that connects to the Internet by using the backbone switch of the headquarters.

Information protection environment

It is an environment where it is not easy to actively respond to security threats such as PCs, such as APT attacks, because A corporations distributed nationwide are environments that use various types of PC operating systems due to their different operating environments. 
It has a policy of installing antivirus on each PC and other terminals. It operates a virus wall on the network and supports zero-day attacks that are responding to malicious codes such as viruses on the network and PC terminals. - In addition, it provides internal and external business services through the nationwide network, but since the network is not separated, organizations in the blind spot of the security control of the company may be at serious risk if the malicious code is infected and spread to the nationwide network It is constituted that there is no outside.



  • We leased a dedicated APT solution to suit the customer's situation and installed it as a TAP on the backbone switch of the headquarters in consideration of the customer's network configuration and circuit speed.
  • The dedicated APT solution was located in the backbone network and collected all 3-week In / Out packets and operated according to the detection criteria provided by the internal engine. It is analyzed from various viewpoints to identify false positives or detections of detected malicious codes such as terminals communicating with external C & C servers in In / Out packets. 
  • We considered the accuracy of detection by not only detection based on simple domain / URL information but also DGA and Fast flux based on DNS information. 
  • When a PC terminal infected with ATP attack is identified, it prevents further spread of infection by blocking DNS synchhole and TCP connection in order to block the connection of the identified C & C server.
  • Based on the list of detected C & C servers, it is applied to the related security policy in blocking device such as Network Firewall / IPS.
  • The results of APT detection for 3 weeks and the measures to be taken are summarized, and APT diagnosis reports including infected PC status, detected C & C server address, and detailed results of infected malicious code analysis are provided.



- Selection of APT correspondence solution with high accuracy excluding false detection or detection of various types of APT attacks
- To overcome the limits of automated solutions and provide real and accurate APT vulnerability status, professional engineers analyze the results of the solution
- If necessary, repeatedly perform and respond twice a year (upper and lower half)



The following is a list of deliverables by stage.

Steps Key Activites Work-output
Identify the environment and install the solution - Identification of network configuration and status 
- Installation of APT-specific solution TAP 
- Detailed execution plan
- Equipment installation plan 
- Performance plan
APT Detection and Analysis - Solution policy enforcement and testing 
- Solution uptime and packet collection 
- Monitoring detection policy and detection results
Establish immediate action and improvement plan

- Detecting and detecting PC terminal that is sure to be infected with 
malicious code - Applying the list of detected C & C server to FW or IPS security policy
- Establishing analysis and improvement plan of PC terminal with possibility of malicious code infection but uncertain

- APT Vulnerability Analysis Report


Mounts. Made By Admin

© 2016. All Rights Reserved