CLIENT
Company A (oil refinery)
BACKGROUND AND TOPIC
As a global company, Company A operates a large number of information systems and is obliged to comply with the legal requirements of the Information and Communication Network Act; it therefore commissions a vulnerability assessment and penetration test from a professional firm every year.
While Company A was commissioning its annual penetration test, APT attacks had become a prominent public issue, but the company had no effective countermeasure because it had not deployed an APT response solution.
Together with our partner companies, we leased an APT response solution for a short period, analyzed the APT attacks that the solution detected on the enterprise systems, and discussed countermeasures.
The task was to assess the APT exposure of endpoints on Company A's corporate network and to establish countermeasures. - An APT-specific solution produces a very large volume of detection information, so false positives and missed detections are a problem; a practical result is obtained only when a dedicated solution suited to the response is combined with expert analysis of its output.
For enterprises or organizations that are exposed to APT attacks but have no countermeasure solution, or for which the cost of introducing one is high, this short-term leased approach can be an effective option.
PROJECT PERIOD
2014, 1 month
IT AND INFORMATION SECURITY ENVIRONMENT
Business and IT environment
The client's sites are distributed nationwide, and because they perform varied tasks such as manufacturing, refining, logistics, B2C and B2B, it is difficult to apply uniform IT and security policies.
The client operates a nationwide network in which all sites connect to the Internet through the backbone switch at headquarters.
Information protection environment
Because Company A's sites distributed nationwide use various PC operating systems suited to their different operating environments, it is not easy to respond actively to endpoint security threats such as APT attacks.
Policy requires antivirus on every PC and other endpoint. A virus wall on the network supports response to malicious code such as viruses, including zero-day attacks, on the network and on PC endpoints. - In addition, internal and external business services are provided over the nationwide network, but because the network is not segmented from the outside, there is no boundary to contain malicious code: if an organization in a blind spot of the company's security monitoring is infected, the infection could spread across the nationwide network with serious consequences.
MAIN ACTIVITIES
- We leased a dedicated APT solution suited to the customer's situation and, taking the customer's network configuration and circuit speed into account, connected it through a TAP on the headquarters backbone switch.
- The dedicated APT solution, positioned on the backbone network, collected all inbound and outbound packets for three weeks and ran the detection rules provided by its internal engine. Detections such as endpoints communicating with external C&C servers were then analyzed from several viewpoints to separate false positives from true detections of malicious code.
- To improve detection accuracy, we did not rely only on simple domain/URL matching but also detected DGA and fast-flux activity from DNS information.
- When a PC endpoint infected by an APT attack was identified, further spread of the infection was prevented by cutting off the identified C&C server with a DNS sinkhole and TCP connection blocking.
- The list of detected C&C servers was applied to the relevant security policies on blocking devices such as the network firewall and IPS.
- The APT detection results for the three weeks and the measures to be taken were summarized, and an APT diagnosis report was delivered covering the status of infected PCs, the detected C&C server addresses, and the detailed analysis results for the malicious code found.
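The DNS-based detection described above (DGA and fast-flux identification, then deriving the infected clients and the C&C list to feed the sinkhole and firewall) is illustrated by the following added example. It is not code from the original report or from the leased solution; the log format, the sample log lines, the scoring thresholds and the RPZ-style sinkhole output are all assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not real traffic). Assumed format:
# "<epoch> <client_ip> <qname> <rtype> <ttl> <answer>"
SAMPLE_DNS_LOG = """\
1400000001 10.20.1.15 www.example.com A 3600 93.184.216.34
1400000002 10.20.1.15 cdn.example.net A 300 203.0.113.10
1400000003 10.20.1.42 xk7qpz2vlw9tfj.info A 60 198.51.100.5
1400000004 10.20.1.42 q3lmvz8xwpkrtb.biz A 60 198.51.100.6
1400000005 10.20.1.42 mfz9kwpvqx4tlr.org A 60 198.51.100.7
1400000006 10.20.1.77 update.bad-flux.example A 30 192.0.2.11
1400000036 10.20.1.77 update.bad-flux.example A 30 192.0.2.52
1400000066 10.20.1.77 update.bad-flux.example A 30 192.0.2.93
1400000096 10.20.1.77 update.bad-flux.example A 30 192.0.2.134
1400000126 10.20.1.77 update.bad-flux.example A 30 192.0.2.175
1400000127 10.20.1.15 mail.example.com A 3600 93.184.216.35
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of the string."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_label(qname: str) -> str:
    """Label directly left of the TLD, e.g. 'bad-flux' for update.bad-flux.example."""
    labels = qname.rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_like_dga(label: str) -> bool:
    """Heuristic DGA test: long, high-entropy, vowel-poor label (assumed thresholds)."""
    if len(label) < 10:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return shannon_entropy(label) >= 3.2 and vowel_ratio < 0.25


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rtype, ttl, answer = line.split()
        records.append({"ts": int(ts), "client": client, "qname": qname.lower(),
                        "rtype": rtype, "ttl": int(ttl), "answer": answer})
    return records


def find_fast_flux(records, min_ips=4, max_ttl=300):
    """Names that resolve to many distinct A records with short TTLs (assumed thresholds)."""
    ips = defaultdict(set)
    min_ttl = {}
    for r in records:
        if r["rtype"] != "A":
            continue
        ips[r["qname"]].add(r["answer"])
        min_ttl[r["qname"]] = min(min_ttl.get(r["qname"], r["ttl"]), r["ttl"])
    return {q for q, s in ips.items() if len(s) >= min_ips and min_ttl[q] <= max_ttl}


def find_dga(records):
    return {r["qname"] for r in records if looks_like_dga(registered_label(r["qname"]))}


def analyze(text: str):
    """Flag suspicious names, then map them back to querying clients and resolved IPs."""
    records = parse_log(text)
    flagged = {q: "fast-flux" for q in find_fast_flux(records)}
    flagged.update({q: "dga" for q in find_dga(records)})
    clients = defaultdict(set)   # client IP -> flagged names it queried (sinkhole candidates)
    cc_ips = set()               # resolved answers for flagged names (firewall/IPS block list)
    for r in records:
        if r["qname"] in flagged:
            clients[r["client"]].add(r["qname"])
            cc_ips.add(r["answer"])
    return {"domains": flagged, "clients": dict(clients), "cc_ips": sorted(cc_ips)}


def sinkhole_rpz_records(domains, sinkhole="sinkhole.internal."):
    """RPZ-style zone lines redirecting flagged names to a sinkhole host (assumed format)."""
    return [f"{d} CNAME {sinkhole}" for d in sorted(domains)]


if __name__ == "__main__":
    result = analyze(SAMPLE_DNS_LOG)
    for name, reason in sorted(result["domains"].items()):
        print(f"{reason:10} {name}")
    print("suspect clients:", result["clients"])
    print("C&C IPs for firewall/IPS:", result["cc_ips"])
    print("\n".join(sinkhole_rpz_records(result["domains"])))
```

The heuristics deliberately separate the two signals: DGA names are judged from the label alone, fast-flux from the answer set over time, so a benign CDN with short TTLs but a stable IP pool and a readable name is not flagged. In practice the thresholds are tuned against the site's own baseline before any client is placed behind the sinkhole, which is the manual review step the report describes.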
PROJECT CSF
- Selection of an APT response solution with high accuracy that detects the various types of APT attack while minimizing false positives and missed detections
- Analysis of the solution's results by professional engineers, to overcome the limits of an automated solution and give a real, accurate picture of the APT exposure
- Where necessary, repetition of the exercise twice a year (first and second half)
MAIN ACTIVITY AND OUTPUT
The following is a list of deliverables by stage.
Steps | Key Activities | Work Output |
Identify the environment and install the solution | - Identification of network configuration and status - Installation of the APT-specific solution via TAP - Detailed execution plan | - Equipment installation plan - Execution plan |
APT Detection and Analysis | - Solution policy enforcement and testing - Solution operation and packet collection - Monitoring of detection policy and detection results | - |
Establish immediate action and improvement plan | - Detection of, and action on, PC endpoints confirmed to be infected | - APT Vulnerability Analysis Report |