PRACTICAL WORKFLOW FOR AUTOMATION AND ORCHESTRATION OF ADDRESSING CYBER. THREAT: CASE STUDY OF MIRAI BOTNET IN MALAYSIA

No ratings

Presented at First 2017 by

Megat Mutalib

Megat Muazzam Abdul Mutalib is Head of the Malaysia Cyber Emergency Response Team or in short, MyCERT – a department within CyberSecurity Malaysia. He is responsible in Cyber999 Incident Handling and Emergency Response daily operation, which primarily focuses on incident alert or threat issue, related to Malaysia constituency and the Malware Research Centre. He has various experiences in IT security field such as network security, penetration testing, web security, malware research and honeypot technology. He is recognised for his capability of conducting numerous training and talks for various organisations locally and internationally on topics ranging from introduction to advanced security courses. He holds a Degree in Computer Science from University Putra Malaysia (UPM) and has wide experience in IT Security for more than 10 years. Actively involves in Cyber Early Warning System project, focusing in the areas of perimeter defense, detection and intrusion analysis. He is the GIAC Certified Intrusion Analyst (GCIA) and Certified Penetraton Tester (GPEN). The ever-increasing scale, complexity and globalization of cyber attacks require quick detection and eradication of the attacks based on how the information is disseminated across CSIRTS and PSIRTs globally. Having structured information that can be delivered in quick manner is important for quick eradication and mitigation of cyber attacks. In this way it saves time and effort in incident response and post-mortem analysis. Traditional way of delivering threat intelligent information has limitations that effects the quick response of incidents that may consequently affect immediate preventions of attacks at global. Thus, the need for automation and orchestration of Threat Intelligent Information is critical for quick remediation and eradication of large-scale attacks, at global level, which will be presented in our presentation. The key points to highlight in this presentation are: The important roles of CSIRTs and PSIRTs in eradicating and mitigating large-scale cyber attacks on a global level. Share our workflow that illustrates how Threat Intelligent Information is delivered with automation and orchestration for quick and efficient Incident Response. Share our in-house developed tools and applications that we used for automation and orchestration of Threat Intelligent Information delivery for effective mitigation of large-scale global cyber attacks. Another important factor to address cyber threats on how we use Threat Intelligent Information process to secure our own environment through various blocking, filtering as well as creating a repository of knowledge base index for research analysis and future reference and as a mean to increase our preparedness in facing new and large-scale cyber attacks. Share the work taken by us to further study the behavioral and anatomy of an incident so as to propagate and reduce the effect of similar type of incident in the future. To prove that the workflow has worked for us, we will highlight a case study on successful Mirai eradication activities in using automation and orchestration of Threat Intelligent Information. This includes how MyCERT received the Threat Intelligent Information on Mirai botnet infected IPs in Malaysia, identification of the infected devices in our constituency until successful takedown of the botnets in Malaysia, which in overall helped to mitigate Mirai botnet infection at the global level. The presentation hopes to give new insights into the automation and orchestration of Threat Intelligent Information for a comprehensive and global mitigation of new and large-scale cyber attacks.