How to organize a national cybersecurity drill

By Min Sung Jung on 28 Mar 2017

Category: Tech matters

Prime Minister of the Republic of Korea, Hwang Kyo-ahn, visits KISA in 2016. Image Credit: KISA

For over 12 years, Korea's Computer Emergency Response Team and Coordination Centre (KrCERT/CC) has organized and run national cybersecurity drills, both to test the participating enterprises for security vulnerabilities and to build stakeholders' capacity to respond to security threats.

The first drill was conducted in 2004, in response to the previous year's SQL Slammer worm outbreak, and the programme has continually evolved to include new participants.

The Korea Internet & Security Agency (KISA), of which KrCERT/CC is a division, plays an important role in coordinating the participants, who include ISPs, anti-virus companies, video game developers, financial operators, hosting providers and defence officials.

Since 2013, the drills have focused on three main scenarios: advanced persistent threats (APTs), Distributed Denial of Service (DDoS) attacks, and penetration testing.

APT drills

An APT is a network attack in which an unauthorized party gains access to a network and remains there undetected for a long period of time. An APT drill is composed of seven incident-handling steps:

  1. The drill Excon (exercise control, run by KrCERT/CC) sends a weekly spear-phishing email to employees of the participating enterprises.
  2. The participating enterprises report the spear-phishing attack to the Excon as soon as it is detected.
  3. The Excon provides a malware analysis report and asks each enterprise for appropriate countermeasures.
  4. The enterprises report the mitigation measures they have taken.
  5. The Excon asks the anti-virus companies to update their products to detect the sample.
  6. The anti-virus companies develop the updates and report back.
  7. The Excon asks the ISPs to block the corresponding command-and-control (C2) servers.
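The Excon side of steps 1, 2, 5 and 7 is mostly bookkeeping: which employee received which email, who reported it and how fast, and which indicators from the analysis report go to the anti-virus vendors and which to the ISPs. The following is an added example of that bookkeeping, not KrCERT/CC's own tooling. It assumes the Excon embeds a per-recipient keyed token in each drill email (for instance in an X-Drill-Token header), that enterprises quote that token when they report, and that the report's indicators are plain hashes and hostnames or IP addresses; the drill ID, addresses, times and indicators are constructed.

```python
"""Excon-side bookkeeping for the spear-phishing steps of an APT drill.

Added example, not KrCERT/CC's tooling. Assumes a per-recipient HMAC token
rides in each drill email and is quoted back in the enterprise's report.
"""
from __future__ import annotations

import hashlib
import hmac
import re
from datetime import datetime

# Constructed per-drill secret held only by the Excon. Because the token is
# keyed, a participant cannot fabricate a report for an email it never got.
DRILL_SECRET = b"constructed-excon-secret-2016"

HASH_RE = re.compile(r"(?i)^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def tracking_token(drill_id: str, recipient: str) -> str:
    """Per-recipient token the Excon embeds in the drill email."""
    msg = f"{drill_id}:{recipient.lower()}".encode()
    return hmac.new(DRILL_SECRET, msg, hashlib.sha256).hexdigest()[:16]


def send_wave(drill_id: str, recipients: list[str], sent_at: datetime) -> dict[str, dict]:
    """Record one weekly phishing wave (step 1). Returns token -> delivery record."""
    return {
        tracking_token(drill_id, r): {"drill": drill_id, "to": r, "sent_at": sent_at}
        for r in recipients
    }


def score_reports(wave: dict[str, dict], reports: list[dict]) -> dict:
    """Match enterprise reports (step 2) to the wave.

    Each report is {"token", "enterprise", "reported_at", "iocs"}. Returns the
    fastest delivery-to-report time in minutes per recipient, recipients who
    never reported, tokens that match no delivery, and the merged IOC set.
    """
    out = {"reported": {}, "unreported": [], "unknown": [], "iocs": set()}
    for rep in reports:
        rec = wave.get(rep["token"])
        if rec is None:  # not a token issued in this wave
            out["unknown"].append(rep["token"])
            continue
        minutes = round((rep["reported_at"] - rec["sent_at"]).total_seconds() / 60, 1)
        best = out["reported"].get(rec["to"])
        if best is None or minutes < best:
            out["reported"][rec["to"]] = minutes
        out["iocs"].update(rep.get("iocs", []))
    out["unreported"] = sorted(r["to"] for r in wave.values() if r["to"] not in out["reported"])
    return out


def build_requests(iocs: set[str]) -> dict[str, list[str]]:
    """Split IOCs: sample hashes go to AV vendors (step 5), C2 hosts to ISPs (step 7)."""
    av = [i for i in sorted(iocs) if HASH_RE.match(i)]
    isp = [i for i in sorted(iocs) if not HASH_RE.match(i)]
    return {"av_update": av, "isp_block": isp}


def run_demo() -> tuple[dict, dict]:
    """Constructed wave and reports: one fast report, one slow, one missing, one bogus token."""
    drill = "2016-W40"
    t0 = datetime(2016, 10, 3, 9, 0)
    wave = send_wave(drill, ["alice@corp-a.example", "bob@corp-b.example", "carol@corp-c.example"], t0)
    reports = [
        {"token": tracking_token(drill, "alice@corp-a.example"), "enterprise": "corp-a",
         "reported_at": datetime(2016, 10, 3, 9, 42),
         "iocs": ["c2.example.net", "203.0.113.7", "a3f1" * 8]},
        {"token": tracking_token(drill, "bob@corp-b.example"), "enterprise": "corp-b",
         "reported_at": datetime(2016, 10, 3, 13, 15), "iocs": ["c2.example.net"]},
        {"token": "deadbeefdeadbeef", "enterprise": "corp-x",
         "reported_at": datetime(2016, 10, 3, 10, 0), "iocs": []},
    ]
    score = score_reports(wave, reports)
    return score, build_requests(score["iocs"])


if __name__ == "__main__":
    score, requests = run_demo()
    print(score)
    print(requests)
```

The keyed token matters more than it looks: without it, an enterprise that hears about the wave from a neighbour can file a report for an email its own staff never noticed, which defeats the point of scoring detection time. The IOC split is deliberately dumb (hash versus everything else); a real Excon would also validate hostnames and addresses before asking an ISP to block them.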

DDoS drills

DDoS drills follow a similar process to APT drills and are used to review participants' incident-handling processes when a massive, complex DDoS attack occurs.

  1. The Excon generates a DDoS attack of up to 15 Gbps against each enterprise's virtual server.
  2. The enterprises report the attacks as soon as they detect them.
  3. The Excon refers the enterprises to KISA's DDoS Shelter Service.
  4. Meanwhile, the Excon asks the ISPs to block the IP addresses of the DDoS botnet.
  5. The ISPs report the results of the mitigation and blocking back to the Excon.
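Steps 2 and 4 come down to two pieces of logic on the enterprise and ISP side: noticing that the inbound rate to the target has crossed a threshold, and turning the attacking sources into something an ISP can actually block. The following is an added example of both, not KISA's or any ISP's tooling. The flow records are constructed and scaled down from the drill's 15 Gbps, the target address is made up, and the rule of collapsing many attacking hosts in one /24 into a prefix block is an assumption, not a KISA procedure.

```python
"""Detect a volumetric DDoS in flow data and derive an ISP block list.

Added example, not KISA's or an ISP's tooling. Flow records are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

TARGET = "192.0.2.10"  # constructed: the enterprise's drill virtual server


def constructed_flows() -> list[tuple[int, str, str, int]]:
    """(second, src, dst, bytes): one legitimate client throughout, bots join in seconds 1-2."""
    flows = [(s, "203.0.113.5", TARGET, 50_000) for s in range(3)]
    for s in (1, 2):
        for host in range(1, 21):  # 20 bots inside one /24
            flows.append((s, f"198.51.100.{host}", TARGET, 10_000_000))
        flows.append((s, "203.0.113.77", TARGET, 10_000_000))  # lone bot next to the legit client
    return flows


def bits_per_second(flows, dst: str) -> dict[int, int]:
    """Aggregate inbound bits per one-second bucket for one destination."""
    per_sec: dict[int, int] = defaultdict(int)
    for sec, _src, d, nbytes in flows:
        if d == dst:
            per_sec[sec] += nbytes * 8
    return dict(per_sec)


def detect(flows, dst: str, threshold_bps: int) -> dict:
    """Seconds in which the target's inbound rate exceeded the threshold, plus the peak rate."""
    rate = bits_per_second(flows, dst)
    over = sorted(s for s, bps in rate.items() if bps > threshold_bps)
    return {"seconds_over": over, "peak_bps": max(rate.values(), default=0)}


def attack_sources(flows, dst: str, seconds: list[int], min_share: float = 0.001) -> list[str]:
    """Sources that sent at least min_share of the bytes during the attack seconds.

    The share floor keeps a low-volume legitimate client out of the block list.
    """
    secs = set(seconds)
    by_src: dict[str, int] = defaultdict(int)
    for sec, src, d, nbytes in flows:
        if d == dst and sec in secs:
            by_src[src] += nbytes
    total = sum(by_src.values())
    return sorted(s for s, b in by_src.items() if total and b / total >= min_share)


def block_prefixes(sources: list[str], min_hosts_per_24: int = 8) -> list[str]:
    """Turn attacker IPs into a block list an ISP can apply.

    A /24 with many attacking hosts is blocked as one prefix (assumed rule of
    thumb); otherwise each host gets a /32 so its neighbours keep working.
    """
    by_net: dict[ipaddress.IPv4Network, list[str]] = defaultdict(list)
    for s in sources:
        by_net[ipaddress.ip_network(f"{s}/24", strict=False)].append(s)
    rules: list[str] = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts_per_24:
            rules.append(str(net))
        else:
            rules.extend(f"{h}/32" for h in hosts)
    return sorted(rules, key=lambda r: ipaddress.ip_network(r))


def run_demo(threshold_bps: int = 1_000_000_000) -> dict:
    flows = constructed_flows()
    d = detect(flows, TARGET, threshold_bps)
    srcs = attack_sources(flows, TARGET, d["seconds_over"])
    return {**d, "sources": srcs, "block": block_prefixes(srcs)}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner would raise here. First, a block list keyed on source addresses only helps when the sources are real; amplification and other spoofed-source floods need upstream filtering or a scrubbing service, which is what step 3's referral to the DDoS Shelter Service is for. Second, the /24 collapse trades collateral damage for rule count, which is why the lone bot at 203.0.113.77 gets a /32 rather than taking the legitimate client at 203.0.113.5 down with it.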

Penetration testing drills

Penetration testing drills are simpler than the previous two. White-hat hackers from the Excon perform penetration tests against the enterprises' public-facing web services. Any vulnerabilities they find are passed to the Excon, which forwards them to the enterprise so that it can patch them.

What’s involved in organizing scenarios/drills?

In the beginning, I was the sole person in charge of developing and running the scenario drills for every drill season. I'm still the only architect, but I now have two colleagues who help with building the virtual servers with built-in vulnerabilities.

To develop scenarios, I examine current cybersecurity trends in Korea and focus on the concepts behind the most recent incidents. I then discuss our ideas with my colleagues and bosses and present a near-final scenario to potential participants to get their feedback. If any brilliant comments come up during this presentation, we apply them to our drill scenario.

The whole process can take up to three months.

Coordinating drills in response to national incidents

In 2016, for the first time, KrCERT/CC ran four national cybersecurity drills, each designed for a different set of participants.

In the first drill, simulated hackers from the Democratic People's Republic of Korea targeted participating government officials with APT attacks built around HWP (Hangul Word Processor) decoy documents, the document format preferred by the South Korean government.

IT firms, system integration (SI) firms, the defence industry and banks were the targets of the second drill, in which the simulated attackers used documents carrying malicious macros as part of their APT attack.

In August, Korean government agencies took part in the annual Ulchi-Freedom Guardian military exercise held between South Korea and the United States. The exercise, which has run since 1976, is the world's largest computerized command-and-control exercise and focuses mainly on defending South Korea from a North Korean attack.

And finally, in November, we ran a full scenario-based drill combining the attacks mentioned above with ransomware and man-in-the-middle attacks. The participating enterprises played the role of the network operator of a shopping mall website. In the scenario, the attacker exploited a file upload vulnerability to implant malicious code on the customer Q&A board. Once the attacker had seized an administrator's account credentials, they moved laterally by sending spear-phishing emails to the other administrators. The Excon evaluated how each enterprise responded to the attacks, assessing participants on their response time and their means of mitigation.
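The file upload weakness that opens the November scenario is also the kind of finding a white-hat tester in the penetration testing drill would hand back to an enterprise. Below is an added example, not code from KISA's drill servers, of the weak handler beside a hardened one: the weak version trusts the client's filename and stores the file under the web root, so a name like `shell.jsp` or `../../x` does exactly what the scenario needs; the hardened version checks the extension against an allow-list, checks that the content actually starts like that file type, and replaces the client's name with a server-chosen random one in a directory the web server never executes. The paths, the allow-list and the magic bytes are constructed, and size limits and rate limiting are left out.

```python
"""A deliberately weak upload handler beside a hardened one.

Added example, not KISA's drill-server code. Paths and allow-list are constructed.
"""
from __future__ import annotations

import os
import secrets

# Weak layout: files land under the web root, where the server executes scripts.
WEB_ROOT_UPLOADS = "/var/www/html/qna/uploads"
# Hardened layout: a directory the web server never executes or serves directly.
PRIVATE_UPLOADS = "/srv/qna-uploads"

# Extension -> leading bytes a genuine file of that type starts with.
ALLOWED = {"png": b"\x89PNG\r\n\x1a\n", "jpg": b"\xff\xd8\xff", "pdf": b"%PDF-"}


class UploadRejected(ValueError):
    """Raised by the hardened handler for anything it will not store."""


def vulnerable_destination(filename: str, root: str = WEB_ROOT_UPLOADS) -> str:
    """The drill server's built-in weakness: trusts the client-supplied name.

    'shell.jsp' becomes a script the server will execute on request, and
    '../../x' escapes the upload directory. normpath shows where the file
    really lands once the filesystem resolves the '..' components.
    """
    return os.path.normpath(os.path.join(root, filename))


def hardened_destination(filename: str, data: bytes, root: str = PRIVATE_UPLOADS) -> str:
    """Validate type by extension and by content, then discard the client's name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED:  # last extension decides, so 'a.png.jsp' is 'jsp'
        raise UploadRejected(f"extension {ext!r} not allowed")
    if not data.startswith(ALLOWED[ext]):
        raise UploadRejected("content does not match extension")
    # Server-chosen random name: no traversal, no double extensions, no
    # collisions, and no URL the attacker can predict and request later.
    name = f"{secrets.token_hex(16)}.{ext}"
    root_real = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(root_real, name))
    if os.path.commonpath([root_real, dest]) != root_real:  # defence in depth
        raise UploadRejected("path escapes upload root")
    return dest


def accepts(filename: str, data: bytes) -> bool:
    """True if the hardened handler would store this upload."""
    try:
        hardened_destination(filename, data)
        return True
    except UploadRejected:
        return False


if __name__ == "__main__":
    png = ALLOWED["png"] + b"\x00" * 16
    print("weak:", vulnerable_destination("../../shell.jsp"))
    print("hardened:", hardened_destination("photo.png", png))
    print("accepts shell.jsp:", accepts("shell.jsp", b"<% %>"))
```

The content check is necessary but not sufficient on its own: a file that starts with valid PNG bytes can still carry a script payload, which is why the hardened handler also refuses to keep the client's name and never stores the file where the web server would interpret it. Serving the stored file back should go through an application handler that sets the content type and a `Content-Disposition: attachment` header, rather than a direct path under the document root.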

About KISA

KISA was established in 2009 as an affiliated organization of the Ministry of Science, ICT and Future Planning (MSIP), one of the main government ministries in Korea. Its role is to prevent and respond to cyber threats in the private sector, in cooperation with key stakeholders such as other government agencies, ISPs, anti-virus companies and international organizations.

KrCERT/CC is the part of KISA that responds to cyber incidents and analyzes emerging cyber threats.

Min Sung Jung is a cybersecurity researcher at KISA and organizer of Korea’s national cybersecurity drills.
