The Korea Internet & Security Agency (KISA) — created in 2009 — is the Ministry of Science and ICT’s suborganization dealing with the allocation and maintenance of the Republic of Korea’s (Korea) Internet number resources, and the .kr country code top-level domain. It is also the parent organization for the Korea Computer Emergency Response Team Coordination Center (KrCERT/CC), the national CERT of Korea, and a leader in supporting emerging CERTs.
A strong link in the regional trust chain, KrCERT/CC works in cooperation with the government, ISPs, and information security companies to prevent the spread of cyber attacks and is a focal point of contact for Korea on international cybersecurity incident handling.
“In the past three years, there has been a paradigm shift of attacks in Korea,” says Jaeil Lee, Vice President at KISA and Chief of KrCERT/CC.
“Since 2015, Advanced Persistent Threat attacks, or APT attacks, have flourished. APT attacks usually exploit vulnerabilities of a certain document software that is used in Korean companies and organizations. APT attacks are a continuing issue.
“Secondly, the ‘Supply Chain’ attack has emerged. An attacker invades a software company’s internal environment and distributes malware. Figuring out when this type of attack starts and ends is challenging because it is conducted at the development stage of a software build.
“Lastly, there have been ransomware attacks and attacks targeting cryptocurrency exchanges for financial purposes. Ransomware is malware where a hacker demands a ransom from victims to restore important data. This is increasing as cryptocurrency becomes more popular globally. A hacker steals a cryptocurrency wallet and then exchanges the cryptocurrency into cash.”
In the past five years, in order to prevent and respond promptly to incidents, KrCERT/CC has strengthened its incident response framework, enabling 24/7/365 monitoring, detection, analysis and response. It has also created valuable threat intelligence through the use of intelligent information technology such as AI and big data.
“In 2006, the personal data exposure of a major domestic e-commerce company, Interpark, was a big issue in Korea. KrCERT/CC played an important role in identifying a possible route to invade as part of an incident analysis.”
KrCERT/CC also runs public cybersecurity awareness campaigns, and publishes guidelines on current security threats, as well as providing services to small and medium-sized companies to help improve their information security capabilities. KrCERT/CC provides a Distributed Denial of Service (DDoS) shelter system and tools for web security.
“Public awareness of information security is gaining momentum. In 2017, in the wake of the WannaCry ransomware attack, KrCERT/CC promptly responded to combat the spread of harm. Worldwide, 150 economies experienced harm; however, there were only 21 organizations harmed in Korea, partly because of proactive publicity.”
And KrCERT/CC's collaboration in cyber incident handling isn’t limited by its borders; it works closely with Japan, China and other economies as needed, with global cybersecurity vendors, and at a regional level through the Asia Pacific Computer Emergency Response Team (APCERT). Through APCERT, KrCERT/CC and other CERTs can obtain Point of Contact (PoC) information for prompt cybersecurity incident handling and share information such as major incidents and vulnerabilities. KrCERT/CC also cooperates and broadens its network with CERTs across the world through international organizations like the Forum of Incident Response and Security Teams (FIRST).
But perhaps some of its most valuable work has been in training national CERTs from around the world.
“The Republic of Korea has been targeted by many types of cyber-attacks and we have the accumulated know-how. We happily share our experiences and knowledge to increase cybersecurity capacity in the Asia Pacific region”, says Jaeil.
“For more than ten years KrCERT/CC has held an annual workshop (called APISC) to provide cyber incident response training to strengthen our counterparts’ knowledge of information security, focusing on CERT operations.”
Initially only open to national CERTs in the Asia Pacific region, it is now open to CERTs in Africa, South America and Europe.
“For any economy that would like to establish a CERT, we can invite them and provide access to our capacity-building program.”
Despite all of this progress, KrCERT/CC is not resting on its laurels.
“In line with the convergent ICT environment such as IoT and AI, KrCERT/CC has established a new unit to work specifically on convergent security. With both political and technical support, this unit will enhance the cybersecurity environment across all sectors.
“It also plans to establish a new incident analysis environment, including smart car and medical care capabilities, and development of a vulnerability inspection system,” says Jaeil.
“Last but not least, KrCERT/CC is planning to adopt intelligent information technology, based on an existing big data centre and incident analysis AI system. In doing so, KrCERT/CC will be equipped with advanced capability to deal with new cybersecurity threats.”
See KrCERT/CC present at the Cooperating To Contain Security Threats session at APRICOT 2019 on Tuesday, 26 February.