Date post: | 15-May-2018 |
Upload: | trinhtuyen |
CONFIDENTIAL & PROPRIETARY: All materials contained in this document cannot be reproduced in whole or in part, distributed, published or shared with any other third parties (except to the extent necessary solely for the purpose of receiving legal, accounting or other professional advice) without the prior written consent of KDDI, Inc.
Workshop on “India’s 5G Vision: 2020” jointly with
Twentieth GISFI Standardization Series Meeting (GSSM)
“Collaboration on Cyber Security”
Detailed Results
Security Operations Center, KDDI Corporation, Japan
Takemasa Kamatani
2015/3/14
activities toward the next GSFI meeting
1. PRACTICE project overview
2. Cyber attacks recently monitored by PRACTICE system
3. Activities and outcomes of the PRACTICE project
3/21/2015
Overview of the PRACTICE Project
Sensor
Honey Pot
Infected host
Cyber-attacks
Collaborating Partners (outside of Japan)
Japan
Cyber-attack data
We’re trying to build a world-wide threat monitoring system in collaboration with our partners outside of Japan.
○Goal : The final goal is to proactively protect users from malware infection and malicious activities in cyberspace, and to reduce the damage.
○Outline : In cooperation with ISPs, universities and security organizations, we’re trying to implement research and practical development of cyber-security technologies which enable early detection of cyber-attacks.
Malware
・Sharing of cyber-attack and malware information
・Collaboration on implementing and improving the ability to respond quickly
・Development of countermeasures against cyber-attacks
Collaboration with India
Oct 3, 2013 Japan-India ICT Public-Private Partnership Dialogue
Aug 22, 2014
Sensor implementation at NEC India (Chennai) and started cyber-attacks data sharing
Sep 1, 2014
Brainstorming Workshop on 5G Standardization: WISDOM
Mar 13, 2015 This meeting (second joint-workshop of GISFI & PRACTICE)
Implementing Organizations
• Institute of Systems, Information Technologies and Nanotechnologies
• Japan Datacom Co., Ltd.
• KDDI R&D Laboratories
• SecureBrain Corporation
• Yokohama National University
Supporting Organization
- Technical support based on NICT’s excellent expertise
- NICT provides darknet sensor
- Providing captured data and the results of analysis by NICT
Research and practical development of technologies which investigate symptoms of cyber attacks.
Demonstration test of developed technologies toward quick and proactive response based on the cooperation among ISPs.
Visualization of cyber-attacks
Partner countries
Data & Alert
Data & expertise
Data & analysis results
Organization
- MIC organizes PRACTICE, which has Implementing Organizations and a Supporting Organization.
- The Implementing Organizations are an ISP association (i.e. Telecom ISAC Japan) and related companies as the “field trial” part, and research institutes or security-related companies as the “R&D” part.
Methods of cyber-attacks Types of cyber-attacks
Malware DDoS attack
Large scale of spam
Information leakage
Targeted attack
phishing
Malware/ Social Engineering
Social engineering
Botnet (C&C, P2P)
Worm diffusion
Web defacement (malware distribution site)
Malware attached E-mail
Induction to the malware distribution sites via e-mail or SNS
Web defacement hacking
ISP’s facilities ISP customers
Objects that should be protected by ISP
This project is focused on cyber attacks caused by malware that have significant impact on ISP services.
Project Scope
1. PRACTICE project overview
2. Cyber attacks recently monitored by PRACTICE system
3. Activities and outcomes of the PRACTICE project
The Japanese government web site “japan.kantei.go.jp”, which introduces the activities of the Prime Minister of Japan and his Cabinet, was attacked on January 2, 2015.
The PRACTICE team was able to monitor these attacks and issue alerts using its own DRDoS attack monitoring system, named “DRDoS Honeypot”.
Network Information:
a. [Network Number] 202.32.211.128/25
b. [Network Name] KANTEI25
g. [Organization] Cabinet Secretariat
m.[Administrative Contact] ST10240JP
n.[Technical Contact] ST10240JP
p.[Nameserver]
[Assigned Date] 2013/06/25
[Return Date]
[Last Update] 2013/06/25 12:08:04(JST)
http://japan.kantei.go.jp/
DDoS attacks against Japanese Government web site (1)
【detect time】 during January 2, 19:00:42-20:00:45 (1hour)
【monitoring system】 DRDoS Honeypots
【types of attack】 NTP Amp attack
【target】 202.32.211.142/port80 (Kantei Web site http://japan.kantei.go.jp)
Time-series data (pps) against targeted host
NTP Amp attacks of approximately 1,000 pps were monitored by our DRDoS Honeypots.
DDoS attacks against Japanese Government web site (2)
PRACTICE project activities summary
Many network security researchers say that quite a few network protocols are used to carry out DDoS attacks. A huge number of forwarders that expose open services for the network protocols listed below exist on the Internet. DoS attackers use these forwarders to carry out DRDoS attacks.
DRDoS attacks infrastructure
Christian Rossow: Amplification Hell: Revisiting Network Protocols for DDoS Abuse, NDSS2014
There are currently many open SSDP services provided by PCs or servers on the Internet in Japan, as shown in the figure below.
These PCs or servers can become forwarders for DRDoS attacks. This situation is serious for ISPs in Japan.
We have already finished configuring our DRDoS Honeypot to monitor this type of attack. The SSDP Amp attack alert service started on February 19, 2015.
Open Simple Service Discovery Protocol (SSDP) Scanning Project https://ssdpscan.shadowserver.org/
Open SSDP service on the internet
【detect time】 during Feb 23, 21:17:54-22:49:03 (1.5hour)
【monitoring system】 DRDoS Honeypots
【types of attack】 SSDP Amp attack
【target】 203.153.47.251 (National Informatics Centre(R12-AFIN), DNS server)
SSDP Amp attacks of approximately more than 1,00pps, lasting 1.5 hours, were monitored by our DRDoS Honeypots.
DDoS attacks against Indian governmental DNS server
The Japanese cyber security forces of the Metropolitan Police Department report that the economic damage caused by financial malware targeting online banking services keeps rising. It reached 1,100 million yen by the end of 2013.
We’re trying to reduce this growing economic damage by putting our countermeasure techniques into practice and responding to these types of attacks at a very early stage.
Economic damage of financial malware in Japan
phishing malware
Year: 2011; Targets: 56 banks; Number of incidents: 165; Damage cost: 300 million yen
Year: 2013; Targets: 25 banks; Number of incidents: 1,125; Damage cost: 1,100 million yen
Updates of configuration information have been confirmed through long-term monitoring and analysis of the financial malware named VAWTRAK → we’re preparing to send alerts for these types of updates
Date: Topics (updated information)
July, 2014: Started monitoring & analyzing VAWTRAK malware
July 15: Configuration information used to target 20 Japanese credit card corporations
July 18: Configuration information used to target 11 domestic regional banks
July 29, 31: Information that invalidates the functions of anti-unauthorized-remittance software
Aug 13: Update of the domain names of the external hosts with which this malware communicates
Aug 13: Deletion of attack information for the targeted domestic credit card corporations (banks remain under attack)
Sep 19: Configuration information used to target Yahoo auction and large online shopping sites
Financial malware activities monitored by PRACTICE
1. PRACTICE project overview
2. Cyber attacks recently monitored by PRACTICE system
3. Activities and outcomes of the PRACTICE project
DRDoS attacks detection
Email alerts Victim host’s IP Detected time
Protocol Domain name
・・・ Network operators
DDoS attackers Reflectors
Victim host
DDoS counter measure system
Backbone
DRDoS Honeypot
Counter measuring against DDoS attacks
・DRDoS attack detection by utilizing DRDoS Honeypots
・DRDoS Honeypots are implemented as forwarders to get early information
・Operators are notified with early alerts of DRDoS attacks
⇒ 86% of alerts were notified earlier than existing systems
DRDoS Honeypots (alerting system)
Early alerts for ISP operators (2014/10 ~) DRDoS attacks start time & end time notification
DRDoS attacks detection notification
This e-mail is a notification of a DRDoS attack to the victim host in your country.
[Victim host IP] XXX.XXX.XXX.XXX
[detection time] 2014-11-13 23:57:37
[protocol] DNS : port 53
[Detail data]
AS number : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(max) : 2.2
pps(average) : 1.1416666666666666
[domain name] "wradish.com ANY IN":137
DRDoS attacks end time notification
This e-mail is tells you termination of a previously notified DRDoS attack to the victim host in your country.
[Victim host IP] XXX.XXX.XXX.XXX
[end time] 2014-11-13 23:57:37
[protocol] DNS : port 53
[Detail data]
AS number : "AS2516 KDDI KDDI CORPORATION"
country : "Japan"
pps(max) : 2.2
pps(average) : 1.1416666666666666
[domain name] "wradish.com ANY IN":137
DRDoS attack e-mail alert example
We evaluated how well this DRDoS Honeypot system detects real DRDoS attacks. The honeypot detected real DRDoS attacks with more than 56 percent accuracy. More than 86% of real DRDoS attacks were detected earlier than by the existing DoS attack detection system.
Results (Aug – Dec 2014, 4 months)
P2P network on the internet
Long-term analysis of malware activities
Sandbox
malicious traffic
Zero Access
Plug-in (DLL)
Other malware
Internet
Malware samples
Collect & analyze
• Capturing malware samples
• We use a (server/client) type honeypot
• Carry out long-term malware analysis in our sandbox, which is connected to the Internet
• Parallel execution of approximately 100 sandboxes on a single HW
• P2P type malware, financial malware, botnet type malware
• Issue early alerts that help quick response against cyber-attacks originating from the same types of malware as those in the sandbox
Honeypot
Malware analysis using sandbox (P2P)
Malware detail analysis using sandboxes
The financial malware growing in Japan is a newer type that tries to bypass security technologies. Quite a few financial malware families use the MITB (man-in-the-browser) method to steal money from online banking customers.
This type of financial malware usually communicates with several kinds of malicious servers on the Internet (see the VAWTRAK case below).
C&C servers
Distribute configuration information to infected hosts as follows:
• URLs of targeted financial organizations
• Malicious scripts that are activated when online banking customers access the above URLs
Manipulation servers
Distribute the following information to infected hosts:
• JavaScript
• Payee's account information to be used to gain unauthorized remittance
Collect the following information:
• Information associated with financial transactions
What is a financial malware?
Behavior of the financial malware
Updates of configuration information have been confirmed through long-term monitoring and analysis of the financial malware named VAWTRAK → we’re preparing to send alerts for these types of updates
Date: Topics (updated information)
July, 2014: Started monitoring & analyzing VAWTRAK malware
July 15: Configuration information used to target 20 Japanese credit card corporations
July 18: Configuration information used to target 11 domestic regional banks
July 29, 31: Information that invalidates the functions of anti-unauthorized-remittance software
Aug 13: Update of the domain names of the external hosts with which this malware communicates
Aug 13: Deletion of attack information for the targeted domestic credit card corporations (banks remain under attack)
Sep 19: Configuration information used to target Yahoo auction and large online shopping sites
Alert
Alert
Alert
Alert
Financial malware activities monitored by PRACTICE
Alerts from malware analysis (draft)
Basic data to be shared with our collaborative partner's country:
1) Cyber attack information captured in Japan by LEU located in Japan (/20 network)
2) Cyber attack information captured in our partner’s country
Results of analysis can also be shared with our collaborative partner's country:
3) Symptoms of attack behavior
4) Attack similarity and specificity
■UDP ■TCP SYN ■TCP SYN/ACK ■TCP Other ■ICMP
Information is visualized by means of the tool developed by NICT. Using this information, cyber-attack behaviors (mainly scans) against Japan can be observed. Each country can compare the attack trend with that of its own country (see 2) below).
Cyber-attack information targeting your own country is visualized by means of the tool developed by NICT, based on the data captured from darknet space in your country.
Based on data mining and other analysis methods, you will receive symptoms of cyber-attacks, which are the very early stage of attack behavior. For example, you will be informed that “a new type of scan is being observed in a synchronized manner among several sensors”.
Based on several analysis engines, your country can grasp similar attack behaviors observed by many sensors located all over the world. This information can be shared among all our collaborative partners, so your country can be aware of this similar propagation of attacks and respond proactively. On the other hand, attack behavior specific to your country can also be reported. In this case, your country will be required to take a special measure against the specific attack observed only in your country (this is shared only with your country).
Outcomes from darknet analysis
Detail results of analysis
In 2014, there were many vulnerabilities related to specific software and port numbers (Heartbleed, Shellshock, etc.).
By means of international darknet monitoring, we found specific port scanning behavior increasing simultaneously in many countries.
This part shows a method that detects such scans with simple analysis.
How to detect the specific port scan behavior
The method is carried out in the following steps:
1. Compared with the number of attacks on a port one month ago, the method detects a 10-fold increase in attacks on that port for each country and then issues a country-level alert.
2. If the same country-level alert is issued from 3 or more countries, a global alert is issued.
Country-level alert
We defined Amp_Rate to evaluate the increase in scanning hosts.
Amp_Rate is calculated for each destination port and protocol:
Amp_Rate = (number of unique IP addresses that scan the same port in 24h) / (average number of unique IP addresses per day that scanned the same port between 24 – 30 days ago)
If an Amp_Rate reaches 10, a country-level alert is issued.
Global alert
If country-level alerts are issued on the same port from 3 or more countries in 7 days, a global alert is issued.
In the current implementation, the system processes darknet traffic every 1 minute and issues only 1 alert per day on each port.
Example:
t
Country A
Country B
Country C
Global Alert
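The two-step method on these slides (country-level Amp_Rate alert, then global alert), written out as an added example; it is not code from the presentation or from the PRACTICE system. The record layout, the inclusive reading of "24 – 30 days ago" and "in 7 days", the floor of 1 on the baseline, and evaluating once per day instead of every minute are assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from datetime import date, timedelta

AMP_THRESHOLD = 10                 # slides: country-level alert when Amp_Rate reaches 10
MIN_COUNTRIES = 3                  # slides: global alert needs 3 or more countries
GLOBAL_WINDOW_DAYS = 7             # slides: ... on the same port in 7 days
BASELINE_OFFSETS = range(24, 31)   # assumption: "24 - 30 days ago", inclusive


def amp_rate(daily_ips, day):
    """Amp_Rate for one (country, proto, port); daily_ips maps date -> set of source IPs."""
    today = len(daily_ips.get(day, ()))
    base = [len(daily_ips.get(day - timedelta(days=o), ())) for o in BASELINE_OFFSETS]
    average = sum(base) / len(base)
    # Assumption: floor the baseline at 1 host/day so a silent port cannot divide by zero.
    return today / max(average, 1.0)


def country_alerts(records, days):
    """records: (day, country, proto, dport, src_ip). At most one alert per country/port/day."""
    seen = defaultdict(lambda: defaultdict(set))
    for day, country, proto, port, ip in records:
        seen[(country, proto, port)][day].add(ip)      # unique scanners per day
    alerts = []
    for day in days:
        for key in sorted(seen):
            rate = amp_rate(seen[key], day)
            if rate >= AMP_THRESHOLD:
                alerts.append((day, *key, rate))
    return alerts


def global_alerts(alerts):
    """Global alert when >= 3 countries alerted on the same port inside a 7-day window."""
    by_port = defaultdict(list)
    for day, country, proto, port, _rate in alerts:
        by_port[(proto, port)].append((day, country))
    out = []
    for (proto, port), hits in sorted(by_port.items()):
        for end in sorted({d for d, _ in hits}):       # one decision per day and port
            start = end - timedelta(days=GLOBAL_WINDOW_DAYS - 1)
            countries = sorted({c for d, c in hits if start <= d <= end})
            if len(countries) >= MIN_COUNTRIES:
                out.append((end, proto, port, countries))
    return out


def build_sample():
    """Constructed darknet records using documentation address ranges."""
    d0 = date(2014, 12, 1)
    rec = []
    for off in range(40):
        day = d0 + timedelta(days=off)
        for c in "ABCD":
            # steady background: 2 scanners/day on 5000/tcp, 50/day on 23/tcp
            rec += [(day, c, "tcp", 5000, f"192.0.2.{i}") for i in range(2)]
            rec += [(day, c, "tcp", 23, f"198.51.100.{i}") for i in range(50)]
    # a surge on 5000/tcp that reaches each country on a different day
    surge = {"A": (30, 25), "C": (32, 30), "B": (35, 22), "D": (36, 8)}
    for c, (off, n) in surge.items():
        day = d0 + timedelta(days=off)
        rec += [(day, c, "tcp", 5000, f"203.0.113.{i}") for i in range(n)]
    return d0, rec


def run_sample():
    d0, rec = build_sample()
    days = [d0 + timedelta(days=o) for o in range(30, 40)]
    ca = country_alerts(rec, days)
    return d0, ca, global_alerts(ca)


if __name__ == "__main__":
    d0, ca, ga = run_sample()
    for day, country, proto, port, rate in ca:
        print(f"country alert  {day} {country} {port}/{proto} Amp_Rate={rate:.1f}")
    for day, proto, port, countries in ga:
        print(f"GLOBAL alert   {day} {port}/{proto} countries={','.join(countries)}")
```

Country D's surge (Amp_Rate 5) and the busy but steady 23/tcp (Amp_Rate 1) raise no alert, which shows that the ratio reacts to growth in scanners rather than to absolute volume.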
Alerts in 12 months (2014/2-2015/1)
Our system issued alerts on 90 distinct TCP ports
1,113 alerts were issued in the last 5 months
(Figure: time-series chart, 01/Oct/’14 to 01/Feb/’15)
SHODAN, Rapid7, Shadow Server...
There are several security projects, such as SHODAN, Rapid7, and Shadow Server, that perform port scans to search for vulnerable devices.
x.x.x.x (IP address of scanning host) → DNS Reverse Lookup → censusY.shodan.io
SHODAN scans 58 ports in 12 months (2014/2-2015/2)
71% of alerts were caused by SHODAN
Sometimes SHODAN scanned the same port persistently. -> We found alerts issued over 20 times on the same port.
Not SHODAN
By SHODAN
We found some alerts on IoT (Internet of Things) related ports.
Example
32764/tcp -> Router’s unofficial backdoor
58455/tcp -> backdoor used by IoT worm (Linux.Darlloz)
10000/tcp -> used by webmin, Shellshock related port
5000/tcp -> Vulnerability on Web UI for NAS device
Vulnerability of Synology’s NAS (5000/TCP)
Vulnerability on Web UI on 5000/TCP of Synology’s NAS
The attack first sends HTTP GET /webman/info.cgi?host= to check the version and then sends exploits
Using this vulnerability, it is possible to remotely send and execute arbitrary code
Scans on Synology’s NAS (5000/TCP)
Detected on Country A, C, E
5 days later
Reached peak on country D 3 days later
(y-axis: Amp_Rate)
Input cyber attack detection technologies to the Field Trial part & carry out some trials of security measures in Japan
Establishment of cyber attack information & analysis result sharing and collaborative relationship
Trial of prevention & minimization of the damage based on the R&D technologies
Deploying our cyber-attack monitoring system to outside of Japan. Information sharing with our partners
Step Ⅰ
Step Ⅱ
Step Ⅲ
Step Ⅴ
【Step Ⅰ】 Cyber-attacks information sharing started on Aug 22
【Step Ⅱ】 E-mail alerts system for ISPs in Japan started operation on Oct 2
【Step Ⅲ】 Outcomes will be shared to our partners outside of Japan
【Step Ⅳ】 Outcomes from other analysis system will be utilized to carry out field trial
Schedule