Police Technical Approach to Cyber Threats

Transcription

1 Police Technical Approach to Cyber Threats Jumpei Kawahara Director of High-Tech Crime Technology Division, National Police Agency, Japan

2 1 Overview

3 (cases) Current Situation , Others Illegal and harmful information Internet auction fraud Unauthorized access and virus Defamation and abuse Spam s Fraud and fraudulent business 80,273 77, , , , H23 H24 H25 H H27 Number of consultations on cybercrimes, etc. 2

4 Advantages of Police - Authority for investigation - Nationwide working units - Own technological capability 3

5 olice Organization for High-Tech Crime Technology National Police Agency High-Tech Crime Technology (HTCT) Div. Digital Forensic Center Cyber Force Center Technical Support Counter Cybercrime Cybercrime Div. Counter Cyber Attack Security Planning Div. Other crimes General Crimes Organized Crime Traffic Child Sexual Exploitation / Abuse etc. 1

6 Mission of HTCT Organization To provide technical expertise to tackle cyber threats Digital Forensics - analysis of evidence stored in digital devices - technical support for search, seizure, inspection, etc. Cyber Forces - 24/7 basis detection and analysis of suspicious traffic - cooperation with private sectors - malware analysis - incident response activity 2

7 2 Digital Forensics

8 Digital Forensics Extract Digital devices seized at crime scenes 0AF46ED3 9EF5300C 2FE567BB 9321E8A8 Visualize s Accounts Address List etc. Electronic evidence Analyze Identification of criminals Proof of crimes Disclosing crime syndicate 4

9 Fundamentals of Digital Forensics Electronic evidence can be valuable based on: Correctness of Procedure Accuracy of Analysis Objective Verifiability 6

10 Organization for Digital Forensics National Police Agency Digital Forensics Center Highly advanced digital forensic analysis Regional Police Bureaus Prefectural Info-Communications Departments 3

11 Handling Broken Mobile Phone Transplant(1) Circuit Memory IC Broken smartphone Removed circuit 8

12 Handling Broken Mobile Phone Transplant(2) Removed circuit Memory IC ( stained ) restored the function by cleansing, reballing, etc. 1 Transplant into alternative device ( the same model as the broken one ) 2 Analysis! Alternative device 9

13 3 Cyber Forces

14 Cyber Forces Organization (CFs) - Nationwide technical task forces for counter cyber attacks CFs promote preventing cyber attacks and mitigating the damage in coordination with Critical Infrastructure providers, etc. N P A Cyber Force Center (CFC) - The headquarters 10

15 Real-time Detection Network System : sensor Darknet Observation Cyber Force Center file-sharing illegal network server file down illegal file Web Defacement Detection DoS Attack Observation P2P Network Observation 11

16 Suspicious Incoming Packets * ( packets per day per IP address ) * Captured by NPA s sensors FH 2014 SH 2015 FH 2015 SH 2016 FH 12

17 Suspicious Scanning Activities Discovered(1) ( packets / day / IP address ) Linux-based Devices are drawing interest of attackers as hop points of attacks 2,000 sharp increase 0 Oct Sep Captured packets destination port 23/TCP (telnet) CCTV (Webcam) NAS Digital video recorder 13

18 Suspicious Scanning Activities Discovered(2) ( packets / day / IP address ) Scanning Industrial Control Systems connected to the Internet are continuously exposed to scans 10 sharp increase continuous scans 0 Jan Jun /TCP 443/TCP 102/TCP 22/TCP 179/TCP 5006/TCP 80/TCP Others scan scan Potential attackers Industrial control system Search engine on online devices 14

19 4 Our Efforts

20 Measures against Cyber Threats Suspicious traffic Cyber Force Center Analysis Information sharing with local CFs polices, private sectors, etc. Police-Industry Joint Drill Calling public attention to threats on the portal ( ) 16

21 Malware Information Sharing Malware sample Malware Analysis Dynamic Analysis Static Analysis Results Information sharing Counter Cyber Attack Section of NPA Advanced Technology Industry Critical Infrastructure Anti Virus Vendors Managed Security Service Providers 15

22 International Cooperation Counter-Cybercrime Technology and Investigation Symposium (CTINS) for Police officers and technical officers in Asian & Pacific region 16 th CTINS - Discussions, Lectures & Hands-on Training Experts Meetings with digital forensics experts from foreign law enforcement agencies 17

23 Capacity Enhancement Educational Training at the National Police Academy for experts in digital forensics, etc. and for new employees Trainees learn programming, system management and digital forensics, etc. Nationwide Training Environment as the basis of remote training for nationwide CF members in terms of : - incident response - analysis of electronic evidences 18