Police Technical Approach to Cyber Threats
Jumpei Kawahara, Director of High-Tech Crime Technology Division, National Police Agency, Japan
1 Overview
Current Situation
Chart: number of consultations on cybercrimes, etc. (cases), 2011 (H23) to 2015 (H27), broken down by category: fraud and fraudulent business, spam e-mails, defamation and abuse, unauthorized access and virus, Internet auction fraud, illegal and harmful information, and others.
Annual totals: 80,273 (2011), 77,815 (2012), 84,863 (2013), 118,100 (2014), 128,097 (2015).
Advantages of Police
- Authority for investigation
- Nationwide working units
- Own technological capability
Police Organization for High-Tech Crime Technology
National Police Agency
- High-Tech Crime Technology (HTCT) Div.
  - Digital Forensic Center
  - Cyber Force Center
- Technical support provided by HTCT Div. to:
  - Counter Cybercrime: Cybercrime Div.
  - Counter Cyber Attack: Security Planning Div.
  - Other crimes: General Crimes, Organized Crime, Traffic, Child Sexual Exploitation / Abuse, etc.
Mission of HTCT Organization
To provide technical expertise to tackle cyber threats
Digital Forensics
- analysis of evidence stored in digital devices
- technical support for search, seizure, inspection, etc.
Cyber Forces
- 24/7 detection and analysis of suspicious traffic
- cooperation with private sectors
- malware analysis
- incident response activity
2 Digital Forensics
Digital Forensics
Extract: digital devices seized at crime scenes (raw data)
Visualize: e-mails, accounts, address list, etc. as electronic evidence
Analyze: identification of criminals, proof of crimes, disclosing crime syndicates
Fundamentals of Digital Forensics
Electronic evidence can be valuable based on:
- Correctness of procedure
- Accuracy of analysis
- Objective verifiability
Organization for Digital Forensics
- National Police Agency: Digital Forensics Center (highly advanced digital forensic analysis)
- Regional Police Bureaus
- Prefectural Info-Communications Departments
Handling Broken Mobile Phone: Transplant (1)
Broken smartphone -> removed circuit (carrying the memory IC)
Handling Broken Mobile Phone: Transplant (2)
1. Memory IC on the removed circuit (stained): function restored by cleansing, reballing, etc.
2. Transplant into an alternative device (the same model as the broken one)
Analysis is then carried out on the alternative device.
3 Cyber Forces
Cyber Forces Organization
- Cyber Forces (CFs): nationwide technical task forces for counter cyber attacks. CFs promote preventing cyber attacks and mitigating the damage in coordination with critical infrastructure providers, etc.
- NPA Cyber Force Center (CFC): the headquarters
Real-time Detection Network System
Diagram: Cyber Force Center linked to sensors, comprising:
- Darknet Observation
- Web Defacement Detection (illegal server)
- DoS Attack Observation
- P2P Network Observation (illegal files and file downloads on file-sharing networks)
Suspicious Incoming Packets
Chart: suspicious incoming packets captured by NPA's sensors (packets per day per IP address), by half-year (FH: first half, SH: second half) from 2014 FH to 2016 FH. Values shown: 448.2, 534.2, 684.9, 773.0 and 1,119.1.
Suspicious Scanning Activities Discovered (1)
Linux-based devices are drawing the interest of attackers as hop points for attacks.
Chart: captured packets with destination port 23/TCP (telnet) (packets / day / IP address), Oct. 2015 - Sep. 2016, y-axis up to 2,000, showing a sharp increase. Devices illustrated: CCTV (webcam), NAS, digital video recorder.
Suspicious Scanning Activities Discovered (2)
Industrial control systems connected to the Internet are continuously exposed to scans.
Chart: captured packets (packets / day / IP address), Jan. 2016 - Jun. 2016, y-axis up to 10, by destination port: 5007/TCP, 443/TCP, 102/TCP, 22/TCP, 179/TCP, 5006/TCP, 80/TCP and others; the chart marks a sharp increase and continuous scans.
Diagram: potential attackers and a search engine for online devices both scan Internet-connected industrial control systems.
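The two scanning slides above rely on one metric, packets per day per sensor IP address, and flag a sharp increase on 23/TCP. The Python below is an added example (not NPA code or data) that computes that metric from constructed daily sensor summaries and reports ports whose rate jumps; the log format, the 192.0.2.0/24 sensor addresses and the 3x threshold are assumptions.

```python
"""Darknet sensor summaries -> packets per day per IP address, per destination port."""
from collections import defaultdict

# Constructed daily per-sensor summaries: "<date> <sensor ip> <dport>/<proto> <packets>".
# Sensor addresses come from the 192.0.2.0/24 documentation range; counts are invented.
SAMPLE_LOG = """\
2016-01-01 192.0.2.10 23/TCP 4
2016-01-01 192.0.2.11 23/TCP 6
2016-01-01 192.0.2.10 102/TCP 1
2016-01-02 192.0.2.10 23/TCP 5
2016-01-02 192.0.2.11 23/TCP 5
2016-01-02 192.0.2.11 102/TCP 1
2016-01-03 192.0.2.10 23/TCP 40
2016-01-03 192.0.2.11 23/TCP 36
2016-01-03 192.0.2.10 102/TCP 1
2016-01-04 192.0.2.10 23/TCP 44
2016-01-04 192.0.2.11 23/TCP 48
2016-01-04 192.0.2.11 102/TCP 1
"""

def parse_log(text):
    """Return a list of (day, sensor_ip, port, packets) tuples; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, ip, port, count = line.split()
        records.append((day, ip, port, int(count)))
    return records

def packets_per_day_per_ip(records, days):
    """Packets on each port divided by (days observed * sensor addresses).
    The divisor counts every sensor in the data set, so a quiet sensor still counts."""
    sensors = {r[1] for r in records}
    totals = defaultdict(int)
    for day, _ip, port, count in records:
        if day in days:
            totals[port] += count
    return {p: round(n / (len(days) * len(sensors)), 1) for p, n in totals.items()}

def sharp_increase(records, baseline_days, recent_days, factor=3.0):
    """Ports whose recent rate is at least `factor` times the baseline rate (assumed threshold)."""
    base = packets_per_day_per_ip(records, baseline_days)
    recent = packets_per_day_per_ip(records, recent_days)
    return {p: (base.get(p, 0.0), r) for p, r in recent.items()
            if r > 0 and r >= factor * base.get(p, 0.0)}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    flagged = sharp_increase(recs, {"2016-01-01", "2016-01-02"}, {"2016-01-03", "2016-01-04"})
    for port, (before, after) in flagged.items():
        print(f"{port}: {before} -> {after} packets/day/IP")
```

On the constructed data only 23/TCP is reported (5.0 -> 42.0 packets/day/IP); 102/TCP stays flat at 0.5, which is the "continuous scans" pattern of the ICS slide rather than a spike.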
4 Our Efforts
Measures against Cyber Threats
- Suspicious traffic is analyzed by the Cyber Force Center
- Information sharing with local CFs, prefectural police, private sectors, etc.
- Police-Industry Joint Drill
- Calling public attention to threats on the portal website @police ( http://www.npa.go.jp/cyberpolice/ )
Malware Information Sharing
Malware sample -> malware analysis (dynamic analysis, static analysis) -> results -> information sharing
Parties: Counter Cyber Attack Section of NPA, advanced technology industry, critical infrastructure, anti-virus vendors, managed security service providers
International Cooperation
- Counter-Cybercrime Technology and Investigation Symposium (CTINS) for police officers and technical officers in the Asia-Pacific region; 16th CTINS: discussions, lectures and hands-on training
- Experts meetings with digital forensics experts from foreign law enforcement agencies
Capacity Enhancement
- Educational training at the National Police Academy for experts in digital forensics, etc. and for new employees; trainees learn programming, system management, digital forensics, etc.
- Nationwide training environment as the basis of remote training for nationwide CF members in terms of:
  - incident response
  - analysis of electronic evidence