Tuesday, April 30, 2013

Changing Security Awareness Training in Response to Targeted Attacks, Using Korean IT Cultural Characteristics

I am not exactly good at English, so some of you may be surprised that I am suddenly publishing a paper written in English. ^^;;

I had already given many talks on malware and security at domestic security conferences and seminars, but this is the paper I submitted in November 2011 to AVAR (Association of anti Virus Asia Researchers), the first overseas security conference I ever submitted to.

As with most things, it started very casually. While having a morning coffee with my co-author, Ho-Jin Park, we were talking about APT (Advanced Persistent Threat) and Security Awareness training, and we thought it would be good to present this topic at an overseas conference. So, with a "let's just give it a try" attitude, we spent several months doing painstaking research, refining and organizing our thoughts, and submitted it.

Looking back, it was hard work at the time, coming in on weekends as well, but I think this paper is what gave me the confidence to present at other overseas security conferences too.

Below is the presentation version of the paper shared on Slideshare, and below that is the full text of the paper.


Changing Security Awareness Training in Response
to Targeted Attacks, Using Korean IT Cultural Characteristics

Ho-Jin Park, Youngjun Chang
AhnLab ASEC (AhnLab Security Emergency Response Center)


Over the past few years, most cyber attacks have targeted government and corporate networks, and many companies have adopted security systems to minimize the damage. To bypass those systems, attackers break into corporate networks by sending targeted email to employees that relies on social engineering. Korea has one of the highest rates of everyday use of information technology in the world, and attackers take advantage of its cultural and social routines to build their social engineering lures: credit card companies, for example, send statements by email, and attackers exploit this to spread malware. To counter social engineering that exploits a country's unique cultural and social routines, companies should establish an information security function, such as a SOC (Security Operations Center), together with Security Awareness Training. Security Awareness Training is one of the best ways to prevent social engineering attacks, but to be effective it must be customized for different levels of trainee and must cover social engineering as well as current cultural and social issues. The programs must also be measured and tested continually, including cyber attack simulation exercises that check how much more aware the trainees have become of security threats. In this paper we analyze targeted attacks that exploit the cultural characteristics of Korea's IT environment, and present the changes required of security organizations and of Security Awareness Training to control these attacks effectively.

1. Changing motives behind malware creation

Advances in networking and information technology have made the Internet an important part of daily life. Information technology now lets people carry out activities such as shopping and banking, which in the past were available only offline, without the constraints of time and place.

Although the development of IT has played such a positive role, it has also brought negative aspects, such as Internet threats like malware.

Malware infection and propagation methods have diversified as technology has changed. The latest malware is designed not only to exploit software or system vulnerabilities but also to manipulate people through social engineering, so that it can infect many computers in a short time.

This change in how malware is created and propagated has contributed greatly to the growth in the number of malware samples. The trend is also visible in Korea: AhnLab recorded a 62% increase in malware infections between July 2009 and August 2011, as shown in the chart below. Another reason for the increase is the changing motive behind malware creation.

Fig. 1. Malware infections, July 2009 to August 2011 (Source: AhnLab, Inc.)

In the past, hackers normally created and distributed malware to show off their technical skills: their goal was to infect as many computers as possible, make headlines and gain public attention.

This has changed. Attackers now focus on fraud and monetary gain through online banking, online shopping, online gaming and other transactions that involve money.

In Korea, the popularity of MMORPGs (Massively Multiplayer Online Role-Playing Games) has created offline trading of items that exist only inside the games. This IT culture of buying virtual assets has led to malware that steals online game accounts and passwords in order to rob players of the virtual assets they earned in the games.

Attackers now not only write such malware but also hack websites to steal personal information in bulk, which is then used to create online game accounts. The proliferation of online-game malware and the theft of personal information can be considered a malware propagation method and a type of security incident that are unique to Korea.

2. Targeted attacks and Advanced Persistent Threats (APTs) on the rise

Changes in the motive behind malware creation have led to malware customized to the goals of its creators or of the groups behind them, from profit to political statements. The characteristics of the malware have changed accordingly: it is now tailor-made to launch a targeted attack on a specific target, using social engineering. Targeted attacks are in turn gradually taking the form of the Advanced Persistent Threat (APT), a broad term for a stealthy and often long-running attack. The corporate security incidents in Korea in 2011 show this series of changes in the motive for creating malware and in its distribution method.

The social engineering used in targeted attacks and APTs is changing as well. Past attacks were aimed at unspecified people and mostly used news about public figures or celebrity gossip to grab attention. Targeted attacks and APTs now gather sufficient information on the target company or organization first, and then launch the attack based on the geographical characteristics or the specific IT culture of the target.

3. Social engineering techniques of targeted attacks based on Korean IT culture

Thanks to Korea's high-speed networks, Korean IT culture has grown rapidly, and people can now carry out online many activities that were previously available only offline; for example, documents on government policy that used to be published only on paper can now be obtained and printed online. The advanced national IT infrastructure has also diversified the IT culture.

Fig. 2. Spam message forged to appear as sent by Korean National Police Agency

In Korea there was even a spam campaign forged to appear as if sent by the Korean National Police Agency, targeting Korean users. This spam, themed "Daegu National Police Agency, Cyber Crime Center (Witness Summons)", carried a malicious link and lured victims into clicking it to download a form for registering as a witness. The attack was planned around the fact that email is an important part of most government agency operations in Korea and that virtually all agencies have websites.

Fig. 3. Email disguised as a credit card statement

Figure 3 shows a malicious email that attempts to infect systems by posing as a credit card statement. In Korea most banks let customers check their credit card statements on the bank's website and also send the statements by email every month, so a fake statement is a social engineering lure that exploits Korean IT culture.

All banks that provide online banking require customers to download an ActiveX control before using the service, and the same is true of most Korean websites. Because sites so routinely require ActiveX, most Koreans will install a control when prompted without suspecting anything.

Fig. 4. ActiveX malware disguised as security program

The attacker exploited this Korean IT culture: the spam disguised as a credit card statement directs victims who click its link to a fake bank website, which then offers a malicious "keyboard protection" ActiveX control for download.

4. Korean targeted attacks and APTs, and insufficient Security Awareness Training

Looking at the security incidents at Korean companies in 2011, the attack technique differs from that of traditional targeted attacks and APTs: it is built on Korean IT culture.

One example is the incident in which the personal information of 35 million users was stolen from a Korean social network service. Compared with typical targeted attacks and APTs, the only similarity is that confidential information was stolen; the process was quite different.

The attackers compromised the update server of a free program used almost exclusively in Korea and temporarily replaced its update files with malicious ones. This infected the systems of most of the program's users. The attackers then closely observed the activity of the infected systems and carefully selected corporate executives and staff to watch further. When they found a system used by a corporate database administrator, they used the authentication and network information on that system to access the database and steal internal information.

This series of attacks started with the attackers understanding a feature of Korean IT culture, namely that free software distributes its update files through a separate update server, and so the software's users were targeted. After distributing the malware, the attackers watched the victimized executives and staff for some time to gather internal IT information and then steal personal information; at that point the technique became an APT that steals internal information. Note that at the infection stage the victims had nothing to be suspicious of: the malware arrived through the program's normal update mechanism, which is a software supply-chain weakness that the vendor's update integrity controls (updates signed by the vendor and verified by the client before installation) have to address, not awareness training. Awareness matters at the policy-violation stage and in the stages that follow.
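The final stage of the incident above, a database administrator's credentials used from an ordinary workstation to reach the database, is something a SOC can detect from database authentication logs, provided DBA accounts are only permitted from hardened admin hosts. The following is an added example, not code from the paper or from AhnLab: it parses a constructed audit log (the log format, host names, account names and the admin-host policy are all assumptions) and flags DBA-account logins that come from a non-admin host or succeed outside business hours.

```python
"""Flag database logins that violate an admin-host rule for DBA accounts.

Added illustration, not code from the paper. The audit-log format, host
names, account names and policy below are constructed for the example.
"""
import re
from dataclasses import dataclass

# Constructed sample audit log (not real data). One login attempt per line.
SAMPLE_AUDIT_LOG = """\
2011-07-20T09:12:01 user=dba_kim src=jump01.corp.example result=OK
2011-07-20T09:40:17 user=app_web src=web03.corp.example result=OK
2011-07-26T22:05:44 user=dba_kim src=ws-kim.corp.example result=OK
2011-07-26T22:06:02 user=dba_kim src=ws-kim.corp.example result=OK
2011-07-27T01:15:30 user=dba_kim src=10.20.30.77 result=FAIL
2011-07-27T01:15:41 user=dba_kim src=10.20.30.77 result=OK
"""

# Assumed policy: DBA accounts may only be used from hardened admin hosts,
# and a successful DBA login outside 08:00-19:59 local time is worth a look.
DBA_ACCOUNTS = frozenset({"dba_kim"})
ADMIN_HOSTS = frozenset({"jump01.corp.example", "jump02.corp.example"})
BUSINESS_HOURS = range(8, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT(?P<hour>\d\d):\d\d:\d\d) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    src: str
    reasons: tuple


def parse_events(log_text):
    """Yield one dict per well-formed audit line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(log_text, dba_accounts=DBA_ACCOUNTS, admin_hosts=ADMIN_HOSTS):
    """Return one Alert per DBA-account login attempt that breaks the policy."""
    alerts = []
    for ev in parse_events(log_text):
        if ev["user"] not in dba_accounts:
            continue  # only privileged accounts are in scope for this rule
        reasons = []
        if ev["src"] not in admin_hosts:
            reasons.append("non-admin source host")
        if ev["result"] == "OK" and int(ev["hour"]) not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if reasons:
            alerts.append(Alert(ev["ts"], ev["user"], ev["src"], tuple(reasons)))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_AUDIT_LOG):
        print(f"{a.ts} {a.user}@{a.src}: {', '.join(a.reasons)}")
```

The rule only works if DBA accounts are never legitimately used from the administrator's everyday workstation. In the incident above the attacker reused exactly that workstation's stored credentials, so it is the separation between a hardened admin host and the workstation, enforced in the database's own access controls and then checked in the audit log, that turns the attacker's database access into an anomaly instead of normal-looking traffic.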

The incident thus started as a targeted attack based on Korean IT culture and turned into an APT that steals private information. There may be several reasons the attack succeeded, but the two main ones are as follows.

A security policy existed that prohibited executives and staff from using free software, yet they used it anyway and had their systems infected, because they neither properly understood nor observed the policy. This shows that the existing Security Awareness Training was not effective in preventing the threat.

The company's most important system, the database, was compromised. This is a very serious problem: database administrators who manage systems holding important data must be trained specifically to follow a security policy that differs from the one applied to other executives and staff.

This attack shows that the Security Awareness Training programs currently conducted in companies are not effective in preventing security threats.

5. Security Awareness Training to effectively respond to targeted attacks

Many companies and government institutions conduct Security Awareness Training and run campaigns emphasizing the importance of information and IT security in order to prevent security threats. But there are four problems.

1) Training programs reach only a limited number of people. They tend to be provided only to organizational users, not to personal users.

2) Training programs cannot keep up with rapidly evolving Internet threats. Threats spread fast, but training programs are slow to incorporate them.

3) Training programs are standardized. Trainees differ in level and in social and professional role, but most programs are not customized for those differences.

4) Training programs are not evaluated for effectiveness. There must be a procedure to check whether a program actually raises security awareness, but most programs are not evaluated at present.

The following requirements must be met to correct the flaws above.

Security Awareness Training must be offered equally to everyone.

In information security, a single vulnerability determines the overall security level: even when every technical and policy measure is in place, one small weakness can make the entire system vulnerable. The same applies to people, so security awareness has to be raised in every single person if the organization is to respond effectively to security threats. For this reason, Security Awareness Training must be offered equally to everyone.

Security Awareness Training must be provided constantly according to situations.

Security Awareness Training is currently conducted at fixed intervals, every year or every quarter. Against rapidly evolving and diversifying attacks, yearly or quarterly training is not enough, and failing to respond to new threats will cause serious problems.

"Constant" training built on information about new threats is the only way to keep up with new attacks, so constant training should be a design goal when planning Security Awareness Training.

Security Awareness Training must be customized according to social and professional roles.

Targeted attacks gather information on their targets first and then choose the most appropriate technique; current Security Awareness Training is not built the same way. Trainees have different social and professional roles: the staff at the information desk mostly handle visitors' personal information, while a company's executives handle information on corporate strategy and management. Because the information each person handles differs, the security policy that applies to them must differ too, and customizing Security Awareness Training by social and professional role makes the training more effective.

Security Awareness Training must be evaluated for effectiveness.

Various methods are used to evaluate whether a curriculum is effective. From the evaluation, educators learn which areas to improve and learners find out how much they have learned. The same evaluation must be applied to Security Awareness Training.

Penetration testing can serve as the evaluation method. The success rate of a social engineering attack depends on the target's situation or emotional state, so a typical written assessment cannot measure resistance to it. To evaluate the effectiveness of training on social engineering, the trainees themselves must be tested: they should be sent emails modelled on those used in real social engineering attacks, and their responses recorded. Techniques similar to actual voice phishing should also be used to see how the trainees respond.
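The phishing test described above has to be measured, and the measurement should be broken down by role so that it can feed the role-customized training argued for earlier. The following is an added example, not code from the paper or from AhnLab: each trainee gets an HMAC-derived tracking token in the link of their test email (so one recipient cannot guess another trainee's token and pollute the results), click, credential-submission and report events from the tracking endpoint are resolved back to trainees, and rates are computed per role. The roster, campaign secret, campaign name and event log are constructed for the example.

```python
"""Score a phishing-simulation campaign by trainee role.

Added illustration, not code from the paper. The roster, campaign secret
and event log below are constructed for the example.
"""
import hashlib
import hmac
from collections import defaultdict

# Assumption: a random secret generated per campaign and kept off the mail
# server, so a recipient cannot derive another trainee's token from their own.
CAMPAIGN_KEY = b"constructed-example-secret-use-os.urandom-in-practice"
CAMPAIGN_ID = "2011-Q4-card-statement"  # lure theme borrowed from Section 3

# Constructed roster: user id -> social/professional role.
TRAINEES = {
    "u001": "reception", "u002": "reception",
    "u003": "executive",
    "u004": "dba", "u005": "dba",
    "u006": "developer",
}

ACTIONS = ("clicked", "submitted", "reported")


def make_token(campaign_id, user_id, key=CAMPAIGN_KEY):
    """Tracking token for the trainee's link, e.g. https://train.example/t/<token>."""
    msg = f"{campaign_id}:{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def resolve_tokens(campaign_id, trainees, key=CAMPAIGN_KEY):
    """Map every valid token for this campaign back to its user id."""
    return {make_token(campaign_id, uid, key): uid for uid in trainees}


def evaluate(campaign_id, trainees, events, key=CAMPAIGN_KEY):
    """Return per-role click, credential-submission and report counts and rates.

    events: iterable of (token, action). A credential submission implies a
    click. Each trainee counts at most once per behaviour however many times
    they clicked, and events with an unknown token or action are ignored.
    """
    lookup = resolve_tokens(campaign_id, trainees, key)
    per_user = defaultdict(set)
    ignored = 0
    for token, action in events:
        uid = lookup.get(token)
        if uid is None or action not in ACTIONS:
            ignored += 1
            continue
        per_user[uid].add(action)
        if action == "submitted":
            per_user[uid].add("clicked")

    roles = {}
    for uid, role in trainees.items():
        r = roles.setdefault(role, {"n": 0, "clicked": 0, "submitted": 0, "reported": 0})
        r["n"] += 1
        for action in per_user.get(uid, ()):
            r[action] += 1
    for r in roles.values():
        for action in ACTIONS:
            r[f"{action}_rate"] = r[action] / r["n"]
    return {"campaign": campaign_id, "ignored_events": ignored, "roles": roles}


def _tok(uid):
    return make_token(CAMPAIGN_ID, uid)


# Constructed event log as (token, action) pairs from the tracking endpoint.
SAMPLE_EVENTS = [
    (_tok("u001"), "clicked"),
    (_tok("u002"), "reported"),
    (_tok("u003"), "clicked"),
    (_tok("u003"), "submitted"),       # executive typed credentials into the fake site
    (_tok("u004"), "reported"),
    (_tok("u005"), "clicked"),
    (_tok("u005"), "clicked"),         # repeat click counts once
    ("0123456789abcdef", "clicked"),   # forged or mistyped token: not counted
]


if __name__ == "__main__":
    result = evaluate(CAMPAIGN_ID, TRAINEES, SAMPLE_EVENTS)
    for role, r in sorted(result["roles"].items()):
        print(f"{role:10s} n={r['n']} click={r['clicked_rate']:.0%} "
              f"submit={r['submitted_rate']:.0%} report={r['reported_rate']:.0%}")
    print("ignored events:", result["ignored_events"])
```

The report rate is as important as the click rate: a trainee who clicks and then reports the email still gives the SOC a chance to respond, which is the behaviour the training should be moving people toward. The per-role breakdown is what shows, for instance, that the executives or the database administrators need a different lure and a different lesson from the reception staff.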

6. SOC (Security Operations Center)-based Security Awareness Training

The growth in security threats caused by the changing motives behind malware creation calls for a change in the role of the SOC, which has traditionally focused on technical security.

Technical controls alone are of limited use against targeted attacks and APTs that use social engineering tailored to a regional IT culture such as Korea's, so Security Awareness Training is required. But the training must change too, and the SOC must take the lead in adapting the training program to evolving threats.

The SOC must research not only the technical aspects of rapidly evolving IT technology and culture but also the human aspects, use the results to predict how security threats will develop alongside new technology and culture, and define the actions to take. Those actions must then be incorporated into the Security Awareness Training program so that threats that are very likely to be launched can be prevented.

SOCs in different regions should share information on the actual security threats that occurred in their region and on how they responded, so that threats can be predicted in advance. The information researched and shared must be included in the training programs, and SOCs should also share the testing methods they found effective for evaluating those programs.

7. Summary

We have discussed how and why Security Awareness Training must change in response to the changing motives behind malware creation and to attack techniques that differ between IT cultures. Security Awareness Training cannot prevent every security threat, and technical methods may be more effective at blocking DDoS (Distributed Denial of Service) attacks or malware that spreads through a purely technical infection path.

However, recent targeted attacks and APTs have not been easy to block with technical approaches alone. In particular, attacks that use social engineering based on a regional IT culture can only be effectively prevented or responded to with Security Awareness Training that includes the latest threat cases.


Hojin Park has worked as a programmer and antivirus researcher since 1999 and is now a digital forensics analyst. He is currently the Head of A-FIRST (AhnLab Forensic and Incident Response Service Team), where his primary duties are incident response and the analysis of digital evidence.

Youngjun Chang has more than 9 years of experience in antivirus and Internet threats. He is a Senior Advanced Threat Researcher at ASEC (AhnLab Security Emergency Response Center), where he spends most of his time researching new Internet threats and writing information security articles for newspapers and magazines. He also lectures on Internet threats and malware to students and IT engineers.