C-TAS Ecosystem for Cyber Threat Analysis & Sharing in Korea
Bohemia Ballroom, 07 Dec 2017 03:00 PM - 03:30 PM (America/Chicago)
Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague / events@oasis-open.org

In 2009 and 2011, Korean and American government, media and bank websites were knocked out for three days in two massive DDoS attacks conducted by the same attack group. Several malware samples used in the two attacks shared not only similar code blocks but also the same TTPs (Tactics, Techniques, and Procedures). They spread through similar vulnerabilities in the installer programs distributed by webhard (Korean file-hosting) websites. It was also unusual that the malware carried its target addresses and attack times embedded in the binaries rather than receiving them from C2 servers. Korea Internet & Security Agency (KISA), an agency under South Korea's Ministry of Science, ICT and Future Planning, built the Malware Management System to profile the malware collected during incident responses in the private sector.

In 2013, the same attack group conducted the simultaneous APT (Advanced Persistent Threat) attacks known as DarkSeoul against major Korean banks and media companies. One of the banks had already been hit by an APT attack from the same group in 2011. After DarkSeoul, the Korean government felt keenly the need to share cyber threat information in order to prevent and respond to advanced attacks efficiently and effectively. KISA developed the C-TAS (Cyber Threat Analysis & Sharing) system to profile, and share, not only the collected malware but also the compromised hosts, the exploited vulnerabilities and even the attackers. Since 2014, C-TAS has shared more than 170 million cyber threat records with about 170 Korean companies and organizations, the C-TAS members.

This presentation will focus on how the C-TAS system collects, analyzes and shares Cyber Threat Intelligence (CTI) within the C-TAS community, and will describe the problems that occurred at each step and how we solved them.

The take-aways for attendees are:

1. How to build your own CTI platform to collect, analyze and share CTI.
2. Why we have to do it.
3. What the challenges are and how to solve them.


Additional information on the presentation:

1. Background & Motivation: This will cover the motivation for developing the C-TAS system and a brief history of it.

2. C-TAS Ecosystem & System Architecture Overall: This will detail the C-TAS ecosystem and its components. The C-TAS system is built from several big-data components. CTI is no longer stored in an RDBMS; instead, several NoSQL stores are used (a document-oriented database, a graph database, a search engine and so on). Most of these components, including MongoDB, Elasticsearch and Spark, are open-source or free software.

3. Introduction to C-TEX (Cyber Threat EXpression) and C-TEXg (C-TEX for graph): This will detail C-TEX and C-TEXg, the languages the C-TAS system uses to express and share CTI within the community. C-TEX is a structured language for CTI in XML or JSON format. It is similar to STIX/CybOX (originally from MITRE, now maintained at OASIS) but much simpler and easier to use. C-TEXg, similar to JPCERT/CC's Hiryu, is a graph language for relationships between indicators expressed in C-TEX. C-TEXg can also be used to visualize CTI; examples will be given in a later section. C-TEX v2.0 supports other CTI languages such as STIX/CybOX and even custom open-source intelligence formats. How C-TEX/C-TEXg v2.0 can be used together with STIX 2.0 (in which CybOX is folded into STIX as Cyber Observables) will be shown in this section.

4. How to collect, analyze and share CTI: C-TAS automatically collects CTI from many systems inside KISA and at C-TAS members, and shares it back in real time. This is made possible by RESTful APIs and message queuing. Collected CTI has to be validated and enriched before it is useful enough to share; the C-TAS system uses open-source intelligence and other resources for enrichment. Some CTI can be analyzed automatically, the rest manually by analysts at KISA. What happens to CTI before it is shared will be shown.
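Validation before sharing is the step most likely to make or break a community feed: a member that receives a private address, a public resolver or a malformed hash as an indicator will either block its own traffic or learn to ignore the feed. The following is an added example, not C-TAS code (the page does not show C-TAS's own validation logic), of what that step looks like in Python: normalize defanged values, reject non-routable addresses and malformed hashes, drop known-benign infrastructure and collapse duplicates. The records, the benign allowlist and the rejection rules are constructed assumptions for this example.

```python
"""Validate and normalize indicators before sharing them with a community.

Added example, not C-TAS code: the page says collected CTI is validated and
enriched before sharing but does not show how, so this is one practitioner's
version of that step. The records, the allowlist and the rules are constructed.
"""
import ipaddress
import re

HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64}
DOMAIN_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Address ranges that would match traffic inside every member's own network.
# (RFC 5737 documentation ranges are left out only because the constructed sample
# below uses 203.0.113.7 as its "public" C2 address; add them in production.)
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed allowlist of infrastructure that must never be shared as an IOC;
# a real deployment loads a maintained list (public resolvers, CDNs, update hosts).
BENIGN = {"8.8.8.8", "1.1.1.1", "example.com"}


def refang(value):
    """Undo common defanging and case so that 'Evil[.]Example' equals 'evil.example'."""
    v = value.strip().lower()
    for defanged in ("[.]", "(.)", "{.}", "[dot]"):
        v = v.replace(defanged, ".")
    return v


def normalize(kind, value):
    """Return the canonical form of an indicator, or raise ValueError with the reason."""
    v = refang(value)
    if kind in HEX_LEN:
        if not re.fullmatch(r"[0-9a-f]{%d}" % HEX_LEN[kind], v):
            raise ValueError(f"{kind} must be {HEX_LEN[kind]} hex characters")
        return v
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(v)
        except ipaddress.AddressValueError:
            raise ValueError("not an IPv4 address") from None
        if any(ip in net for net in NON_ROUTABLE):
            raise ValueError("non-routable address, would match every member's internal traffic")
        return str(ip)
    if kind == "domain":
        labels = v.rstrip(".").split(".")
        if len(labels) < 2 or not all(DOMAIN_LABEL.match(lab) for lab in labels):
            raise ValueError("malformed domain")
        return ".".join(labels)
    raise ValueError(f"unsupported indicator type {kind!r}")


def triage(records):
    """Split records into (shareable, rejected); rejected entries carry a reason.

    Duplicates after normalization are collapsed (first source wins) and
    known-benign infrastructure is dropped instead of being forwarded.
    """
    shareable, rejected, seen = [], [], set()
    for rec in records:
        try:
            value = normalize(rec["type"], rec["value"])
        except ValueError as err:
            rejected.append({**rec, "reason": str(err)})
            continue
        if value in BENIGN:
            rejected.append({**rec, "reason": "known-benign infrastructure"})
            continue
        if (rec["type"], value) in seen:
            continue
        seen.add((rec["type"], value))
        shareable.append({"type": rec["type"], "value": value,
                          "source": rec.get("source", "unknown")})
    return shareable, rejected


# Constructed input as it might arrive from members' sensors: mixed case, defanged,
# one private address, one public resolver, one duplicate and one truncated hash.
SAMPLE_RECORDS = [
    {"type": "domain", "value": "Update[.]Evil-Example[.]NET.", "source": "member-a"},
    {"type": "domain", "value": "update.evil-example.net", "source": "member-b"},
    {"type": "ipv4", "value": "203.0.113.7", "source": "member-a"},
    {"type": "ipv4", "value": "10.0.0.5", "source": "member-c"},
    {"type": "ipv4", "value": "8.8.8.8", "source": "member-c"},
    {"type": "sha256", "value": "DEADBEEF", "source": "member-b"},
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e", "source": "member-b"},
]

if __name__ == "__main__":
    ok, bad = triage(SAMPLE_RECORDS)
    for rec in ok:
        print("share ", rec["type"], rec["value"], "from", rec["source"])
    for rec in bad:
        print("reject", rec["type"], rec["value"], "->", rec["reason"])
```

The rejected list is worth keeping and feeding back to the submitting member: a sensor that keeps reporting RFC 1918 addresses or truncated hashes is misconfigured, and telling it so is cheaper than silently dropping its submissions.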

5. CTI Visualization for Cyber Situational Awareness: As already mentioned, C-TEXg is used to store relationships between indicators and to visualize them for cyber situational awareness. There is never enough time to analyze and respond to every single threat, so visualizing threats and their relationships tells us where to start.
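Since the page gives neither C-TEXg's syntax nor a sample graph, here is an added example (not C-TAS or C-TEXg code) that does the same job on STIX 2.0 input, the format section 3 says C-TEX v2.0 interoperates with: it loads a bundle's relationship objects into an adjacency graph, ranks nodes by degree to decide where to start, walks outward from one indicator, and emits Graphviz DOT for visualization. The bundle, identifiers and indicator values are constructed; the dangling reference is included deliberately because partial bundles are common in shared feeds.

```python
"""Load a STIX 2.0 bundle into a relationship graph and rank pivot points.

Added example, not C-TAS or C-TEXg code. The page only describes C-TEXg as a
graph language for relationships between indicators, so the input here is a
STIX 2.0 bundle instead. The bundle, its UUIDs, the hash and the address are
constructed for this example.
"""
import json
from collections import defaultdict, deque

# Constructed identifiers (valid STIX 2.0 id syntax, invented values).
MALWARE = "malware--11111111-1111-4111-8111-111111111111"
IND_HASH = "indicator--22222222-2222-4222-8222-222222222222"
IND_C2 = "indicator--33333333-3333-4333-8333-333333333333"
GROUP = "intrusion-set--44444444-4444-4444-8444-444444444444"
TS = "2017-11-01T00:00:00.000Z"


def _rel(n, rtype, src, dst):
    """Build a STIX 2.0 relationship object; n is a digit used to fake a UUID."""
    return {"type": "relationship",
            "id": f"relationship--{n * 8}-{n * 4}-4{n * 3}-8{n * 3}-{n * 12}",
            "created": TS, "modified": TS, "relationship_type": rtype,
            "source_ref": src, "target_ref": dst}


SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "spec_version": "2.0",
    "objects": [
        {"type": "malware", "id": MALWARE, "created": TS, "modified": TS,
         "name": "wiper-family-x", "labels": ["wiper"]},
        {"type": "indicator", "id": IND_HASH, "created": TS, "modified": TS,
         "name": "dropper sha256", "labels": ["malicious-activity"], "valid_from": TS,
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']"},
        {"type": "indicator", "id": IND_C2, "created": TS, "modified": TS,
         "name": "c2 address", "labels": ["malicious-activity"], "valid_from": TS,
         "pattern": "[ipv4-addr:value = '203.0.113.7']"},
        {"type": "intrusion-set", "id": GROUP, "created": TS, "modified": TS,
         "name": "group-y"},
        _rel("5", "indicates", IND_HASH, MALWARE),
        _rel("6", "indicates", IND_C2, MALWARE),
        _rel("7", "uses", GROUP, MALWARE),
        # Dangling reference: the tool object was never shipped, as happens with
        # partial bundles from a feed. load_graph() must skip it, not crash.
        _rel("8", "uses", GROUP, "tool--99999999-9999-4999-8999-999999999999"),
    ],
})


def load_graph(bundle_json):
    """Return (nodes, edges). nodes maps id -> object; edges is an undirected
    adjacency dict id -> {neighbour_id: relationship_type}. Direction is dropped
    because pivoting wants 'what is connected', not 'who points at whom'.
    Relationships with an unknown endpoint are skipped rather than inserted."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    nodes = {o["id"]: o for o in bundle["objects"] if o["type"] != "relationship"}
    edges = defaultdict(dict)
    for o in bundle["objects"]:
        if o["type"] != "relationship":
            continue
        src, dst = o["source_ref"], o["target_ref"]
        if src not in nodes or dst not in nodes:
            continue
        edges[src][dst] = o["relationship_type"]
        edges[dst][src] = o["relationship_type"]
    return nodes, edges


def rank_hubs(edges):
    """Node ids sorted by degree, highest first (ties broken by id for determinism).
    The hub is where an analyst with no time should look first."""
    return sorted(edges, key=lambda n: (-len(edges[n]), n))


def pivot(edges, start, max_hops):
    """Breadth-first walk from start; returns {id: hops} for nodes within max_hops."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if seen[cur] == max_hops:
            continue
        for nxt in edges.get(cur, {}):
            if nxt not in seen:
                seen[nxt] = seen[cur] + 1
                queue.append(nxt)
    return seen


def to_dot(nodes, edges):
    """Emit a Graphviz DOT graph (render with: dot -Tpng)."""
    lines = ["graph cti {"]
    for nid, obj in nodes.items():
        lines.append(f'  "{nid}" [label="{obj["type"]}: {obj.get("name", nid)}"];')
    done = set()
    for a in edges:
        for b, rel in edges[a].items():
            key = tuple(sorted((a, b)))
            if key not in done:
                done.add(key)
                lines.append(f'  "{a}" -- "{b}" [label="{rel}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    nodes, edges = load_graph(SAMPLE_BUNDLE)
    print("start with:", [nodes[n]["name"] for n in rank_hubs(edges)[:2]])
    print("two hops from the C2 indicator:", pivot(edges, IND_C2, 2))
    print(to_dot(nodes, edges))
```

Degree ranking is the crudest possible prioritization, but on a real community graph it already separates the one malware family that ties a dozen members' incidents together from the long tail of one-off hashes.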

6. Practical Usages of C-TAS Ecosystem: Today, many Korean companies and organizations use CTI from the C-TAS system to protect themselves. The C-TAS ecosystem provides not only CTI but also some useful tools packaged in a virtual machine image, built from the same open-source or free software used in the C-TAS system. This section will show practical applications of the C-TAS ecosystem and use cases.

7. Policies & Issues in Sharing: Building the C-TAS community was not easy; it took three years to reach about 170 members. This section will talk about sharing policies and some issues in sharing, describing the biggest challenge of sharing with other members and how we solved it.

8. Closing Remarks: C-TAS is still evolving to detect and respond to the latest advanced cyber attacks, from ransomware to nation-state espionage. Finally, this section will talk about what is planned for the next version of C-TAS this year.

General Researcher, Korea Internet & Security Agency