International Journal of Technology Management and Information System (IJTMIS) eISSN: 2710-6268 [Vol. 2 No. 4 December 2020]
Journal website: http://myjms.mohe.gov.my/index.php/ijtmis
MALWARE MITIGATION FRAMEWORK IN CONTAINING VIRUS ATTACK IN THE CYBER ENVIRONMENT: MALAYSIA
CYBER SECURITY PERSPECTIVE
Nasim Aziz (1)*, Zahri Yunos (2) and Rabiah Ahmad (3)
(1, 2) CyberSecurity Malaysia, Cyberjaya, MALAYSIA
(1, 3) Universiti Teknikal Malaysia Melaka, Melaka, MALAYSIA
*Corresponding author: [email protected]
Article Information:
Article history:
Received date: 12 December 2020
Revised date: 19 December 2020
Accepted date: 24 December 2020
Published date: 26 December 2020
To cite this document:
Aziz, N., Yunos, Z., & Ahmad, R. (2020).
MALWARE MITIGATION FRAMEWORK IN CONTAINING VIRUS ATTACK IN THE CYBER ENVIRONMENT: MALAYSIA CYBER SECURITY PERSPECTIVE.
International Journal Of Technology Management And Information System, 2(4), 36-50.
Abstract: Malware attacks are increasingly sophisticated, difficult to prevent and, more often than not, very specific and targeted. Specialized groups can become destructive entities by launching cyber-attacks on information technology infrastructure, which would eventually have a tremendous impact on individuals, organizations and a country. It is vital that cyber security organizations such as Computer Emergency Response Teams (CERTs) develop a malware mitigation framework to protect the Critical National Information Infrastructure (CNII) from being exploited by cyber criminals. A malware mitigation framework needs to be holistic in order to provide effective and efficient preparation to prevent or repel malware attacks.
To ensure the effectiveness of the framework in mitigating malware, identifying the cyber security pillars, the components within the pillars and their functions will allow effective mitigation of malware by a cyber security organization in Malaysia. This study's contribution, which is not widely discussed from an academic point of view, will allow a malware mitigation framework to be recognized for CERTs to implement in their constituencies as a platform to proactively eradicate and remediate malware attacks. It is hoped that, through this study, further cooperation in the form of research and projects can be achieved with other security organizations that share the aspiration of seeing a safer cyber space.
Keywords: Malware (Malicious Software), Malware Mitigation Framework, Computer Emergency Response Team (CERT), Critical National Information Infrastructure (CNII), Information Technology (IT).
1. Introduction
Underground cyber criminals collaborate to create malicious programs to attack and control technological tools for their own profit and self-interest. It is crucial that cyber security organizations increase their capability in cyber security technological development to prevent such activities. Cyber-attacks interfere with the normal use of IT devices in order to take advantage of the information gathered, motivated by financial or political gain (Gandhi & Mahoney, 2011). The increase in cyber-attacks requires cyber security organisations to find new countermeasures to mitigate this epidemic trend. Cyber-attacks by perpetrators cause harmful effects to computer systems and are able to collapse an entire CNII's services and systems, as seen during the Estonian cyber-attack in 2007 (Wong, Porter, Hokanson, & Xie, 2017). Generally, successful malware attacks use sophisticated techniques to exploit vulnerabilities and loopholes in computer systems as well as weaknesses of the users themselves.
According to the WEF, cyber-attack is a major concern to the world and was placed sixth in its evolving risk matrix in 2014 (World Economic Forum, 2017). Like other countries, the Malaysian Internet landscape encounters cyber-attacks due to the widespread use of Information Technology (IT) devices connected to the Internet. The Internet Users Survey 2016 revealed that two-thirds to three-fourths of Malaysia’s population were part of the online community (MCMC, 2016). Since Internet access is easily acquired in the country, this presents a high potential for malware infections of the IT devices used by Malaysians.
According to CyberSecurity Malaysia statistics collected since 2011, the highest number of attacks occurred in 2016, with 2,026,276 Malaysia Botnet Drones by unique IPs and 1,130,056 Malware Infections by unique IPs (MyCERT, 2019). Figure 1 shows the yearly statistics from 2011 to 2019 on malware feeds to MyCERT, CyberSecurity Malaysia.
Figure 1: Malaysia Botnet Drones and Malware Infections (2011-2019)
Cyber-attacks on the Critical National Information Infrastructure (CNII) are a major concern to governments around the world. Cyber adversaries are aggressive and persistent in their efforts to compromise government networks and information (ACSC, 2015). Government institutions, financial entities, military forces and other organizations that are well-equipped with IT infrastructure are vulnerable to these attacks if appropriate protections are not established. As Malaysia transforms towards a knowledge-based economy and comes to depend on digital information systems, the vulnerabilities and risks to its CNII also escalate (Mohd Shamir Hashim, 2015). As perpetrators exploit IT vulnerabilities and cause significant losses to the CNII sector, the National Computer Emergency Response Team (CERT) should provide a solution to prevent malware attacks from spreading.
2. Literature Review
Government agencies and business organizations depend on Information and Communication Technology (ICT) to support their key operations. To help handle IT-related incidents, the establishment of security organizations such as Computer Emergency Response Teams (CERTs) is important. CERT (Computer Emergency Response Team) is used synonymously with CSIRT (Computer Security Incident Response Team) as the term designated around the world for computer security teams, but it was historically first registered by Carnegie Mellon University's CERT/CC (Bada, Creese, Goldsmith, Mitchell, & Phillips, 2014). A CERT can be recognized as a national or an organizational entity based upon its establishment, its service constituency and the goals set by its stakeholders. CERTs are security teams that provide support to a well-defined constituency in preventing and responding to computer security incidents (Sawicka, Gonzalez, & Qian, 2005). A CERT needs to manage stakeholders’ expectations in handling incidents so as not to be seen as incapable of managing a cyber incident crisis. A CERT is a service organization responsible for receiving, reviewing and responding to reports and activities related to computer problems or incidents and security events (FIRST.org, 2018). The services provided are usually defined specifically for assisting government agencies and business organizations throughout a country or region. The two main purposes of establishing a CERT are, first, to offer a prompt incident response service to mitigate attacks and, second, to coordinate security incidents with trusted parties, not only in handling the incidents but also in enhancing computer security awareness among the related parties (Borodkin, 2002).
Meanwhile, according to ENISA, the general services provided by a CERT stretch across reactive, proactive and security quality management services (ENISA, 2010). These three service categories, as described by ENISA, are illustrated in Table 1.
Table 1: Services offered by CERT
Proactive Services:
1. Cyber security alerts, warnings and announcements
2. Technology watch
3. Security audit or assessment
4. Cyber security information dissemination
5. Cyber security monitoring (e.g. intrusion detection, network monitoring)
6. Configuration and maintenance of security tools, applications and infrastructure
7. Awareness and training programs related to handling cyber security incidents

Reactive Services:
1. Triage function
2. Incident handling - incident analysis, response on site, response support, response coordination
3. Handling vulnerabilities - vulnerability analysis, response, response coordination
4. Artefact handling - artefact analysis, response, response coordination

Quality Management Services:
1. Risk analysis
2. Business Continuity and Disaster Recovery Planning
3. Awareness building
4. Education/training
5. Information sharing with other teams in the organization
The establishment of a CERT has a significant impact on an organization's reputation and also assists in ensuring financial and operational stability. A CSIRT generally engages in six sequential stages: preparation, identification, containment, eradication, recovery and follow-up (Ahmad, Maynard, & Shanks, 2015). This IT security body is established as an organizational entity or made up of members within an organization who form a security team to provide services in handling computer security incidents. Well-established CERTs are expected to develop and focus on proactive mitigation services, together with reactive incident handling services, for their stakeholders (Taylor, Street, & Wt, 2015). With cyber-attacks widespread, particularly those carried out by malware, it is therefore important that National CERTs develop a malware mitigation framework to combat malware attacks. It is necessary for governments to establish a malware mitigation system that encompasses both technical and management outlooks to prevent malware infection from spreading (Aziz, Yunos, & Ahmad, 2018).
CERT organizations are responsible for handling computer security incidents and issues arising from malicious IT activities. It is imperative that organizations recognize that security threats are unpredictable; in such cases, timely recovery is critical to providing effective and adaptive security measures. In developing a malware mitigation framework, it is important that certain best practices be developed to achieve the organization’s goals (Aziz et al., 2018).
Results based on an empirical study by Wang suggest that the proposed framework and novel anomaly detection algorithm are highly effective in detecting malware on Android devices (Wang et al., 2014). A comprehensive technological framework to mitigate malware was introduced that consists of five components, each with its own capability: Collection, Analysis, Sinkhole, Wall Garden and Report (Yusof, Abdollah, & Selamat, 2017).
In strengthening the malware mitigation framework, it is best to also have policies in place so that stakeholders understand the objective of what is being implemented.
According to several studies (Fulford and Doherty, 2003; Ruighaver et al., 2007; Saint-Germain, 2005), an adequate policy clearly identifies goals, procedures, processes and responsibilities and provides direction to all stakeholders (Alfawaz, May, & Mohanak, 2008). Figure 4 shows an Organizational Strategic Governance Framework designed (Trim & Lee, 2014) to take into account the effectiveness of the management structure in order to increase performance and achieve sustainable shareholder value.
Figure 4: Organizational strategic governance framework
The above study also suggests that consideration of the key elements of corporate governance is important and that business leaders should consider policy issues, technology innovation, training, employment and other social involvement in order to achieve the intended goal. These elements would assist in the development of a malware mitigation framework that is comprehensive in preventing malware.
Apart from governance enablers, people are considered an important resource, along with the other elements (i.e. infrastructure, information, applications) in IT organizations (Bernard, 2012), and are a vital component in a malware mitigation framework. The CCIC Framework suggests that people within organizations create a set of capabilities that influence the performance and results of integrated efforts (Evans, Dalkir, & Bidian, 2014).
2.1 Problem Statement
Malware is a dilemma in the cyber environment, essentially for the CNII and IT-based business organizations. A trusted security organization must develop a malware mitigation framework to identify, organise and coordinate the methods used to contain the spread of virus infection in the cyber environment once a cyber-attack occurs. Current international cybersecurity organizations do not provide a comprehensive framework that identifies the People, Process and Technology to be utilized in dealing with virus infection. Research needs to be performed in order to develop a comprehensive malware mitigation framework to deter successful malware attacks.
3. Method
The research methodology is qualitative, in order to establish a primary understanding of the effectiveness of developing a malware mitigation framework that looks into the core tenets of People, Process and Technology in developing the framework.
3.1 Research Design
The research follows a descriptive design, in which the research identifies problems that exist in the environment and attempts to find the best solution for improving the situation. Descriptive design describes a phenomenon, a current situation or the characteristics of a group of organizations, people, etc. The objective of descriptive research here is to describe things such as the ‘People’ components in the CERT organization, their situation, their potential and their acceptance of a new concept. This research will also analyse other components, namely the Process as well as the Technology side of a management framework, in developing and implementing a malware mitigation system at any CERT organization.
3.1.1 Samples
Specialized systems for mitigating, coordinating or advising (alerting) the government and the public about these harmful infringements need to be developed by national security organizations.
A good management framework needs to be available to ensure the effectiveness of managing people, process and technology (ISO 27001, 2013). In developing a malware mitigation framework, it is important to consider the three pillars of information security management framework (Dutton, 2017) as illustrated in Figure 3.
Figure 3: Pillars of Information Security Management Framework
The element of People is about specialized technical manpower whose abilities are fully up-to-date with the latest skills and expertise. They have the skills to read and audit particular segments of security occurrences, for example network packets, malicious code signatures, logs, rule or policy configurations, and tool commands. This ensures that appropriate controls, technologies and practices are recognized when developing a malware mitigation system and during the implementation phase. The right choice of people is one of the contributing factors for the successful development and implementation of a malware mitigation framework for a CERT. Technology, meanwhile, focuses on the CERT domain of introducing suitable technology to be utilized in different places in order to accomplish an effective security response to mitigate cyber-attacks. In CERT Technology, the Internet is the CERT domain. An effective and suitable system is feasible through a combination of software, hardware and manual interventions. Process consists of managing the system development and is key to the implementation of an effective cyber security strategy through a clear description of the activities, roles and documentation involved in developing a malware mitigation system. These include policies that would guide the people, process and technology in developing the system. Effective development of a malware mitigation system is feasible through a combination of acquiring the right specialists, technology and process.
3.1.2 Data Source
The Malaysia CERT (MyCERT) organization has created a malware mitigation system that aspires to provide a malware eradication and remediation solution within its constituency. However, it is still in the early stage of implementation and is not yet fully operational throughout its constituency. The system basically consists of four core elements: Intelligent Detection System, Coordinated Intelligent System, Sinkhole and Wall Garden. Figure 2 below illustrates MyCERT’s malware mitigation technological framework, which was developed by the CERT organization.
Figure 2: MyCERT Malware Mitigation Technological Framework
This malware mitigation framework, however, would not be able to achieve its objective if it did not consider the whole set of components involved within its constituency. The malware mitigation framework needs to be determined and established in order for the system to function effectively according to its intended development. This would need to incorporate the cyber security core pillars of People, Process and Technology within its framework.
Based upon the malware mitigation system developed by MyCERT, the system provides malware eradication and remediation activities that encompass the cyber security core pillars of People, Process and Technology. The elements within each core pillar are illustrated in Figure 5 below.
Figure 5: Three Core Elements of MyCERT’s Malware Mitigation Framework
People: The CERT’s staff consist of Incident Handlers, who react to reported cases and to sensors that trigger alerts on malware infection, and the System Administrator and Security Architect, who are responsible for maintaining the infrastructure of technical tools to ensure smooth operation. Malware Analysts are those who investigate the binaries received from the malware mitigation system and perform the necessary actions to eradicate the malware infection.
Process: This element consists of the Malware Analysis SOP (standard operating procedure), Incident Handling SOP, Bad IP and DNS Database, Escalation Flow and ‘how to’ guidelines on acting in case of a malware attack or infection. The guidelines would assist in taking the right action regarding the release of packets from the computer to the Wall Garden, and finally to the Internet.
Technology: The technology used for the malware mitigation system consists basically of an IP and DNS sinkhole, a Wall Garden portal, a Malware Sandbox, a Coordinated Intelligence System and a Malware Removal Tool. A list of C&C server IPs associated with a malware infection, identified by the incident handlers, can be used to sinkhole the communication and prevent further leakage of sensitive information. The malware binary can be retrieved from the infected device and run in the Malware Sandbox to learn its behaviour and extract valuable indicators of compromise. Malware analysts collect this information for further analysis and create a malware removal tool specifically to remove the malware infection from the machine.
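The sinkhole and Wall Garden flow described in the Process and Technology elements above can be illustrated with a small decision routine. The following Python is an added example written for this edition; it is not code from the paper or from MyCERT's system. It assumes a Bad IP and DNS Database held as an in-memory blocklist, a sinkhole resolver address, and constructed DNS-query and connection log lines; every domain and address in it is a placeholder from the RFC 2606 and RFC 5737 documentation ranges. It models the decision the guidelines describe: a query for a listed C&C domain is answered with the sinkhole address, a connection to a listed C&C IP is flagged, and hosts whose traffic was sinkholed are the candidates the escalation flow holds in the Wall Garden until remediation is confirmed.

```python
"""Added example: Bad IP and DNS Database lookups feeding a sinkhole and a
Wall Garden hold list. Not the paper's or MyCERT's code; all data constructed."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Set

# --- Bad IP and DNS Database (constructed placeholders, documentation ranges only) ---
BAD_DOMAINS: Set[str] = {"c2.example.invalid", "update.badhost.test"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
BAD_IPS = {ipaddress.ip_address("198.51.100.7")}

# Address the sinkhole resolver answers with, so an infected host talks to the
# CERT's sinkhole listener instead of the real C&C server (assumed value).
SINKHOLE_IP = "192.0.2.1"

DNS_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")
CONN_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")


@dataclass(frozen=True)
class Verdict:
    host: str    # internal host the event came from
    action: str  # "sinkhole" or "allow"
    reason: str  # which database entry matched, or "" when allowed
    answer: str  # DNS: address handed back to the client; connections: ""


def normalise_domain(name: str) -> str:
    """Lower-case and drop the trailing dot so 'C2.EXAMPLE.INVALID.' still matches."""
    return name.lower().rstrip(".")


def is_bad_domain(name: str) -> bool:
    """Exact match or a subdomain of a listed domain. Matching on the label
    boundary stops 'notc2.example.invalid' from matching 'c2.example.invalid'."""
    name = normalise_domain(name)
    return any(name == bad or name.endswith("." + bad) for bad in BAD_DOMAINS)


def is_bad_ip(addr: str) -> bool:
    """Listed individually or inside a listed C&C network; garbage is not bad."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return ip in BAD_IPS or any(ip in net for net in BAD_NETWORKS)


def process_dns_query(line: str) -> Verdict:
    """DNS sinkhole: answer queries for listed domains with the sinkhole address."""
    m = DNS_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised DNS log line: {line!r}")
    client, query = m["client"], m["query"]
    if is_bad_domain(query):
        return Verdict(client, "sinkhole", f"domain {normalise_domain(query)}", SINKHOLE_IP)
    return Verdict(client, "allow", "", "")


def process_connection(line: str) -> Verdict:
    """IP sinkhole: flag direct connections to listed C&C addresses."""
    m = CONN_RE.search(line)
    if not m:
        raise ValueError(f"unrecognised connection log line: {line!r}")
    src, dst = m["src"], m["dst"]
    if is_bad_ip(dst):
        return Verdict(src, "sinkhole", f"ip {dst}", "")
    return Verdict(src, "allow", "", "")


def process_log(lines: Iterable[str]) -> List[Verdict]:
    """Dispatch each log line to the DNS or the connection handler."""
    verdicts = []
    for line in lines:
        if "query=" in line:
            verdicts.append(process_dns_query(line))
        elif "dst=" in line:
            verdicts.append(process_connection(line))
    return verdicts


def walled_garden_candidates(verdicts: Iterable[Verdict]) -> Set[str]:
    """Hosts whose traffic was sinkholed: per the escalation flow, these are the
    ones held in the Wall Garden portal until remediation is confirmed."""
    return {v.host for v in verdicts if v.action == "sinkhole"}


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2020-12-01T10:00:00Z client=10.0.0.5 query=c2.example.invalid type=A",
    "2020-12-01T10:00:01Z client=10.0.0.6 query=www.example.com type=A",
    "2020-12-01T10:00:02Z src=10.0.0.8 dst=198.51.100.7 dport=443",
    "2020-12-01T10:00:03Z src=10.0.0.9 dst=192.168.1.1 dport=80",
    "2020-12-01T10:00:04Z client=10.0.0.7 query=notc2.example.invalid type=A",
]

if __name__ == "__main__":
    results = process_log(SAMPLE_LOG)
    for v in results:
        print(f"{v.host:10} {v.action:8} {v.reason}")
    print("wall garden:", sorted(walled_garden_candidates(results)))
```

Run on the constructed sample, only the hosts that queried the listed domain or connected to the listed address end up on the Wall Garden list; the lookalike domain and the unlisted address are allowed. In a real deployment the blocklist would be loaded from the Bad IP and DNS Database maintained by the incident handlers, and the hold list would drive the Wall Garden portal rather than a print statement.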
In developing a malware mitigation framework, certain policy measures also need to be put in place to ensure that the framework does not contravene the security of the whole security organization. There are four basic security policy considerations for ensuring the safety of the information infrastructure in particular: the policy should be enforceable, small (compact), inclusive and online (Amoroso, 2011). In a study of MyCERT and its host organization CyberSecurity Malaysia, it was found that approximately 84 types of information security policies had been developed by the organization to manage its resources. The policies cover aspects of the information security management system that consider the three pillars of information security. Table 2 shows selected security policies and the information security pillar each prescribes with regard to the development of a malware mitigation framework.
Table 2: Information Security Policy Related to Malware Mitigation
No.  Information Security Policy                               Prescribed Pillar
1.   Physical Security Policy                                  Process
2.   Information Labelling and Handling Policy                 Process
3.   Information Classification Policy                         Process
4.   CyberSecurity Malaysia Information Security Policy        Process
5.   ISMS Risk Assessment Policy                               Process
6.   Policy on Data Protection on Human Resource Management    People
7.   Mobile Computing and Teleworking Policy                   Technology
8.   CyberSecurity Malaysia ICT Security Policy                Technology
9.   Backup Policy                                             Technology
10.  Network Security Policy                                   Technology
11.  Password Policy                                           Technology
12.  Malicious Code Policy                                     Technology
13.  Access Control Policy                                     Technology
Though these policies are relevant to the development of a malware mitigation system, a thorough policy that considers the full malware mitigation framework needs to be established. This will allow for the full implementation of anything that would assist in mitigating malware attacks and securing the cyber environment. Further studies need to be made on the types of policies that are relevant to the development of a Malware Mitigation Framework.
3.2 Data Analysis
Further to the data collection on the malware mitigation framework, our analysis found that there are about 84 information security policies developed in CyberSecurity Malaysia. However, only 13 policies are relevant to the pillars discussed in this research. Moreover, of these 13 policies, only five (5) relate to the ‘process’ pillar, one (1) to the ‘people’ pillar and seven (7) to the ‘technology’ pillar. Thus, we can conclude that only 13 policies, or 15 percent, are developed around the three pillars of the malware mitigation framework: process, people and technology. As seen from the example in Table 2, only 1 policy is established on the ‘people’ aspect.
In a recent study conducted by CyberSecurity Malaysia involving an internal security exercise called the ISMS Cyber Awareness Exercise 2018, it was found that about 18.4% of staff had consciously responded to an email intentionally sent to trick them into clicking a link with phishing content. Of these, about 8.6% had unknowingly provided the details requested. Information security should be of utmost importance to the people in an organization in order to mitigate malware attacks.
This shows how vulnerable people are when utilizing technology tools, and that they are always the weakest link when it comes to the use of information technology. A policy providing guidance on any restrictions on the use of IT tools should be developed, with emphasis on the need for safe and responsible utilization. The policy should also set out clear consequences and sanctions for the misuse of technological tools. This would further help in developing a malware mitigation framework that could assist in mitigating malware attacks.
3.3 Data Collection
Data was gathered from various primary and secondary sources. Primary data was acquired from several departments within CyberSecurity Malaysia, through surveys within the organization as well as other available data collected.
Secondary resources meanwhile were collected through research materials from other organizations and research papers that had been published.
4. Results and Discussion
As mentioned earlier, preventing malware infection will not be effective unless a comprehensive malware mitigation framework is designed to be inclusive of the stakeholders. Stakeholders are interested parties that would be directly impacted by a malware attack. These include the government sectors, Internet providers, technology developers, collaborators, security handlers and, finally, the end users. A malware mitigation framework should include the activities, procedures and actions taken to mitigate malware attacks.
Based upon MyCERT’s malware mitigation development, there are certain segments that require the thorough involvement of the government, the technology development team, the Internet provider or organization involved and, finally, the end user (the group targeted by malware). This, however, considers only the context of MyCERT’s constituency; the framework would be extended further if an external perspective were taken into consideration, such as the international community (governments, security organizations and Internet users or victims). Coming from a cyber security organization, the researchers believe that the proportion of policies concerning malware mitigation should be more than 50% in order to mitigate cyber-attacks internally and externally.
Security organizations should have a strategic governance framework to mitigate such detrimental malware activities. A malware mitigation framework to deter cyberattacks is thus a necessity for CERT organizations. A CERT’s main objectives are basically to prepare for any imminent problems (proactive), respond to problems (reactive), control incidents (incident handling) and provide quality management services (policies and procedures). Because a CERT is responsible for managing cybersecurity incidents at the national level, it should act immediately and deploy comprehensive cybersecurity solutions to ensure a safe cyber environment for the Internet community at large (Haller, Merrell, Butkovic, & Willke, 2011).
The malware mitigation framework developed by a CERT should therefore include each and every group of stakeholders, who need to be well-informed of the policies, activities, procedures and actions taken to mitigate malware attacks. Such framework additionally must address the three pillars, namely People, Process and Technology.
5. Conclusion
Development studies need to be performed by researchers in order to identify the best remedy for preventing harmful malware from controlling the computer systems of IT devices connected to the Internet. Based on this study, of the 84 cyber security policies developed by the cyber security organization in Malaysia, only 15 percent are relevant to malware mitigation.
This study suggests that there is a significant area in which cybersecurity organizations, particularly CERTs, should focus more on providing proactive services for mitigating malware threats. It is recommended that cyber security organizations such as CERTs develop a malware mitigation framework to protect CNII organizations from being exploited by cyber criminals. The malware mitigation framework should encompass comprehensive elements in order to curb the spread of malware cyber-attacks – people, process and technology. The contribution of this study is the set of pillars of a malware mitigation framework that can be used as guidelines to eradicate and remediate the spread of malware cyber-attacks.
References
ACSC. (2015). 2015 Threat Report. The Australian Cyber Security Centre Threat Report 2015, 29.
Ahmad, A., Maynard, S. B., & Shanks, G. (2015). A Case Analysis of Information Systems and Security Incident Responses. International Journal of Information Management, 35(6), 717–723. https://doi.org/10.1016/j.ijinfomgt.2015.08.001
Alfawaz, S., May, L., & Mohanak, K. (2008). E-government security in developing countries: A managerial conceptual framework. Information Systems Management, (March), 26–28.
Amoroso, E. G. (2011). Preface. In Cyber Attacks: Protecting National Infrastructure. https://doi.org/10.1016/B978-0-12-384917-5.00001-9
Aziz, N., Yunos, Z., & Ahmad, R. (2018). A management framework for developing a malware eradication and remediation system to mitigate cyberattacks. Lecture Notes in Electrical Engineering, 481, 513–521. https://doi.org/10.1007/978-981-13-2622-6_50
Bada, M., Creese, S., Goldsmith, M., Mitchell, C., & Phillips, E. (2014). Computer Security Incident Response Teams (CSIRTs) An Overview.
Bernard, P. (2012). COBIT® 5 A Management Guide. (J. Chittenden, Ed.), Business Management (Vol. V3). Van Haren Publishing, Zaltbommel.
Borodkin, M. (2002). Computer Incident Response Team. SANS Institute InfoSec Reading Room.
Dutton, J. (2017). Three pillars of cyber security. Retrieved from https://www.itgovernance.co.uk/blog/three-pillars-of-cyber-security/
ENISA (European Network and Information Security Agency). (2010). Good Practice Guide for Incident Management. Retrieved from www.enisa.europa.eu
Evans, M. M., Dalkir, K., & Bidian, C. (2014). Leading Issues in Knowledge Management, 12(2), 85–97.
FIRST.org, Inc. (2018). Forum of Incident Response and Security Teams (FIRST).
Gandhi, R., & Mahoney, W. (2011). Dimensions of cyber-attacks: Cultural, social, economic, and political.
Haller, J., Merrell, S. A., Butkovic, M. J., & Willke, B. J. (2011). Best Practices for National Cyber Security: Building a National Computer Security Incident Management Capability.
MCMC (Malaysian Communications and Multimedia Commission). (2016). Internet Users Survey 2016. ISSN 1823-2523. Retrieved from https://www.mcmc.gov.my/skmmgovmy/media/General/pdf/IUS2016.pdf
Mohd Shamir Hashim. (2015). Malaysia’s National Cyber Security Policy, The Country’s Cyber Defence Initiatives. Cybersecurity Summit (WCS), 2015 Second Worldwide. https://doi.org/10.1080/00045608.2014.973008
MyCERT. (2019). MyCERT Incident Statistics. Retrieved from https://www.mycert.org.my/portal/statistics-content?menu=b75e037d-6ee3-4d11-8169-66677d694932&id=0d39dd96-835b-44c7-b710-139e560f6ae0
Sawicka, A., Gonzalez, J. J., & Qian, Y. (2005). Managing CSIRT Capacity as a Renewable Resource Management Challenge: An Experimental Study. Proceedings of the 23rd International Conference of the System Dynamics Society, 133.
Taylor, P., Street, M., & Wt, L. (2015). Evolution of National and Corporate CERTs - Trust, the Key Factor, (October 2013), 37–41.
Trim, P., & Lee, Y.-I. (2014). Cyber Security Management: A Governance, Risk and Compliance Framework (P. Trim & Y.-I. Lee, Eds.) (1st ed.). Gower Publishing Limited.
Wang, C., Wu, Z., Wang, A., Li, X., Yang, F., & Zhou, X. (2014). SmartMal: A service-oriented behavioral malware detection framework for smartphones. Proceedings - 2013 IEEE International Conference on High Performance Computing and Communications, HPCC 2013 and 2013 IEEE International Conference on Embedded and Ubiquitous Computing, EUC 2013, 2014, 329–336.
Wong, E. Y., Porter, N., Hokanson, M., & Xie, B. B. (2017). Benchmarking Estonia’s Cyber Security: An On-Ramping Methodology for Rapid Adoption and Implementation.
World Economic Forum. (2017). The Global Risks Report 2017 12th Edition. The Global Competitiveness and Risks Team. https://doi.org/10.1017/CBO9781107415324.004
Yusof, R., Abdollah, M. F., & Selamat, S. R.