Sharifah Roziah Mohd Kassim
Malaysia CERT
Sharifah Roziah currently works as a Specialist for the Malaysia Computer Emergency Response Team (MyCERT) under the umbrella of CyberSecurity Malaysia.

Besides being a Specialist, she is also tasked as Manager of the Security Operation Centre in MyCERT, ensuring that computer security incidents reported to MyCERT are responded to in a timely and efficient manner. Prior to that, she worked as a Senior Analyst in the MyCERT department. Roziah has been involved in the computer security field for over 15 years, mainly in Computer Security Incident Handling. Her areas of focus and interest are Computer Security Incident Handling, Incident Analysis and Network Security.

Roziah has been a key person in handling and resolving many computer security incidents reported to MyCERT from the Malaysian constituency. Roziah has also conducted many talks, presentations and trainings, both locally and internationally, in the field of computer security, particularly in Computer Security Incident Handling. Apart from that, Roziah has also produced various Security Advisories/Alerts on the latest vulnerabilities and threats, Articles, Security Best Practices and Proceeding Papers related to computer security.

Integrating Threat Intelligence with CSIRT Procedure to Increase Efficiency of Incident Response: Malaysia CERT Experience
Technical Level (3 being the highest score): 2

Incident Response procedures may not be comprehensive enough to address today's complex and sophisticated incidents. The ever-increasing scale, complexity and globalization of cyber attacks require quick detection, accurate analytics and eradication of the attacks. Hence, a more practical procedure and a pro-active approach to meet this need are necessary, which is the focus of this presentation.

The presentation helps to overcome limitations of CSIRTs such as:

➢ Lack of accuracy and precision in incident detection, resulting in undetected incidents in an organization
➢ Time limitations in incident handling, which affect immediate mitigation of attacks at the global level
➢ CSIRT procedures that do not cover the scope of understanding attack vectors and threat actor information

A case study will be highlighted involving multiple IP addresses originating from Malaysia that belong to a single network operator and were involved in several large-scale cyber attacks around the world, such as data leakage, espionage, commercial fraud and malware activities. In this case study we will show how we identified the Indicators of Compromise, the Tactics, Techniques and Procedures, and the Threat Actors, and how this information helped in the successful investigation of this incident.

The key points in this presentation are:

➢ The important roles of CSIRTs, CERTs and PSIRTs in eradicating and mitigating large-scale cyber attacks at the global level by means of Threat Intelligence
➢ Sharing our integration workflow, which illustrates how Threat Intelligence is delivered in the investigation of an incident for quick and efficient Incident Response, focusing on a case study of Malaysian IP addresses involved in global large-scale attacks
➢ Sharing the in-house developed tools and applications that we used for the investigation of this incident
➢ Sharing our in-house developed tools and tips on customizing existing tools to enhance and improve the delivery of Threat Intelligence for effective mitigation of global cyber attacks