ASEAN CERT Incident Drill (ACID) 2020: 7 October 1000hours (GMT+8)

This document provides rules of engagement and guidelines for participating teams in the ASEAN CERT Incident Drill (ACID) 2020 cybersecurity exercise. It outlines the objectives, theme, structure, timeline and roles for the drill. Teams from ASEAN member states and dialogue partners will participate in scenario-based investigations and response over secure internet relay chat. Preparations include setting up communication channels and non-production systems to analyze scenarios without risk of contamination. The drill aims to strengthen regional coordination and incident response capabilities for cross-border cyber incidents.

RESTRICTED

ASEAN CERT Incident Drill (ACID) 2020


7 October 1000hours (GMT+8)

Rules of Engagement (ROE)


For
Participating CERTs of ASEAN Member States and Dialogue Partners

Background

1. The ASEAN CERT Incident Drill (ACID) is into its fifteenth iteration this year. Over
the past 14 years, ACID has successfully met its objectives of re-affirming the points-
of-contact of the CERTs from the ASEAN Member States (AMS) and our Dialogue
Partners, as well as providing an opportunity for the teams to interact, practise and
refine our incident handling procedures for dealing with cross-border incidents.

2. The invited CERTs from the AMS and Dialogue Partners are:

a. Australia – AusCERT and ACSC
b. Brunei – BruCERT
c. Cambodia – CamCERT
d. China – CNCERT
e. India – CERT-IN
f. Indonesia – ID-SIRTII
g. Japan – JPCERT
h. Korea – KrCERT
i. Laos – LaoCERT
j. Malaysia – MyCERT and MCMC
k. Myanmar – mmCERT
l. Philippines – Phi. National CERT
m. Singapore – CSA/SingCERT and SAFCERT
n. Thailand – ThaiCERT
o. Vietnam – VNCERT

All CERTs from the AMS and Dialogue Partners are strongly encouraged to participate
in ACID 2020. Refer to Annex A for the ACID 2020 timeline.

Objectives

3. ACID 2020 aims to achieve the following objectives:

a. Strengthen cyber security preparedness of the AMS in handling cyber incidents,

b. Reinforce regional coordination drills to test the incident response capabilities of the
AMS’ National CERTs, and

c. Enhance cooperation with key Dialogue Partners in cybersecurity.


Theme

4. The theme for ACID 2020 is Malware Campaign Leveraging The Pandemic
Situation.

Overview

5. ACID 2020 will continue to use the latest cybersecurity trend as a case study to strengthen
the cybersecurity preparedness of the AMS in handling cyber incidents arising from that
trend.

6. The 1-day cyber drill will use a set of scenarios to facilitate participating CERTs in
carrying out incident handling, investigation, analysis, remediation and reporting.

7. The overall organisation structure will be as follows:

   ACID_HiCON (Control) – Emily

   ACID_LoCON – Jing Wen:   AusCERT, BruCERT, CERT-IN, ThaiCERT, KrCERT
   ACID_LoCON – Pei Fen:    CamCERT, CNCERT, JPCERT, ACSC, LaoCERT
   ACID_LoCON – Wei Heng:   mmCERT, MyCERT, MCMC, VNCERT
   ACID_LoCON – Ray:        Phi. National CERT, SAFCERT, CSA/SingCERT, ID-SIRTII

   Participants: the CERTs listed under each ACID_LoCON.

Preparations Needed Prior to the Actual Drill

8. ACID Organisation Structure. This structure aims to help improve the conduct of the
actual drill.

a. The ACID High Controller (ACID_HiCON) will be the overall MAIN Control for
the drill in delivering the drill scenarios. The HiCON will also be responsible for
broadcasting from the start to the end of the drill.

b. Four ACID Low Controllers (ACID_LoCONs) are assigned to the participating
CERTs, and will handle their respective enquiries and clarifications related to
the drill scenarios. They will also be responsible for guiding any participants who
require assistance with the investigations.

9. Scope of the Drill. Participating CERTs are strongly encouraged to prepare well to
handle the following scope of the actual drill:

a. Provide support to handle reported cybersecurity-related incidents and escalate to
the relevant parties for remediation.

b. Carry out investigations on the artefacts and digital evidence associated with each
drill scenario. This will require the participating CERTs to exercise their incident
response capabilities in areas such as forensic investigation, malware analysis and
log analysis to uncover what the “simulated attacker” has done. We will be
providing playbooks with instructional guidance for optional reference.

c. Advise the affected agencies on the list of mitigation, remediation and preventive
measures that need to be taken.

d. Report and account for all actions carried out by the attacker by
piecing together all the drill scenarios, artefacts, digital evidence and investigation
findings.

e. All IP addresses in this drill are fabricated to facilitate the drill scenarios.

10. Usage of Own Systems during Drill. All participating CERTs are required to prepare
their own systems to perform incident response and analysis actions for the purpose of
this drill.

a. All systems used for analysis in the drill should be non-production machines and
should not be connected to a production network. This is to avoid any
contamination or infection arising from the drill scenarios.

b. If the machine becomes infected, all participating CERTs should begin to analyse
network packets, perform log and forensic analysis to help them track down and
analyse the malware activities to contain the infection, minimise impact and
recover the infected machines.

11. Establish Connection with Webex for the Pre-Drill Dialogue. This year, we have
arranged a short pre-drill dialogue to enhance the communications and engagement
between the participating teams. Participating CERTs can share their experiences on
how their CERT has been doing during this pandemic period. Webex will be used as the
communication channel for the session.

a. Webex meeting details:

Meeting Link: https://personal-qxp.my.webex.com/personal-qxp.my/j.php?MTID=m6bd8d92ca572dce35bd034c9f5816e34
Meeting number (access code): 170 171 7684
Meeting password: MainH9XZJV7 (62464999 from phones and video systems)
Call-in Number (from phones): https://personal-qxp.my.webex.com/personal-qxp.my/globalcallin.php?MTID=mf35c21c46e2e804f6d6a97716365cf31

b. Naming convention:

For the WebEx meeting, please key in your respective CERT name, followed
by your name. As an example, the participant name for Jing Wen from
SingCERT will be “SingCERT-JingWen”.

12. Establish Connection with the Secure Internet Relay Chat (IRC). IRC will be used as
the main communication channel for the drill. SingCERT has configured a secure IRC
server for the drill. The details are as follows:

a. IRC details:

Host Name: irc.singcert.net
Port No: 6665 - 6669
Password: @cid2020

b. The naming convention for the IRC nick will be the CERT name followed by the
participant’s name. As an example, the IRC nick for Jing Wen from SingCERT will be
“SingCERT-JingWen”.

c. Participating CERTs must use IRC clients that support SSL, such as Xchat and
KiwiIRC.

d. A main IRC channel will be available to broadcast communication messages
between the ACID_HiCON and the participating CERTs. This main channel will
be used to make sure that all participating CERTs are able to receive the drill
scenarios.

e. Four Private IRC Channels will be created by the respective ACID_LoCONs to
receive participating CERTs’ responses to the drill scenarios, and to provide
assistance for those who require additional clarifications on the drill scenarios.

Conduct of the Pre-Drill Dialogue

13. Communications for the Pre-Drill Dialogue. On 7 October 2020, the pre-drill dialogue
will be conducted at 0930hours (GMT+8). The Webex meeting will be available from
0900hours (GMT +8) that day.

i. All participating CERTs can log into the Webex meeting and perform a
communications check with SingCERT.

ii. Participating CERTs should mute the microphone when not speaking.


Conduct of the Drill – DOs and DON’Ts

DOs

14. Communications Checks. The following communications checks will be conducted.

a. Pre-Drill Communications Test. On 2 October 2020, a pre-drill communications
test will be conducted at 0930hours (GMT+8) using the Secure IRC channel
named “ACID_2020”.

i. All participating CERTs can log into the IRC channel and perform a
communications check with SingCERT.

b. Communications for Actual ACID. On 7 October 2020, the actual ACID will be
conducted at 1000hours (GMT+8). The Secure IRC channel will be available from
0930hours (GMT +8) on the day of the drill.

i. All participating CERTs can log into the IRC channel and perform a
communications check with SingCERT. SingCERT will announce the
commencement of the drill at 1000hours (GMT +8).

ii. The IRC server will be the main channel for co-ordination and communication
for the drill. All participating teams must ensure that they remain connected to
the IRC server for the duration of the drill.

c. Email Correspondence Related to Drill Scenarios. Please be advised of the
following:

i. For all email correspondence, both the subject line and the body of the email
should carry the tag [ACID 2020] to mark the message as belonging to the drill,
so that it is not confused with real operational emails.

ii. Drill scenarios will be sent out to all participating CERTs’ email addresses as
polled earlier.

iii. Participating CERTs can email their findings and responses to the pre-assigned
ACID_LoCON. Any clarifications to the drill scenarios or requests for further assistance
should also be sent to the assigned ACID_LoCON.

15. Start of Actual Drill. The drill scenarios will commence with all participating teams
receiving an email sent by SingCERT with a title prefixed with [ACID 2020 - Drill
Scenario #1].

16. During the Actual Drill. Participating CERTs are strongly encouraged to adhere to the
following rules:

a. SingCERT will take on the role of ACID_HiCON. [[email protected]]

b. ACID_HiCON serves as the primary facilitator.

c. Participating CERTs must always keep ACID_HiCON in the loop with regards
to all communications with other CERTs.

d. Participating CERTs must communicate their investigation findings and
responses via email to their pre-assigned ACID_LoCON as stated in paragraph
7. Their emails are as follows:

Pre-assigned LoCON        Email Addresses
ACID_LoCON-JingWen        [email protected]
ACID_LoCON-PeiFen         [email protected]
ACID_LoCON-WeiHeng        [email protected]
ACID_LoCON-Ray            [email protected]

e. Besides working with their respective CERTs, the ACID_LoCONs will also
play all other roles, including any affected parties that are required to liaise with the
CERTs during the drill. They will NOT assume the role of a CERT.

f. Please approach your ACID_LoCON for details of any IP address identified during
the course of investigation.

g. There will be a live scoreboard for participating CERTs to view their progress
at:
https://docs.google.com/spreadsheets/d/1HqrmXGmWWWGNCOsg0_I9_0Yyfq6A5A-V2zW-y-Gyx-4/edit#grid=0

17. End of Actual Drill. ACID_HiCON will announce the end of the drill at 1600hours
(GMT +8). Participating CERTs that have not completed their investigation or incident
response can continue to finish up their analysis.

DON’Ts

18. Participating CERTs or recipients of this ROE should at no time during the drill attempt
to attack the drill infrastructure (e.g. IRC server, Web server).

Post Drill Activities

19. All participating CERTs are to send a summary report and feedback of their activities,
investigations and findings to SingCERT by 30 October 2020.

20. SingCERT will consolidate the feedback and prepare a post-mortem report. An
executive summary report will also be submitted to the ADGSOM WG for reporting
purposes.


ANNEX A

ACID 2020 - TIMELINE

Date                                          Description
2 October, 0930 hours (GMT +8) (confirmed)    Pre-Drill – IRC Comms Test
7 October, 1000 - 1600 hours (GMT +8)         Actual Drill – ACID 2020
(confirmed)                                   Theme: Malware Campaign Leveraging The Pandemic Situation
7 October onwards                             Participating CERTs to submit the Summary Report to SingCERT by 30 October 2020
2 to 13 November                              SingCERT will prepare Post-mortem Report
16 to 20 November                             SingCERT will send consolidated Post-mortem Report to participating CERTs
November                                      The ACID Report will be sent via email to ADGMIN/ADGSOM
