ASEAN CERT Incident Drill (ACID) 2020: 7 October 1000hours (GMT+8)
Background
1. The ASEAN CERT Incident Drill (ACID) is into its fifteenth iteration this year. Over
the past 14 years, ACID has successfully met its objectives of re-affirming the points-
of-contact of the CERTs from the ASEAN Member States (AMS) and our Dialogue
Partners, as well as providing an opportunity for the teams to interact, practise, and
refine our incident handling procedures to deal with cross-border incidents.
2. The invited CERTs from the AMS and Dialogue Partners are:
All CERTs from the AMS and Dialogue Partners are strongly encouraged to participate
in ACID 2020. Refer to Annex A for ACID 2020 timeline.
Objectives
RESTRICTED Page 1 of 7
Theme
4. The theme for ACID 2020 is Malware Campaign Leveraging The Pandemic
Situation.
Overview
5. ACID 2020 will continue to use the latest cybersecurity trend as a case study to strengthen
the cybersecurity preparedness of AMS in handling cyber incidents arising from that
trend.
6. The 1-day cyber drill will use a set of scenarios to facilitate participating CERTs in
carrying out incident handling, investigation, analysis, remediation and reporting.
[Organisation chart: ACID_HiCON Control – Emily; KrCERT; LaoCERT]
Participants
8. ACID Organisation Structure. This structure aims to help improve the conduct of the
actual drill.
a. The ACID High Controller (ACID_HiCON) will be the overall MAIN Control for
the drill in delivering the drill scenarios. The HiCON will also be responsible for
broadcasting from the start to the end of the drill.
the drill scenarios. They will also be responsible for guiding any participants who
require assistance with the investigations.
9. Scope of the Drill. Participating CERTs are strongly encouraged to prepare well to
handle the following scope of the actual drill:
b. Carry out investigations on the artefacts and digital evidence associated with each
drill scenario. This will require the participating CERTs to exercise their incident
response capabilities in areas such as forensic investigation, malware analysis and
log analysis to uncover what the “simulated attacker” has done. We will be
providing playbooks with instructional guidance for optional reference.
c. Advise the affected agencies on the list of mitigation, remediation and preventive
measures that need to be taken.
d. Report and account for all actions that have been carried out by the attacker by
piecing together all the drill scenarios, artefacts, digital evidence and investigation
findings.
e. All IP addresses in this drill are fabricated to facilitate the drill scenarios.
10. Usage of Own Systems during Drill. All participating CERTs are required to prepare
their own systems to perform incident response and analysis actions for the purpose of
this drill.
a. All systems used for analysis in the drill should be non-production machines and
should not be connected to a production network. This is to avoid any
contamination or infection arising from the drill scenarios.
b. If the machine becomes infected, all participating CERTs should begin to analyse
network packets, perform log and forensic analysis to help them track down and
analyse the malware activities to contain the infection, minimise impact and
recover the infected machines.
11. Establish Connection with Webex for the Pre-Drill Dialogue. This year, we have
arranged for a short pre-drill dialogue to enhance the communications and engagement
between the participating teams. Participating CERTs can share their experiences on
how the CERT has been doing during this pandemic period. Webex will be used as the
communication channel for the session.
b. Naming convention:
For the WebEx meeting, please key in your respective CERT name, followed
by your name. As an example, the participant name for Jing Wen from
SingCERT will be “SingCERT-JingWen”.
12. Establish Connection with the Secure Internet Relay Chat (IRC). IRC will be used as
the main communication channel for the drill. SingCERT has configured a secure IRC
server for the drill. The details are as follows:
a. IRC details:
b. The naming convention for the IRC nick will be the CERT name followed by the
name. As an example, the IRC nick for Jing Wen from SingCERT will be
“SingCERT-JingWen”.
c. Participating CERTs must use IRC clients that support SSL, such as Xchat and
KiwiIRC.
13. Communications for the Pre-Drill Dialogue. On 7 October 2020, the pre-drill dialogue
will be conducted at 0930hours (GMT+8). The Webex meeting will be available from
0900hours (GMT +8) that day.
i. All participating CERTs can log into the Webex meeting and perform a
communications check with SingCERT.
ii. Participating CERTs should mute the microphone when not speaking.
DOs
i. All participating CERTs can log into the IRC channel and perform a
communications check with SingCERT.
b. Communications for Actual ACID. On 7 October 2020, the actual ACID will be
conducted at 1000hours (GMT+8). The Secure IRC channel will be available from
0930hours (GMT +8) on the day of the drill.
i. All participating CERTs can log into the IRC channel and perform a
communications check with SingCERT. SingCERT will announce the
commencement of the drill at 1000hours (GMT +8).
ii. The IRC server will be the main channel for co-ordination and communication
for the drill. All participating teams must ensure that they remain connected to
the IRC server for the duration of the drill.
i. For all email correspondence, both the subject line and the body of the email
should carry the tag [ACID 2020] to mark the message as belonging to the drill,
so as not to confuse it with real operational emails.
ii. Drill scenarios will be sent out to all participating CERTs’ email addresses as
polled earlier.
iii. Participating CERTs can email their findings and responses to the pre-assigned
ACID_LoCON. Any clarifications to the drill scenarios or further assistance
should also be sent to the assigned ACID_LoCON.
15. Start of Actual Drill. The drill scenarios will commence with all participating teams
receiving an email sent by SingCERT with a title prefixed with [ACID 2020 - Drill
Scenario #1].
16. During the Actual Drill. Participating CERTs are strongly encouraged to adhere to the
following rules:
c. Participating CERTs must always keep ACID_HiCON in the loop with regard
to all communications with other CERTs.
e. Besides working with their respective CERTs, the ACID_LoCONs will also
play all roles including any affected parties that are required to liaise with the
CERTs during the drill. They will NOT assume the role of a CERT.
17. End of Actual Drill. ACID_HiCON will announce the end of the drill at 1600hours
(GMT +8). Participating CERTs that have not completed their investigation or incident
response can continue to finish up their analysis.
DON’Ts
18. Participating CERTs or recipients of this ROE should at no time during the drill attempt
to attack the drill infrastructure (e.g. IRC server, Web server).
19. All participating CERTs are to send a summary report and feedback of their activities,
investigations and findings to SingCERT by 30 October 2020.
20. SingCERT will consolidate the feedback and prepare a post-mortem report. An
executive summary report will also be submitted to the ADGSOM WG for reporting
purposes.
ANNEX A
Date                           Description
2 October 0930 hours (GMT +8)  Pre-Drill – IRC Comms Test (confirmed)