Incident response to a breach: Right of boom you find ashes

Transcription

1 Incident response to a breach: Right of boom you find ashes Dr. Samuel Liles Opinions, or other information expressed are presenters and do not reflect current, former, future, or unaffiliated employers opinions or policies.

2 Agenda Scope Cybery thoughts Through the lens of risk Threats Vulnerabilities Frameworks NCIRP Attribution Future Random image off teh webz 4/18/16 2

3 Scope, as in assumptions You can have the weeds, the field, or the stadium. Choose 1. You re in a graduate course so you already know how to mow the lawn and take care of the weeds. Goal is to answer what the heck happens in a major cyber incident. Every incident is different but every incident follows a pattern. Every stadium has a different team but every sport has rules. Be wary of playing golf with the hockey team. Lots of people are comfortable pulling weeds. You can t pull weeds fast enough to win the game. Source: ies /Hap py-gilmore- Bl u-ray /1677 1/ 4/18/16 3

4 Just because. Cyber. Lots of definitions Umbrella term for activities to increase coordination, collaboration, and understanding <break rice bowls> My definition: The term cyber itself denotes a human cognitive centric concept that deals with the disintermediation of technology centered within human activity. Random image off teh webz 4/18/16 4

5 4/18/16 5

6 Copyrights with caveats Samuel Liles 4/18/16 6

7 Threat? Copyrights with caveats Samuel Liles 4/18/16 7

8 Vulnerability? Source: Energy Sector Specific Plan 4/18/16 8

9 Copyrights with caveats Samuel Liles 4/18/16 9 Copyrights with caveats Samuel Liles

10 Boom DNI Framework Preparation Engagemen t Presence Effect/Cons equences Cyber Kill Chain Reconnaiss ance Weaponization Delivery Exploitation Installation Command and Control Actions on Objective Collect NSA TAO Reconnaissance Initial Exploitation Establish Persistence Install Tools Move Laterally Exfil Exploit MITRE ATT&CK Persistence Privilege Escalation Defense Evasion Credential Access Host Enumeratio n Lateral Movement Execution C2 Exfiltration Copyrights with caveats Samuel Liles 4/18/16 10

11 ISO/IEC 27035:2011 provides a structured and planned approach to: 1. detect, report and assess information security incidents; 2. respond to and manage information security incidents; 3. detect, assess and manage information security vulnerabilities; and 4. continuously improve information security and incident management as a result of managing information security incidents and vulnerabilities. ISO/IEC 27035:2011: Information Security Incident Management Preparation, identification, containment, eradication, recovery, and lessons learned. SANS: Creating and Managing an Incident Response Team Incident triage, incident coordination, incident resolution RFC 2350: Expectations for Computer Security Incident Response CERT: Handbook for Computer Security Incident Response Teams (CSIRTs) NIST : Computer Security Incident Handling Guide 4/18/16 11

12 4/18/16 12 Source: National Cyber Incident Response Plan Interim(2010)

13 Dr. Andy Ozment Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 13

14 Mr. John Felker Mr. Brad Nix Mr. Marty Edwards Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 14

15 Who is in charge? The exact composition of the Cyber Unified Coordination Group (UCG) Incident Management Team (IMT) will be determined by the Assistant Secretary for Cyber Security and Communications (CS&C) based on the nature and scope of the incident, and will always include A Senior Defense Official A Senior Federal Law Enforcement Official A Senior Intelligence Community (IC) Official Senior Private Sector Official(s) (chosen based on the specific nature of the incident) Other Cyber Unified Coordination Group (UCG) Senior Officials with primary statutory or jurisdictional responsibility and significant operational responsibility chosen based on the nature of the incident; Senior Officials may be chosen from departments, agencies, and organizations with capabilities, authorities, and responsibilities relevant to the incident. Senior = SES or GO Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 15

16 What do they do? The Assistant Secretary for Cyber Security and Communications (CS&C), with the support of the National Cybersecurity and Communications Integration Center (NCCIC) and in concert with the Cyber Unified Coordination Group (UCG) Incident Management Team (IMT), is responsible for Establishing the incident action plan Ensuring overall coordination of Significant Cyber Incident management and resource allocation activities Facilitating interagency conflict resolution or elevating matters, as necessary Coordinating response between multiple cyber incidents when applicable Ensuring the National Operations Center (NOC) and National Infrastructure Coordination Center (NICC) receive timely updates on the status of response activities Coordinating external affairs activities. Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 16

17 Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 17

18 The NCCIC, as the national focal point for cyber incident management and coordination during cyber-specific incidents, is the point of integration for all information from Federal departments and agencies, State Local, Tribal, and Territorial governments, and the private sector related to situational awareness, vulnerabilities, intrusions, incidents, and mitigation activities This role does not change existing departments and agencies authorities or missions; however, DHS, through the NCCIC, will coordinate with all partners, including law enforcement agencies leading the national effort to investigate and prosecute cybercrime; the IC regarding threats, intelligence, and attribution; DOD elements regarding intelligence and information sharing, military operations to defend the homeland; State and Local governments; and the private sector to ensure common operational situational awareness is being leveraged by all response organizations as they execute their individual authorities and missions. Source: National Cyber Incident Response Plan Interim(2010) 4/18/16 18

19 Event Happens Time to Level of Attribution Motive, means, opportunity IOCs: IP, Hash, URL, method, time, etc. Crypto, nonrepudiation, multimode sensing, direct observation Political Possible Technical Probable Forensic Provable Evidence Required Copyrights with caveats Samuel Liles

20 Future NCIRP is being updated New cybersecurity presidential panel appointed NPPD/NCCIC is transforming Interview.html Federal CISO may be appointed (interviews happening now) 4/18/16 20

21 Questions? 4/18/16 21