Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

Similar documents
Cyber Risk Metrics Survey, Assessment, and Implementation Plan May 11, 2018

Achieving & Measuring the Value of Cyber Threat Information Sharing. Lindsley Boiney, Clem Skorupka (presenting)

Incident Response Services to Help You Prepare for and Quickly Respond to Security Incidents

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Evaluating and Improving Cybersecurity Capabilities of the Electricity Critical Infrastructure

NATIONAL DEFENSE INDUSTRIAL ASSOCIATION Homeland Security Symposium

Overview of NIPP 2013: Partnering for Critical Infrastructure Security and Resilience October 2013

Statement for the Record

Cybersecurity-Related Information Sharing Guidelines Draft Document Request For Comment

Cyber Risk Program Maturity Assessment UNDERSTAND AND MANAGE YOUR ORGANIZATION S CYBER RISK.

Chapter X Security Performance Metrics

Cybersecurity A Regulatory Perspective Sara Nielsen IT Manager Federal Reserve Bank of Kansas City

Stephanie Zierten Associate Counsel Federal Reserve Bank of Boston

DHS Cybersecurity: Services for State and Local Officials. February 2017

Risk: Security s New Compliance. Torsten George VP Worldwide Marketing and Products, Agiliance Professional Strategies - S23

U.S. Department of Homeland Security Office of Cybersecurity & Communications

Implementing Executive Order and Presidential Policy Directive 21

December 10, Statement of the Securities Industry and Financial Markets Association. Senate Committee on Banking, Housing, and Urban Development

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

ISAO SO Product Outline

Testimony. Christopher Krebs Director Cybersecurity and Infrastructure Security Agency U.S. Department of Homeland Security FOR A HEARING ON

Homeland Security Institute. Annual Report. pursuant to. Homeland Security Act of 2002

The Office of Infrastructure Protection

SYMANTEC: SECURITY ADVISORY SERVICES. Symantec Security Advisory Services The World Leader in Information Security

Implementing the Administration's Critical Infrastructure and Cybersecurity Policy

Cyber Security Program

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Section One of the Order: The Cybersecurity of Federal Networks.

CYBERSECURITY. Protecting Against the Financial, Regulatory and Reputational Impacts of Cyber Attack

Chapter X Security Performance Metrics

Information Security Continuous Monitoring (ISCM) Program Evaluation

CSD Project Overview DHS SCIENCE AND TECHNOLOGY. Dr. Ann Cox. March 13, 2018

The Office of Infrastructure Protection

Cyber Security & Homeland Security:

PA TechCon. Cyber Wargaming: You ve been breached: Now what? April 26, 2016

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Cybersecurity. Securely enabling transformation and change

CYBERSECURITY MATURITY ASSESSMENT

IT SECURITY OFFICER. Department: Information Technology. Pay Range: Professional 18

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Service. Sentry Cyber Security Gain protection against sophisticated and persistent security threats through our layered cyber defense solution

CROWDSTRIKE FALCON FOR THE PUBLIC SECTOR

PIPELINE SECURITY An Overview of TSA Programs

GPS Vulnerability and DHS Mitigation Efforts. David Wulf Acting Deputy Assistant Secretary Infrastructure Protection Department of Homeland Security

CYBER RESILIENCE & INCIDENT RESPONSE

Why you should adopt the NIST Cybersecurity Framework

Cyber Partnership Blueprint: An Outline

Federal Civilian Executive branch State, Local, Tribal, Territorial government (SLTT) Private Sector (PS) Unclassified / Business Networks

Defining Computer Security Incident Response Teams

DATA SHEET RISK & CYBERSECURITY PRACTICE EMPOWERING CUSTOMERS TO TAKE COMMAND OF THEIR EVOLVING RISK & CYBERSECURITY POSTURE

Sage Data Security Services Directory

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

INFORMATION ASSURANCE DIRECTORATE

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Table of Contents. Sample

DATA SHEET RSA NETWITNESS PLATFORM PROFESSIONAL SERVICES ACCELERATE TIME-TO-VALUE & MAXIMIZE ROI

NCSF Foundation Certification

Are we breached? Deloitte's Cyber Threat Hunting

Today s cyber threat landscape is evolving at a rate that is extremely aggressive,

Cyber Intelligence Professional Certificate Program Booz Allen Hamilton 2-Day Seminar Agenda September 2016

Cyber Risks in the Boardroom Conference

Department of Defense. Installation Energy Resilience

DHS Election Task Force Updates. Geoff Hale, Elections Task Force

Cybersecurity: Considerations for Internal Audit. Gina Gondron Senior Manager Frazier & Deeter Geek Week August 10, 2016

Choosing the Right Cybersecurity Assessment Tool Michelle Misko, TraceSecurity Product Specialist

Presented by Ingrid Fredeen and Pamela Passman. Copyright 2017NAVEXGlobal,Inc. AllRightsReserved. Page 0

RBI GUIDELINES ON CYBER SECURITY AND RAKSHA APPROACH

National Policy and Guiding Principles

Water Information Sharing and Analysis Center

Choosing the Right Security Assessment

MANAGING CYBER RISK: THE HUMAN ELEMENTS OF CYBERSECURITY

Never a dull moment. Media Conference «Clarity on Cyber Security» 24 May 2016

SOLUTION BRIEF Virtual CISO

COUNTERING IMPROVISED EXPLOSIVE DEVICES

Integrating Cyber Security with Business Continuity Management to Build the Resilient Enterprise

10 Cybersecurity Questions for Bank CEOs and the Board of Directors

Cyber Threat Prioritization

CYBER SOLUTIONS & THREAT INTELLIGENCE

An ICS Whitepaper Choosing the Right Security Assessment

Federal Continuous Monitoring Working Group. March 21, DOJ Cybersecurity Conference 2/8/2011

Security Awareness Training Courses

Ensuring System Protection throughout the Operational Lifecycle

Software & Supply Chain Assurance: Enabling Enterprise Resilience through Security Automation, Software Assurance and Supply Chain Risk Management

Bradford J. Willke. 19 September 2007

Building a Resilient Security Posture for Effective Breach Prevention

2016 Nationwide Cyber Security Review: Summary Report. Nationwide Cyber Security Review: Summary Report

The CIS Security Metrics & Benchmarking Service. Clint Kreitner The Center for Internet Security

Election Infrastructure Security: The How and Why of It

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

Incident Response Services

Office of Infrastructure Protection Overview

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

The Office of Infrastructure Protection

Headline Verdana Bold

The Office of Infrastructure Protection

DHS Cybersecurity. Election Infrastructure as Critical Infrastructure. June 2017

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

Transcription:

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018 The Homeland Security Systems Engineering and Development Institute (HSSEDI ) is a trademark of the U.S. Department of Homeland Security (DHS). The HSSEDI FFRDC is managed and operated by The MITRE Corporation for DHS.

2 Acknowledgement for DHS Sponsored Tasks The Homeland Security Act of 2002 (Section 305 of PL 107-296, as codified in 6 U.S.C. 185), herein referred to as the Act, authorizes the Secretary of the Department of Homeland Security (DHS), acting through the Under Secretary for Science and Technology, to establish one or more federally funded research and development centers (FFRDCs) to provide independent analysis of homeland security issues. MITRE Corp. operates the Homeland Security Systems Engineering and Development Institute (HSSEDI) as an FFRDC for DHS under contract HSHQDC-14-D-00006. The HSSEDI FFRDC provides the government with the necessary systems engineering and development expertise to conduct complex acquisition planning and development; concept exploration, experimentation and evaluation; information technology, communications and cyber security processes, standards, methodologies and protocols; systems architecture and integration; quality and performance review, best practices and performance measures and metrics; and, independent test and evaluation activities. The HSSEDI FFRDC also works with and supports other federal, state, local, tribal, public and private sector organizations that make up the homeland security enterprise. The HSSEDI FFRDC s research is undertaken by mutual consent with DHS and is organized as a set of discrete tasks. This report presents the results of research and analysis conducted under: HSHQDC-16-J-00184 This HSSEDI task order is to enable the DHS Science and Technology Directorate (S&T) to facilitate improvement of cybersecurity within the Financial Services Sector (FSS). To support NGCI Apex use cases and provide a common frame of reference for community interaction to supplement institution-specific threat models, HSSEDI developed an integrated suite of threat models identifying attacker methods from the level of a single FSS institution up to FSS systems-of-systems, and a corresponding cyber wargaming framework linking technical and business views. HSSEDI assessed risk metrics and risk assessment frameworks, provided recommendations toward development of scalable cybersecurity risk metrics to meet the needs of the NGCI Apex program, and developed representations depicting the interdependencies and data flows within the FSS. The results presented in this report do not necessarily reflect official DHS opinion or policy. Approved for Public Release; Distribution Unlimited. Case Number 18-1487 / DHS reference number 16-J-00184-03

3 Abstract and Key Words The Homeland Security Systems Engineering and Development Institute (HSSEDI) assists the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) in the execution of the Next Generation Cyber Infrastructure (NGCI) Apex program. This C-Level brief presents HSSEDI s findings and recommendations in its analysis of cybersecurity threat modeling and wargaming for the NGCI program S&T s NGCI Apex program is developing an approach for threat modeling and cyber wargaming that financial services sector (FSS) organizations can use to consider cyber threats and decrease risk. This brief describes a framework for cyber wargaming that balances the strong cyber defense technology focus of detailed hands-on adversarial cyber exercises with the strong business and operational impact focus typical of highlevel tabletop exercises focused on cyber. To drive cyber wargaming and assist in managing risk, the brief also describes a framework for an integrated suite of threat models. Keywords Next Generation Cyber Infrastructure (NGCI) Cyber Threat Models Cyber Risk Metrics Cyber Wargaming Scenarios Cyber Security; Cybersecurity

Cyber Threat Environment Has Evolved: Not Just Individual But Collective Risks 4 Modern cyber threats expose institutions to systemic risks through interactions among partner organizations within the Financial Services Sector (FSS) Recommendation: Adopt a common threat model supporting enhanced wargaming and systemic analysis

Challenge: Reduce Risks to FSS from Cyber Attacks 5 Cyber defense is too reactive Anticipate attacks based on business objectives as well as technical characteristics Plan and evolve defenses Attackers Have Business Objectives Crimeware compromises employees workstations Once inside, hostile actors gain more access until they compromise the business network Money is extracted by mules Cyber risk management has gaps Gaps Cause Unrecognized Cyber Risks Understand interplay of technical and business factors Technology View Actions Risk Actions Business View Sector and systemic cyber risks may go unrecognized Risks to One Affect Others Link institution-specific frameworks to common threat model for systemic analysis

Solution: Enhanced Wargaming and Systemic Analysis Supported by a Common Threat Model Communicate across sector via a common cyber threat and risk framework Identify systemic cyber risks 6 Adopt enhanced cyber wargaming connecting business and technical perspectives Support with consistent suite of sector-specific cyber threat models Threat Modeling to go from Reactive to Proactive Wargaming validates controls Make cyber risk management more effective Reduce cyber risks and gaps Reduce cyber breaches and their costs Reuse threat analysis and leverage efforts of others in the community Engage with the NGCI Apex Program s Cyber Apex Review Team (CART) to help achieve this common approach Operational Experience evolves threat model Effective cyber risk management relies on both business and technical views of attack and impact data

7 Goals of Cyber Threat Models and Wargames Cyber threat models capture adversary capabilities and motives Anticipate attacker behavior Feed cyber wargames Cyber wargames explore potential scenarios Assess and validate defenses Uncover gaps Exercise procedures and training Inform Organizational Technology Management Strategic Planning Engineering and Test Operations

8 Cyber Risk Management Survey Conducted interviews with 11 FSS critical infrastructure institutions Financial institutions, market utilities, and industry organizations Executives responsible for cybersecurity threat modeling, risk assessment, and mitigation Performed cybersecurity literature survey 21 threat models and frameworks 26 cyber wargaming technologies, platforms, and processes Drew upon HSSEDI subject matter experts Findings: Typical FSS Practice Organization-specific risk/threat frameworks; most based on NIST 1 and OCC 2 guidance Subjective assessment of threats and vulnerabilities; some efforts to quantify consequence Documented threat model, but often not comprehensive; subset updated with ongoing intelligence, testing, and events One-time product testing against a threat model during acquisition Recurring penetration testing Tabletop wargaming for coordination and awareness 1 NIST: National Institute of Standards and Technology 2 OCC: Office of the Comptroller of the Currency No one model suitable for all uses.* * HSSEDI, Cyber Threat Modeling: Survey, Assessment, and Representative Framework, 2018.

Use an Integrated Suite of Sector-Specific Threat Models to Support Different Use Cases Cyber wargames and organizational security management are driven by threat models Consistent across levels about the nature of the threat Represent adversary s business-focused objectives 9 Security Management Use Cases Strategic Planning Risk metrics Strategies for major disruptions High-Level Threat Model High-level generic threats, adversary characteristics, goals, capabilities, and behaviors Wargaming Use Cases Tabletop Exercise Assess business-level risks and gaps Engineering and Test Design/test for effectiveness against threat behaviors Operations Determine configuration Identify patterns for detection Detailed Threat Model Concrete adversary capabilities and behaviors Detailed generic techniques and attack patterns Instantiated Threat Model Specific, realistic threat s detailed goals, capabilities, tactics, and behaviors Composite Wargame Identify risks at business-technical interface Hands-on Exercise Confirm security posture and effectiveness Develop playbook

Create Composite Wargaming Level to Connect Business & Technical Perspectives 10 Suite of wargaming levels driven by consistent suite of threat models Level of Wargame Tabletop Exercises Participants Focus Value Executives Organizational Incident Response Measure reporting and policy effectiveness Composite Wargaming Mid-level cyber and business managers Test resiliency using goaloriented scenarios Identify risks from business and technology disconnects Hands-on Exercises (e.g., ethical hacking) Working level cyber staff Adversary detection capabilities Measure technology effectiveness New composite wargaming level to complement existing methods Use to examine interaction of technology, business operations, and shared risks

Use Integrated Cyber Threat Model Suite to Develop Composite Wargaming Scenarios* 11 Choose Cyber Threat Model Behaviors Map to Institution s IT Resources and Architecture Derive Business-Motivated Technical Scenarios * HSSEDI, Cyber Wargaming: Framework for Enhancing Cyber Wargaming with Realistic Business Context, 2018.

Extend to Support Coordinated Cyber Risk Management Across the Sector 12 Wargaming to extend understanding of: Cross-sector risks resulting from risks to individual institutions Cross-sector risks from systemic factors Institutional Risk Management Strategic / Business Threats Combined Threats System-of-systems model of interactions and dependencies Technical Threats Consistent threat frameworks to enable communication/ collaboration Sector Risk Coordination there is no common method to quantify cyber risk across firms or sectors, significant time is needed to develop a consensus on a risk measurement standard that would enable financial services to measure and mitigate their individual risk." - Financial Services Sector Coordinating Council (FSSCC)

13 Contact for More Information DHS Science and Technology Directorate Dr. Douglas Maughan (Eric.Harder@hq.dhs.gov) (Douglas.Maughan@hq.dhs.gov) Cyber Security Division (CSD) Director Greg Wigton (Gregory.Wigton@hq.dhs.gov) Apex Program Manager (Gregory.Wigton@hq.dhs.gov)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback