Incident response in the energy

Similar documents
Incident response in critical infrastructure. Margrete Raaum

CSIRT in general CSIRT Service Categories Reactive Services Proactive services Security Quality Management Services CSIRT. Brmlab, hackerspace Prague

50+ Incident Response Preparedness Checklist Items.

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Detection and Response Services in the ICS Environment

Incident Response. Is Your CSIRT Program Ready for the 21 st Century?

Stakeholders Analysis

CompTIA Advanced Security Practitioner (CASP) (Exam CAS-001)

Internet of Things Toolkit for Small and Medium Businesses

Security+ SY0-501 Study Guide Table of Contents

An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)

Changing face of endpoint security

Bradford J. Willke. 19 September 2007

BraindumpsVCE. Best vce braindumps-exam vce pdf free download

No Country for Old Security Compliance in the Cloud. Joel Sloss, CDSA Board of Directors May 2017

The Case for National CSIRTs

Presenter Jakob Drescher. Industry. Measures used to protect assets against computer threats. Covers both intentional and unintentional attacks.

Security Issues and Best Practices for Water Facilities

How AlienVault ICS SIEM Supports Compliance with CFATS

Cyber Security Stress Test SUMMARY REPORT

Mike Spear, Ops Leader Greg Maciel, Cyber Director INDUSTRIAL CYBER SECURITY PROGRAMS

CYBERBIT P r o t e c t i n g a n e w D i m e n s i o n

Function Category Subcategory Implemented? Responsible Metric Value Assesed Audit Comments

CND Exam Blueprint v2.0

CCISO Blueprint v1. EC-Council

MANAGEMENT OF INFORMATION SECURITY INCIDENTS

The Common Controls Framework BY ADOBE

Cyber Defense Maturity Scorecard DEFINING CYBERSECURITY MATURITY ACROSS KEY DOMAINS

NEN The Education Network

National Cyber Security Strategy - Qatar. Michael Lewis, Deputy Director

INCIDENT RESPONDER'S FIELD GUIDE INCIDENT RESPONDER'S INCIDENT RESPONSE PLAN FIELD GUIDE LESSONS FROM A FORTUNE 100 INCIDENT RESPONSE LEADER

BERGRIVIER MUNICIPALITY

RFC2350 TLP1: WHITE. Έκδοση National CSIRT-CY RFC2350

Detecting Lateral Movement in APTs ~Analysis Approach on Windows Event Logs~ June 17, 2016 Shingo ABE ICS security Response Group JPCERT/CC

Defining Computer Security Incident Response Teams

Question No: 1 After running a packet analyzer on the network, a security analyst has noticed the following output:

CompTIA CSA+ Cybersecurity Analyst

Digital Forensics Readiness PREPARE BEFORE AN INCIDENT HAPPENS

Advanced Security Tester Course Outline

From Managed Security Services to the next evolution of CyberSoc Services

No compromises for secure SCADA Communications even over 3rd Party Networks

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Cyber Common Technical Core (CCTC) Advance Sheet Windows Operating Systems

Cybersecurity Risk Mitigation: Protect Your Member Data. Introduction

eguide: Designing a Continuous Response Architecture 5 Steps to Reduce the Complexity of PCI Security Assessments

Symantec Security Monitoring Services

Practical SCADA Cyber Security Lifecycle Steps

Incentives for IoT Security. White Paper. May Author: Dr. Cédric LEVY-BENCHETON, CEO

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

European Union Agency for Network and Information Security

Heavy Vehicle Cyber Security Bulletin

CSIRT capability building and enhancement

Cyber Resilience - Protecting your Business 1

CYBER RESILIENCE & INCIDENT RESPONSE

Overview of the. Computer Security Incident Response Plan. Process Resource Center

Be Secure! Computer Security Incident Response Team (CSIRT) Guide. Plan Establish Connect. Maliha Alam Mehreen Shahid

ICS Security Monitoring

A Comprehensive Guide to Remote Managed IT Security for Higher Education

Getting Started with Cybersecurity

How Breaches Really Happen

SCADA Security: How Do I Know If I ve Already Been Owned?

Software Development & Education Center Security+ Certification

Sage Data Security Services Directory

Information Security in Corporation

Keys to a more secure data environment

ARC VIEW. Critical Industries Need Active Defense and Intelligence-driven Cybersecurity. Keywords. Summary. By Sid Snitkin

Comptia.Certkey.SY0-401.v by.SANFORD.362q. Exam Code: SY Exam Name: CompTIA Security+ Certification Exam

Cyber Defense Overview Defense in Depth

Carbon Black PCI Compliance Mapping Checklist

Information Security Incident

SANS SCADA and Process Control Europe Rome 2011

Mobile Device Security

Unit code: D/601/1956 QCF Level 5: BTEC Higher National Credit value: 15

10 KEY WAYS THE FINANCIAL SERVICES INDUSTRY CAN COMBAT CYBER THREATS

IT Services IT LOGGING POLICY

Critical Information Infrastructure Protection Law

Course Outline Topic 1: Current State Assessment, Security Operations Centers, and Security Architecture

Hosted Testing and Grading

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

Presentation to the ITU on the Q-CERT Incident Management Team. Ian M Dowdeswell Incident Manager, Q-CERT

Incident Response. Figure 10-1: Incident Response. Figure 10-2: Program and Data Backup. Figure 10-1: Incident Response. Figure 10-2: Program and Data

TestOut Network Pro - English 4.1.x COURSE OUTLINE. Modified

Swedish IT Incident Centre

ITU Regional Cybersecurity Forum for Asia-Pacific

Ten Ways to Prepare for Incident Response

Cybersecurity Overview

Be effective in protecting against the cybercrime

Package of initiatives on Cybersecurity

Security Management Models And Practices Feb 5, 2008

Compare Security Analytics Solutions

Chapter 12. Information Security Management

Designing and Building a Cybersecurity Program

Course overview. CompTIA Security+ Certification (Exam SY0-501) Study Guide (G635eng v107)

Information Security Controls Policy

Simplify Your Network Security with All-In-One Unified Threat Management

Threat Intel for All: There s More to Your Data than Meets the Eye

Using International Standards to Implement a Business Continuity Management System (BCMS)

TRUSTED IT: REDEFINE SOCIAL, MOBILE & CLOUD INFRASTRUCTURE. John McDonald

WHO AM I? Been working in IT Security since 1992

Transcription:

Incident response in the energy sector Margrete Raaum, Statnett SF and FIRST, Forum of Incident Response and Security Teams 4SICS, October 23. 2014

Incident response IR is more than just a characterization of an incident, it includes analysis Many companies are reluctant to share incident data because of reputation or fear of repercussions from the regulatory authority Unfortunately this is a policy that hinders good incident response

Combination attacks Vendor Target

Combination attacks Vendor Target

Combination attacks Vendor Link Target

Combination attacks Vendor Link Target

Combination attacks Vendor Link Target

Combination attacks Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Link Target Callback, control and information leakage

Detecting, assessing and reconstructing Vendor Information removal Link Target Callback, control and information leakage

Why a specialized incident response team? Incident handling is done faster and in a uniform manner Avoid costly mistakes The team knows what to do and whom to inform They regain control They reassure the organization AND the customers They can be an internal bridge between departments

Virtual team Upper management Control systems Administrative staff Legal Communication Plant IT Power marked systems IT Network Server Clients CSIRT

CSIRT vs the emergency response team This team gathers at a certain severity level. The CSIRT starts earlier and work continuously together ERT deal with physical disasters and accidents Most CSIRTs deal only with information security incidents with an adversary (even if it is information leakage) The CSIRT must know when to call upon the ERT The ERT uses the IRT to assess damage, decide how to contain the incident, how to gather evidence etc. FIRST.Org, Inc. All rights reserved. 20

The levels of severity need to be harmonized What the CSIRT calls a code red is not the same as for the ERT If the impact in production systems are unclear, all of the organization should be on alert, for example if a computer or a user that has access to the production network is hit by malware Again: the CSIRT should span all of the organization FIRST.Org, Inc. All rights reserved. 21

Working together The communication and setting the criticality should be exercised They should be aware of the other group's classification scheme The collaboration will evolve, and be dynamic They can be one team to rule it all, but you probably don't need the whole ERT in every meeting FIRST.Org, Inc. All rights reserved. 22

Continuous improvement The feedback loop is crucial A CSIRT can improve the processes of Policy making Risk analysis Security planning Emergency planning Evaluations & audits Risk analysis Policy Security plans Implementations Evaluation and quality assessment Incident response evaluation process

Reorganizing large organizations is like reorganizing a cemetery.

Organizational obstacles We have managed for years without! We have people doing security We have enough competence to cover this This will become a state within the state Will this just not cost us more money?

The stages of change Shock Acceptance Resistance Fight Disclaimer Passiveness

Organizational issues

Organizational issues Clear constituency

Organizational issues Clear constituency Mandate to manage and make changes

Organizational issues Clear constituency Mandate to manage and make changes Give the team time to develop culture

Who is your team?

Who is your team? The ones that log

Who is your team? The ones that log The ones that operate equipment that may be compromised

Who is your team? The ones that log The ones that operate equipment that may be compromised Communication

Who is your team? The ones that log The ones that operate equipment that may be compromised Communication Legal department

Who is your team? The ones that log The ones that operate equipment that may be compromised Communication Legal department People who are interested

They should be team players with Common sense Communication-and diplomatic skills Patience and persistence Creativity Serenity Discretion Concentration Tidy With technical skills and a good legal instinct

Incident detection Always difficult to identify an incident among false positives or from human error Even worse in control system: vague indicators, small changes, incomplete symptoms Baseline the system activity, the events and the traffic is useful, and of course log correlation with alarms.

The importance of tidiness Focus on what has happened Think of how you obtain evidence keeping the chain of custody Think of how you store evidence (sanitize and write lock) Digital signing and checksum Involve the legal department

Do I have SSL v.1.0.1? I don't knooooooooow

Knowing your network It's too late to take inventory How does the information flow? What kind of information flows where? Knowing your protocols Knowing the best way to contain an incident (especially SCADA) Knowing the criticality of the resources

Knowing your logs Servers and user devices (including tablets and phones) ICS devices Network traffic (when the device does not log) Security appliances, VPN servers Directory services Name servers and DHCP-servers Web servers, proxy logs and application logs Databases Email and chat applications IP telephony logs Key cards, surveillance camera Clocks and time format

Establishing a timeline Some PLCs became unavailable Technician is in Ouagadougou There was an email from their vendor with a link that did not work The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number Some PLCs became unavailable

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work Email systems Proxy and firewall Vendor link User system - pcap The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number Some PLCs became unavailable

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work Email systems Proxy and firewall Vendor link User system - pcap The technician received email, clicked The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number Some PLCs became unavailable

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work Email systems Proxy and firewall Vendor link User system - pcap The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number Some PLCs became unavailable

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number The new number was used to log on the business network Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number The new number was used to log on the business network Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system VPN concentrator Proxies and firewalls Control system logs Pcaps Network logs User system

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number The new number was used to log on the business network The technician logged further onto the process network Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system VPN concentrator Proxies and firewalls Control system logs Pcaps Network logs User system

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number The new number was used to log on the business network The technician logged further onto the process network The technician logged onto the control system Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system VPN concentrator Proxies and firewalls Control system logs Pcaps Network logs User system

Technician goes to Ouagadougou There was an email from their vendor with a link that did not work The technician received email, clicked The user's computer started talking to an address in Germany The technician asked to have his phone number changed in the 2- factor authentication system to a new domestic number The new number was used to log on the business network The technician logged further onto the process network The technician logged onto the control system Some PLCs became unavailable Email systems Proxy and firewall Vendor link User system - pcap Email systems Support logs VPN concentrator Proxy and firewall User system VPN concentrator Proxies and firewalls Control system logs Pcaps Network logs User system Evidence: Statements, logs, pcap, forensic images from user, vendor and possibly control system

The answer should be "yes" to these questions Can you fire up packet capture? Corollary: do you have active taps, span ports or a hub? In the process network? Can you do a forensic image? Corollary: do you have somewhere to store it? Can you capture volatile data? USB forensic tools ready

Information plans To keep people happy To build trust To leave the team working uninterrupted To create predictability and standards Do not release info too soon. It may be plain wrong.

Information list Systems owner Several levels of management Emergency team/disaster recovery/business continuity Legal department Communications Regulatory authority The public

Being lazy

Automation If you're going to do this again, you need to automate If you can't find somebody who can If you can't find anybody, team up with someone else

I need HELP! Forensics analysis Reverse engineering Behavioral analysis Identifying the attacker Recovery is often not done by the CSIRT

The important process of lessons learned When you know how it happened, you know how to prevent it This can be powerful knowledge to share with other teams The measures should be part pf the lessons learned

If the report is put in a drawer or otherwise hidden, you are back at: 1

Collaboration and sharing Some attacks happen sector wise (and technology wise) Some attacks happen country wise Attack patterns follow certain trends We should link up for relevant early warning and for learning purposes Ideally we should learn from other people's lessons as well as our own

Questions? I can also be reached at margrete.raaum@statnett.no or margrete.raaum@first.org

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback