An Operational Cyber Security Perspective on Emerging Challenges. Michael Misumi CIO Johns Hopkins University Applied Physics Lab (JHU/APL)



Johns Hopkins University Applied Physics Lab (JHU/APL)
- University Affiliated Research Center
- Sponsors include DOD, NASA
- 6,500+ staff

Cyber Attack 2009
- 2 weeks disconnected from the Internet
- 40 GB of unclassified data lost
- 5 malware versions, 13 accounts, 48 systems

Pre-Cyber Attack 2009
1. Completed risk assessment
   - Cross-APL team evaluated assets, assailants, tactics
2. Began distributing Application White Listing software
   - 2,000 systems by 6/11/09
3. Engaged Mandiant, preparing for a full network scan
   - 5,500 systems by 6/11/09, enterprise-wide scanning planned for 6/15/09

APL Unclassified Network (diagram: Internet, APL Public, APL Internal)
1. Analyzed network traffic, found command and control activity
2. Remediated systems and accounts
3. Consultant recommendation
   - Attackers are "A team"
   - Slow data removal typical
   - High probability of layered, sophisticated intrusion tools
   - Partial measures drive the attackers deeper, making full remediation more difficult
   - Map attack via scanning without closing Internet access
4. Decision to stay connected and map the attack

Timeline to Restore Internet Access
Requirement: find all malware variants; secure all computers.

Date      Malware types  Systems impacted  Login accounts  Systems scanned  App. white listing installed  Notes
Thu 6/11  1              3                 1                                2000                          Attack discovered
Fri 6/12  1              3                 1
Sat 6/13  1              3                 1               1000             5500
Sun 6/14  1              3                 1
Mon 6/15  1              7                 2
Tue 6/16  2              23                5               5000
Wed 6/17  2              25                6
Thu 6/18  3              31                8
Fri 6/19  3              34                11              7300             6500
Mon 6/22  3              37                13
Tue 6/23  3              37                13
Wed 6/24  3              37                13
Thu 6/25  3              40                13
Fri 6/26  *5             *48               13              All              All                           Internet access opened

Leveraging Synergy at JHU/APL (diagram: Mission Systems, Corporate Cyber, Cyber Research)

Unclassified Network (diagram sequence: Internet, Public, Internal; remote connections from Korea, China, Hong Kong, Canada via VPN; Virtual Machines; Social Networking; blocked paths marked X)

Coordinating Regional Cyber Response (diagram)
- Fusion Cell: Cyber, Communications, Law Enforcement, Legal
- Integrated Threat Analysis Cell: Cyber Analysts
- Regional Defensive Teams: Team 1 through Team 6

Visualize the Battlespace: Galaxy Main View
- Filters for major event types let the analyst turn off noise
- Primary view is a node-link graph that helps the analyst make sense of heterogeneous event data
- Interactive selection of the focal time window and playback
- Zoomable timeline shows all events and provides a sense of scale

Visualize the Battlespace: Galaxy Replay Capability
Replay capability helps illustrate sequences of events. Here, a malicious actor finds a vulnerability and spreads through a network.

Regional Cyber Response: Positive Exercise Outcomes
1. Increasing amount of threat information shared by defensive teams
2. Crowd-sourced intelligence leads to a broad view of adversary tactics
3. Adversaries shut down after first attack due to information sharing
4. Threat Analysts told to pause sharing intelligence with Defensive Teams because they were too fast
5. Adversaries must bring increasing numbers of staff and infrastructure due to intelligence-sharing capability

Information Technology (IT) vs. Operations Technology (OT) (diagram: ICS, Plant / Manufacturing Systems)

"The scale, scope, and frequency of cyber attacks on digital and physical infrastructure systems is growing rapidly. Threats are escalating as more sophisticated and organized attackers are designing targeted attacks to damage or disrupt vital services and critical physical systems." - President's NIAC Report, 8/2017

Industrial Control Systems (ICS) are EVERYWHERE

IT vs ICS
- System lifetime: IT 3-5 years; ICS 10-30 years
- Owner: IT: CIO; ICS: technicians, operators, managers
- Purpose: IT: general computing, runs a variety of applications; ICS: controls machines, runs few applications at high availability
- Focus: IT: preventing data loss; ICS: preventing operational disruption or damage
- Patches: IT: IT staff; regularly scheduled, enterprise-wide, automated; ICS: external vendor; nontrivial scheduling due to production impact, and patches may break ICS functionality; ICS owners required to define acceptable risk
- Security software, incident response and forensics: IT: commercial products and consulting available; ICS: few solutions; forensics immature; requires good IT/ICS relationships; difficult to retrofit with security

The greatest vulnerability to ICS occurs at any point of connection (diagram: Internet)

Example: Fuel Delivery System
1. Phishing attack via the Internet
2. Reconnaissance to identify pump controller
3. Shutdown commands stop fuel delivery

Example Dependency Model: Fuel Delivery System (diagram)
- Mission functions: Perform Operations, Store Fuel, Receive Fuel, Distribute Fuel, Provide cooling, Transportation, Provide safe working environment, Perform preventative maintenance, Perform corrective maintenance
- Supporting systems: Fuel manager DB, Automatic tank gauge, HVAC, Water Treatment, Building Automation, Fuel handling systems, Fire fighting equipment, Diesel Generator
- Components: Level Sensor 1, Level Sensor 2, Fuel Pump 1, Fuel Pump 2, Wireless Access Point 1, Wireless Access Point 2, Fuel Manager Server, Windows Workstations

Example Assessment Findings
- ICS modernization has largely been ignored
  - Lots of end-of-life products (older hardware, software, expired warranties)
  - Operators are not fully aware of system interfaces
  - Systems have low funding priority (since they are so old), yet these elements directly impact the facility mission (not commonly understood)
- Increasing connectivity between systems
  - Allows a large attack surface for isolated systems to be exploited
  - Many systems have unencrypted wireless access
- System owners are not aware of cyber risks
- Ownership structure adds complications to management of systems
  - System owners and operators report to two separate chains of command

- What does component failure mean for the overall system response?
- What does it mean for multiple interacting systems?
- Overall economic impact?
- Potential to hold society at risk
- Vulnerability invites attack
- What about soft-science consequences?

CyberWire, 10/2017

Example Steps to Securing Control Systems (ICS)
1. Determine level of risk the organization will accept
2. Decide on cyber security ownership
   - Bring IT and OT together
   - Who owns protecting the asset?
3. Identify the ICS functions
   - Criticality to operations?
   - Common component across systems?
4. Implement ICS operational security
   - Baseline devices, apps, comms
   - Secure network connections
   - Harden system boundaries
   - Invest in detection tools
   - Focus on whitelisting
   - Create and exercise recovery options
   - Provide security training
From SANS Securing ICS 2017

Joint Defense and Red Teaming
- Government collaboration
- Consortium cyber response
- External red team
- New product penetration testing
Cyber Defense is a Team Sport

Cross-Organization Response: Tabletop Lessons
1. Where to direct requests for resourcing to solve emergency needs
2. Different levels of classified communications, and staff classification levels
3. Sharing personal contacts/relationships to gather and disseminate information
4. Discussion of how we're informing the public
5. Coordinate external communications
Building a CONOPS to guide restoration operations is vital