NCCIC | NATIONAL CYBERSECURITY & COMMUNICATIONS ... · Incident Response Root Cause Analysis*...
DEFENDING CRITICAL INFRASTRUCTURE: LESSONS LEARNED FROM THE FIELD
NCCIC | NATIONAL CYBERSECURITY & COMMUNICATIONS INTEGRATION CENTER
Mark Bristow, Deputy Division Director
Hunt and Incident Response Team (HIRT)
NCCIC | HIRT UNCLASSIFIED//FOR OFFICIAL USE ONLY
Hunt and Incident Response Team (HIRT)
• Federal agencies
• State and local governments
• Private sector (industry & critical infrastructure)
• Academia
• International organizations
• Classified & unclassified TTPs
• Public & private sector partners
• Established relationship with law enforcement, intelligence community, and international partners
The NCCIC HIRT provides expert intrusion analysis and mitigation guidance to clients who lack in-house capability or require additional assistance with responding to a cyber incident.
Uniquely Positioned for Comprehensive Analysis
Incident Response Root Cause Analysis*
Implement Application Whitelisting – 38%
Ensure Proper Configuration/Patch Management – 29%
Reduce your Attack Surface Area – 17%
Build a Defendable Environment – 9%
Manage Authentication – 4%
Monitor and Respond – 2%
Implement Secure Remote Access – 1%
*Based on FY14-15 ICS-CERT Incident Response Data
Application Whitelisting: Case Study
• NCCIC/HIRT on‐site incident response in the healthcare sector
• Over 80% of systems were executing malware
• Malware had a 0% detection rate on VirusTotal
• Application whitelisting would have precluded the malware from executing
Configuration Management/Patching Program
• Vulnerabilities are regularly discovered in ICS products and commodity IT products used in ICS
• Intrusions into vendors create interesting supply chain issues
• Patch validation and management are key elements of a security program
• Intrusions from zero‐day vulnerabilities are rare
ICS-CERT Vulnerabilities by Calendar Year (chart):
2010: 41
2011: 141
2012: 147
2013: 181
2014: 165
2015: 177
Reduce Surface Area: Case Study
Defendable Environment: Case Study
• In a 2012 case, a pipeline operator had directly connected the corporate network to the control network for users “requiring” real-time access
– Adversary had the ability to conduct unauthorized operations
– UN/PW for SCADA stolen
• Success: Nuclear sector asset owner fails to scan removable media, limits damage
Ukraine Cyber Attacks
Will you detect it? Tips and Tricks
• Have a centralized logging server and have a person actually look at the logs
• Periodically inventory running processes and look for unsigned processes and low-frequency processes
• Periodically hash all files on disk to compare against known bads
• Log DNS requests and review for known bad domains
• Monitor successful logins
• Conduct network baselining and change detection
o Look for new communications paths between hosts
o Review any host-to-host communications outside of baseline
o Look for traffic increases or decreases from baseline
Monitor! Monitor! Monitor! Monitor!
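The network-baselining bullets above, as an added example (not code from the NCCIC/HIRT deck): it builds a per-path average daily byte count from constructed flow records and flags new host-to-host paths as well as volume swings away from the baseline. The host names, flow records and the 3x threshold are constructed assumptions.

```python
"""Network baselining and change detection over flow records.
Added example, not code from the NCCIC/HIRT presentation; the flow records,
host names and the 3x threshold are constructed for illustration."""
from collections import defaultdict

# Constructed flows (src_host, dst_host, dst_port, bytes), one list per baseline day.
BASELINE_DAYS = [
    [("hmi-01", "plc-01", 502, 12000), ("hmi-01", "plc-02", 502, 12500),
     ("historian", "hmi-01", 1433, 300000)],
    [("hmi-01", "plc-01", 502, 11500), ("hmi-01", "plc-02", 502, 11800),
     ("historian", "hmi-01", 1433, 310000)],
]
# Constructed flows for the day under review.
CURRENT_DAY = [
    ("hmi-01", "plc-01", 502, 12100),      # within baseline
    ("hmi-01", "plc-02", 502, 90000),      # large increase
    ("historian", "hmi-01", 1433, 50000),  # large decrease
    ("hmi-01", "corp-fs-07", 445, 4000),   # new path from control host to corporate share
    ("hmi-01", "plc-01", 23, 800),         # known host pair, new port
]

def daily_totals(flows):
    """Sum bytes per (src, dst, port) path for one day of flows."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in flows:
        totals[(src, dst, port)] += nbytes
    return totals

def build_baseline(days):
    """Average daily bytes per path over the baseline window."""
    summed = defaultdict(int)
    for day in days:
        for path, nbytes in daily_totals(day).items():
            summed[path] += nbytes
    return {path: total / len(days) for path, total in summed.items()}

def detect_changes(baseline, current_flows, ratio=3.0):
    """Return (new_paths, volume_anomalies) for one day against the baseline.
    A path is a (src, dst, port) tuple; a volume anomaly is (path, day_bytes,
    baseline_avg) where day_bytes is above ratio*avg or below avg/ratio."""
    current = daily_totals(current_flows)
    new_paths = sorted(p for p in current if p not in baseline)
    anomalies = [(p, b, baseline[p]) for p, b in current.items() if p in baseline
                 and (b > baseline[p] * ratio or b < baseline[p] / ratio)]
    return new_paths, anomalies

if __name__ == "__main__":
    new, odd = detect_changes(build_baseline(BASELINE_DAYS), CURRENT_DAY)
    print("new paths:", new)
    print("volume anomalies:", odd)
```

Keying paths on destination port as well as host pair is what surfaces the Telnet flow between two hosts that already talk Modbus, which a host-pair-only baseline would miss.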
Engagement Timeline
1. Sign a RTA or FNA
• Request for Technical Assistance (RTA)
• Federal Network Authorization (FNA)
2. Provide Pre-Hunt Briefing to client
• Sharing of system artifacts (e.g., diagrams)
• Discuss rules of engagement (RTA or FNA)
• Clarify any milestones
• Finalize logistics
3. Kick off meeting to scope engagement
4. Prepare for engagement
• Provide host-based agent
• Client installs host-based agent
• Setup Technical Engagement Network
5. On-site (approximately 7–21 days)
6. Memorandum or Engagement Report (approximately 30–45 days after engagement)
7. Brief Memorandum or Engagement Report to client
Protected Critical Infrastructure Information (PCII)
• What is PCII?
– PCII is defined in Section 212.3 of the CII Act of 2002 as “…information not customarily found in the public domain and related to the security of critical infrastructure (CI) or protected systems.”
– Unique protection offered by DHS to CI asset owners and integrators under the CII Act of 2002
• PCII is protected from:
– Freedom of Information Act (FOIA) requests made of DHS (Exemption 3b),
– State, tribal, and local disclosure laws,
– Use in regulatory actions, or
– Use in civil litigations.
• How easy is it to get PCII protections?
– A PCII Express and Certification statement can be requested by an asset owner or integrator over the phone.
– Covers all information given over the phone or sent by email
Questions?