Cyber Attacks: Protecting National Infrastructure, 1st ed.
Chapter 11 – Response
Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction
• The incident response process is the most familiar component of any cyber security program
• The incident response process in any such program will contain at least the following stages:
  – Incident trigger
  – Expert gathering
  – Incident analysis
  – Response activities
Fig. 11.1 – General incident response process schema

Pre- Versus Post-Attack Response
• There are two fundamental types of triggers:
  – Tangible, visible effects of an attack
  – Early warning and indications information
• Thus, there are two approaches to the incident response process:
  – Front-loaded prevention (driven by early warning and indications, before the effects of an attack are visible)
  – Back-loaded recovery (driven by the tangible effects of an attack that has already occurred)
• The two approaches should be combined for a comprehensive response picture
• For national assets, a high number of false positives is an acceptable price for acting on early indications
Fig. 11.2 – Comparison of front-loaded and back-loaded response processes

Indications and Warning
• Front-loaded prevention is critical to national infrastructure protection
• Taxonomy of early warning process triggers:
  – Vulnerability information
  – Changes in profiled behavioral metrics
  – Match on attack metric pattern
  – Component anomalies
  – External attack information
• Front-loaded prevention requires high sensitivity to these triggers, i.e. a low trigger intensity threshold for response
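The five early-warning trigger categories listed above, and the front-loaded versus back-loaded distinction from the Pre- Versus Post-Attack Response slide, can be made concrete with a small trigger-evaluation routine. The Python below is an added illustration written for these notes; it is not code from the book or its author. Every input (the login-rate profile, the advisory feed, the auth log, the component health table and the ISAC-style external report) is constructed sample data, and the intensity weights, the 0.4 and 0.85 thresholds, and identifiers such as ADV-2024-001 and sector-isac are assumptions chosen for the example.

```python
"""Early-warning trigger evaluation with a tunable response threshold (added example)."""
from dataclasses import dataclass
from statistics import mean, pstdev

@dataclass(frozen=True)
class Trigger:
    category: str     # one of the five early-warning trigger categories
    source: str       # asset, metric or feed that produced the trigger
    intensity: float  # 0.0 (noise) .. 1.0 (near-certain attack)
    detail: str

# --- constructed sample inputs (illustrative only, not from the book) ---
ASSETS = {"scada-hmi": "control-network", "office-wiki": "corporate"}
ADVISORIES = [  # hypothetical vulnerability feed entries matched against the inventory
    {"id": "ADV-2024-001", "product": "scada-hmi", "cvss": 9.1, "patched": False},
    {"id": "ADV-2024-002", "product": "office-wiki", "cvss": 4.3, "patched": False},
]
PROFILE_LOGINS_PER_HOUR = [12, 15, 11, 14, 13, 12, 16, 14, 13, 15]  # learned baseline
CURRENT_LOGINS_PER_HOUR = 41                                         # this hour's count
AUTH_LOG = [  # (time, source, result); 203.0.113.0/24 is a documentation address range
    ("10:00:01", "203.0.113.7", "FAIL"), ("10:00:02", "203.0.113.7", "FAIL"),
    ("10:00:03", "203.0.113.7", "FAIL"), ("10:00:04", "203.0.113.7", "FAIL"),
    ("10:00:05", "203.0.113.7", "FAIL"), ("10:00:09", "203.0.113.7", "OK"),
    ("10:01:00", "198.51.100.2", "OK"),
]
COMPONENT_HEALTH = {"historian-db": "ok", "plc-gateway": "watchdog-restart x3"}
EXTERNAL_REPORTS = [{"feed": "sector-isac", "campaign": "hmi-credential-stuffing",
                     "targets": "control-network", "confidence": 0.7}]

def vulnerability_triggers(advisories, assets):
    """Unpatched advisories for products we own; CVSS scaled to 0..1, control assets weighted up."""
    out = []
    for adv in advisories:
        if adv["patched"] or adv["product"] not in assets:
            continue
        intensity = adv["cvss"] / 10.0
        if assets[adv["product"]] == "control-network":
            intensity = min(1.0, intensity + 0.1)
        out.append(Trigger("vulnerability", adv["product"], round(intensity, 2),
                           f"{adv['id']} unpatched"))
    return out

def behavioral_trigger(profile, current, metric="logins/hour"):
    """Deviation of a live metric from its profiled baseline, saturating at three sigma."""
    mu, sigma = mean(profile), pstdev(profile) or 1.0
    z = (current - mu) / sigma
    return Trigger("behavioral", metric, round(max(0.0, min(1.0, z / 3.0)), 2),
                   f"z={z:.1f} against profile mean {mu:.1f}")

def attack_pattern_trigger(auth_log, fails_before_success=5):
    """Match the 'N failures then a success from one source' brute-force pattern."""
    streak = {}
    for _time, src, result in auth_log:
        if result == "FAIL":
            streak[src] = streak.get(src, 0) + 1
        elif streak.get(src, 0) >= fails_before_success:
            return Trigger("attack-pattern", src, 0.9, f"{streak[src]} failures then success")
        else:
            streak[src] = 0
    return None

def component_triggers(health):
    """Any component not reporting 'ok' is a moderate-intensity anomaly."""
    return [Trigger("component-anomaly", name, 0.5, status)
            for name, status in health.items() if status != "ok"]

def external_triggers(reports, assets):
    """Partner/ISAC reports count only if they target a network segment we actually run."""
    exposed = set(assets.values())
    return [Trigger("external", r["feed"], r["confidence"], r["campaign"])
            for r in reports if r["targets"] in exposed]

def collect_triggers():
    triggers = vulnerability_triggers(ADVISORIES, ASSETS)
    triggers.append(behavioral_trigger(PROFILE_LOGINS_PER_HOUR, CURRENT_LOGINS_PER_HOUR))
    match = attack_pattern_trigger(AUTH_LOG)
    if match:
        triggers.append(match)
    triggers += component_triggers(COMPONENT_HEALTH)
    triggers += external_triggers(EXTERNAL_REPORTS, ASSETS)
    return triggers

FRONT_LOADED_THRESHOLD = 0.4   # assumed: fire early, accept false positives
BACK_LOADED_THRESHOLD = 0.85   # assumed: fire only on strong evidence

def respond(triggers, threshold):
    """Triggers whose intensity reaches the threshold open a response case."""
    return [t for t in triggers if t.intensity >= threshold]

def compare_thresholds(triggers=None):
    """How many cases each posture would open on the same evidence."""
    triggers = collect_triggers() if triggers is None else triggers
    return {"front_loaded": len(respond(triggers, FRONT_LOADED_THRESHOLD)),
            "back_loaded": len(respond(triggers, BACK_LOADED_THRESHOLD))}

if __name__ == "__main__":
    for t in sorted(collect_triggers(), key=lambda t: -t.intensity):
        print(f"{t.intensity:.2f} {t.category:<18} {t.source:<14} {t.detail}")
    print(compare_thresholds())
```

On this sample the front-loaded posture opens six cases, including the low-severity wiki advisory and the gateway watchdog restarts, either of which may turn out to be benign; the back-loaded posture opens only the three strong ones and would ignore the sector-wide campaign warning until its effects became visible. That is exactly the false-positive trade-off the slide accepts for national assets.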
Fig. 11.3 – Comparison of trigger intensity threshold for response

Incident Response Teams
• An optimal incident response team includes two components:
  – A core set of individuals
  – A set of subject matter experts
• In complex settings with multiple incidents, it is important that the team not work at cross-purposes
Fig. 11.4 – Management of simultaneous response cases

Incident Response Teams
• Response teams in a national setting must plan for multiple concurrent attacks aimed at a company or agency
• Considerations for proper planning include:
  – Avoidance of a single point of contact individual
  – Case management automation
  – Organizational support for expert involvement
  – 24/7 operational support

Forensic Analysis
• Questions addressed in the forensic analysis process include:
  – Root cause
  – Exploits
  – State
  – Consequences
  – Action
• Great care must be taken to protect and preserve evidence
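The "protect and preserve evidence" point above is where investigations most often fail in practice, so here is an added Python example (written for these notes, not code from the book or its author) of the minimum an analyst should do: hash the original at acquisition, make it read-only, work only on a verified copy, and keep an append-only chain-of-custody log that records every transfer and integrity check, including a failed one. The auth.log contents, the names responder-a and analyst-b, and the evidence id EV-001 are constructed for the demonstration.

```python
"""Evidence acquisition, working copies and chain of custody (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

@dataclass
class EvidenceRecord:
    item_id: str
    description: str
    sha256: str                                  # taken at acquisition; never updated
    custody: list = field(default_factory=list)  # append-only chain-of-custody log

def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so multi-gigabyte images do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()

def _entry(action, who, **extra):
    return {"at": datetime.now(timezone.utc).isoformat(), "action": action, "by": who, **extra}

def acquire(path, item_id, description, collector):
    """Hash the original at collection time, make it read-only, and open the custody log."""
    rec = EvidenceRecord(item_id, description, sha256_file(path))
    os.chmod(path, 0o444)
    rec.custody.append(_entry("acquired", collector, path=path, sha256=rec.sha256))
    return rec

def working_copy(rec, original, dest, analyst):
    """Analysts work on a verified copy; the original is never opened for writing."""
    shutil.copyfile(original, dest)
    if sha256_file(dest) != rec.sha256:
        raise RuntimeError("working copy does not match the acquisition hash")
    rec.custody.append(_entry("working-copy", analyst, path=dest))
    return dest

def transfer(rec, from_person, to_person, purpose):
    """Every hand-off is logged with who, to whom and why."""
    rec.custody.append(_entry("transferred", from_person, to=to_person, purpose=purpose))

def verify(rec, path, who):
    """Re-hash and compare with the acquisition hash; log the outcome either way."""
    ok = sha256_file(path) == rec.sha256
    rec.custody.append(_entry("verified" if ok else "INTEGRITY-FAILURE", who, path=path))
    return ok

def custody_report(rec):
    """Serialised record suitable for attaching to the case file."""
    return json.dumps(asdict(rec), indent=2)

def demo():
    """Constructed scenario: acquire a log, analyse a copy, then detect tampering of the original."""
    workdir = tempfile.mkdtemp()
    original = os.path.join(workdir, "auth.log")
    with open(original, "wb") as f:  # constructed sample evidence, not a real log
        f.write(b"Jun 1 10:00:01 host sshd[411]: Failed password for root from 203.0.113.7\n"
                b"Jun 1 10:00:09 host sshd[411]: Accepted password for root from 203.0.113.7\n")
    rec = acquire(original, "EV-001", "auth.log from host", "responder-a")
    copy = working_copy(rec, original, os.path.join(workdir, "auth.log.work"), "analyst-b")
    with open(copy, "ab") as f:      # the analyst annotates the copy, never the original
        f.write(b"# analyst note: brute force followed by success\n")
    transfer(rec, "responder-a", "analyst-b", "root-cause analysis")
    intact_before = verify(rec, original, "analyst-b")
    os.chmod(original, 0o644)        # simulate someone undoing the protection ...
    with open(original, "ab") as f:  # ... and altering the original
        f.write(b"tampered\n")
    intact_after = verify(rec, original, "analyst-b")
    shutil.rmtree(workdir)
    return rec, intact_before, intact_after

if __name__ == "__main__":
    record, before, after = demo()
    print(f"intact before tampering: {before}, after: {after}")
    print(custody_report(record))
```

The read-only bit is a courtesy, not a control: anyone with ownership or root can clear it, which is why the acquisition hash and the custody log, not file permissions, are what let the analyst prove later that the evidence presented is the evidence collected.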
Fig. 11.5 – Generic high-level forensic process schema

Forensic Analysis
• An internal expert is most likely the best choice to lead a company investigation
• Forensic analysts need the following:
  – A culture of relative freedom
  – Access to interesting technology
  – The ability to interact externally

Law Enforcement Issues
• Should law enforcement be involved and called upon for support?
• Carefully review local, regional, and national laws regarding when law enforcement must be contacted
• Figure 11.6 outlines a decision process for law enforcement involvement
Fig. 11.6 – Decision process for law enforcement involvement in forensics

Disaster Recovery
• Three components of a disaster recovery program:
  – Preparation
  – Planning
  – Practice
Fig. 11.7 – Disaster recovery exercise configurations

National Response Program
• National programs can provide centralized coordination
  – Intrasector coordination should be encouraged
• Currently, coordination is not the main focus of most national emergency response team programs
Fig. 11.8 – National response program coordination interfaces