
National Infrastructure


Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 11 – Response

Cyber Attacks: Protecting National Infrastructure, 1st ed.

Introduction

• Incident response process is the most familiar component of any cyber security program

• A cyber security program will contain at least the following
  – Incident trigger
  – Expert gathering
  – Incident analysis
  – Response activities

Fig. 11.1 – General incident response process schema

Pre- Versus Post-Attack Response

• There are two fundamental types of triggers
  – Tangible, visible effects of an attack
  – Early warning and indications information

• Thus, there are two approaches to incident response processes
  – Front-loaded prevention
  – Back-loaded recovery

• The two approaches should be combined for a comprehensive response picture

• Protecting national assets is worth suffering a high number of false positives

Fig. 11.2 – Comparison of front-loaded and back-loaded response processes

Indications and Warning

• Front-loaded prevention is critical to national infrastructure protection

• Taxonomy of early warning process triggers
  – Vulnerability information
  – Changes in profiled behavioral metrics
  – Match on attack metric pattern
  – Component anomalies
  – External attack information

• Front-loaded prevention has a high sensitivity to triggers

Fig. 11.3 – Comparison of trigger intensity threshold for response
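As an added illustration (not from the book or these slides), a small Python model of the trigger-intensity trade-off in Fig. 11.3: a front-loaded process opens a case on weak early-warning triggers from the taxonomy above, while a back-loaded process waits for a strong, tangible attack effect, so the same event stream gives the first more false positives and the second more missed attacks. The trigger kinds follow the slide; the intensity scores, thresholds and sample events are constructed assumptions.

```python
from dataclasses import dataclass

# Early-warning trigger kinds from the chapter's taxonomy, plus the tangible
# attack effect that a back-loaded recovery process waits for.
EARLY_WARNING = {"vulnerability_info", "behavioral_metric_change",
                 "attack_pattern_match", "component_anomaly", "external_attack_info"}
TANGIBLE_EFFECT = "tangible_effect"

# Assumed thresholds on a 0..1 intensity score: low for front-loaded, high for back-loaded.
FRONT_LOADED_THRESHOLD = 0.3
BACK_LOADED_THRESHOLD = 0.8

@dataclass(frozen=True)
class Trigger:
    kind: str
    intensity: float        # assumed normalised severity/confidence score
    confirmed_attack: bool  # ground truth, used only to score the outcome

def front_loaded_fires(t: Trigger) -> bool:
    """Open a case on any taxonomy trigger at or above the low threshold."""
    return t.kind in EARLY_WARNING | {TANGIBLE_EFFECT} and t.intensity >= FRONT_LOADED_THRESHOLD

def back_loaded_fires(t: Trigger) -> bool:
    """Open a case only on a strong, tangible attack effect."""
    return t.kind == TANGIBLE_EFFECT and t.intensity >= BACK_LOADED_THRESHOLD

def evaluate(triggers, fires) -> dict:
    """Count cases opened, true/false positives and attacks missed."""
    opened = tp = fp = missed = 0
    for t in triggers:
        if fires(t):
            opened += 1
            tp += t.confirmed_attack      # bool counts as 1 or 0
            fp += not t.confirmed_attack
        elif t.confirmed_attack:
            missed += 1
    return {"opened": opened, "true_positives": tp,
            "false_positives": fp, "missed": missed}

# Constructed sample events (not real data); the last is a visible outage with a non-attack cause.
SAMPLE = [
    Trigger("vulnerability_info", 0.40, False),
    Trigger("behavioral_metric_change", 0.50, True),
    Trigger("attack_pattern_match", 0.90, True),
    Trigger("component_anomaly", 0.20, False),
    Trigger("external_attack_info", 0.35, False),
    Trigger("tangible_effect", 0.95, True),
    Trigger("tangible_effect", 0.85, False),
]
```

Running `evaluate(SAMPLE, front_loaded_fires)` and `evaluate(SAMPLE, back_loaded_fires)` shows the front-loaded process opening six cases with three false positives and no missed attacks, and the back-loaded process opening two cases but missing two attacks.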

Incident Response Teams

• Optimal incident response team includes two components
  – A core set of individuals
  – A set of subject matter experts

• In complex settings, with multiple incidents, it is important for the team not to work at cross-purposes

Fig. 11.4 – Management of simultaneous response cases

Incident Response Teams

• Response teams in a national setting must plan for multiple concurrent attacks aimed at a company or agency

• Considerations for proper planning include
  – Avoidance of a single point of contact individual
  – Case management automation
  – Organizational support for expert involvement
  – 24/7 operational support

Forensic Analysis

• Questions addressed in the forensic analysis process include
  – Root cause
  – Exploits
  – State
  – Consequences
  – Action

• Great care must be taken to protect and preserve evidence

Fig. 11.5 – Generic high-level forensic process schema

Forensic Analysis

• An internal expert is most likely the best person to lead a company investigation

• Forensic analysts need the following
  – Culture of relative freedom
  – Access to interesting technology
  – Ability to interact externally

Law Enforcement Issues

• Should law enforcement be involved and called upon for support?

• Carefully review local, regional, and national laws regarding when law enforcement must be contacted

• Figure 11.6 outlines a decision process

Fig. 11.6 – Decision process for law enforcement involvement in forensics

Disaster Recovery

• Three components of a disaster recovery program
  – Preparation
  – Planning
  – Practice

Fig. 11.7 – Disaster recovery exercise configurations

National Response Program

• National programs can provide centralized coordination
  – Intrasector coordination should be encouraged

• Currently, coordination is not the main focus of most national emergency response team programs

Fig. 11.8 – National response program coordination interfaces