Incidentresponsetoabreach:Rightofboomyou

findashesDr.SamuelLileshttp://selil.com

Opinions,orotherinformationexpressedarepresentersanddonotreflectcurrent, former,future,orunaffiliatedemployersopinionsorpolicies.

Agenda

• Scope• Cybery thoughts• Throughthelensofrisk• Threats• Vulnerabilities• Frameworks• NCIRP• Attribution• Future

Randomimageofftehwebz

4/18/16 2

Scope,asinassumptions• Youcanhavetheweeds,thefield,orthestadium.Choose1.

• You’reinagraduatecoursesoyoualreadyknowhowtomowthe lawnandtakecareoftheweeds.

• Goalistoanswerwhattheheckhappens inamajorcyberincident.

• Everyincident isdifferentbuteveryincident followsapattern.

• Everystadiumhasadifferentteambuteverysporthasrules.

• Bewaryofplayinggolfwiththehockeyteam.• Lotsofpeople arecomfortablepullingweeds.• Youcan’tpullweedsfastenoughtowinthegame.

Source:http://www.blu-ray.com/mov ies/Happy-Gilmore- Blu-ray /1677 1/

4/18/16 3

Justbecause….Cyber.

• Lotsofdefinitions• Umbrella termforactivitiestoincrease coordination,collaboration, andunderstanding<break ricebowls>

• Mydefinition:Theterm“cyber”itselfdenotesahumancognitivecentricconceptthatdealswiththedisintermediationoftechnologycenteredwithinhumanactivity.

Randomimageofftehwebz

4/18/16 4

4/18/16 5

CopyrightswithcaveatsSamuelLiles©

4/18/16 6

CopyrightswithcaveatsSamuelLiles©

Threat?

4/18/16 7

Source:EnergySectorSpecificPlanhttps://www.dhs.gov/xlibrary/assets/nipp-ssp-energy-2010.pdf

Vulnerability?

4/18/16 8

CopyrightswithcaveatsSamuelLiles©4/18/16 9

CopyrightswithcaveatsSamuelLiles©

Boom

PersistencePrivilegeEscalation

DefenseEvasion

CredentialAccess

HostEnumeratio

n

LateralMovement

Execution C2 Exfiltration

CommandandControlInstallationExploitation

Reconnaissance Weaponization Delivery

Actions onObjective

PreparationEngagemen

tPresence Effect/Cons

equencesDNIFramework

Cyber Kill Chain

MITREATT&CK

NSATAO Reconnaissance Initial Exploitation Establish Persistence Install ToolsMoveLaterally

Collect

Exfil

Exploit

CopyrightswithcaveatsSamuelLiles©

4/18/16 10

ISO/IEC27035:2011providesastructuredandplannedapproachto:1.detect,reportandassessinformationsecurityincidents;2.respondtoandmanageinformationsecurityincidents;3.detect,assessandmanageinformationsecurityvulnerabilities;and4.continuouslyimproveinformationsecurityandincidentmanagementasaresultofmanaginginformationsecurityincidentsandvulnerabilities.

Preparation, identification, containment, eradication, recovery, and lessons learned.

Incident triage, incident coordination, incident resolution

ISO/IEC27035:2011:InformationSecurityIncidentManagement

SANS:CreatingandManaginganIncidentResponseTeam

RFC2350:ExpectationsforComputerSecurityIncidentResponse

CERT: Handbook for Computer Security Incident Response Teams (CSIRTs)

NIST800-61:ComputerSecurityIncidentHandlingGuide

4/18/16 11

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

4/18/16 12

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

Dr.Andy Ozment

4/18/16 13

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

Mr.John Felkerhttps://www.dhs.gov/national-cybersecurity-and-communications-integration-center

Mr.BradNixhttps://www.us-cert.gov

Mr.MartyEdwardshttps://ics-cert.us-cert.gov

4/18/16 14

https://www.us-cert.gov/nccic/ncc-watch https://www.dhs.gov/office-intelligence-and-analysis

Whoisincharge?TheexactcompositionoftheCyberUnifiedCoordinationGroup(UCG)IncidentManagementTeam(IMT)willbedetermined bytheAssistantSecretary forCyberSecurityandCommunications (CS&C)basedonthenatureandscopeoftheincident,andwillalwaysinclude• ASeniorDefense Official• ASeniorFederalLawEnforcement Official• ASenior IntelligenceCommunity(IC)Official• SeniorPrivateSectorOfficial(s) (chosenbasedonthespecificnatureoftheincident)

• OtherCyberUnifiedCoordinationGroup(UCG)SeniorOfficialswithprimarystatutoryorjurisdictional responsibilityandsignificantoperational responsibilitychosenbasedonthenatureoftheincident;

• SeniorOfficialsmaybechosen fromdepartments, agencies, andorganizationswithcapabilities,authorities, andresponsibilities relevanttotheincident.

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

Senior =SES orGO

4/18/16 15

Whatdotheydo?

TheAssistantSecretary forCyber SecurityandCommunications(CS&C),withthesupportoftheNationalCybersecurity andCommunications IntegrationCenter (NCCIC)andinconcertwiththeCyberUnifiedCoordinationGroup(UCG)IncidentManagementTeam (IMT),isresponsible for—

• Establishingtheincidentactionplan• EnsuringoverallcoordinationofSignificantCyberIncidentmanagementandresource

• allocationactivities• Facilitatinginteragencyconflictresolutionorelevatingmatters,asnecessary

• Coordinatingresponsebetweenmultiplecyberincidentswhenapplicable

• EnsuringtheNationalOperationsCenter(NOC)andNationalInfrastructureCoordinationCenter(NICC)receivetimelyupdatesonthestatusofresponseactivities

• Coordinatingexternalaffairsactivities.Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

4/18/16 16

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

4/18/16 17

Source: NationalCyberIncidentResponsePlanInterim(2010)http://www.federalnewsradio.com/wp-content/uploads/pdfs/NCIRP_Interim_Version_September_2010.pdf

TheNCCIC, asthenational focalpoint forcyberincidentmanagementandcoordination during cyber-specificincidents,isthepointofintegrationforallinformation fromFederal departments and agencies, StateLocal,Tribal, andTerritorialgovernments, andtheprivate sectorrelatedtosituationalawareness,vulnerabilities, intrusions,incidents,andmitigation activities

This roledoes not changeexisting departments’ andagencies’ authorities ormissions; however, DHS,through theNCCIC,will coordinatewithallpartners, including lawenforcement agencies leading thenational efforttoinvestigateandprosecutecybercrime; theICregardingthreats,intelligence, andattribution;DODelementsregardingintelligence andinformationsharing,military operations todefend thehomeland; StateandLocal governments; andtheprivate sectortoensure common operational situational awareness isbeing leveragedbyallresponse organizations astheyexecutetheirindividual authorities andmissions.

4/18/16 18

Political

Technical

Forensic

EvidenceRequired

TimetoLevelofAttribution

EventHappens

Possible

Probable

Provable

Motive,means,opportunity

IOCs:IP,Hash,URL,method,time, etc.

Crypto,non-repudiation,multi-modesensing,direct

observation

CopyrightswithcaveatsSamuelLiles©

Future

• NCIRPisbeingupdatedhttp://www.afcea.org/content/?q=Blog-when-will-united-states-have-national-cyber-incident-response-plan

• Newcybersecuritypresidentialpanelappointedhttp://www.theverge.com/2016/4/13/11427182/president-obama-cybersecurity-panel-uber-microsoft-mastercard-nsa

• NPPD/NCCICistransforminghttp://www.emergencymgmt.com/safety/Phyllis-Schneck-

Interview.html

• FederalCISOmaybeappointed(interviewshappeningnow)http://www.federaltimes.com/story/government/cybersecurity/2016/02/09/obama-federal-

ciso/80032796/

4/18/16 20

Questions?

4/18/16 21