Copyright © 2012, Elsevier Inc. All Rights Reserved

Chapter 11

Response

Cyber Attacks

Protecting National Infrastructure, 1st ed.

The University of Adelaide, School of Computer Science

12 August 2019

Chapter 2 — Instructions: Language of the Computer

Introduction

The incident response process is the most familiar component of any cyber security program.

An incident response process contains at least the following steps:

Incident trigger

Expert gathering

Incident analysis

Response activities



Fig. 11.1 – General incident response process schema


Pre- Versus Post-Attack Response

There are two fundamental types of incident triggers:

Tangible, visible effects of an attack

Early warning and indications information

These lead to two approaches to the incident response process:

Front-loaded prevention, which acts on early warning information before damage is visible

Back-loaded recovery, which acts once the effects of an attack are tangible

The two approaches should be combined for a comprehensive response picture.

For national infrastructure, acting early is worth suffering a high number of false positives.



Fig. 11.2 – Comparison of front-loaded and back-loaded response processes


Indications and Warning

Front-loaded prevention is critical to national infrastructure protection.

Taxonomy of early warning process triggers:

Vulnerability information

Changes in profiled behavioral metrics

Match on an attack metric pattern

Component anomalies

External attack information

Front-loaded prevention requires high sensitivity to triggers, i.e., a low intensity threshold for initiating a response, and therefore tolerates more false positives.
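The two trigger types and the two response thresholds described in the preceding slides can be made concrete. The following Python is an added illustration for this page, not code from the book or its author: it scores constructed indicators against the five early-warning trigger classes plus tangible effects, then shows which assets a front-loaded (low threshold) and a back-loaded (high threshold) process would open a case for. The per-class weights, the two threshold values, the asset names and the sample indicators are all assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The five early-warning trigger classes from the taxonomy above. The numeric
# weights are an assumption of this illustration, not values from the book.
EARLY_WARNING_WEIGHTS = {
    "vulnerability_information": 1,
    "behavioral_metric_change": 2,
    "attack_pattern_match": 3,
    "component_anomaly": 2,
    "external_attack_information": 2,
}
# A tangible, visible effect means the attack is already underway.
TANGIBLE_EFFECT_WEIGHT = 10

# Response thresholds (assumed). Front-loaded prevention fires on modest
# early-warning evidence; back-loaded recovery waits for a tangible effect.
FRONT_LOADED_THRESHOLD = 3
BACK_LOADED_THRESHOLD = 10


@dataclass(frozen=True)
class Indicator:
    asset: str
    kind: str    # an EARLY_WARNING_WEIGHTS key or "tangible_effect"
    detail: str


def indicator_weight(ind):
    """Map one indicator to its trigger weight; reject unknown classes loudly
    so a mistyped trigger class cannot silently contribute nothing."""
    if ind.kind == "tangible_effect":
        return TANGIBLE_EFFECT_WEIGHT
    if ind.kind not in EARLY_WARNING_WEIGHTS:
        raise ValueError(f"unknown trigger class: {ind.kind}")
    return EARLY_WARNING_WEIGHTS[ind.kind]


def score_by_asset(indicators):
    """Accumulate trigger weight per asset."""
    scores = defaultdict(int)
    for ind in indicators:
        scores[ind.asset] += indicator_weight(ind)
    return dict(scores)


def triggered(indicators, threshold):
    """Assets whose accumulated score reaches the response threshold."""
    return sorted(a for a, s in score_by_asset(indicators).items() if s >= threshold)


def compare_approaches(indicators):
    """Which assets each approach would open a response case for."""
    return {
        "front_loaded": triggered(indicators, FRONT_LOADED_THRESHOLD),
        "back_loaded": triggered(indicators, BACK_LOADED_THRESHOLD),
    }


def early_only(indicators):
    """Assets the front-loaded approach responds to without any tangible effect:
    the cases it accepts as potential false positives in exchange for acting early."""
    res = compare_approaches(indicators)
    return sorted(set(res["front_loaded"]) - set(res["back_loaded"]))


# Constructed sample indicators for the illustration (not real data).
SAMPLE = [
    Indicator("scada-hmi-01", "vulnerability_information", "vendor advisory for HMI firmware"),
    Indicator("scada-hmi-01", "behavioral_metric_change", "outbound DNS volume 4x profiled baseline"),
    Indicator("billing-db-02", "vulnerability_information", "unpatched database listener"),
    Indicator("mail-gw-03", "attack_pattern_match", "signature of a known phishing kit"),
    Indicator("mail-gw-03", "external_attack_information", "sector CERT reports the same kit at a peer"),
    Indicator("mail-gw-03", "tangible_effect", "mailbox rules forwarding to an external domain"),
]

if __name__ == "__main__":
    print(score_by_asset(SAMPLE))
    print(compare_approaches(SAMPLE))
    print("early-only (possible false positives):", early_only(SAMPLE))
```

With these assumed weights the mail gateway, which already shows a tangible effect, is picked up by both approaches; the SCADA HMI, with only an advisory and a behavioral drift, is picked up by the front-loaded process alone. That second case is exactly the trade the slide describes: an early response that may prove to be a false positive.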



Fig. 11.3 – Comparison of trigger intensity threshold for response


Incident Response Teams

An optimal incident response team includes two components:

A core set of individuals

A set of subject matter experts called in as needed

In complex settings with multiple simultaneous incidents, it is important that the team not work at cross-purposes.



Fig. 11.4 – Management of simultaneous response cases


Incident Response Teams

Response teams in a national setting must plan for multiple concurrent attacks aimed at a company or agency.

Considerations for proper planning include:

Avoidance of a single point-of-contact individual

Case management automation

Organizational support for expert involvement

24/7 operational support


Forensic Analysis

Questions addressed in the forensic analysis process include:

Root cause

Exploits

State

Consequences

Action

Great care must be taken to protect and preserve evidence.
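The slide says evidence must be protected and preserved but does not show how an analyst demonstrates that nothing changed between collection and analysis. The following Python is an added illustration for this page, not code from the book: it builds a hash manifest (digest, size, collector, time) over a directory of collected evidence and later re-verifies it, reporting files that were modified, lost, or added after collection. The manifest field names, the case identifier, the collector address and the sample evidence files are constructed for the example.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 16


def sha256_file(path):
    """Stream a file through SHA-256 so large images (disk, memory) do not need
    to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir, case_id, collector):
    """Record a digest and size for every collected file, plus who collected it
    and when. Field names are this illustration's choice."""
    files = {}
    for root, _, names in os.walk(evidence_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            rel = os.path.relpath(path, evidence_dir)
            files[rel] = {"sha256": sha256_file(path), "size": os.path.getsize(path)}
    return {
        "case_id": case_id,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "files": files,
    }


def manifest_digest(manifest):
    """Digest of the canonical JSON form of the manifest. Store or sign this
    separately from the evidence so the manifest itself cannot be quietly edited."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def verify_manifest(evidence_dir, manifest):
    """Re-hash the evidence and report each file as ok, modified, missing,
    or unexpected (present on disk but never recorded)."""
    status = {}
    for rel, rec in manifest["files"].items():
        path = os.path.join(evidence_dir, rel)
        if not os.path.isfile(path):
            status[rel] = "missing"
        elif sha256_file(path) != rec["sha256"]:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    for root, _, names in os.walk(evidence_dir):
        for name in names:
            rel = os.path.relpath(os.path.join(root, name), evidence_dir)
            status.setdefault(rel, "unexpected")
    return status


def demo():
    """Collect constructed evidence, then show how the manifest exposes
    post-collection changes. Returns (status_before, status_after)."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed evidence for the illustration, not from a real incident.
        with open(os.path.join(d, "auth.log"), "wb") as f:
            f.write(b"Aug 12 02:14:07 hmi01 sshd[4121]: Accepted password for operator from 10.0.9.77\n")
        with open(os.path.join(d, "memdump.bin"), "wb") as f:
            f.write(bytes(range(256)) * 64)
        manifest = build_manifest(d, "CASE-0001", "analyst@example.org")
        before = verify_manifest(d, manifest)
        # Simulate what preservation is meant to catch: an appended log line,
        # a lost image, and a file added after collection.
        with open(os.path.join(d, "auth.log"), "ab") as f:
            f.write(b"Aug 12 02:14:09 hmi01 sshd[4121]: session closed\n")
        os.remove(os.path.join(d, "memdump.bin"))
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"added after collection\n")
        after = verify_manifest(d, manifest)
        return before, after


if __name__ == "__main__":
    b, a = demo()
    print("at collection:", b)
    print("later check:  ", a)
```

In practice the manifest digest is what gets recorded in the chain-of-custody log (or signed) at collection time; re-running the verification before analysis, and again before handing evidence to counsel or law enforcement, gives the team something concrete to say about integrity rather than an assurance that the files were "kept safe".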



Fig. 11.5 – Generic high-level forensic process schema


Forensic Analysis

An internal expert is most likely the best choice to lead a company investigation.

The investigation works through the same five questions: root cause, exploits, state, consequences, action.

Forensic analysts need the following:

A culture of relative freedom

Access to interesting technology

The ability to interact externally


Law Enforcement Issues

Should law enforcement be involved and called upon for support?

Carefully review local, regional, and national laws regarding when law enforcement must be contacted.

Figure 11.6 outlines a decision process.



Fig. 11.6 – Decision process for law enforcement involvement in forensics


Disaster Recovery

Three components of a disaster recovery program:

Preparation

Planning

Practice


Fig. 11.7 – Disaster recovery exercise configurations


National Response Program

National programs can provide centralized coordination.

Intrasector coordination should be encouraged.

Currently, coordination is not the main focus of most national emergency response team programs.



Fig. 11.8 – National response program coordination interfaces
