Slide 1
DEFENDING CRITICAL INFRASTRUCTURE: LESSONS LEARNED FROM THE FIELD
NCCIC | NATIONAL CYBERSECURITY & COMMUNICATIONS INTEGRATION CENTER
Mark Bristow, Deputy Division Director
Hunt and Incident Response Team (HIRT)

Slide 2 (NCCIC | HIRT, UNCLASSIFIED//FOR OFFICIAL USE ONLY)
Hunt and Incident Response Team (HIRT)
The NCCIC HIRT provides expert intrusion analysis and mitigation guidance to clients who lack in-house capability or require additional assistance with responding to a cyber incident.
• Federal agencies
• State and local governments
• Private sector (industry & critical infrastructure)
• Academia
• International organizations
Uniquely Positioned for Comprehensive Analysis
• Classified & unclassified TTPs
• Public & private sector partners
• Established relationships with law enforcement, the intelligence community, and international partners

Slide 3
Incident Response Root Cause Analysis*
• Implement Application Whitelisting – 38%
• Ensure Proper Configuration/Patch Management – 29%
• Reduce your Attack Surface Area – 17%
• Build a Defendable Environment – 9%
• Manage Authentication – 4%
• Monitor and Respond – 2%
• Implement Secure Remote Access – 1%
*Based on FY14-15 ICS-CERT Incident Response Data
Slide 4
• NCCIC/HIRT on-site incident response in the healthcare sector
• Over 80% of systems were executing malware
• Malware had a 0% detection rate on VirusTotal
• Application whitelisting would have precluded the malware from executing
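As an added example (not code from this deck or from NCCIC/HIRT), the baseline-then-audit-then-enforce workflow that puts the whitelisting lesson above into practice on a Windows host using AppLocker's own cmdlets; the approved directories, the policy path, the unknown sample's file name and the "Everyone" scope are assumptions for illustration.

```powershell
# Added example: default-deny application allowlisting with AppLocker.
# Directories, policy path, sample file name and user scope are assumptions.

# 1. Inventory the executables the asset owner has approved (assumed install locations).
$approved  = Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse
$approved += Get-AppLockerFileInformation -Directory 'C:\Windows\System32' -Recurse

# 2. Generate allow rules: publisher rules for signed binaries, hash rules for the rest.
$policyPath = 'C:\Policies\allowlist.xml'   # assumed path
New-AppLockerPolicy -FileInformation $approved -RuleType Publisher, Hash `
    -User Everyone -Optimize -Xml | Out-File -Encoding UTF8 $policyPath

# 3. Start in audit mode: AppLocker event 8003 records what *would* have been blocked,
#    so the baseline can be corrected without taking down clinical or control systems.
$xml = [xml](Get-Content $policyPath)
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'   # change to 'Enabled' once 8003 events are clean
}
$xml.Save($policyPath)

# 4. Dry-run a never-before-seen binary (assumed path) against the policy. With no matching
#    allow rule the decision is DeniedByDefault, whether or not any AV engine has a signature.
Test-AppLockerPolicy -XmlPolicy $policyPath -Path 'C:\Users\Public\unknown-sample.exe' -User Everyone

# 5. Apply locally. Enforcement needs the Application Identity service (AppIDSvc) running;
#    on current Windows builds its startup type is set with sc.exe rather than Set-Service.
sc.exe config AppIDSvc start= auto
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyPath
```

Once enforcement is switched to Enabled, denied executions appear as event 8004 in the Microsoft-Windows-AppLocker/EXE and DLL log, which is the telemetry an incident response team wants forwarded.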
Slide 5
Configuration Management/Patching Program
• Vulnerabilities are regularly discovered in ICS products and commodity IT products used in ICS
• Intrusions into vendors create interesting supply chain issues
• Patch validation and management are key elements of a security program
• Intrusions from zero-day vulnerabilities are rare
[Chart: ICS-CERT Vulnerabilities by Calendar Year]
Calendar Year   ICS-CERT Vulnerabilities
2010            41
2011            141
2012            147
2013            181
2014            165
2015            177
Slide 6
Reduce Surface Area: Case Study
Slide 7
Defendable Environment: Case Study
• In a 2012 case, a pipeline operator had directly connected the corporate network to the control network for users “requiring” real-time access
  – Adversary had ability to
Slide 11
Protected Critical Infrastructure Information (PCII)
• What is PCII?
  – PCII is defined in Section 212.3 of the CII Act of 2002 as “…information not customarily found in the public domain and related to the security of critical infrastructure (CI) or protected systems.”
  – Unique protection offered by DHS to CI asset owners and integrators under the CII Act of 2002
• PCII is protected from:
  – Freedom of Information Act (FOIA) requests made of DHS (Exemption 3b),
  – State, tribal, and local disclosure laws,
  – Use in regulatory actions, or
  – Use in civil litigations.
• How easy is it to get PCII protections?
  – A PCII Express and Certification statement can be requested by an asset owner or integrator over the phone.
  – Covers all information given over the phone or sent by email
Slide 12
Questions?