
May 28, 2020


DEFENDING CRITICAL INFRASTRUCTURE: LESSONS LEARNED FROM THE FIELD

NCCIC | NATIONAL CYBERSECURITY & COMMUNICATIONS INTEGRATION CENTER

Mark Bristow, Deputy Division Director

Hunt and Incident Response Team (HIRT)

NCCIC | HIRT UNCLASSIFIED//FOR OFFICIAL USE ONLY

Hunt and Incident Response Team (HIRT)

• Federal agencies
• State and local governments
• Private sector (industry & critical infrastructure)
• Academia
• International organizations

• Classified & unclassified TTPs
• Public & private sector partners
• Established relationship with law enforcement, intelligence community, and international partners

The NCCIC HIRT provides expert intrusion analysis and mitigation guidance to clients who lack in-house capability or require additional assistance with responding to a cyber incident

Uniquely Positioned for Comprehensive Analysis


Incident Response Root Cause Analysis*

Implement Application Whitelisting – 38%

Ensure Proper Configuration/Patch Management – 29%

Reduce your Attack Surface Area – 17%

Build a Defendable Environment – 9%

Manage Authentication – 4%

Monitor and Respond – 2%

Implement Secure Remote Access – 1%

*Based on FY14-15 ICS-CERT Incident Response Data


Application Whitelisting: Case Study

• NCCIC/HIRT on-site incident response in the healthcare sector

• Over 80% of systems were executing malware

• Malware had a 0% detection rate on VirusTotal

• Application whitelisting would have precluded the malware from executing


Configuration Management/Patching Program

• Vulnerabilities are regularly discovered in ICS products and commodity IT products used in ICS

• Intrusions into vendors create interesting supply chain issues

• Patch validation and management are key elements of a security program

• Intrusions from zero-day vulnerabilities are rare

[Chart: ICS-CERT Vulnerabilities by Calendar Year, 2010–2015; bar labels shown: 41, 141, 147, 181, 165, 177]


Reduce Surface Area: Case Study


Defendable Environment: Case Study

• In a 2012 case, a pipeline operator had directly connected the corporate network to the control network for users “requiring” real-time access
– Adversary had the ability to conduct unauthorized operations
– UN/PW for SCADA stolen

• Success: Nuclear sector asset owner fails to scan removable media, limits damage


Ukraine Cyber Attacks


Will you detect it? Tips and Tricks

• Have a centralized logging server and have a person actually look at the logs

• Periodically monitor and inventory running processes and look for unsigned processes and low-frequency processes

• Periodically hash all files on disk to compare against known bads

• Log DNS requests and review for known bad domains

• Monitor successful logins

• Conduct network baselining and change detection
o Look for new communications paths between hosts
o Review any host-to-host communications outside of baseline
o Look for traffic increases or decreases from baseline

Monitor! Monitor! Monitor! Monitor!
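As an added example (not part of the NCCIC/HIRT deck), the network baselining and change-detection check from the list above, run over constructed connection records: a baseline window is learned, then a later window is compared against it to flag new host-to-host paths and large volume changes. All hosts, ports and byte counts are constructed sample values.

```python
# Added example: network baselining and change detection over connection
# records of the form (src, dst, dst_port, bytes). The baseline is learned from
# a known-good window; a later window is compared against it to flag
# (1) new host-to-host communication paths and (2) large volume changes on
# known paths, which are the checks the slide lists.
from collections import defaultdict

# Constructed sample records (not real data). 10.1.1.x = workstations/HMI,
# 10.1.2.x = PLCs, 10.1.3.5 = internal DNS, 203.0.113.7 = external host.
BASELINE_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, 4_000),   # HMI -> PLC, Modbus
    ("10.1.1.10", "10.1.2.20", 502, 4_200),
    ("10.1.1.10", "10.1.2.21", 502, 3_900),
    ("10.1.1.11", "10.1.3.5", 53, 600),       # workstation -> DNS
    ("10.1.1.11", "10.1.3.5", 53, 650),
]
CURRENT_WINDOW = [
    ("10.1.1.10", "10.1.2.20", 502, 4_100),
    ("10.1.1.10", "10.1.2.21", 502, 90_000),  # far above its baseline volume
    ("10.1.1.11", "10.1.3.5", 53, 620),
    ("10.1.1.11", "10.1.2.20", 502, 1_200),   # workstation -> PLC: new path
    ("10.1.2.20", "203.0.113.7", 443, 2_000), # PLC -> internet: new path
]

def build_baseline(records):
    """Sum bytes per (src, dst, dst_port) path over one window."""
    totals = defaultdict(int)
    for src, dst, port, nbytes in records:
        totals[(src, dst, port)] += nbytes
    return dict(totals)

def detect_changes(baseline, records, ratio=5.0):
    """Return (kind, path, bytes) findings: paths absent from the baseline,
    known paths whose volume moved more than `ratio` x up or down, and
    baseline paths that have gone silent."""
    current = build_baseline(records)
    findings = []
    for path, nbytes in sorted(current.items()):
        if path not in baseline:
            findings.append(("new_path", path, nbytes))
        elif nbytes > baseline[path] * ratio:
            findings.append(("volume_increase", path, nbytes))
        elif nbytes * ratio < baseline[path]:
            findings.append(("volume_decrease", path, nbytes))
    for path in sorted(set(baseline) - set(current)):
        findings.append(("path_went_silent", path, 0))
    return findings

if __name__ == "__main__":
    for kind, path, nbytes in detect_changes(build_baseline(BASELINE_WINDOW), CURRENT_WINDOW):
        print(f"{kind:16} {path[0]} -> {path[1]}:{path[2]} bytes={nbytes}")
```

In practice the baseline window is days or weeks of flow data and the ratio is tuned per path class, but the two questions asked are the same as on the slide.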


Engagement Timeline

1. Sign a RTA or FNA
• Request for Technical Assistance (RTA)
• Federal Network Authorization (FNA)

2. Provide Pre-Hunt Briefing to client
• Sharing of system artifacts (e.g., diagrams)
• Discuss rules of engagement (RTA or FNA)
• Clarify any milestones
• Finalize logistics

3. Kick off meeting to scope engagement

4. Prepare for engagement
• Provide host-based agent
• Client installs host-based agent
• Setup Technical Engagement Network

5. On-site (approximately 7–21 days)

6. Memorandum or Engagement Report (approximately 30–45 days after engagement)

7. Brief Memorandum or Engagement Report to client


Protected Critical Infrastructure Information - PCII

• What is PCII?
– PCII is defined in Section 212.3 of the CII Act of 2002 as “…information not customarily found in the public domain and related to the security of critical infrastructure (CI) or protected systems.”
– Unique protection offered by DHS to CI asset owners and integrators under CII Act of 2002

• Freedom of Information Act (FOIA) requests made of DHS (Exemption 3b),
• State, tribal, and local disclosure laws,
• Use in regulatory actions, or
• Use in civil litigations.

• How easy is it to get PCII protections?
– A PCII Express and Certification statement can be requested by an asset owner or integrator over the phone.
– Covers all information given over the phone or sent by email


Questions?
