Selex ES at Le Bourget 2013 Cyber Partnership
5 likes1,950 views
This document discusses building and managing comprehensive computer incident response capabilities through multinational cybersecurity partnerships and alliances. It outlines approaches to collaboration, tooling, and building capabilities in a way that considers legal authorities and returns on investment. Effective incident response requires assessing vulnerabilities, implementing defensive measures, and taking an approach to tooling and collaboration that allows for detection, analysis, and active response or reporting to authorities while respecting applicable laws.
![Towards Cyber Systems Interoperability:
STIX: Structured Threat Information eXpression Language
Associated Campaigns[*]
HistoricalCampaigns[*]
AssociatedActors[*]
RelatedIncidents[*]
RelatedThreatActors[*]
PotentialCOAs[*]
ExploitTargets[*]
LeveragedTTPs[*]
RelatedIndicators[*
]
RelatedTTPs[*]
RelatedIndicators[*]
Related Indicators[*]
ObservedTTPs[*]
Attribution[*]
RelatedTTPs[*] IndicatedTTPs[*]
Observables[*]
Sub-Observables[*]
RelatedIncidents[*]
COATaken[*]
COARequested[*]
SuggestedCOA[*]
Campaign
TTP
Threat
Actor
Exploit
Target
COA
Incident
ObservableIndicator
Source:
MITRE Structured Threat Information eXpression (STIX) v.1.0
Source: CJCS/NATO Joint Terminology for Cyberspace Operations](https://image.slidesharecdn.com/1lebourgetcyberpartnershipslides-130617071206-phpapp01/85/Selex-ES-at-Le-Bourget-2013-Cyber-Partnership-22-320.jpg)
Selex ES at Le Bourget 2013 Cyber Partnership
- 1. Multinational Cybersecurity Partnerships & Alliances: Building & Managing a Comprehensive Computer Incident Response Capability
- 2. Outline of our talk Outline Introductions Starting with Protection & Defence Scope and ambition of CIRC Approach to tooling The need for collaboration
- 3. February 2012 British led consortium 28 Nations 22,000 users October 2013 FOC
- 4. We help clients that are key national organisations
- 5. The risks our clients run from data loss, theft or cyber attack are serious to existential Ability to recover Human Safety Accreditation Status Reputation Financial control Ability to perform Intellectual Property
- 6. Drives the nature and extent of measures required to achieve desired security The services we provide depend on the problem we find level of threat level of vulnerability Understanding the threat actors, methods and history Understanding the technical vulnerabilities and weaknesses in security governance and user habits Extent of security measures required X =
- 7. Assess Confirm Competitive Advantage. Information Superiority. Aware, Deter, Detect & Resist, DefendAssure Audit Discovery Health Checks Policy Training Accreditation support Design, build, operate Secure systems Protective Monitoring Services Respond Investigation Forensics Protect Implement Selex ES cyber services are a coherent set, designed to address threats and resolve vulnerabilities
- 8. Ensure: The Mission Protect: The Data Continuously monitor: The Network Northrop Grumman Approach to Cybersecurity Full Dimensional Assurance Blueprint People and Processes Technology Enhanced automation Temporal improvement Information protection strategy Risk based approach Data centric protection Application integrity Adaptive architecture Continuous situation awareness & response Integrated and Continual Improvements It’s how we view our job for our networks and our customer’s networks
- 9. The Northrop Grumman Cybersecurity Operations Center (CSOC) 9 Computer Network Defense Activities: 1. Monitoring o Monitors the NGGN and related devices for signs of malicious activity 2. Vulnerability Management o Security risks and ensuring appropriate remediation 3. Patch Management o Rapid deployment of vendor provided fixes to identified vulnerabilities 4. Forensics o Information security post-incident analysis 5. Incident Response o Rapid response to malicious activity on the NGGN and related environments 6. Cyber Threat o Analysis of emerging threats to the NGGN and related environments 7. Sector o Sector-specific computer network defense requirements LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024
- 10. Don’t start by building a CIRC Instead, analyse your enterprise vulnerabilites: People- yours, your suppliers and partners and your customers Processes Organisation Leadership and governance Physical sites Data Applications Information and telecoms infrastructure and bought- in services Your security maturity (e.g. ISO 27001)
- 11. Getting the house in order Probably not enough: Implementation of an appropriate defensive suite: automated vulnerability scanning ICT infrastructure and systems log collation and storage IDS/IPS and associated log collection potentially, a spectrum of active protective monitoring: o Security Information and Event Management o Full Packet Capture o Deep Packet Inspection o associated management, storage and alerting / reporting service level Credit: Active Audit Agency: Ukraine
- 12. Scope and ambition Assuming your vulnerabilities are managed, it depends on the threat you face and your freedom of movement
- 13. Typical Threat World (Offense) Time Attacker Surveillance Access Probe Target Analysis Attack Set-up Performing Reconnaissance Attack Begins System Intrusion Affecting The Attack Attack Complete Packaging Exfiltration Modification Executing The Mission Cover-up Complete Covering The Tracks LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024
- 14. Attack Forecast Physical Security Intrusion Detection Analysis Begins System ReactionDamage Identification Recovery Defender Reconnaissance Entry Monitoring & Control Impact Analysis Response Threat Analysis Attack Identified Time Preparing the Defense Monitoring For an Attack Triage and Situation Assessment After Action LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024 Typical Threat World (Defense)
- 15. It Doesn’t Always Line Up Attacker Free Time Recovery Attack Forecast Physical Security Intrusion Detection Analysis Begins System ReactionDamage Identification Defender Reconnaissance Entry Monitoring & Control Impact Analysis Response Threat Analysis Attack Identified Time Defender Action Time Time Attack Begins System Intrusion Attacker Surveillance Access Probe Attack Complete Target Analysis Attack Set-up Packaging Exfiltration Modification Cover-up Complete Reduce This By moving/shrinking this LD-CA-BOK-004, Rev. 16, March 2013, ISHQ-2013-0024
- 16. Factors affecting your respond posture: Your legal entitlement – you have heard this today! Cost of maintaining the capability The return on investment you would expect (consider insurance!)
- 17. Approach to tooling Detection Incident management Analysis Active response or reporting to Authority Evidence management Not forgetting the people!
- 18. Layered Cybersecurity Defense Framework Computer Network Defense Defense-In-Depth The FanTM Perimeter Firewall Perimeter IDS/IPS Advanced Sensor Honeypot Message Security (anti-virus, anti-malware) DLP Secure DMZs Application Security Malware Analysis NAC/Endpoint Profiler Enclave Firewall DLP Wireless/Mobile Protection Web Proxy Content Filtering Enterprise IDS/IPS VoIP Protection Virtual Network Security Enterprise Message Security Enterprise Remote Access Endpoint Security Enforcement DLP Desktop Firewall Host IDS/IPS Content Security (anti-virus, anti-malware) Patch Management USGCB Compliance SIEM Digital Forensics Security SLA/SLO Reporting Escalation Management Focused Ops SOC/NOC Monitoring (24x7) Incident Reporting, Detection, Response (CIRT) Security Dashboard Continuous Monitoring and Assessment Situational AwarenessVulnerability Assessment Security Awareness Training Continuous C&A IT Security Governance Security Policies & Compliance Security Architecture & Design Threat Modeling Penetration Testing Cyber Threat Intelligence Security Technology Evaluation Risk Management Framework WAF Static App Testing/Code Review Database Secure Gateway (Shield) Database Monitoring /Scanning Dynamic App Testing DAR/DIM/DIU Protection Data Wiping Cleansing PKI FICAM Enterprise Right Management DLP Data Classification Data/Drive Encryption Data Integrity Monitoring © 2013 Northrop Grumman Corporation Acronyms & Abbreviations: DAR: Data At Rest DIM: Data In Motion DIU: Data In Use DLP: Data Loss Prevention IDP: Intrusion Detection and Prevention FICAM: Federal Identity Credential and Access Management NAC: Network Access Control PKI: Public Key Infrastructure SIEM: Security Information Event Management USGCB: US Govt Configuration Baseline OUTSIDE THREAT Mission Critical Assets Inside Threats The “Fan™” - Layered Cybersecurity Defensive Reference Model
- 19. Why COTS Security Will Always Be a Step Behind 19 Well funded adversaries have access to the same technologies as the defenders Advanced Adversaries’ Attack Tool Test Environment Defender’s COTS-based Security Architecture
- 20. Good Guys Have Some Ways to Level the Field Behavioral analytics (Who talks and works with who) Partnerships for threat information sharing Threat intelligence team augmentation Custom file analysis Custom monitoring of network traffic for C2 channels Organizational agility to respond to changing threat tactics Perimeter Firewall Perimeter IDS/IPS Advanced Sensor Honeypot Message Security (anti-virus, anti-malware) DLP Secure DMZs Application Security Malware AnalysisNAC/Endpoint Profiler Enclave Firewall DLP Wireless/Mobile Protection Web Proxy Content Filtering Enterprise IDS/IPS VoIP Protection Virtual Network Security Enterprise Message Security Enterprise Remote Access Endpoint Security Enforcement DLP Desktop Firewall Host IDS/IPS Content Security (anti-virus, anti-malware) Patch Management USGCB Compliance SIEM Digital Forensics Security SLA/SLO Reporting Escalation Management Focused Ops SOC/NOC Monitoring (24x7) IncidentReporting, Detection, Response (CIRT) Security Dashboard Continuous Monitoring and Assessment Situational Awareness Vulnerability Assessment Security Awareness Training Continuous C&A IT Security Governance Security Policies & Compliance Security Architecture & Design Threat Modeling Penetration Testing Cyber Threat Intelligence Security Technology Evaluation Risk Management Framework WAF Static App Testing/Code Review Database Secure Gateway (Shield) Database Monitoring /Scanning Dynamic App Testing DAR/DIM/DIU Protection Data Wiping Cleansing PKI FICAM Enterprise Right Management DLP Data Classification Data/Drive Encryption Data Integrity Monitoring Mission CriticalAssets Defenders Have to Be Right Every Time… The Field Can Be Leveled by Leveraging Information Available Only to the Defender
- 21. The need for collaboration The value of developing and sharing intelligence, securely The common theme across EU, NATO, other nations and Industry bodies globally
- 22. Towards Cyber Systems Interoperability: STIX: Structured Threat Information eXpression Language Associated Campaigns[*] HistoricalCampaigns[*] AssociatedActors[*] RelatedIncidents[*] RelatedThreatActors[*] PotentialCOAs[*] ExploitTargets[*] LeveragedTTPs[*] RelatedIndicators[* ] RelatedTTPs[*] RelatedIndicators[*] Related Indicators[*] ObservedTTPs[*] Attribution[*] RelatedTTPs[*] IndicatedTTPs[*] Observables[*] Sub-Observables[*] RelatedIncidents[*] COATaken[*] COARequested[*] SuggestedCOA[*] Campaign TTP Threat Actor Exploit Target COA Incident ObservableIndicator Source: MITRE Structured Threat Information eXpression (STIX) v.1.0 Source: CJCS/NATO Joint Terminology for Cyberspace Operations