NIST Incident Response Life Cycle
PREPARATION
DETECTION AND ANALYSIS
CONTAINMENT, ERADICATION, and RECOVERY
POST-INCIDENT ACTIVITY
PREPARATION
Involves establishing and training an incident response team and acquiring the necessary tools and resources. During preparation, the organization also attempts to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments.
DETECTION AND ANALYSIS
Detection of security breaches is necessary to alert the organization whenever incidents occur.
CONTAINMENT, ERADICATION, and RECOVERY
In keeping with the severity of the incident, the organization can mitigate the impact of the incident by containing it and ultimately recovering from it. During this phase, activity often cycles back to detection and analysis—for example, to see if additional hosts are infected by malware while eradicating a malware incident.
POST-INCIDENT ACTIVITY
After the incident is adequately handled, the organization issues a report that details the cause and cost of the incident and the steps the organization should take to prevent future incidents.
Threat Modeling: four steps and four key questions
What is being protected? Model system
What can go wrong with security? Apply model of security threats to system model to identify threats
What should be done about threats? Address threats
Is this model complete and correct? Check model
Approaches to Identifying Threats
•Informal, unstructured consideration of security issues
•Brainstorming or unstructured discussions of security threats in response to system architecture
•Structured discussions using STRIDE mnemonic (or variant)
•Structured discussions using attack libraries
STRIDE
•SPOOFING: pretending to be something or someone else
•TAMPERING: modifying something
•REPUDIATION: claiming you didn't do something
•INFORMATION DISCLOSURE: exposing information to people who are not authorized to see it
•DENIAL OF SERVICE: attacks designed to prevent a system from providing service
•ELEVATION OF PRIVILEGE: enabling a program, device, or user to technically do things that they are not allowed to do
Secure Coding
reducing the number of vulnerabilities in software to a degree that can be mitigated by operational controls (aspirational)
Secure Software Development: Testing
•(Automated) Static and Dynamic Code Analysis to identify security policy violations, such as not validating user input
•(Manual) Peer code reviews by a developer other than the author
•Testing by security team (in addition to business functional testing)
•Web Application vulnerability scanning
•Interception proxy software that logs and examines communications between two endpoints to check for (i) input validation, (ii) parameter validation, (iii) plaintext credentials, and (iv) session tokens that are not pseudo-random and could therefore be guessed by an attacker
•"Fuzzing" that sends large amounts of malformed and unexpected data to a program to trigger failures
•Stress testing by placing extreme demands well beyond planning thresholds to determine degree of robustness (simulating Denial of Service attacks)
Top Ten Secure Coding Practices
1.Validate all inputs
2.Don't ignore compiler warnings
3.Architect for security
4.Avoid unnecessary complexity
5.Deny by default
6.Use least privilege
7.Don't share data you don't have to
8.Defend in depth
9.Strive for quality
10.Use specific secure coding standards (SEI has developed standards for C, C++, Perl, Java, Android)
Ways to protect IoT devices:
Know the governance
Private networks must establish policies on usage, data retention, and surveillance, and communicate those policies to employees/users
Awareness of known and suspected vulnerabilities
Good practices on configuration, limitation of attack surfaces
Research and communication to ensure continuous reevaluation of risk
Penetration testing, analysis of traffic and potential mitigations
Code of Practice for Consumer IoT Security:
1.No default passwords
2.Implement a vulnerability disclosure policy
3.Keep software updated
4.Securely store credentials and security-sensitive data
5.Communicate securely
6.Minimize exposed attack surfaces
7.Ensure software integrity
8.Ensure that personal data is protected
9.Make systems resilient to outages
10.Monitor system telemetry data
Zero Trust Model:
•Zero trust means "verify and never trust"
•Inspect and log all traffic
•Design from the inside out to protect most sensitive data
•Design with compliance in mind for sensitive data
•Embed security into the network DNA by micro-segmentation of the network, using security appliance gateways with access control inside the perimeter of the network
Zero Trust Architecture (NIST 800-207): Network Connectivity Assumptions
1.The enterprise private network is not trustworthy
2.Devices on the network may not be owned or configurable by the enterprise
3.No device is inherently trusted
4.Not all enterprise resources are on enterprise-owned infrastructure
5.Remote enterprise users cannot trust the local network connection
Zero Trust Architecture (NIST 800-207): Network Requirements
●Enterprise systems must have basic network connectivity
●The enterprise must be able to determine which devices/systems are owned or managed by the enterprise and which are not
●The enterprise must be able to capture all network traffic
●Enterprise resources should not be discoverable without accessing a PEP (Policy Enforcement Point)
●The data plane must be logically separate from the control plane
●Enterprise systems must be able to reach the PEP component
●The PEP must be the only component able to reach the Policy Administrator and the Policy Engine
●Remote enterprise systems must be able to access enterprise resources without needing to traverse through the enterprise infrastructure
●Enterprise systems must not be able to reach certain PEPs due to observable factors. For example, mobile systems must not be able to reach certain resources unless using enterprise infrastructure. Observable factors controlling access include location (geolocation or network location) and device type.
User Education
●The human element is a very weak security link
●Importance of having an easy and friendly process for people to report suspicious emails
User Education: Security Awareness Programs
•Mandatory annual training (often computer-based training)
•Live-fire phishing campaign
User Education: Using Strong Passwords
oEarly attempts to get users to use strong passwords:
--Assumption was that people didn't know the importance of using strong passwords
--Perceived solution: tell people what a strong password was and the importance of using one, and people would use them voluntarily
--But people didn't use strong passwords even after being educated
oNext attempt: force people to use strong passwords, but people wrote them down
Security Through Obscurity
●Hiding assets, services, or procedures in non-standard ways
●May be an added measure
●Examples:
oSet up services on non-standard ports
oRename local administrator account
oReconfigure service banners not to report the server operating system type and version
oWhat else?
Cyber Incident Risk Transfer
●Risk transfer: insurance to cover cyber incidents
●Early cyber policies were either (i) highly customized and negotiated policies or (ii) cheap, limited add-ons to other policies
●Today: mainstream policies offered by major insurance companies (including AIG, Nationwide, and Zurich, among others)
Cyber Insurance Potential Coverage
•Cyber insurance can cover direct costs of a cyber incident (but policies vary)
•Network security costs (legal expenses, IT forensics, negotiation and payment of ransom, breach notifications to customers, data restoration, public relations expertise)
•Network business interruptions (from attack, failed software patch, human error)
•"Errors and omissions" coverage for inability to deliver on contracts for products and services
•Reputational harm (profit impact due to brand damage)
•Bricking (covers replacement of equipment rendered useless)
In light of requirements and current design, what are the key "assets" of an ICS to protect?
-The PLC itself: if attacked directly, an attacker can modify the PLC firmware and physically destroy the PLC
-Insider threat
Which solutions mitigate these highest risks to an ICS?
-Encrypt data
-IDS
-Firewall
-Antivirus on workstations
-Monitor control values down at the sensor and make sure the data matches the historian
-Two-factor authentication
CBP Data Breach (2019)
•CBP (US Customs and Border Protection) maintains databases of license plate images, travelers' ID photos, etc.
•A subcontractor transferred copies of the data from CBP to external systems; those external systems were subsequently compromised and the data copied.
•Press release inadvertently (?) identified Perceptics as the subcontractor (provider of license plate readers).
•According to CBP, fewer than 100,000 people were impacted.
•CBP press release says no data is on the Internet or dark web, but media reports finding such data on the dark web (along with financial and location information).
Polish Airline LOT Attack (2015)
•Flight plans must be sent to aircraft before takeoff.
•Flight plans contain data such as route, weather, etc.
•DDoS attack over five hours prevented flight plan transmission.
•Cancelled 10 flights and delayed 15.
Petro Rabigh (2017)
•Saudi Arabian integrated chemical and refining complex.
•June 2017: "Schneider Electric product specialists were called in to assess an apparently malfunctioning Triconex unit. The safety device had tripped part of Petro Rabigh offline, but it wasn't clear why. Everything seemed to be working normally."
•Safety devices are designed to act if dangerous circumstances are detected; they serve as a backup to control systems.
•August 2017: another outage, this time malware (Triton) is found.
•IT infection apparently enabled by a poorly configured firewall; then pivot to OT.
•Got to safety devices via Windows workstations.
•Malware includes memory manipulation capability on Triconex units.
•Plant down for more than one week.
•Response included password changes and 2FA.
•Attackers changed account phone numbers to intercept 2FA login codes.
Norsk Hydro (2019)
•Aluminum production operations are primarily computer controlled but have manual backup; some parts of the operation need to be kept running 24x7 (can't turn furnace off with hot metal inside).
•Expensive emergency shutdown due to cyber attack has happened: German steel mill in 2014.
•Ransomware blocked access to computer control systems.
•Some production was stopped, some switched to manual control.
•Affected plants were isolated.
•Some operations down or reduced for weeks.
•Ransomware was LockerGoga:
oManual targeting (not a worm).
oEffectively destroyware (no way to decrypt files).
•Attackers leveraged the single central Active Directory domain to infect multiple workstations simultaneously.
•OT (ICS) not on AD; MS Office servers in the cloud (and unaffected).
Please match Kohnfelder and Garg's threat names to corresponding definition
Spoofing of user identity
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
E. Breaching the user's authentication information
Please match Kohnfelder and Garg's threat names to corresponding definition
Tampering with data
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
D. Modifying system or user data with or without detection
Please match Kohnfelder and Garg's threat names to corresponding definition
Repudiability
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
B. An untrusted user performing an illegal operation without the ability to be traced
Please match Kohnfelder and Garg's threat names to corresponding definition
Information disclosure
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
C. Compromising the user's private or business-critical information
Please match Kohnfelder and Garg's threat names to corresponding definition
Denial of Service
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
Please match Kohnfelder and Garg's threat names to corresponding definition
Elevation of privilege
A. Making the system temporarily unavailable or unusable, such as those attacks that could force a reboot or restart of the user's machine
B. An untrusted user performing an illegal operation without the ability to be traced
C. Compromising the user's private or business-critical information
D. Modifying system or user data with or without detection
E. Breaching the user's authentication information
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
F. An unprivileged user gains privileged access and thereby has sufficient access to completely compromise or destroy the entire system
Which of the following is not a mechanism of attack according to the CAPEC Mechanism of Attack hierarchy of attack patterns?
A. Engage in Deceptive Interactions, such as spoofing
B. Abuse Existing Functionality, such as flooding
C. Inject Unexpected Items, such as code injection
D. Reverse Engineering in the Physical Security Domain of Attack
D. Reverse Engineering in the Physical Security Domain of Attack
According to CAPEC, firmly grasping the attacker's perspective and approaches used to exploit software systems is necessary to enhance security throughout the software development lifecycle.
True or False
True
According to CAPEC, to identify and mitigate relevant vulnerabilities in software, the development community only needs good software engineering and analytical practices, a solid grasp of software security features, and a powerful set of tools.
True or False
False
According to CAPEC, what is the typical severity of HTTP Response Splitting?
A. CAPEC does not provide a severity
B. High
C. Low
D. Medium
B. High
OWASP
Injection
These occur when untrusted data is sent to an interpreter as part of a command or query. The attacker's hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Examples of this risk can occur in SQL, NoSQL, and LDAP.
Broken Authentication
Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.
Sensitive data exposure
Many web applications and APIs do not properly protect sensitive data, such as financial, healthcare, and PII. Attackers may steal or modify such weakly protected data to conduct credit card fraud, identity theft, or other crimes. Sensitive data may be compromised without extra protection, such as encryption at rest or in transit, and requires special precautions when exchanged with the browser.
XML External Entities
Many older or poorly configured XML processors evaluate external entity references within XML documents. External entities can be used to disclose internal files using the file URI handler, internal file shares, internal port scanning, remote code execution, and denial of service attacks.