coalition for cybersecurity policy & law - ntia.doc.gov · deputy associate administration ......
TRANSCRIPT
Coalition for Cybersecurity Policy & Law
600 Massachusetts Ave, NW, Washington, DC 20001
February 12, 2018
VIA EMAIL: [email protected]
Evelyn L. RemaleyDeputy Associate AdministrationNational Telecommunications and Information Administration1401 Constitution Avenue, NWRoom 4725Washington, DC 20230
Re: Comment of the Coalition for Cybersecurity Policy & Law on the Report to the Presidenton Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnetsand Other Automated, Distributed Threats
The Coalition for Cybersecurity Policy & Law (“Coalition”) submits this comment inresponse to the Request for Comments (“RFC”) issued by the Department of Commerce (“DoC”),regarding the Report to the President on Enhancing the Resilience of the Internet andCommunications Ecosystem Against Botnets and Other Automated, Distributed Threats(“Report”). The Coalition appreciates the opportunity to provide feedback on the Report.
The Coalition is comprised of leading companies with a specialty in cybersecurity productsand services dedicated to finding and advancing consensus policy solutions that promote thedevelopment and adoption of cybersecurity technologies.1 We seek to ensure a robust marketplacethat will encourage companies of all sizes to take steps to improve their cybersecurity riskmanagement, and we are supportive of efforts to identify and promote the adoption ofcybersecurity best practices and voluntary standards throughout the global community.
Representatives of Coalition member companies actively participated in the workshophosted by the National Institute of Standards and Technology (“NIST”) that was held to informthis report.
The Coalition broadly supports and agrees with the findings and recommendations of thereport. In particular, we commend the Department of Commerce and the Department of HomelandSecurity (“DHS”) for repeatedly and effectively highlighting the importance of public and privatecollaboration, as well the international policy and standards development and adoption that areessential to long term success.
1 The views expressed in this comment reflect the consensus view of the Coalition and do not necessarily reflect theviews of any individual Coalition member. For more information on the Coalition, seewww.cybersecuritycoalition.org.
Coalition for CybersecurityPolicy & Law
1
In support of this, the Coalition intends to host an event bringing together government andprivate sector leaders and experts to further discuss this important issue and drive progress.
In regards to Action 2.2, the Coalition notes that it has previously provided NIST with aDDoS Mitigation and Prevention Profile based on the combined experience and expertise of itsmember companies, who include providers that offer a range of services specifically designed toachieve the stated goal. We look forward to working with NIST and other private and public sectorpartners to expand and refine this Profile.
Additionally, we believe that a Botnet Prevention and Mitigation Profile is a necessaryaddition to the body of available knowledge, and would be highly complementary to the DDoSMitigation and Prevention Profile discussed. To that end, the Coalition is providing a Profile foryour consideration and to help foster conversation within the broader community.
Conclusion. The Coalition thanks the Department of Commerce and the Department ofHomeland Security for its leadership in coordinating this important effort and for the opportunityto comment.
2
Cybersecurity Framework DDoS and BotnetPrevention and Mitigation Profile(s)
Executive Summary
The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)version 1.0, developed by the National Institute of Standards and Technology (NIST), withextensive private sector input, provides a risk-based and flexible approach to managingcybersecurity risk that incorporates industry standards and best practices. The CybersecurityFramework is by design crafted to allow individual organizations to determine their own uniquerisks, tolerances, threats and vulnerabilities, so that they may prioritize their resources tomaximize effectiveness.
The Framework is general in nature to allow for broad applicability to a variety of industries,
organizations, risk tolerances and regulatory environments. A Framework Profile is the application
of Framework components to a specific situation. A Profile may be customized to suit specific
implementation scenarios by applying the Framework Category and Sub-Categories appropriate to
the situation. Profiles should be constructed to take into account the organization’s:
• Business/mission objectives
• Regulatory requirements
• Operating environment
Organizations can use Profiles to define a desired state for their Cybersecurity posture based on
their business objectives, and use it to measure progress towards achieving this state. It provides
organizations with the ability to analyze cost, effort and risk for a particular objective. Profiles may
also be used by industry sectors to document best practices for protection against specific threats.
The below Cybersecurity Framework Profile focuses on Distributed Denial of Service (DDoS) and
botnet prevention and mitigation. DDoS attacks are increasing in complexity, size, and frequency.
Botnets have long been used as a method for orchestrating DDoS and other attacks. The range of
targets and methods (e.g., from using individual PCs to using connected Internet of Things (IoT)
devices) has also broadened. These threat profiles emphasize how the Cybersecurity Framework
can address DDoS attacks and prevent and mitigate devices that have become parts of a botnet.
To develop the threat profile, we have reviewed all the Cybersecurity Framework Categories andSubcategories and determined those most important to combat the DDoS and botnet threats. TheCategories and Sub-Categories were then labeled into different priorities as follows:
P1 – Minimum actions required to protect network and services against relevant attacks.
P2 – Highly recommended actions to protect network and services against relevant attacks.
P3 – Recommended actions to protect network and services against relevant attacks.
3
The DDoS and Botnet threat mitigation profile represents a Target Profile focused on the desired state
of organizational cybersecurity to mitigate DDoS and botnet threats. It may be used to assist in
identifying opportunities for improving DDoS and botnet threat mitigation and aiding in cybersecurity
prioritization by comparing current state with this desired target state.
The Coalition developed this profile based on version 1.0 of the Cybersecurity Framework. The
comments provided as part of the profile give appropriate guidance to refine the understanding of
relevant Framework subcategories as they apply to DDoS and botnet threat mitigation. While Coalition
members believe that Framework version 1.0, and its associated Core categories and subcategories,
allow for adequate flexibility to develop an effective DDoS threat mitigation profile, we welcome the
updates in draft 2 of version 1.1 of the Framework, as they reflect changes in the evolving nature of
cybersecurity threats and risk management practices, which can further assist organizations in
defending against and mitigating DDoS attacks.
Examples of beneficial changes in draft 2 include updates in Section 3.0 ‘How to Use the Framework’
on how the Framework can be applied in design, build/buy, deploy, operate, and decommission system
lifecycle phases. Cybersecurity practices must be considered throughout the full range of information
technology activities of organizations as industries across all sectors increasingly develop and leverage
IT applications and connected devices. In addition, new Framework Core categories and subcategories
focused on managing supply chain risk will help organizations better defend against key threat vectors
for DDoS attacks.
Overview of the DDoS and Botnet Threats
A DDoS attack attempts to overwhelm a network, service or application with traffic from multiple
sources. There are many methods for carrying out DDoS attacks. These can include
• Low bandwidth connection-oriented attacks designed to initiate and keep many connections
open on the victim exhausting its available resources.
• High bandwidth volumetric attacks that exhaust available network or resource bandwidth.
• Protocol oriented attacks that take advantages of stateful network protocols such as TCP.
• Application layer attacks designed to overwhelm some aspect of an application or service.
Although each of these methods can be highly effective, in recent years, there has been considerable
attention given to volumetric attacks as the result of several high-profile incidents.
One prominent example of a volumetric DDoS attack vector is reflection amplification. This is a type
of DDoS attack in which the attacker fakes the attack target’s IP address and launches queries from this
address to open services on the Internet to solicit a response. The services used in this methodology are
typically selected such that the size of the response to the initial query is many times (x100s) larger than
the query itself. The response is returned to the real owner of the faked IP. This attack vector allows
attackers to generate huge volumes of attack traffic, while making it difficult for the target to determine
the original sources of the attack traffic. Reflection amplification has been responsible for some of the
largest DDoS attacks seen on the Internet through the last decade.
DDoS is often referred to as a ‘weaponized’ threat as technical skills are no longer needed to launch an
attack and services to conduct DDoS have proliferated and become easily obtainable for relatively low4
cost. Attackers can build out their attack capability in many ways, such as the use of malware to infect
Internet connected computers, deploying servers within hosting environments, exploiting program
flaws or other vulnerabilities, and by exploiting the use of inadequate access controls on Internet
connected devices to create botnets.
Botnets are created when an attacker infects or acquires a network of hosts, then controls these
devices to remotely launch an attack at a given target. Increasingly, botnets are incorporating
Internet of Things (IoT) devices, which continue to proliferate at a remarkable rate. Botnets allow
for a wide variety of attack methods aimed at evading or overwhelming defenses. Compromised
devices within an organization can be used by the botnet to carry out attacks; DDoS or otherwise,
targeting assets and infrastructure inside or outside the organization. This can have a significant
negative impact on the overall risk posture of the organization and its reputation and responsibility
in the community. The United States continues to be the most frequent target of DDoS attacks and
infected hosts within the US public and private infrastructure are most frequently leveraged as the
source of DDoS and botnet attacks. Availability is a core information security pillar but the
operational responsibility and discipline for assessing and mitigating availability-based threats
such as DDoS often falls to network operations or application owners in addition to Risk and
Information Security teams. Because of this divided responsibility, fissures in both risk assessment
and operational procedures for addressing these threats may occur. The goal of this profile is to
ensure the strategic and operational discipline needed to protect and respond to DDoS threats is
comprehensively addressed by applying the appropriate recommendations and best practices
outlined in the Cybersecurity Framework.
5
DDoS Threat Mitigation Profile
Function Category Sub-Category Priority Framework Comment
Identify(ID)
AssetManagement
(ID.AM)
ID.AM-1: Inventoryphysical devices andsystems within theorganization
P2
Catalog critical Internetfacing services by locationand capacity
Catalog ISP connectivity byISP, bandwidth usage,bandwidth available
ID.AM-2: Inventorysoftware platforms andapplications within theorganization
P1
Determine critical Internetfacing services by type ofapplication/service, IPaddress and hostname, anddetermine which opensource softwarecomponents are usedacross applications.
7
Function Category Sub-Category Priority Framework Comment
ID.AM-3: Maporganizationalcommunication anddata flows
P2
Identify key stakeholdersin the organization criticalto availability of Internetfacing services includingapplication owners,security personnel,network operationspersonnel, executiveleadership, legal/riskpersonnel and ISP or Cloudbased DDoS mitigationservice providers
Maintain network mapsshowing data flows
Create an operationalprocess documentdetailing communicationworkflows
ID.AM-4: Catalogueexternal informationsystems
P3
Identify applications andservices that are run incloud, SaaS, hosting orother externalenvironments
ID.AM-5: Resourcesare prioritized basedon their classification,criticality, andbusiness value
P2
Determine what Internetfacing services will resultin the most businessimpact if they were tobecome unavailable
BusinessEnvironment
(IDE.BE)
ID.BE-4: Establishdependencies andcritical functions fordelivery of criticalservices
P2
Catalog externaldependencies for servicesand applications includingDNS, NTP, cloud/hostingprovider, partner networkconnections and Internetavailability
ID.BE-5: Establishresilience requirementsto support delivery ofcritical services
P3
Ensure geographicalredundancy and highavailability of equipmentproviding services,network infrastructureand Internet connections
8
Function Category Sub-Category Priority Framework Comment
Risk Assessment(ID.RA)
ID.RA-1: Identify anddocument assetvulnerabilities
P2
Determine network andapplication bottlenecksincluding throughput,connection rate and totalconnections supported
ID.RA-2: Cyber threatintelligence andvulnerabilityinformation isreceived frominformation sharingforums and sources
P3
Monitor vulnerabilitieslists (CVE, NVD andsimilar) to check if criticalInternet facing serviceshave vulnerabilities thatcould be used as acondition for Denial ofService.
ID.RA-3: Identify anddocument internal andexternal threats
P3
Continuously gatherindustry informationaround DDoS trends, peakattack sizes, frequency,targeted verticals,motivations and attackcharacteristics
ID.RA-4: Identifypotential businessimpacts and likelihoods
P2
Create a risk profile thatquantifies potential cost ofrecovery operations perDDoS incident, revenueloss, customer churn,brand damage and impactto business operations
Governance(ID.GV)
ID.GV-3: Legal andregulatory requirementsregardingcybersecurity,including privacyand civil libertiesobligations, areunderstood andmanaged
P1
Put processes in place toensure all regulatoryrequirements are met.
Train all personnelresponsible for DDoSincident response on therelevant legal andregulatory requirementssurrounding the datathat they may handle.
Document regulatory anddata privacy policies ofDDoS service providersand partners
9
Function Category Sub-Category Priority Framework Comment
Protect(PR)
Awareness andTraining(PR.AT)
PR.AT-2: Privilegedusers understand roles& responsibilities
P1
Security Operationspersonnel have beentrained on DDoSdefense processes,products and services
Equip security operationspersonnel with anoperational run bookdefining what process tofollow and who to contactshould an incident takeplace
InformationProtection
Processes andProcedures
(PR.IP)
PR.IP-1: Create andmaintain a baselineconfiguration ofinformationtechnology/industrialcontrol systems
P1
Create a baseline DDoSprotection architectureconsisting of best currentpractices for the network,network based protectioncapabilities and non-stateful Intelligent DDoSMitigation capability
Implement anti-spoofingand black/white listfiltering at network edge
Maintain DDoSprotection configurationthat provides generalprotection for all servicesand always on protectionfor all business-criticalassets
PR.IP-7: Continuouslyimprove protectionprocesses
P2
Conduct a minimum of 2annual tests of DDoSprotection capabilities
Perform after-actionreviews following all DDoSincidents and DDoSprotection tests adjustingDDoS defenses accordingly
10
Function Category Sub-Category Priority Framework Comment
PR.IP-9: Response
plans (Incident Response
and Business Continuity)
and recovery plans
(Incident Recovery and
Disaster Recovery) are
in place and managed
P3
The organization’sBusiness Continuity andDisaster Recovery plansshould have componentsto address the potentialeffects of a DDoS attack
PR.IP-10: Response
and recovery plans are
testedP3
The DDoS components ofthe Business Continuityand Disaster Recoveryplans should be tested.
PR.IP-12: A vulnerability
management plan is
developed and
implemented P3
Vulnerabilities that can beleveraged for DDoS eventsshould be documentedand remediated.
ProtectiveTechnologies(PR.PT)
PR.PT-4: Protectcommunications andcontrol networks
P1
Perform filtering oftraffic to control planenetwork and/or controlplane traffic policing
Detect(DE)
Anomalies andEvents (DE.AE)
DE.AE-1: Establish andmanage a baseline ofnetwork operations andexpected data flows forusers and systems
P1
Continuously measuretraffic to hosts, resourcesor groups of resources todetermine expectedtraffic over time.
Determine trafficbaselines at IP layers 3and 4 including IPbandwidth, TCP, UDP,ICMP, GRE, and at theapplication level includingcritical applications suchas HTTP, HTTPS, DNS,NTP, SSDP and SIP
DE.AE-2: Analyzedetected events tounderstand attacktargets and methods
P1
Determine source anddestination trafficcharacteristics whenanomalous traffic is
11
Function Category Sub-Category Priority Framework Comment
detected that is indicativeof DDoS
DE.AE-3: Eventdata are aggregatedand correlated frommultiple sources andsensors
P2
Aggregate data fordetected DDoS eventsfrom multiple networksources contributingto the attack.
DE.AE-4: Impact ofevents is determined
P2
Total traffic rates for DDoSevents can be measuredacross all contributingnetwork sources
Performance andavailability of servicescan be measured before,during and after events
DE.AE-5: Incidentalert thresholds areestablished
P1
Configure notifications tosecurity monitoringpersonnel and appropriatestakeholders when trafficexceeds measured orconfigured thresholds
SecurityContinuousMonitoring(DE.CM)
DE.CM-1: Monitornetwork to detectpotential cybersecurityevents
P1
Continuously measuretraffic install networkingress points andbetween transit pointson the internal networkfor traffic anomalies
To the extent possibleand/or practical from abusiness perspective,continually measureoutbound traffic fordetection of trafficanomalies that couldrepresent sourcescontributing tooutbound or cross-bound DDoS attacks.
12
Function Category Sub-Category Priority Framework Comment
DE.CM-8:
Vulnerability scans are
performed P1
Scan Internet facingservices and softwareapplications to identifyvulnerabilities that can beexploited for participationin DDoS events.
DetectionProcesses(DE.DP)
DE.DP-3: Testdetection processes
P2
Conduct regular testing ofDDoS defense capabilitiesincluding occasionalunannounced testsperformed with no priorwarning to assess theDDoS defense strategiesand processes
Conduct DDoS simulationwargames as part ofsecurity staff onboardingand periodically for thesecurity response team
DE.DP-5:Continuously improvedetection processes
P2
Perform after-actionreview on any defensetesting or DDoS eventsafter all operations aresuccessfully restored toidentify and improve DDoSdetection capabilities
Identify and maintainkey security metricsaround detection,identification andescalation effectiveness.
Respond(RS)
ResponsePlanning(RS.RP)
RS.RP-1: Executeresponse plan duringor after an event
P1
Follow DDoS response runbook during any detectedDDoS events
Communications(RS.CO)
RS.CO-1: Ensurepersonnel know theirroles and order ofoperations when aresponse is needed
P1
Define personnelresponsible for detection,mitigation, coordinationand communicationduring DDoS incidents
13
Function Category Sub-Category Priority Framework Comment
RS.CO-4: Coordinatewith stakeholdersconsistently withresponse plans
P1
Document operationalrun book that includesroles, responsibilities andescalation process for allparties responsible forDDoS incident responseincluding internalpersonnel and externalconsultants or services
RS.CO-5: Engage involuntary informationsharing withstakeholders to achievebroader cybersecuritysituational awareness
P3
Share and receive DDoSattack trends withconsultants, servicecompanies and/orthreat intel companiesto keep abreast ofattack scale, frequency,motivations andevolving attack vectors
Analysis(RS.AN)
RS.AN-1: Investigatenotifications fromdetection systems
P1
Add DDoS alertnotifications to monitoringand response systemsincluding security andnetwork operationsmanagement systems.
RS.AN-2: Understandthe impact of theincident
P2
Compare DDoS trafficrates, connection ratesand total connectionsagainst documentedsystem and network limits
Identify actual andpotential impact tobusiness services,customers, employeesand other stakeholders.
RS.AN-3: Forensics
are performed P3
Save raw anomalydetails in available form(logs, packet captures,flow telemetry data) toinvestigate partiesinvolved in the incidentand, where appropriate,to share incident details
14
Function Category Sub-Category Priority Framework Comment
with the operationalsecurity community.
Mitigate DDoSattacks using any orall of the following:
Volumetri- Network capabilities suchas ACLs, anti-spoofing,remote triggeredblackhole and/or flowspec
- Using intelligent DDoSmitigation systems onpremise
- Contracting a DDoSmitigation service
Critical resources shouldbe protected by alwayson mitigation capabilities
Mitigation(RS.MI)
RS.MI-2: Mitigateincidents
P1- Contract or coordinatewith upstream bandwidthprovider for defenseagainst high-magnitudeattacks.
Implement a notificationsystem to detect when onpremise bandwidth isreaching saturation thenalert and/or automatemovement of traffic to anupstream DDoS mitigationservice
Identify and maintain keysecurity metrics aroundmitigation and escalationeffectiveness.
15
Function Category Sub-Category Priority Framework Comment
Improvements(RS.IM)
RS.IM-1: Incorporatelessons learned intoresponse plans
P2
Adjust mitigationprocesses, capacity,technology andpartnerships based onDDoS attack trends,DDoS response testingand results of DDoS after-action reviews
Maintain key securitymetrics around the DDoSprogram to demonstrateprogram improvementand effectiveness.
Recover(RC)
RecoveryPlanning(RC.RP)
RC.RP-1: Executerecovery plan during orafter an event
P2
Establish an internal andexternal communicationplan as part of the DDoSrun book that is usedevery time there is aDDoS incident
Communications(RC.CO)
RC.CO-1: Managepublic relations
P2
Ensure impactedapplications are restoredand availabilitycommunicated to relevantstakeholders
Manage externalcommunications based onvisibility and impact of theDDoS attack on customers,partners or public
16
Botnet Threat Mitigation Profile
Function Category Subcategory Priority Comment
IDENTIFY (ID)
AssetManagement
(ID.AM)
ID.AM-1: Physicaldevices and systemswithin theorganization areinventoried
Catalog all devices within theorganization that have or
have had direct or indirectaccess to the Internet.
P1
ID.AM-2: Softwareplatforms andapplications within theorganization areinventoried
Catalog all applications andservices that have or have
had direct or indirect accessto the Internet.
P1
ID.AM-4: Externalinformation systemsare catalogued
P2
Identify applications andservices that are run in
cloud, SaaS, hosting or otherexternal environments.
Risk Assessment(ID.RA)
ID.RA-1: Assetvulnerabilities areidentified anddocumented
P1
All identified connecteddevices should be assessed
for known vulnerabilities andthat information should bedocumented and updated
routinely.
ID.RA-2: Threat andvulnerabilityinformation isreceived frominformation sharingforums and sources
P1
Monitor connected devicesagainst known vulnerabilities(CVE, NVD and similar) and
against a framework ofregularly updated threat
intelligence sources
ID.RA-3: Threats,both internal andexternal, are identifiedand documented
P3
Continuously gatherinformation regarding
trends, attackcharacteristics, known
vulnerabilities, and otherIndicators of Compromise
(IOC) through internal17
and/or external datasources.
PROTECT (PR)
Access Control(PR.AC)
PR.AC-1: Identitiesand credentials aremanaged forauthorized devices andusers
P1
Controlling and managingaccess to connected devices
is essential in preventingcompromise and in
mitigating compromiseddevices.
Authentication,authorization and accounting
for any user access to thenetwork and services mustbe established for local and
remote access users.
Multiple levels of accessshould be implemented toensure users have accessand control to only thosethings that they need tocarry out their position.
Network is segmented toallow only expected protocoland application traffic acrossdifferent areas of thenetwork.
PR.AC-3: Remoteaccess is managed
P2
PR.AC-4: Accesspermissions aremanaged,incorporating theprinciples of leastprivilege andseparation of duties
P2
PR.AC-5: Networkintegrity is protected,incorporating networksegregation whereappropriate
P3
Data Security(PR.DS)
PR.DS-3: Assets areformally managedthroughout removal,transfers, anddisposition
P1
Implement rigorousmonitoring processes to
detect devices that are nolonger being used and
remove these devices from18
the network to reducepotential attack surface.
PR.DS-6: Integritychecking mechanismsare used to verifysoftware, firmware,and informationintegrity
P2
Verify the authenticity andintegrity of any updates thatare applied to any devices on
the network to reduce thelikelihood of malicious code
being uploaded to thedevice.
PR.DS-7: Thedevelopment andtesting environment(s)are separate from theproductionenvironment
P3
Development environmentscan be less secure than
production environments asthey may host devices thatare being tested or pilotedand that have not yet beenfully secured. Keeping the
development and productionenvironment separate can
reduce risk.
InformationProtection
Processes andProcedures
(PR.IP)
PR.IP-1: A baselineconfiguration ofinformationtechnology/industrialcontrol systems iscreated andmaintained
P1
Creating a known baselineconfiguration for connected
devices makes it easier todetermine if unauthorizedchanges have been made.
PR.IP-2: A SystemDevelopment LifeCycle to managesystems isimplemented
P2
Implement a systemsdevelopment lifecycle (SDLC)
to build rigor into thepurchasing, deployment,
maintenance, and end-of-lifeprocesses for any devices
connected on the network.
PR.IP-3:Configuration changecontrol processes arein place
P1
Configuration changes toconnected devices shouldfollow a rigorous process
that requires authorizationand tracking. Changes made
outside this process mayindicate a potential
compromise.
PR.IP-7: Protectionprocesses arecontinuouslyimproved
P3
Review protection processeson a routine basis to ensurethat they are functioning as
expected. Make adjustmentswhen deficiencies are found.
19
PR.IP-12: Avulnerabilitymanagement plan isdeveloped andimplemented
P1
A comprehensive plan mustbe put in place for the
identification and mitigationof software and hardware
vulnerabilities. This will aid inquantifying risk and in
identifying devices thatrequire updates or
replacement.
Maintenance(PR.MA)
PR.MA-1:Maintenance andrepair oforganizational assets isperformed and loggedin a timely manner,with approved andcontrolled tools
P3
Because maintenancerequires access to connected
devices, a process thatrequires approval andmonitoring aids in the
detection of unauthorizedchanges.
PR.MA-2: Remotemaintenance oforganizational assets isapproved, logged, andperformed in a mannerthat preventsunauthorized access
P3
ProtectiveTechnology
(PR.PT)
PR.PT-1: Audit/logrecords aredetermined,documented,implemented, andreviewed inaccordance withpolicy
P1
Routine review of audit logsis essential in being able to
identify if unauthorizedaccess or changes weremade to devices on the
network.
PR.PT-3: Access tosystems and assets iscontrolled,incorporating theprinciple of leastfunctionality
P1
Connected devices should beconfigured to allow only the
access and privilegesnecessary to perform their
intended function.
DETECT (DE)Anomalies andEvents (DE.AE)
DE.AE-1: A baselineof network operationsand expected dataflows for users andsystems is establishedand managed
P1
Maintain a baseline ofnetwork operations and dataflows to enable detection of
anomalous network behaviorthat could indicate a device
has been compromised.
DE.AE-2: Detectedevents are analyzed tounderstand attacktargets and methods
P1
Implement comprehensivemonitoring across networkinfrastructure and individualnetwork elements to detectevents that are indicative of
20
DE.AE-3: Event dataare aggregated andcorrelated frommultiple sources andsensors
P2 a potentially compromisedhost.
Implement an alertingmechanism to signal eventsto operations personnel.
Implement an eventaggregation system that willstore all events and providea level of triage andprioritization of events foroperations personnel.
Event monitoring shouldinclude the ability to detectthe presence of maliciouscode on connected devicesor in transit in the networkand the presence ofmalicious traffic or devicebehaviors on the network.
SecurityContinuousMonitoring(DE.CM)
DE.CM-1: Thenetwork is monitoredto detect potentialcybersecurity events
P1
DE.CM-3: Personnelactivity is monitoredto detect potentialcybersecurity events
P2
DE.CM-4: Maliciouscode is detected
P1
DE.CM-5:Unauthorized mobilecode is detected
P1
DE.CM-6: Externalservice provideractivity is monitoredto detect potentialcybersecurity events
P3
DE.CM-7:Monitoring forunauthorizedpersonnel,connections, devices,and software isperformed
P1
DE.CM-8:Vulnerability scans areperformed
P1
Conducting routinevulnerability scans of allconnected devices andunderlying software informsrisk and provides directionon which devices andapplications have the highestrisk of compromise.
DetectionProcesses(DE.DP)
DE.DP-4: Eventdetection informationis communicated toappropriate parties
P2
Events related to connecteddevices that may beindicative of anomalousbehavior should becommunicated to
21
appropriate parties foranalysis and action.
DE.DP-5: Detectionprocesses arecontinuouslyimproved
P3
Detection processes shouldbe tested and reviewedroutinely to ensure they areperforming as expected.
RESPOND (RS)
Communication(RS.CO)
RS.CO-5: Voluntaryinformation sharingoccurs with externalstakeholders toachieve broadercybersecuritysituational awareness
P2
Multiple communities existto share and analyzevulnerability and threatinformation for connecteddevices including industryconsortiums, internationalCERT organizations, lawenforcement, threatintelligence vendors, andoperational securitycommunitiesParticipation within theseentities can providesignificant benefit inunderstanding how anorganizations connecteddevices may be introducingrisk and how best to mitigateit.
Analysis (RS.AN)
RS.AN-1:Notifications fromdetection systems areinvestigated
P1
To the extent possible basedon business and risktolerance, alerts indicatingpotential infection of aninfected host should beinvestigated by qualifiedpersonnel to determine risk.A system of triage andprioritization should be putin place to ensure that themost critical events areinvestigated first.
RS.MI-3: Newlyidentifiedvulnerabilities aremitigated ordocumented asaccepted risks
P1
Vulnerabilities identifiedthrough scans, informationsharing, or other analysis,should be documentedimmediately and eithermitigated or treated asacceptable risk. Whenpatching isn’t viable,
22