Coalition for Cybersecurity Policy & Law

600 Massachusetts Ave, NW, Washington, DC 20001

February 12, 2018

VIA EMAIL: counter_botnet@list.commerce.gov

Evelyn L. RemaleyDeputy Associate AdministrationNational Telecommunications and Information Administration1401 Constitution Avenue, NWRoom 4725Washington, DC 20230

Re: Comment of the Coalition for Cybersecurity Policy & Law on the Report to the Presidenton Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnetsand Other Automated, Distributed Threats

The Coalition for Cybersecurity Policy & Law (“Coalition”) submits this comment inresponse to the Request for Comments (“RFC”) issued by the Department of Commerce (“DoC”),regarding the Report to the President on Enhancing the Resilience of the Internet andCommunications Ecosystem Against Botnets and Other Automated, Distributed Threats(“Report”). The Coalition appreciates the opportunity to provide feedback on the Report.

The Coalition is comprised of leading companies with a specialty in cybersecurity productsand services dedicated to finding and advancing consensus policy solutions that promote thedevelopment and adoption of cybersecurity technologies.1 We seek to ensure a robust marketplacethat will encourage companies of all sizes to take steps to improve their cybersecurity riskmanagement, and we are supportive of efforts to identify and promote the adoption ofcybersecurity best practices and voluntary standards throughout the global community.

Representatives of Coalition member companies actively participated in the workshophosted by the National Institute of Standards and Technology (“NIST”) that was held to informthis report.

The Coalition broadly supports and agrees with the findings and recommendations of thereport. In particular, we commend the Department of Commerce and the Department of HomelandSecurity (“DHS”) for repeatedly and effectively highlighting the importance of public and privatecollaboration, as well the international policy and standards development and adoption that areessential to long term success.

1 The views expressed in this comment reflect the consensus view of the Coalition and do not necessarily reflect theviews of any individual Coalition member. For more information on the Coalition, seewww.cybersecuritycoalition.org.

Coalition for CybersecurityPolicy & Law

1

In support of this, the Coalition intends to host an event bringing together government andprivate sector leaders and experts to further discuss this important issue and drive progress.

In regards to Action 2.2, the Coalition notes that it has previously provided NIST with aDDoS Mitigation and Prevention Profile based on the combined experience and expertise of itsmember companies, who include providers that offer a range of services specifically designed toachieve the stated goal. We look forward to working with NIST and other private and public sectorpartners to expand and refine this Profile.

Additionally, we believe that a Botnet Prevention and Mitigation Profile is a necessaryaddition to the body of available knowledge, and would be highly complementary to the DDoSMitigation and Prevention Profile discussed. To that end, the Coalition is providing a Profile foryour consideration and to help foster conversation within the broader community.

Conclusion. The Coalition thanks the Department of Commerce and the Department ofHomeland Security for its leadership in coordinating this important effort and for the opportunityto comment.

2

Cybersecurity Framework DDoS and BotnetPrevention and Mitigation Profile(s)

Executive Summary

The Framework for Improving Critical Infrastructure Cybersecurity (Cybersecurity Framework)version 1.0, developed by the National Institute of Standards and Technology (NIST), withextensive private sector input, provides a risk-based and flexible approach to managingcybersecurity risk that incorporates industry standards and best practices. The CybersecurityFramework is by design crafted to allow individual organizations to determine their own uniquerisks, tolerances, threats and vulnerabilities, so that they may prioritize their resources tomaximize effectiveness.

The Framework is general in nature to allow for broad applicability to a variety of industries,

organizations, risk tolerances and regulatory environments. A Framework Profile is the application

of Framework components to a specific situation. A Profile may be customized to suit specific

implementation scenarios by applying the Framework Category and Sub-Categories appropriate to

the situation. Profiles should be constructed to take into account the organization’s:

• Business/mission objectives

• Regulatory requirements

• Operating environment

Organizations can use Profiles to define a desired state for their Cybersecurity posture based on

their business objectives, and use it to measure progress towards achieving this state. It provides

organizations with the ability to analyze cost, effort and risk for a particular objective. Profiles may

also be used by industry sectors to document best practices for protection against specific threats.

The below Cybersecurity Framework Profile focuses on Distributed Denial of Service (DDoS) and

botnet prevention and mitigation. DDoS attacks are increasing in complexity, size, and frequency.

Botnets have long been used as a method for orchestrating DDoS and other attacks. The range of

targets and methods (e.g., from using individual PCs to using connected Internet of Things (IoT)

devices) has also broadened. These threat profiles emphasize how the Cybersecurity Framework

can address DDoS attacks and prevent and mitigate devices that have become parts of a botnet.

To develop the threat profile, we have reviewed all the Cybersecurity Framework Categories andSubcategories and determined those most important to combat the DDoS and botnet threats. TheCategories and Sub-Categories were then labeled into different priorities as follows:

P1 – Minimum actions required to protect network and services against relevant attacks.

P2 – Highly recommended actions to protect network and services against relevant attacks.

P3 – Recommended actions to protect network and services against relevant attacks.

3

The DDoS and Botnet threat mitigation profile represents a Target Profile focused on the desired state

of organizational cybersecurity to mitigate DDoS and botnet threats. It may be used to assist in

identifying opportunities for improving DDoS and botnet threat mitigation and aiding in cybersecurity

prioritization by comparing current state with this desired target state.

The Coalition developed this profile based on version 1.0 of the Cybersecurity Framework. The

comments provided as part of the profile give appropriate guidance to refine the understanding of

relevant Framework subcategories as they apply to DDoS and botnet threat mitigation. While Coalition

members believe that Framework version 1.0, and its associated Core categories and subcategories,

allow for adequate flexibility to develop an effective DDoS threat mitigation profile, we welcome the

updates in draft 2 of version 1.1 of the Framework, as they reflect changes in the evolving nature of

cybersecurity threats and risk management practices, which can further assist organizations in

defending against and mitigating DDoS attacks.

Examples of beneficial changes in draft 2 include updates in Section 3.0 ‘How to Use the Framework’

on how the Framework can be applied in design, build/buy, deploy, operate, and decommission system

lifecycle phases. Cybersecurity practices must be considered throughout the full range of information

technology activities of organizations as industries across all sectors increasingly develop and leverage

IT applications and connected devices. In addition, new Framework Core categories and subcategories

focused on managing supply chain risk will help organizations better defend against key threat vectors

for DDoS attacks.

Overview of the DDoS and Botnet Threats

A DDoS attack attempts to overwhelm a network, service or application with traffic from multiple

sources. There are many methods for carrying out DDoS attacks. These can include

• Low bandwidth connection-oriented attacks designed to initiate and keep many connections

open on the victim exhausting its available resources.

• High bandwidth volumetric attacks that exhaust available network or resource bandwidth.

• Protocol oriented attacks that take advantages of stateful network protocols such as TCP.

• Application layer attacks designed to overwhelm some aspect of an application or service.

Although each of these methods can be highly effective, in recent years, there has been considerable

attention given to volumetric attacks as the result of several high-profile incidents.

One prominent example of a volumetric DDoS attack vector is reflection amplification. This is a type

of DDoS attack in which the attacker fakes the attack target’s IP address and launches queries from this

address to open services on the Internet to solicit a response. The services used in this methodology are

typically selected such that the size of the response to the initial query is many times (x100s) larger than

the query itself. The response is returned to the real owner of the faked IP. This attack vector allows

attackers to generate huge volumes of attack traffic, while making it difficult for the target to determine

the original sources of the attack traffic. Reflection amplification has been responsible for some of the

largest DDoS attacks seen on the Internet through the last decade.

DDoS is often referred to as a ‘weaponized’ threat as technical skills are no longer needed to launch an

attack and services to conduct DDoS have proliferated and become easily obtainable for relatively low4

cost. Attackers can build out their attack capability in many ways, such as the use of malware to infect

Internet connected computers, deploying servers within hosting environments, exploiting program

flaws or other vulnerabilities, and by exploiting the use of inadequate access controls on Internet

connected devices to create botnets.

Botnets are created when an attacker infects or acquires a network of hosts, then controls these

devices to remotely launch an attack at a given target. Increasingly, botnets are incorporating

Internet of Things (IoT) devices, which continue to proliferate at a remarkable rate. Botnets allow

for a wide variety of attack methods aimed at evading or overwhelming defenses. Compromised

devices within an organization can be used by the botnet to carry out attacks; DDoS or otherwise,

targeting assets and infrastructure inside or outside the organization. This can have a significant

negative impact on the overall risk posture of the organization and its reputation and responsibility

in the community. The United States continues to be the most frequent target of DDoS attacks and

infected hosts within the US public and private infrastructure are most frequently leveraged as the

source of DDoS and botnet attacks. Availability is a core information security pillar but the

operational responsibility and discipline for assessing and mitigating availability-based threats

such as DDoS often falls to network operations or application owners in addition to Risk and

Information Security teams. Because of this divided responsibility, fissures in both risk assessment

and operational procedures for addressing these threats may occur. The goal of this profile is to

ensure the strategic and operational discipline needed to protect and respond to DDoS threats is

comprehensively addressed by applying the appropriate recommendations and best practices

outlined in the Cybersecurity Framework.

5

APPENDIX

A

6

DDoS Threat Mitigation Profile

Function Category Sub-Category Priority Framework Comment

Identify(ID)

AssetManagement

(ID.AM)

ID.AM-1: Inventoryphysical devices andsystems within theorganization

P2

Catalog critical Internetfacing services by locationand capacity

Catalog ISP connectivity byISP, bandwidth usage,bandwidth available

ID.AM-2: Inventorysoftware platforms andapplications within theorganization

P1

Determine critical Internetfacing services by type ofapplication/service, IPaddress and hostname, anddetermine which opensource softwarecomponents are usedacross applications.

7

Function Category Sub-Category Priority Framework Comment

ID.AM-3: Maporganizationalcommunication anddata flows

P2

Identify key stakeholdersin the organization criticalto availability of Internetfacing services includingapplication owners,security personnel,network operationspersonnel, executiveleadership, legal/riskpersonnel and ISP or Cloudbased DDoS mitigationservice providers

Maintain network mapsshowing data flows

Create an operationalprocess documentdetailing communicationworkflows

ID.AM-4: Catalogueexternal informationsystems

P3

Identify applications andservices that are run incloud, SaaS, hosting orother externalenvironments

ID.AM-5: Resourcesare prioritized basedon their classification,criticality, andbusiness value

P2

Determine what Internetfacing services will resultin the most businessimpact if they were tobecome unavailable

BusinessEnvironment

(IDE.BE)

ID.BE-4: Establishdependencies andcritical functions fordelivery of criticalservices

P2

Catalog externaldependencies for servicesand applications includingDNS, NTP, cloud/hostingprovider, partner networkconnections and Internetavailability

ID.BE-5: Establishresilience requirementsto support delivery ofcritical services

P3

Ensure geographicalredundancy and highavailability of equipmentproviding services,network infrastructureand Internet connections

8

Function Category Sub-Category Priority Framework Comment

Risk Assessment(ID.RA)

ID.RA-1: Identify anddocument assetvulnerabilities

P2

Determine network andapplication bottlenecksincluding throughput,connection rate and totalconnections supported

ID.RA-2: Cyber threatintelligence andvulnerabilityinformation isreceived frominformation sharingforums and sources

P3

Monitor vulnerabilitieslists (CVE, NVD andsimilar) to check if criticalInternet facing serviceshave vulnerabilities thatcould be used as acondition for Denial ofService.

ID.RA-3: Identify anddocument internal andexternal threats

P3

Continuously gatherindustry informationaround DDoS trends, peakattack sizes, frequency,targeted verticals,motivations and attackcharacteristics

ID.RA-4: Identifypotential businessimpacts and likelihoods

P2

Create a risk profile thatquantifies potential cost ofrecovery operations perDDoS incident, revenueloss, customer churn,brand damage and impactto business operations

Governance(ID.GV)

ID.GV-3: Legal andregulatory requirementsregardingcybersecurity,including privacyand civil libertiesobligations, areunderstood andmanaged

P1

Put processes in place toensure all regulatoryrequirements are met.

Train all personnelresponsible for DDoSincident response on therelevant legal andregulatory requirementssurrounding the datathat they may handle.

Document regulatory anddata privacy policies ofDDoS service providersand partners

9

Function Category Sub-Category Priority Framework Comment

Protect(PR)

Awareness andTraining(PR.AT)

PR.AT-2: Privilegedusers understand roles& responsibilities

P1

Security Operationspersonnel have beentrained on DDoSdefense processes,products and services

Equip security operationspersonnel with anoperational run bookdefining what process tofollow and who to contactshould an incident takeplace

InformationProtection

Processes andProcedures

(PR.IP)

PR.IP-1: Create andmaintain a baselineconfiguration ofinformationtechnology/industrialcontrol systems

P1

Create a baseline DDoSprotection architectureconsisting of best currentpractices for the network,network based protectioncapabilities and non-stateful Intelligent DDoSMitigation capability

Implement anti-spoofingand black/white listfiltering at network edge

Maintain DDoSprotection configurationthat provides generalprotection for all servicesand always on protectionfor all business-criticalassets

PR.IP-7: Continuouslyimprove protectionprocesses

P2

Conduct a minimum of 2annual tests of DDoSprotection capabilities

Perform after-actionreviews following all DDoSincidents and DDoSprotection tests adjustingDDoS defenses accordingly

10

Function Category Sub-Category Priority Framework Comment

PR.IP-9: Response

plans (Incident Response

and Business Continuity)

and recovery plans

(Incident Recovery and

Disaster Recovery) are

in place and managed

P3

The organization’sBusiness Continuity andDisaster Recovery plansshould have componentsto address the potentialeffects of a DDoS attack

PR.IP-10: Response

and recovery plans are

testedP3

The DDoS components ofthe Business Continuityand Disaster Recoveryplans should be tested.

PR.IP-12: A vulnerability

management plan is

developed and

implemented P3

Vulnerabilities that can beleveraged for DDoS eventsshould be documentedand remediated.

ProtectiveTechnologies(PR.PT)

PR.PT-4: Protectcommunications andcontrol networks

P1

Perform filtering oftraffic to control planenetwork and/or controlplane traffic policing

Detect(DE)

Anomalies andEvents (DE.AE)

DE.AE-1: Establish andmanage a baseline ofnetwork operations andexpected data flows forusers and systems

P1

Continuously measuretraffic to hosts, resourcesor groups of resources todetermine expectedtraffic over time.

Determine trafficbaselines at IP layers 3and 4 including IPbandwidth, TCP, UDP,ICMP, GRE, and at theapplication level includingcritical applications suchas HTTP, HTTPS, DNS,NTP, SSDP and SIP

DE.AE-2: Analyzedetected events tounderstand attacktargets and methods

P1

Determine source anddestination trafficcharacteristics whenanomalous traffic is

11

Function Category Sub-Category Priority Framework Comment

detected that is indicativeof DDoS

DE.AE-3: Eventdata are aggregatedand correlated frommultiple sources andsensors

P2

Aggregate data fordetected DDoS eventsfrom multiple networksources contributingto the attack.

DE.AE-4: Impact ofevents is determined

P2

Total traffic rates for DDoSevents can be measuredacross all contributingnetwork sources

Performance andavailability of servicescan be measured before,during and after events

DE.AE-5: Incidentalert thresholds areestablished

P1

Configure notifications tosecurity monitoringpersonnel and appropriatestakeholders when trafficexceeds measured orconfigured thresholds

SecurityContinuousMonitoring(DE.CM)

DE.CM-1: Monitornetwork to detectpotential cybersecurityevents

P1

Continuously measuretraffic install networkingress points andbetween transit pointson the internal networkfor traffic anomalies

To the extent possibleand/or practical from abusiness perspective,continually measureoutbound traffic fordetection of trafficanomalies that couldrepresent sourcescontributing tooutbound or cross-bound DDoS attacks.

12

Function Category Sub-Category Priority Framework Comment

DE.CM-8:

Vulnerability scans are

performed P1

Scan Internet facingservices and softwareapplications to identifyvulnerabilities that can beexploited for participationin DDoS events.

DetectionProcesses(DE.DP)

DE.DP-3: Testdetection processes

P2

Conduct regular testing ofDDoS defense capabilitiesincluding occasionalunannounced testsperformed with no priorwarning to assess theDDoS defense strategiesand processes

Conduct DDoS simulationwargames as part ofsecurity staff onboardingand periodically for thesecurity response team

DE.DP-5:Continuously improvedetection processes

P2

Perform after-actionreview on any defensetesting or DDoS eventsafter all operations aresuccessfully restored toidentify and improve DDoSdetection capabilities

Identify and maintainkey security metricsaround detection,identification andescalation effectiveness.

Respond(RS)

ResponsePlanning(RS.RP)

RS.RP-1: Executeresponse plan duringor after an event

P1

Follow DDoS response runbook during any detectedDDoS events

Communications(RS.CO)

RS.CO-1: Ensurepersonnel know theirroles and order ofoperations when aresponse is needed

P1

Define personnelresponsible for detection,mitigation, coordinationand communicationduring DDoS incidents

13

Function Category Sub-Category Priority Framework Comment

RS.CO-4: Coordinatewith stakeholdersconsistently withresponse plans

P1

Document operationalrun book that includesroles, responsibilities andescalation process for allparties responsible forDDoS incident responseincluding internalpersonnel and externalconsultants or services

RS.CO-5: Engage involuntary informationsharing withstakeholders to achievebroader cybersecuritysituational awareness

P3

Share and receive DDoSattack trends withconsultants, servicecompanies and/orthreat intel companiesto keep abreast ofattack scale, frequency,motivations andevolving attack vectors

Analysis(RS.AN)

RS.AN-1: Investigatenotifications fromdetection systems

P1

Add DDoS alertnotifications to monitoringand response systemsincluding security andnetwork operationsmanagement systems.

RS.AN-2: Understandthe impact of theincident

P2

Compare DDoS trafficrates, connection ratesand total connectionsagainst documentedsystem and network limits

Identify actual andpotential impact tobusiness services,customers, employeesand other stakeholders.

RS.AN-3: Forensics

are performed P3

Save raw anomalydetails in available form(logs, packet captures,flow telemetry data) toinvestigate partiesinvolved in the incidentand, where appropriate,to share incident details

14

Function Category Sub-Category Priority Framework Comment

with the operationalsecurity community.

Mitigate DDoSattacks using any orall of the following:

Volumetri- Network capabilities suchas ACLs, anti-spoofing,remote triggeredblackhole and/or flowspec

- Using intelligent DDoSmitigation systems onpremise

- Contracting a DDoSmitigation service

Critical resources shouldbe protected by alwayson mitigation capabilities

Mitigation(RS.MI)

RS.MI-2: Mitigateincidents

P1- Contract or coordinatewith upstream bandwidthprovider for defenseagainst high-magnitudeattacks.

Implement a notificationsystem to detect when onpremise bandwidth isreaching saturation thenalert and/or automatemovement of traffic to anupstream DDoS mitigationservice

Identify and maintain keysecurity metrics aroundmitigation and escalationeffectiveness.

15

Function Category Sub-Category Priority Framework Comment

Improvements(RS.IM)

RS.IM-1: Incorporatelessons learned intoresponse plans

P2

Adjust mitigationprocesses, capacity,technology andpartnerships based onDDoS attack trends,DDoS response testingand results of DDoS after-action reviews

Maintain key securitymetrics around the DDoSprogram to demonstrateprogram improvementand effectiveness.

Recover(RC)

RecoveryPlanning(RC.RP)

RC.RP-1: Executerecovery plan during orafter an event

P2

Establish an internal andexternal communicationplan as part of the DDoSrun book that is usedevery time there is aDDoS incident

Communications(RC.CO)

RC.CO-1: Managepublic relations

P2

Ensure impactedapplications are restoredand availabilitycommunicated to relevantstakeholders

Manage externalcommunications based onvisibility and impact of theDDoS attack on customers,partners or public

16

Botnet Threat Mitigation Profile

Function Category Subcategory Priority Comment

IDENTIFY (ID)

AssetManagement

(ID.AM)

ID.AM-1: Physicaldevices and systemswithin theorganization areinventoried

Catalog all devices within theorganization that have or

have had direct or indirectaccess to the Internet.

P1

ID.AM-2: Softwareplatforms andapplications within theorganization areinventoried

Catalog all applications andservices that have or have

had direct or indirect accessto the Internet.

P1

ID.AM-4: Externalinformation systemsare catalogued

P2

Identify applications andservices that are run in

cloud, SaaS, hosting or otherexternal environments.

Risk Assessment(ID.RA)

ID.RA-1: Assetvulnerabilities areidentified anddocumented

P1

All identified connecteddevices should be assessed

for known vulnerabilities andthat information should bedocumented and updated

routinely.

ID.RA-2: Threat andvulnerabilityinformation isreceived frominformation sharingforums and sources

P1

Monitor connected devicesagainst known vulnerabilities(CVE, NVD and similar) and

against a framework ofregularly updated threat

intelligence sources

ID.RA-3: Threats,both internal andexternal, are identifiedand documented

P3

Continuously gatherinformation regarding

trends, attackcharacteristics, known

vulnerabilities, and otherIndicators of Compromise

(IOC) through internal17

and/or external datasources.

PROTECT (PR)

Access Control(PR.AC)

PR.AC-1: Identitiesand credentials aremanaged forauthorized devices andusers

P1

Controlling and managingaccess to connected devices

is essential in preventingcompromise and in

mitigating compromiseddevices.

Authentication,authorization and accounting

for any user access to thenetwork and services mustbe established for local and

remote access users.

Multiple levels of accessshould be implemented toensure users have accessand control to only thosethings that they need tocarry out their position.

Network is segmented toallow only expected protocoland application traffic acrossdifferent areas of thenetwork.

PR.AC-3: Remoteaccess is managed

P2

PR.AC-4: Accesspermissions aremanaged,incorporating theprinciples of leastprivilege andseparation of duties

P2

PR.AC-5: Networkintegrity is protected,incorporating networksegregation whereappropriate

P3

Data Security(PR.DS)

PR.DS-3: Assets areformally managedthroughout removal,transfers, anddisposition

P1

Implement rigorousmonitoring processes to

detect devices that are nolonger being used and

remove these devices from18

the network to reducepotential attack surface.

PR.DS-6: Integritychecking mechanismsare used to verifysoftware, firmware,and informationintegrity

P2

Verify the authenticity andintegrity of any updates thatare applied to any devices on

the network to reduce thelikelihood of malicious code

being uploaded to thedevice.

PR.DS-7: Thedevelopment andtesting environment(s)are separate from theproductionenvironment

P3

Development environmentscan be less secure than

production environments asthey may host devices thatare being tested or pilotedand that have not yet beenfully secured. Keeping the

development and productionenvironment separate can

reduce risk.

InformationProtection

Processes andProcedures

(PR.IP)

PR.IP-1: A baselineconfiguration ofinformationtechnology/industrialcontrol systems iscreated andmaintained

P1

Creating a known baselineconfiguration for connected

devices makes it easier todetermine if unauthorizedchanges have been made.

PR.IP-2: A SystemDevelopment LifeCycle to managesystems isimplemented

P2

Implement a systemsdevelopment lifecycle (SDLC)

to build rigor into thepurchasing, deployment,

maintenance, and end-of-lifeprocesses for any devices

connected on the network.

PR.IP-3:Configuration changecontrol processes arein place

P1

Configuration changes toconnected devices shouldfollow a rigorous process

that requires authorizationand tracking. Changes made

outside this process mayindicate a potential

compromise.

PR.IP-7: Protectionprocesses arecontinuouslyimproved

P3

Review protection processeson a routine basis to ensurethat they are functioning as

expected. Make adjustmentswhen deficiencies are found.

19

PR.IP-12: Avulnerabilitymanagement plan isdeveloped andimplemented

P1

A comprehensive plan mustbe put in place for the

identification and mitigationof software and hardware

vulnerabilities. This will aid inquantifying risk and in

identifying devices thatrequire updates or

replacement.

Maintenance(PR.MA)

PR.MA-1:Maintenance andrepair oforganizational assets isperformed and loggedin a timely manner,with approved andcontrolled tools

P3

Because maintenancerequires access to connected

devices, a process thatrequires approval andmonitoring aids in the

detection of unauthorizedchanges.

PR.MA-2: Remotemaintenance oforganizational assets isapproved, logged, andperformed in a mannerthat preventsunauthorized access

P3

ProtectiveTechnology

(PR.PT)

PR.PT-1: Audit/logrecords aredetermined,documented,implemented, andreviewed inaccordance withpolicy

P1

Routine review of audit logsis essential in being able to

identify if unauthorizedaccess or changes weremade to devices on the

network.

PR.PT-3: Access tosystems and assets iscontrolled,incorporating theprinciple of leastfunctionality

P1

Connected devices should beconfigured to allow only the

access and privilegesnecessary to perform their

intended function.

DETECT (DE)Anomalies andEvents (DE.AE)

DE.AE-1: A baselineof network operationsand expected dataflows for users andsystems is establishedand managed

P1

Maintain a baseline ofnetwork operations and dataflows to enable detection of

anomalous network behaviorthat could indicate a device

has been compromised.

DE.AE-2: Detectedevents are analyzed tounderstand attacktargets and methods

P1

Implement comprehensivemonitoring across networkinfrastructure and individualnetwork elements to detectevents that are indicative of

20

DE.AE-3: Event dataare aggregated andcorrelated frommultiple sources andsensors

P2 a potentially compromisedhost.

Implement an alertingmechanism to signal eventsto operations personnel.

Implement an eventaggregation system that willstore all events and providea level of triage andprioritization of events foroperations personnel.

Event monitoring shouldinclude the ability to detectthe presence of maliciouscode on connected devicesor in transit in the networkand the presence ofmalicious traffic or devicebehaviors on the network.

SecurityContinuousMonitoring(DE.CM)

DE.CM-1: Thenetwork is monitoredto detect potentialcybersecurity events

P1

DE.CM-3: Personnelactivity is monitoredto detect potentialcybersecurity events

P2

DE.CM-4: Maliciouscode is detected

P1

DE.CM-5:Unauthorized mobilecode is detected

P1

DE.CM-6: Externalservice provideractivity is monitoredto detect potentialcybersecurity events

P3

DE.CM-7:Monitoring forunauthorizedpersonnel,connections, devices,and software isperformed

P1

DE.CM-8:Vulnerability scans areperformed

P1

Conducting routinevulnerability scans of allconnected devices andunderlying software informsrisk and provides directionon which devices andapplications have the highestrisk of compromise.

DetectionProcesses(DE.DP)

DE.DP-4: Eventdetection informationis communicated toappropriate parties

P2

Events related to connecteddevices that may beindicative of anomalousbehavior should becommunicated to

21

appropriate parties foranalysis and action.

DE.DP-5: Detectionprocesses arecontinuouslyimproved

P3

Detection processes shouldbe tested and reviewedroutinely to ensure they areperforming as expected.

RESPOND (RS)

Communication(RS.CO)

RS.CO-5: Voluntaryinformation sharingoccurs with externalstakeholders toachieve broadercybersecuritysituational awareness

P2

Multiple communities existto share and analyzevulnerability and threatinformation for connecteddevices including industryconsortiums, internationalCERT organizations, lawenforcement, threatintelligence vendors, andoperational securitycommunitiesParticipation within theseentities can providesignificant benefit inunderstanding how anorganizations connecteddevices may be introducingrisk and how best to mitigateit.

Analysis (RS.AN)

RS.AN-1:Notifications fromdetection systems areinvestigated

P1

To the extent possible basedon business and risktolerance, alerts indicatingpotential infection of aninfected host should beinvestigated by qualifiedpersonnel to determine risk.A system of triage andprioritization should be putin place to ensure that themost critical events areinvestigated first.

RS.MI-3: Newlyidentifiedvulnerabilities aremitigated ordocumented asaccepted risks

P1

Vulnerabilities identifiedthrough scans, informationsharing, or other analysis,should be documentedimmediately and eithermitigated or treated asacceptable risk. Whenpatching isn’t viable,

22

mitigation may requirecomplete removal andreplacement of compromiseddevice.

23