Posted on 27-Mar-2020

Page 1: Semi-Automated Response · - NATO UNCLASSIFIED - CIICS •Created as an MN CD2 project between NLD, CAN, ROU •Scoped as an information sharing and incident coordination capability

- NATO UNCLASSIFIED -

Semi-Automated Response

• Preparation: gathering data from disparate sources, inventorying identities, systems, maintain metrics

• Identification: integrating threat intel feeds to provide context, prioritize alerts, determine severity and impact, analyze behavior

• Containment: disconnecting network connections, limiting impact to as few systems as possible

• Eradication: deleting data, re-imaging a machine

• Recovery: automated configuration changes and system updates/patches, remediation of non-compliant endpoints

• Follow up: run reports automatically

Opportunities for automation
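The slide lists, per incident response phase, the steps that lend themselves to automation. The sketch below is an added illustration, not code from the CIICS project or the MN CD2 programme, of what "semi-automated" means in practice: enrichment, recovery checks and reporting run unattended, while disruptive steps (isolating a host, re-imaging) are proposed by the playbook but wait for an analyst's approval. The asset inventory, the threat-intel feed, the alert fields and the action names are all constructed assumptions.

```python
"""Semi-automated incident response playbook skeleton (illustrative example).

Added example; not CIICS or MN CD2 code. Low-risk steps run automatically,
containment and eradication require explicit analyst approval.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Set, Tuple


class Phase(str, Enum):
    PREPARATION = "preparation"
    IDENTIFICATION = "identification"
    CONTAINMENT = "containment"
    ERADICATION = "eradication"
    RECOVERY = "recovery"
    FOLLOW_UP = "follow_up"


# Preparation: constructed asset inventory (host -> criticality 1..3).
INVENTORY: Dict[str, int] = {"ws-01": 1, "db-01": 3}

# Identification: constructed threat-intel feed (indicator -> (context, confidence 0..1)).
THREAT_INTEL: Dict[str, Tuple[str, float]] = {
    "198.51.100.23": ("known command-and-control node", 0.9),
    "203.0.113.7": ("internet-wide scanner", 0.4),
}


@dataclass
class Alert:
    host: str
    remote_ip: str
    event: str


@dataclass
class Action:
    phase: Phase
    description: str
    needs_approval: bool  # True: an analyst must approve before the step runs
    executed: bool = False


def identify(alert: Alert) -> dict:
    """Enrich the alert with threat intel and inventory; derive severity and impact."""
    context, confidence = THREAT_INTEL.get(alert.remote_ip, ("no intel match", 0.0))
    criticality = INVENTORY.get(alert.host, 0)  # 0 = asset not in inventory
    if confidence >= 0.8:
        severity = "high"
    elif confidence >= 0.4:
        severity = "medium"
    else:
        severity = "low"
    impact = "critical" if criticality == 3 else "normal" if criticality else "unknown asset"
    return {"context": context, "confidence": confidence, "severity": severity, "impact": impact}


def plan(alert: Alert, assessment: dict) -> List[Action]:
    """Map the assessment to lifecycle actions; disruptive ones are gated on approval."""
    actions: List[Action] = []
    if assessment["severity"] == "high":
        actions.append(Action(Phase.CONTAINMENT, f"isolate {alert.host} from the network", True))
        actions.append(Action(Phase.ERADICATION, f"re-image {alert.host}", True))
    if assessment["severity"] in ("high", "medium"):
        actions.append(Action(Phase.RECOVERY,
                              f"verify patch and configuration baseline on {alert.host}", False))
    actions.append(Action(Phase.FOLLOW_UP, f"generate incident report for {alert.host}", False))
    return actions


def execute(actions: List[Action], approvals: Set[str]) -> List[Action]:
    """Run every action that needs no approval or has been approved by name."""
    for action in actions:
        if not action.needs_approval or action.description in approvals:
            action.executed = True  # stand-in for the real orchestration call
    return actions


def run_playbook(alert: Alert, approvals: Set[str] = frozenset()) -> dict:
    """One pass through the playbook; returns what ran and what still awaits approval."""
    assessment = identify(alert)
    actions = execute(plan(alert, assessment), set(approvals))
    return {
        "assessment": assessment,
        "executed": [a.description for a in actions if a.executed],
        "pending_approval": [a.description for a in actions if not a.executed],
    }


if __name__ == "__main__":
    alert = Alert("ws-01", "198.51.100.23", "outbound beacon")
    print(run_playbook(alert))                                          # containment pending
    print(run_playbook(alert, {"isolate ws-01 from the network"}))      # analyst approved it
```

The second call shows the approval loop: the same alert, re-run with the containment step approved, executes it, while the re-image step stays pending until someone signs off on it as well.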

Page 2

Semi-Automated Response

• Stage 1: Research, Review, Assess, Report

  • Define operational requirements, use cases and assessment framework

  • Review existing response models and automatable courses of action

  • Engage with researchers in academia, government and industry

  • Assess the most promising approaches against the use cases

  • Define the architecture for the Proof of Concept

  • Provide a survey report with findings and recommendations

• Stage 2: Proof of Concept

  • Design, develop, and evaluate against basic attack scenarios

Overview of planned activities

Page 3

MNCD2

Cyber Security Assessment Team

OBJECTIVE: the ability for nations to assess the Cyber Security of operational CIS by subjecting it to controlled and realistic cyber attacks

STATUS: Multinational CSAT capability, Concept, ConOps and implementation options drafted

Page 4

CSAT

Cyber Security Assessment

• Holistic and realistic assessments

• Demonstrate impact

• Exercise staff

• Improve cyber security

• Complements

  • Vulnerability assessments

  • Risk assessments

Multinational CSAT Capability

• Split in two capabilities

  • CORE Team

  • Assessment Team (CSAT)

• CORE Team

  • Provides Tools, Techniques, Procedures

  • Multinational effort

• Assessment Team (CSAT)

  • Executes assessments

The Concept Explained

Page 5

CSAT

Overarching Concept

CSAT Concept of Operations

CORE Concept of Operations

Implementation Options

Deliverables

Page 6

CSAT

Components

Overarching concept

• MCC rationale, approach, structure

• MCC Assessments, emulated threats, activities, lifecycle

• MCC fundamentals, guiding principles, managing risk

CSAT ConOps

• CSAT Instantiation and lifecycle

• CSAT Assessment activities, lifecycle, deliverables

• Organizational structure & staffing

• Facilities & equipment

CORE ConOps

• Services & Activities

• CSAT Instantiation & lifecycle

• Organizational structure & staffing

• Facilities, equipment, CIS

Implementation Options

• Governance board

• MCC Secretariat

• National Coordinator

• CORE

• CSATs

Page 7

CSAT

Decision on Multinational CORE Capability

National CSAT Capability

Cyber Security Assessment Capability

Projected future end-state

Page 8

MNCD2

Cyber Information and Incident Coordination System

OBJECTIVE: the ability for nations to manage cyber security incidents that cross national/organizational borders

STATUS: CIICS implemented and deployed in several nations, support (software maintenance) active

Page 9

CIICS

• Created as an MN CD2 project between NLD, CAN, ROU

• Scoped as an information sharing and incident coordination capability

• Requirements collected from and prioritized between the participating Nations

• Agile custom development from Rhea Group, guided by NCI Agency

• Multiple user engagement sessions, and use in CC14, CC15, and CC16

• As of March 2017, latest version is 3.1.5

Background

Page 10

CIICS

Architecture

• For National and Federated (peer-to-peer) use

• Web based application

Flexibility

• Customizable based on national processes and preferences

Usability

• Easy to use (ISO 9241)

Secure

• Multiple authentication options

• Role based access control

• Logging for audit and accountability

Coordination of cyber information

• Information Sharing Subsystem

Coordination of cyber incidents

• Ticket Management Subsystem

Design

Page 11

CIICS

Login and dashboard

Page 12

CIICS

• An attack is detected on a Canadian system.

• The Incident Handling Officer (IHO) creates an incident

• The Canadian IHO informs the community

• Shortly thereafter, it seems that a range of IPs, based in Romania and the Netherlands, may also be infected.

• The real scope of the attack can now be understood

Incident Sharing

Page 13

CIICS

Create new tickets

Page 14

CIICS

Forensics template

Page 15

CIICS

Joint Ticket Template

Page 16

CIICS

Joint Coordination Workflow

Page 17

CIICS

Promoting a local ticket to a joint ticket

Page 18

CIICS

Anonymization/pseudonymization

Page 19

CIICS

Ticketing workflow is customizable; state and state transitions are highly configurable and dynamically represented to the user based on the programmed flow

Workflow Configuration
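The slide describes the ticket workflow as a configurable state machine whose transitions are shown to the user according to the programmed flow. The code below is an added example of how such a workflow can be represented, validated and enforced; it is not CIICS code and its configuration format, state names, roles and error messages are all assumptions. Two points a practitioner cares about are included: the configuration is checked for dead ends before use (undefined target states, unreachable states, transitions no role may perform), and every transition is both role-checked and recorded on the ticket, which is what turns a configurable workflow into an auditable one.

```python
"""Configurable ticket workflow with role checks and an audit trail (illustrative).

Added example; not CIICS code. WORKFLOW is a constructed configuration:
state -> {target state: set of roles allowed to make that transition}.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

WORKFLOW: Dict[str, Dict[str, Set[str]]] = {
    "new":         {"triaged": {"iho"}, "closed": {"iho", "manager"}},
    "triaged":     {"in_progress": {"iho"}, "closed": {"manager"}},
    "in_progress": {"resolved": {"iho"}, "triaged": {"iho", "manager"}},
    "resolved":    {"closed": {"manager"}, "in_progress": {"iho", "manager"}},
    "closed":      {},  # terminal state: no outgoing transitions
}


class WorkflowError(Exception):
    """Raised when a transition is not defined or the actor's role may not perform it."""


def validate_workflow(config: Dict[str, Dict[str, Set[str]]]) -> List[str]:
    """Return a list of configuration problems; an empty list means the flow is usable.

    The first state in the mapping is taken as the initial state.
    """
    problems: List[str] = []
    if not config:
        return ["workflow has no states"]
    for src, targets in config.items():
        for dst, roles in targets.items():
            if dst not in config:
                problems.append(f"{src} -> {dst}: target state is not defined")
            if not roles:
                problems.append(f"{src} -> {dst}: no role may perform this transition")
    # Reachability: every state must be reachable from the initial state.
    start = next(iter(config))
    seen, queue = {start}, [start]
    while queue:
        state = queue.pop()
        for dst in config[state]:
            if dst in config and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    for state in config:
        if state not in seen:
            problems.append(f"{state}: not reachable from initial state {start}")
    if not any(not targets for targets in config.values()):
        problems.append("workflow has no terminal state")
    return problems


@dataclass
class Ticket:
    ticket_id: str
    state: str = "new"
    audit: List[str] = field(default_factory=list)


def available_transitions(ticket: Ticket, role: str,
                          config: Dict[str, Dict[str, Set[str]]] = WORKFLOW) -> List[str]:
    """Target states the UI should offer this role from the ticket's current state."""
    return sorted(dst for dst, roles in config.get(ticket.state, {}).items() if role in roles)


def transition(ticket: Ticket, target: str, actor: str, role: str,
               config: Dict[str, Dict[str, Set[str]]] = WORKFLOW) -> Ticket:
    """Move the ticket to `target` if the flow defines it and the role is allowed; log it."""
    allowed = config.get(ticket.state, {})
    if target not in allowed:
        raise WorkflowError(f"{ticket.state} -> {target} is not defined in the workflow")
    if role not in allowed[target]:
        raise WorkflowError(f"role {role} may not move a ticket from {ticket.state} to {target}")
    ticket.audit.append(f"{actor} ({role}): {ticket.state} -> {target}")
    ticket.state = target
    return ticket


if __name__ == "__main__":
    assert validate_workflow(WORKFLOW) == []
    ticket = Ticket("T-0001")
    print(available_transitions(ticket, "iho"))        # ['closed', 'triaged']
    transition(ticket, "triaged", "alice", "iho")
    print(ticket.state, ticket.audit)
```

Because the UI derives its buttons from `available_transitions` and the server re-checks the same table in `transition`, a user cannot reach a state the flow does not permit by submitting a crafted request; the configuration, not the client, is the single source of truth.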

Page 20

CIICS

Community WIKI (COI)

Page 21

CIICS

Adding pages

Page 22

CIICS

COI page overview

Page 23

CIICS

Reference library

Page 24

CIICS

Reference library - STIX

Page 25

CIICS

36 Eligible Nations (NATO Nations, 7 NNN Partners, NATO)

Eligibility for any other partner is on a case by case basis at the discretion of the Project Board

A nation does not need to join the MN CD2 Programme in order to join the Federation

CIICS FEDERATION

Page 26

CIICS Workshop Topics

• Interoperability

• CIICS Usage

• National CSIRTs

• Federated Mission Networking

• Classification

  • Threat intelligence often unclassified

  • Incident handling often classified

• Centralized vs. distributed deployment

• Licensing and enhancements

CIICS Workshop Details

• Logistics

  • Date: 8 MAY 2017

  • Location: NCI Agency, The Hague, NLD

• Objective

  • Bring together 36 Nations to explore use of CIICS

• Contact

  • Sarah Brown, NCI Agency [[email protected]]

CIICS WORKSHOP 8th of May 2017

Page 27

MNCD2

Cyber Defence Situational Awareness

OBJECTIVE: the ability for nations to perceive and understand the current status of cyber space and to project changes in the near future

STATUS: Best-match commercial software identified

Page 28

CDSA

CD SA process overview

Page 29

CDSA

SCENARIOS

Page 30

CDSA

Successive candidate lists (17, then 13, then 4 vendors; final candidates Forcepoint and HPE):

1 Raytheon, 2 HP ES, 3 Deloitte, 4 IBM, 5 Thales Communications & Security, 6 TeraMach Technologies Inc., 7 General Dynamics Mission Systems, 8 BT Security, 9 RSA, 10 Codenomicon, 11 Oracle, 12 Solana Networks Inc., 13 SMT, 14 Secure Decisions, 15 RHEA, 16 Compusult, 17 Northrop Grumman

MN CD2 CIICS, MITRE Corporation

1 Raytheon, 2 HP ES, 3 Deloitte, 4 IBM, 5 Thales Communications & Security, 6 General Dynamics Mission Systems, 7 BT Security, 8 RSA, 9 Codenomicon, 10 Oracle, 11 Solana Networks Inc., 12 SMT, 13 Northrop Grumman

MN CD2 CIICS, MITRE Corporation

1 GD-MS Canada, 2 Forcepoint, 3 RSA, 4 HPE

Forcepoint, HPE

PROCESS

Page 31

CDSA

[Chart: Final candidate progress. Y axis: percentage of scenario steps (0 to 1); X axis: assessment event (Pre-FAT, FAT, SAT 1, SAT 2), with one bar each for Forcepoint and HPE; legend: A little, Half, Mostly, Fully]

Page 32

CDSA

• Final report shared with NATO

• Many residual benefits to Nations through the project

• Nations have Virtual Machines for further testing

• Nations can engage NCI Agency jointly or individually for procurement

Combined weighted score: FP 51.6, HPE 63.9

[Chart: CRITERIA WEIGHTING; category labels not recoverable from the source]

CD SA result and way forward

Page 33

Future Work

Cyber Deception: Honey Net

Cyber Deception: Honey Token ?

Page 34

Concluding Remarks

For all inquiries: [email protected] MNCD2 Project Office