- NATO UNCLASSIFIED -
Semi-Automated Response: Opportunities for automation
• Preparation: gathering data from disparate sources, inventorying identities and systems, maintaining metrics
• Identification: integrating threat intel feeds to provide context, prioritize alerts, determine severity and impact, and analyze behavior
• Containment: disconnecting network connections, limiting impact to as few systems as possible
• Eradication: deleting data, re-imaging a machine
• Recovery: automated configuration changes and system updates/patches, remediation of non-compliant endpoints
• Follow up: running reports automatically

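The list above names the automation opportunities per phase but not how the "semi" in semi-automated is enforced. The following is an added example (not code from the MN CD2 project): it enriches constructed SIEM alerts with a constructed threat-intel feed, scores severity by an assumed rule (TI confidence scaled by asset criticality from the inventory), and splits the courses of action so that reversible steps run automatically while host isolation and re-imaging wait for an analyst. Feed, alerts, thresholds and action strings are all assumptions made for the demonstration.

```python
"""Enrich alerts with threat intel, score severity and gate the courses of action.

Added example to illustrate the automation opportunities listed above; it is not
code from the MN CD2 project. The TI feed, the alerts and the scoring rule are
constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed threat-intel feed: indicator -> (confidence 0-100, tag).
TI_FEED: Dict[str, Tuple[int, str]] = {
    "203.0.113.77": (90, "c2-server"),
    "198.51.100.9": (40, "scanner"),
}

# Constructed alerts in the shape a SIEM might emit (asset criticality comes
# from the inventory built during the Preparation phase).
ALERTS: List[Dict] = [
    {"id": 1, "host": "ws-0441", "dst_ip": "203.0.113.77", "criticality": "high"},
    {"id": 2, "host": "ws-0452", "dst_ip": "198.51.100.9", "criticality": "low"},
    {"id": 3, "host": "web-01", "dst_ip": "192.0.2.10", "criticality": "high"},
]

CRIT_WEIGHT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Enriched:
    alert_id: int
    host: str
    ti_tag: Optional[str]
    severity: int               # 0-100
    auto_actions: List[str]     # reversible; run without a human
    approval_needed: List[str]  # disruptive or destructive; wait for an analyst


def score(confidence: int, criticality: str) -> int:
    """Assumed scoring rule: TI confidence scaled by asset criticality (max weight 3)."""
    return min(100, round(confidence * CRIT_WEIGHT[criticality] / 3))


def plan_actions(severity: int, host: str, dst_ip: str) -> Tuple[List[str], List[str]]:
    """Split courses of action. Reversible steps (perimeter block, ticket) are
    automated; containment by host isolation and eradication by re-imaging are
    queued for approval. That gate is what makes the response *semi*-automated."""
    if severity >= 70:
        return ([f"block {dst_ip} at perimeter", f"open ticket for {host}"],
                [f"isolate {host}", f"re-image {host}"])
    if severity >= 30:
        return ([f"open ticket for {host}"], [f"block {dst_ip} at perimeter"])
    return ([f"annotate alert for {host}"], [])


def triage(alerts: List[Dict], feed: Dict[str, Tuple[int, str]]) -> List[Enriched]:
    """Identification phase: enrich each alert with TI context, then prioritize."""
    out = []
    for a in alerts:
        conf, tag = feed.get(a["dst_ip"], (0, None))
        sev = score(conf, a["criticality"])
        auto, approve = plan_actions(sev, a["host"], a["dst_ip"])
        out.append(Enriched(a["id"], a["host"], tag, sev, auto, approve))
    # Highest severity first, so the analyst queue is already prioritized.
    return sorted(out, key=lambda e: e.severity, reverse=True)


if __name__ == "__main__":
    for e in triage(ALERTS, TI_FEED):
        print(e.alert_id, e.host, e.ti_tag, e.severity, e.auto_actions, e.approval_needed)
```

The thresholds are deliberately simple; the design point is that the automated branch only ever contains actions that can be undone (a perimeter block can be lifted, a ticket closed), while the Containment and Eradication actions that destroy evidence or disrupt a user land in an approval queue that is already ordered by severity.
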
Semi-Automated Response: Overview of planned activities
• Stage 1: Research, Review, Assess, Report
  • Define operational requirements, use cases and an assessment framework
  • Review existing response models and automatable courses of action
  • Engage with researchers in academia, government and industry
  • Assess the most promising approaches against the use cases
  • Define the architecture for a Proof of Concept
  • Provide a survey report with findings and recommendations
• Stage 2: Proof of Concept
  • Design, develop, and evaluate against basic attack scenarios

MNCD2: Cyber Security Assessment Team
OBJECTIVE: the ability for nations to assess the cyber security of operational CIS by subjecting it to controlled and realistic cyber attacks
STATUS: Multinational CSAT capability, Concept, ConOps and implementation options drafted

CSAT: The Concept Explained
Cyber Security Assessment
• Holistic and realistic assessments
• Demonstrate impact
• Exercise staff
• Improve cyber security
• Complements
  • Vulnerability assessments
  • Risk assessments
Multinational CSAT Capability
• Split in two capabilities
  • CORE Team: provides Tools, Techniques, Procedures; a multinational effort
  • Assessment Team (CSAT): executes assessments

CSAT: Deliverables
• Overarching Concept
• CSAT Concept of Operations
• CORE Concept of Operations
• Implementation Options

CSAT: Components
Overarching concept
• MCC rationale, approach, structure
• MCC assessments, emulated threats, activities, lifecycle
• MCC fundamentals, guiding principles, managing risk
CSAT ConOps
• CSAT instantiation and lifecycle
• CSAT assessment activities, lifecycle, deliverables
• Organizational structure & staffing
• Facilities & equipment
CORE ConOps
• Services & activities
• CSAT instantiation & lifecycle
• Organizational structure & staffing
• Facilities, equipment, CIS
Implementation Options
• Governance board
• MCC Secretariat
• National Coordinator
• CORE
• CSATs

CSAT: Projected future end-state
[Diagram: Decision on Multinational CORE Capability; National CSAT Capability; Cyber Security Assessment Capability]

MNCD2: Cyber Information and Incident Coordination System (CIICS)
OBJECTIVE: the ability for nations to manage cyber security incidents that cross national/organizational borders
STATUS: CIICS implemented and deployed in several nations; support (software maintenance) active

CIICS: Background
• Created as an MN CD2 project between NLD, CAN, ROU
• Scoped as an information sharing and incident coordination capability
• Requirements collected from and prioritized between the participating Nations
• Agile custom development by Rhea Group, guided by NCI Agency
• Multiple user engagement sessions, and use in CC14, CC15, and CC16
• As of March 2017, the latest version is 3.1.5

CIICS: Design
Architecture
• For National and Federated (peer-to-peer) use
• Web based application
Flexibility
• Customizable based on national processes and preferences
Usability
• Easy to use (ISO 9241)
Secure
• Multiple authentication options
• Role based access control
• Logging for audit and accountability
Coordination of cyber information
• Information Sharing Subsystem
Coordination of cyber incidents
• Ticket Management Subsystem

CIICS: Login and dashboard

CIICS: Incident Sharing
• An attack is detected on a Canadian system.
• The Incident Handling Officer (IHO) creates an incident.
• The Canadian IHO informs the community.
• Shortly thereafter, it seems that a range of IPs based in Romania and the Netherlands may also be infected.
• The real scope of the attack can now be understood.

CIICS: Create new tickets

CIICS: Forensics template

CIICS: Joint Ticket Template

CIICS: Joint Coordination Workflow

CIICS: Promoting a local ticket to a joint ticket

CIICS: Anonymization / pseudonymization

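Pseudonymization matters at the moment a local ticket is promoted to a joint ticket: partners need the attacker indicators and the number of affected hosts, but not the identities of the originating nation's internal systems. The block below is an added example, not CIICS code, showing the approach a practitioner would want: a keyed, deterministic pseudonym (HMAC-SHA256) for internal addresses, external addresses left intact, and, for contrast, why an unkeyed hash is not anonymization at all. The ticket field names, the internal ranges, the key and the sample incident are all constructed assumptions.

```python
"""Keyed pseudonymization of internal hosts before a ticket leaves the nation.

Added example, not CIICS code. It assumes the ticket is a plain dict, that the
sharing nation knows its own internal address ranges, and that it holds a secret
key that never leaves the originating nation.
"""
import hashlib
import hmac
import ipaddress
import re
from typing import Dict, List, Optional

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def _is_internal(ip: str, nets: List[ipaddress.IPv4Network]) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def pseudonym(ip: str, key: bytes, label: str = "host") -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated).

    Same key and same IP give the same token, so partners can still count
    distinct victims and see when the same host recurs, yet without the key
    a receiver cannot enumerate the address space to reverse the token."""
    digest = hmac.new(key, ip.encode(), hashlib.sha256).hexdigest()
    return f"{label}-{digest[:12]}"


def pseudonymize_text(text: str, key: bytes, nets: List[ipaddress.IPv4Network]) -> str:
    """Replace internal IPs embedded in free text. Attacker infrastructure
    (external IPs) is the indicator partners need, so it is left untouched."""
    def repl(match):
        ip = match.group(0)
        return pseudonym(ip, key) if _is_internal(ip, nets) else ip
    return IPV4_RE.sub(repl, text)


def pseudonymize_ticket(ticket: Dict, key: bytes, internal_cidrs: List[str]) -> Dict:
    """Produce the copy that is promoted to the joint ticket; the original stays local."""
    nets = [ipaddress.ip_network(c) for c in internal_cidrs]
    shared = dict(ticket)
    shared["affected_hosts"] = [pseudonymize_text(h, key, nets) for h in ticket["affected_hosts"]]
    shared["description"] = pseudonymize_text(ticket["description"], key, nets)
    return shared


def unkeyed_pseudonym(ip: str) -> str:
    """The weak alternative: an unkeyed hash looks opaque but is reversible."""
    return hashlib.sha256(ip.encode()).hexdigest()[:12]


def reverse_unkeyed(token: str, candidate_net: str) -> Optional[str]:
    """Brute force an unkeyed token over a candidate range. A /24 takes 254 tries;
    the whole IPv4 space is about 4.3 billion hashes, feasible on commodity hardware."""
    for addr in ipaddress.ip_network(candidate_net).hosts():
        if unkeyed_pseudonym(str(addr)) == token:
            return str(addr)
    return None


# Constructed sample data, not a real incident.
SAMPLE_TICKET: Dict = {
    "title": "Beaconing from workstations",
    "affected_hosts": ["10.20.30.44", "10.20.30.45"],
    "description": "10.20.30.44 and 10.20.30.45 connect to 203.0.113.77:443 every 60s",
}
INTERNAL_CIDRS = ["10.0.0.0/8"]
NATIONAL_KEY = b"example-key-held-only-by-the-originating-nation"  # assumption

if __name__ == "__main__":
    print(pseudonymize_ticket(SAMPLE_TICKET, NATIONAL_KEY, INTERNAL_CIDRS))
    weak = unkeyed_pseudonym("10.20.30.44")
    print("unkeyed token", weak, "reverses to", reverse_unkeyed(weak, "10.20.30.0/24"))
```

Two operational caveats follow from the construction. Because the pseudonym is deterministic under one key, partners can link the same host across everything shared under that key; rotating the key per incident limits that linkage to one case. And since the input domain is tiny, anyone who obtains the key can reverse every token, so the key belongs only to the originating nation, alongside the local-to-pseudonym mapping it needs to act on partner feedback.
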
CIICS: Workflow Configuration
The ticketing workflow is customizable; states and state transitions are highly configurable and are dynamically presented to the user based on the programmed flow.

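A configurable workflow of this kind is a data-driven state machine, and the security point is that the "dynamic presentation" to the user is a rendering of the allowed transitions, not the control itself: the engine must reject any transition the configuration or the user's role does not permit, regardless of what the UI showed. The following is an added example, not CIICS code: states, transitions and role requirements are declared as data, validated at load time, and enforced server-side. The sample flow (including a "promote to joint" step restricted to the IHO role) is constructed for illustration and is not the product's default workflow.

```python
"""Configurable ticket workflow: states and transitions defined in data,
validated at load time, enforced server-side, and the permitted next steps
rendered per user. Added example, not CIICS code; the flow below is constructed."""
from dataclasses import dataclass
from typing import FrozenSet, List, Set


@dataclass(frozen=True)
class Transition:
    name: str               # action label shown to the user
    src: str
    dst: str
    roles: FrozenSet[str]   # roles allowed to trigger it


class WorkflowError(Exception):
    pass


class Workflow:
    def __init__(self, states: List[str], initial: str, transitions: List[Transition]):
        self.states = set(states)
        self.initial = initial
        self.transitions = transitions
        self._validate()

    def _validate(self) -> None:
        """Reject configurations that reference undeclared or unreachable states."""
        if self.initial not in self.states:
            raise WorkflowError(f"initial state {self.initial!r} not declared")
        for t in self.transitions:
            for s in (t.src, t.dst):
                if s not in self.states:
                    raise WorkflowError(f"transition {t.name!r} references undeclared state {s!r}")
        reachable, frontier = {self.initial}, [self.initial]
        while frontier:
            s = frontier.pop()
            for t in self.transitions:
                if t.src == s and t.dst not in reachable:
                    reachable.add(t.dst)
                    frontier.append(t.dst)
        unreachable = self.states - reachable
        if unreachable:
            raise WorkflowError(f"unreachable states: {sorted(unreachable)}")

    def available(self, state: str, roles: Set[str]) -> List[str]:
        """What the UI should render for this user in this state."""
        return sorted(t.name for t in self.transitions if t.src == state and t.roles & roles)

    def apply(self, state: str, action: str, roles: Set[str]) -> str:
        """Server-side enforcement: the rendered menu is not the access control."""
        for t in self.transitions:
            if t.src == state and t.name == action:
                if not (t.roles & roles):
                    raise WorkflowError(f"role(s) {sorted(roles)} may not {action!r} from {state!r}")
                return t.dst
        raise WorkflowError(f"no transition {action!r} from state {state!r}")


# Constructed sample configuration (illustrative, not the CIICS default flow).
SAMPLE_WORKFLOW = Workflow(
    states=["new", "analysis", "joint", "contained", "closed"],
    initial="new",
    transitions=[
        Transition("start analysis", "new", "analysis", frozenset({"analyst", "iho"})),
        Transition("promote to joint", "analysis", "joint", frozenset({"iho"})),
        Transition("mark contained", "analysis", "contained", frozenset({"analyst", "iho"})),
        Transition("mark contained", "joint", "contained", frozenset({"iho"})),
        Transition("close", "contained", "closed", frozenset({"iho"})),
        Transition("reopen", "closed", "analysis", frozenset({"iho"})),
    ],
)


def run_sample() -> str:
    """Walk one ticket through the flow as an analyst and then an IHO; returns the final state."""
    state = SAMPLE_WORKFLOW.initial
    state = SAMPLE_WORKFLOW.apply(state, "start analysis", {"analyst"})
    state = SAMPLE_WORKFLOW.apply(state, "promote to joint", {"iho"})
    state = SAMPLE_WORKFLOW.apply(state, "mark contained", {"iho"})
    return SAMPLE_WORKFLOW.apply(state, "close", {"iho"})


if __name__ == "__main__":
    print(SAMPLE_WORKFLOW.available("analysis", {"analyst"}))
    print(run_sample())
```

Validating reachability at load time catches a common misconfiguration in editable workflows: a state that tickets can never enter, or worse, one they can enter but never leave, which silently strands incidents.
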
CIICS: Community WIKI (COI)

CIICS: Adding pages

CIICS: COI page overview

CIICS: Reference library

CIICS: Reference library - STIX

CIICS: Federation
• 36 Eligible Nations (NATO Nations, 7 NNN Partners, NATO)
• Eligibility for any other partner is on a case by case basis at the discretion of the Project Board
• A nation does not need to join the MN CD2 Programme in order to join the Federation

CIICS: Workshop, 8 May 2017
CIICS Workshop Topics
• Interoperability
• CIICS usage
• National CSIRTs
• Federated Mission Networking
• Classification
  • Threat intelligence is often unclassified
  • Incident handling is often classified
• Centralized vs. distributed deployment
• Licensing and enhancements
CIICS Workshop Details
• Logistics
  • Date: 8 MAY 2017
  • Location: NCI Agency, The Hague, NLD
• Objective
  • Bring together 36 Nations to explore use of CIICS
• Contact
  • Sarah Brown, NCI Agency [[email protected]]

MNCD2: Cyber Defence Situational Awareness (CDSA)
OBJECTIVE: the ability for nations to perceive and understand the current status of cyber space and to project changes in the near future
STATUS: Best-match commercial software identified

CDSA: CD SA process overview

CDSA: Scenarios

CDSA: Process
[Diagram: down-select of candidate solutions]
• Initial candidates (17): Raytheon; HP ES; Deloitte; IBM; Thales Communications & Security; TeraMach Technologies Inc.; General Dynamics Mission Systems; BT Security; RSA; Codenomicon; Oracle; Solana Networks Inc.; SMT; Secure Decisions; RHEA; Compusult; Northrop Grumman. Listed alongside: MN CD2 CIICS, MITRE Corporation.
• Shortlist (13): Raytheon; HP ES; Deloitte; IBM; Thales Communications & Security; General Dynamics Mission Systems; BT Security; RSA; Codenomicon; Oracle; Solana Networks Inc.; SMT; Northrop Grumman. Listed alongside: MN CD2 CIICS, MITRE Corporation.
• Down-select (4): GD-MS Canada; Forcepoint; RSA; HPE.
• Final candidates (2): Forcepoint; HPE.

CDSA: Final candidate progress
[Chart: percentage of scenario steps achieved (0 to 1) per assessment event for Forcepoint and HPE, at Pre-FAT, FAT, SAT 1 and SAT 2; legend: A little, Half, Mostly, Fully. Bar values are not recoverable from the transcript.]

CDSA: CD SA result and way forward
• Final report shared with NATO
• Many residual benefits to Nations through the project
• Nations have Virtual Machines for further testing
• Nations can engage NCI Agency jointly or individually for procurement
Combined weighted score: FP (Forcepoint) 51.6, HPE 63.9
[Chart: criteria weighting; category labels not recoverable from the transcript]

Future Work
• Cyber Deception: Honey Net
• Cyber Deception: Honey Token (?)