C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y

CISA CYBER MISSION ANDCYBER RESOURCES

GeorgeW.ReevesCybersecurityAdvisorRegionVI|SouthTexas&NewMexico

2

4

The Nation’sRisk Advisors

5

Significance of Critical Infrastructure

Americaremainsatriskfromavarietyofthreatsincluding:• ActsofTerrorism• CyberAttacks• ExtremeWeather• Pandemics• AccidentsorTechnicalFailures

CriticalInfrastructurereferstotheassets,systems,andnetworks,whetherphysicalorcyber,sovitaltotheNationthattheirincapacitationordestructionwouldhaveadebilitatingeffectonnationalsecurity,theeconomy,publichealthorsafety,andourwayoflife.

6

Critical Infrastructure SectorsCISAassiststhepublicandprivatesectorssecureitsnetworksandfocusesonorganizationsinthefollowing16criticalinfrastructuresectors.

7

Cybersecurity Advisors (CSAs)Toprovidedirectcoordination,outreach,andregionalsupportinordertoprotectcybercomponentsessentialtothesustainability,preparedness,andprotectionoftheNation’sCriticalInfrastructureandKeyResources(CIKR)andState,Local,Tribal,andTerritorial(SLTT)governments.

• Assess:Evaluatecriticalinfrastructurecyberrisk.• Promote:Encouragebestpracticesandriskmitigationstrategies.• Build:Initiate,developcapacity,andsupportcybercommunities-of-interestandworkinggroups.• Educate:Informandraiseawareness.• Listen:Collectstakeholderrequirements.• Coordinate:Bringtogetherincidentsupportandlessonslearned.

8

Critical Infrastructure Sectors

Cybersecurity Resources

9

Cybersecurity Resources and Assessments

RegionalResources:- CyberResilienceReview(CRR)- ExternalDependenciesManagement(EDM)- CyberInfrastructureSurvey(CIS)- Workshops(IncidentMgmt,Resilience)

NationalResources:- PhishingCampaignAssessment(PCA)- CyberTabletopExercises(CTTX)- VulnerabilityScanningService(CyHy)

- WebApplicationScanning(WAS)- ValidatedArchitectureDesignReview(VADR)- RedTeamAssessment(RTA)- Risk&VulnerabilityAssessment(RVA)/(RPT) TECHNICAL

(LOW-LEVEL)

10

Cyber Resilience Review (CRR)Purpose:TheCRRisanassessmentintendedtoevaluateanorganization’soperationalresilienceandcybersecuritypracticesofitscriticalservicesDelivery:TheCRRcanbe

• Facilitated• Self-administered

• Helpspublicandprivatesectorpartnersunderstandandmeasurecybersecuritycapabilitiesastheyrelatetooperationalresilienceandcyberrisk

• BasedontheCERT®ResilienceManagementModel(CERT®RMM)

11

External Dependency Management (EDM)Overview:In2016,DHSlaunchedtheExternalDependenciesManagement(EDM)Assessment,focusingspecificallyonensuringtheprotectionandsustainmentofservicesandassetsthataredependentontheactionsofthird-partyentities.Background:ExternalDependenciesManagementisadomaincoveredbytheCRR.However,EDMandassociatedissues(e.g.,supply-chainmanagement,vendormanagement)arenotaddressedatacomprehensivelevelwithintheCRR,resultinginthecreationofaseparateassessment.LinkagestoCRR:DespiteoperatingatamoregranularlevelthantheCRR,theEDMAssessmentborrowsheavilyfromtheCRR’smethodologicalarchitectureandscoringsystembutremainsaDHS-facilitatedassessment.

EDM process outlined in the External Dependencies Management Resource

Guide

12

Cybersecurity Infrastructure Survey (CIS)Structured,interviewbasedassessment(2½to4hours)ofessentialcybersecuritypracticesin-placeforcriticalserviceswithinyourorganization

Identifiesinterdependencies,capabilities,andtheemergingeffectsrelatedtocurrentcybersecurityposture

Focusesonprotectivemeasures,threatscenarios,andaservicebasedviewofcybersecurityincontextofthesurveyedtopics

BroadlyalignstotheNationalInstituteofStandardsandTechnology(NIST)CybersecurityFramework(CSF)

13

Workshops

CyberResilienceWorkshop• RaiseawarenesstogapsincybermanagementpracticesandtoprocessimprovementsforCIKRandSLTTcommunities.

• Introducesstakeholdersandpractitionerstocyberresilienceconceptsinkeyperformanceareasrelatedtocybersecurity,IToperations,andbusinesscontinuity.

• Reinforcecybersecuritybestpracticesandexamineresilienceconceptsandobjectives.

IncidentManagementWorkshop• Enhancecyberincidentresponseanddiscussfederalcoordinationforincidentnotification,containment,andrecovery.

• WillassistyouinengagingExecutivePersonnelinthecreationofpolicy(ies)necessaryforplandevelopment.

• Provideinsightandastartingpointforyoutocreateyourplan.

14

Critical Infrastructure Sectors

National Cyber Resources

15

Validated Architecture Design Review (VADR)

AnassessmentbasedonFederalandindustrystandards,guidelines,andbestpractices.AssessmentscanbeconductedonInformationTechnology(IT)orOperationalTechnology(OT)infrastructures(ICS-SCADA).

• ReducerisktotheNation’sCriticalInfrastructurecomponents• Analyzesystemsbasedonstandards,guidelines,andbestpractices

• Ensureeffectivedefense-in-depthstrategies• Providefindingsandpracticalmitigationsforimprovingoperationalmaturityandenhancingcybersecurityposture

16

Vulnerability Scanning Service (CyHy)AssessInternetaccessiblesystemsforknownvulnerabilitiesandconfigurationerrors

Workwithorganizationtoproactivelymitigatethreatsandriskstosystems

Activitiesinclude:• NetworkMapping

Ø IdentifypublicIPaddressspaceØ IdentifyhoststhatareactiveonIPaddressspaceØ DeterminetheO/SandServicesrunningØ Re-runscanstodetermineanychangesØ Graphicallyrepresentaddressspaceonamap

• NetworkVulnerability&ConfigurationScanningØ Identifynetworkvulnerabilitiesandweakness

17

Web Application Scanning (WAS)AnInternetbasedscanningservicetoassessthe“health”ofyourpubliclyaccessiblewebapplicationsbycheckingforknownvulnerabilitiesandweakconfigurations.

SCANNINGOBJECTIVES•Maintainenterpriseawarenessofyourpubliclyaccessibleweb-basedassets•Provideinsightintohowsystemsandinfrastructureappeartopotentialattackers•Driveproactivemitigationofvulnerabilitiestohelpreduceoverallrisk

SCANNINGPHASES•DiscoveryScanning:Identifyactive,internet-facingwebapplications•VulnerabilityScanning:Initiatenon-intrusivecheckstoidentifypotentialvulnerabilitiesandconfigurationweaknesses

18

Phishing Campaign Assessment (PCA)Objectives:• Increasecybersecurityawarenesswithinstakeholderorganizations• Decreaseriskofsuccessfulmaliciousphishingattacks,limitexposure,reduceratesofexploitation

Benefits:Ø ReceiveactionablemetricsØ Highlightneedforimprovedsecurity

Training

Scope:Ø 6-weekengagementperiodØ Phishingemailscaptureclick-rateonly,nopayloadswillbeusedØ VaryingLevelsofComplexity-- Levels1- 6(EasytoDifficult)

19

Red Team Assessment (RTA)

AcomprehensiveevaluationofanITenvironment.SimulationofAdvancedPersistentThreats(APT),canassiststakeholdersindeterminingtheirsecurityposturebytestingtheeffectivenessofresponsecapabilitiestoadeterminedadversarialpresence.RTAsarecraftedspecificallytotestthepeople,processes,andtechnologiesdefendinganetwork.

• Teststakeholder’snetworksusingrealworldAPTattackermethodologies

• Evaluatepeople,processes,andtechnologiesresponsiblefordefendingthestakeholder’snetwork

• Providestakeholderexecutivesactionableinsighttotheircybersecuritypostureandpracticaltrainingfortechnicalpersonnel

20

Risk and Vulnerability Assessment (RVA)Apenetrationtest,ortheshortformpentest,isanattackonacomputersystemwiththeintentionoffindingsecurityweaknesses,potentiallygainingaccesstoit,itsfunctionalityanddata.• Involvesidentifyingthetargetsystemsandthegoal,thenreviewingtheinformationavailableandundertakingavailablemeanstoattainthegoal

• Apenetrationtesttargetmaybeawhitebox(whereallbackgroundandsysteminformationisprovided)orblackbox(whereonlybasicornoinformationisprovidedexceptthecompanyname)

• Apenetrationtestwilladviseifasystemisvulnerabletoattack,ifthedefensesweresufficientandwhichdefenses(ifany)weredefeatedinthepenetrationtest

21

Remote Penetration Test (RPT)Utilizesadedicatedremoteteamtoassessandidentifyvulnerabilitiesandworkwithcustomerstoeliminateexploitablepathways.

Ø Focusesonexternallyaccessiblesystems

SCENARIOS:Ø ExternalPenetrationTest:Verifyingifthestakeholdernetworkisaccessiblefromthepublicdomainbyanunauthorizeduserbyassessingopenports,protocols,andservices.

Ø ExternalWebApplicationTest:Evaluatingwebapplicationsforpotentialexploitablevulnerabilities;thetestcanincludeautomatedscanning,manualtesting,oracombinationofbothmethods.

Ø PhishingAssessment:Testingthroughcarefullycraftedphishingemailscontainingavarietyofmaliciouspayloadstothetrustedpointofcontact.

22

Critical Infrastructure Sectors

Information Sharing

23

Automated Indicator Sharing (AIS)

• Automated Indicator Sharing (AIS): Rapid and wide sharing of machine-readable cyber threat indicators and defensive measures at machine-speed for network defense purposes

• AIS is about volume and velocity of sharing indicators, not human validation.

24

Homeland Security Information Network (HSIN)The Homeland Security Information Network (HSIN) provides you with a central, online location for information sharing and collaboration.

A network designed by users, for users

A trusted, secure, virtual platform to work withhomeland security partners in real-time

A platform that supports daily operations, plannedevents and exercises, and incident response

Access HSIN 24x7 through your:

Use HSIN if you want to:q Utilize a trusted, secure network to get information about incidents, plan security for large-

scale events or conduct daily operationsq Share information with trusted colleagues and partners for mission supportq Use geospatial tools to map materials, resources and intelligence informationq Chat securely during emergencies or training exercisesq Send alerts and notifications to your qualified colleagues

For more information, contact the HSIN Outreach Team atHSIN.Outreach@hq.dhs.gov or visit our website at www.dhs.gov/hsin.

25

Critical Infrastructure Sectors

Additional Cyber Resources

26

Enhanced Cybersecurity Services (ECS)AnintrusionpreventioncapabilitythathelpsU.S.-basedcompaniesprotecttheirnetworksagainstunauthorizedaccess,exploitation,anddataexfiltration.

DHSsharessensitiveandclassifiedcyberthreatinformationwithaccreditedCommercialServiceProviders,whousethatinformationtoblockcertaintypesofmalicioustrafficfromenteringtheircustomers’networks.

ECSismeanttoaugment,butnotreplace,yourexistingcybersecuritycapabilities.

Currentlyoffersthefollowingservices:• DNSSinkholing:whichblocksaccesstospecificmaliciousdomains• Email(SMTP)Filtering:whichblocksemailwithspecifiedmaliciouscriteria• Netflow Analysis:whichusespassivedetectiontoidentifythreats

Ifyou’reinterested,contactoneofouraccreditedCommercialServiceProviders:AT&T,CenturyLink,orVerizon.

27

National Cyber Exercise & Planning Program NCEPPdesigns,develops,conducts,andevaluatescyberexercisesrangingfromsmall-scale,limitedscope,discussion-basedexercisestolarge-scale,internationally-scoped,operations-basedexercises.

NCEPPoffersthefollowingservicesatno-costonanas-neededandas-availablebasis:• CyberStormExercise(DHS’sflagshipnationallevelcyberexercise)• CyberGuardPrelude• End-to-EndCyberExercisePlanning• CyberExerciseConsulting• CyberPlanningSupport• Exercise-In-A-Box

28

ICS Training OpportunitiesICS-CERT Virtual Learning Portal (VLP)• Virtual&InstructorLedTraining• NoCostCourses:• IntroductiontoControlSystems

Cybersecurity(101)- 8hrs• IntermediateCybersecurityfor

IndustrialControlSystems(201)- 8hrs• IntermediateCybersecurityfor

IndustrialControlSystems(202)- 8hrs• ICSCybersecurity(301)- 5days• ICSCybersecurity(401)- 5days

https://ics-cert-training.inl.gov/learn

29

Cyber Assessment Qualification Initiative (CQI)

QualifiesteamstoconductassessmentsfollowingCISAstandardsandmethodologies.

CQIisafour-daycoursethatenablesorganizationalteamstolearnandapplyofferedCISAassessmentmethodologiesusingtheCERTSimulated,Training,andExercisePlatform.

CQIwillinitiallyfocusonCISA’sRiskandVulnerabilityAssessments(RVAs).

CQIOBJECTIVES• Qualifyteamstoconductassessmentsinaconsistentmanner.• ProvideCISAwithnon-attributabledatathatwillaideininformingthe

creationandimprovementofcybersecuritypoliciesthroughdata-drivendecision-making.

• StandardizeCISA-offeredassessmentsacrossitsstakeholdersforthird-partyandself-assessmentimplementation.

30

Critical Infrastructure Sectors

Incident Reporting

31

Incident Reporting / Malware Analysis24x7 contact number: 888-282-0870 | CISAServiceDesk@cisa.dhs.gov

Where/How/WhentoReport:https://www.us-cert.gov/forms/report• Ifthereisasuspectedorconfirmedcyberattackorincidentthat:• Affectscoregovernmentorcriticalinfrastructurefunctions;• Resultsinthelossofdata,systemavailability;orcontrolofsystems;• Indicatesmalicioussoftwareispresentoncriticalsystems

AdvancedMalwareAnalysisCenter:• Provides24x7dynamicanalysesofmaliciouscode.Stakeholderssubmitsamplesviaanonlinewebsiteandreceiveatechnicaldocumentoutliningtheresultsoftheanalysis.Expertswilldetailrecommendationsformalwareremovalandrecoveryactivities.

• WebSubmission:https://malware.us-cert.gov

32

Hunt & Incident Response Team (HIRT)

33

GeorgeW.ReevesCybersecurityAdvisor,RegionVISouthTexas&NewMexicoRegionsEmail:george.reeves@cisa.dhs.govCell:(281)714-1259