Incident Response. CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network...
-
Upload
julianna-hilda-armstrong -
Category
Documents
-
view
217 -
download
0
Transcript of Incident Response. CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network...
CSCE 727 - Farkas 2
Reading listReading listRequired:• Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts on a Normative Framework., 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993 Interesting:•Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf •Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt •NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html
CSCE 727 - Farkas 3
Due Care and LiabilityDue Care and Liability
Organizational liability for misuse– US Federal Sentencing Guidelines: chief executive
officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company’s resources.
– Fines and penalties Base fine Culpability score (95%-400%)
– Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations
CSCE 727 - Farkas 7
How to Response?How to Response? Actions to avoid further loss from intrusion Terminate intrusion and protect against reoccurrence Law enforcement – prosecute Enhance defensive security Reconstructive methods based on:
– Time period of intrusion– Changes made by legitimate users during the effected
period– Regular backups, audit trail based detection of effected
components, semantic based recovery, minimal roll-back for recovery.
CSCE 727 - Farkas 8
Roles and ResponsibilitiesRoles and Responsibilities
User: – Vigilant for unusual behavior– Report incidents
Manager:– Awareness training– Policies and procedures
System administration:– Install safeguards– Monitor system– Respond to incidents, including preservation of evidences
CSCE 727 - Farkas 9
Computer Incident Response Computer Incident Response TeamTeam
Assist in handling security incidents– Formal – Informal
Incident reporting and dissemination of incident information
Computer Security Officer– Coordinate computer security efforts
Others: law enforcement coordinator, investigative support, media relations, etc.
CSCE 727 - Farkas 10
Incident Response Process 1.Incident Response Process 1.
Preparation – Baseline Protection – Planning and guidance– Roles and Responsibilities – Training – Incident response team
CSCE 727 - Farkas 11
Incident Response Process 2.Incident Response Process 2.
Identification and assessment– Symptoms– Nature of incident
Identify perpetrator, origin and extent of attack Can be done during attack or after the attack
– Gather evidences Key stroke monitoring, honey nets, system logs, network
traffic, etc. Legislations on Monitoring!
– Report on preliminary findings
CSCE 727 - Farkas 12
Incident Response Process 3.Incident Response Process 3.
Containment– Reduce the chance of spread of incident– Determine sensitive data– Terminate suspicious connections, personnel,
applications, etc.– Move critical computing services– Handle human aspects, e.g., perception
management, panic, etc.
CSCE 727 - Farkas 13
Incident Response Process 4.Incident Response Process 4.
Eradication– Determine and remove cause of incident if
economically feasible– Improve defenses, software, hardware,
middleware, physical security, etc.– Increase awareness and training– Perform vulnerability analysis
CSCE 727 - Farkas 14
Incident Response Process 5.Incident Response Process 5.
Recovery– Determine course of action– Reestablish system functionality– Reporting and notifications– Documentation of incident handling and
evidence preservation
CSCE 727 - Farkas 15
Follow Up ProceduresFollow Up Procedures
Incident evaluation:– Quality of incident (preparation, time to
response, tools used, evaluation of response, etc.)
– Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.)
Preparing reportRevise policies and procedures
CSCE 727 - Farkas 16
What is “Survivability”?What is “Survivability”?
To decide whether a computer system is “survivable”, you must first decide what “survivable” means.
CSCE 727 - Farkas 17
Vulnerable ComponentsVulnerable Components
1. Hardware2. Software3. Data4. Communications5. People
CSCE 727 - Farkas 18
Effect Modeling and Vulnerability Effect Modeling and Vulnerability DetectionDetection
Cascading effects
Seriously effectedcomponents
Weaklyeffected component
Not effectedcomponents
CSCE 727 - Farkas 19
Legal AspectsLegal Aspects National law International law Legal regime to apply Gray areas of law Legal response Evidence preservation
THEMIS: Threat Evaluation Metamodel for Information Systems
Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004
Csilla Farkas, Thomas Wingfield, James B. MichaelDuminda Wijesekera
Themis, Goddess of Justice
CSCE 727 - Farkas 21
Attacks Against Critical Attacks Against Critical InfrastructuresInfrastructures
Swedish hacker jammed 911 in central Florida in 1997 Juvenile hacker penetrated and disabled a telco computer
servicing Worcester Airport in March 1997 Brisbane hacker used radio transmissions to create raw
sewage overflows on Sunshine coast in 2000 Hackers broke into Gazprom’s system controlling gas
flows in pipelines in 1999 Hackers got into California Independent Service Operator
(ISO) development network for regional power grid in spring 2001
Numerous denial-of-service attacks against ISPs – some shut down Source: D. Denning Information Warfare
CSCE 727 - Farkas 22
Rules Defining the Use of ForceSchmitt Analysis
Sources:Thomas Wingfield: The Law of Information Conflict:National Security Law in Cyberspace
Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework
CSCE 727 - Farkas 26
Spectrum of Conflict
Art. 39
The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.
CSCE 727 - Farkas 27
Spectrum of Conflict
All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.
Art. 2(4)
CSCE 727 - Farkas 28
Spectrum of Conflict
Art. 51
Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.
CSCE 727 - Farkas 29
Art. 51Art. 2(4)Art. 39
Jus ad bellum applies Jus in bello applies
RESPONSE
Anticipatory
self-defense
Hostile intent Hostile act
Self-defense
Threat of force Use of forceArmed attackThreat to
the peace
Rules Defining the Use of Force
Peacetime regime applies
CSCE 727 - Farkas 30
Cyber vs. Kinetic Attack Academic State-of-the-Art: Effects-Based Analysis Problem: Charter Paradigm Means-Based The Schmitt Reconciliation
– Distinguishing Military from Diplomatic and Economic Coercion
– Seven Factors
Use of Force in Cyberspace
CSCE 727 - Farkas 31
SeverityImmediacyDirectnessInvasivenessMeasurabilityPresumptive LegitimacyResponsibility
Schmitt Factors
CSCE 727 - Farkas 32
Severity
People Killed;Severe Property Damage
Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need.
How many people were killed?
How large an area was attacked? (Scope)
How much damage was done within this area? (Intensity)
People Killed;Severe Property
Damage
People Injured;Moderate
Property Damage
People Unaffected;No Discernable
Property Damage
CSCE 727 - Farkas 33
Immediacy
People Killed;Severe Property Damage
Over how long a period did the action take place? (Duration)
How soon were its effects felt?
How soon until its effects abate?
Seconds to Minutes
Hours to Days
Weeks to Months
The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.
CSCE 727 - Farkas 34
Directness
People Killed;Severe Property Damage
Was the action distinctly identifiable from parallel or competing actions?
Was the action the proximate cause of the effects?
Action Sole Cause of Result
Action Identifiable as One Cause of Result, and to an Indefinite
Degree
Action Played No Identifiable Role in
Result
The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.
CSCE 727 - Farkas 35
Invasiveness
People Killed;Severe Property Damage
Did the action involve physically crossing the target country’s borders?
Was the locus of the action within the target country?
Border Physically Crossed; Action Has
Point Locus
Border Electronically Crossed; Action Occurs
Over Diffuse Area
Border Not Crossed; Action Has No
Identifiable Locus in Target Country
In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
CSCE 727 - Farkas 36
Measurability
People Killed;Severe Property Damage
Can the effects of the action be quantified?
Are the effects of the action distinct from the results of parallel or competing actions?
What was the level of certainty?
Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty
Effects Can Be Estimated by Rough Order of
Magnitude with Moderate Certainty
Effects Cannot be Separated from Those of Other Actions; Overall
Certainty is Low
While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
CSCE 727 - Farkas 37
Presumptive Legitimacy
People Killed;Severe Property Damage
Has this type of action achieved a customary acceptance within the international community?
Is the means qualitatively similar to others presumed legitimate under international law?
Action Accomplished by Means of Kinetic
Attack
Action Accomplished in Cyberspace but Manifested by a
“Smoking Hole” in Physical Space
Action Accomplished in Cyberspace and Effects
Not Apparent in Physical World
In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.
CSCE 727 - Farkas 38
Responsibility
People Killed;Severe Property Damage
Is the action directly or indirectly attributable to the acting state?
But for the acting state’s sake, would the action have occurred?
Responsibility for Action Acknowledged
by Acting State; Degree of Involvement Large
Target State Government Aware of Acting State’s
Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate
Action Unattributable to Acting State; Degree
of Involvement Low
Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).
CSCE 727 - Farkas 39
Overall Analysis
People Killed;Severe Property Damage
Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force?
Use of Force Under Article 2(4)
Arguably Use of Force or Not
Not a Use of Force Under Article 2(4)
CSCE 727 - Farkas 41
THEMISTHEMIS
Attack Response Policy (ARP) language– ARP alphabet and predicates to represent attacks,
consequences, and legal conceptsInteroperable legal ontologiesAttack evaluation and response rulesSWRL - A Semantic Web Rule Language
combining OWL and RuleML
CSCE 727 - Farkas 42
Default policy
Conflict resolution
InteroperableOntologies
ARPspecification
Security Policy Specification
CSCE 727 - Farkas 43
THEMIS THEMIS FUNCTIONALITYFUNCTIONALITY
Computer System
Attacker
Affected Assets
Response
DEFENSEOFFENSE
Policy
Attack
CascadingEffects
Characteristics
CSCE 727 - Farkas 44
Attack Response Attack Response Policy (ARP)Policy (ARP)
ARP alphabet: constant symbols, variables, functions, and terms
ARP predicates: used to build rulesARP rules: reason about the damages, express
legal restrictions, and determine legitimacy of counter actions
CSCE 727 - Farkas 45
ExampleExample Predicates:
– attack(a-id, a-name, orig, targ) – consequence(a-id, c-type, targ)– causes(c-type1, targ1, c-type2, targ 2)
Rule:– attack(a-id, a-name, orig, targ1)
attack(a-id, a-name, orig, targ)
consequence(a-id, c-type, targ)
causes(c-type, targ, c-type1, targ1)