
Cyber Defence – Incident Management

On 29 February 2012, Finmeccanica and its partner Northrop Grumman were awarded a contract by NATO Consultation, Command and Control (NATO C3) Agency to develop, implement and support the NATO Computer Incident Response Capability (NCIRC) and provide information assurance to around 50 NATO sites and headquarters throughout 28 countries worldwide. The contract marks a significant step forward in an international approach to the increasingly strategic issue of Cyber Defence. In this article, the Vega / Finmeccanica Cyber Solutions team describes the importance of a dedicated Computer Incident Response Capability and the role this has in evolving and maintaining a co-ordinated response to the borderless threat of cyber-attack.

Introduction

The way in which we use computers has changed dramatically over the last few years. When NATO was formed over 60 years ago, you would be hard pushed to find a computer that weighed less than one ton; today computers are a part of our everyday life. The threat landscape in which we use our computer systems has become a more volatile and dangerous environment, and, as a result, we must look again at our response to computer security threats. In a study of attitudes to cyber defence, published in January 2012 by the Brussels-based defence think tank SDA, 36 per cent of respondents rated cyber security as more important than missile defence. Defence organisations such as NATO, the US DoD and the UK MOD all realise that in addition to Air, Land and Sea, there is a fourth warzone with which we are now faced – Cyberspace.

History

In April and May 2007, a massive Denial of Service (DoS) attack temporarily crippled Estonia’s national Internet infrastructure when a series of major cyber-attacks were launched against public and private institutions in Estonia. The attacks continued until mid-June, with websites belonging to the President, Parliament, Ministries, major news outlets and Estonia’s two primary banks having been impacted. Estonia’s Defence Minister called the attacks “A national security situation. It can effectively be compared to when your ports are shut to the sea.” Whilst not the first attack against a nation state, this particular incident was different: it represented the first time that a NATO member state had formally requested assistance in defending its digital assets. At the time it was clear that the NATO Alliance lacked the full capability to respond. Jump forward five years, and today the same problem of sophisticated attacks remains a priority risk. This threat has become known as the “APT” – Advanced Persistent Threat. However, today NATO is not alone in being targeted; in addition to the APT, “Hacktivism” attacks from groups such as Anonymous and LulzSec have become an additional threat vector, with major breaches being disclosed by organisations worldwide almost weekly.

The importance of understanding Enterprise networks and Incident Management has become critical to any successful organisation. More than ever it is fundamental for any organisation with a presence in ‘cyberspace’ to understand and manage its risks in order to reduce the potential harm.

The history of Computer Emergency Response Teams (CERTs) is linked to the existence of computer worms. Whenever a new technology arrives, its misuse is not long in following. The first worm to hit the Internet was detected on 3 November 1988, when the so-called Morris Worm paralysed a good percentage of it. This led to the formation of the first CERT at Carnegie Mellon University under U.S. Government contract. The concept of an organisational structure to handle incidents and manage alerts gradually grew with each new worm and virus to hit the Internet. With the considerable growth in the use of Information and Communications Technologies over the subsequent years, the now-generic term 'CERT'/'CSIRT' refers to an essential part of most large organisations' structures. Beyond responding to discrete computer security incidents, a robust incident management capability enhances the ability of an organisation to understand and respond to cyber threats.

Incident Management

Military organisations and Defence contractors have, for a number of years, been the primary focus of the APT attacks that have been detected, and in most cases they are aware of the problems faced across their networks. Where there is a security breach (and there will always be a breach), an appropriately trained and equipped CERT should be available to investigate, identify and assist in the recovery from such attacks. For any organisation to recover from an attack, its CERT must follow an appropriate procedure to investigate the incident and recover the impacted business.

Computer security incident management involves the monitoring and detection of security events on a computer or computer network, and the execution of proper responses to those events. It is a specialised form of incident management, the primary purpose of which is the development of a well understood and predictable response to damaging events and computer intrusions.

Incident Management is a key component of Cyber Defence. Current thinking suggests that despite rigorous security measures, if the assets held within the network are of sufficient value, and the attacker is sufficiently well motivated and funded, then a network’s cyber defences will be breached.

Attention must therefore be directed to minimising the damage done by an attack. The time to detect a breach must be minimised, a response must be quickly initiated that is proportional to the nature of the breach and the risk inherent within the network, and a recovery programme initiated.

While many military organisations have mature and robust CERTs, the nature of the cyber threat is such that the boundaries between military and industry/civil organisations are often blurred. Theft of military information, industrial intellectual property or disruption of civilian infrastructure is all likely to be attractive to an attacker. Therefore, Incident Response must consider all communities and must seek to provide solutions across domains. Furthermore, CERT capabilities must develop at the same pace as attacks, as new vulnerabilities, exploits and malware appear daily, with little respect for governance processes or international treaties. Where an organisation has a capable incident response team, the advantages are clear:

  • The team ensures that the organisation is prepared in advance for handling any system intrusion attempts, attacks or interruptions.
  • It improves the likelihood of successfully recovering from a system intrusion attempt, attack or interruption.
  • There is a technical capability to assess whether the interruption was accidental or intentional in nature.
  • It provides alternative assessments and perspectives of the system intrusion attempt, attack or interruption where the determination is problematic, as well as during investigative management procedures.


Call to Action

For NATO and other Defence organisations to respond actively to the latest threats, there is much groundwork that must be considered first. A robust CERT framework for incident response is essential:

  • A CERT framework for managing intelligence on attacks, vulnerabilities, exploits and malware in real time, so that this intelligence can be collected and propagated to stakeholders quickly and defences and recovery mechanisms can be shared. This CERT framework needs to address the problems that restrict sharing of CERT information, such as national sovereignty, governance processes, classification, intellectual property, and anxieties such as reputation.
  • An organisation’s senior management must understand the threats to their network, especially with the threat of punitive fines from the European Union looming when companies lose personal data. Management must be confident that their organisation has a suitable detection and remediation capability. Additionally, they must be sure that their CERT is adequately trained, and has the sufficient skill levels and tools to react to any threat posed to the networks protected.
  • As cyber threats recognise neither state borders nor organisational boundaries, co-operation with partners on cyber defence is an important element of any CERT. Engagement with partners can be tailored and based on shared values and common approaches. In the case of NATO and the MOD, the expertise, intelligence and experience of the private sector are essential; our adversaries are sharing information, so must we.
  • Sharing of attack intelligence must happen as soon as possible to enable other peer organisations to conduct preventative actions promptly.
  • Organisations must ensure their CERT engages with other organisations. If they fail to do so, there is a risk of information critical to an organisation's cyber defence being overlooked.
  • Development of techniques to achieve rapid detection through normalisation of network activity, to achieve Information Fidelity and allow anomalous behaviour such as APT to be rapidly detected.
  • A risk-based CERT methodology to help structure responses in a way which is proportional to the network/assets under attack and recognises the nature, dimension and motivation of the attack.
  • Consideration of the legal, political and commercial factors in a CERT response that will often cross multiple national, military and commercial domains, including the fine line between defence and counter-attack. Memoranda of Understanding (MoU) and Non-Disclosure Agreements (NDA) are essential in providing a framework in which CERTs are able to share intelligence.
  • Development of CERT capabilities from skills to tools to operational experience through a combination of education, simulation and operational exercises.
  • Development of forensic and recovery techniques to assist CERT in identification of the target, techniques, origin and motivation of an attack.

The points laid out above illustrate the key processes and frameworks required to conduct cyber incident management. A CERT must be capable, have good intelligence, understand the threats posed by its adversaries, and critically it must understand what it is defending. As Sun Tzu wrote in ‘The Art of War’, “Know thyself, know thy enemy. A thousand battles, a thousand victories.”