Homeland Security Perspectives for Building Cyber Security Capacity, Capability, & Resilience
Franco Cappa, CISSP, Cyber Security Advisor, Office of Cybersecurity & Communications, National Protection and Programs Directorate
Homeland Security
Warren Buffett said, at Berkshire Hathaway’s annual shareholders’ meeting:
“I don't know that much about cyber, but I do think that's the number one problem with mankind.”
Cyberspace: Foundational to Our World
• Automation, technology, and network communications have become increasingly essential to our daily lives.
• The amount of information and data stored has grown.
• There is a vast interconnectedness of relationships and dependencies, for example:
  • Government
  • Private sector
  • International third‐party vendors
  • Linkages within organizations
• As a result, the country is dependent on the cyber resilience of its critical infrastructure, such as the power grid, banking and financial systems, telecommunications, etc.
Some Statistics …
• 91 percent of hacks begin with an email
• 1 in 131 emails contains malware
• More than 4,000 ransomware attacks occur every day
• Ransomware attacks increased by 36 percent in 2017
• The average amount demanded after a ransomware attack is about $1,077
• In 2017, 6.5 percent of people fell victim to identity fraud
• It takes an average of 197 days for most businesses to detect a breach
• 43 percent of cyber attacks are aimed at small businesses
• China is the country with the highest number of malware‐infected computers in the world
A Growing Challenge
• Scale: The number of cyber attacks has never been greater.
• Sophistication: Cyber attacks are increasing in complexity.
• Trends: Attackers are increasing their advantage.
• Attack Surface: Growing volumes of data = more targets.
Critical Infrastructure Information Act of 2002
The Protected Critical Infrastructure Information (PCII) program protects infrastructure information voluntarily shared with DHS. The PCII program was created by Congress in the Critical Infrastructure Information Act of 2002, ensuring that PCII in the government’s hands is protected from disclosure.
PCII cannot:
• Be disclosed through a Freedom of Information Act (FOIA) request or through a request under a similar State, local, tribal, or territorial disclosure law;
• Be disclosed in civil litigation; or
• Be used for regulatory purposes.
What Is Cyber Resilience?
“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”
‐ Presidential Policy Directive PPD‐21, February 12, 2013
Protect (Security) · Sustain (Continuity) · Perform (Capability) · Repeat (Maturity)
Convergence of Cyber and Physical Security
PPD‐21 identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”.
• Smart cars
• Smart grids
• Smart medical devices
• Smart manufacturing
• Smart homes
and so on …
Critical Infrastructure (CI) Sectors
Election Infrastructure
Election Infrastructure includes but is not limited to:
• Voter registration databases and associated IT systems
• IT infrastructure and systems used to manage elections (such as the counting, auditing and displaying of election results, and post-election reporting to certify and validate results)
• Voting systems and associated infrastructure
• Storage facilities for election and voting system infrastructure
• Polling places, to include early voting locations
US Electoral Process
The Challenge
1. Cyber operations that target our election infrastructure, such as voting machines and voting databases
2. Foreign malign influence operations designed to influence the views of voters, depress voter turnout, or undermine confidence in election results.
DHS views voters, campaigns, political entities, and elections infrastructure as potential targets of threat actors who seek to undermine the confidentiality, integrity, or availability of election-related information and systems.
The Current Situation
Secretary Nielsen recently stated that the Department of Homeland Security “has not detected attempts by foreign adversaries, including Russia and China, intended to penetrate American election infrastructure a month ahead of the 2018 midterm elections, though the possibility still exists that they and other actors may still make those kinds of attempts”.
However, we continue to see foreign actors using a pervasive messaging campaign to try to weaken and divide the nation.
National Risk Management Center (NRMC)
National Cyber Strategy—September 2018
Cybersecurity Advisor (CSA) Program in Brief
The CSA Mission:
To provide direct coordination, outreach, and regional support and assistance in the protection of cyber components essential to the Nation’s Critical Infrastructure.
In service of this mission, CSAs are guided by the following goals:
– Assess: Assess critical infrastructure cyber risk.
– Promote: Promote best practices and risk mitigation strategies.
– Build: Initiate, build capacity, and support cyber communities‐of‐interest and working groups.
– Educate: Educate and raise awareness.
– Listen: Collect stakeholder requirements.
– Coordinate: Coordinate incident support and lessons‐learned.
A Wide Range of Offerings for CI
• National Cybersecurity and Communications Integration Center (NCCIC)
  • National CERT
  • Remote / On‐Site Assistance
  • Malware Analysis
  • Cyber Exercise Program
  • Hunt/HIRT
• Cyber Security Advisors
• Protective Security Advisors
• Preparedness Activities
  • National Cyber Awareness System
  • Vulnerability Notes Database
  • Technical Threat Indicators
  • Cybersecurity Training
  • Information Products and Recommended Practices
• National Cybersecurity Assessments and Technical Services (NCATS) Evaluations
  • Cyber Hygiene Service
  • Risk and Vulnerability Assessment (aka “Pen” Test)
  • Phishing Campaign Assessment
  • Validated Architecture Design Review (VADR)
• Cyber Security Evaluation Tool (CSET)
• Facilitated Cyber Security Evaluations
  • Cyber Resilience Review (CRR)
  • Cyber Infrastructure Survey (CIS)
  • External Dependencies Management (EDM) Assessment
NCCIC in Brief
The mission of the National Cybersecurity and Communications Integration Center (NCCIC) is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation’s flagship cyber defense, incident response, and operational integration center.
Core functions include:
• information exchange,
• training and exercises,
• risk and vulnerability assessments,
• data synthesis and analysis,
• operational planning and coordination,
• watch operations, and
• incident response and recovery.
NCCIC Services for Private Industry
Cybersecurity Assessments, ordered from strategic (high‐level) to technical (low‐level):
- Cyber Resilience Review
- External Dependencies Management
- Cyber Infrastructure Survey
- Cybersecurity Evaluations Tool
- Phishing Campaign Assessment
- Vulnerability Scanning / Hygiene
- Validated Architecture Design Review
- Risk and Vulnerability Assessment
Information sharing
Automated Indicator Sharing (AIS) enables the bidirectional sharing of IOCs between the Federal Government and AIS partners in real time by leveraging industry standards for machine-to-machine communication: STIX files are exchanged through the Trusted Automated eXchange of Indicator Information (TAXII™).
Cyber Information Sharing and Collaboration Program (CISCP) provides participants with a range of timely and actionable products, including threat/vulnerability indicators, early warnings and alerts focused on single threats/vulnerabilities expected to impact critical infrastructure, and recommended practices. CISCP supports data flow and analytical collaboration to support cyber threat information sharing across each of the 16 CI sectors.
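To make the AIS mechanism concrete, here is an added example (not DHS, AIS or TAXII code) that consumes a minimal STIX 2.1 indicator bundle of the kind a TAXII feed delivers and checks DNS resolver log lines against the shared domain and address indicators. The bundle, its IDs, the domain `update.example.invalid`, the TEST-NET-3 addresses and the log lines are all constructed sample data; the pattern handling covers only simple equality comparisons, not the full STIX patterning language.

```python
import json
import re

# Constructed sample: a minimal STIX 2.1 bundle of the kind an AIS/TAXII feed
# delivers. IDs and indicator values are placeholders, not real IOCs.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000aa",
            "created": "2018-10-01T00:00:00.000Z",
            "modified": "2018-10-01T00:00:00.000Z",
            "name": "Constructed C2 domain (placeholder)",
            "pattern": "[domain-name:value = 'update.example.invalid']",
            "pattern_type": "stix",
            "valid_from": "2018-10-01T00:00:00Z",
        },
        {
            "type": "indicator",
            "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-0000000000bb",
            "created": "2018-10-01T00:00:00.000Z",
            "modified": "2018-10-01T00:00:00.000Z",
            "name": "Constructed C2 addresses (placeholder, TEST-NET-3)",
            "pattern": "[ipv4-addr:value = '203.0.113.77' OR ipv4-addr:value = '203.0.113.78']",
            "pattern_type": "stix",
            "valid_from": "2018-10-01T00:00:00Z",
        },
    ],
})

# Matches one "object-type:property = 'value'" comparison inside a STIX pattern.
COMPARISON = re.compile(r"([a-z0-9-]+):([a-z0-9_.]+)\s*=\s*'([^']*)'")


def extract_observables(bundle_json):
    """Return {(object_type, property): {value, ...}} for every equality
    comparison in every indicator's pattern. Only simple equality terms are
    handled; other operators would need a full STIX pattern parser."""
    bundle = json.loads(bundle_json)
    observables = {}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for obj_type, prop, value in COMPARISON.findall(obj["pattern"]):
            observables.setdefault((obj_type, prop), set()).add(value)
    return observables


# Constructed DNS resolver log lines: "timestamp client_ip query answer".
SAMPLE_DNS_LOG = [
    "2018-10-02T08:01:10Z 10.0.5.21 www.example.com 93.184.216.34",
    "2018-10-02T08:01:42Z 10.0.5.21 update.example.invalid 203.0.113.77",
    "2018-10-02T08:02:05Z 10.0.7.9 mail.example.com 198.51.100.10",
    "2018-10-02T08:03:30Z 10.0.9.3 cdn.example.net 203.0.113.78",
]


def match_dns_log(lines, observables):
    """Flag log lines whose queried name or resolved address appears in the
    shared indicators. Returns (client_ip, matched_value, indicator_kind)."""
    bad_domains = observables.get(("domain-name", "value"), set())
    bad_ips = observables.get(("ipv4-addr", "value"), set())
    hits = []
    for line in lines:
        _ts, client, query, answer = line.split()
        if query in bad_domains:
            hits.append((client, query, "domain-name"))
        if answer in bad_ips:
            hits.append((client, answer, "ipv4-addr"))
    return hits


if __name__ == "__main__":
    obs = extract_observables(SAMPLE_BUNDLE)
    for hit in match_dns_log(SAMPLE_DNS_LOG, obs):
        print("indicator match:", hit)
```

In a real deployment the bundle would arrive over TAXII rather than as an inline string, and the matches would feed a SIEM or ticketing queue rather than standard output; the point here is that the indicator types and the log fields line up directly once the pattern is decomposed.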
Proactive Threat Hunt
What is it?
• An on‐site deployment of Subject Matter Experts to search for malicious activity through the examination of a network environment for exploitation tools, tactics, procedures, and associated artifacts
• An asset owner‐driven request
• Uses a risk review to scope the breadth of the Proactive Hunt
• If malicious activity is observed during a hunt, move to Incident Response
• Host Analysis:
  ‐ Running Processes and Services
  ‐ Installed Applications
  ‐ Run Key and Scheduled Tasks
  ‐ Prefetch and ShimCache
• Network Analysis:
  ‐ DNS Traffic
  ‐ Remote Desktop Sessions
  ‐ Cross‐Boundary and Malformed SMB
  ‐ Telnet, SSH, and PowerShell terminals
• DMZ Analysis:
  ‐ SMB Traffic
  ‐ Web Shell Presence
  ‐ Co‐located Website Log File Review
  ‐ SQL Injection
• ICS Analysis:
  ‐ Analyze Netflow Patterns and Anomalies
  ‐ Map Network Communication Paths
  ‐ Inter‐Enclave Traffic Evaluation
  ‐ Protocol Analysis
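As an added example (not NCCIC's hunt tooling), the script below shows what the network and ICS analysis steps above look like in code: it maps communication paths between network zones from netflow-style records and evaluates inter-enclave traffic, flagging cross-boundary SMB, Remote Desktop sessions that do not originate from the management zone, and telnet or Modbus leaving its enclave. The zone ranges, the policy table and the flow records are assumptions made up for the example; a real review takes them from the asset owner's network diagrams and collected flow data.

```python
import ipaddress
from collections import Counter

# Constructed zone map for a small enterprise with an ICS enclave, ordered from
# most to least specific so that lookup picks the narrowest matching range.
ZONES = [
    ("management", ipaddress.ip_network("10.250.0.0/24")),
    ("corporate", ipaddress.ip_network("10.0.0.0/16")),
    ("ics", ipaddress.ip_network("172.16.0.0/16")),
    ("dmz", ipaddress.ip_network("192.0.2.0/24")),
]


def zone_of(ip):
    """Name of the zone an address belongs to; anything unlisted is external."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES:
        if addr in net:
            return name
    return "external"


# Constructed netflow-style records: (src, dst, dst_port, proto, bytes).
SAMPLE_FLOWS = [
    ("10.0.3.14", "10.0.3.20", 445, "tcp", 120000),     # SMB inside corporate: expected
    ("192.0.2.10", "10.0.3.20", 445, "tcp", 8000),      # DMZ -> corporate SMB: crosses a boundary
    ("10.250.0.5", "172.16.1.9", 3389, "tcp", 500000),  # management -> ICS RDP: allowed
    ("10.0.3.14", "172.16.1.9", 3389, "tcp", 300000),   # corporate -> ICS RDP: not allowed
    ("198.51.100.7", "192.0.2.10", 443, "tcp", 2000),   # external -> DMZ web: expected
    ("172.16.1.9", "198.51.100.9", 23, "tcp", 900),     # ICS -> external telnet: enclave egress
    ("10.0.3.14", "172.16.1.9", 502, "tcp", 1500),      # corporate -> ICS Modbus: unexpected path
]

# Simplified policy: for each service port, the (src_zone, dst_zone) pairs the
# asset owner expects to see. Ports not listed are not judged by this table.
POLICY = {
    445: {("corporate", "corporate"), ("management", "corporate"), ("ics", "ics")},
    3389: {("management", "corporate"), ("management", "ics"), ("management", "dmz")},
    23: set(),               # telnet is never expected between zones
    502: {("ics", "ics")},   # Modbus stays inside the ICS enclave
}


def evaluate_flows(flows):
    """Return findings for flows that cross an enclave boundary in a way the
    policy does not allow, plus any flow leaving the ICS enclave for the
    Internet regardless of port."""
    findings = []
    for src, dst, port, _proto, _nbytes in flows:
        sz, dz = zone_of(src), zone_of(dst)
        if sz == "ics" and dz == "external":
            findings.append(("ics-egress-to-external", src, dst, port))
            continue
        if port in POLICY and (sz, dz) not in POLICY[port]:
            findings.append((f"port-{port}-cross-boundary", src, dst, port))
    return findings


def map_paths(flows):
    """Count observed communication paths as (src_zone, dst_zone, dst_port);
    this is the 'map network communication paths' step in table form."""
    return Counter((zone_of(s), zone_of(d), p) for s, d, p, _, _ in flows)


if __name__ == "__main__":
    for path, count in sorted(map_paths(SAMPLE_FLOWS).items()):
        print("path", path, "flows:", count)
    for finding in evaluate_flows(SAMPLE_FLOWS):
        print("finding:", finding)
```

The path map is what the hunt team compares against the owner's expected architecture; the policy table encodes that expectation so the evaluation is repeatable. Protocol analysis (malformed SMB, for instance) needs packet payloads rather than flow records and is not covered by this block.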
Incident Reporting/Response/Hunting
FOUO / UNCLASS
NCCIC’s Hunt and Incident Response Team (HIRT)
Provides expert intrusion analysis and mitigation guidance to clients who lack the ability to respond to a cyber incident in‐house or require additional assistance.
Supports federal departments and agencies, state and local governments, the private sector (such as industry and critical infrastructure asset owners and operators), academia, and international organizations.
Services:
• Incident Triage
• Network Topology Review
• Infrastructure Configuration Review
• Log Analysis
• Incident Specific Risk Overview
• Hunt Analysis
• Security Program Review
• Malware Analysis
• Mitigation Analysis
• Digital Media Analysis
• Control Systems Incident Analysis
Incident Reporting
NCCIC provides real-time threat analysis and incident reporting capabilities.
• 24x7 contact number: 1-888-282-0870, or https://forms.us-cert.gov/report/
When to Report: if there is a suspected or confirmed cyber attack or incident that:
• Affects core government or critical infrastructure functions;
• Results in the loss of data, system availability, or control of systems;
• Indicates malicious software is present on critical systems.
Malware Submission Process:
• Please send all submissions to the Advance Malware Analysis Center (AMAC) at: [email protected]
• Must be provided in password-protected zip files using password “infected”
• Web submission: https://malware.us-cert.gov
Federal Incident Response
Types of Federal Incident Response
• Threat response includes attributing, pursuing, and disrupting malicious cyber actors and malicious cyber activity. It includes conducting criminal investigations and other actions to counter the malicious cyber activity.
• Asset response includes protecting assets and mitigating vulnerabilities in the face of malicious cyber activity. It includes reducing the impact to systems and/or data; strengthening, recovering and restoring services; identifying other entities at risk; and assessing potential risk to the broader community.
Federal Incident Response—continued
Threat response: FBI, (855) 292-3937 or [email protected]
Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
USSS and ECTFs: secretservice.gov/contact/field-offices
Asset response: DHS NCCIC, (888) 282-0870 or [email protected]
Report suspected or confirmed cyber incidents, including when the affected entity may be interested in government assistance in removing the adversary, restoring operations, and recommending ways to further improve security.
National Cybersecurity Awareness Month
Find out how you can be a cyber advocate. Visit dhs.gov/ncsam.
Toolkit Materials for Different Audiences
Students (K-8, 9-12, and Undergraduate); Parents and Educators; Young Professionals; Older Americans; Government; Industry; Small Business; Law Enforcement
Don’t be a Stranger
STOP. THINK. CONNECT.™ https://www.dhs.gov/stopthinkconnect
BeCyberSmart https://www.dhs.gov/be-cyber-smart
NICCS Portal https://niccs.us-cert.gov
FedVTE https://fedvte.usalearning.gov/
Contact Information
Department of Homeland Security, National Protection and Programs Directorate, Office of Cybersecurity and Communications
General inquiries: [email protected]
Questions?