Homeland Security Perspectives for Building Cyber Security Capacity, Capability, & Resilience

Franco Cappa, CISSP
Cyber Security Advisor
Office of Cybersecurity & Communications
National Protection and Programs Directorate


Page 2

“I don't know that much about cyber, but I do think that's the number one problem with mankind.”

‐ Warren Buffett, Berkshire Hathaway’s annual shareholders’ meeting

Page 3

Cyberspace: Foundational to Our World


• Automation, technology, and network communications have become increasingly essential to our daily lives.
• The amount of information and data stored has grown.
• There is a vast interconnectedness of relationships and dependencies, for example:
  • Government
  • Private sector
  • International third‐party vendor linkages within organizations
• As a result, the country is dependent on the cyber resilience of its critical infrastructure, such as the power grid, banking and financial systems, and telecommunications.

Page 4

Some Statistics …


• 91 percent of hacks begin with an email
• 1 in 131 emails contains malware
• More than 4,000 ransomware attacks occur every day
• Ransomware attacks increased by 36 percent in 2017
• The average amount demanded after a ransomware attack is about $1,077
• In 2017, 6.5 percent of people fell victim to identity fraud
• It takes an average of 197 days for most businesses to detect a breach
• 43 percent of cyber attacks are aimed at small businesses
• China is the country with the highest number of malware‐infected computers in the world

Page 5

A Growing Challenge

• Scale: The number of cyber attacks has never been greater.
• Sophistication: Cyber attacks are increasing in complexity.
• Trends: Attackers are increasing their advantage.
• Attack Surface: Growing volumes of data = more targets.

Page 6

Critical Infrastructure Information Act of 2002

The Protected Critical Infrastructure Information (PCII) program protects infrastructure information voluntarily shared with DHS. The PCII program was created by Congress in the Critical Infrastructure Information Act of 2002, ensuring that PCII in the government’s hands is protected from disclosure.

PCII cannot:
• Be disclosed through a Freedom of Information Act (FOIA) request or through a request under a similar State, local, tribal, or territorial disclosure law;
• Be disclosed in civil litigation; or
• Be used for regulatory purposes.

Page 7

What Is Cyber Resilience?

“… the ability to prepare for and adapt to changing conditions and withstand and recover rapidly from disruptions. Resilience includes the ability to withstand and recover from deliberate attacks, accidents, or naturally occurring threats or incidents…”

‐ Presidential Policy Directive – PPD 21, February 12, 2013

The four facets of resilience shown on the slide:
• Protect (Security)
• Sustain (Continuity)
• Perform (Capability)
• Repeat (Maturity)

Page 8

Convergence of Cyber and Physical Security

PPD 21 identifies critical infrastructure as “interdependent functions and systems in both the physical space and cyberspace” and aims to strengthen security and resilience “against both the physical and cyber attacks”.

Examples of that convergence:
• Smart cars
• Smart grids
• Smart medical devices
• Smart manufacturing
• Smart homes
• and so on …

Page 9

Critical Infrastructure (CI) Sectors


Page 10

Election Infrastructure

Election Infrastructure includes but is not limited to:

• Voter registration databases and associated IT systems
• IT infrastructure and systems used to manage elections (such as the counting, auditing and displaying of election results, and post-election reporting to certify and validate results)
• Voting systems and associated infrastructure
• Storage facilities for election and voting system infrastructure
• Polling places, to include early voting locations

Page 11

US Electoral Process

Page 12

The Challenge

1. Cyber operations that target our election infrastructure, such as voting machines and voter databases.

2. Foreign malign influence operations designed to influence the views of voters, depress voter turnout, or undermine confidence in election results.

DHS views voters, campaigns, political entities, and elections infrastructure as potential targets of threat actors who seek to undermine the confidentiality, integrity, or availability of election-related information and systems.

Page 13

The Current Situation

Secretary Nielsen recently stated that the Department of Homeland Security “has not detected attempts by foreign adversaries, including Russia and China, intended to penetrate American election infrastructure a month ahead of the 2018 midterm elections, though the possibility still exists that they and other actors may still make those kinds of attempts”.

However, we continue to see foreign actors using a pervasive messaging campaign to try to weaken and divide the nation.

Page 14

National Risk Management Center (NRMC)

Page 15

National Cyber Strategy—September 2018

Page 16

Cybersecurity Advisor (CSA) Program in Brief

The CSA Mission: 

To provide direct coordination, outreach, and regional support and assistance in the protection of cyber components essential to the Nation’s Critical Infrastructure.

In service of this mission, CSAs are guided by the following goals:

– Assess: Assess critical infrastructure cyber risk.
– Promote: Promote best practices and risk mitigation strategies.
– Build: Initiate, build capacity, and support cyber communities‐of‐interest and working groups.
– Educate: Educate and raise awareness.
– Listen: Collect stakeholder requirements.
– Coordinate: Coordinate incident support and lessons‐learned.

Page 17

A Wide Range of Offerings for CI

• National Cybersecurity and Communications Integration Center (NCCIC)
  • National CERT
  • Remote / On‐Site Assistance
  • Malware Analysis
  • Cyber Exercise Program
  • Hunt/HIRT
• Cyber Security Advisors
• Protective Security Advisors
• Preparedness Activities
  • National Cyber Awareness System
  • Vulnerability Notes Database
  • Technical Threat Indicators
  • Cybersecurity Training
  • Information Products and Recommended Practices
• National Cybersecurity Assessments and Technical Services (NCATS) Evaluations
  • Cyber Hygiene Service
  • Risk and Vulnerability Assessment (aka “Pen” Test)
  • Phishing Campaign Assessment
  • Validated Architecture Design Review (VADR)
• Cyber Security Evaluation Tool (CSET)
• Facilitated Cyber Security Evaluations
  • Cyber Resilience Review (CRR)
  • Cyber Infrastructure Survey (CIS)
  • External Dependencies Management (EDM) Assessment

Page 18

NCCIC in Brief

The mission of the National Cybersecurity and Communications Integration Center (NCCIC) is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation’s flagship cyber defense, incident response, and operational integration center.

Core functions include:
• information exchange,
• training and exercises,
• risk and vulnerability assessments,
• data synthesis and analysis,
• operational planning and coordination,
• watch operations, and
• incident response and recovery.

Page 19

NCCIC Services for Private Industry

Page 20

Cybersecurity Assessments

The slide arranges the assessments along an axis from STRATEGIC (HIGH-LEVEL) to TECHNICAL (LOW-LEVEL):

- CYBER RESILIENCE REVIEW
- EXTERNAL DEPENDENCIES MANAGEMENT
- CYBER INFRASTRUCTURE SURVEY
- CYBERSECURITY EVALUATIONS TOOL
- PHISHING CAMPAIGN ASSESSMENT
- VULNERABILITY SCANNING/ HYGIENE
- VALIDATED ARCHITECTURE DESIGN REVIEW
- RISK AND VULNERABILITY ASSESSMENT

Page 21

Information sharing

Automated Indicator Sharing (AIS) enables the bidirectional sharing of IOCs between the Federal Government and AIS partners in real time by leveraging industry standards for machine-to-machine communication: indicators are exchanged as STIX files through the Trusted Automated eXchange of Indicator Information (TAXII™).

Cyber Information Sharing and Collaboration Program (CISCP) provides participants with a range of timely and actionable products, including threat/vulnerability indicators, early warnings and alerts focused on single threats/vulnerabilities expected to impact critical infrastructure, and recommended practices. It supports data flow and analytical collaboration for cyber threat information sharing across each of the 16 CI sectors.
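The slide names STIX and TAXII but does not show what an AIS consumer does with a STIX file once it arrives. The following is an added example, not code from the presentation or from any DHS/CISA tool: it parses a constructed STIX 2.1 bundle, keeps only the indicators whose validity window covers the current time, and matches them against observations pulled from local telemetry. The bundle contents (ids, addresses, the hash) and the observations are constructed placeholders; the parser deliberately handles only single-comparison patterns and reports compound patterns as unsupported rather than silently dropping them.

```python
import json
import re
from datetime import datetime, timezone

# Constructed sample of a minimal STIX 2.1 bundle, the object format an AIS
# feed delivers over TAXII. Ids, addresses and the hash are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--22222222-2222-4222-8222-222222222222",
         "created": "2018-10-01T00:00:00.000Z", "modified": "2018-10-01T00:00:00.000Z",
         "name": "Constructed C2 address", "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.5']",
         "valid_from": "2018-10-01T00:00:00Z", "valid_until": "2019-10-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--33333333-3333-4333-8333-333333333333",
         "created": "2018-09-15T00:00:00.000Z", "modified": "2018-09-15T00:00:00.000Z",
         "name": "Constructed dropper hash", "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "ab" * 32 + "']",
         "valid_from": "2018-09-15T00:00:00Z"},  # no valid_until: open-ended
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--44444444-4444-4444-8444-444444444444",
         "created": "2018-09-20T00:00:00.000Z", "modified": "2018-09-20T00:00:00.000Z",
         "name": "Constructed compound pattern", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'bad.example'] AND [url:value = 'http://bad.example/x']",
         "valid_from": "2018-09-20T00:00:00Z"},
        {"type": "identity", "spec_version": "2.1",
         "id": "identity--55555555-5555-4555-8555-555555555555",
         "created": "2018-09-01T00:00:00.000Z", "modified": "2018-09-01T00:00:00.000Z",
         "name": "Constructed sharing partner", "identity_class": "organization"},
    ],
})

# A single-comparison STIX pattern: [object-type:property = 'value'].
# Compound patterns (AND/OR/FOLLOWEDBY, ranges, repeats) are out of scope here.
_SIMPLE = re.compile(r"^\[\s*([\w-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def _ts(value):
    """Parse a STIX RFC 3339 UTC timestamp ("Z" suffix) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_indicators(bundle_json):
    """Return (parsed, unsupported): simple indicators as dicts, plus the ids
    of indicators whose pattern this parser does not handle."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    parsed, unsupported = [], []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator":
            continue  # identities, relationships, etc. carry no IOC
        m = _SIMPLE.match(obj.get("pattern", ""))
        if obj.get("pattern_type", "stix") != "stix" or not m:
            unsupported.append(obj["id"])
            continue
        obj_type, prop, value = m.groups()
        parsed.append({
            "id": obj["id"], "object_type": obj_type, "property": prop, "value": value,
            "valid_from": _ts(obj["valid_from"]),
            # valid_until is optional in STIX; absent means the indicator stays valid.
            "valid_until": _ts(obj["valid_until"]) if "valid_until" in obj else None,
        })
    return parsed, unsupported


def active_indicators(indicators, now):
    """Keep only indicators whose validity window covers `now` (aware datetime)."""
    return [i for i in indicators
            if i["valid_from"] <= now and (i["valid_until"] is None or now < i["valid_until"])]


def match_observations(indicators, observations):
    """observations: iterable of (object_type, value) pairs taken from local
    telemetry. Returns [(observed value, indicator id)] for every hit."""
    index = {(i["object_type"], i["value"].lower()): i["id"] for i in indicators}
    hits = []
    for obj_type, value in observations:
        ind_id = index.get((obj_type, value.lower()))
        if ind_id:
            hits.append((value, ind_id))
    return hits


if __name__ == "__main__":
    parsed, skipped = extract_indicators(SAMPLE_BUNDLE)
    live = active_indicators(parsed, datetime(2019, 1, 15, tzinfo=timezone.utc))
    # Constructed local observations: two firewall-log peers and one EDR file hash.
    observed = [("ipv4-addr", "198.51.100.7"), ("ipv4-addr", "203.0.113.5"), ("file", "AB" * 32)]
    print("parsed:", len(parsed), "unsupported:", skipped)
    print("hits:", match_observations(live, observed))
```

Expiry handling is the part worth keeping: an indicator with no `valid_until` stays active indefinitely, while one past its window is dropped before matching, so stale IOCs from an old feed do not keep generating alerts.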

Page 22

Proactive Threat Hunt

What is it?
• An on‐site deployment of Subject Matter Experts to search for malicious activity through the examination of a network environment for exploitation tools, tactics, procedures, and associated artifacts
• An asset owner‐driven request
• Uses a risk review to scope the breadth of the Proactive Hunt
• If malicious activity is observed during a hunt, move to Incident Response

• Host Analysis:
  ‐ Running Processes and Services
  ‐ Installed Applications
  ‐ Run Keys and Scheduled Tasks
  ‐ Prefetch and ShimCache
• Network Analysis:
  ‐ DNS Traffic
  ‐ Remote Desktop Sessions
  ‐ Cross‐Boundary and Malformed SMB
  ‐ Telnet, SSH, and PowerShell terminals
• DMZ Analysis:
  ‐ SMB Traffic
  ‐ Web Shell Presence
  ‐ Co‐located Website Log File Review
  ‐ SQL Injection
• ICS Analysis:
  ‐ Analyze Netflow Patterns and Anomalies
  ‐ Map Network Communication Paths
  ‐ Inter‐Enclave Traffic Evaluation
  ‐ Protocol Analysis
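Several of the Network and ICS Analysis items above (cross-boundary SMB, interactive terminals from unexpected hosts, inter-enclave traffic evaluation, DNS anomalies) reduce to rules evaluated over flow and DNS telemetry. The following is an added example, not hunt tooling from the presentation or from NCCIC, that runs such rules over constructed flow records and DNS queries. The enclave ranges, the jump-host list, the port-to-protocol table and the DNS thresholds are assumptions for the example, and the sample records are constructed, not captured traffic.

```python
import ipaddress
import math
from collections import Counter

# Assumed enclaves for the example environment (RFC 1918 space).
ENCLAVES = {
    "corp": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ics": ipaddress.ip_network("10.3.0.0/24"),
}
# Assumed hosts from which interactive admin sessions are expected to originate.
JUMP_HOSTS = {ipaddress.ip_address("10.1.0.10")}
# Interactive terminal / remoting ports the hunt checklist calls out.
TERMINAL_PORTS = {22: "SSH", 23: "Telnet", 3389: "RDP",
                  5985: "WinRM/PowerShell", 5986: "WinRM/PowerShell"}

# Constructed flow records: (src, dst, dst_port, protocol). Not real traffic.
SAMPLE_FLOWS = [
    ("10.1.5.20", "10.1.7.30", 445, "tcp"),     # SMB inside corp: expected
    ("10.2.0.15", "10.3.0.40", 445, "tcp"),     # SMB from DMZ into ICS: cross-boundary
    ("198.51.100.9", "10.2.0.15", 445, "tcp"),  # SMB from the Internet into the DMZ
    ("10.1.0.10", "10.3.0.40", 22, "tcp"),      # SSH from the jump host: expected
    ("10.1.9.77", "10.3.0.41", 23, "tcp"),      # Telnet from a workstation into ICS
    ("10.1.9.77", "10.1.9.78", 5985, "tcp"),    # PowerShell remoting workstation-to-workstation
]

# Constructed DNS query names; the third has the long, high-entropy first label
# typical of algorithmically generated or tunnelling domains.
SAMPLE_DNS = [
    "www.example.com",
    "updates.example.net",
    "x7k2p9qv3m1z8r4t6y0n5b2w.c2.example",
    "api.example.org",
]


def enclave_of(ip):
    """Name of the enclave containing `ip`, or 'external' if none does."""
    addr = ipaddress.ip_address(ip)
    for name, net in ENCLAVES.items():
        if addr in net:
            return name
    return "external"


def review_flows(flows):
    """Apply the cross-boundary SMB and unexpected-terminal rules to flow records.
    Returns a list of (rule name, 'src(enclave) -> dst(enclave)') findings."""
    findings = []
    for src, dst, port, _proto in flows:
        s, d = enclave_of(src), enclave_of(dst)
        where = f"{src}({s}) -> {dst}({d})"
        # SMB that crosses an enclave boundary (or comes from outside) is a hunt lead.
        if port == 445 and s != d:
            findings.append(("cross-boundary SMB", where))
        # Interactive sessions are expected only from designated jump hosts.
        if port in TERMINAL_PORTS and ipaddress.ip_address(src) not in JUMP_HOSTS:
            findings.append((f"{TERMINAL_PORTS[port]} from non-jump host", where))
    return findings


def label_entropy(label):
    """Shannon entropy (bits per character) of a DNS label."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def review_dns(queries, max_label=24, min_entropy=3.5):
    """Flag query names whose first label is unusually long or high-entropy.
    Thresholds are assumptions; tune them against the environment's baseline."""
    findings = []
    for q in queries:
        first = q.split(".")[0]
        if len(first) >= max_label or (len(first) >= 12 and label_entropy(first) >= min_entropy):
            findings.append(("suspicious DNS label", q))
    return findings


if __name__ == "__main__":
    for rule, detail in review_flows(SAMPLE_FLOWS) + review_dns(SAMPLE_DNS):
        print(f"{rule}: {detail}")
```

The point of the enclave map is the "Inter‐Enclave Traffic Evaluation" item: the same SMB flow is benign inside one enclave and a lead when it crosses into the ICS range, so the rule keys on the enclave pair rather than on the port alone.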

Page 23

Incident Reporting/Response/Hunting

NCCIC’s Hunt and Incident Response Team (HIRT)

Provides expert intrusion analysis and mitigation guidance to clients who lack the ability to respond to a cyber incident in‐house or require additional assistance.

Supports federal departments and agencies, state and local governments, the private sector (such as industry and critical infrastructure asset owners and operators), academia, and international organizations.

Services:
• Incident Triage
• Network Topology Review
• Infrastructure Configuration Review
• Log Analysis
• Incident Specific Risk Overview
• Hunt Analysis
• Security Program Review
• Malware Analysis
• Mitigation Analysis
• Digital Media Analysis
• Control Systems Incident Analysis

FOUO / UNCLASS

Page 24

Incident Reporting

NCCIC provides real-time threat analysis and incident reporting capabilities.
• 24x7 contact number: 1-888-282-0870, or https://forms.us-cert.gov/report/

When to Report: If there is a suspected or confirmed cyber attack or incident that:
• Affects core government or critical infrastructure functions;
• Results in the loss of data, system availability, or control of systems;
• Indicates malicious software is present on critical systems.

Malware Submission Process:
• Please send all submissions to the Advanced Malware Analysis Center (AMAC) at: [email protected]
• Must be provided in password-protected zip files using password “infected”
• Web submission: https://malware.us-cert.gov

Page 25

Federal Incident Response

Types of Federal Incident Response

• Threat response includes attributing, pursuing, and disrupting malicious cyber actors and malicious cyber activity. It includes conducting criminal investigations and other actions to counter the malicious cyber activity.

• Asset response includes protecting assets and mitigating vulnerabilities in the face of malicious cyber activity. It includes reducing the impact to systems and/or data; strengthening, recovering and restoring services; identifying other entities at risk; and assessing potential risk to the broader community.

Page 26

Federal Incident Response—continued

Threat response: FBI
(855) 292-3937 or [email protected]
Internet Crime Complaint Center (IC3): https://www.ic3.gov/default.aspx
USSS and ECTFs: secretservice.gov/contact/field-offices

Asset response: DHS NCCIC
(888) 282-0870 or [email protected]

Report suspected or confirmed cyber incidents, including when the affected entity may be interested in government assistance in removing the adversary, restoring operations, and recommending ways to further improve security.

Page 27

National Cybersecurity Awareness Month


Find out how you can be a cyber advocate. Visit dhs.gov/ncsam.

Page 28

Toolkit Materials for Different Audiences

• Students K-8, 9-12, and Undergraduate
• Parents and Educators
• Young Professionals
• Older Americans
• Government
• Industry
• Small Business
• Law Enforcement

Page 29

Don’t be a Stranger


STOP. THINK. CONNECT.™ https://www.dhs.gov/stopthinkconnect

BeCyberSmart https://www.dhs.gov/be-cyber-smart

NICCS Portal https://niccs.us-cert.gov

FedVTE https://fedvte.usalearning.gov/

Page 30

Contact Information

Department of Homeland Security
National Protection and Programs Directorate
Office of Cybersecurity and Communications

General [email protected]

Page 31

Questions?