
Incident Response

CSCE 727 - Farkas 2

Reading list

Required:
• Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework, 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993

Interesting:
• Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf
• Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt
• NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

CSCE 727 - Farkas 3

Due Care and Liability

• Organizational liability for misuse
– US Federal Sentencing Guidelines: chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company’s resources.
– Fines and penalties: base fine, culpability score (95%-400%)
– Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

CSCE 727 - Farkas 4

How to Respond?

CSCE 727 - Farkas 5

How to Respond?

CSCE 727 - Farkas 6

How to Respond?

CSCE 727 - Farkas 7

How to Respond?

• Actions to avoid further loss from intrusion
• Terminate intrusion and protect against reoccurrence
• Law enforcement – prosecute
• Enhance defensive security
• Reconstructive methods based on:
– Time period of intrusion
– Changes made by legitimate users during the affected period
– Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal roll-back for recovery

CSCE 727 - Farkas 8

Roles and Responsibilities

• User:
– Vigilant for unusual behavior
– Report incidents

• Manager:
– Awareness training
– Policies and procedures

• System administration:
– Install safeguards
– Monitor system
– Respond to incidents, including preservation of evidence

CSCE 727 - Farkas 9

Computer Incident Response Team

• Assist in handling security incidents
– Formal
– Informal
• Incident reporting and dissemination of incident information
• Computer Security Officer
– Coordinate computer security efforts
• Others: law enforcement coordinator, investigative support, media relations, etc.

CSCE 727 - Farkas 10

Incident Response Process 1.

• Preparation
– Baseline protection
– Planning and guidance
– Roles and responsibilities
– Training
– Incident response team

CSCE 727 - Farkas 11

Incident Response Process 2.

• Identification and assessment
– Symptoms
– Nature of incident
– Identify perpetrator, origin and extent of attack (can be done during the attack or after it)
– Gather evidence: keystroke monitoring, honeynets, system logs, network traffic, etc. Note the legislation on monitoring!
– Report on preliminary findings

CSCE 727 - Farkas 12

Incident Response Process 3.

• Containment
– Reduce the chance of spread of the incident
– Determine sensitive data
– Terminate suspicious connections, personnel, applications, etc.
– Move critical computing services
– Handle human aspects, e.g., perception management, panic, etc.

CSCE 727 - Farkas 13

Incident Response Process 4.

• Eradication
– Determine and remove the cause of the incident if economically feasible
– Improve defenses: software, hardware, middleware, physical security, etc.
– Increase awareness and training
– Perform vulnerability analysis

CSCE 727 - Farkas 14

Incident Response Process 5.

• Recovery
– Determine course of action
– Reestablish system functionality
– Reporting and notifications
– Documentation of incident handling and evidence preservation

CSCE 727 - Farkas 15

Follow Up Procedures

• Incident evaluation:
– Quality of incident handling (preparation, time to respond, tools used, evaluation of response, etc.)
– Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.)
• Preparing report
• Revise policies and procedures

CSCE 727 - Farkas 16

What is “Survivability”?

To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

CSCE 727 - Farkas 17

Vulnerable Components

1. Hardware
2. Software
3. Data
4. Communications
5. People

CSCE 727 - Farkas 18

Effect Modeling and Vulnerability Detection

Cascading effects (figure): seriously affected components, weakly affected components, not affected components

CSCE 727 - Farkas 19

Legal Aspects

• National law
• International law
• Legal regime to apply
• Gray areas of law
• Legal response
• Evidence preservation

THEMIS: Threat Evaluation Metamodel for Information Systems

Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004

Csilla Farkas, Thomas Wingfield, James B. Michael, Duminda Wijesekera

Themis, Goddess of Justice

CSCE 727 - Farkas 21

Attacks Against Critical Infrastructures

• Swedish hacker jammed 911 in central Florida in 1997
• Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997
• Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine Coast in 2000
• Hackers broke into Gazprom’s system controlling gas flows in pipelines in 1999
• Hackers got into California Independent Service Operator (ISO) development network for regional power grid in spring 2001
• Numerous denial-of-service attacks against ISPs – some shut down

Source: D. Denning, Information Warfare

CSCE 727 - Farkas 22

Rules Defining the Use of Force: Schmitt Analysis

Sources:
• Thomas Wingfield: The Law of Information Conflict: National Security Law in Cyberspace
• Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework

CSCE 727 - Farkas 23

CSCE 727 - Farkas 24

Spectrum of Conflict

CSCE 727 - Farkas 25

Spectrum of Conflict

CSCE 727 - Farkas 26

Spectrum of Conflict

Art. 39

The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.

CSCE 727 - Farkas 27

Spectrum of Conflict

All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.

Art. 2(4)

CSCE 727 - Farkas 28

Spectrum of Conflict

Art. 51

Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

CSCE 727 - Farkas 29

Rules Defining the Use of Force (figure): a spectrum running from threat of force and use of force (Art. 2(4)) through armed attack (Art. 51) to threat to the peace (Art. 39). The peacetime regime applies at the low end, then jus ad bellum applies, then jus in bello applies. Response: anticipatory self-defense against hostile intent; self-defense against a hostile act.

CSCE 727 - Farkas 30

Use of Force in Cyberspace

• Cyber vs. Kinetic Attack
• Academic State-of-the-Art: Effects-Based Analysis
• Problem: Charter Paradigm Means-Based
• The Schmitt Reconciliation
– Distinguishing Military from Diplomatic and Economic Coercion
– Seven Factors

CSCE 727 - Farkas 31

Schmitt Factors

• Severity
• Immediacy
• Directness
• Invasiveness
• Measurability
• Presumptive Legitimacy
• Responsibility

CSCE 727 - Farkas 32

Severity

Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need.

• How many people were killed?
• How large an area was attacked? (Scope)
• How much damage was done within this area? (Intensity)

– People Killed; Severe Property Damage
– People Injured; Moderate Property Damage
– People Unaffected; No Discernible Property Damage

CSCE 727 - Farkas 33

Immediacy

The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.

• Over how long a period did the action take place? (Duration)
• How soon were its effects felt?
• How soon until its effects abate?

– Seconds to Minutes
– Hours to Days
– Weeks to Months

CSCE 727 - Farkas 34

Directness

The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.

• Was the action distinctly identifiable from parallel or competing actions?
• Was the action the proximate cause of the effects?

– Action Sole Cause of Result
– Action Identifiable as One Cause of Result, and to an Indefinite Degree
– Action Played No Identifiable Role in Result

CSCE 727 - Farkas 35

Invasiveness

In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.

• Did the action involve physically crossing the target country’s borders?
• Was the locus of the action within the target country?

– Border Physically Crossed; Action Has Point Locus
– Border Electronically Crossed; Action Occurs Over Diffuse Area
– Border Not Crossed; Action Has No Identifiable Locus in Target Country

CSCE 727 - Farkas 36

Measurability

While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.

• Can the effects of the action be quantified?
• Are the effects of the action distinct from the results of parallel or competing actions?
• What was the level of certainty?

– Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty
– Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty
– Effects Cannot Be Separated from Those of Other Actions; Overall Certainty Is Low

CSCE 727 - Farkas 37

Presumptive Legitimacy

In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.

• Has this type of action achieved a customary acceptance within the international community?
• Is the means qualitatively similar to others presumed legitimate under international law?

– Action Accomplished by Means of Kinetic Attack
– Action Accomplished in Cyberspace but Manifested by a “Smoking Hole” in Physical Space
– Action Accomplished in Cyberspace and Effects Not Apparent in Physical World

CSCE 727 - Farkas 38

Responsibility

Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).

• Is the action directly or indirectly attributable to the acting state?
• But for the acting state’s sake, would the action have occurred?

– Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large
– Target State Government Aware of Acting State’s Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate
– Action Unattributable to Acting State; Degree of Involvement Low

CSCE 727 - Farkas 39

Overall Analysis

• Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force?

– Use of Force Under Article 2(4)
– Arguably Use of Force or Not
– Not a Use of Force Under Article 2(4)

CSCE 727 - Farkas 40

THEMIS

Threat Evaluation Metamodel for Information Systems

CSCE 727 - Farkas 41

THEMIS

• Attack Response Policy (ARP) language
– ARP alphabet and predicates to represent attacks, consequences, and legal concepts
• Interoperable legal ontologies
• Attack evaluation and response rules
• SWRL – A Semantic Web Rule Language combining OWL and RuleML

CSCE 727 - Farkas 42

Security Policy Specification (figure): components are default policy, conflict resolution, interoperable ontologies, and ARP specification.

CSCE 727 - Farkas 43

THEMIS Functionality (figure): offense – attacker, attack, characteristics, cascading effects; defense – computer system, affected assets, policy, response.

CSCE 727 - Farkas 44

Attack Response Policy (ARP)

• ARP alphabet: constant symbols, variables, functions, and terms
• ARP predicates: used to build rules
• ARP rules: reason about the damages, express legal restrictions, and determine legitimacy of counter actions

CSCE 727 - Farkas 45

Example

Predicates:
– attack(a-id, a-name, orig, targ)
– consequence(a-id, c-type, targ)
– causes(c-type1, targ1, c-type2, targ2)

Rule:
– attack(a-id, a-name, orig, targ1) ←
    attack(a-id, a-name, orig, targ) ∧
    consequence(a-id, c-type, targ) ∧
    causes(c-type, targ, c-type1, targ1)
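The rule above, run as a small forward-chaining evaluator so the cascading effects it derives can be seen on concrete facts. This is an added Python example, not code from THEMIS or the slides; the facts (a1, scada-host, pipeline, etc.) are constructed, and the recording of a consequence for each derived attack is an assumption beyond the rule as written.

```python
# Added example, not code from THEMIS: forward-chaining evaluator for the slide's
# ARP rule over constructed facts. Tuples encode attack(a-id, a-name, orig, targ),
# consequence(a-id, c-type, targ) and causes(c-type1, targ1, c-type2, targ2).

# Constructed (hypothetical) facts: loss of control of a SCADA host cascades
# through a pipeline to a city grid and on to a hospital.
ATTACKS = {("a1", "dos", "ext-net", "scada-host")}
CONSEQUENCES = {("a1", "loss-of-control", "scada-host")}
CAUSES = {
    ("loss-of-control", "scada-host", "pressure-fault", "pipeline"),
    ("pressure-fault", "pipeline", "supply-outage", "city-grid"),
    ("supply-outage", "city-grid", "service-disruption", "hospital"),
    ("data-theft", "scada-host", "privacy-breach", "records-db"),  # never fires
}


def apply_arp_rule(attacks, consequences, causes):
    """Chain the slide's rule to a fixpoint:

        attack(a-id, a-name, orig, targ1) <- attack(a-id, a-name, orig, targ),
            consequence(a-id, c-type, targ), causes(c-type, targ, c-type1, targ1)

    Assumption not stated on the slide: a derived attack on targ1 also records
    consequence(a-id, c-type1, targ1), which is what lets the cascade continue.
    """
    attacks, consequences = set(attacks), set(consequences)
    changed = True
    while changed:
        changed = False
        for aid, aname, orig, targ in list(attacks):
            for cid, ctype, ctarg in list(consequences):
                if (cid, ctarg) != (aid, targ):
                    continue  # consequence must belong to this attack and target
                for c0, t0, c1, t1 in causes:
                    if (c0, t0) != (ctype, targ):
                        continue
                    new_attack, new_cons = (aid, aname, orig, t1), (aid, c1, t1)
                    if new_attack not in attacks or new_cons not in consequences:
                        attacks.add(new_attack)
                        consequences.add(new_cons)
                        changed = True
    return attacks, consequences


def cascade(attack_id, consequences):
    """Affected (target, consequence type) pairs for one attack id, sorted."""
    return sorted((targ, ctype) for aid, ctype, targ in consequences if aid == attack_id)
```

Each derived attack fact names a downstream asset that the seriously/weakly affected classification from the effect-modeling slide can then be applied to.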

CSCE 727 - Farkas 46

Conclusions

• Automated decision support system
• Attack Response Policy Language
– Alphabet
– Predicates
– Rules
• Schmitt Analysis