
Copyright © 2012, Elsevier Inc.

All Rights Reserved

Chapter 11

Response

Cyber Attacks Protecting National Infrastructure, 1st ed.

Introduction

• The incident response process is the most familiar component of any cyber security program

• A cyber security program will contain at least the following:

– Incident trigger

– Expert gathering

– Incident analysis

– Response activities

Fig. 11.1 – General incident response process schema

Pre- Versus Post-Attack Response

• There are two fundamental types of triggers:

– Tangible, visible effects of an attack

– Early warning and indications information

• Thus, there are two approaches to incident response processes:

– Front-loaded prevention

– Back-loaded recovery

• The two approaches should be combined for a comprehensive response picture

• Protecting national assets is worth suffering a high number of false positives

Fig. 11.2 – Comparison of front-loaded and back-loaded response processes

Indications and Warning

• Front-loaded prevention is critical to national infrastructure protection

• Taxonomy of early warning process triggers:

– Vulnerability information

– Changes in profiled behavioral metrics

– Match on attack metric pattern

– Component anomalies

– External attack information

• Front-loaded prevention has a high sensitivity to triggers
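The trade-off behind the pre- versus post-attack slides and the trigger taxonomy above can be made concrete with a small scoring model. The following Python is an added example, not code from the book: it assigns an assumed weight to each trigger class, scores constructed sample events, and compares a front-loaded process (low response threshold, reacts to early warning) with a back-loaded one (fires only on visible attack effects). The weights, thresholds and events are illustrative assumptions.

```python
"""Trigger sensitivity versus false positives (added example, not from the book).

A front-loaded prevention process reacts to weak early-warning indications
(low threshold); a back-loaded recovery process waits for tangible effects
(high threshold). Weights and sample events below are constructed.
"""
from dataclasses import dataclass

# Trigger classes from the chapter's taxonomy plus the tangible-effect trigger.
# The weights are assumed values chosen for illustration only.
TRIGGER_WEIGHT = {
    "vulnerability_info": 0.2,
    "behavioral_metric_change": 0.3,
    "attack_pattern_match": 0.5,
    "component_anomaly": 0.3,
    "external_attack_info": 0.4,
    "visible_attack_effect": 1.0,   # tangible effect: the back-loaded trigger
}


@dataclass(frozen=True)
class Event:
    indicators: tuple        # trigger classes observed together
    is_real_attack: bool     # ground truth, known only in hindsight


def trigger_score(event: Event) -> float:
    """Sum of the weights of the indicator classes present, capped at 1.0."""
    return min(1.0, sum(TRIGGER_WEIGHT[i] for i in event.indicators))


def evaluate(events, threshold):
    """Return (true_positives, false_positives, missed) for a response threshold."""
    tp = fp = missed = 0
    for ev in events:
        fired = trigger_score(ev) >= threshold
        if fired and ev.is_real_attack:
            tp += 1
        elif fired:
            fp += 1
        elif ev.is_real_attack:
            missed += 1
    return tp, fp, missed


# Constructed sample: benign noise mixed with real incidents.
SAMPLE_EVENTS = [
    Event(("vulnerability_info",), False),
    Event(("behavioral_metric_change",), False),
    Event(("component_anomaly",), False),
    Event(("external_attack_info", "vulnerability_info"), False),
    Event(("behavioral_metric_change", "component_anomaly"), True),
    Event(("attack_pattern_match", "external_attack_info"), True),
    Event(("attack_pattern_match",), False),
    Event(("visible_attack_effect",), True),
]

FRONT_LOADED_THRESHOLD = 0.5   # react to early indications (assumed value)
BACK_LOADED_THRESHOLD = 1.0    # react only to visible effects (assumed value)

if __name__ == "__main__":
    for name, thr in (("front-loaded", FRONT_LOADED_THRESHOLD),
                      ("back-loaded", BACK_LOADED_THRESHOLD)):
        tp, fp, missed = evaluate(SAMPLE_EVENTS, thr)
        print(f"{name:12s} threshold={thr}: caught={tp} false_positives={fp} missed={missed}")
```

On the constructed sample the front-loaded threshold catches every real incident at the cost of two false positives, while the back-loaded threshold raises no false alarm but misses two incidents until their effects become visible; that is the trade-off the slides resolve in favour of accepting more false positives for national assets.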

Fig. 11.3 – Comparison of trigger intensity threshold for response

Incident Response Teams

• An optimal incident response team includes two components:

– A core set of individuals

– A set of subject matter experts

• In complex settings with multiple incidents, it is important for the team not to work at cross-purposes

Fig. 11.4 – Management of simultaneous response cases

Incident Response Teams

• Response teams in a national setting must plan for multiple concurrent attacks aimed at a company or agency

• Considerations for proper planning include:

– Avoidance of a single point of contact individual

– Case management automation

– Organizational support for expert involvement

– 24/7 operational support
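Two of the planning considerations above, avoiding a single point of contact and keeping concurrent cases from working at cross-purposes, can be enforced by a case registry. The following Python is an added example and not the book's own material: each case must name at least two responsible contacts, cases that share an indicator are linked so the teams handling them know they may be looking at one attack, and a shift check reports cases with nobody on duty. Case ids, people, indicators and the address 203.0.113.5 are constructed sample values.

```python
"""Concurrent case registry (added example, not from the book).

Enforces two planning points from the slides: no single point of contact per
case, and linking of cases that share indicators so that separate teams do
not work the same attack at cross-purposes. All sample data is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Case:
    case_id: str
    contacts: list                         # core team members responsible
    experts: list                          # subject matter experts pulled in
    indicators: set                        # hosts, addresses, hashes seen in the case
    linked: set = field(default_factory=set)   # ids of cases sharing an indicator


class CaseRegistry:
    def __init__(self):
        self.cases = {}
        self._by_indicator = defaultdict(set)

    def open_case(self, case_id, contacts, experts, indicators):
        """Register a case; refuse one that would create a single point of contact."""
        if len(set(contacts)) < 2:
            raise ValueError(f"{case_id}: needs at least two contacts, got {contacts}")
        case = Case(case_id, list(contacts), list(experts), set(indicators))
        # Link to every existing case that already carries one of these indicators.
        for ind in case.indicators:
            for other_id in self._by_indicator[ind]:
                case.linked.add(other_id)
                self.cases[other_id].linked.add(case_id)
            self._by_indicator[ind].add(case_id)
        self.cases[case_id] = case
        return case

    def overlapping_groups(self):
        """Connected components of linked cases; each group should be worked as one."""
        seen, groups = set(), []
        for cid in self.cases:
            if cid in seen:
                continue
            stack, group = [cid], set()
            while stack:
                current = stack.pop()
                if current in group:
                    continue
                group.add(current)
                stack.extend(self.cases[current].linked)
            seen |= group
            groups.append(frozenset(group))
        return groups

    def coverage_gaps(self, on_shift):
        """Case ids with no named contact currently on shift (24/7 support check)."""
        on_shift = set(on_shift)
        return [cid for cid, c in self.cases.items() if not set(c.contacts) & on_shift]


def build_sample_registry():
    """Constructed sample: three concurrent cases, two of which share an address."""
    reg = CaseRegistry()
    reg.open_case("CASE-1", ["alice", "bob"], ["dns-sme"], {"host-7", "203.0.113.5"})
    reg.open_case("CASE-2", ["carol", "dan"], [], {"host-12"})
    reg.open_case("CASE-3", ["erin", "bob"], ["mail-sme"], {"203.0.113.5", "mail-gw"})
    return reg


if __name__ == "__main__":
    reg = build_sample_registry()
    for group in reg.overlapping_groups():
        print("work together:", sorted(group))
    print("uncovered on this shift:", reg.coverage_gaps(["alice"]))
```

The registry keeps the linking decision mechanical: an analyst opening CASE-3 is told immediately that CASE-1 already involves the same address, which is the kind of automation the "case management automation" bullet calls for.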

Forensic Analysis

• Questions addressed in the forensic analysis process include:

– Root cause

– Exploits

– State

– Consequences

– Action

• Great care must be taken to protect and preserve evidence
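Protecting and preserving evidence, as the slide requires, means being able to show later that an item has not changed since it was collected and who has handled it in between. The following Python is an added example, not the book's procedure: it fingerprints each evidence item with SHA-256 at collection, records every hand-off in an append-only custody log, and re-verifies the fingerprint before analysis so that any alteration is detected. The log line, item id and actor names are constructed sample values.

```python
"""Evidence integrity and chain of custody (added example, not from the book).

Each item gets a SHA-256 fingerprint when collected; every collection,
transfer and verification is appended to a custody log; verification before
analysis detects any change to the working copy. Sample data is constructed.
"""
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(data: bytes) -> str:
    """SHA-256 hex digest of an evidence item."""
    return hashlib.sha256(data).hexdigest()


class EvidenceLocker:
    def __init__(self):
        self.items = {}      # item_id -> {"sha256": ..., "size": ...}
        self.custody = []    # append-only custody entries

    def _log(self, item_id, action, actor, note=""):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "item": item_id,
            "action": action,
            "actor": actor,
            "note": note,
        }
        self.custody.append(entry)
        return entry

    def collect(self, item_id, data: bytes, collector: str, source: str):
        """Record the fingerprint at the moment of collection."""
        if item_id in self.items:
            raise ValueError(f"duplicate evidence id {item_id}")
        self.items[item_id] = {"sha256": fingerprint(data), "size": len(data)}
        self._log(item_id, "collected", collector, f"from {source}")

    def transfer(self, item_id, from_actor: str, to_actor: str):
        """Record a hand-off between people."""
        self._log(item_id, "transferred", to_actor, f"from {from_actor}")

    def verify(self, item_id, data: bytes) -> bool:
        """Compare a working copy against the fingerprint taken at collection."""
        ok = fingerprint(data) == self.items[item_id]["sha256"]
        self._log(item_id, "verified" if ok else "INTEGRITY_FAILURE", "analyst")
        return ok

    def export_custody(self) -> str:
        """Serialised custody log for the case file."""
        return json.dumps(self.custody, indent=2)


# Constructed sample evidence: one captured authentication log line.
RAW_LOG = b"2012-01-01T00:00:01Z sshd[1]: Accepted password for ops from 198.51.100.9\n"


def run_demo():
    """Collect, hand off, verify an intact copy, then detect a modified copy."""
    locker = EvidenceLocker()
    locker.collect("EV-001", RAW_LOG, collector="first responder",
                   source="/var/log/auth.log (copy, constructed)")
    locker.transfer("EV-001", "first responder", "forensic analyst")
    intact = locker.verify("EV-001", RAW_LOG)
    tampered = locker.verify("EV-001", RAW_LOG.replace(b"ops", b"root"))
    return intact, tampered, len(locker.custody)


if __name__ == "__main__":
    print(run_demo())
```

In practice the fingerprint and custody log are stored apart from the evidence itself (and the original media is imaged and left untouched); the point shown here is that the hash taken at collection is the reference every later examination is checked against.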

Fig. 11.5 – Generic high-level forensic process schema

Forensic Analysis

• An internal expert is most likely the best choice to lead a company investigation

• Forensic analysts need the following:

– A culture of relative freedom

– Access to interesting technology

– The ability to interact externally

Law Enforcement Issues

• Should law enforcement be involved and called upon for support?

• Carefully review local, regional, and national laws regarding when law enforcement must be contacted

• Figure 11.6 outlines a decision process

Fig. 11.6 – Decision process for law enforcement involvement in forensics

Disaster Recovery

• Three components of a disaster recovery program:

– Preparation

– Planning

– Practice

Fig. 11.7 – Disaster recovery exercise configurations

National Response Program

• National programs can provide centralized coordination

– Intrasector coordination should be encouraged

• Currently, coordination is not the main focus of most national emergency response team programs

Fig. 11.8 – National response program coordination interfaces

PLEASE RESPOND TO THE POST BELOW USING THIS STATEMENT AS A GUIDELINE. Response posts (approximately 125-150 words each)

What does the concept of ‘critical consumers of information’ mean to this doctoral student and research practitioner, based on their opinion below?

(ex start: Hi Trina, I think your post….)

As a critical consumer, individuals consider research as a tool to determine many choices. Critical consumers generally plan accordingly, mostly on spending, based on research. There are many factors considered before making decisions, specifically education. Working in the for-profit industry, validity and outcomes should be most important when deciding on selecting educational institutions to attend. Through personal experiences in this industry, serving in many capacities, I have seen the advantages and disadvantages of choosing educational institutions without proper research. For example, the adult learner struggles to find employment opportunities after completing their program of choice, only to find out later that the educational institution is on reporting for not meeting benchmarks. If the adult learner had researched the important factors of attending a for-profit school, researching variables pertaining to the complete process, the decision to attend may have been different.

Being faced with daily issues of credibility for information consumed via the internet and social media, adult learners believe it to be true because it's on the internet (Gamble). As a doctoral student, the concept of critical consumers of information means utilizing the most valid research tools to identify pertinent information pertaining to the chosen subject matter. It also means finding an educational institution that represents solid indicators towards my success. The educational institution should focus on research-based principles promoting success and positive outcomes. David Collins, Professor of Business Administration at Harvard University, stated in his article “The Student as a Consumer” in The Evolllution, “as students begin to behave more like consumers, it’s critical for higher education institutions to respond to their demands in order to increase enrollments and retention.”

PLEASE RESPOND TO THE POST BELOW USING THIS STATEMENT AS A GUIDELINE. Response posts (approximately 125-150 words each)

What does the concept of ‘critical consumers of information’ mean to this doctoral student and research practitioner, based on their opinion below?

(ex start: Hi Holly, I think your post….)

Doctoral students and research practitioners have a responsibility to be critical consumers of information. If we do not consistently check the validity of our resources, we could be passing along or expanding upon false information. One example that comes to mind is the theory of learning styles. It has been previously thought that every person had one preferred method of learning; this was their learning style. Researchers know now that learning preferences are correct, but the act of recalling information and application of concepts repetitively is how one learns. Furthermore, diversifying the presentation methods is a more effective strategy than using a preferred learning style (Bartz, 2019). Despite this theory being debunked, you can still find this information being distributed. This is irresponsible and shows some do not complete their due diligence when researching. They have failed to recognize bias in their research. As mentioned in the weekly PPT, one way a researcher can avoid this is to find conflicting opinions about the topic they are gathering resources for. If this practice is followed, the learning styles theory would not be as widespread as it is, or it would be used properly.
