1
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 11
Response
Cyber Attacks Protecting National Infrastructure, 1st ed.
2
• Incident response process is the most familiar component of any cyber security program
• A cyber security program will contain at least the following – Incident trigger
– Expert gathering
– Incident analysis
– Response activities
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Introduction
3
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.1 – General incident response process schema
4
• There are two fundamental types of triggers – Tangible, visible effects of an attack
– Early warning and indications information
• Thus, two approaches to incident response processes – Front-loaded prevention
– Back-loaded recovery
• The two approaches should be combined for comprehensive response picture
• Protecting national assets is worth suffering a high number of false positives
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Pre- Versus Post-Attack Response
5
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.2 – Comparison of front-loaded and back-loaded response processes
6
• Front-loaded prevention critical to national infrastructure protection
• Taxonomy of early warning process triggers – Vulnerability information
– Changes in profiled behavioral metrics
– Match on attack metric pattern
– Component anomalies
– External attack information
• Front-loaded prevention have a high sensitivity to triggers
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Indications and Warning
7
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.3 – Comparison of trigger intensity threshold for response
8
• Optimal incident response team includes two components – A core set of individuals
– A set of subject matter experts
• In complex settings, with multiple incidents, important for team to not work at cross-purposes
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Incident Response Teams
9
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.4 – Management of simultaneous response cases
10
• Response teams in a national setting must plan for multiple concurrent attacks aimed at a company or agency
• Considerations for proper planning include – Avoidance of a single point of contact individual
– Case management automation
– Organizational support for expert involvement
– 24/7 operational support
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Incident Response Teams
11
• Questions addressed in the forensic analysis process include – Root cause
– Exploits
– State
– Consequences
– Action
• Great care must be taken to protect and preserve evidence
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Forensic Analysis
12
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.5 – Generic high-level forensic process schema
13
• Internal expert most likely the best to lead a company investigation
• Forensic analysts need the following – Culture of relative freedom
– Access to interesting technology
– Ability to interact externally
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Forensic Analysis
14
• Should law enforcement be involved and called upon for support?
• Carefully review local, regional, and national laws regarding when law enforcement must be contacted
• Figure 11.6 outlines a decision process
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Law Enforcement Issues
15
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.6 – Decision process for law enforcement involvement in forensics
16
• Three Components of a Disaster Recovery Program – Preparation
– Planning
– Practice
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Disaster Recovery
17
Fig. 11.7 – Disaster recovery exercise configurations
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
18
• National programs can provide centralized coordination – Intrasector coordination should be encouraged
• Currently, coordination is not the main focus of most national emergency response team programs
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
National Response Program
19
Copyright © 2012, Elsevier Inc.
All rights Reserved
C h a p te
r 1 1 –
R e s p o n s e
Fig. 11.8 – National response program coordination interfaces
PLEASE RESPOND TO THE POST BELOW USING THIS STATEMENT AS GUIDELINE. response posts (approximately 125-150 words each)
What does the concept of ‘critical consumers of information’ mean to this doctoral student and research practitioner based on their opinion below.
(ex start: Hi Holly, I think your post….)
Doctoral students and research practitioners have a responsibility to be critical consumers of information. If we do not consistently check the validity of our resources, we could be passing along or expanding upon false information. One example that comes to mind is the theory of learning styles. It has been previously thought that every person had one preferred method of learning; This was their learning style. Researchers know now that learning preferences are correct but the act of recalling information and application of concepts repetitively is how one learns. Furthermore, diversifying the presentation methods is a more effective strategy than using a preferred learning style (Bartz, 2019). Despite this theory being debunked, you can still find this information being distributed. This is irresponsible and shows some do not complete their due diligence when researching. They have failed to recognize bias in their research. As mentioned in the weekly PPT, one way a researcher can avoid this is to find conflicting opinions about the topic they are gathering resources for. If this practice is followed, the learning styles theory would not be as wide-spread as it is or it would be used properly.

Get help from top-rated tutors in any subject.
Efficiently complete your homework and academic assignments by getting help from the experts at homeworkarchive.com