Incident Response

Transcript and Presenter's Notes


1
Incident Response
2
Incident Response
  • Federal Communications Commission, Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf
  • Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt
  • NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

3
Due Care and Liability
  • Organizational liability for misuse
  • US Federal Sentencing Guidelines: the chief executive officer and top management are responsible for fraud, theft, and antitrust violations committed by insiders or outsiders using the company's resources.
  • Fines and penalties
    • Base fine
    • Culpability score (fine multiplier from 0.05 to 4.00)
  • Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

4
How to Respond?
5
How to Respond?
6
How to Respond?
7
How to Respond?
  • Actions to avoid further loss from the intrusion
    • Terminate the intrusion and protect against recurrence
    • Law enforcement: prosecute
    • Enhance defensive security
  • Reconstructive methods, based on:
    • Time period of the intrusion
    • Changes made by legitimate users during the affected period
    • Regular backups, audit-trail-based detection of affected components, semantic-based recovery, minimal roll-back for recovery

8
Roles and Responsibilities
  • User
    • Vigilant for unusual behavior
    • Report incidents
  • Manager
    • Awareness training
    • Policies and procedures
  • System administration
    • Install safeguards
    • Monitor systems
    • Respond to incidents, including preservation of evidence

9
Computer Incident Response Team
  • Assists in handling security incidents
    • Formal
    • Informal
  • Incident reporting and dissemination of incident information
  • Computer Security Officer
    • Coordinates computer security efforts
  • Others: law enforcement coordinator, investigative support, media relations, etc.

10
Incident Response Process 1.
  • Preparation
    • Baseline protection
    • Planning and guidance
    • Roles and responsibilities, training
    • Incident response team

11
Incident Response Process 2.
  • Identification and assessment
    • Symptoms
    • Nature of the incident
    • Identify perpetrator, origin and extent of the attack
    • Can be done during the attack or after it
    • Gather evidence: keystroke monitoring, honeynets, system logs, network traffic, etc.
    • Mind the legislation on monitoring!
    • Report on preliminary findings

12
Incident Response Process 3.
  • Containment
    • Reduce the chance of the incident spreading
    • Determine sensitive data
    • Terminate suspicious connections, personnel, applications, etc.
    • Move critical computing services
    • Handle human aspects, e.g., perception management, panic, etc.

13
Incident Response Process 4.
  • Eradication
    • Determine and remove the cause of the incident if economically feasible
    • Improve defenses: software, hardware, middleware, physical security, etc.
    • Increase awareness and training
    • Perform vulnerability analysis

14
Incident Response Process 5.
  • Recovery
    • Determine course of action
    • Reestablish system functionality
    • Reporting and notifications
    • Documentation of incident handling and evidence preservation

15
Follow-Up Procedures
  • Incident evaluation
    • Quality of the response (preparation, time to respond, tools used, evaluation of the response, etc.)
    • Cost of the incident (monetary cost, disruption, lost data, hardware damage, etc.)
  • Preparing the report
  • Revising policies and procedures

16
What is Survivability?
  • To decide whether a computer system is
    survivable, you must first decide what
    survivable means.

17
Vulnerable Components
  1. Hardware
  2. Software
  3. Data
  4. Communications
  5. People
18
Effect Modeling and Vulnerability Detection
(Diagram; legend:)
  • Seriously affected components
  • Weakly affected components
  • Cascading effects
  • Not affected components
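The audit-trail-based detection of affected components and minimal roll-back that slide 7 lists, and the classification of components as seriously affected, weakly affected through cascading effects, or not affected on slide 18, can be mechanised as read-from dependency tracking over the audit trail. The following Python is an added example written for this transcript; it is not code from the presentation or from THEMIS. The audit trail, transaction names and data items are constructed, and the assumption that each transaction is evaluated atomically (all its reads against the state left by earlier transactions) is a simplification.

```python
"""Audit-trail based damage assessment and minimal roll-back (added example).

Model: the audit trail is a commit-ordered list of read/write operations by
transactions (sessions).  A transaction is "affected" if it is the intruder's
or if it read a data item whose current version was written by an affected
transaction (a read-from dependency).  Only affected writes need undoing and
only affected legitimate transactions need re-executing: the minimal roll-back
of slide 7, instead of restoring everything from the last backup.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Op:
    txn: str   # transaction / session id recorded in the audit trail
    kind: str  # "R" for read, "W" for write
    item: str  # data item: file, table row, config key, ...


# Constructed audit trail (not from any real system), in commit order.
# T2 is the intruder's session; every other transaction is legitimate work.
AUDIT_TRAIL: List[Op] = [
    Op("T1", "R", "payroll"),   Op("T1", "W", "payroll"),    # clean, before intrusion
    Op("T2", "W", "passwd"),    Op("T2", "W", "payroll"),    # intruder tampers two items
    Op("T3", "R", "passwd"),    Op("T3", "W", "sudoers"),    # admin acts on tampered passwd
    Op("T4", "R", "inventory"), Op("T4", "W", "orders"),     # unrelated legitimate work
    Op("T5", "R", "sudoers"),   Op("T5", "W", "audit_cfg"),  # second-hop cascade via T3
    Op("T6", "R", "orders"),    Op("T6", "W", "shipping"),   # depends only on clean data
]


def assess_damage(trail: List[Op], intruder_txns: Set[str]
                  ) -> Tuple[List[str], Set[str], Set[str], Set[str]]:
    """Return (affected txns in commit order, seriously, weakly, not affected items).

    Assumed simplification: each transaction is treated atomically, with all of
    its reads evaluated against the state left by earlier transactions.
    """
    order: List[str] = []
    reads: Dict[str, Set[str]] = {}
    writes: Dict[str, Set[str]] = {}
    for op in trail:
        if op.txn not in reads:
            order.append(op.txn)
            reads[op.txn], writes[op.txn] = set(), set()
        (reads if op.kind == "R" else writes)[op.txn].add(op.item)

    last_writer: Dict[str, str] = {}   # item -> txn that wrote its current version
    affected: List[str] = []
    for txn in order:
        tainted = txn in intruder_txns or any(
            last_writer.get(item) in affected for item in reads[txn])
        if tainted:
            affected.append(txn)
        for item in writes[txn]:
            last_writer[item] = txn

    items = {op.item for op in trail}
    serious = {i for i, w in last_writer.items() if w in intruder_txns}
    weak = {i for i, w in last_writer.items()
            if w in affected and w not in intruder_txns}
    return affected, serious, weak, items - serious - weak


def recovery_plan(affected: List[str], intruder_txns: Set[str]
                  ) -> Tuple[List[str], List[str]]:
    """Undo affected writes newest-first, then redo the legitimate affected
    transactions oldest-first against the cleaned state."""
    undo = list(reversed(affected))
    redo = [t for t in affected if t not in intruder_txns]
    return undo, redo


if __name__ == "__main__":
    aff, serious, weak, clean = assess_damage(AUDIT_TRAIL, {"T2"})
    print("affected transactions:", aff)
    print("seriously affected items:", sorted(serious))
    print("weakly affected items (cascading):", sorted(weak))
    print("not affected items:", sorted(clean))
    print("undo / redo:", recovery_plan(aff, {"T2"}))
```

On the constructed trail, T4 and T6 are left alone even though they ran during the intrusion window, because nothing they read was written by an affected transaction; a time-window roll-back would have discarded their work. The real-world caveat is that the audit trail itself must be trustworthy: if the intruder could alter it, the dependency graph is incomplete and the roll-back is no longer minimal but wrong.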
19
Legal Aspects
  • National law
  • International law
  • Legal regime to apply
  • Gray areas of law
  • Legal response
  • Evidence preservation

20

THEMIS: Threat Evaluation Metamodel for Information Systems
Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004
Csilla Farkas, Thomas Wingfield, James B. Michael, Duminda Wijesekera
(Themis, Goddess of Justice)
21
Attacks Against Critical Infrastructures
  • Swedish hacker jammed 911 in central Florida in 1997
  • Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997
  • Brisbane hacker used radio transmissions to create raw sewage overflows on the Sunshine Coast in 2000
  • Hackers broke into Gazprom's system controlling gas flows in pipelines in 1999
  • Hackers got into the California Independent System Operator (ISO) development network for the regional power grid in spring 2001
  • Numerous denial-of-service attacks against ISPs; some were shut down

Source: D. Denning, Information Warfare
22
Rules Defining the Use of Force: Schmitt Analysis
Sources:
  • Thomas Wingfield, The Law of Information Conflict: National Security Law in Cyberspace
  • Michael N. Schmitt, "Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework"
23
(No Transcript)
24
Spectrum of Conflict
25
Spectrum of Conflict
26
Spectrum of Conflict
Art. 39
The Security Council shall determine the
existence of any threat to the peace, breach of
the peace, or act of aggression and shall make
recommendations, or decide what measures shall be
taken in accordance with Articles 41 and 42, to
maintain or restore international peace and
security.
27
Spectrum of Conflict
Art. 2(4)
All members shall refrain in their international
relations from the threat or use of force against
the territorial integrity or political
independence of any state, or in any other manner
inconsistent with the Purposes of the United
Nations.
28
Spectrum of Conflict
Art. 51
Nothing in the present Charter shall impair the
inherent right of individual or collective
self-defense if an armed attack occurs against a
Member of the United Nations, until the Security
Council has taken measures necessary to maintain
international peace and security. Measures taken
by Members in the exercise of this right of
self-defense shall be immediately reported to the
Security Council and shall not in any way affect
the authority and responsibility of the Security
Council under the present Charter to take at any
time such action as it deems necessary in order
to maintain or restore international peace and
security.
29
Rules Defining the Use of Force
(Diagram; labels:)
  • Art. 39: threat to the peace
  • Art. 2(4): threat of force; use of force
  • Art. 51: armed attack; self-defense
  • Hostile intent: anticipatory self-defense
  • Hostile act: self-defense
  • Jus in bello applies
30
Use of Force in Cyberspace
  • Cyber vs. kinetic attack
  • Academic state of the art: effects-based analysis
  • Problem: the Charter paradigm is means-based
  • The Schmitt reconciliation
    • Distinguishing military from diplomatic and economic coercion
    • Seven factors

31
Schmitt Factors
  • Severity
  • Immediacy
  • Directness
  • Invasiveness
  • Measurability
  • Presumptive Legitimacy
  • Responsibility

32
Severity
Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the lowest, most basic level of the human hierarchy of need.
How many people were killed? How large an area was attacked? (Scope) How much damage was done within this area? (Intensity)
Scale, from most to least like armed force:
  • People killed; severe property damage
  • People injured; moderate property damage
  • People unaffected; no discernible property damage
33
Immediacy
Over how long a period did the action take place? (Duration) How soon were its effects felt? How soon until its effects abate?
The negative consequences of armed coercion, or the threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.
Scale, from most to least like armed force:
  • Seconds to minutes
  • Hours to days
  • Weeks to months
34
Directness
Was the action distinctly identifiable from parallel or competing actions? Was the action the proximate cause of the effects?
The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.
Scale, from most to least like armed force:
  • Action sole cause of result
  • Action identifiable as one cause of result, and to an indefinite degree
  • Action played no identifiable role in result
35
Invasiveness
Did the action involve physically crossing the target country's borders? Was the locus of the action within the target country?
In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target's borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.
Scale, from most to least like armed force:
  • Border physically crossed; action has a point locus
  • Border electronically crossed; action occurs over a diffuse area
  • Border not crossed; action has no identifiable locus in the target country
36
Measurability
Can the effects of the action be quantified? Are the effects of the action distinct from the results of parallel or competing actions? What was the level of certainty?
While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.
Scale, from most to least like armed force:
  • Effects can be quantified immediately by traditional means (battle damage assessment, etc.) with a high degree of certainty
  • Effects can be estimated by rough order of magnitude with moderate certainty
  • Effects cannot be separated from those of other actions; overall certainty is low
37
Presumptive Legitimacy
Has this type of action achieved a customary acceptance within the international community? Is the means qualitatively similar to others presumed legitimate under international law?
In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion, again in the domestic and international sphere, are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.
Scale, from most to least like armed force:
  • Action accomplished by means of kinetic attack
  • Action accomplished in cyberspace but manifested by a smoking hole in physical space
  • Action accomplished in cyberspace and effects not apparent in the physical world
38
Responsibility
Is the action directly or indirectly attributable to the acting state? But for the acting state's sake, would the action have occurred?
Armed coercion is the exclusive province of states: only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).
Scale, from most to least like armed force:
  • Responsibility for the action acknowledged by the acting state; degree of involvement large
  • Target state government aware of the acting state's responsibility, public role unacknowledged; degree of involvement moderate
  • Action unattributable to the acting state; degree of involvement low
39
Overall Analysis
Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force?
  • Use of force under Article 2(4)
  • Arguably a use of force, or not
  • Not a use of force under Article 2(4)
40
THEMIS Threat Evaluation Metamodel for
Information Systems
41
THEMIS
  • Attack Response Policy (ARP) language
  • ARP alphabet and predicates to represent
    attacks, consequences, and legal concepts
  • Interoperable legal ontologies
  • Attack evaluation and response rules
  • SWRL - A Semantic Web Rule Language combining
    OWL and RuleML

42
Security Policy Specification
43
THEMIS FUNCTIONALITY
44
Attack Response Policy (ARP)
  • ARP alphabet: constant symbols, variables, functions, and terms
  • ARP predicates: used to build rules
  • ARP rules: reason about the damages, express legal restrictions, and determine the legitimacy of counter-actions

45
Example
  • Predicates
    • attack(a-id, a-name, orig, targ)
    • consequence(a-id, c-type, targ)
    • causes(c-type1, targ1, c-type2, targ2)
  • Rule (an attack on targ whose consequence causes a further consequence on targ1 is also an attack on targ1):
    • attack(a-id, a-name, orig, targ1) ←
        attack(a-id, a-name, orig, targ),
        consequence(a-id, c-type, targ),
        causes(c-type, targ, c-type1, targ1)
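The rule on slide 45 is a Horn clause, so it can be evaluated by forward chaining to a fixpoint over a set of facts; the derived consequences can then be placed in the severity bands of slide 32. The following Python is an added example written for this transcript, not THEMIS code and not SWRL: the facts (an intrusion a1 against a pump controller and the causes knowledge around it) are constructed, and the companion rule that derives consequence(a-id, c-type1, targ1) from the same body is an assumption added here so that chains longer than one hop can be followed.

```python
"""Forward chaining of the slide-45 Attack Response Policy rule (added example).

Facts are tuples whose first element names the predicate:
    ("attack", a_id, a_name, orig, targ)
    ("consequence", a_id, c_type, targ)
    ("causes", c_type1, targ1, c_type2, targ2)
"""
from typing import Set, Tuple

Fact = Tuple[str, ...]

# Constructed facts, not from THEMIS: one intrusion a1 against a pump controller
# plus domain knowledge about how consequences propagate between components.
FACTS: Set[Fact] = {
    ("attack", "a1", "radio_injection", "attacker_host", "pump_ctrl"),
    ("consequence", "a1", "control_loss", "pump_ctrl"),
    ("causes", "control_loss", "pump_ctrl", "sewage_overflow", "waterway"),
    ("causes", "sewage_overflow", "waterway", "severe_property_damage", "waterfront"),
    # knowledge about an unrelated component; it must not be reached from a1
    ("causes", "control_loss", "hvac_ctrl", "people_injured", "hospital_ward"),
}


def propagate(facts: Set[Fact]) -> Set[Fact]:
    """Apply the rules until no new fact appears (a Datalog-style fixpoint).

    Slide 45 rule:
        attack(A, N, O, T1) <- attack(A, N, O, T), consequence(A, C, T), causes(C, T, C1, T1)
    Assumed companion rule (not on the slide), so multi-hop chains can be followed:
        consequence(A, C1, T1) <- attack(A, N, O, T), consequence(A, C, T), causes(C, T, C1, T1)
    """
    known = set(facts)
    while True:
        derived: Set[Fact] = set()
        attacks = [f for f in known if f[0] == "attack"]
        conseqs = [f for f in known if f[0] == "consequence"]
        links = [f for f in known if f[0] == "causes"]
        for _, a, n, o, t in attacks:
            for _, a2, c, t2 in conseqs:
                if (a2, t2) != (a, t):
                    continue              # join: same attack id, same target
                for _, c3, t3, c1, t1 in links:
                    if (c3, t3) == (c, t):
                        derived.add(("attack", a, n, o, t1))
                        derived.add(("consequence", a, c1, t1))
        if derived <= known:
            return known
        known |= derived


# Slide 32 severity bands, most to least severe; anything else is the bottom band.
SEVERITY_BANDS = (
    ("high", {"people_killed", "severe_property_damage"}),
    ("medium", {"people_injured", "moderate_property_damage"}),
)


def severity(facts: Set[Fact], a_id: str) -> str:
    """Place attack a_id in a slide-32 severity band from its (derived) consequences."""
    c_types = {f[2] for f in facts if f[0] == "consequence" and f[1] == a_id}
    for band, types in SEVERITY_BANDS:
        if c_types & types:
            return band
    return "low"   # people unaffected, no discernible property damage


if __name__ == "__main__":
    closure = propagate(FACTS)
    for fact in sorted(closure - FACTS):
        print("derived:", fact)
    print("severity of a1:", severity(closure, "a1"))
```

The join on both the attack id and the target is what keeps the hvac_ctrl knowledge from being attributed to a1; without it, any causes fact would leak into every attack. Note also that the severity band changes from low to high only after propagation, which is the point of reasoning about cascading consequences before deciding on a response.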

46
Conclusions
  • Automated decision support system
  • Attack Response Policy Language
    • Alphabet
    • Predicates
    • Rules
  • Schmitt Analysis