1 / 46

Incident Response

Incident Response. Reading list. Required: Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts on a Normative Framework., 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993 Interesting:

mikko
Télécharger la présentation

Incident Response

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Incident Response

  2. Reading list • Required: • Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts on a Normative Framework., 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993 • Interesting: • Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident-Response-Guide.pdf • Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20Response%20Teams.ppt • NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html

  3. Due Care and Liability • Organizational liability for misuse • US Federal Sentencing Guidelines: chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company’s resources. • Fines and penalties • Base fine • Culpability score (95%-400%) • Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

  4. How to Respond?

  5. How to Respond?

  6. How to Respond?

  7. How to Response? • Actions to avoid further loss from intrusion • Terminate intrusion and protect against reoccurrence • Law enforcement – prosecute • Enhance defensive security • Reconstructive methods based on: • Time period of intrusion • Changes made by legitimate users during the effected period • Regular backups, audit trail based detection of effected components, semantic based recovery, minimal roll-back for recovery.

  8. Roles and Responsibilities • User: • Vigilant for unusual behavior • Report incidents • Manager: • Awareness training • Policies and procedures • System administration: • Install safeguards • Monitor system • Respond to incidents, including preservation of evidences

  9. Computer Incident Response Team • Assist in handling security incidents • Formal • Informal • Incident reporting and dissemination of incident information • Computer Security Officer • Coordinate computer security efforts • Others: law enforcement coordinator, investigative support, media relations, etc.

  10. Incident Response Process 1. Preparation • Baseline Protection • Planning and guidance • Roles and Responsibilities – Training • Incident response team

  11. Incident Response Process 2. Identification and assessment • Symptoms • Nature of incident • Identify perpetrator, origin and extent of attack • Can be done during attack or after the attack • Gather evidences • Key stroke monitoring, honey nets, system logs, network traffic, etc. • Legislations on Monitoring! • Report on preliminary findings

  12. Incident Response Process 3. Containment • Reduce the chance of spread of incident • Determine sensitive data • Terminate suspicious connections, personnel, applications, etc. • Move critical computing services • Handle human aspects, e.g., perception management, panic, etc.

  13. Incident Response Process 4. Eradication • Determine and remove cause of incident if economically feasible • Improve defenses, software, hardware, middleware, physical security, etc. • Increase awareness and training • Perform vulnerability analysis

  14. Incident Response Process 5. Recovery • Determine course of action • Reestablish system functionality • Reporting and notifications • Documentation of incident handling and evidence preservation

  15. Follow Up Procedures • Incident evaluation: • Quality of incident (preparation, time to response, tools used, evaluation of response, etc.) • Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.) • Preparing report • Revise policies and procedures

  16. What is “Survivability”? To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

  17. Vulnerable Components 1. Hardware 2. Software 3. Data 4. Communications 5. People

  18. Effect Modeling and Vulnerability Detection Seriously effected components Weakly effected component Cascading effects Not effected components

  19. Legal Aspects • National law • International law • Legal regime to apply • Gray areas of law • Legal response • Evidence preservation

  20. THEMIS: Threat Evaluation Metamodel for Information Systems Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004 Csilla Farkas, Thomas Wingfield, James B. Michael Duminda Wijesekera Themis, Goddess of Justice

  21. Attacks Against Critical Infrastructures • Swedish hacker jammed 911 in central Florida in 1997 • Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997 • Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast in 2000 • Hackers broke into Gazprom’s system controlling gas flows in pipelines in 1999 • Hackers got into California Independent Service Operator (ISO) development network for regional power grid in spring 2001 • Numerous denial-of-service attacks against ISPs – some shut down Source: D. Denning Information Warfare

  22. Rules Defining the Use of Force Schmitt Analysis Sources: Thomas Wingfield: The Law of Information Conflict: National Security Law in Cyberspace Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework

  23. Spectrum of Conflict

  24. Spectrum of Conflict

  25. Spectrum of Conflict Art. 39 The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.

  26. Spectrum of Conflict Art. 2(4) All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations.

  27. Spectrum of Conflict Art. 51 Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

  28. R E S P O N S E Jus ad bellum applies Peacetime regime applies Rules Defining the Use of Force Art. 39 Art. 2(4) Art. 51 Threat of force Use of force Armed attack Threat to the peace Hostile intent Hostile act Anticipatory self-defense Self-defense Jus in bello applies

  29. Use of Force in Cyberspace • Cyber vs. Kinetic Attack • Academic State-of-the-Art: Effects-Based Analysis • Problem: Charter Paradigm Means-Based • The Schmitt Reconciliation • Distinguishing Military from Diplomatic and Economic Coercion • Seven Factors

  30. Schmitt Factors • Severity • Immediacy • Directness • Invasiveness • Measurability • Presumptive Legitimacy • Responsibility

  31. Severity Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need. How many people were killed? How large an area was attacked? (Scope) How much damage was done within this area? (Intensity) People Killed; Severe Property Damage People Killed; Severe Property Damage People Injured; Moderate Property Damage People Unaffected; No Discernable Property Damage

  32. Immediacy The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly. Over how long a period did the action take place? (Duration) How soon were its effects felt? How soon until its effects abate? People Killed; Severe Property Damage Seconds to Minutes Hours to Days Weeks to Months

  33. Directness The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate. Was the action distinctly identifiable from parallel or competing actions? Was the action the proximate cause of the effects? Action Sole Cause of Result People Killed; Severe Property Damage Action Identifiable as One Cause of Result, and to an Indefinite Degree Action Played No Identifiable Role in Result

  34. Invasiveness In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability. Did the action involve physically crossing the target country’s borders? Was the locus of the action within the target country? Border Physically Crossed; Action Has Point Locus People Killed; Severe Property Damage Border Electronically Crossed; Action Occurs Over Diffuse Area Border Not Crossed; Action Has No Identifiable Locus in Target Country

  35. Measurability While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force. Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty Can the effects of the action be quantified? Are the effects of the action distinct from the results of parallel or competing actions? What was the level of certainty? People Killed; Severe Property Damage Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty Effects Cannot be Separated from Those of Other Actions; Overall Certainty is Low

  36. Presumptive Legitimacy In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive. Has this type of action achieved a customary acceptance within the international community? Is the means qualitatively similar to others presumed legitimate under international law? Action Accomplished by Means of Kinetic Attack People Killed; Severe Property Damage Action Accomplished in Cyberspace but Manifested by a “Smoking Hole” in Physical Space Action Accomplished in Cyberspace and Effects Not Apparent in Physical World

  37. Responsibility Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non-governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.). Is the action directly or indirectly attributable to the acting state? But for the acting state’s sake, would the action have occurred? Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large People Killed; Severe Property Damage Target State Government Aware of Acting State’s Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate Action Unattributable to Acting State; Degree of Involvement Low

  38. Overall Analysis Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force? Use of Force Under Article 2(4) People Killed; Severe Property Damage Arguably Use of Force or Not Not a Use of Force Under Article 2(4)

  39. THEMIS Threat Evaluation Metamodel for Information Systems

  40. THEMIS • Attack Response Policy (ARP) language • ARP alphabet and predicates to represent attacks, consequences, and legal concepts • Interoperable legal ontologies • Attack evaluation and response rules • SWRL - A Semantic Web Rule Language combining OWL and RuleML

  41. Interoperable Ontologies Default policy Conflict resolution ARP specification Security Policy Specification

  42. OFFENSE DEFENSE Computer System Attack Cascading Effects Attacker Affected Assets Characteristics Policy Response THEMIS FUNCTIONALITY

  43. Attack Response Policy (ARP) • ARP alphabet: constant symbols, variables, functions, and terms • ARP predicates: used to build rules • ARP rules: reason about the damages, express legal restrictions, and determine legitimacy of counter actions

  44. Example • Predicates: • attack(a-id, a-name, orig, targ) • consequence(a-id, c-type, targ) • causes(c-type1, targ1, c-type2, targ 2) • Rule: • attack(a-id, a-name, orig, targ1)  attack(a-id, a-name, orig, targ) consequence(a-id, c-type, targ) causes(c-type, targ, c-type1, targ1)

  45. Conclusions • Automated decision support system • Attack Response Policy Language • Alphabet • Predicates • Rules • Schmitt Analysis

More Related