Presentation is loading. Please wait.

Presentation is loading. Please wait.

Incident Response. CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts.

Published byJulianna Hilda Armstrong Modified over 8 years ago

Similar presentations

Presentation on theme: "Incident Response. CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts."— Presentation transcript:

1 Incident Response

2 CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts on a Normative Framework., 37 Colum. J. Transnat'l L. 885, 1999, http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993 http://www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA471993 Interesting: Federal Communications Commission: Computer Security Incident Response Guide, 2001, http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident- Response-Guide.pdf http://csrc.nist.gov/fasp/FASPDocs/incident-response/Incident- Response-Guide.pdf Incident Response Team, R. Nellis, http://www.rochissa.org/downloads/presentations/Incidence%20R esponse%20Teams.ppt http://www.rochissa.org/downloads/presentations/Incidence%20R esponse%20Teams.ppt NIST special publications, http://csrc.nist.gov/publications/nistpubs/index.html http://csrc.nist.gov/publications/nistpubs/index.html

3 CSCE 727 - Farkas3 Due Care and Liability Organizational liability for misuse – US Federal Sentencing Guidelines: chief executive officer and top management are responsible for fraud, theft, and antivirus violations committed by insiders or outsiders using the company’s resources. – Fines and penalties Base fine Culpability score (95%-400%) – Good faith efforts: written policies, procedures, security awareness program, disciplinary standards, monitoring and auditing, reporting, and cooperation with investigations

4 CSCE 727 - Farkas4 How to Respond?

5 CSCE 727 - Farkas5 How to Respond?

6 CSCE 727 - Farkas6 How to Respond?

7 CSCE 727 - Farkas7 How to Response? Actions to avoid further loss from intrusion Terminate intrusion and protect against reoccurrence Law enforcement – prosecute Enhance defensive security Reconstructive methods based on: – Time period of intrusion – Changes made by legitimate users during the effected period – Regular backups, audit trail based detection of effected components, semantic based recovery, minimal roll- back for recovery.

8 CSCE 727 - Farkas8 Roles and Responsibilities User: – Vigilant for unusual behavior – Report incidents Manager: – Awareness training – Policies and procedures System administration: – Install safeguards – Monitor system – Respond to incidents, including preservation of evidences

9 CSCE 727 - Farkas9 Computer Incident Response Team Assist in handling security incidents – Formal – Informal Incident reporting and dissemination of incident information Computer Security Officer – Coordinate computer security efforts Others: law enforcement coordinator, investigative support, media relations, etc.

10 CSCE 727 - Farkas10 Incident Response Process 1. Preparation – Baseline Protection – Planning and guidance – Roles and Responsibilities – Training – Incident response team

11 CSCE 727 - Farkas11 Incident Response Process 2. Identification and assessment – Symptoms – Nature of incident Identify perpetrator, origin and extent of attack Can be done during attack or after the attack – Gather evidences Key stroke monitoring, honey nets, system logs, network traffic, etc. Legislations on Monitoring! – Report on preliminary findings

12 CSCE 727 - Farkas12 Incident Response Process 3. Containment – Reduce the chance of spread of incident – Determine sensitive data – Terminate suspicious connections, personnel, applications, etc. – Move critical computing services – Handle human aspects, e.g., perception management, panic, etc.

13 CSCE 727 - Farkas13 Incident Response Process 4. Eradication – Determine and remove cause of incident if economically feasible – Improve defenses, software, hardware, middleware, physical security, etc. – Increase awareness and training – Perform vulnerability analysis

14 CSCE 727 - Farkas14 Incident Response Process 5. Recovery – Determine course of action – Reestablish system functionality – Reporting and notifications – Documentation of incident handling and evidence preservation

15 CSCE 727 - Farkas15 Follow Up Procedures Incident evaluation: – Quality of incident (preparation, time to response, tools used, evaluation of response, etc.) – Cost of incident (monetary cost, disruption, lost data, hardware damage, etc.) Preparing report Revise policies and procedures

16 CSCE 727 - Farkas16 What is “Survivability”? To decide whether a computer system is “survivable”, you must first decide what “survivable” means.

17 CSCE 727 - Farkas17 Vulnerable Components 1. Hardware 2. Software 3. Data 4. Communications 5. People

18 CSCE 727 - Farkas18 Effect Modeling and Vulnerability Detection Cascading effects Seriously effected components Weakly effected component Not effected components

19 CSCE 727 - Farkas19 Legal Aspects National law International law Legal regime to apply Gray areas of law Legal response Evidence preservation

20 THEMIS: Threat Evaluation Metamodel for Information Systems Presented at the 2nd Symposium on Intelligence and Security Informatics, 2004 Csilla Farkas, Thomas Wingfield, James B. Michael Duminda Wijesekera Themis, Goddess of Justice

21 CSCE 727 - Farkas21 Attacks Against Critical Infrastructures Swedish hacker jammed 911 in central Florida in 1997 Juvenile hacker penetrated and disabled a telco computer servicing Worcester Airport in March 1997 Brisbane hacker used radio transmissions to create raw sewage overflows on Sunshine coast in 2000 Hackers broke into Gazprom’s system controlling gas flows in pipelines in 1999 Hackers got into California Independent Service Operator (ISO) development network for regional power grid in spring 2001 Numerous denial-of-service attacks against ISPs – some shut down Source: D. Denning Information Warfare

22 CSCE 727 - Farkas22 Rules Defining the Use of Force Schmitt Analysis Sources: Thomas Wingfield: The Law of Information Conflict: National Security Law in Cyberspace Michael N. Schmitt: Computer Network Attack and the Use of Force in International Law: Thoughts on a Normative Framework

23 CSCE 727 - Farkas23

24 CSCE 727 - Farkas24 Spectrum of Conflict

25 CSCE 727 - Farkas25 Spectrum of Conflict

26 CSCE 727 - Farkas26 Spectrum of Conflict Art. 39 The Security Council shall determine the existence of any threat to the peace, breach of the peace, or act of aggression and shall make recommendations, or decide what measures shall be taken in accordance with Articles 41 and 42, to maintain or restore international peace and security.

27 CSCE 727 - Farkas27 Spectrum of Conflict All members shall refrain in their international relations from the threat or use of force against the territorial integrity or political independence of any state, or in any other manner inconsistent with the Purposes of the United Nations. Art. 2(4)

28 CSCE 727 - Farkas28 Spectrum of Conflict Art. 51 Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs against a Member of the United Nations, until the Security Council has taken measures necessary to maintain international peace and security. Measures taken by Members in the exercise of this right of self-defense shall be immediately reported to the Security Council and shall not in any way affect the authority and responsibility of the Security Council under the present Charter to take at any time such action as it deems necessary in order to maintain or restore international peace and security.

29 CSCE 727 - Farkas29 Art. 51Art. 2(4)Art. 39 Jus ad bellum appliesJus in bello applies RESPONSERESPONSE Anticipatory self-defense Hostile intent Hostile act Self-defense Threat of force Use of force Armed attack Threat to the peace Rules Defining the Use of Force Peacetime regime applies

30 CSCE 727 - Farkas30 Cyber vs. Kinetic Attack Academic State-of-the-Art: Effects-Based Analysis Problem: Charter Paradigm Means-Based The Schmitt Reconciliation – Distinguishing Military from Diplomatic and Economic Coercion – Seven Factors Use of Force in Cyberspace

31 CSCE 727 - Farkas31 Severity Immediacy Directness Invasiveness Measurability Presumptive Legitimacy Responsibility Schmitt Factors

32 CSCE 727 - Farkas32 Severity People Killed; Severe Property Damage Armed attacks threaten physical injury or destruction of property to a much greater extent than other forms of coercion. Physical well-being usually occupies the [lowest, most basic level] of the human hierarchy of need. How many people were killed? How large an area was attacked? (Scope) How much damage was done within this area? (Intensity) People Killed; Severe Property Damage People Injured; Moderate Property Damage People Unaffected; No Discernable Property Damage

33 CSCE 727 - Farkas33 Immediacy People Killed; Severe Property Damage Over how long a period did the action take place? (Duration) How soon were its effects felt? How soon until its effects abate? Seconds to Minutes Hours to Days Weeks to Months The negative consequences of armed coercion, or threat thereof, usually occur with great immediacy, while those of other forms of coercion develop more slowly.

34 CSCE 727 - Farkas34 Directness People Killed; Severe Property Damage Was the action distinctly identifiable from parallel or competing actions? Was the action the proximate cause of the effects? Action Sole Cause of Result Action Identifiable as One Cause of Result, and to an Indefinite Degree Action Played No Identifiable Role in Result The consequences of armed coercion are more directly tied to the actus reus than in other forms of coercion, which often depend on numerous contributory factors to operate.

35 CSCE 727 - Farkas35 Invasiveness People Killed; Severe Property Damage Did the action involve physically crossing the target country’s borders? Was the locus of the action within the target country? Border Physically Crossed; Action Has Point Locus Border Electronically Crossed; Action Occurs Over Diffuse Area Border Not Crossed; Action Has No Identifiable Locus in Target Country In armed coercion, the act causing the harm usually crosses into the target state, whereas in economic warfare the acts generally occur beyond the target’s borders. As a result, even though armed and economic acts may have roughly similar consequences, the former represents a greater intrusion on the rights of the target state and, therefore, is more likely to disrupt international stability.

36 CSCE 727 - Farkas36 Measurability People Killed; Severe Property Damage Can the effects of the action be quantified? Are the effects of the action distinct from the results of parallel or competing actions? What was the level of certainty? Effects Can Be Quantified Immediately by Traditional Means (BDA, etc.) with High Degree of Certainty Effects Can Be Estimated by Rough Order of Magnitude with Moderate Certainty Effects Cannot be Separated from Those of Other Actions; Overall Certainty is Low While the consequences of armed coercion are usually easy to ascertain (e.g., a certain level of destruction), the actual negative consequences of other forms of coercion are harder to measure. This fact renders the appropriateness of community condemnation, and the degree of vehemence contained therein, less suspect in the case of armed force.

37 CSCE 727 - Farkas37 Presumptive Legitimacy People Killed; Severe Property Damage Has this type of action achieved a customary acceptance within the international community? Is the means qualitatively similar to others presumed legitimate under international law? Action Accomplished by Means of Kinetic Attack Action Accomplished in Cyberspace but Manifested by a “Smoking Hole” in Physical Space Action Accomplished in Cyberspace and Effects Not Apparent in Physical World In most cases, whether under domestic or international law, the application of violence is deemed illegitimate absent some specific exception such as self-defense. The cognitive approach is prohibitory. By contrast, most other forms of coercion—again in the domestic and international sphere—are presumptively lawful, absent a prohibition to the contrary. The cognitive approach is permissive.

38 CSCE 727 - Farkas38 Responsibility People Killed; Severe Property Damage Is the action directly or indirectly attributable to the acting state? But for the acting state’s sake, would the action have occurred? Responsibility for Action Acknowledged by Acting State; Degree of Involvement Large Target State Government Aware of Acting State’s Responsibility; Public Role Unacknowledged; Degree of Involvement Moderate Action Unattributable to Acting State; Degree of Involvement Low Armed coercion is the exclusive province of states; only they may generally engage in uses of force across borders, and in most cases only they have the ability to do so with any meaningful impact. By contrast, non- governmental entities are often capable of engaging in other forms of coercion (propaganda, boycotts, etc.).

39 CSCE 727 - Farkas39 Overall Analysis People Killed; Severe Property Damage Have enough of the qualities of a use of force been identified to characterize the information operation as a use of force? Use of Force Under Article 2(4) Arguably Use of Force or Not Not a Use of Force Under Article 2(4)

40 CSCE 727 - Farkas40 THEMIS Threat Evaluation Metamodel for Information Systems

41 CSCE 727 - Farkas41 THEMIS Attack Response Policy (ARP) language – ARP alphabet and predicates to represent attacks, consequences, and legal concepts Interoperable legal ontologies Attack evaluation and response rules SWRL - A Semantic Web Rule Language combining OWL and RuleML

42 CSCE 727 - Farkas42 Default policy Conflict resolution Interoperable Ontologies ARP specification Security Policy Specification

43 CSCE 727 - Farkas43 THEMIS FUNCTIONALITY Computer System Attacker Affected Assets Response DEFENSEOFFENSE Policy Attack Cascading Effects Characteristics

44 CSCE 727 - Farkas44 Attack Response Policy (ARP) ARP alphabet: constant symbols, variables, functions, and terms ARP predicates: used to build rules ARP rules: reason about the damages, express legal restrictions, and determine legitimacy of counter actions

45 CSCE 727 - Farkas45 Example Predicates: – attack(a-id, a-name, orig, targ) – consequence(a-id, c-type, targ) – causes(c-type1, targ1, c-type2, targ 2) Rule: – attack(a-id, a-name, orig, targ1)  attack(a-id, a-name, orig, targ) consequence(a-id, c-type, targ) causes(c-type, targ, c-type1, targ1)

46 CSCE 727 - Farkas46 Conclusions Automated decision support system Attack Response Policy Language – Alphabet – Predicates – Rules Schmitt Analysis

Download ppt "Incident Response. CSCE 727 - Farkas2 Reading list Required: Michael N. Schmitt, Computer Network Attack and the Use of Force in International Law. Thoughts."

Similar presentations

Promoting Cooperative Solutions for Space Security 1 www.SecureWorldFoundation.org Is Current International Humanitarian Law Sufficient to Regulate a Potential.

Promoting Cooperative Solutions for Space Security 1 Is Current International Humanitarian Law Sufficient to Regulate a Potential.
186 National Socities.

186 National Socities.
The Ethics of War Spring 2007. Main normative questions When, if ever, is resort to war justified? What can we permissibly do in war? Who are responsible.

The Ethics of War Spring Main normative questions When, if ever, is resort to war justified? What can we permissibly do in war? Who are responsible.
Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.

Information System Audit : © South-Asian Management Technologies Foundation Chapter 4: Information System Audit Requirements.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
INTERNATIONAL LAW THE USE OF FORCE. THE PROHIBITION OF FORCE: Art 2 t 3. All Members shall settle their international disputes by peaceful means in such.

INTERNATIONAL LAW THE USE OF FORCE. THE PROHIBITION OF FORCE: Art 2 t 3. All Members shall settle their international disputes by peaceful means in such.
Incident Response Need for Attack Analysis. CSCE 727 - Farkas2 Reading List This class – Michael N. Schmitt, Computer Network Attack and the Use of Force.

Incident Response Need for Attack Analysis. CSCE Farkas2 Reading List This class – Michael N. Schmitt, Computer Network Attack and the Use of Force.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.

ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch

Smart Grid - Cyber Security Small Rural Electric George Gamble Black & Veatch
1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.

1 INTERNAL CONTROLS A PRACTICAL GUIDE TO HELP ENSURE FINANCIAL INTEGRITY.
National Space-Based Positioning, Navigation, and Timing (PNT) Federal Advisory Board DHS Challenges & Opportunities Captain Curtis Dubay, P.E. Department.

National Space-Based Positioning, Navigation, and Timing (PNT) Federal Advisory Board DHS Challenges & Opportunities Captain Curtis Dubay, P.E. Department.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
USE OF FORCE IN INTERNATIONAL LAW

USE OF FORCE IN INTERNATIONAL LAW
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.

Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
International Law Unit 9: Use of Force Fall 2005 Mr. Morrison.

International Law Unit 9: Use of Force Fall 2005 Mr. Morrison.
Computer Security: Principles and Practice

Computer Security: Principles and Practice
Stephen S. Yau CSE 465-591, Fall 2006 1 Security Strategies.

Stephen S. Yau CSE , Fall Security Strategies.

Similar presentations

Ads by Google