Topic 2. Cybersecurity Incident Auditing (PDF)
Universidad Internacional de La Rioja
Summary
This document provides an overview of cyber security incidents. It covers introductory concepts, taxonomy, and management principles. It details various types of cyber incidents and emphasizes cybersecurity incident management principles and their procedures. It is intended for a professional audience and includes detail on cyber threat intelligence and incident response.
# Topic 2. Cybersecurity incident auditing

## 2.1. Introduction

Training unit 2, "Introduction to Security Incidents", presents the main introductory concepts of cyber incidents and their management. It is divided into the following blocks:

* **Cybersecurity incident taxonomy** – The main concepts surrounding cyber incidents: their nature, types and classification, and how to determine their criticality level so that the most efficient response can be chosen.
* **Cyber incident management** – The basic principles of incident management and the phases that make up the life cycle of an incident, from preparation through post-incident activities, taking the NIST model as a reference. Finally, the main metrics used to determine an organization's degree of maturity in incident management are described.
* **CERT-CSIRT-SOC** – Introduces incident response centers: what a CSIRT is, the main security capabilities it has, the distinction between preventive (proactive) and reactive services, and the technical organization of a CSIRT.
* **Action procedures in cyber incident management** – The main procedures for this management, paying special attention to the preparatory phase in the technology, operations, legal and communication domains.
* **Sources and exchange of information and labeling of cyber incidents** – The main sources of information, including cyber threat intelligence platforms such as MISP, the formats for sharing cybersecurity-related information, and incident labeling.

## 2.2. Taxonomy of cybersecurity incidents

### What is a cybersecurity incident?

A cybersecurity incident is a compromise or violation of the security of an organization's IT assets. These assets include:

* Information
* Services
* Infrastructure (servers, computers, networks, smartphones, etc.)
The scope of this definition includes:

* Hardware or electrical failures
* Security policy violations
* System compromises by malicious actors, including disgruntled employees

### Consequences of a cybersecurity incident

A cybersecurity incident leads to an undesirable situation in which one or more of the basic principles of information security may be compromised. These principles are:

* Confidentiality
* Integrity
* Availability

**Figure 16. Basic principles of information security. Source: own elaboration.**

* **Confidentiality** – Prevents unauthorized access to information.
* **Integrity** – Ensures that information remains unaltered unless authorized changes are made.
* **Availability** – Ensures that information and related resources are available to authorized personnel.

### Taxonomy

Managing cyber incidents requires a taxonomy, or classification, that facilitates their identification, analysis, containment and eradication. Important factors in this classification include:

* **Type of threat** – Malicious code, intrusions, fraud, etc.
* **Origin of the threat** – Internal or external.
* **Security category of the affected systems.**
* **Profile of the affected users** – Including their position within the organization and their access privileges to sensitive or confidential information.
* **Number and type of affected systems.**
* **Impact of the incident** – On the organization's ability to protect information, provide services, comply with legal and regulatory requirements, and maintain its public image.
* **Legal and regulatory requirements.**

### Types of cybersecurity incidents

A generic classification of cybersecurity incidents yields the following types:

* **Denial of service (DoS) incidents** – Aim to disrupt or hinder access to networks, systems or applications by overloading them.
* **Malicious code incidents** – Target systems and applications with viruses, worms or Trojan horse malware.
* **Unauthorized access incidents** – Involve the use of hardware or software to access systems, networks, applications or data without appropriate authorization.
* **Inappropriate use incidents** – Occur when individuals bypass the organization's security policies, for example by using peer-to-peer applications on the organization's network to download music.
* **Multiple incidents** – A single incident that involves several of the other types at once.

### Classification of cybersecurity incidents

A more detailed classification is available in the national security framework (ENS) and the *CCN-STIC 817 Guidelines for IT Security (2020)*. The table with the detailed incident classification is accessible here: https://www.ccn-cert.cni.es/es/series-ccn-stic/800-guia-esquema-nacional-de-seguridad/988-ccn-stic-817-gestion-de-ciberincidentes/file?format=html

### Criticality

After classifying incidents, it is important to determine their level of danger, or criticality, based on their likely impact on the organization and its assets. This information makes it possible to take the right decisions about how to handle each incident.

#### How to measure criticality

Criticality involves assessing two factors:

* **Impact** – The potential impact on the organization and/or its sector if the incident occurs. For example, a DDoS attack or a software vulnerability that affects multiple systems can have a major impact, as can the manipulation of SCADA systems that control critical infrastructure such as power grids.
* **Probability** – The likelihood of the incident occurring. Many severe threats have a very low chance of actually affecting the organization. Since resources are limited, it is important to focus on the most likely incidents that could significantly impact the organization.
* **Levels of criticality** – The ENS defines the following levels of severity/criticality:
  1. Low
  2. Medium
  3. High
  4. Very high
  5. Critical

**Figure 17. Levels of severity/criticality. Source: CCN, 2020.**

* **Target** – Individuals, small businesses, medium businesses, local government, national infrastructure, large businesses, strategic sectors, national critical infrastructure, and infrastructure with a million or more users.
* **Attacker danger** – Low, medium, high, very high, and critical.

#### Probability

Every potential threat requires careful analysis of the probability that it will materialize. Some threats may be very serious yet very unlikely to occur. It is therefore important to prioritize efforts by focusing on the threats with the highest probability of affecting the organization.

#### Level of impact

Impact refers to the consequences of an incident, that is, the gravity of the threat if it materializes. For example, a DDoS attack could have a serious impact on a company's sector. The same applies to an exploit that affects a large number of systems.

#### Sectors impacted

Organizations must also take into account the sector in which a cyber incident occurs. Incidents in strategic sectors are more critical because they have a broader impact. The following sectors are particularly sensitive to cyber attacks:

* **Energy** – Includes electric power, oil and natural gas. Attacks can target utility providers, power plants, transmission systems, oil and gas transport systems, and distribution networks.
* **Transportation** – Air, rail, maritime and road transport, including air traffic control, railway companies, maritime port authorities, and road management.
* **Banking** – Banks, online banking, credit services, payment services, etc.
* **Finance** – Stock exchanges, financial operations, and clearing services.
* **Healthcare** – Hospitals, pharmaceutical companies, medical devices, and pharmacies.
* **Drinking water** – Drinking water supply and distribution.
* **Digital infrastructure** – Internet exchange points, domain name systems, top-level domain registries, etc.
* **Communications** – Mobile networks, fixed telephone lines, and satellite communications.
* **Digital services** – Cloud services, online marketplaces, and search engines.
* **Trust and identification services** – Certification authorities and user identification systems, such as digital identity systems and smart cards.
* **Government** – Government operations, public administrations, elections, and emergency services.

An example would be a large-scale disruption of mobile networks. Although this incident would be classified as a malware attack on the communications sector, its cascading effect could also have a significant impact on other critical sectors and, ultimately, a broad impact on society and the economy.

## 2.3. Cyber incident management: phases

### Understanding the principles of cyber incident management

Before exploring cyber incident management and its lifecycle, it is essential to understand the key concepts involved:

* **Cybersecurity event** – A change in cybersecurity status that could affect the organization's operational capabilities (mission, resources, reputation, etc.).
* **Cybersecurity incident (cyber incident)** – One or more unexpected or unwanted events that could jeopardize the organization's normal operations.
* **Cyber incident management** – The process of preparing for, detecting, reporting, evaluating and responding to security incidents within a continuous improvement framework.

### Key principles of cyber incident management

These principles guide the implementation of an effective cyber incident management system.

1. **No one-size-fits-all approach** – Every organization is unique, with its own characteristics, mission, resources and infrastructure. Rather than relying on generic "best practices", each organization must adopt a customized incident management strategy. Learning from experience is crucial, but it is important to start from a solid plan.
2. **Commitment from senior leadership** – Cyber incidents are a serious risk that must be incorporated into overall risk management and security policy. Technology alone cannot mitigate all risks; an integrated plan is needed that covers all processes and organizational structures, especially those relevant to critical business functions. Leadership must be actively involved in developing and implementing the organization's cyber incident prevention and response plan. Senior management support is critical to the plan's success and is made evident through clear communication and the allocation of resources. Well-informed leaders are aware of cybersecurity risks and understand their responsibility to encourage their teams to manage their roles responsibly.
3. **Involve all members of your organization** – Human involvement is essential, yet organizations often have a great deal of untapped potential for detecting and responding to cyber incidents. Employees must be trained to understand and recognize potential security issues, which means educating them about the organization's cyber incident response plan and their individual responsibilities within it.
   Ensure that all employees, from top to bottom, know how to report suspicious activity and which procedures to follow when they encounter an anomaly.
4. **Keep an offline copy of your documents** – A cybersecurity incident can make digital access difficult. Keep copies of important documents, such as the cyber incident response plan, readily available offline.

**Table 4. Source: own elaboration.**

5. **Maintain a backup system that is separate from your main system** – Backing up critical data is essential, but the backup system must be independent of the main system. Otherwise, if the main system is compromised, the backup will probably be compromised too, rendering it useless.
6. **Keep detailed records of all incidents and make them available for regular audits** – Incident records can be used to trace the origin of a cyber incident, help identify a specific attacker, and help the organization return to normal business quickly. They are also crucial for complying with legal obligations, which may require keeping records for a reasonable period (up to 6 months).
7. **Ensure your cyber incident response plan covers all legal aspects and all related information and documents** – If a legal case arises, evidence must be properly collected and stored, following all legal requirements.
8. **Comply with all relevant legislation when handling a cyber incident** – This includes applicable laws, regulations and data protection guidelines. When an incident arises, you may need to contact authorities such as the national data protection agency or the body responsible for receiving reports of network and information security incidents.
9. **Document every step of the incident** – Make sure that all actions taken during the incident are meticulously documented.
   This includes reporting the incident, gathering evidence, communicating with affected parties and the rest of the organization, etc. This documentation serves as a valuable time machine: it lets you go back, review your actions and pinpoint what happened. It also ensures that everyone involved in the incident is aware of the steps taken, so that knowledge of what was done does not remain solely with a small group of people.

**Table 5. Source: own elaboration.**

### Cyber incident management

The management of cyber incidents and their lifecycle must constantly adapt to new attack strategies. Cyber criminals innovate continually, just as businesses do, and they are motivated by the increasing opportunities that cyberspace offers: the growing use of cyberspace by businesses increases the potential gains for criminals. As a result, they have gained access to powerful tools with which they analyze their targets and exploit them to achieve their goals. Their business has also been boosted by readily accessible markets for buying and selling tools and exploitation tactics.

### Phases of a cyber attack

When a cyber attack is analyzed in detail, several phases can be distinguished:

1. **Recon** – Identifying a target and gathering information about it:
   * **Identifying a target** – The attackers choose their target, which could be an individual, an organization or a particular sector.
   * **Searching for vulnerabilities** – The attackers investigate the target, looking for potential weak points or security flaws.
2. **Initiating an attack** – This phase involves:
   * **Exploiting vulnerabilities** – The attackers attempt to take advantage of the vulnerabilities identified.
   * **Bypassing security controls** – The attackers attempt to avoid or circumvent security measures.
3. **Achieving the objective** – This phase includes:
   * **Taking down systems** – The attackers compromise the operation of the target's systems.
   * **Stealing information, funds, etc.** – The attackers may target classified information, financial assets or other valuable resources.
   * **Manipulating information** – The attackers add, modify, delete or corrupt critical data, which can have a significant impact on the target's systems and operations.

### Handling sophisticated cyber attacks

It is crucial to address every stage of a sophisticated cyber attack, whether it is carried out by cyber criminals, other criminals or state-sponsored actors. However, many organizations take only limited action during the early stages of an attack, often because they lack the awareness, resources or technical skills to deal with the threats and take appropriate action. This inaction is a major vulnerability. It can be avoided by giving priority to the first phase of the incident lifecycle:

* **Recognition** – Prepare for the unexpected in advance by focusing on preventive measures.
* **Development** – Develop plans, scenarios and strategies for dealing with potential threats.
* **Collaboration** – Partner with other organizations and experts in the sector; this is one of the best ways to improve cybersecurity.

### The lifecycle of cyber incident management

An incident management system should be an iterative process that continuously improves and adapts to new threats. The basic phases of this lifecycle are:

* **Preparation**
* **Detection and analysis**
* **Containment, eradication and recovery**
* **Post-incident activity**

**Figure 18. Cyber incident lifecycle. Source: Cichonski, 2012.**

### Preparation

The first step in incident management is to establish a Cyber Incident Response Team (CIRT), trained and equipped with the necessary tools and resources.
The organization also needs to conduct a thorough risk assessment to identify potential threats and vulnerabilities, and to define security measures, processes and procedures. The team should have access to specialized staff with the right skills and knowledge. It is vital for the organization to have a comprehensive incident response strategy that includes both proactive and reactive measures. The CIRT is not responsible for preventing incidents, but its existence is crucial to the success of all preventive efforts.

### Detection, analysis and identification

Cyber incidents can manifest in many different ways, and it is impractical to define specific steps for every possible incident. Instead, organizations must be prepared to handle any incident in general while having procedures specifically designed for the most common types of attack.

Detecting and analyzing an incident can be difficult. The accuracy of indicators and alert systems is often questionable: users may provide misleading information, such as "the server is down", and intrusion detection systems often generate false positives. Furthermore, a large number of alerts is generated every day, making it challenging to identify genuine security incidents among the noise.

#### Recommended steps for addressing a cybersecurity incident

The incident response team should take action as soon as a cyber incident is suspected. This includes:

* **Record keeping** – Keep detailed records of the incident, including any changes made to systems. Record keeping should be systematic, thorough and accurate to support efficient incident management.
* **Document everything** – The documentation should include a chronological record of everything that occurred during the incident, from initial detection to final resolution. Each step should be documented and timestamped.
* **Assign responsibility** – Every document should be signed and dated by the responsible team member. This information can serve as proof if legal action is taken.

#### Notification

During an incident, the incident response team must notify all relevant stakeholders. Information should be relayed efficiently to the people who need it, so that everyone involved in the incident response is kept informed. Incident notifications should be clear, concise and timely, and include details of the incident, the affected systems and the actions planned. It is crucial to establish clear notification guidelines that specify what must be communicated, when, and to whom, covering the initial notification, periodic updates and the final status report.

### Containment, mitigation and recovery

Once an incident has been analyzed and prioritized, the incident response team must:

* **Contain the incident** – Take steps to minimize the impact of the incident on the organization's systems, data and operations.
* **Mitigate the effects of the incident** – Work to reduce the impact of the incident.
* **Recover the affected systems** – Restore systems and data to a normal state of operation.

#### Containment

The initial goal is to reduce the impact of the incident. This includes:

* **Minimizing damage** – The organization tries to limit the consequences of the incident.
* **Preventing further damage** – Ensuring that the incident does not spread. Affected systems must be isolated from the broader network and monitored regularly.

A key element of containment is the ability to make crucial decisions quickly. These may include shutting down a system, disconnecting it from the network, or disabling some of its functions.
It is critical to have well-defined strategies and workflows in place so that an incident can be contained effectively.

#### Mitigation

The mitigation phase addresses the causes of the incident. It may involve:

* **Determining the origin of the incident** – It is essential to identify how the incident occurred. The investigation should review the security controls in effect, such as access management, system configurations and user permissions, and identify the attackers and their methods.
* **Addressing the root cause** – The root cause must be identified and addressed to prevent recurrence. It may lie in vulnerabilities in systems or software, or in user behavior.
* **Restoring affected systems** – The team focuses on returning systems to a normal state of operation. This includes removing malware, restoring data from backups, patching vulnerabilities, and reviewing security configurations.

#### Recovery

The recovery phase restores operations to a normal state. It comprises the following major activities:

* **Data restoration from backups** – Necessary to recover lost data.
* **Verification of system integrity** – Ensure that all systems are functional and operational.
* **Analysis of the lessons learned** – Identify the weaknesses in the organization's security and prepare to address them in the future.

Good recovery procedures help ensure that an organization avoids repeating the same mistakes and improves its overall security posture. Incident management is a continuous process of vigilance, planning and preparedness: it is about anticipating security threats and responding effectively when they occur. Through effective incident management, organizations can limit the impact of these threats and ensure the continued security of their systems and information.
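As an added example (not part of the course material), the following Python script implements the record-keeping requirements stated in principle 9 and in the "Recommended steps" above: a chronological, timestamped journal in which every action is attributed to a team member and which can be verified before it is used for the lessons-learned analysis or as evidence. Chaining the entries with SHA-256 is an assumption of this example, and the names, times and actions in the sample timeline are constructed.

```python
"""Tamper-evident incident journal (added example, not from the course text).
Assumption: entries are chained with SHA-256 so that later edits, deletions or
reordering are detected; the text only requires signed, dated, chronological records."""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone

GENESIS = "0" * 64  # link value used by the first entry

@dataclass(frozen=True)
class Entry:
    seq: int          # position in the chronology (1-based)
    timestamp: str    # ISO-8601 UTC time at which the action was recorded
    phase: str        # lifecycle phase: detection, analysis, containment, ...
    actor: str        # responsible team member (the "signature")
    action: str       # what was done
    prev_hash: str    # hash of the previous entry (GENESIS for the first)
    entry_hash: str   # SHA-256 over all the fields above

def _digest(seq, timestamp, phase, actor, action, prev_hash):
    """Canonical hash of one entry: JSON list with a fixed field order."""
    payload = json.dumps([seq, timestamp, phase, actor, action, prev_hash], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()

class IncidentJournal:
    def __init__(self, incident_id):
        self.incident_id = incident_id
        self.entries = []

    def record(self, phase, actor, action, timestamp=None):
        """Append one dated, attributed action, linked to the previous entry."""
        ts = timestamp or datetime.now(timezone.utc).isoformat(timespec="seconds")
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        seq = len(self.entries) + 1
        entry = Entry(seq, ts, phase, actor, action, prev, _digest(seq, ts, phase, actor, action, prev))
        self.entries.append(entry)
        return entry

    def verify(self):
        """(True, None) if the chain is intact and chronological, else (False, seq) of the first bad entry."""
        prev, last_ts = GENESIS, ""
        for e in self.entries:
            expected = _digest(e.seq, e.timestamp, e.phase, e.actor, e.action, prev)
            if e.prev_hash != prev or e.entry_hash != expected or e.timestamp < last_ts:
                return False, e.seq
            prev, last_ts = e.entry_hash, e.timestamp
        return True, None

    def chronology(self):
        """Timeline lines for the post-incident report."""
        return [f"{e.timestamp} [{e.phase}] {e.actor}: {e.action}" for e in self.entries]

def build_sample_journal():
    """Constructed sample timeline: names, times and actions are made up."""
    j = IncidentJournal("INC-EXAMPLE-001")
    j.record("detection", "analyst.a", "IDS alert on web server; user reports 'the server is down'", "2024-03-01T08:02:00+00:00")
    j.record("analysis", "analyst.a", "Unauthorized access confirmed; classified as intrusion, criticality high", "2024-03-01T08:30:00+00:00")
    j.record("containment", "lead.b", "Web server isolated from the network; monitoring enabled", "2024-03-01T08:41:00+00:00")
    j.record("mitigation", "admin.c", "Root cause: unpatched CMS; patch applied, credentials rotated", "2024-03-01T12:10:00+00:00")
    j.record("recovery", "admin.c", "Data restored from offline backup; system integrity verified", "2024-03-01T15:00:00+00:00")
    return j

def tampered_copy(journal, seq, new_action):
    """Simulate an after-the-fact edit of one entry's action text (what verify() must catch)."""
    copy = IncidentJournal(journal.incident_id)
    for e in journal.entries:
        if e.seq == seq:
            e = Entry(e.seq, e.timestamp, e.phase, e.actor, new_action, e.prev_hash, e.entry_hash)
        copy.entries.append(e)
    return copy
```

`build_sample_journal().verify()` returns `(True, None)` and its `chronology()` is the timeline for the post-incident report, while `tampered_copy(journal, 3, "No action taken").verify()` returns `(False, 3)`, pointing at the edited entry.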