CASSIDIAN CYBERSECURITY

Transcription

1 CASSIDIAN CYBERSECURITY ADVANCED PERSISTENT THREAT (APT) SERVICE In a world where cyber threats are emerging daily, often from unknown sources, information security is something no organisation can afford to take for granted. Cassidian CyberSecurity has the expertise to take on the security challenges facing today s organisations, providing services and systems that work tirelessly to stem the tide of cyber threats.

2 APT Overview Cassidian Limited (hereon referred to as Cassidian, and incorporating Cassidian UK, Cassidian CyberSecurity and Regency IT Consulting) have been providing security services to government and industry for over 10 years. The Cassidian Advanced Persistent Threat (APT) service provides: Rapid response to targeted cyber attacks against both government and commercial organisations. Diagnosis and clean up of deliberate, targeted, on-going attacks without the need to remove computer equipment from customer premises for analysis, or to disrupt ongoing operations. Cassidian, is one of four companies selected by the UK Government to pilot an approach to certify Cyber Incident Response (CIR) and clean-up services to government and industry following such attacks Cassidian provides this service to customers by placing specialist and trusted equipment within their networks and through exploiting our technical expertise and intelligence to identify the root cause of any malicious attack. Cassidian also has the capability to leverage its 2

3 significant and related post remediation services from the broader services portfolio. This includes, but is not limited to, policy writing, security architecture consultancy, protective monitoring and advanced Security Operations Centre (SOC) services. This document describes the Cassidian Advanced Incident Response (APT) proposition for government and commercial organisations. Business Benefits Targeted attacks in cyber space are ubiquitous, dynamic and complex, and represent an unprecedented threat to industry and Governments worldwide. Confronting these threats is a non-trivial task and requires a proportionate level of knowledge, experience and expertise to the skilled adversaries that action them. Traditionally, Advanced Persistent Threat (APT) has been portrayed as the consummate cyber threat (attributable in part to Google s public disclosure of attacks in early 2010 and explosive marketing material around Operation Aurora) but more recently is used as a general term for advanced cyber security attacks undertaken by national states and organised crime bodies,. Therefore, it is only one component of the targeted attack problem. Instead, cyber threats are perceived in terms of distinct threat actors and their associated Tactics, Techniques, and Procedures (TTPs). Viewing a given targeted attack intrusion as an interaction with one or more of these threat actors enables the Cassidian Cyber Incident Response team to invoke measured response actions with maximum effectiveness. 3

4 4

5 Services Cassidian offers a number of services to support customers at all stages of advanced cyber attacks. These range from consultancy offerings focused on the definition of an incident response strategies, to forensic readiness plans and monitoring strategies to identify current and future attempted breaches. In terms of an active breach, initially either detected through a Cassidian run APT health check or informed via law enforcement or national authorities, Cassidian are able to support the customer through the full incident lifecycle to a strategic plan of longer term security improvements. Cassidian adopt a staged, incremental approach to an investigation. This allows the customer to make fully informed decisions throughout an investigation and to easily control and monitor the ongoing costs. Our approach also ensures the customer is able to influence and steer the flow of the investigation in a manner which remains consistent and sympathetic with the ongoing operational needs of the business. In order to provide the most flexible and cost effective solution, many of the available technology solutions within the Cassidian toolset are capable of being deployed and managed remotely. In the case of networks which are restricted from external access, the Cassidian toolset can be deployed onsite and managed through a dedicated onsite presence. Tooling and Methodology In order to effectively retain the ability to scale across international borders or across multiple organisations, it remains of paramount importance to Cassidian that any tooling options are selected based on a combination of key criteria. The Cassidian toolset combines a blend of in-house developed technologies as well as selected key best of breed strategic vendor 5

6 solutions underpinned by a number of partnerships and working relationships with specialist companies within this field. It is through such relationships and a vendor agnostic approach that Cassidian is able to offer a high level of capability to all sizes and types of organisations on an international platform. Cassidian s in-house capabilities are derived from the extensive Cassidian Research and Development programmes. In most cases, our in-house tools are designed and developed by members of our operational teams to address a shortfall in commercially available products. Methodology In addition to best of class tool selection, Cassidian adopts the well established SANS 6 stage incident handling methodology to give team members a common core approach to incident handling. Preparation Cassidian adapt this initial stage depending on the customer scenario. In the case of providing pre-breach consultancy, this is normally where Cassidian would assist the customer in developing an effective incident response strategy within the organisation. This strategy would include work around policies, procedures and suitable response mechanisms to be deployed in the event of a breach. If the customer is experiencing an active breach at the time of engagement then Cassidian will identify and confirm either the active or historical presence of a targeted threat actor. 6

7 At the same time, Cassidian works with the customer to help re-align the customer network in order to better facilitate and support an active investigation through low impact, non invasive configuration changes to their existing estate. Identification Cassidian works with the customer to quickly deploy the surveillance strategy defined in the preparation stage. By co-ordinating any suitable changes to the existing estate and the deployment of appropriate toolset technologies we are able to quickly establish a monitoring presence and provide insight into the attacker s movements. This technology deployment should ideally allow for analysis of both ingress and egress network traffic as well as data resident on the customer server and workstation estate. In addition to this, Cassidian would also use this stage as an opportunity to brief and prepare the customer for the full incident investigation lifecycle as well as establishing a series of regular update meetings to provide progress reports and insight into the investigation as it proceeds. Containment and Eradication Under our normal operating process, Cassidian merges the containment and eradication stages into the same activity. These stages commence with the planning around a suitable window of opportunity to stop and remove the malicious presence from the customer estate. Within the Cassidian approach however, it is important to understand the fullest extent of the breach prior to attempting any eradication actions from the network. Failure to properly identify and understand the threat posed can result in a major impact on recovery efforts. During this stage, Cassidian work closely with the customer to understand the business processes which are dependent on the availability of the IT systems and, accordingly, provide the customer with a tailored remediation plan which minimises the impact to the customers business. Recovery The return to business as usual can be critical to the overall success of an incident. The customer business will be focused on how quickly and painlessly the services can be returned and future incidents will benefit from a good investigation track record. Compromised machines will be recovered and rebuilt from last known good state. 7

8 Having started the recovery planning as early as the preparation stage, Cassidian will have worked with the customer to identify the potential impact of each of the required remediation activities on the active business operations. This includes identifying any remediation activities which are deemed to be too invasive or undesirable to the business and establishing either an alternative work around or mechanism for mitigation for each aspect of the threat. Lessons Learned The final stage allows the customer to reflect on the experiences and provides input back to the first stage 'Preparation'. The process should be viewed as a cycle which continues to refine and renew with the business drivers and the changing threat landscape. This stage commonly takes the form of provision of the final incident report, a final tailored remediation plan and an out-brief meeting with the customer. Training Developing services that are intuitive and require minimal amounts of training has always been a primary goal of Cassidian. However, it is inevitable that some training will be needed, as ensuring our customers are fully comfortable in using our services is essential. Cassidian work closely with customers to understand the training needs to develop the most cost effective training solution. Trial Services Cassidian offers services on a trial basis, prices can be provided upon request. Backup/Restore and Disaster Recovery Business Continuity (BC) and Disaster Recovery (DR) are firmly embedded within our organisation and our BC Team have designed, implemented and tested Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP) for our customers. Using processes such as Major Incident Management, Risk Analysis, Business Impact Analysis and Critical Activity Analysis, Cassidian provides duplicated infrastructure, alternative location facilities, mirrored data centres and diverse power and connectivity solutions to achieve BC requirements for the MOD, Emergency Services and Private sector. 8

9 Information Assurance Cassidian are recognised for their knowledge and experience in the field of information assurance. This has been accumulated through the provision, evaluation and accreditation of many system solutions for Government departments and MoD contracts. These solutions have been created to cater for business impact levels IL0-2, IL3, IL4 and IL5. Cassidian has extensive experience in the creation and auditing of security solutions, and are designed to ISO27001 and accredited under HMG standards (IS1 and IS2). Financial Recompense Specific requirements for financial recompense will be negotiated and agreed on an individual contract basis. Termination Terms Termination terms for this service are specified in the accompanying terms and conditions. Pricing The price quoted for Advanced Persistent Threat on the G Cloud catalogue is 10,000. This is for a fixed period initial healthcheck of a typical network segment, including a report of any findings. This charge does not include any hardware costs and other expenses potentially incurred. We envisage that this would be followed up by further detailed investigation based on the findings. However, Advanced Persistent Threat services are bespoke in nature and therefore Cassidian will tailor its pricing accordingly. Upon receipt of an enquiry, Cassidian will work with the potential customer to provide a specific proposal, with a service offering that delivers maximum value against the customer s business objectives. Service Levels Service Availability and Performance metrics will be detailed, post mutual agreement, and captured in a formal SLA between Cassidian and the Service Consumer. Each Service Performance Level will be categorised as either a Key Performance Indicator (KPI) or a Performance Indicator (PI). A KPI will be subject to the Service Credit regime. 9

10 A PI is measured and reported to the Service Consumer but will not be subject to the Service Credit calculation. PI s are measured so that the Cassidian can make reasonable efforts to improve reported performance as part of the Continuous Service Improvement process. Service Constraints & Dependencies For the successful delivery of these services Cassidian and the customer will need to establish and agree the constraints and dependencies that affect the service. These constraints and dependencies will be established during the initial engagement with the customer. Ordering Process Cassidian will utilise the G Cloud catalogue ordering process. On-Boarding Cassidian employs a standard service introduction approach to deliver against proposals. Cassidian s Take On Service Plan (TOSP) is used to manage the on-boarding process that transitions Service users from their existing Service to the new Service (and off again at the Service off-boarding point). Technical Requirements and Consumer Responsibilities Cassidian Advanced Persistent Threat offering is designed to give potential customers maximum flexibility. This allows the service to be tailored to meet individual needs, with technical requirements and consumer responsibilities being agreed on a case by case basis. 10

11 Cassidian Cybersecurity Limited intends sub-contracting part of the service to Cassidian Limited. Cassidian Limited is a company incorporated in England and Wales (company number ) and its registered office is at Quadrant House, Celtic Springs, Coedkernew, Newport, NP10 8FZ. Cassidian Cybersecurity Limited is a wholly owned subsidiary of Cassidian Limited. Cassidian Limited has the following capabilities and experiences in the provision of the service. Copyright This document and its content are the property of Cassidian Limited and must not be duplicated and /or disclosed without authorisation. Any use other than that for which it was intended is prohibited. Cassidian Limited 2013 All rights reserved. Point of Contact Enquiries regarding the content of this document should be addressed to: Chantelle Walkden opportunities@regencyitc.co.uk Regency IT Consulting is a Business Unit of Cassidian CyberSecurity Limited Unit 1.1, Montpellier House, Montpellier Drive, Cheltenham, Glos, GL50 1TY Tel.:

12