EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS

Similar documents
Cybersecurity: What CFO s Need to Know

Into the cybersecurity breach

Practical Steps To Securing Process Control Networks

Who s Doing the Hacking?

Threat Agent Library Helps Identify Information Security Risks

MEMORANDUM. Date: October 28, Federally Regulated Financial Institutions. Subject: Cyber Security Self-Assessment Guidance

A Layperson s Guide To DoS Attacks

Sytorus Information Security Assessment Overview

How do we Police Cyber Crime?

OCIE Technology Controls Program

FFIEC Cybersecurity Assessment Tool

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

Cyber Security for SCADA/ICS Networks

Cybercrime: risks, penalties and prevention

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Insurance Considerations Related to Data Security and Breach in Outsourcing Agreements

ICBA Summary of FFIEC Cybersecurity Assessment Tool

Critical Controls for Cyber Security.

A Primer on Cyber Threat Intelligence

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Defending Against Data Beaches: Internal Controls for Cybersecurity

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

Managing cyber risks with insurance

High Level Cyber Security Assessment 2/1/2012. Assessor: J. Doe

DDoS Overview and Incident Response Guide. July 2014

National Cyber Crime Unit

Advanced Threats: The New World Order

FFIEC Cybersecurity Assessment Tool Overview for Chief Executive Officers and Boards of Directors

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

2012 雲 端 資 安 報 告. 黃 建 榮 資 深 顧 問 - Verizon Taiwan. August 2012

Five keys to a more secure data environment

Specific recommendations

White Paper. Intelligent DDoS Protection Use cases for applying DDoS Intelligence to improve preparation, detection and mitigation

Modern Cyber Threats. how yesterday s mind set gets in the way of securing tomorrow s critical infrastructure. Axel Wirth

DISTRIBUTED DENIAL OF SERVICE OBSERVATIONS

Gregg Gerber. Strategic Engagement, Emerging Markets

How To Create An Insight Analysis For Cyber Security

The FBI Cyber Program. Bauer Advising Symposium //UNCLASSIFIED

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Zak Khan Director, Advanced Cyber Defence

Information Technology

Ten Questions Your Board Should be asking about Cyber Security. Eric M. Wright, Shareholder

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

CYBER SECURITY GUIDANCE

Exercising Your Enterprise Cyber Response Crisis Management Capabilities

CS5008: Internet Computing

Italy. EY s Global Information Security Survey 2013

External Supplier Control Requirements

idata Improving Defences Against Targeted Attack

Accenture Intelligent Security for the Digital Enterprise. Archer s important role in solving today's pressing security challenges

Arbor s Solution for ISP

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

Coping with a major business disruption. Some practical advice

Cyber-Security Risk- IP Theft and Data Breaches Protecting your Crown Jewels Internally and with Your Key Third Parties

How To Protect Yourself From A Dos/Ddos Attack

Client Update NFA Adopts Interpretive Notice Regarding Information Systems Security Programs

This document is licensed for use, redistribution, and derivative works, commercial or otherwise, in accordance with the Creative Commons

SHARE THIS WHITEPAPER. On-Premise, Cloud or Hybrid? Approaches to Mitigate DDoS Attacks Whitepaper

PREPARE YOUR INCIDENT RESPONSE TEAM

Denial of Service Attacks

Chapter 3.3: IT and Cloud Computing

DDoS Attacks: The Latest Threat to Availability. Dr. Bill Highleyman Managing Editor Availability Digest

2 Gabi Siboni, 1 Senior Research Fellow and Director,

Knowing Your Enemy How Your Business is Attacked. Andrew Rogoyski June 2014

How to ensure control and security when moving to SaaS/cloud applications

September 20, 2013 Senior IT Examiner Gene Lilienthal

Cyber Security Risk Management

Cyber Insurance Presentation

BUSINESS CONTINUITY POLICY

2015 CEO & Board University Cybersecurity on the Rise. Matthew J. Putvinski, CPA, CISA, CISSP

The FBI and the Internet

What is Penetration Testing?

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

SHARE THIS WHITEPAPER. Top Selection Criteria for an Anti-DDoS Solution Whitepaper

Trends in Malware DRAFT OUTLINE. Wednesday, October 10, 12

THE NEW REALITY OF RISK CYBER RISK: TRENDS AND SOLUTIONS

CYBER-ATLAS A COMPLETE CYBER RISK MANAGEMENT SOLUTION

A HELPING HAND TO PROTECT YOUR REPUTATION

Unit 3 Cyber security

Understanding and Defending Against the Modern DDoS Threat

Internet Safety and Security: Strategies for Building an Internet Safety Wall

ITL BULLETIN FOR JULY Preparing for and Responding to Certification Authority Compromise and Fraudulent Certificate Issuance

12/11/15. Evolving Cybersecurity Risks. Agenda. The current cyber risk landscape Overview. Results on EY s Global Information Security Survey

Cyber security Building confidence in your digital future

Cyber security trends & strategy for business (digital?)

Cybersecurity: Considerations for Internal Audit. IIA Atlanta Chapter Meeting January 9, 2015

Security Controls Implementation Plan

Transcription:

EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS Ian Green Manager, Cybercrime & Intelligence Commonwealth Bank of Australia Session ID: GRC T17 Session Classification: ADVANCED

WHY?

What keeps you up at night?

What keeps you up at night?

Extreme events are costly Global Payments Inc. 10% or $400m wiped off market cap

How prepared are you? General Keith Alexander Director, National Security Agency Commander, United States Cyber Command Source: The Aspen Security Forum 2012 http://www.youtube.com/watch?v=rtvi_rifzoc&feature=plcp

How prepared are you? General Keith Alexander Director, National Security Agency Commander, United States Cyber Command Source: The Aspen Security Forum 2012 http://www.youtube.com/watch?v=rtvi_rifzoc&feature=plcp

Cyber Resilience mean time to failure mean time to recovery Can only be achieved by adopting a holistic approach of the management of cyber risk While failures are unavoidable, cyber resilience prevents systems from completely collapsing http://www3.weforum.org/docs/wef_it_pathwaystoglobalcyberresilience_report_2012.pdf

HOW?

Threat Actor Analysis For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Identify actors who pose a significant threat to the organisation

Threat Agent Library Intel http://www.intel.com/it/pdf/threat agent library.pdf

Agent Attributes - Intel WHO HOW Intent: Non-hostile, Hostile Access: Internal, External Skill Level: None, Minimal, Operational, Adept Resources: Individual, Club, Contest, Team, Organisation, Government Limits: Code of conduct, Legal, Extra-legal (minor), Extralegal (major) Visibility: Overt, Covert, Clandestine, Don t Care Objective: Copy, Destroy, Injure, Take, Don t Care Outcome: Acquisition / Theft, Business Advantage, Damage, Embarrassment, Technical Advantage

Agent Attributes - Intel WHO HOW Intent: Non-hostile, Hostile Access: Internal, External Skill Level: None, Minimal, Operational, Adept Resources: Individual, Club, Contest, Team, Organisation, Government Limits: Code of conduct, Legal, Extra-legal (minor), Extralegal (major) Visibility: Overt, Covert, Clandestine, Don t Care Objective: Copy, Destroy, Injure, Take, Don t Care Outcome: Acquisition / Theft, Business Advantage, Damage, Embarrassment, Technical Advantage

Consolidated Threat Actors Corrupt Government Official Government Cyber Warrior Government Spy Civil Activist Radical Activist Mobster Terrorist Competitor Internal Spy Nation State Hacktivist Organised Crime Terrorists Trusted Insider

Threat Actor Analysis Organised Crime Nation State Trusted Insider Hacktivist Group Terrorist

Threat Actor Analysis Organised Crime Hacktivist Group Nation State Trusted Insider Hacktivist Group Intent: Hostile Access: External Skill Level: Adept Resources: Organisation Limits: Extra-legal (major) Visibility: Overt Objective: Copy, Injure Outcome: Damage, Embarrassment Terrorist

Threat Actor Analysis Nation State Organised Crime Terrorist Trusted Insider Organised Crime Intent: Hostile Access: External Skill Level: Adept Resources: Organisation Limits: Extra-legal (major) Visibility: Covert Objective: Take Outcome: Acquisition / Theft Hacktivist Group

Threat Actor Analysis Terrorist Nation State Hacktivist Group Trusted Insider Nation State Intent: Hostile Access: External Skill Level: Adept Resources: Government Limits: Extra-legal (major) Visibility: Clandestine Objective: Copy Outcome: Technical Advantage Organised Crime

Threat Actor Analysis Hacktivist Group Terrorist Organised Crime Trusted Insider Terrorist Intent: Hostile Access: External Skill Level: Adept Resources: Organisation Limits: Extra-legal (major) Visibility: Covert Objective: Destroy Outcome: Damage Nation State

Impact Analysis For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Determine what your organisation really cares about protecting

Business Impact Matrix Financial Customer Service & Operations Reputation / Brand Legal / Regulatory Compliance People Customers Impact 5 >$500m Significant loss of customers due to extensive interruption to service capability Substantial damage to brands resulting from extensive negative national publicity Loss of license, loss of public listing or substantial penalties on Directors Death or severe injury to employees 4 $200m $500m..... Serious financial impact to all customers 3 $50m $200m 2 <$50m. 1 <$50m

Values at Risk Health and safety of employees Customer funds and stocks Customer data (private information) Customer data (intellectual property) Corporate data (sensitive information) Corporate data (intellectual property) Availability of banking channels (Internet facing) Availability of banking channels (back end)

Scenario Selection For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Select scenarios that could have a catastrophic impact on the organisation

Scenario Selection Threat Actor Analysis Impact Analysis Outcome Objective Value at Risk Potential Business Impact Acquisition / Theft Copy Customer Funds Customer Service / Operational Business Advantage Destroy Customer Data Financial Technical Advantage Injure Corporate Data Reputational / Brand Damage Take Employee health and safety Legal / Regulatory Compliance Embarrassment Availability of banking systems Customers People

Scenario Selection Threat Actor Analysis Impact Analysis Outcome Objective Value at Risk Potential Business Impact Acquisition / Theft Business Advantage Technical Advantage Damage Embarrassment Copy Organised Crime Destroy Intent: Hostile Access: External Skill Level: Adept Injure Resources: Organisation Limits: Extra-legal (major) Visibility: Covert Objective: Take Take Outcome: Acquisition / Theft Customer Funds Customer Data Corporate Data Employee health and safety Availability of banking systems Customer Service / Operational Financial Reputational / Brand Legal / Regulatory Compliance Customers Scenario: Organised crime gang steals customer funds causing significant financial loss. People

Scenario Selection Threat Actor Analysis Impact Analysis Outcome Objective Value at Risk Potential Business Impact Acquisition / Theft Business Advantage Technical Advantage Damage Embarrassment Copy Hacktivist Group Destroy Intent: Hostile Access: External Skill Level: Adept Resources: Organisation Injure Limits: Extra-legal (major) Visibility: Overt Objective: Copy, Injure Take Outcome: Damage, Embarrassment Customer Funds Customer Data Corporate Data Employee health and safety Availability of banking of banking systems systems Customer Service / Operational Financial Reputational / Brand Legal / Regulatory Compliance Customers Scenario: Socio-political group performs prolonged denial-ofservice attack causing sustained outages. People

Is it Extreme? Financial Customer Service & Operations Reputation / Brand Legal / Regulatory Compliance People Customers Impact 5 >$500m Significant loss of customers due to extensive interruption to service capability Substantial damage to brands resulting from extensive negative national publicity Loss of license, loss of public listing or substantial penalties on Directors Death or severe injury to employees 4 $200m $500m Serious financial impact to all customers 3 $50m $200m 2 <$50m. 1 <$50m

Scenarios on Risk Matrix 5 L M M H VH Likelihood 4 3 2 1 L L M H VH I L M H VH I L M H VH 4 5 3 6 1 2 I I L M H 7 1 2 3 4 5 Impact

Scenario Selection Financial Gain Organised Crime 1 Large scale targeting of bank customers using malware to steal funds. 2 High value fraud conducted against backend payment system. Hacktivist Group Nation State Terrorist Theft / Exposure 4 Exfiltrate and disclose large sets of corporate data to embarrass or discredit the bank. 6 Exfiltrate corporate intellectual property for strategic, commercial or political gain. 5 Compromise bank IT systems and exfiltrate large sets of customer data. Sabotage / Operations Impact 3 Targeted, prolonged DDoS against multiple Internet facing systems. 7 Destructive cyber-attack against multiple bank data centres.

Attack Tree Development For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Develop detailed attack trees for each extreme scenario

Attack Tree Analysis Steal Car AND Unlock Door Start Engine Smash Window Pick lock Hot wire Screwdriver in ignition

Attack Tree Analysis How? Steal Car AND Unlock Door Start Engine Smash Window Pick lock Hot wire Screwdriver in ignition

Attack Tree Analysis Steal Car And then? AND Unlock Door Start Engine Smash Window Pick lock Hot wire Screwdriver in ignition

Attack Tree Demonstration Demonstration of attack trees (Prezi)

Controls Assessment For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Map controls to attack trees and assess effectiveness

Industry Standard Control Sets Provides a consistent set of controls for assessment and comparison May not be relevant to a particular scenario May not be pitched at the right level to be useful Options available: DSD Top 35 Mitigation Strategies http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm NIST Special Publication 800-53 http://web.nvd.nist.gov/view/800-53/home SANS 20 Critical Controls for Effective Cyber Defense http://www.sans.org/critical-security-controls/

Hybrid Control Set Application Whitelisting Data Encryption Physical Security Controls Third Party Governance Data Loss Prevention Penetration Testing Layer 7 DDoS Prevention Network Segmentation MiTB Detection

Controls Assessment Type of control: Predict Prevent Detect Respond Status of control: Control has not been implemented Control has known gaps Control operating effectively Potential to mitigate: 25% 50% 75% 100% Cost of control: $ Low cost $$ Moderate cost $$$ High cost

Control Mapping Steal Car Unlock Door AND Start Engine Smash Window Pick lock Hot wire Screwdriver in ignition Prevent Bullet proof glass $$$ 100% Prevent Sidewinder Lock $ 75% Engine Immobiliser Prevent $ 75% Car Alarm Detect $ 75%

Attack Tree Demonstration Demonstration of attack trees (Prezi)

Remediation For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Use controls assessment to plan remediation projects which address control gaps

Response Planning For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Create or enhance existing response plans to cater for extreme scenarios

Incident Response Framework IRP IRSOP Incident Response Plan Incident Response Standard Operating Procedure IRG Incident Response Guidelines

Incident Response Standard Operating Procedures Denial of Service Compromised Information Compromised Asset Unlawful Activity Probing Malware

IR Considerations Will your incident response plans hold up to extreme scenarios? What outside resources will you lean on for assistance in an extreme scenario? Have you documented and shared all your contacts into government, law enforcement, service providers? Have you discussed & planned your response with external stakeholders? Do you know what you will expect from each other if such a scenario occurs? Have you practiced your incident response?

Exercise For each scenario Threat Actor Analysis Controls Assessment Remediation Scenario Selection Attack Tree Development Impact Analysis Response Planning Exercise Aim: Test control strength, response plan and overall preparedness

Example: BYO Botnet HTTP large resource request HTTPS large resource request HTTPS slow POST attack HTTPS search query attack SSL Exhaustion DNS Query attack TCP SYN flood IP Fragmentation Attack ICMP flood

Cyber Risk Management Maturity Model The organisation s leadership takes ownership of cyber risk management they understand the organisation s vulnerabilities and controls. The organisation is highly connected to their peers and partners, sharing information and jointly mitigating cyber risk Source: World Economic Forum http://www3.weforum.org/docs/wef_it_pathwaystoglobalcyberresilience_report_2012.pdf

extremecyber.net INSERT SCREENSHOT Traffic light protocol Methodology Control taxonomy Threat actor library Generic attack trees Full scenario analysis Join Extreme Cyber Scenario Planning on

extremecyber.net Information shared using the traffic light protocol: http://www.us-cert.gov/tlp/ Private Restricted Commitment to contribute to knowledge base Full attack trees with control mapping and effectiveness Full attack trees without control effectiveness Vetted Verified members of IT security community Generic attack trees Control taxonomy Threat actor library Public Methodology only

Questions? Join LinkedIn Group Extreme Cyber Scenario Planning @pragmaticsec cybercrime@cba.com.au

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information