and Analysis Center DHS Hunt and Incident Response Team September - - PowerPoint PPT Presentation

SUPERCHARGE YOUR SECURITY Water Information Sharing and Analysis Center DHS Hunt and Incident Response Team September 12, 2018 SUPERCHARGE YOUR SECURITY Presenter Brian Draper, DHS NCCIC HIRT Slides and recording will be posted by


SLIDE 1

SUPERCHARGE YOUR SECURITY

Water Information Sharing and Analysis Center

DHS Hunt and Incident Response Team September 12, 2018

SLIDE 2

SUPERCHARGE YOUR SECURITY

Presenter

  • Brian Draper, DHS NCCIC HIRT

Slides and recording will be posted by Thursday.

SLIDE 3

HUNT AND INCIDENT RESPONSE TEAM (HIRT)

National Cybersecurity & Communications Integration Center (NCCIC)

Brian Draper

  • Sr. Incident Response Analyst

NCCIC Hunt and Incident Response Team (HIRT)

SLIDE 4

UNCLASSIFIED

SLIDE 5

UNCLASSIFIED

Agenda

  • HIRT Overview
  • HIRT Service Offerings
  • Proactive Hunt vs. Incident Response
  • Incident Response Lifecycle
  • Prioritizing Incidents
  • Engagement Types
  • Engagement Workflow
  • How to Contact HIRT

SLIDE 6

UNCLASSIFIED

Hunt & Incident Response Team (HIRT)

The National Cybersecurity Communications and Integration Center (NCCIC) Hunt and Incident Response Team (HIRT) provides expert intrusion analysis and mitigation guidance to clients who lack the in-house capability or require additional assistance with responding to a cyber incident.

HIRT’s clients include:

  • Federal departments and agencies
  • State, Local, Tribal and Territorial (SLTT) governments
  • Private Sector (Industry & Critical Infrastructure)
  • Academia
  • International Organizations

Uniquely positioned to provide comprehensive analysis:

  • Classified and unclassified tactics, techniques and procedures (TTPs)
  • Public and private sector partners
  • Established relationships with Law Enforcement, Intelligence Community and International Partners

SLIDE 7

UNCLASSIFIED

HIRT Service Offerings

  • Incident Triage
  • Hunt Analysis
  • Network Topology Review
  • Mitigation
  • Infrastructure Configuration Review
  • Malware Analysis
  • Log Analysis
  • Digital Media Analysis
  • Incident Specific Risk Overview
  • Control System Incident Analysis

SLIDE 8

UNCLASSIFIED

Proactive Hunt

  • A search for malicious activity through the examination of a network environment for exploitation tools, tactics, procedures, and associated artifacts
  • An asset owner-driven request
  • Uses a risk review to scope the breadth of the Proactive Hunt
  • If malicious activity is observed during a hunt, move to Incident Response

Incident Response

  • HIRT takes action to respond to a reported incident and to address the increased risks generated by the incident
  • Asset owners and trusted third parties report information to NCCIC.
  • Trusted reporters include FBI, Information Sharing and Analysis Centers (ISACs), and other government agencies
  • Uses a risk review to scope the breadth of the Incident Response

SLIDE 9

UNCLASSIFIED

HIRT Incident Response Lifecycle

SLIDE 10

UNCLASSIFIED

NCISS Solution

Based on NIST 800-61 Revision 2

  • Functional Impact
  • Information Impact
  • Recoverability
  • Adds Actor Characterization
  • Adds Observed Activity
  • Adds Location of Observed Activity
  • Adds Cross Sector Dependency
  • Adds Potential Impact

NCCIC Cyber Incident Scoring System (NCISS)

Uses a weighted average (math) of the above criteria for a repeatable process

SLIDE 11

UNCLASSIFIED

Engagement Types

  • Remote Assistance: Providing assistance without being physically onsite
  • Advisory Deployment: Advising for mitigation onsite but technical analysis capabilities not deployed
  • Remote Deployment: Deploying equipment, remotely conducting analysis
  • Onsite Deployment: Deployment of equipment and personnel onsite to conduct technical analysis

SLIDE 12

UNCLASSIFIED

Incident Response Workflow

SLIDE 13

UNCLASSIFIED

Onsite Deployment Team Composition

SLIDE 14

UNCLASSIFIED

Engagement Timeline

SLIDE 15

UNCLASSIFIED

How to Contact NCCIC for Hunt and Incident Response Services

OPERATIONS

  • Email: ncciccustomerservice@hq.dhs.gov
  • Phone: 888-282-0870

SLIDE 16
SLIDE 17

SUPERCHARGE YOUR SECURITY

Upcoming WaterISAC Events and Opportunities

  • Monthly Water Sector Cyber Threat Web Briefing
  • Wednesday, September 26, 2018; 2:00 – 3:00 PM ET
SLIDE 18

SUPERCHARGE YOUR SECURITY

Thank You

WaterISAC Contact Information:

1-866-H2O-ISAC

  • Michael Arceneaux, Managing Director, arceneaux@waterisac.org
  • Paul Laporte, Member Relations Manager, laporte@waterisac.org
  • Chuck Egli, Lead Analyst, egli@waterisac.org
  • Jennifer Walker, Cybersecurity Risk Analyst, walker@waterisac.org