what we learn from cyber exercises or not
play

What We Learn from Cyber Exercises, or Not Jim Duncan CSIRT - PowerPoint PPT Presentation

Sep 12, 2023 •114 likes •351 views

What We Learn from Cyber Exercises, or Not Jim Duncan CSIRT Coordinator, BB&T 2007 June 20 2007 FIRST Annual Technical Conference Sevilla, Espaa Overview Background Purpose of exercises Examples of what we can

  1. What We Learn from Cyber Exercises, or Not Jim Duncan CSIRT Coordinator, BB&T 2007 June 20 2007 FIRST Annual Technical Conference – Sevilla, España

  2. Overview • Background • Purpose of exercises • Examples of what we can learn… • And what we fail to learn (repeatedly) • Purpose of exercises, redux • Future improvements • What else? Duncan - What We Learn from Cyber Exercises, or Not 2 2007 FIRST Annual Technical Conference – Sevilla, España

  3. Background • General cyber-security expertise with a special focus on incident response • Product security work as well as critical infrastructure protection issues (ISACs) • Varying amounts of involvement with many different cyber exercises including Cyber Storm, Livewire, various ISACs… • And many real disasters, too • Exercise details not included Duncan - What We Learn from Cyber Exercises, or Not 3 2007 FIRST Annual Technical Conference – Sevilla, España

  4. Why Conduct Exercises? • So we know what to expect & what to do! ▪ People in disasters fall into 3 categories: • 10% -- 15% remain calm & act quickly • 15% or less COMPLETELY FREAK OUT! • Remainder are “stunned and bewildered”. [John Leach in Aviation, Space, and Environmental Medicine , 2004] ▪ Survivors anticipate & plan accordingly ▪ Do you review the safety card every time you fly? Duncan - What We Learn from Cyber Exercises, or Not 4 2007 FIRST Annual Technical Conference – Sevilla, España

  5. What Can We Learn? • How will we react? • Who will be the real stakeholders? • What capabilities will succeed or fail? • What are the unforeseen obstacles? • What serendipity awaits us? • What better estimates can we calculate for cost-benefit analyses? Duncan - What We Learn from Cyber Exercises, or Not 5 2007 FIRST Annual Technical Conference – Sevilla, España

  6. How Will We React? • Perhaps the most obvious goal is to test an organization’s response to a crisis • When handling new information, the brain slows down (e.g.,1977 Tenerife accident) • Under stress, it slows down even more! 45% of people “shut down” in a crisis • Minimize “milling”; time is very valuable • Mitigate “disbelief”; Act now! Duncan - What We Learn from Cyber Exercises, or Not 6 2007 FIRST Annual Technical Conference – Sevilla, España

  7. Who Will Be the Real Stakeholders? • A critical point in the development of an incident response plan is to identify who has authority over an asset and who pays for it, too; they might not be the same unit • Exercises have the potential to expose that information, at times with great relief • Results should be included in plan review • Good justification for exercise Duncan - What We Learn from Cyber Exercises, or Not 7 2007 FIRST Annual Technical Conference – Sevilla, España

  8. What Capabilities Succeed or Fail? • Text paging has failed, but not noticed because the monitoring system pages the operators to report problems • How many of you provision your support teams with toll-free numbers? • How many of you know that toll-free dialing won’t be available in a disaster? • Or that it can’t be dialed from outside the region (overseas)? Duncan - What We Learn from Cyber Exercises, or Not 8 2007 FIRST Annual Technical Conference – Sevilla, España

  9. What are the Unforeseen Obstacles? • Another obvious reason for an exercise; many hope to find the “gotchas” before a real crisis occurs • Unfortunately, it’s based totally on luck • TIP: review your toll-free number uses • TIP: make sure your teams really know how to use PGP and have had their keys signed & published Duncan - What We Learn from Cyber Exercises, or Not 9 2007 FIRST Annual Technical Conference – Sevilla, España

  10. What Serendipity Awaits Us? • Exercises are a good thing, and every one in which I have participated has produced valuable results with practical application • It’s easy to forget about positive stuff when we worry so much about negative things • One example: other teams rewrote my faux advisory and discovered aspects that hadn’t occurred to me earlier Duncan - What We Learn from Cyber Exercises, or Not 10 2007 FIRST Annual Technical Conference – Sevilla, España

  11. What Estimates Can We Calculate? • Cyber security is catching up with metrics • Still horribly lacking with incident response • Exercises can expose unforeseen costs as well as unanticipated rewards • Both help to reinforce the value of CSIRTs to management up to the board room level • Also helps to reveal intangibles like sharing opportunities and potential future relationships Duncan - What We Learn from Cyber Exercises, or Not 11 2007 FIRST Annual Technical Conference – Sevilla, España

  12. What We Fail To Learn • We fail to bring in the existing experts • We fail to discover existing stakeholders, groups, capabilities, relationships • We fail to assess authority & responsibility • We fail to appreciate the resources and time involved in anticipated responses • We fail to imagine the threats • We fail to keep it secure Duncan - What We Learn from Cyber Exercises, or Not 12 2007 FIRST Annual Technical Conference – Sevilla, España

  13. We Fail to Bring in the Experts, 1 • FS-ISAC tabletop considered a power failure at a telephone switching facility due to sabotaged diesel backup systems • Organizers unaware of battery systems and alternative fueling systems • Credibility was suspended and the participants were unmotivated • Value of exercise questionable Duncan - What We Learn from Cyber Exercises, or Not 13 2007 FIRST Annual Technical Conference – Sevilla, España

  14. We Fail to Bring in the Experts, 2 • Exercise planners spent considerable time on scenario involving railroad cars and the lack of real-time tracking ability; expected major fumbling by participants to resolve • In reality, locomotives are needed to move train cars & their locations are well known! • As before, credibility was suspended, etc. • Exercise value plummeted! Duncan - What We Learn from Cyber Exercises, or Not 14 2007 FIRST Annual Technical Conference – Sevilla, España

  15. We Fail to Discover Current Players • “FIRST” means many things to many folks ▪ The “Federal Incident Response Support Team” might not be who you think it is; insist on clarification • Misunderstandings about FIRST influence incorrect conclusions favoring involvement ▪ Information sharing ▪ Web of Trust Duncan - What We Learn from Cyber Exercises, or Not 15 2007 FIRST Annual Technical Conference – Sevilla, España

  16. We Fail to Assess Authority, 1 • ISACs are defined per CIP sector for information-sharing and analysis ▪ IT-ISAC handles information technology ▪ Telecom-ISAC handles telephony ▪ Who handles the ISPs? Each ISAC says the other has superior authority • And the ISPs “just want to be left alone, thank you…” Duncan - What We Learn from Cyber Exercises, or Not 16 2007 FIRST Annual Technical Conference – Sevilla, España

  17. We Fail to Assess Authority, 2 • The U.S. National Response Plan divides activities by defined functional areas • Emergency Support Function #2 handles telecom and information technology, while ESF#7 supports office equipment • When a server in a disaster agency’s remote field office starts attacking other systems, who will handle it? • Answer: “No one, immediately” Duncan - What We Learn from Cyber Exercises, or Not 17 2007 FIRST Annual Technical Conference – Sevilla, España

  18. We Fail to Anticipate Response Cost • Most plans (and thus most exercises) are oriented toward physical events • In cyber-space, most planning ignores the international angle (Cyber Storm is trying hard to get this right, and will succeed) • For example, for an international attack I was instructed to notify the Department of State’s 24-hour Watch Desk... • Guess how long that takes! Duncan - What We Learn from Cyber Exercises, or Not 18 2007 FIRST Annual Technical Conference – Sevilla, España

  19. We Fail to Imagine Threats • Following Hurricane Katrina, IT/Telecom restoration initially followed rules oriented toward public safety, not toward critical infrastructure protection issues • A major bank couldn’t get essential parts for back-office transaction processing • “Instant cash” was unusable because bank was completely unreachable Duncan - What We Learn from Cyber Exercises, or Not 19 2007 FIRST Annual Technical Conference – Sevilla, España

  20. We Fail To Keep It Secure • Multi-site exercise connected to the Internet reduces cost but poses risks • Collected diverse set of security experts connect to web pages for net simulation • Traffic is not SSL-enabled nor tunneled • Links to “bad sites” were genuine and HTTP referrers had not been disabled! • To their credit, Cyber Storm staff fixed that within hours Duncan - What We Learn from Cyber Exercises, or Not 20 2007 FIRST Annual Technical Conference – Sevilla, España

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The future of cyber security exercises more than just education? The Problem: how can

The future of cyber security exercises more than just education? The Problem: how can

The future of cyber security exercises more than just education? The Problem: how can we run large cyber security exercises once a week? 2 Stepping back Looking at the configuration management problem, e.g., the gap

749 views • 20 slides
KYPO A PLATFORM FOR CYBER DEFENCE EXERCISES Symposium on M&S Support to Operational

KYPO A PLATFORM FOR CYBER DEFENCE EXERCISES Symposium on M&S Support to Operational

KYPO A PLATFORM FOR CYBER DEFENCE EXERCISES Symposium on M&S Support to Operational Tasks Including War Gaming, Logistics, Cyber Defence (MSG- 133 ), Munich, Germany 15 th October, 2015 Pavel ELEDA, Jakub EGAN Jan VYKOPAL,

644 views • 19 slides
Evaluation of Cyber Defense Exercises Using Visual Analytics Process Radek Olejek, Jan

Evaluation of Cyber Defense Exercises Using Visual Analytics Process Radek Olejek, Jan

Evaluation of Cyber Defense Exercises Using Visual Analytics Process Radek Olejek, Jan Vykopal, Karolna Bursk , and Vt Rusk IEEE Frontier in Education Conference, San Jose, USA, 2018 1 KYPO Cyber Range Cloud-based simulator

538 views • 14 slides
Defence Exercises in a Cyber Range Frontiers in Education 2017 October 21, 2017 Jan Vykopal

Defence Exercises in a Cyber Range Frontiers in Education 2017 October 21, 2017 Jan Vykopal

Lessons Learned From Complex Hands-on Defence Exercises in a Cyber Range Frontiers in Education 2017 October 21, 2017 Jan Vykopal Masaryk University, Brno Who am I? Post-doc researcher with KYPO academic cloud-based cyber range.

451 views • 16 slides
Exercises on the Internet for researchers and students to learn Stata M. Escobar (modesto@usal.es)

Exercises on the Internet for researchers and students to learn Stata M. Escobar (modesto@usal.es)

Exercises on the Internet for researchers and students to learn Stata M. Escobar (modesto@usal.es) Universidad de Salamanca 11th Spanish Stata Users Group meeting Barcelona, 24 th October-2018 Modesto Escobar (USAL) Exercises on the Internet

429 views • 20 slides
Hands-on Exercises C H I P S T E R A N D F E D E R A T E D C L O U D Slides and Exercises m

Hands-on Exercises C H I P S T E R A N D F E D E R A T E D C L O U D Slides and Exercises m

Hands-on Exercises C H I P S T E R A N D F E D E R A T E D C L O U D Slides and Exercises m odified from the CSC presentation (EMBO event) Outline 2 Introduction to Chipster NGS data analysis and visualization Quality control

920 views • 46 slides
Course setup 9 ec course examination based on computer exercises weekly exercises

Course setup 9 ec course examination based on computer exercises weekly exercises

Course setup 9 ec course examination based on computer exercises weekly exercises discussed in tutorial class All course materials (slides, exercises) and schedule via http://www.snn.ru. nl/bertk/machinelearning/ Bert Kappen ML

696 views • 43 slides
Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against

Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against

Seminar Series Resiliency in the Electricity Subsector Information Sharing and Exercises against Black Sky Events Bill Lawrence, Director of Programs and Engagement Cyber Resilient Energy Delivery Consortium February 3, 2017 1 Agenda

820 views • 48 slides
For Monday Read lectures 1 -5 of Learn Prolog Now:

For Monday Read lectures 1 -5 of Learn Prolog Now:

For Monday Read lectures 1 -5 of Learn Prolog Now: http://www.coli.uni-saarland.de/~kris/learn- prolog-now/ Prolog Handout 1 Chapter 9, exercises 4, 9 Note that 9 must be proper Horn clauses Same Variable Exact variable

639 views • 45 slides
Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L.

Security Exercises for the Online Classroom with DETER Peter A. H. Peterson and Dr. Peter L. Reiher {pahp, reiher}@cs.ucla.edu Laboratory for Advanced Systems Research (LASR) University of California Los Angeles The 3 rd Workshop on Cyber

314 views • 28 slides
EXERCISES EXERCISES Important Perfectly safe for the vast majority of people Those with

EXERCISES EXERCISES Important Perfectly safe for the vast majority of people Those with

EXERCISES EXERCISES Important Perfectly safe for the vast majority of people Those with any medical issues should perform the workout only with the consent of your medical practitioner. Certain exercises, such as strong breath holds,

1.07k views • 72 slides
1 Analysis of SNP data with R The data we will be working with here can be read into R using the

1 Analysis of SNP data with R The data we will be working with here can be read into R using the

Statistical methods in bioinformatics April 9, 2018 Exercises day 2 Claus Ekstrm These exercises will use a combination of R and specific programmes. The exercises are build up over two types of problems: introductory text that you should run

282 views • 5 slides
Transformation Exercises: Denavit- Hartenberg Method Some images and exercises from:

Transformation Exercises: Denavit- Hartenberg Method Some images and exercises from:

Transformation Exercises: Denavit- Hartenberg Method Some images and exercises from: Introduction to Autonomous Mobile Robots, Siegwart, Nourbakhsh, 2011 Robot Dynamics and Control Second Edition, Spong, Hutchinson, Vidyasagar, 2004 Spacecraft

711 views • 23 slides
Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through

Learn Blackboard Learn Learn with others Learn in your own time, pace, space Learn through designing for teaching Learn with others 1. Black Swan Conferences Hear The bigger picture Higher Education Blackboard UWA Experience

478 views • 16 slides
NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For

NSF Activities in Cyber Trust NSF Activities in Cyber Trust NSF Activities in Cyber Trust For ACM CCS I ndustry/ Govt Track Oct. 26, 2004 Carl Landwehr ( clandweh@nsf.gov ) Cyber Trust Coordinator National Science Foundation What s the

439 views • 17 slides
Exercises, II part Forward Chaining: 12 Jul 2012 Exercises, II part Consider the following set

Exercises, II part Forward Chaining: 12 Jul 2012 Exercises, II part Consider the following set

Exercises, II part Exercises, II part Forward Chaining: 12 Jul 2012 Exercises, II part Consider the following set of clauses in propositional logic: J = Q A I = J E F = I B = F A B = E A B 1 Show and execution

478 views • 6 slides
The Empirical Data: Do infants generalize identity rules? PARTICIPANTS: 7 month old infants

The Empirical Data: Do infants generalize identity rules? PARTICIPANTS: 7 month old infants

de li de ji we ji... Pre-Wiring & Pre-Training : What does a neural network need to learn truly general identity rules? Raquel G. Alhama Willem Zuidema The Empirical Data: Do infants generalize identity rules? PARTICIPANTS: 7 month old

578 views • 29 slides
Transition Pathways for a Low Carbon Electricity System in the UK Dr Timothy J Foxon

Transition Pathways for a Low Carbon Electricity System in the UK Dr Timothy J Foxon

Transition Pathways for a Low Carbon Electricity System in the UK Dr Timothy J Foxon Sustainability Research Institute and Centre for Climate Change Economics and Policy University of Leeds, UK CCCEP seminar, University of Leeds, 7 December

619 views • 27 slides
PDP focus session summary Main outcomes of Vista25-NG Essential for Nikhefs impact Stoomboot

PDP focus session summary Main outcomes of Vista25-NG Essential for Nikhefs impact Stoomboot

PDP focus session summary Main outcomes of Vista25-NG Essential for Nikhefs impact Stoomboot E s s e n Specifically as related to Advanced-Beta & Vendor Collaboration t i a l long-term benefit to physics computing F u P t

597 views • 11 slides
How to Become a More Valuable Engineer Video 3 of 3 Presented by: Anthony Fasano, PE Author

How to Become a More Valuable Engineer Video 3 of 3 Presented by: Anthony Fasano, PE Author

How to Become a More Valuable Engineer Video 3 of 3 Presented by: Anthony Fasano, PE Author of Engineer Your Own Success Founder of The Engineering Career Coach Step #1: Develop a Niche Step #2: Build Your Confidence Step #3:

433 views • 14 slides
Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items

Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items

Table of contents 1. Introduction: You are already an experimentalist 2. Conditions 3. Items Section 1: 4. Ordering items for presentation Design 5. Judgment Tasks 6. Recruiting participants 7. Pre-processing data (if necessary) 8.

602 views • 37 slides
Getting Crowds to Work Leah Birch Naor Brown October 24, 2012 Leah Birch Naor Brown Getting

Getting Crowds to Work Leah Birch Naor Brown October 24, 2012 Leah Birch Naor Brown Getting

Getting Crowds to Work Leah Birch Naor Brown October 24, 2012 Leah Birch Naor Brown Getting Crowds to Work October 24, 2012 1 / 44 POP QUIZ 1 Take out a sheet of paper and pen. 2 Write your name at the top. 3 The quiz has 3 questions, so

743 views • 56 slides
Genres: Discourse, Speech, and Tweets Sentiment, Subjectivity & Stance Ling 575 April 15,

Genres: Discourse, Speech, and Tweets Sentiment, Subjectivity & Stance Ling 575 April 15,

Genres: Discourse, Speech, and Tweets Sentiment, Subjectivity & Stance Ling 575 April 15, 2014 Roadmap Effects of genre on sentiment: Spoken multi-party dialog Guest lecturer: Valerie Freeman Discourse and dialog

546 views • 54 slides
BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest

BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest

photo:@rewardyfahmi // Unsplash BBM406 Fundamentals of Machine Learning Lecture 2: Machine Learning by Examples, Nearest Neighbor Classifier Aykut Erdem // Hacettepe University // Fall 2019 When Do We Use Machine Learning? ML is

1.33k views • 110 slides

More recommend