1. What We Learn from Cyber Exercises, or Not
Jim Duncan, CSIRT Coordinator, BB&T
2007 June 20
2007 FIRST Annual Technical Conference – Sevilla, España

2. Overview
• Background
• Purpose of exercises
• Examples of what we can learn…
• And what we fail to learn (repeatedly)
• Purpose of exercises, redux
• Future improvements
• What else?
Duncan - What We Learn from Cyber Exercises, or Not – 2007 FIRST Annual Technical Conference – Sevilla, España

3. Background
• General cyber-security expertise with a special focus on incident response
• Product security work as well as critical infrastructure protection issues (ISACs)
• Varying amounts of involvement with many different cyber exercises, including Cyber Storm, Livewire, various ISACs…
• And many real disasters, too
• Exercise details not included

4. Why Conduct Exercises?
• So we know what to expect & what to do!
  ▪ People in disasters fall into 3 categories:
    • 10% – 15% remain calm & act quickly
    • 15% or less COMPLETELY FREAK OUT!
    • Remainder are “stunned and bewildered”. [John Leach in Aviation, Space, and Environmental Medicine, 2004]
  ▪ Survivors anticipate & plan accordingly
  ▪ Do you review the safety card every time you fly?

5. What Can We Learn?
• How will we react?
• Who will be the real stakeholders?
• What capabilities will succeed or fail?
• What are the unforeseen obstacles?
• What serendipity awaits us?
• What better estimates can we calculate for cost-benefit analyses?

6. How Will We React?
• Perhaps the most obvious goal is to test an organization’s response to a crisis
• When handling new information, the brain slows down (e.g., 1977 Tenerife accident)
• Under stress, it slows down even more! 45% of people “shut down” in a crisis
• Minimize “milling”; time is very valuable
• Mitigate “disbelief”; act now!

7. Who Will Be the Real Stakeholders?
• A critical point in the development of an incident response plan is to identify who has authority over an asset and who pays for it, too; they might not be the same unit
• Exercises have the potential to expose that information, at times with great relief
• Results should be included in plan review
• Good justification for the exercise

8. What Capabilities Succeed or Fail?
• Text paging has failed but went unnoticed, because the monitoring system relies on paging to report problems to the operators
• How many of you provision your support teams with toll-free numbers?
• How many of you know that toll-free dialing won’t be available in a disaster?
• Or that it can’t be dialed from outside the region (overseas)?
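The paging failure on this slide is a monitoring blind spot: the system that reports outages cannot report the outage of its own notification path. The usual fix is an out-of-band canary that sends a test page on a schedule and escalates over a different channel when the acknowledgement does not arrive. The following is an added example written for this page, not code from the talk or from any exercise; the gateway, the acknowledgement path and the timing values are all constructed assumptions.

```python
"""Out-of-band canary for a paging/alerting channel (added example).

The monitoring system pages the operators, so a dead paging channel is
invisible to it. A separate canary sends a test page carrying a token,
waits for the on-call person (or the pager gateway's delivery receipt)
to echo the token back, and escalates over an independent channel when
the acknowledgement is overdue.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class PagingCanary:
    send_test_page: Callable[[str], None]   # assumed: delivers a page containing the token
    escalate: Callable[[str], None]         # assumed: independent channel (voice call, second carrier)
    timeout_s: float = 600.0                # how long an ack may take before we escalate
    pending: Dict[str, float] = field(default_factory=dict)   # token -> time sent
    failures: List[str] = field(default_factory=list)         # tokens that were never acked

    def send(self, token: str, now: float) -> None:
        """Record the token first, then hand the page to the gateway."""
        self.pending[token] = now
        self.send_test_page(token)

    def acknowledge(self, token: str) -> bool:
        """Called when the token is echoed back; True if it was an outstanding test page."""
        return self.pending.pop(token, None) is not None

    def check(self, now: float) -> List[str]:
        """Escalate every test page whose ack is overdue and return those tokens."""
        overdue = [t for t, sent in self.pending.items() if now - sent > self.timeout_s]
        for token in overdue:
            del self.pending[token]
            self.failures.append(token)
            self.escalate(f"paging channel silent: test page {token} "
                          f"unacknowledged after {self.timeout_s:.0f}s")
        return overdue


def simulate_silent_failure() -> dict:
    """Constructed scenario: the pager gateway accepts every message without
    error but stops delivering after the first one. Returns what the canary saw."""
    delivered: List[str] = []       # pages that actually reached a phone
    escalations: List[str] = []     # messages sent over the independent channel
    gateway_alive = {"on": True}

    def fake_gateway(token: str) -> None:
        # A real gateway returns success even when downstream delivery is broken,
        # which is exactly why the monitoring system never noticed.
        if gateway_alive["on"]:
            delivered.append(token)

    canary = PagingCanary(send_test_page=fake_gateway,
                          escalate=escalations.append, timeout_s=600)

    canary.send("t1", now=0)
    for token in delivered:          # on-call person reads the page and acks it
        canary.acknowledge(token)
    assert canary.check(now=300) == []          # channel healthy

    gateway_alive["on"] = False                 # carrier silently stops delivering
    canary.send("t2", now=3600)
    canary.check(now=3600 + 300)                # not yet overdue, nothing happens
    overdue = canary.check(now=3600 + 601)      # ack deadline passed -> escalate
    return {"delivered": delivered, "overdue": overdue, "escalations": escalations}


if __name__ == "__main__":
    print(simulate_silent_failure())
```

The important design choice is that `escalate` must not share any dependency with `send_test_page` (different carrier, different gateway, ideally a voice channel), otherwise the canary has the same blind spot as the monitoring system it is meant to cover.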

9. What Are the Unforeseen Obstacles?
• Another obvious reason for an exercise; many hope to find the “gotchas” before a real crisis occurs
• Unfortunately, it’s based totally on luck
• TIP: review your toll-free number uses
• TIP: make sure your teams really know how to use PGP and have had their keys signed & published

10. What Serendipity Awaits Us?
• Exercises are a good thing, and every one in which I have participated has produced valuable results with practical application
• It’s easy to forget about positive stuff when we worry so much about negative things
• One example: other teams rewrote my faux advisory and discovered aspects that hadn’t occurred to me earlier

11. What Estimates Can We Calculate?
• Cyber security is catching up with metrics
• Still horribly lacking with incident response
• Exercises can expose unforeseen costs as well as unanticipated rewards
• Both help to reinforce the value of CSIRTs to management up to the board room level
• Also helps to reveal intangibles like sharing opportunities and potential future relationships

12. What We Fail To Learn
• We fail to bring in the existing experts
• We fail to discover existing stakeholders, groups, capabilities, relationships
• We fail to assess authority & responsibility
• We fail to appreciate the resources and time involved in anticipated responses
• We fail to imagine the threats
• We fail to keep it secure

13. We Fail to Bring in the Experts, 1
• FS-ISAC tabletop considered a power failure at a telephone switching facility due to sabotaged diesel backup systems
• Organizers unaware of battery systems and alternative fueling systems
• Credibility was suspended and the participants were unmotivated
• Value of exercise questionable

14. We Fail to Bring in the Experts, 2
• Exercise planners spent considerable time on a scenario involving railroad cars and the lack of real-time tracking ability; expected major fumbling by participants to resolve
• In reality, locomotives are needed to move train cars & their locations are well known!
• As before, credibility was suspended, etc.
• Exercise value plummeted!

15. We Fail to Discover Current Players
• “FIRST” means many things to many folks
  ▪ The “Federal Incident Response Support Team” might not be who you think it is; insist on clarification
• Misunderstandings about FIRST influence incorrect conclusions favoring involvement
  ▪ Information sharing
  ▪ Web of Trust

16. We Fail to Assess Authority, 1
• ISACs are defined per CIP sector for information-sharing and analysis
  ▪ IT-ISAC handles information technology
  ▪ Telecom-ISAC handles telephony
  ▪ Who handles the ISPs? Each ISAC says the other has superior authority
• And the ISPs “just want to be left alone, thank you…”

17. We Fail to Assess Authority, 2
• The U.S. National Response Plan divides activities by defined functional areas
• Emergency Support Function #2 handles telecom and information technology, while ESF#7 supports office equipment
• When a server in a disaster agency’s remote field office starts attacking other systems, who will handle it?
• Answer: “No one, immediately”

18. We Fail to Anticipate Response Cost
• Most plans (and thus most exercises) are oriented toward physical events
• In cyber-space, most planning ignores the international angle (Cyber Storm is trying hard to get this right, and will succeed)
• For example, for an international attack I was instructed to notify the Department of State’s 24-hour Watch Desk...
• Guess how long that takes!

19. We Fail to Imagine Threats
• Following Hurricane Katrina, IT/Telecom restoration initially followed rules oriented toward public safety, not toward critical infrastructure protection issues
• A major bank couldn’t get essential parts for back-office transaction processing
• “Instant cash” was unusable because the bank was completely unreachable

20. We Fail To Keep It Secure
• A multi-site exercise connected to the Internet reduces cost but poses risks
• A diverse set of security experts connects to web pages for the network simulation
• Traffic is neither SSL-enabled nor tunneled
• Links to “bad sites” were genuine and HTTP referrers had not been disabled!
• To their credit, Cyber Storm staff fixed that within hours
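The two leaks on this slide can be caught before the exercise starts: a page served over plain HTTP exposes everything the participants do on the wire, and an external link without a referrer restriction sends the portal URL (here, the inject page) to whoever runs the linked site. The audit below is an added example written for this page, not Cyber Storm's or any exercise's code; the portal hostname, the inject paths and both sample pages are constructed, and the `.example` domains are placeholders.

```python
"""Audit an exercise portal page for plaintext HTTP and referrer leakage
(added example, not from the talk).

For each page the parser collects the URLs of <a href>, <script src>,
<img src>, <iframe src> and <link href>, plus any <meta name="referrer">
policy, and reports:
  - "plaintext":     the page itself or any referenced resource over http://
  - "referrer_leak": an <a> to another host with neither a page-level
                     no-referrer/same-origin policy nor rel="noreferrer"
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Resource-bearing attributes whose URLs we check for plaintext HTTP.
_URL_ATTRS = {"a": "href", "script": "src", "img": "src", "iframe": "src", "link": "href"}
_SAFE_POLICIES = {"no-referrer", "same-origin"}


class PortalAudit(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.referrer_policy: Optional[str] = None
        self.refs: List[Tuple[str, str, List[str]]] = []   # (tag, url, rel tokens)

    def handle_starttag(self, tag: str, attrs) -> None:
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "referrer":
            self.referrer_policy = (a.get("content") or "").strip().lower()
        attr = _URL_ATTRS.get(tag)
        if attr and a.get(attr):
            rel = (a.get("rel") or "").lower().split()
            self.refs.append((tag, a[attr], rel))

    def report(self) -> Dict[str, List[str]]:
        findings: Dict[str, List[str]] = {"plaintext": [], "referrer_leak": []}
        if urlparse(self.page_url).scheme == "http":
            findings["plaintext"].append(self.page_url)
        page_policy_ok = self.referrer_policy in _SAFE_POLICIES
        for tag, url, rel in self.refs:
            u = urlparse(url)
            if u.scheme == "http":
                findings["plaintext"].append(url)
            external = u.hostname is not None and u.hostname != self.page_host
            if tag == "a" and external and not page_policy_ok and "noreferrer" not in rel:
                findings["referrer_leak"].append(url)
        return findings


def audit(page_url: str, html: str) -> Dict[str, List[str]]:
    """Parse one page and return its findings."""
    parser = PortalAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.report()


# Constructed sample pages: the weak form mirrors the slide, the hardened form
# moves everything to HTTPS and suppresses the Referer header both page-wide
# (meta policy) and per link (rel="noreferrer").
WEAK_URL = "http://exercise-portal.example/inject/42"
WEAK_HTML = """<html><head><title>Inject 42</title>
<script src="http://cdn.example/sim.js"></script></head>
<body><a href="http://scenario-badsite.example/">Suspicious site named in inject</a>
<a href="/inject/43">Next inject</a></body></html>"""

HARDENED_URL = "https://exercise-portal.example/inject/42"
HARDENED_HTML = """<html><head><title>Inject 42</title>
<meta name="referrer" content="no-referrer">
<script src="https://cdn.example/sim.js"></script></head>
<body><a href="https://scenario-badsite.example/" rel="noreferrer noopener">Suspicious site named in inject</a>
<a href="/inject/43">Next inject</a></body></html>"""


if __name__ == "__main__":
    print("weak:", audit(WEAK_URL, WEAK_HTML))
    print("hardened:", audit(HARDENED_URL, HARDENED_HTML))
```

Either fix alone closes the referrer leak (a page-wide `no-referrer` policy or `rel="noreferrer"` on each external link); the audit treats the two as equivalent so a portal that chooses one is not flagged. Moving the portal behind TLS or a tunnel is what the slide's "not SSL-enabled nor tunneled" point asks for, and the plaintext check is only a fast way to notice it was not done.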
