Grc t17
-
Upload
selectedpresentations -
Category
Documents
-
view
30 -
download
6
Transcript of Grc t17
![Page 1: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/1.jpg)
Session ID:
Session Classification:
Ian GreenManager, Cybercrime & IntelligenceCommonwealth Bank of Australia
GRC‐T17
ADVANCED
EXTREME CYBER SCENARIO PLANNING & ATTACK TREE ANALYSIS
![Page 2: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/2.jpg)
WHY?
![Page 3: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/3.jpg)
“What keeps you up at night?”
![Page 4: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/4.jpg)
“What keeps you up at night?”
![Page 5: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/5.jpg)
Extreme events are costly
►10% or $400m wiped off market cap
Global Payments Inc.
![Page 6: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/6.jpg)
How prepared are you?
General Keith Alexander Director, National Security AgencyCommander, United States Cyber Command
Source: The Aspen Security Forum 2012http://www.youtube.com/watch?v=rtvi_RiFzOc&feature=plcp
![Page 7: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/7.jpg)
How prepared are you?
General Keith Alexander Director, National Security AgencyCommander, United States Cyber Command
Source: The Aspen Security Forum 2012http://www.youtube.com/watch?v=rtvi_RiFzOc&feature=plcp
![Page 8: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/8.jpg)
http://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf
► Cyber Resilience► mean time to failure► mean time to recovery
► “Can only be achieved by adopting a holistic approach of the management of cyber risk”
► “While failures are unavoidable, cyber resilience prevents systems from completely collapsing”
![Page 9: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/9.jpg)
HOW?
![Page 10: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/10.jpg)
Threat Actor Analysis
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Identify actors who pose a significant threat to the organisation
![Page 11: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/11.jpg)
Threat Agent Library – Intel
http://www.intel.com/it/pdf/threat‐agent‐library.pdf
![Page 12: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/12.jpg)
► Intent: Non-hostile, Hostile► Access: Internal, External► Skill Level: None, Minimal, Operational, Adept► Resources: Individual, Club, Contest, Team, Organisation,
Government ► Limits: Code of conduct, Legal, Extra-legal (minor), Extra-
legal (major)► Visibility: Overt, Covert, Clandestine, Don’t Care► Objective: Copy, Destroy, Injure, Take, Don’t Care► Outcome: Acquisition / Theft, Business Advantage, Damage,
Embarrassment, Technical Advantage
Agent Attributes - IntelW
HO
HO
W
![Page 13: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/13.jpg)
► Intent: Non-hostile, Hostile► Access: Internal, External► Skill Level: None, Minimal, Operational, Adept► Resources: Individual, Club, Contest, Team, Organisation,
Government ► Limits: Code of conduct, Legal, Extra-legal (minor), Extra-
legal (major)► Visibility: Overt, Covert, Clandestine, Don’t Care► Objective: Copy, Destroy, Injure, Take, Don’t Care► Outcome: Acquisition / Theft, Business Advantage, Damage,
Embarrassment, Technical Advantage
Agent Attributes - IntelW
HO
HO
W
![Page 14: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/14.jpg)
► Corrupt Government Official► Government Cyber Warrior► Government Spy► Civil Activist► Radical Activist► Mobster ► Terrorist ► Competitor ► Internal Spy
Consolidated Threat Actors
Hacktivist
Nation State
Organised Crime
Terrorists
Trusted Insider
![Page 15: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/15.jpg)
Threat Actor Analysis
Trusted Insider
Organised Crime
HacktivistGroup
Terrorist
Nation State
![Page 16: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/16.jpg)
Threat Actor Analysis
Trusted Insider
Organised Crime
HacktivistGroup
Terrorist
Nation State
Hacktivist Group
Intent: HostileAccess: ExternalSkill Level: AdeptResources: Organisation Limits: Extra-legal (major)Visibility: OvertObjective: Copy, InjureOutcome: Damage, Embarrassment
![Page 17: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/17.jpg)
Threat Actor Analysis
Trusted Insider
Nation State
Organised Crime
HacktivistGroup
Terrorist
Organised Crime
Intent: HostileAccess: ExternalSkill Level: AdeptResources: OrganisationLimits: Extra-legal (major)Visibility: CovertObjective: TakeOutcome: Acquisition / Theft
![Page 18: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/18.jpg)
Threat Actor Analysis
Trusted Insider
Terrorist
Nation State
Organised Crime
HacktivistGroup
Nation State
Intent: HostileAccess: ExternalSkill Level: AdeptResources: GovernmentLimits: Extra-legal (major)Visibility: ClandestineObjective: CopyOutcome: Technical Advantage
![Page 19: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/19.jpg)
Threat Actor Analysis
Trusted Insider
HacktivistGroup
Terrorist
Nation State
Organised Crime
Terrorist
Intent: HostileAccess: ExternalSkill Level: AdeptResources: OrganisationLimits: Extra-legal (major)Visibility: CovertObjective: DestroyOutcome: Damage
![Page 20: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/20.jpg)
Impact Analysis
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Determine what your organisation really cares about protecting
![Page 21: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/21.jpg)
Business Impact MatrixFinancial Customer
Service & Operations
Reputation / Brand
Legal / Regulatory Compliance
People Customers
5 >$500m Significant loss of customers due to extensiveinterruption to service capability
Substantialdamage to brands resulting from extensive negative national publicity
Loss of license, loss of public listing or substantial penalties on Directors
Death or severe injury to employees
Serious financial impact to allcustomers
4 $200m‐$500m …. …. …. …. ….
3 $50m‐$200m … … … … …
2 <$50m … …. … … …
1 <$50m … … … … …
Impa
ct
![Page 22: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/22.jpg)
► Health and safety of employees► Customer funds and stocks► Customer data (private information)► Customer data (intellectual property)► Corporate data (sensitive information)► Corporate data (intellectual property)► Availability of banking channels (Internet facing)► Availability of banking channels (back end)
Values at Risk
![Page 23: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/23.jpg)
Scenario Selection
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Select scenarios that could have a catastrophic impact on the organisation
![Page 24: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/24.jpg)
Outcome Objective Value at Risk Potential Business Impact
Scenario Selection
Injure
Destroy
Take
Acquisition / Theft
Business Advantage
Technical Advantage
Damage
Copy
Financial
Customer Service / Operational
Reputational / Brand
Legal / Regulatory Compliance
Customers
People
Customer Funds
Customer Data
Corporate Data
Employee health and safety
Threat Actor Analysis Impact Analysis
Availability of banking systemsEmbarrassment
![Page 25: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/25.jpg)
Outcome Objective Value at Risk Potential Business Impact
Scenario Selection
Destroy
Take
Acquisition / Theft
Technical Advantage
Damage
Copy
Financial
Customer Service / Operational
Reputational / Brand
Legal / Regulatory Compliance
Customers
People
Customer Funds
Employee health and safety
Threat Actor Analysis Impact Analysis
Availability of banking systemsEmbarrassment
Business Advantage
Injure
Take
Customer Data
Corporate Data
Customers
Financial
Acquisition / Theft Customer Funds
Scenario: Organised crime gang steals customer funds causing significant financial loss.
Organised Crime
Intent: HostileAccess: ExternalSkill Level: AdeptResources: OrganisationLimits: Extra-legal (major)Visibility: CovertObjective: TakeOutcome: Acquisition / Theft
![Page 26: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/26.jpg)
Outcome Objective Value at Risk Potential Business Impact
Scenario Selection
Destroy
Take
Acquisition / Theft
Technical Advantage
Damage
Copy Customer Service / Operational
Reputational / Brand
Customers
People
Customer Funds
Threat Actor Analysis Impact Analysis
Availability of banking systemsEmbarrassment
Business Advantage
InjureInjure
Customer Data
Corporate Data
Customer Service / Operational
Damage
Availability of banking systems
Scenario: Socio-political group performs prolonged denial-of-service attack causing sustained outages.
Employee health and safety
Legal / Regulatory Compliance
Financial
Reputational / Brand
Hacktivist Group
Intent: HostileAccess: ExternalSkill Level: AdeptResources: Organisation Limits: Extra-legal (major)Visibility: OvertObjective: Copy, InjureOutcome: Damage, Embarrassment
![Page 27: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/27.jpg)
Is it “Extreme”?Financial Customer
Service & Operations
Reputation / Brand
Legal / Regulatory Compliance
People Customers
5 >$500m Significant loss of customers due to extensiveinterruption to service capability
Substantialdamage to brands resulting from extensive negative national publicity
Loss of license, loss of public listing or substantial penalties on Directors
Death or severe injury to employees
Serious financial impact to allcustomers
4 $200m‐$500m … … … … …
3 $50m‐$200m … … … … …
2 <$50m … …. … … …
1 <$50m … … … … …
Impa
ct
![Page 28: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/28.jpg)
Scenarios on Risk MatrixLi
kelih
ood
5L M M H VH
4L L M H VH
3I L M H VH
2I L M H VH
1I I L M H
1 2 3 4 5
Impact
12
34 5
6
7
![Page 29: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/29.jpg)
Scenario SelectionOrganised Crime
Hacktivist Group Nation State Terrorist
Financial Gain
Theft / Exposure
Sabotage / Operations Impact
Large scale targeting of bank customers using malware to steal
funds.
1
High value fraud conducted against backend payment
system.
2
Targeted, prolonged DDoS against multiple
Internet facing systems.
3Destructive cyber-attack
against multiple bank data centres.
7
Exfiltrate and disclose large sets of corporate data to embarrass or
discredit the bank.
4 Exfiltrate corporate intellectual property for strategic, commercial or
political gain.
6
Compromise bank IT systems and exfiltrate large sets of customer data.5
![Page 30: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/30.jpg)
Attack Tree Development
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Develop detailed attack trees for each extreme scenario
![Page 31: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/31.jpg)
Attack Tree Analysis
Steal Car
Unlock Door
Smash Window Pick lock
Start Engine
Hot wire Screwdriver in ignition
AND
![Page 32: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/32.jpg)
Attack Tree Analysis
Steal Car
Unlock Door
Smash Window Pick lock
Start Engine
Hot wire Screwdriver in ignition
AND
“How”?
![Page 33: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/33.jpg)
Attack Tree Analysis
Steal Car
Unlock Door
Smash Window Pick lock
Start Engine
Hot wire Screwdriver in ignition
AND
“And then”?
![Page 34: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/34.jpg)
Demonstration of attack trees (Prezi)
Attack Tree Demonstration
![Page 35: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/35.jpg)
Controls Assessment
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Map controls to attack trees and assess effectiveness
![Page 36: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/36.jpg)
Industry Standard Control Sets
► Options available:► DSD Top 35 Mitigation Strategies
► http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm
► NIST Special Publication 800-53► http://web.nvd.nist.gov/view/800-53/home
► SANS 20 Critical Controls for Effective Cyber Defense► http://www.sans.org/critical-security-controls/
► Provides a consistent set of controls for assessment and comparison
► May not be relevant to a particular scenario
► May not be pitched at the right level to be useful
![Page 37: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/37.jpg)
Hybrid Control Set
Third Party Governance
Network Segmentation
Data Encryption
Data Loss Prevention
MiTBDetection
Penetration Testing
Physical Security Controls
Application Whitelisting
Layer 7 DDoSPrevention
![Page 38: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/38.jpg)
Controls Assessment
Control has not been
implemented
Control operating effectively
Control has known gaps
Predict Prevent Detect Respond►Type of control:
►Status of control:
►Cost of control: $Low cost
$$Moderate cost
$$$High cost
►Potential to mitigate:
25% 50% 75% 100%
![Page 39: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/39.jpg)
Engine Immobiliser
Car Alarm
Sidewinder LockBullet proof glass
Control MappingSteal Car
Unlock Door
Smash Window Pick lock
Start Engine
Hot wire Screwdriver in ignition
AND
Engine Immobiliser$ 75%
Prevent
Car Alarm$ 75%
Detect
Sidewinder Lock$ 75%
Prevent
Bullet proof glass$$$ 100%
Prevent
![Page 40: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/40.jpg)
Demonstration of attack trees (Prezi)
Attack Tree Demonstration
![Page 41: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/41.jpg)
Remediation
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Use controls assessment to plan remediation projects which address control gaps
![Page 42: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/42.jpg)
Response Planning
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Create or enhance existing response plans to cater for extreme scenarios
![Page 43: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/43.jpg)
IRP• Incident Response Plan
IRSOP• Incident Response
Standard Operating Procedure
IRG• Incident Response Guidelines
Incident Response Framework
![Page 44: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/44.jpg)
Incident Response Standard Operating Procedures
Denial of Service
Compromised Information
Compromised Asset
Unlawful Activity Probing Malware
![Page 45: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/45.jpg)
► Will your incident response plans hold up to extreme scenarios?
► What outside resources will you lean on for assistance in an extreme scenario?
► Have you documented and shared all your contacts into government, law enforcement, service providers?
► Have you discussed & planned your response with external stakeholders? Do you know what you will expect from each other if such a scenario occurs?
► Have you practiced your incident response?
IR Considerations
![Page 46: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/46.jpg)
Exercise
Controls Assessment
Response Planning
Attack Tree Development
Remediation
Exercise
Scenario Selection
Impact Analysis
Threat Actor Analysis
For each scenario
Aim: Test control strength, response plan and overall preparedness
![Page 47: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/47.jpg)
► HTTP “large resource” request► HTTPS “large resource” request► HTTPS “slow” POST attack► HTTPS search query attack► SSL Exhaustion► DNS Query attack► TCP SYN flood► IP Fragmentation Attack► ICMP flood
Example: “BYO Botnet”
![Page 48: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/48.jpg)
Source: World Economic Forumhttp://www3.weforum.org/docs/WEF_IT_PathwaysToGlobalCyberResilience_Report_2012.pdf
The organisation’s leadership takes ownership of cyber risk management… they understand the organisation’s vulnerabilities and controls.
The organisation is highly connected to their peers and partners, sharing information and jointly mitigating cyber risk
Cyber Risk Management Maturity Model
![Page 49: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/49.jpg)
► Traffic light protocol► Methodology► Control taxonomy► Threat actor library► Generic attack trees► Full scenario analysis
extremecyber.net
INSERTSCREENSHOT
► Join “Extreme Cyber Scenario Planning” on
![Page 50: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/50.jpg)
extremecyber.net
Private
Restricted Commitment to contribute to knowledge base
Vetted Verified members of IT security community
Public Methodology only
Generic attack treesControl taxonomyThreat actor library
Full attack trees without control effectiveness
Full attack trees with control mapping and
effectivenessInformation shared using the traffic light protocol:
http://www.us-cert.gov/tlp/
![Page 51: Grc t17](https://reader031.fdocuments.in/reader031/viewer/2022020307/55c74490bb61eb73578b4712/html5/thumbnails/51.jpg)
► Join LinkedIn Group “Extreme Cyber Scenario Planning”
► @pragmaticsec
Questions?