Purple seven-ntxissacsc5 walcutt


Transcript of Purple seven-ntxissacsc5 walcutt

NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Tabletop exercises ARE more fun than setting fires

Christopher Walcutt, CISM, CISSP

Director

DirectDefense

11/11/2017


Why Tabletop?



How?


Why Now?


Information Sharing


What to Expect?

Simulated exercise

Designed to challenge

Foster interaction and communication across organizations

Coordinated physical and cyber attacks

Practice, Practice, Practice!

Check your readiness

KNOW the phases


Who’s involved?

Planning (Security/Business Continuity)

Business

HR

Execs

Physical Security

Corp Comms

IT


How it works?


You are not alone


Expectations of you


Full two day commitment

Need buy-in and support from management to participate

No “day job” activities during the exercise

Teamwork is key

Be prepared to learn and teach

Most scenarios will require multiple disciplines/skill sets

Scenarios will change during the course of the day

Effective communication is essential


What to Expect?

• Post meeting discussions

• Establish Incident Command Structure positions

• Determine future meeting schedule

  • Where, when, and how long to meet

• Determine how communications will be handled

  • SharePoint or other appropriate site

• Identify other groups needed to participate

• Continue to mature the exercise

  • Metrics

  • Simulations

  • Advanced Attack Methods

  • Increased Information Protection


Incident Reporting


• Regulators

• Industry ISACs (REN-ISAC, FS-ISAC, E-ISAC)

• Timing Requirements

• Interface with third parties

• Contractual Requirements

• Insurance Requirements

• Outside Counsel


What the MSEL?


Injects are scenarios

They appear quickly and overlap

Designed to test and may induce stress

Beware the modifiers

Take notes

Stay engaged

Phone a friend

Use the facilitator


Resource Planning (Timing)

[Chart: timelines for Phase 2, Phase 3 and Phase 4 in 5-minute ticks from 5 to 60 minutes, with one row each for Technical, Operations and Physical]


Resource Planning (Effort)

| Day | Move | Inject | Technical | Operations | Physical | Group Interaction | Start Time (minutes) | Notes |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Day 1 | Move 1 | NERC 1.3 | 1 | 2 | 2 | Technical contacts others | T-0 | Hold other inject sheets |
| | | NERC 1.3.2 | 3 | 0 | 0 | None | T-5 | |
| | | NERC 1.5 | 0 | 0 | 3 | None | T-10 | |
| | | NERC 1.8 | 2 | 3 | 3 | Coordination required | T-20 | Ties to NERC 1.5 |
| | | NERC 1.4 | 2 | 0 | 0 | None | T-30 | |
| | | NERC 1.11 | 3 | 0 | 0 | None | T-0 | Ties to NERC 1.8 |
| | | NERC 1.7 | 2 | 3 | 0 | Coordination required | T-0 | |
| | | SOC Breach 1 | 0 | 0 | 5 | None | T-0 | TBD |
| | | NERC 1.5.1 / NERC 1.5.2 | 2 | 3 | 4 | Coordination required | T-30 | |
| | Move 2 | NERC 2.1 | 1 | 2 | 0 | Technical contacts Operations | T-0 | Hold Operations inject sheets |
| | | NERC 2.19 | 0 | 0 | 3 | None | T-0 | |
| | | NERC 2.7 | 2 | 2 | 0 | Technical contacts Operations | T-15 | Hold Operations inject sheets; ties to NERC 1.11 |
| | | NERC 2.4 | 2 | 3 | 0 | Operations contacts Technical | T-30 | Hold Technical inject sheets |
| | | NERC 2.8 | 2 | 3 | 2 | Coordination required | T-40 | |
| | | SOC Breach 2 | 0 | 0 | 5 | None | T-0 | |
| | | NERC 2.1.1 | 4 | 2 | 0 | Coordination required | T-0 | |
| | | NERC 2.4.1 | 1 | 2 | 0 | Coordination required | T-10 | |
| | | NERC 2.12 | 3 | 2 | 3 | Operations contacts others | T-30 | Hold other inject sheets |
| | | NERC 2.17 | 3 | 0 | 0 | None | T-45 | |
| Day 2 | Move 3 | NERC 3.2.1 | 2 | 2 | 2 | None | T-0 | Remind teams of personnel limitations incurred |
| | | NERC 3.11 | 2 | 0 | 0 | None | T-10 | Remind teams of resource limitations incurred |
| | | NERC 3.12 | 2 | 3 | 3 | Coordination required | T-10 | Damage ties to NERC 2.7 |
| | | NERC 3.12.1 | 3 | 3 | 2 | Coordination required | T-15 | |
| | | NERC 3.5.1 | 4 | 4 | 3 | Coordination required | T-30 | |
| | | NERC 3.9 | 3 | 2 | 0 | Coordination required | T-0 | |
| | | NERC 3.14 | 2 | 2 | 3 | Coordination required | T-10 | Dependent on documented processes |
| | | NERC 3.10 | 1 | 0 | 0 | None | T-20 | |
| | | NERC 3.13 | 3 | 3 | 2 | Coordination required | T-30 | |
| | Move 4 | NERC 4.2.1 | 3 | 2 | 2 | Coordination required | T-0 | |
| | | NERC 4.3 | 2 | 4 | 0 | Coordination required | T-10 | |
| | | SOC Breach 3 | 0 | 0 | 5 | None | T-10 | TBD |
| | | NERC 4.5 | 2 | 2 | 0 | Coordination required | T-20 | |
| | | NERC 4.7 | 1 | 0 | 2 | Coordination required | T-30 | |
| | | NERC 4.6 | 2 | 2 | 0 | Coordination required | T-30 | |
| | | NERC 4.8 | 2 | 4 | 0 | Coordination required | T-40 | |

Estimated Effort Level: 0 = inject does not apply to group; 1 = minimal effort, 5 minutes; 2 = 10 minutes; 3 = moderate effort, 15 minutes; 4 = 20 minutes; 5 = extreme effort, 30+ minutes.

The original sheet is keyed by phase (Phase 2 through Phase 7); borders indicate breaks.


Resource Planning (Count)

| Group | Move 1 P2 | Move 1 P3 | Move 2 P4 | Move 2 P5 | Move 3 | Move 4 |
| --- | --- | --- | --- | --- | --- | --- |
| Technical | 4 | 3.5 | 4 | 4 | 9 | 6 |
| Operations | 2 | 2.5 | 4 | 3 | 7 | 5 |
| Physical | 3 | 2.5 | 2 | 2 | 6 | 3 |

[Chart: the same counts plotted as bars per move and phase, 0 to 10 scale, for Physical, Operations and Technical]
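As an added example that is not part of the deck, the script below reads the Move 2 / Phase 4 rows of the effort sheet, reproduces the per-group inject count shown on the Count slide, converts effort levels to minutes using the deck's legend, and flags injects whose busy windows overlap for one group (the "they appear quickly and overlap" point from the MSEL slide). The assumption that an inject occupies its group from its start offset for the legend's number of minutes is mine, not the deck's.

```python
"""Added example, not from the slide deck: load planning over an MSEL effort sheet."""

# Effort level -> minutes, taken from the deck's "Estimated Effort Level" legend.
EFFORT_MINUTES = {0: 0, 1: 5, 2: 10, 3: 15, 4: 20, 5: 30}
GROUPS = ("Technical", "Operations", "Physical")

# Rows transcribed from the Move 2 / Phase 4 block of the effort sheet:
# (inject, technical, operations, physical, start offset in minutes after T-0)
MOVE2_P4 = [
    ("NERC 2.1", 1, 2, 0, 0),
    ("NERC 2.19", 0, 0, 3, 0),
    ("NERC 2.7", 2, 2, 0, 15),
    ("NERC 2.4", 2, 3, 0, 30),
    ("NERC 2.8", 2, 3, 2, 40),
]


def inject_counts(rows):
    """Number of injects touching each group (effort > 0): the deck's Count view."""
    return {g: sum(1 for r in rows if r[i + 1] > 0) for i, g in enumerate(GROUPS)}


def group_minutes(rows):
    """Total minutes of effort per group for the phase, via the legend mapping."""
    return {g: sum(EFFORT_MINUTES[r[i + 1]] for r in rows) for i, g in enumerate(GROUPS)}


def overlapping_injects(rows):
    """Pairs of injects whose busy windows overlap for the same group.

    Assumption (mine): a group is busy on an inject during
    [start, start + minutes); two such windows overlapping means that group
    would be working two injects at once, which the facilitator should expect.
    """
    found = []
    for i, g in enumerate(GROUPS):
        windows = [(r[0], r[4], r[4] + EFFORT_MINUTES[r[i + 1]])
                   for r in rows if r[i + 1] > 0]
        for a in range(len(windows)):
            for b in range(a + 1, len(windows)):
                n1, s1, e1 = windows[a]
                n2, s2, e2 = windows[b]
                if s1 < e2 and s2 < e1:  # half-open interval intersection
                    found.append((g, n1, n2))
    return found


if __name__ == "__main__":
    print("injects per group:", inject_counts(MOVE2_P4))
    print("minutes per group:", group_minutes(MOVE2_P4))
    print("overlaps:", overlapping_injects(MOVE2_P4))
```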


Roles

Deputy Incident Commander (D-IC)

• Interfaces directly with the AC

• Coordinates incident response activities

• Empowered to make departmental decisions

Backup Deputy Incident Commander

• Fills the same role as the D-IC

Planning Section Chief (P-SC)

• Collects, evaluates, and disseminates information

• Maintains intelligence on the situation

• Maintains and monitors status of resources assigned to the incident

• Coordinates department on-call and schedule rotations, vendor services

Operations Section Chief (O-SC)

• Manages on-scene tactical operations goals

• Goals relate to mitigation/remediation, protection and control

• Collect and preserve data

• Liaison between incident personnel and D-IC

ACTIVATING THE SIRT


SIRT must be contacted when the incident classification table is utilized!

State Public Commission Committee must be notified if incidents meet CIP parameters!


DOCUMENT STRUCTURE

• UIRP:

  • This document addresses cyber and physical security events affecting corporate assets which may negatively impact the risk posture of the corporation

  • This document covers a corporate-level framework; individual departments are responsible for creating detailed procedures

  • Personnel involved in this framework are part of the IUSAN Incident Command System (ICS)

• ICS:

  • A two-tiered command structure coordinated at a company level by the Area Command layer and specific division level activities carried out by the Incident Command layer

  • Enacted for physical and cyber incidents that are not related to storms

• The UIRP document and ICS structure must meet requirements laid out by:

  • National Institute of Standards and Technology (SP 800-61 Rev 2, SP 800-122)

  • International Organization for Standardization ISO/IEC 27035:2011

  • North American Electric Reliability Corporation CIP-008-5

  • Sarbanes-Oxley Act of 2002

ICS


REPORTING WORKFLOW


BOOM


LESSONS LEARNED

Normal Operations & Contingency Planning | Incident Response Training | Information Sharing

People: Security Clearances; Off-hours Support from Spain; Event Notification, Discussions, and Training; OT Backbone Network Monitoring; Electric Operations Resource Prioritization; SDLC with Security Focus; Resourcing During Events

Process: Corporate Mechanism for Lessons Learned; Paper Copies of Procedures (Go Bags); Hot Line Phones; Criteria for IT / OT Network Disconnect; Reviewing Recent Alerts / Past Events; Talking Points for PLO / PIO Execs; Data Owner / Data Custodian; First Responder Training / Forensics

Technology: Notification Sharing & Repository; Notification Triggers; Central Inventory Repository; Estimated Time to Recovery; Asset Classification; Data Retention; Baseline Configuration

LESSONS LEARNED PLANNING


Post Exercise – 5-Year Development Plan


PRIORITIZATION


TRACKING


Thank you
