A New Approach to Cyber Incident Response
According to a report issued by the Government Accountability Office (GAO) in February 2013, the number of cybersecurity incidents reported that could impact "federal and military operations; critical infrastructure; and the confidentiality, integrity, and availability of sensitive government, private sector, and personal information" has increased by 782 percent--from 5,503 in 2006 to 48,562 in 2012. In that report, GAO also stated that while there has been incremental progress in coordinating the federal response to cyber incidents, "challenges remain in sharing information among federal agencies and key private sector entities, including critical infrastructure owners."
Progress in this area was hindered by "difficulties in sharing and accessing classified information and the lack of a centralized information-sharing system," the report stated. This blog post describes a tool that members of the CERT Cyber Security Solutions (CS2) Directorate are developing to provide the various agencies and organizations that respond to cyber incidents a platform by which to share information and forge collaborations.
I have witnessed these challenges to effective collaboration first-hand. In my role, I am often called upon to observe subject matter experts who advise incident responders while they manage cyber incidents to assist in collecting evidence and presenting it to authorities working criminal cases. In this role, I have repeatedly observed incident responders, including law enforcement and subject matter experts, operating in disconnected siloes. Representatives from these agencies literally set up separate workstations.
While attackers are organized and well-coordinated in their efforts, agencies and organizations that respond to these cyber incidents operate in disconnected siloes that are in need of a shared platform for trusted collaboration. The aim of our work is to create this platform. We intend the platform to be used across a range of groups, such as computer security incident response teams (CSIRTs), incident responders, commercial companies, and law enforcement.
Our Approach: Cerebro
At its core, Cerebro is a prototype that allows collaborators to identify and tag actionable information. The information is collected at a level of granularity that allows collaborators to specify the extent to which they want to share this information: at a group level, an organizational level, or with all participants of an organization.
As outlined in the IEEE paper Cerebro: A Platform for Collaborative Incident Response and Investigation, which I co-authored along with Tim Palko, our approach incorporates a six-phase model that represents the process an incident responder/assessor goes through when responding to a cyber incident:
- Site assessment. The primary goal of this phase is to develop a response plan to handle the incident based on its assessment and prior experience. Activities in this phase include assembling and training the team and creating situational awareness of the systems that comprise the site or event.
- Site aggregation. Activities in this phase include conducting a network assessment of a site or event and minimizing the scope and impact of the attack. The site assessor also begins site categorization and collection and uses forensic software or toolkits to obtain and extract evidence.
- Site analysis. Activities in this phase include identifying lessons learned from the handling of the assessment. A meta-profile containing the reduced critical assessment of the site is imported to the data store to generate rules or steps for creating better preparedness, which may include modifying policy or process or making changes to configurations.
- Collaborative investigation/correlation. Activities in this phase involve the establishment of a trusted environment that enables communication about the site, which is essential when preparing for a collaborative response. This environment must provide analysts a space to make observations and correlate disparate data types (site security, network analysis, etc.). Applied machine learning is also performed on the dataset. The machine learning produces the predictive analysis that is pushed to the analyst.
- Policy/rule application. Activities in this phase focus on data analysis, a crucial part of the investigation process. The availability of data from multiple sites and/or events opens the possibility of cross-site analysis to establish links among events occurring at individual sites. During investigation and correlation, the collaborative mechanism runs and shares watch-lists, security events, and rule sets. Reports from individual sites and/or events are collected and sent to Cerebro. After a detailed analysis--which might involve two analysts who have the same observation or the system's autonomously identifying links happening at multiple events--Cerebro generates push notifications to alert the user of the associations.
- Site incident strategy. Activities in this phase occur once the incident investigation has concluded. The site administrator and site responder (both humans) take appropriate steps to mitigate any risks or bring compromised systems back online. Policy and rules developed automatically in the analysis stage are presented as a critical stage to disseminate information, but ultimately any action taken based on these notifications and rules is taken by a person.
Cerebro takes a practical approach to defining a system model that collects and analyzes data in a trusted cloud-computing platform, which allows us to store large volumes of data while simultaneously processing them to find, store, and categorize evidence of malicious attacks. We will host our tool on an extensible large-scale analysis platform for managing and analyzing data (such as logs and communications). The analysis platform provides better management and a better security model, and is equipped with a suite of open-source tools for log and data extraction, data and evidence storage, data and log analysis, and forensics.
In a cyber attack, organizations may encounter an adversary who targets communication between administrators to disrupt the effectiveness of their response. In designing a framework to foster collaboration in the wake of a large-scale cyber attack, we envisioned role-based access control that draws upon the principle of least privilege.
Cerebro comprises two main components:
- a Roles and Responsibilities Model that defines the entities involved in the response and investigation, their responsibilities, and their interactions
- a Process Model that defines the phases of the response and investigation process, as well as the execution of responsibilities in these phases
Together, these components ensure that the response and investigation team members are able to effectively manage the required tasks. In particular, the system model integrates the technical incident response and the legal investigation and prosecution process in a multi-site collaborative manner.
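The sharing levels described above (group, organization, all participants) combined with role-based, least-privilege access can be modelled as a small default-deny check. This is an added illustration, not Cerebro's own code; the names Scope, Participant, TaggedItem, can_view, the "analyst" role and the sample data are all assumptions.

```python
# Added illustration, not Cerebro's own code: scoped sharing tags checked
# with a default-deny, role-based rule. All names here are assumed.
from dataclasses import dataclass
from enum import Enum


class Scope(Enum):
    GROUP = "group"         # only members of the tagging group
    ORGANIZATION = "org"    # everyone in the tagging organization
    ALL = "all"             # all participants of the platform


@dataclass(frozen=True)
class Participant:
    name: str
    organization: str
    groups: frozenset
    roles: frozenset        # e.g. {"analyst"}; lurkers hold no analyst role


@dataclass(frozen=True)
class TaggedItem:
    item_id: str
    owner_org: str
    owner_group: str
    scope: Scope
    required_role: str = "analyst"   # assumed minimum role to read the item


def can_view(p: Participant, item: TaggedItem) -> bool:
    """Least privilege: deny unless the scope covers p AND p holds the role."""
    if item.required_role not in p.roles:
        return False
    if item.scope is Scope.ALL:
        return True
    if item.scope is Scope.ORGANIZATION:
        return p.organization == item.owner_org
    # GROUP: the same group name in another organization does not count
    return p.organization == item.owner_org and item.owner_group in p.groups


def visible_items(p: Participant, items: list) -> list:
    return [i.item_id for i in items if can_view(p, i)]


# Constructed sample data for the demonstration.
ALICE = Participant("alice", "org-a", frozenset({"ir-team"}), frozenset({"analyst"}))
BOB = Participant("bob", "org-a", frozenset({"legal"}), frozenset({"analyst"}))
CAROL = Participant("carol", "org-b", frozenset({"ir-team"}), frozenset({"analyst"}))
DAVE = Participant("dave", "org-a", frozenset({"ir-team"}), frozenset({"lurker"}))
ITEMS = [TaggedItem("watchlist-1", "org-a", "ir-team", Scope.GROUP),
         TaggedItem("event-2", "org-a", "ir-team", Scope.ORGANIZATION),
         TaggedItem("rule-3", "org-a", "ir-team", Scope.ALL)]
```

Carol shares a group name with Alice but belongs to another organization, so the group-scoped watch-list stays hidden from her; Dave is in the right group but lacks the required role and sees nothing.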
Our approach builds on several well-known principles for effective collaboration. For trust establishment, we rely on an incentive-based approach in which organizations learn more about vital watch-list information and obtain access to tools and resources to respond to and recover from attacks.
Cerebro also relies on an approach involving organizational access policy; organizations providing value in the identification and response process can collectively define important pieces (IP addresses, type of attack, pattern identification) of an investigation.
For managing tasks and processes, we focus on identifying and indexing areas of interest that warrant collaboration to integrate them into a well-defined process workflow for each organization.
Challenges of Our Approach
One challenge of our approach with Cerebro involves addressing security issues so that potential users can be assured that their information will circulate within an intended audience. To address this issue, we designed a system that uses two-factor authentication: role-based and signature-based.
Ideally, our tool fosters 100 percent participation by all involved. Cerebro observes the 90-9-1 rule. This is the basic observation that in a collaborative platform, such as a wiki:
- 90 percent of participants will "lurk" and simply observe information being posted
- 9 percent of participants will actively edit and produce the information being created
- 1 percent of participants will be involved in content validation, administration, and rule generation
Our approach hypothesizes that if only 9 percent of participants are involved in information analysis, that group can act on the information and, ideally, retain enough of it to keep their organization from being compromised. The lurkers will hopefully retain some of the lessons learned from the methodologies employed by the real subject matter experts. The lurkers, however, cannot be relied upon to provide actionable intelligence.
Early Influences and Collaborations
As with any research effort, our work has been influenced by many other researchers including Dr. Eric Nyberg, a professor in the Language Technologies Institute in Carnegie Mellon University's School of Computer Science. Dr. Nyberg's research in this field helped us gain a greater understanding of machine learning and rule generation.
This research also draws upon theories introduced by Dr. Carolyn Rosé, who teaches an applied machine learning class in the Human Computer Interaction Institute. Dr. Rosé's research focuses on better understanding the social and pragmatic nature of conversation, and using this understanding to build computational systems that can improve the efficacy of conversation between people, and between people and computers.
Working with our customers over the past few years, we developed prototypes of tools that contribute to the data collection, analysis, and collaboration space. Alongside the development efforts for these prototypes, we are working on a version of Cerebro that will act as the trusted platform between them.
To read the paper Cerebro: A Platform for Collaborative Incident Response and Investigation, by Anne Connell, Tim Palko, and Hasan Yasar, please visit https://ieeexplore.ieee.org/document/6699007.
To read the February 2013 report, CYBERSECURITY: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented, please visit http://www.gao.gov/assets/660/652170.pdf.