Cyber Defense Blueprint
Cyber Reference Architecture, Version 2.1
DXC Security
November 14, 2018

© 2018 DXC Technology Company. The underlying methodologies and information are confidential and proprietary information of DXC Technology Company.

For further information, please contact [email protected]


Table of contents

1. Cyber Defense (CD) blueprint
2. Work packages summary
3. SOC Foundation key work packages (extract)
4. SOC threat intelligence & profiling key work packages (extract)
5. Vulnerability management key work packages (extract)
6. Appendix

1. Cyber Defense (CD) blueprint

Layers

[Figure: the Cyber Defense (CD) layers placed alongside the Cyber Reference Architecture (CRA) domains; only the labels are recoverable from the slide.]

Legend: CD Layers / Related CRA Layers

CD layers: Controls Layer, Operations Layer, Context & Behavior Layer, Vulnerability Layer, Intelligence Layer, Strategic Layer

Related CRA domains: Physical Security (PS), Cyber Defense (CD), Identity & Access Management (IAM), Infrastructure & Endpoint Security (IES), Applications Security (AS), Data Protection & Privacy (DPP), Converged Security (CS), Resilient Workforce (RW), Security Orchestration (SO), Strategy, Leadership & Governance (SLG), Risk & Compliance Management (RCM), Security Resilient Architecture (SRA)

Event flow labels on the figure: Physical events, IT events, OT events; Correlated events; Actionable Security & Threat Intelligence; Containment, Clean-up, Eradication, Disruption, Remediation

Layers

[Figure: the same CD layers and CRA domains as the previous slide, with the CD subdomains placed on their layers; only the labels are recoverable.]

Legend: CD Layers / Related CRA Layers

Related CRA domains: Physical Security (PS), Cyber Defense (CD), Identity & Access Management (IAM), Infrastructure & Endpoint Security (IES), Applications Security (AS), Data Protection & Privacy (DPP), Converged Security (CS), Resilient Workforce (RW), Security Orchestration (SO), Strategy, Leadership & Governance (SLG), Risk & Compliance Management (RCM), Security Resilient Architecture (SRA)

Event flow labels on the figure: Physical events, IT events, OT events; Correlated events; Actionable Security & Threat Intelligence; Containment, Clean-up, Eradication, Disruption, Remediation

Subdomains by layer:
• Strategic Layer
• Intelligence Layer: Threat Intelligence & Profiling; Digital Investigation & Forensics
• Vulnerability Layer: Vulnerability Management
• Context & Behavior Layer: Security Analytics
• Operations Layer: Security Monitoring; Security Incident Response & Remediation Management; Forensic Analysis & Response
• Controls Layer

Additional label on the figure: Asset Management

Layers – summary

Columns: Blueprint Layer | Description | Examples of typical issues

Controls Layer
  Description: Onboard new and existing feeds; identify and remediate gaps in feeds and controls
  Examples of typical issues: Limited types of data feeds, limited coverage of feeds, etc.

Operations Layer
  Description: Deliver a consolidated SOC environment with business-aligned use cases and a service provider model
  Examples of typical issues: No SOC or multiple local SOCs working in silos, poor engagement and information sharing efficiency, etc.

Context & Behavior Layer
  Description: Establish a baseline of normal behavior; identify which CMDB information can be integrated; align with critical assets definition
  Examples of typical issues: Inconsistent and incomplete asset and configuration awareness, little contextual information for decision making

Vulnerability Layer
  Description: Identify, integrate and manage vulnerability landscape
  Examples of typical issues: Lack of knowledge of vulnerability landscape to prioritize incident management activities

Intelligence Layer
  Description: Provide Digital Investigation & Forensics service; active hunting and threat actor profiling capabilities
  Examples of typical issues: Lack of knowledge of threat landscape, poor detection rate for advanced threat, inconsistent response, etc.

Strategic Layer
  Description: Map security objectives with business risk profile to help prioritize security investment and decision making
  Examples of typical issues: No defined metrics/KPIs, limited engagement with customers, limited understanding of business impact, etc.

Controls layer

Onboard new and existing feeds, identify and remediate gaps in feeds and controls

Supporting background information

Data feeds are absolutely essential to drive improved detection. They bring more events for analysis and provide the basis for more correlation of data. If the necessary feeds are not available there can be a significant impact on security operations, such as:

• The enterprise is dependent only on noisy and lower-value feeds such as firewalls and IPS.
• The lack of required feeds can mean that identified critical-risk use cases cannot be created and acted upon. This results in a large information and security awareness gap.
• Where feeds are available, in many cases they do not contain the needed information and require retuning.
• A lack of feeds can mean that only relatively simplistic use cases can be created. To produce more complex, behavior-oriented and correlated use cases, more feeds are required.
• Compliance programs need to be aligned with identified detection requirements, which are invariably supported by specific data feeds.

Benefits of investing

• Creation of a centralized view of the current state of security of the enterprise network, enhancing situational awareness, correlation capability and security operational efficiency
• Ability to quickly and efficiently respond to threats, vulnerabilities and incidents
• Ability to respond as and when needed across all departments, business units and local markets
• Regulatory compliance in line with device control logging, monitoring and analysis

Risks of NOT investing

• Significantly increased risk of a successful attack/breach, with the possibility of the attack not being detected at all, resulting in potential financial loss, competitive loss (e.g., IP loss) or brand damage
• Risk of an inappropriate and/or incomplete security response to a threat, vulnerability or incident, resulting in potential financial loss, competitive loss (e.g., IP loss) or brand damage
• Lack of regulatory and audit compliance

Operations layer

Deliver a consolidated SOC environment with business-aligned use cases and a service provider model

Supporting background information

Without a consolidated and architecturally well-designed SOC layer, a number of problems will occur that inhibit security operations. They include:

• Security working in silos, with little engagement between the SOC and other security/operational functions
• Lack of SOC engagement, visibility and a service-oriented function leads to a loss of confidence. In the worst case this can manifest itself in the creation/development of decentralized, localized SOC capabilities
• Operational effectiveness is degraded and efficiency reduced; potential blind spots to attacks mounted across multiple areas/silos are created
• Information sharing opportunities are reduced
• Risk of creating differentiated rather than common local incident responses

Benefits of investing

• Centralized capability with a clear mission statement and scope
• Integrated SOC function across all localizations, providing the most efficient functional and cost model
• Security information viewed and managed from a central point, providing a consistent, efficient and thorough approach, analysis and response. Lessons learned from initiatives, events and incidents are communicated clearly and consistently to all localizations, enhancing the unified security posture
• Reduction in risk, as organizational objectives and risks underpinned by security-relevant risks are more effectively managed because security has a complete, single enterprise view

Risks of NOT investing

• Security working in silos, with increased risk of an inappropriate and/or incomplete security response to a threat, vulnerability or incident
• Increased risk, as wider business objectives and risks underpinned by the SOC will not be mitigated and managed
• Additional cost of operating both the central SOC and local SOCs

Context & behavior layer

Establish a baseline of normal behavior, identify which CMDB information can be integrated, align with critical assets definition

Supporting background information

Asset management is a vital building block underpinning any cyber security capability. Effective and complete asset and configuration management of both hardware and software are seen as services that must be present for consumption (SANS Top 20 Critical Controls for Cyber Defense and the NIST Cyber Security Framework). If the necessary controls are not available, there can be a significant impact on security operations, such as:

• Lack of required context information of an appropriate quality, meaning that identified critical-risk use cases cannot be created based on existing context. This results in a large information and security awareness gap
• Lack of context means that only relatively simplistic use cases can be created. To produce more complex, behavior-oriented and correlated use cases, more context is required
• Inability to focus security investment and protection on the “crown jewels”

Benefits of investing

• Creation of a centralized view of the current asset and configuration state of the enterprise
• Awareness of all assets on the network, allowing for risk assessment and application of appropriate controls and monitoring, as well as better business continuity management
• Prioritization and proportional response to threats, vulnerabilities and incidents impacting the network
• Regulatory compliance

Risks of NOT investing

• Incomplete view of assets and/or incomplete coverage precludes security situational awareness
• Unknown assets not being monitored or protected, thus providing weak points of entry into the network and precluding appropriate prioritization and response to threats, vulnerabilities and incidents
• Risks underpinned by the SOC capability not being mitigated and managed appropriately

Vulnerability layer

Identify, integrate and manage vulnerability landscape

Supporting background information

The advanced nature of attacks and malicious activity increases risk, as well as the sophistication and likelihood of exploitation of vulnerabilities. Key areas of future threats exploiting vulnerabilities through complex vectors:

• Increasing globalization with a drive for interconnectivity
• Uncontrolled introduction of consumer devices, introducing new attack vectors and exploitation methods
• Gradually disappearing boundaries between work and personal life, including BYOD
• Business application attack vectors will remain unexplored, increasing the vulnerability volume through third-party failures or an inability to protect the organization's own footprint where third parties interface to it
• Social media opening the door to social engineering
• Increasing complexity and use of IP networks and devices in infrastructure
• Attacks on SCADA and other specialized infrastructure systems across multiple platforms and the ability to proliferate undercover (children of Stuxnet)

Benefits of investing

• Identification and understanding of threats, vulnerabilities and risks relevant to the enterprise
• Prioritization and focusing of resources to respond to the most significant threats
• Ability to achieve and gain value from a widespread digital presence while managing related risks to brand and reputation and safeguarding a positive brand image
• Compliance with regulation, where increasing government action is taken to reduce the impact and calm public concerns over the use of cyberspace

Risks of NOT investing

• Lack of investment in intelligence-driven vulnerability/threat assessments and inability to maintain close observation of the emerging threat attack stack, causing isolation and reducing the ability to conduct business in the new marketplace
• Increased risk of single-issue hacktivism and aggression against multinationals, destroying consumer confidence in online systems and in companies that cannot protect such systems

Intelligence layer

Provide a Digital Investigation & Forensics service, active hunting and threat actor profiling capabilities

Supporting background information

Enterprises will come under pressure from targeted attacks and are unlikely to be able to provide the appropriate level of assurance of data confidentiality, integrity and/or availability. Organizations will continue to make important business decisions based on flawed or poorly analyzed data.

The aim of Advanced Incident Response is to pull together the volumes of available data and translate it into actionable security intelligence, to provide an active hunting capability to proactively identify advanced threat actors already in place, and to allow accurate threat actor profiling to prioritize activities so that incidents can be responded to efficiently and remediation exercises conducted. This security intelligence can be used in anything ranging from threat prediction and supporting strategic investment decisions to tactical incident response decisions.

A key aspect of this is the integration of Incident Response/CERT and forensic capabilities, including hunting capability, which are vital for managing and recovering from incidents/attacks against the enterprise.

Benefits of investing

• Threat-intelligence-driven pre-emptive actions and service support, reducing the impact of emerging threats
• Security data turned into actionable security intelligence that can be utilized to protect the business
• Support for a proactive security stance that will reduce the likelihood of attack success
• Advanced incident/emergency response and forensic capability
• Development of closer information sharing across industry sectors to support cyber resilience

Risks of NOT investing

• Inability to understand and respond to current and emerging threats, advanced threats and risks
• Inability to move rapidly into a defensive posture on the discovery of an attack against the enterprise
• Limited or no ability to understand the impact of, and recover from, a successful attack

Strategic layer

Map security objectives with the risk profile of the business to help direct and inform security investment and decision making

Supporting background information

The purpose of strategy, leadership and governance, as well as risk and compliance management, is primarily to:

• Provide and support the security strategic direction and a security transformation plan aligned with corporate business objectives
• Ensure that objectives are achieved by:
  • understanding the criticality of information to the organization
  • understanding emerging threats
  • ensuring proper execution of security programs
  • ensuring proper decision making to address and minimize business risk
• Ensure that risks are evaluated in light of business activities, value and criticality for the business, and legal requirements. Risk mitigation activities are then defined to determine an appropriate level of risk, balanced against cost/budget and the remaining risk to reputation, business activities and other market factors
• Ensure that compliance with policy is assessed, gaps are identified and remediation efforts are detailed in order to comply with legal, regulatory, privacy and industry requirements

Benefits of investing

• Proper deployment of SOC services in line with corporate security strategy
• Visibility and understanding of the current enterprise security state
• Common language to support business decision making on security issues by stakeholders/sponsors

Risks of NOT investing

• Lack of clear understanding across the enterprise of the current risk posture, significantly inhibiting the enterprise’s ability to assess and respond to cyber threats, vulnerabilities and attacks/incidents
• Wider range of business objectives and risks underpinned by Security and the SOC function not being measured, mitigated and managed appropriately
• Lack of unified metrics and KPIs, causing security to be seen as a negative influence on key business objectives, key measures (revenue, profit, etc.) and brand reputation

Subdomains and capabilities

[Figure: capability matrix with one column per subdomain, CD.1 to CD.6, and up to 13 capabilities per column; the columns are listed below.]

CD.1 – Security Monitoring
• Log Policy Definition
• Log Management
• Monitoring & Alerting Processes
• Log Correlation
• Event Query
• Log Integrity
• Use Case Management
• Log Reporting
• Shift-Handover Process
• Daily Operations Meeting Procedure

CD.2 – Security Incident Response & Remediation Mngt
• Incident & Defect Notification
• CERT & Authority Information Request
• Incident Analysis
• Incident Triage
• Root Cause Analysis
• Incident Validation
• Incident Classification
• Incident Mitigation & Remediation
• Incident Recovery
• Crisis Communication
• Incident Reporting
• Crisis Leadership & Organization
• Escalation Procedure

CD.3 – Threat Intelligence & Profiling
• Threat Intelligence Platform
• Cyber Threat Intelligence Sources
• Threat Actor Profiling
• Cyber Threat Intelligence Sharing
• Malware Analysis
• Security Trends
• Technical Threat Modeling
• Threat Intelligence Knowledge Management

CD.4 – Digital Investigation & Forensics
• Digital Investigations
• Digital Forensics
• E-Discovery
• Active Threat Hunting

CD.5 – Vulnerability Management
• Static Code Analysis
• Dynamic Code Analysis
• Social Engineering
• Penetration Testing
• Vulnerability Remediation
• Attack Simulation
• Vulnerability Scanning
• Patch Management
• Vulnerability Notification
• Vulnerability Monitoring
• Vulnerability Validation & Criticality
• Vulnerability Research

CD.6 – Security Analytics
• Big Data Security Analytics
• Baselining
• Social Media Analysis
• Data Anomaly Detection
• Network Anomaly Detection
• User Behavior Analysis
• Privileged Threat Analytics
• DNS Analytics
• Technical Attack Reconstruction & Visualization

2. Work packages summary

Work packages per subdomain

Security Monitoring
• CD.1.a – Infrastructure Security Monitoring
• CD.1.b – Application & Middleware Security Monitoring

Security Incident Response & Remediation Management
• CD.2.a – Assess/define Security Operation Center processes
• CD.2.b – Security Incident Management process
• CD.2.c – Crisis Management process update
• CD.2.d – Security Operation Center core processes deployment

Threat Intelligence & Profiling
• CD.3.a – Threat Intelligence Platform development
• CD.3.b – Cyber Threat Intelligence feed establishment
• CD.3.c – Threat Actor Profiling & Tracking
• CD.3.d – Technical Threat Modelling
• CD.3.e – Technical Security Trends

Digital Investigation & Forensics
• CD.4.a – Establish a Digital Investigation & Forensics Service
• CD.4.b – Cyber Hunting

Vulnerability Management
• CD.5.a – Vulnerability Scan
• CD.5.b – Penetration Testing
• CD.5.c – Specialized Penetration Testing
• CD.5.d – Social Engineering
• CD.5.e – Static Code Analysis
• CD.5.f – Dynamic Code Analysis
• CD.5.h – Patch Management

Security Analytics
• CD.6.a – DNS Design Review
• CD.6.b – Baselining
• CD.6.c – User Behaviour Analytics
• CD.6.d – Network Anomaly Detection
• CD.6.e – Privileged Threat Analytics

Forensic Analysis & Response
• IES.5.a – End Point Forensic & Incident Response Tooling deployment
• IES.5.b – Full Packet Capture Capability definition
• IES.5.c – Network Forensic tooling deployment

Legend (colour-coded on the slide): Work package available / Work package in next release

Work packages summary (1/4)

Columns: WP name | Subdomain | WP description | WP outcomes | Objective | Timescale

CD.1.a – Infrastructure Security Monitoring
Subdomain: Security Monitoring
WP description:
• Define security information and event management (SIEM) use cases
• Define the corresponding requirements for log policy, log generation (settings) and log storage for critical IT security infrastructure
• Define or revisit SIEM architecture requirements to support additional requirements and new use cases
• Define and execute the corresponding transformation plan
WP outcomes:
• Log analysis
• Targeted and accurate alerting
• Ability to quickly identify when a threat actor is in the environment and then quarantine and remove that actor
• Ensuring the service is performing as expected
Objective: VISIBILITY
Timescale: 9 months

CD.2.a – Assess/Define Security Operation Center processes
Subdomain: Security Incident Response & Remediation Management
WP description:
• Define core SOC processes or review the current SOC processes
• Validate the overall maturity of SOC processes
• Define the future state transformation plan of SOC processes
WP outcomes:
• Efficient security operations allowing an attack to be quickly identified, quarantined and removed
Objective: RESPONSE
Timescale: 3 months

CD.2.b – Security Incident Management Process
Subdomain: Security Incident Response & Remediation Management
WP description:
• Define or review the current Security Incident Management process and validate its overall maturity
• Define an interim solution if necessary for the Security Incident Management process, including support materials for delivery
• Define the future state transformation plan of the process
WP outcomes:
• Robust service for managing security incidents
Objective: RESPONSE
Timescale: 3 months

CD.2.c – Crisis Management Process update
Subdomain: Security Incident Response & Remediation Management
WP description:
• Ensure security and privacy requirements are covered in the Crisis Management process, to deal with serious, disruptive or catastrophic events impacting and harming the organization and its businesses
WP outcomes:
• Robust service for managing security incidents
Objective: RESPONSE
Timescale: 2 months

CD.3.a – Threat Intelligence Platform development
Subdomain: Threat Intelligence & Profiling
WP description:
• Develop a Threat Intelligence Platform supporting collection, validation, storage and automated use of threat intelligence
• Provide custom scripting flexibility and programming language options
• Allow automated enrichment via community feeds and sources
• Allow automated triage, allowing automated application of indicators of compromise (IOCs), scripts, customized signatures on endpoint IR tooling, etc.
WP outcomes:
• Intelligence-led alerting and identification of security breaches
Objective: VISIBILITY, INTELLIGENCE
Timescale: 2 months

Work packages summary (2/4)

Columns: WP name | Subdomain | WP description | WP outcomes | Objective | Timescale

CD.3.b – Cyber Threat Intelligence feed establishment
Subdomain: Threat Intelligence & Profiling
WP description:
• Establish a feed from international CSIRTs or other threat intelligence communities for the introduction of proactive IOCs to improve security incident identification
WP outcomes:
• Additional IOCs and intelligence
Objective: VISIBILITY, INTELLIGENCE
Timescale: 2 months

CD.3.c – Threat Actor Profiling & Tracking
Subdomain: Threat Intelligence & Profiling
WP description:
• Provide Threat Actor Profiling & Tracking as well as remediation guidance
• Identify the compromised endpoints or “touched devices”
• Understand threat actors’ activities, scenarios, tools and techniques used, as well as what they target within the customer’s environment
WP outcomes:
• Threat actor profiling: tools, techniques & procedures (TTP) & attribution
Objective: VISIBILITY, INTELLIGENCE
Timescale: 3 months

CD.3.d – Technical Threat Modelling
Subdomain: Threat Intelligence & Profiling
WP description:
• Identify threat actor objectives and vulnerabilities in the organisation’s infrastructure and applications
• Optimize security by defining countermeasures to prevent or mitigate the effects of threats to the systems
WP outcomes:
• Additional IOCs and intelligence
Objective: VISIBILITY, INTELLIGENCE
Timescale: 1 month

CD.3.e – Technical Security Trends
Subdomain: Threat Intelligence & Profiling
WP description:
• Understand threat actors’ activities, scenarios, tools and techniques used in general, in order to understand emerging security trends, taking into account threat actors’ motivations, objectives, geo-political influences and geographic locations, digital transformation and technology innovation
WP outcomes:
• Threat actor profiling
• Security trends by industry vertical
Objective: VISIBILITY, INTELLIGENCE
Timescale: 1 month

CD.4.a – Establish a Digital Investigation & Forensics Service
Subdomain: Digital Investigation & Forensics
WP description:
• Implement a Digital Investigation & Forensics Service, including Rapid Security Incident Response and Threat Actor Profiling of Advanced Threats
• Deploy Forensic & Incident Response Tooling to support the Digital Investigation & Forensics Service
WP outcomes:
• Service and tooling to identify, contain and profile threat actors
• Additional IOCs and intelligence
Objective: VISIBILITY, RESPONSE
Timescale: 1 month

CD.4.b – Cyber Hunting
Subdomain: Threat Intelligence & Profiling
WP description:
• Establish infrastructure and processes to utilize feeds from international CSIRTs and Threat Intelligence communities to actively search networks and systems for the existence of Indicators of Compromise (IOCs), allowing active identification of security incidents not found via security monitoring mechanisms
WP outcomes:
• Additional IOCs and intelligence
• IR activities
Objective: VISIBILITY, INTELLIGENCE
Timescale: 2 months

Work packages summary (3/4)

Columns: WP name | Subdomain | WP description | WP outcomes | Objective | Timescale

CD.5.a – Vulnerability Scanning
Subdomain: Vulnerability Management
WP description:
• Initiate automated scanning of network infrastructure and systems to identify vulnerabilities
• Perform scans on either ad-hoc or regular timelines
• Provide the basis for a comprehensive vulnerability management program
WP outcomes:
• Risk-ranked remediation guidance
Objective: VISIBILITY
Timescale: 1 – 2 weeks+

CD.5.b – Penetration Testing
Subdomain: Vulnerability Management
WP description:
• Test computer systems, networks and applications for security vulnerabilities that an attacker could exploit
• Exercise potential vulnerabilities to remove false positives
• Evaluate the different devices that make up the environment:
  • Infrastructure (servers, end points and network devices)
  • Applications
  • Mobile devices & applications
  • Wireless networks
• Ensure that testing inside the network border provides coverage against insider threats
WP outcomes:
• Risk-ranked remediation guidance
Objective: VISIBILITY, RESPONSE
Timescale: 1 – 2 weeks+

CD.5.c – Specialized Penetration Testing
Subdomain: Vulnerability Management
WP description:
• Implement specialized penetration testing for IT/network-aware devices:
  • IoT testing
  • SCADA/ICS testing
  • Vehicle security
• Evaluate people and process security using Social Engineering
WP outcomes:
• Risk-ranked remediation guidance
Objective: VISIBILITY, RESPONSE
Timescale: 1 – 2 weeks+

CD.5.d – Social Engineering
Subdomain: Vulnerability Management
WP description:
• Test people and processes to ensure that they form part of the organizational cyber defenses:
  • Phishing/email
  • Telephone
  • Face to face
• Evaluate the success of security awareness training
WP outcomes:
• Risk-ranked remediation guidance
Objective: VISIBILITY
Timescale: 1 week


Work packages summary (4/4)

Columns: WP name · Subdomain · WP description · WP outcomes · Objective · Timescale

CD.5.e – Static Code Analysis
  Subdomain: Vulnerability Management
  Description:
  • Analyze the source code of an application for security issues without executing it
  • Review the structure and design of the application source code
  • Identify root causes of software security vulnerabilities
  • Catch security vulnerabilities early and before building the application
  Outcomes:
  • Risk ranked remediation guidance
  Objective: VISIBILITY
  Timescale: 1 week

CD.5.f – Dynamic Code Analysis
  Subdomain: Vulnerability Management
  Description:
  • Analyze the source code of an application for security issues by running an instance of the application and tracing the execution paths
  • Accurately mimic how a malicious attacker would attack an application
  • Expose vulnerabilities in the deployment environment
  Outcomes:
  • Risk ranked remediation guidance
  Objective: VISIBILITY
  Timescale: 1 week

CD.6.a – DNS Design Review
  Subdomain: Security Analytics
  Description:
  • Review the DNS design in the context of investigation, check whether it is possible to identify endpoints requesting known bad domains, and ensure integration with the SIEM for additional correlation (use case) coverage
  Outcomes:
  • Identification of compromised endpoints
  Objective: VISIBILITY
  Timescale: 2 months

IES.5.a – End Point Forensic & Incident Response Tooling deployment
  Subdomain: Forensic Analysis & Response
  Description:
  • Define the requirements and implement Forensic & Incident Response Tooling on endpoints to provide virtual capability to collect endpoint device evidence related to security incidents and to perform incident response and threat actor profiling
  Outcomes:
  • A foundation for the overall intelligence on endpoints to detect and contain “unknown bad” threats
  Objective: VISIBILITY, RESPONSE
  Timescale: 2 months

IES.5.b – Full Packet Capture Capability definition
  Subdomain: Forensic Analysis & Response
  Description:
  • Deploy a network Full Packet Capture Capability in the locations of the backdoors, once found, to support Threat Actor Profiling & Tracking
  Outcomes:
  • All network traffic recorded to allow threat actor activity to be tracked across the network
  Objective: VISIBILITY
  Timescale: 2 months

IES.5.c – Network Forensic Tooling deployment
  Subdomain: Forensic Analysis & Response
  Description:
  • Define the requirements and implement Forensic & Incident Response Tooling within the network infrastructure to provide virtual capability to collect network evidence related to security incidents and to perform incident response and threat actor profiling
  Outcomes:
  • A foundation for the overall intelligence to detect and contain “unknown bad” threats
  Objective: VISIBILITY, RESPONSE
  Timescale: 2 months
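The endpoint check that CD.6.a asks for and the IOC sweep of CD.4.b share one core: match resolver query logs against a domain indicator list and report which endpoints made the requests. The Python below is an added example, not DXC tooling; the BIND-style log lines, the indicator list and the forwarder addresses are all constructed, and the forwarder check stands in for the design-review question of whether the logged client is really the endpoint or only an intermediate resolver.

```python
import json
import re
from collections import defaultdict

# Constructed sample: BIND-style query log lines from an internal resolver.
SAMPLE_QUERY_LOG = """\
14-Nov-2018 10:02:13.512 client 10.1.20.15#51234 (intranet.corp.test): query: intranet.corp.test IN A + (10.1.0.53)
14-Nov-2018 10:02:14.101 client 10.1.20.15#51235 (cdn.bad-example.test): query: cdn.bad-example.test IN A + (10.1.0.53)
14-Nov-2018 10:02:15.770 client 10.1.20.31#40012 (BAD-EXAMPLE.TEST.): query: BAD-EXAMPLE.TEST. IN TXT + (10.1.0.53)
14-Nov-2018 10:02:16.004 client 10.1.0.54#33001 (c2.evil-example.test): query: c2.evil-example.test IN A + (10.1.0.53)
14-Nov-2018 10:02:17.250 client 10.1.20.15#51236 (notbad-example.test): query: notbad-example.test IN A + (10.1.0.53)
this line is not a query log entry
"""

# Constructed indicator list, as it might arrive from a CSIRT or TI feed
# (mixed case and trailing dots are deliberate: feeds are not normalized).
SAMPLE_BAD_DOMAINS = ["bad-example.test", "Evil-Example.test."]

# Constructed: the site's forwarding resolvers. Queries logged from these
# addresses were relayed, so the real endpoint is not visible at this tier.
SAMPLE_FORWARDERS = {"10.1.0.54"}

QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def normalize_domain(name):
    """Lower-case and strip the trailing dot so feed and log entries compare equal."""
    return name.strip().lower().rstrip(".")


def parse_query_log(lines):
    """Yield (timestamp, client_ip, qname, qtype) for each parseable line; skip the rest."""
    for line in lines:
        m = QUERY_RE.match(line)
        if m:
            yield m["ts"], m["ip"], normalize_domain(m["qname"]), m["qtype"]


def matched_indicator(qname, bad_domains):
    """Return the listed domain that qname equals or is a subdomain of, else None.

    Walks up the label hierarchy so 'cdn.bad-example.test' matches the
    indicator 'bad-example.test', while 'notbad-example.test' does not.
    """
    labels = qname.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


def hunt_dns_log(lines, bad_domains, forwarders=frozenset()):
    """Match DNS queries against indicator domains.

    Returns (affected, alerts): affected maps each endpoint IP to the sorted
    list of indicator domains it resolved; alerts holds one SIEM-ready record
    per hit and flags hits whose source is a forwarder, where the endpoint
    cannot be identified from this log alone.
    """
    bad = {normalize_domain(d) for d in bad_domains}
    affected = defaultdict(set)
    alerts = []
    for ts, ip, qname, qtype in parse_query_log(lines):
        hit = matched_indicator(qname, bad)
        if hit is None:
            continue
        endpoint_known = ip not in forwarders
        if endpoint_known:
            affected[ip].add(hit)
        alerts.append({
            "timestamp": ts,
            "source_ip": ip,
            "query": qname,
            "qtype": qtype,
            "indicator": hit,
            "endpoint_identified": endpoint_known,
        })
    return {ip: sorted(doms) for ip, doms in affected.items()}, alerts


def alerts_as_json_lines(alerts):
    """Serialize alerts one JSON object per line, a shape SIEM collectors ingest directly."""
    return "\n".join(json.dumps(a, sort_keys=True) for a in alerts)


if __name__ == "__main__":
    affected, alerts = hunt_dns_log(
        SAMPLE_QUERY_LOG.splitlines(), SAMPLE_BAD_DOMAINS, SAMPLE_FORWARDERS
    )
    print("Affected endpoints:", affected)
    print(alerts_as_json_lines(alerts))
```

A hit with `endpoint_identified` false is the finding the design review is meant to surface: the resolver tier needs client logging (or the SIEM needs the forwarder's own logs) before the affected device can be named.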


3. SOC foundation key work packages (extract)


Work package mapping: CD.1.a

[Diagram: Cyber Reference Architecture layer view – Strategic Layer, Controls Layer, Operations Layer, Vulnerability Layer, Intelligence Layer and Context & Behavior Layer; subdomains shown: Asset Management, Security Monitoring, Security Incident Response & Remediation Management, Forensic Analysis & Response, Vulnerability Management, Threat Intelligence & Profiling, Digital Investigation & Forensics, Security Analytics; inputs: Physical events, IT events, OT events; outputs: Correlated events; Actionable Security & Threat Intelligence; Containment, Clean-up, Eradication, Disruption, Remediation]

Work package highlighted on the diagram:
• Infrastructure Security Monitoring (CD.1.a): Centralized storage of normalized data. Detect security incidents quickly based on use cases. Comprehensive breadth & depth of collection of events across the infrastructure

SOC foundation key work packages


Work package mapping: CD.2.a

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a and CD.2.a mapped]

Work package highlighted on the diagram:
• Assess/define SOC processes (CD.2.a): Monitor and analyze security events 24x7x365

SOC foundation key work packages


Work package mapping: CD.2.b

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a, CD.2.a and CD.2.b mapped; diagram label: Security Operations Management]

Work package highlighted on the diagram:
• Security Incident Management process (CD.2.b): Manage security incidents quickly

SOC foundation key work packages


Work package mapping: CD.2.c

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a, CD.2.a, CD.2.b and CD.2.c mapped; diagram label: Security Operations Management]

Work package highlighted on the diagram:
• Crisis Management Process update (CD.2.c): Ensure security and privacy requirements are covered in the crisis management process

SOC foundation key work packages


Work package mapping: CD.4.a

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a, CD.2.a, CD.2.b, CD.2.c and CD.4.a mapped]

Work package highlighted on the diagram:
• Establish a Digital Investigation & Forensics Service (CD.4.a): Digital investigation & forensics service for rapid security incident response

SOC foundation key work packages


Work package mapping: IES.5.a, IES.5.b, IES.5.c

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a, CD.2.a, CD.2.b, CD.2.c, CD.4.a, IES.5.a, IES.5.b and IES.5.c mapped]

Work packages highlighted on the diagram:
• End Point Forensic & Incident Response Tooling deployment (IES.5.a)
• Full Packet Capture Capability definition (IES.5.b)
• Network Forensic Tooling deployment (IES.5.c)

SOC foundation key work packages


Work package mapping: CD.6.a

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.1.a, CD.2.a, CD.2.b, CD.2.c, CD.4.a, IES.5.a, IES.5.b, IES.5.c and CD.6.a mapped]

Work package highlighted on the diagram:
• DNS Design Review (CD.6.a): DNS analytics, identify bad DNS domains and affected devices

SOC foundation key work packages


Work package: CD.1.a – Infrastructure security monitoring

Name: Infrastructure Security Monitoring
Work Package ID: CD.1.a

Purpose and High Level Description:
• Define SIEM use cases to support SOC objectives or known threat actors targeting the organization. This has to be done based on the outcomes of several Work Packages helping to profile threat actors (CD.3.c, CD.3.d, CD.4.a, CD.4.b are examples, but others as well). This will allow the corresponding alerting to be automated
• Create a “use cases to log source mapping” to identify and justify onboarding of new log sources
• To support the deployment of identified use cases, define the requirements for log policy, log generation and log storage for critical IT security infrastructure for the SIEM Part 1 project (MS domain controllers, firewalls, VPN GW, DHCP, DNS, email GW, web proxies, NIPS, endpoint threat management solutions, sandboxing solutions, “touched” devices, etc.)
• Define logging setting changes to be made on targeted systems to allow proper logging
• Define or revisit and update SIEM architecture requirements to support additional onboarding of log sources
• Perform design and sizing impact analysis of the current solution, if any, and upgrade the existing SIEM solution or define a new solution to support additional requirements and new use cases
• Review and update security incident management and incident response processes if necessary (dependency on Work Package CD.2.b)
• Define the transformation plan to deploy the log policy across the environment
• Define the transformation plan to upgrade the existing SIEM solution or to deploy a new solution, as well as use case implementation
• Execute the transformation plan

Ideally, if affordable during phase 1 (optional):
• Integrate the Asset Management system as an information source to optimize prioritization decision making (make sure to obtain Asset name, Host name, IP@, MAC@, Asset classification as a minimum)
• Integrate IPAM information (IP subnets, start address, end address, classification)
• Integrate NetFlow information from core networks (could be filtered first with another tool before feeding into the SIEM) for at least 1 day of history
• Define the requirements for log protection (including separation of duty and compliance requirements)

Staffing Requirements:
• DXC Roles:
  • 1 x Security Principal (10 days)
  • 1 x Program Director (5 days)
  • N x Security Consultant & Security Architect (25 days)
  • 2 x SIEM SMEs (100 days)
  • 1 x Content SME (50 days)
  • 1 x Account Security Officer (15 days)
  • 1 x SME per o/s platform (Wintel, Linux/Unix, Mainframe, VMWare, network security infra. components, applications, etc.) (~30 days)
  • 1 x Project Manager (45 days or 50% of time)
• Customer Roles:
  • 1 x Head of IT Security (3 days)
  • 1 x Chief Information Security Officer (2 days)
  • 1 x Head of Security Operations (2 days)
  • 1 x Head of Risk Management, Group Internal Auditor (2 days)
  • 1 x Program Director (5 days)
  • 1 x Project Coordinator (5 days)

Key Activities:
(1) Perform Project initiation and team briefings (2) Define use cases (3) Perform Current State Assessment to establish critical infrastructure and asset feeds (4) Define both technical and service requirements (5) Create a detailed technical and service design (6) Build (7) Test (8) Deploy

Deliverables:
• Project Plan & Schedule, Processes & Plans including Test Plan and Success Criteria
• SIEM solution deployment, onboarding of feeds, implementation of use cases and fine tuning
• SIEM architecture and standard service documentation update including use cases
• Existing security processes updated with corresponding use cases

Workload estimation:
• Estimated project duration = 9 months
• Estimated number of man days effort for DXC = 210 man days
• Estimated number of man days effort for Customer = 19 man days
• Hardware and Software costs not included

Business Benefits and Outcomes:
• Ability to achieve faster identification of incidents and mitigation of threats by implementing the Cyber Defense Strategy and SIEM Phase I; centralized log management and alerting solution
• A more complete view of security throughout the infrastructure
• A more accurate and integrated security incident & response process. Less downtime through an integrated and experienced response process
• Reduced cyber risk by implementing key log policies and improved security incident handling processes
• 24x7x365 rapid response from a highly experienced and industry-certified global security incident response team

Business Challenges and Problems Foregoing Commitment:
• Breaches of information security (e.g., loss of confidentiality, integrity and availability). Intellectual property theft (trade secrets, competitive information, IP theft, secured collaboration)
• Breaches of legal, regulatory or contractual requirements (legal exposure, data loss, privacy breaches, information leakage, etc.)
• Less visibility of events and hack attempts across the entire estate
• Lack of proactive monitoring and addressing of threats; reacting to security incidents
• Loss of business and financial value
• Damage to reputation
• Productivity loss, disruption of plans and deadlines, impaired operations (internal or third parties)

Duration: L
Business impact/disruption: M
Cost: M
Capabilities addressed: CD.1.1 ; CD.1.2 ; CD.1.3 ; CD.1.4 ; CD.1.5 ; CD.1.7 ; CD.1.8

Work package example

The CRA library of work packages is DXC Intellectual Property. For further information, please contact [email protected]
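As an added illustration of the “use cases to log source mapping” this work package calls for (example code, not part of the DXC blueprint), the Python below takes a constructed use-case catalogue and a constructed inventory of onboarded sources and returns which use cases can be implemented now, which log sources block the rest, and an onboarding order ranked by how many use cases each source unlocks. The source categories follow the work package's own list of critical IT security infrastructure; the use-case names are constructed.

```python
from collections import Counter

# Constructed catalogue: SIEM use cases and the log-source categories each
# one needs before it can be implemented.
SAMPLE_USE_CASES = {
    "UC-01 Brute force against domain accounts": {"domain_controller"},
    "UC-02 VPN login from unusual geography": {"vpn_gateway"},
    "UC-03 Endpoint resolving known bad domain": {"dns"},
    "UC-04 Outbound connection to blacklisted IP": {"firewall", "web_proxy"},
    "UC-05 Malware detected then lateral movement": {"endpoint_threat_management", "domain_controller"},
    "UC-06 Phishing mail with sandbox-flagged attachment": {"email_gateway", "sandboxing", "web_proxy"},
    "UC-07 NIPS signature hit on internal host": {"nips", "dhcp"},
    "UC-08 Proxy download of executable from new domain": {"web_proxy", "dns"},
}

# Constructed inventory of log sources already onboarded to the SIEM.
SAMPLE_ONBOARDED = {"domain_controller", "firewall", "dns"}


def use_case_coverage(use_cases, onboarded):
    """Split use cases into those deployable now and those blocked.

    Returns (deployable, blocked): deployable is a sorted list of names;
    blocked maps each remaining name to the sorted list of missing sources.
    """
    deployable, blocked = [], {}
    for name, needed in use_cases.items():
        missing = needed - onboarded
        if missing:
            blocked[name] = sorted(missing)
        else:
            deployable.append(name)
    return sorted(deployable), blocked


def onboarding_priority(use_cases, onboarded):
    """Rank not-yet-onboarded sources by how many blocked use cases need them.

    Each entry is (source, demand, use cases it contributes to). Ties are
    broken alphabetically so the ranking is stable. This is the justification
    column of the mapping: every proposed source is tied to named use cases.
    """
    _, blocked = use_case_coverage(use_cases, onboarded)
    demand = Counter()
    unlocks = {}
    for name, missing in blocked.items():
        for src in missing:
            demand[src] += 1
            unlocks.setdefault(src, []).append(name)
    ranked = sorted(demand, key=lambda s: (-demand[s], s))
    return [(src, demand[src], sorted(unlocks[src])) for src in ranked]


def simulate_onboarding(use_cases, onboarded, plan):
    """Walk an ordered onboarding plan and report the use cases each step unlocks.

    A source whose step unlocks nothing is not useless: it may be one of
    several a use case needs, so the plan is read as a whole.
    """
    current = set(onboarded)
    steps = []
    for src in plan:
        before, _ = use_case_coverage(use_cases, current)
        current.add(src)
        after, _ = use_case_coverage(use_cases, current)
        steps.append((src, sorted(set(after) - set(before))))
    return steps


if __name__ == "__main__":
    deployable, blocked = use_case_coverage(SAMPLE_USE_CASES, SAMPLE_ONBOARDED)
    print("Deployable now:", deployable)
    print("Blocked:", blocked)
    for src, n, cases in onboarding_priority(SAMPLE_USE_CASES, SAMPLE_ONBOARDED):
        print(f"{src}: needed by {n} use case(s): {cases}")
    print(simulate_onboarding(SAMPLE_USE_CASES, SAMPLE_ONBOARDED, ["web_proxy", "vpn_gateway"]))
```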


4. SOC threat intelligence and profiling key work packages (extract)


Work package mapping: CD.3.a

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a mapped]

Work package highlighted on the diagram:
• Threat Intelligence Platform development (CD.3.a): Support collection, validation, storage and automated use of threat intelligence for incident identification and analysis

SOC threat intelligence and profiling key work packages


Work package mapping: CD.3.b

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a and CD.3.b mapped]

Work package highlighted on the diagram:
• Cyber Threat Intelligence feed establishment (CD.3.b): Security Intelligence data to supply complete threat landscape analysis and optimize threat profiling, hunting and alerting

SOC threat intelligence and profiling key work packages


Work package mapping: CD.3.c

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a, CD.3.b and CD.3.c mapped]

Work package highlighted on the diagram:
• Threat Actor Profiling & Tracking (CD.3.c): Threat actor profiling linked to an identified security incident

SOC threat intelligence and profiling key work packages


Work package mapping: CD.4.b

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a, CD.3.b, CD.3.c and CD.4.b mapped]

Work package highlighted on the diagram:
• Cyber Hunting (CD.4.b): Utilization of Security Intelligence source information to drive identification of threat actors via non-security-monitoring methods

SOC threat intelligence and profiling key work packages


Work package mapping: CD.3.e

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a, CD.3.b, CD.3.c, CD.4.b and CD.3.e mapped]

Work package highlighted on the diagram:
• Technical Security Trends (CD.3.e): Identify, track and report on attack and vulnerability trends

SOC threat intelligence and profiling key work packages


Work package mapping: CD.3.d

[Diagram: Cyber Reference Architecture layer view as on the CD.1.a mapping slide, with CD.3.a, CD.3.b, CD.3.c, CD.4.b, CD.3.e and CD.3.d mapped]

Work package highlighted on the diagram:
• Technical Threat Modelling (CD.3.d): Identify attacker objectives and vulnerable assets to define preventative countermeasures and mitigations

SOC threat intelligence and profiling key work packages


Work package: CD.3.cThreat actor profiling and tracking

Name: Threat Actor Profiling (TAP) & Tracking
Work Package ID: CD.3.c

Purpose and High Level Description:
• The goal of the TAP is to understand the Techniques, Tactics, Tools and Procedures of an attacker. Based on these findings, the short term tactical and long term strategic activities are planned.
• To be able to drive these activities, the following tasks need to be driven further:
  • Get external and internal management awareness and commitment for the activities (internal commitment is especially important for service providers)
  • Define internally and externally the scope of the activities and assign the responsibilities and tasks
  • Drive and define/understand the commercial conditions related to all these activities
  • Get the appropriate skills into the IR Team
• From the various teams, get the relevant information belonging to the case:
  • What does the infrastructure look like
  • Which monitoring devices are already in place, and where can additional information be gathered from
  • Which systems are suspicious, and how can data be gathered and transferred from their location to the analysts
  • What are the data privacy conditions, is the privacy team involved and has it approved the activities
  • Does the team want the case handled in a legally correct way so that the attacker could be held responsible
  • Define the way of documentation and cooperation between the various teams involved. Keep especially in mind that tools like Exchange could have been compromised; encrypted out-of-band communication must always be used.
• Perform threat actor profiling and tracking using services and tooling deployed as part of the CD.3.a work package
• Identify entities (systems, accounts, apps…) that have been used or touched by the threat actor, identify top talkers and document all this information in a timeline document and fact sheet, to have an up-to-date overview of the activities and findings. It is especially important to have a list of IOCs that can be used to customize scanners and tools for better visibility (these could include compromised public hosts)
• Understand the threat actor's activities, the technical scenarios used to infiltrate the customer environment and the malware infrastructure used to search, capture and exfiltrate customer data (malware, backdoors, RATs, C2, beacons, webshells, etc.)
• Understand what they target within the customer environment (intellectual property, customer and personal data, business processes, trade secrets, etc.)
• Identify IP addresses, URLs, DNS domain names and SMTP domain names related to attacker activities
• Create and maintain associated blacklists; create and maintain the threat actor activities management report
• Update the inventory of "touched" devices, containing systems, applications and end user devices accessed by the threat actor, as well as the list of compromised user IDs used by the threat actor
• Optimally leverage Threat Intelligence services/feeds
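The entity identification, top-talker, timeline and IOC bullets above describe a tracking workbook. As an added example (not DXC's code or tooling), the Python below builds those CD.3.c artefacts from constructed log lines in a hypothetical "timestamp host user action destination bytes" format and a constructed seed IOC list; it pivots from seed IOCs to touched hosts and compromised user IDs, and treats newly seen destinations as candidates for analyst review rather than auto-blocking them.

```python
"""Added example, not part of the DXC blueprint: a small threat actor tracking
workbook that turns constructed log lines plus a seed IOC list into the CD.3.c
artefacts (timeline, "touched" device inventory, compromised user ID inventory,
top talkers, candidate indicators for the blacklist). Log format is hypothetical."""
import re
from collections import defaultdict

# Constructed sample data (not real indicators): seed IOCs as they would come from
# the CD.3.a tooling, the customer's own domain suffix, and log lines in a made-up
# "timestamp host user action destination bytes" format.
SEED_IOCS = {"203.0.113.45", "update-cdn.example.net"}
INTERNAL_SUFFIXES = ("example.com",)
LOG_LINES = """\
2018-11-09T07:30:00Z ws-017  j.doe      proxy news.example.org          2200
2018-11-10T08:01:12Z ws-017  j.doe      proxy update-cdn.example.net    1540
2018-11-10T08:03:40Z ws-017  j.doe      proxy intranet.example.com       220
2018-11-10T09:15:03Z ws-017  j.doe      proxy 203.0.113.45            915000
2018-11-10T09:20:55Z ws-017  svc_backup auth  srv-db2                      0
2018-11-10T10:02:11Z ws-042  a.smith    proxy news.example.org          3100
2018-11-11T02:44:09Z srv-db2 svc_backup proxy drop.example.org       52000000
"""
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")


def parse_events(text):
    """Parse the constructed log format; lines that do not match are skipped.
    ISO-8601 UTC timestamps sort correctly as strings, so no datetime parsing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, host, user, action, dest, size = m.groups()
            events.append({"ts": ts, "host": host, "user": user,
                           "action": action, "dest": dest, "bytes": int(size)})
    return sorted(events, key=lambda e: e["ts"])


def is_internal(dest):
    return dest.endswith(INTERNAL_SUFFIXES)


def profile_actor(events, seed_iocs):
    """Pivot from seed IOCs to the CD.3.c inventories.
    Pass 1: a host/user that contacted a seed IOC is touched/compromised.
    Pass 2: an auth event from a touched host marks its target host as touched.
    Pass 3: events from a touched host or compromised user at or after their first
    contact form the timeline; external destinations in that window that are not
    already IOCs become candidate indicators for analyst review (not auto-blocked)."""
    first_hit = {}                       # entity (host or user) -> earliest attacker contact

    def mark(entity, ts):
        first_hit[entity] = min(first_hit.get(entity, ts), ts)

    for e in events:                     # pass 1: direct IOC contact
        if e["dest"] in seed_iocs:
            mark(e["host"], e["ts"]); mark(e["user"], e["ts"])
    for e in events:                     # pass 2: lateral movement from touched hosts
        if e["action"] == "auth" and e["host"] in first_hit:
            mark(e["dest"], e["ts"]); mark(e["user"], e["ts"])

    hosts = {e["host"] for e in events} | {e["dest"] for e in events if e["action"] == "auth"}
    timeline, candidates, seen_seeds = [], set(), set()
    traffic = defaultdict(int)
    for e in events:                     # pass 3: timeline, top talkers, new indicators
        starts = [first_hit[x] for x in (e["host"], e["user"]) if x in first_hit]
        if not starts or e["ts"] < min(starts):
            continue                     # activity before compromise is not attacker activity
        timeline.append(f'{e["ts"]} {e["host"]} {e["user"]} {e["action"]} -> {e["dest"]} ({e["bytes"]} B)')
        if e["action"] != "proxy":
            continue
        traffic[e["host"]] += e["bytes"]
        if e["dest"] in seed_iocs:
            seen_seeds.add(e["dest"])
        elif not is_internal(e["dest"]):
            candidates.add(e["dest"])

    return {
        "timeline": timeline,
        "touched_devices": sorted(x for x in first_hit if x in hosts),
        "compromised_users": sorted(x for x in first_hit if x not in hosts),
        "top_talkers": sorted(traffic.items(), key=lambda kv: -kv[1]),
        "confirmed_iocs": sorted(seen_seeds),
        "candidate_indicators": sorted(candidates),
    }


if __name__ == "__main__":
    for key, value in profile_actor(parse_events(LOG_LINES), SEED_IOCS).items():
        print(key, value)
```

On the sample data the lateral auth event is what pulls srv-db2 and its later upload to drop.example.org into scope, which is the case a seed-IOC-only match would miss.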

Staffing Requirements:
• DXC Roles:
  • 1 x Security Principal (5% of time)
  • n x Security Architect (5% of time)
  • 1 x Account Security Officer (5% of time)
  • 1 x Program Director (10% of time)
  • 1 x Project Manager (10% of time)
  • n x Hunter, Incident Responder, Investigation and Forensics SMEs (n * full time for the duration of the remediation exercise)
• Customer Roles:
  • 1 x Head of IT Security (10% of time)
  • 1 x Chief Information Security Officer (5% of time)
  • 1 x Head of SOC (20% of time)
  • 1 x Program Director (10% of time)
  • 1 x Risk Officer, Compliance Officer, Group Internal Auditor (10% of time)
  • n x Hunter, Incident Responder, Investigation and Forensics SMEs (n * full time for the duration of the remediation exercise)

Key Activities:
Drive the communication between the various teams (CERT, Operations, Forensics and Consulting…) and perform the ongoing Threat Actor Profiling & Tracking: hunting, investigation, forensics, incident response, disruption, remediation, tracking and monitoring, according to the Digital Investigation & Forensics service Statement of Work

Deliverables:
• Threat actor profiles, blacklists, "touched" devices inventory and compromised user ID inventory
• Threat actor case repository and threat actor activities management report
• Drive understanding of the attacker's use case and his ability to move in the IT environment

Workload estimation:
• Estimated project duration = the duration of the remediation exercise (could be from 3 to 9 months, depending on the case)
• Workload associated with the DXC Digital Investigation & Forensics service

Business Benefits and Outcomes:
• Improved identification of threat actors and profiling activity
• Improved coverage of the Cyber Defense Strategy
• Cyber risk reduced by providing rapid response from a highly experienced Digital Investigation team
• Ability to achieve faster identification of new threat actors
• Improved management of and response to security incidents

Business Challenges and Problems Foregoing Commitment:
• Inability to sufficiently detect threat actor activity and to organize a proper response
• Inability to conduct a remediation exercise
• Inability to properly profile threat actors and define proper countermeasures for disruption exercises and removal of the threat actors
• Inefficient breach detection or inappropriate access to physical systems due to outsourcing

Capabilities addressed: CD.3.6
Evaluation criteria: Duration L, Business impact/disruption L, Cost L

Work package example

The CRA library of work packages is DXC Intellectual Property. For further information, please contact [email protected]


5. Vulnerability management key work packages: Part 1 (extract)


Work package mapping: CD.5.a, CD.5.b

[Blueprint layer diagram (figure residue): layers Strategic, Controls, Operations, Vulnerability, Intelligence and Context & Behavior; subdomains Security Monitoring, Security Incident Response & Remediation Management, Forensic Analysis & Response, Vulnerability Management, Asset Management, Threat Intelligence & Profiling, Digital Investigation & Forensics and Security Analytics; inputs: physical, IT and OT events; outputs: correlated events, actionable security & threat intelligence, and containment, clean-up, eradication, disruption and remediation. Legend: foundation work packages, advanced work packages, source code analysis work packages.]

Work packages mapped to the Vulnerability Management subdomain:
• Vulnerability Scanning (CD.5.a): automated scanning and reporting of applications and infrastructure to identify security vulnerabilities
• Penetration Testing (CD.5.b): test computer systems, networks and applications for security vulnerabilities that an attacker could exploit


Work package mapping: CD.5.c, CD.5.d

[Blueprint layer diagram (figure residue), same layers, subdomains, inputs, outputs and legend as on the previous page.]

Work packages mapped to the Vulnerability Management subdomain:
• Vulnerability Scanning (CD.5.a): automated scanning and reporting of applications and infrastructure to identify security vulnerabilities
• Penetration Testing (CD.5.b): test computer systems, networks and applications for security vulnerabilities that an attacker could exploit
• Specialized Penetration Testing (CD.5.c): specialized penetration testing for IoT and SCADA/ICS devices
• Social Engineering (CD.5.d): manual testing of people and processes to identify weaknesses and training requirements


Work package mapping: CD.5.e, CD.5.f

[Blueprint layer diagram (figure residue), same layers, subdomains, inputs, outputs and legend as on the previous pages.]

Work packages mapped to the Vulnerability Management subdomain:
• Vulnerability Scanning (CD.5.a): automated scanning and reporting of applications and infrastructure to identify security vulnerabilities
• Penetration Testing (CD.5.b): test computer systems, networks and applications for security vulnerabilities that an attacker could exploit
• Specialized Penetration Testing (CD.5.c): specialized penetration testing for IoT and SCADA/ICS devices
• Social Engineering (CD.5.d): manual testing of people and processes to identify weaknesses and training requirements
• Static Code Analysis (CD.5.e): analyze the source code of an application for security issues without executing it
• Dynamic Code Analysis (CD.5.f): analyze the source code of an application for security issues by running an instance of the application and tracing the execution paths


Work package: CD.5.c Specialized penetration testing

Name: Specialized Penetration Testing
Work Package ID: CD.5.c

Purpose and High Level Description:
• Specialized penetration testing evaluates the security of specialist electronic systems by safely analyzing the devices and protocols in use for security vulnerabilities in operating systems, applications, services, improper configurations and risky end-user behavior. The length and depth of an engagement can vary greatly depending on the assessment requirements and system characteristics, and may last between 1 week and a couple of months.
• Define the scope and define the program to execute specialized penetration testing. Specialized testing may fall into one of the following types of specialized electronic systems, applications and networks:
  • Industrial Control Systems (ICS) – Security testing of ICS systems including Supervisory Control and Data Acquisition systems (SCADA), Distributed Control Systems (DCS) and other smaller control systems such as Programmable Logic Controllers (PLC)
  • Internet of Things devices (IoT) – Security testing for Operational Technologies and Micro-electromechanical Systems (MEMS) used in precision agriculture, building management, healthcare, energy, transportation and manufacturing
  • Connected Vehicle Security – Local and remote testing of electronic computing units, control systems, sensors and communications networks used in modern connected vehicles
  • Cyber Attack Simulation – Assess the resilience of an organization's network to targeted cyber attack and its ability to detect and respond to an attack, using threat intelligence data to determine likely attack vectors and real-world tools and techniques to assess its Internet-facing IT systems
• Agree on the funding to execute the plan
• Execution of the penetration testing plan:
  • Determine the security of specialized systems, applications and networks through the use of attacker tools and techniques
  • Demonstrate compliance with organizational policy and regulatory requirements
  • Produce a report and provide recommendations in order to fix identified vulnerabilities

Staffing Requirements:
Assumption: 5 Systems
• DXC Roles:
  • 5 days - 1 x Security Consultant/SME
  • 1 day - Project Manager
• Customer Roles:
  • 2 days - Project point of contact

Assumption: 5 Applications
• DXC Roles:
  • 10 days - 1 x Security Consultant/SME
  • 1 day - Project Manager
• Customer Roles:
  • 2 days - Project point of contact

Key Activities:
(1) Understand and define the organizational requirements for penetration testing, including any legal or regulatory requirements in any geography, in order to correctly define the scope of work
(2) Understand any limitations to the testing, such as times and systems that must be excluded from testing, as well as types of testing that must be avoided on safety grounds and for other concerns
(3) Define and agree the Scope of work and ensure that it fulfils the organizational and business needs
(4) Deploy the penetration testing organization to execute against the scope of work
(5) Report the test findings, including a prioritized list of remediation recommendations and activities

Deliverables:
• Scope of work for the penetration testing engagement
• Penetration test report including a prioritized list of remediation recommendations and activities

Workload estimation:
• Estimated project duration = the duration of the execution of the penetration testing plan, which depends on the scope (could be between 1 week and 2 months)
• Hardware and software costs not included

Business Benefits and Outcomes:
• Demonstrate due diligence for IT system security
• Determine compliance of IT-connected systems with corporate security policy/regulatory compliance
• Protection of brand and company reputation

Business Challenges and Problems Foregoing Commitment:
• Unknown level of exposure of specialist IT systems connected to external networks
• Increased risk of cyber attacks causing real-world consequences
• Potential reputational damage and lost revenue due to a cyber attack on key business operations
• Potential fines from industry regulators

Capabilities addressed: CD.5.3
Evaluation criteria: Duration L, Business impact/disruption L, Cost L

Work package example



7. Appendix


Additional work packages


Work packages

Columns: WP name | Subdomain | WP description | WP outcomes | Objective | Timescale

CD.5.x – Internet-facing website inventory and review
  Subdomain: Vulnerability Management
  WP description:
  • Identify all Internet-facing websites and perform vulnerability scanning and/or penetration testing to identify vulnerabilities that may be exploited by a threat actor to gain access to the target's internal network or to change tactics when disrupted
  • Define and execute the website remediation plan
  WP outcomes:
  • Improved threat actor profiling as a result of correlation of known vulnerability knowledge
  • Reduced threat landscape
  Objective: VISIBILITY, THREAT ACTOR PROFILING
  Timescale: 2 months

CD.5.y – Vulnerability Scan & Penetration Testing outcomes analysis
  Subdomain: Vulnerability Management
  WP description:
  • (if available) Review the outcomes of penetration testing done in the last 2 years
  • (if available) Review the outcomes of vulnerability scanning done last year, targeting primarily Internet-facing services (VPN gateways, web services, email gateways, etc.)
  WP outcomes:
  • Improved threat actor profiling as a result of correlation of known vulnerability knowledge
  • Reduced threat landscape
  Objective: VISIBILITY, THREAT ACTOR PROFILING
  Timescale: 1 month

IES.1.z – Secure Machine & Clone creation factory
  Subdomain: IES/Security Enforcement by Design
  WP description:
  • Create images and clones to distribute corporate endpoint images aligned with security technical standards, to support incident remediation and recovery so that a large number of systems can be created very fast
  WP outcomes:
  • Reduced attack surface through secure creation and latest security updates
  Objective: RESPONSE
  Timescale: 2 months

CD.4.c – Cloud Forensic Readiness
  Subdomain: Digital Investigation & Forensics
  WP description:
  • Implement a Digital Investigation & Forensics service, including rapid security incident response and threat actor profiling of advanced threats, for cloud-based services
  WP outcomes:
  • Service and tooling to identify, contain and profile threat actors
  • Additional IOCs and intelligence
  Objective: VISIBILITY, RESPONSE
  Timescale: 1 month


Work package mapping: CD.5.x, CD.5.y

[Blueprint layer diagram (figure residue): layers Strategic, Controls, Operations, Vulnerability, Intelligence and Context & Behavior; subdomains Security Monitoring, Security Incident Response & Remediation Management, Forensic Analysis & Response, Vulnerability Management, Asset Management, Threat Intelligence & Profiling, Digital Investigation & Forensics and Security Analytics; inputs: physical, IT and OT events; outputs: correlated events, actionable security & threat intelligence, and containment, clean-up, eradication, disruption and remediation. Legend: SOC threat intelligence and contextualization work packages.]

Work packages mapped to the Vulnerability Management subdomain:
• Internet-facing website inventory and review (CD.5.x): particular attention to identifying vulnerabilities on Internet-facing services
• Vulnerability Scan & Penetration Testing outcomes analysis (CD.5.y): reduce the threat landscape by continually scanning assets and identifying vulnerabilities


Work package mapping: IES.1.z

[Blueprint layer diagram (figure residue), same layers, subdomains, inputs, outputs and legend as on the previous page.]

Work packages mapped to the diagram:
• Internet-facing website inventory and review (CD.5.x): particular attention to identifying vulnerabilities on Internet-facing services
• Vulnerability Scan & Penetration Testing outcomes analysis (CD.5.y): reduce the threat landscape by continually scanning assets and identifying vulnerabilities
• Secure Machine & Clone creation factory (IES.1.z): create images and clones to distribute corporate endpoint images aligned with security technical standards


Work package mapping: IES.1.z

[Blueprint layer diagram (figure residue), same layers, subdomains, inputs, outputs and legend as on the previous pages.]

Work packages mapped to the diagram:
• Internet-facing website inventory and review (CD.5.x): particular attention to identifying vulnerabilities on Internet-facing services
• Vulnerability Scan & Penetration Testing outcomes analysis (CD.5.y): reduce the threat landscape by continually scanning assets and identifying vulnerabilities
• Secure Machine & Clone creation factory (IES.1.z): create images and clones to distribute corporate endpoint images aligned with security technical standards
• Cloud Forensic Readiness (CD.4.c), Digital Investigation & Forensics subdomain: define requirements to appropriately define and implement a forensic and digital investigation capability for cloud-based services


Blueprint structure


Blueprint structure: Layers

• One single picture is used to outline the Blueprint
• Layers represent the key functional areas and are mapped to domains
• Relevant subdomains are mapped to layers, providing the end-to-end story

[Figure callouts: Blueprint layering model; 1-page summarized description of all Layers; Supporting background information: Benefits of investing, Risks of NOT investing; + 1 page per Layer]


Blueprint structure: Work packages

Work packages mapping to subdomains
• Each work package has the objective to deploy, set up and implement capabilities addressing one subdomain (sometimes with dependencies on other subdomains)

[Figure callouts: Work packages summary list; Work package detailed description]


Work package structure

[Figure callouts, describing the fields of a work package sheet:]
• WP title
• Reference Number
• Description of the WP's scope and objective, along with some solution requirements
• List of Capabilities addressed by the WP
• Evaluation Criteria
• Staffing estimation provided for DXC and for the customer
• Workload estimation summary and elapsed time to complete the work package
• Deliverables: what will be provided/delivered to the customer once the WP is completed
• Key activities to be executed as part of this WP
• Impacts to the customer of not implementing this WP
• Expected benefits from successful delivery of this Project


Subdomain, capability and work package ID assignment rules

Subdomains
An ID for a subdomain is made up of:
- The acronym for its parent Domain (for example, CD for Cyber Defense)
- The position of the subdomain in the header of the matrix
Example: the ID of the Security Monitoring subdomain will be CD.1

Capabilities
An ID for a Capability is defined by its position in the matrix and is made up of:
- The ID of the subdomain it belongs to
- Its row number in the matrix
Example: the ID of the Big Data Security Analytics Capability will be CD.6.1

Work packages
An ID for a work package is made up of:
- The ID of the subdomain it is related to
- A lowercase letter (a, b, c, etc.)
Example: the IDs of work packages related to the CD.1 subdomain can be CD.1.a, CD.1.b, CD.1.c, etc.

Work package evaluation criteria

Criteria                    | Low if…      | Medium if…     | High if…
Cost                        | < USD 100k   | USD 100–500k   | > USD 500k
Duration                    | < 3 months   | 3–6 months     | > 6 months
Business Impact/Disruption  | Low          | Medium         | High

[Figure callout: the rating box on a work package sheet lists Duration, Business impact/disruption and Cost; in the example shown they are rated L, M, M]