6,276 research outputs found

    Dynamic cyber-incident response

    Permission to make digital or hard copies of this publication for internal use within NATO and for personal or educational use when for non-profit or non-commercial purposes is granted providing that copies bear this notice and a full citation on the first page. Any other reproduction or transmission requires prior written permission by NATO CCD COE.

    Traditional cyber-incident response models have not changed significantly since the early days of the Computer Incident Response with even the most recent incident response life cycle model advocated by the US National Institute of Standards and Technology (Cichonski, Millar, Grance, & Scarfone, 2012) bearing a striking resemblance to the models proposed by early leaders in the field e.g. Carnegie-Mellon University (West-Brown, et al., 2003) and the SANS Institute (Northcutt, 2003). Whilst serving the purpose of producing coherent and effective response plans, these models appear to be created from the perspectives of Computer Security professionals with no referenced academic grounding. They attempt to defend against, halt and recover from a cyber-attack as quickly as possible. However, other actors inside an organisation may have priorities which conflict with these traditional approaches and may ultimately better serve the longer-term goals and objectives of an organisation

    ECHO Information sharing models

    As part of the ECHO project, the Early Warning System (EWS) is one of four technologies under development. The E-EWS will provide the capability to share information to provide up to date information to all constituents involved in the E-EWS. The development of the E-EWS will be rooted in a comprehensive review of information sharing and trust models from within the cyber domain as well as models from other domains

    Guide to Australia’s national security capability

    This paper provides a single consolidated picture of the capabilities that enable Australia to achieve national security outcomes in a range of environments, including domestically, at the border, offshore and in cyberspace. Introduction The period since 2001 has been transformative for Australia’s national security and our national security challenges continue to evolve. To meet these challenges, we need new ways to coordinate and develop our capability and to shape the national security environment. Significant advances have been made in recent years to build greater collaboration and interoperability across the national security community. However, the increasing complexity of national security threats requires an even more consistent and connected approach to capability planning that complements existing individual agency arrangements. To that end, the Government has developed a security classified National Security Capability Plan to provide a single consolidated picture of the capabilities that enable Australia to achieve national security outcomes. This Guide offers an overview of Australia’s national security capability planning. It identifies the functions performed by the national security community and how these achieve the objectives outlined in the National Security Strategy (2013). Capability planning is one of the tools that support Government to better consider how capabilities can be directed to meet national security objectives. This ensures that capability investment is focussed and that Government can give appropriate consideration to redirecting existing capabilities to meet new or emerging risks and opportunities. It also highlights areas where agencies’ capabilities are interdependent, identifying focus areas for collaboration and interoperability. Having a better understanding of our capabilities will help us to make more informed decisions about what we need. 
Australia’s national security arrangements are underpinned by a number of agencies working across areas such as diplomacy, defence, development, border protection, law enforcement and intelligence. Australia’s national security agencies include: Attorney-General’s Department (AGD) Australian Agency for International Development (AusAID) Australian Crime Commission (ACC) Australian Customs and Border Protection Service (ACBPS) Australian Federal Police (AFP) Australian Security Intelligence Organisation (ASIO) Australian Secret Intelligence Service (ASIS) Australian Geospatial-Intelligence Organisation (AGO) Australian Signals Directorate (ASD) Department of Agriculture, Fisheries and Forestry (DAFF) Department of Defence (Defence) Department of Foreign Affairs and Trade (DFAT) Department of Health and Ageing (DoHA) Department of Immigration and Citizenship (DIAC) Department of Infrastructure and Transport (DIT) Department of the Prime Minister and Cabinet (PM&C) Office of National Assessments (ONA). The Capability Plan brings together, for the first time, a single view of the capabilities maintained by these agencies with the exception of Defence capabilities. Defence has a separate established capability planning process that includes the Defence White Paper (2013) and Defence Capability Plan (2012). Defence is a key contributor to Australia’s national security arrangements including leading the coordination and delivery of national security science and technology and works in close cooperation with other national security agencies. Defence capabilities will continue to be managed through existing mechanisms, principally the Defence Capability Plan. For the first time, the Capability Plan, and the accompanying Guide to Australia’s National Security Capability, presents a unified picture of the capabilities that exist across non-Defence national security agencies. 
Together with other strategic planning tools, this work informs the broader national security planning cycle and supports the objectives and implementation of overarching policy documents such as the National Security Strategy and the Australia in the Asian Century White Paper. The Capability Plan complements the Defence Capability Plan and does not seek to duplicate it. It should also be noted that the Guide has not been designed to signal specific initiatives or tender opportunities. Such processes will continue to be managed by individual agencies

    CISE as a Tool for Sharing Sensitive Cyber Information in Maritime Domain

    The ECHO project aims at organizing and coordinating an approach to strengthen proactive cyber security in the European Union through effective and efficient multi-sector collaboration. One important tool for this aim is the ECHO Early Warning System (E-EWS). The development of the E-EWS will be rooted in a comprehensive review of information sharing and trust models from within the cyber domain, as well as models from other domains. In 2009, the Commission adopted a Communication Towards the integration of maritime surveillance in the EU: “A common information sharing environment for the EU maritime domain (CISE),” setting out guiding principles towards its establishment. The aim of the COM(2010)584 final was to generate a situational awareness of activities at sea and impact overall maritime safety and security. As an outcome of COM(2010)584 final, the EUCISE2020 project has developed a test-bed for maritime information sharing. This case study analyses information sharing models in the maritime domain, the EUCISE2020 test bed and the CISE itself as an alternative for cyber information sharing system. The maritime sector represents a suitable research case because it is already digitized in many aspects

    Trusted CI Experiences in Cybersecurity and Service to Open Science

    This article describes experiences and lessons learned from the Trusted CI project, funded by the US National Science Foundation to serve the community as the NSF Cybersecurity Center of Excellence. Trusted CI is an effort to address cybersecurity for the open science community through a single organization that provides leadership, training, consulting, and knowledge to that community. The article describes the experiences and lessons learned of Trusted CI regarding both cybersecurity for open science and managing the process of providing centralized services to a broad and diverse community.

    Comment: 8 pages, PEARC '19: Practice and Experience in Advanced Research Computing, July 28-August 1, 2019, Chicago, IL, US

    Applying Cyber Threat Intelligence to Industrial Control Systems

    A cybersecurity initiative known as cyber threat intelligence (CTI) has recently been developed and deployed. The overall goal of this new technology is to help protect network infrastructures. Threat intelligence platforms (TIPs) have also been created to help facilitate CTI effectiveness within organizations. There are many benefits that both can achieve within the information technology (IT) sector. The industrial control system (ICS) sector can also benefit from these technologies as most ICS networks are connected to IT networks. CTI and TIPs become resourceful when using indicators of compromise (IOCs) from known ICS malware attacks and an open source intrusion detection system (IDS). This research shows how these IT-based technologies may help protect ICS. Three known malware attack scenarios are used to showcase its likely deployment. These scenarios are well-documented campaigns that targeted ICS environments and consisted of numerous IOCs. Equipped with this data, critical asset owners can obtain situational awareness on potential attacks and protect their devices with the proper implementation of CTI and TIP technologies

    Expanding alliance: ANZUS cooperation and Asia–Pacific security

    Is an alliance conceived as a bulwark against a resurgence of Japanese militarism and which cut its military and intelligence teeth in the Cold War still relevant to today’s strategic concerns? Overview The alliance between Australia and the US, underpinned by the formal ANZUS Treaty of 1951, continues to be a central part of Australian defence and security thinking and an instrument of American policy in the Asia–Pacific. How is it that an alliance conceived as a bulwark against a resurgence of Japanese militarism and which cut its military and intelligence teeth in the Cold War is still relevant to today’s strategic concerns? The answer is partly—and importantly—that the core values of the ANZUS members are strongly aligned, and successive Australian governments and American presidential administrations have seen great value in working with like-minded partners to ensure Asia–Pacific security. Far from becoming a historical curiosity, today it’s not just relevant, but of greater importance than has been the case in the past few decades. To explore new ideas on how to strengthen the US–Australia alliance, ASPI conducted a high-level strategic dialogue in Honolulu in July this year. Discussions canvassed the future strategic environment; the forthcoming Australian Defence White Paper; budget, sovereignty and expectation risks; and cooperation in the maritime, land, air, cyber, space and intelligence domains. A key purpose of the Honolulu dialogue was to help ASPI develop policy recommendations on the alliance relationship for government. This report is the product of those discussions

    Cyber Storm II: final report

    As an outcome of a 2006 review of e-security arrangements, the Attorney-General's Department was tasked to develop a cyber exercise program to improve the ability of governments and critical infrastructure owners and operators to manage incidents affecting the National Information Infrastructure. As part of this role, the department coordinated a national cyber exercise, Cyber Storm II