
Determining the Impact of Incidents
CHAPTER 8

CYBERSECURITY ANALYSIS - UCC 1


Threat Classifications
• Incident: any action that results in direct harm to your system, or increases the likelihood of
unauthorized exposure of your sensitive data.
• Baseline: an understanding of what normal looks like. This gives you a reference point for noticing when things are
out of line or out of place. Without knowing what is normal, it is difficult to identify what is out of place.
• Incident response: In some organizations, making an incident response plan is compulsory; this can depend on your
environment.

Known Threat vs Unknown Threat

• We discussed that there are signature-based and anomaly-based methods for intrusion detection. Your antivirus
program works in a similar way. Signature-based systems rely on prior knowledge of a threat and are only as good as the
historical data in the system.
• What we are experiencing today are threats that are constantly changing their form, or that have not previously been
observed, so they pass through the system undetected.
• An alternative is to use a system that looks at the file's actions rather than at what it looks like. This kind of system relies on
heuristic analysis to observe the commands the executable invokes, the files it writes, etc.
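The contrast above can be made concrete with a toy detector. The following Python example is added here and is not code from the slides: it runs a signature engine (exact SHA-256 lookup against a "known bad" set) beside a heuristic engine (a weighted score over the actions a sample was observed performing). The hashes, action names, weights and samples are all constructed for the example, and the threshold is an assumed value.

```python
import hashlib
from dataclasses import dataclass, field
from typing import List

# Constructed signature database: SHA-256 of sample contents standing in for a
# real signature feed. Nothing here is a hash of actual malware.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"constructed-sample-known-threat-v1").hexdigest(),
}

# Behavioural indicators a heuristic engine might weight. The action names and
# weights are invented for this example.
ACTION_WEIGHTS = {
    "write:startup_folder": 3,
    "modify:registry_run_key": 3,
    "spawn:shell_from_office_app": 4,
    "connect:raw_external_ip": 2,
    "read:browser_credential_store": 4,
}
HEURISTIC_THRESHOLD = 5  # assumed cut-off for flagging a sample


@dataclass
class Sample:
    name: str
    content: bytes
    observed_actions: List[str] = field(default_factory=list)


def signature_match(sample: Sample) -> bool:
    """Signature engine: exact hash lookup, only as good as the database."""
    return hashlib.sha256(sample.content).hexdigest() in KNOWN_BAD_SHA256


def heuristic_score(sample: Sample) -> int:
    """Heuristic engine: sum the weights of the actions the sample performed."""
    return sum(ACTION_WEIGHTS.get(a, 0) for a in sample.observed_actions)


def classify(sample: Sample) -> str:
    """Known threats by signature first, then unknown threats by behaviour."""
    if signature_match(sample):
        return "known"
    if heuristic_score(sample) >= HEURISTIC_THRESHOLD:
        return "suspicious"
    return "clean"


# Constructed samples (not real files).
KNOWN = Sample("known-threat", b"constructed-sample-known-threat-v1",
               ["write:startup_folder", "connect:raw_external_ip"])
# Same behaviour, one byte of content changed: the hash matches nothing.
VARIANT = Sample("repacked-variant", b"constructed-sample-known-threat-v2",
                 ["write:startup_folder", "connect:raw_external_ip"])
# A legitimate installer that registers itself to start at login, nothing more.
BENIGN = Sample("installer", b"constructed-benign-installer",
                ["write:startup_folder"])


if __name__ == "__main__":
    for s in (KNOWN, VARIANT, BENIGN):
        print(f"{s.name}: signature={signature_match(s)} "
              f"score={heuristic_score(s)} verdict={classify(s)}")
```

The repacked variant is the unknown-threat case from the slide: the signature engine misses it because its hash is not in the historical data, while the heuristic engine still flags it because its behaviour is unchanged. The benign installer shows the trade-off in the other direction: a single suspicious action is not enough on its own, which is why heuristic thresholds need tuning against a baseline of normal activity.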

Zero Day
• This refers to a vulnerability or exploit never before seen in public. A zero-day vulnerability is a flaw in a piece of software
that the vendor is unaware of and has thus not issued a patch or advisory for.


Preparation
The way we defend today is by enriching our tools with threat intelligence – understanding what
tools malicious hackers are using and analyzing indicators for the presence of a threat. We use
this intelligence to create signatures to detect threat activity and to inform incident response (IR).
While this can be a very cost-effective way of dealing with threats, it requires knowledge of the
indicators, and it has a very short half-life of effectiveness.
Although the word "response" is in incident response, the team should also develop a methodology that is
proactive. Two great resources are the SANS Internet Storm Center and the CERT
Coordination Center at Carnegie Mellon University.


Advanced Persistent Threat (APT)
In 2003 analysts discovered a series of coordinated attacks against the DOD, Department of
Energy, NASA and DOJ, and it was found to have been in progress for at least three years at that
point. The actors tried to hide their footprint and took extra steps to ensure their trail was
hidden. This was later called “Titan Rain” and attributed to an APT.
The goal of an APT is to gain and maintain persistent access to target systems while remaining
undetected.
An advanced persistent threat (APT) is a network attack in which an unauthorized person gains
access to a network and stays there undetected for a long period of time. The intention of an
APT attack is to steal data rather than to cause damage to the network or organization.


The Most Famous Advanced Persistent Threats in History
https://www.itbusinessedge.com/slideshows/the-most-famous-advanced-persistent-threats-in-history-02.html
Advanced
The operators behind these campaigns are often well equipped, funded and formally educated.
Their attacks suggest a high degree of coordination between technical and nontechnical information
sources.
Persistent
The campaigns are normally coordinated by government and military organizations; the operation is
focused on specific targets. The operators will ignore opportunistic targets and remain focused on
the campaign at hand.

Threat
Their campaigns show capability and intent. Like a military strike, APT campaigns often serve as an
extension of political will. Due to the complex nature of APTs, it may be difficult to handle them alone.


Factors Contributing to Incident Severity and Prioritization
Scope of Impact:
It is not enough to state that the network is slow to make a good determination of what to do
next. SCOPE OF IMPACT is the formal determination of whether an event is enough of a
deviation from normal operations to be called an incident.
As an administrator you yourself may trigger events that appear to be an attack, including
those that are in effect a DoS triggered from the inside. When you are faced with these anomalies,
they need to be documented; this will in effect reduce the number of false positives and hence
build confidence in your alerting system.
Remember!!! For some organizations, the mention of a security breach can be damaging
regardless of what was compromised.
Research RSA’s SecurID. Pg. 171 of text.


Maximum Tolerable Downtime
The key is to determine which of the organization's critical systems are needed for survival and to
estimate the outage time that the company can tolerate as a result of an incident.


Factors Contributing to Severity Levels
Scope of the Impact
Downtime and Recovery Time
◦ Maximum Tolerable Downtime (MTD)
◦ Recovery Point Objective (RPO)
◦ Recovery Time Objective (RTO)
Mean Time Between Failures
◦ Mean Time to Repair

Criticality       Maximum Tolerable Downtime
Nonessential      30 days
Normal            7 days
Important         72 hours
Urgent            24 hours
Critical          Minutes to hours


At a given point in time, a disaster occurs and systems need to be recovered. At this point
the Recovery Point Objective (RPO) determines the maximum acceptable amount of data loss,
measured in time. For example, the maximum tolerable data loss is 15 minutes.


At this stage the systems are recovered and back online but not ready for production yet. The
Recovery Time Objective (RTO) determines the maximum tolerable amount of time needed to
bring all critical systems back online. This covers, for example, restoring data from backup or fixing
a failure. In most cases this part is carried out by the system administrator, network administrator,
storage administrator, etc.


At this stage all systems are recovered, integrity of the system or data is verified and all critical
systems can resume normal operations. The Work Recovery Time (WRT) determines the
maximum tolerable amount of time that is needed to verify the system and/or data integrity.
This could be, for example, checking the databases and logs, making sure the applications or
services are running and are available.


The sum of RTO and WRT is defined as the Maximum Tolerable Downtime (MTD), which defines
the total amount of time that a business process can be disrupted without causing any
unacceptable consequences. This value should be defined by the business management team or
someone like the CTO, CIO or IT manager.
This is of course a simple example of a Business Continuity/Disaster Recovery plan and should be
included in your Business Impact Analysis (BIA).
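The relationships above (MTD = RTO + WRT, RPO as a time window, and the per-tier MTD values from the severity table) can be checked mechanically across an inventory of systems. The Python example below is added here and is not code from the slides: it takes the tier-to-MTD mapping from the table, represents the "minutes to hours" critical tier as an assumed 4 hours, and flags any plan whose projected RTO + WRT exceeds its MTD or whose backup interval is longer than its RPO. The sample systems, their tiers and their timings are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Maximum Tolerable Downtime per criticality tier, in hours, from the severity table.
# The table gives "minutes to hours" for the critical tier; 4 hours is an assumed value.
MTD_BY_TIER_HOURS = {
    "nonessential": 30 * 24,   # 30 days
    "normal": 7 * 24,          # 7 days
    "important": 72,
    "urgent": 24,
    "critical": 4,             # assumption, see above
}


@dataclass
class RecoveryPlan:
    name: str
    tier: str
    rto_hours: float              # time to bring the system back online
    wrt_hours: float              # time to verify system/data integrity afterwards
    rpo_hours: float              # maximum acceptable data loss, expressed as time
    backup_interval_hours: float  # how often backups are actually taken


def mtd_hours(plan: RecoveryPlan) -> float:
    """MTD the business tolerates for this plan's criticality tier."""
    return MTD_BY_TIER_HOURS[plan.tier]


def projected_downtime_hours(plan: RecoveryPlan) -> float:
    """Total disruption the plan implies: RTO (restore) plus WRT (verify)."""
    return plan.rto_hours + plan.wrt_hours


def worst_case_data_loss_hours(plan: RecoveryPlan) -> float:
    """A disaster just before the next backup loses one full backup interval."""
    return plan.backup_interval_hours


def assess(plan: RecoveryPlan) -> List[str]:
    """Return findings for the plan; an empty list means it meets MTD and RPO."""
    findings = []
    downtime = projected_downtime_hours(plan)
    mtd = mtd_hours(plan)
    if downtime > mtd:
        findings.append(
            f"{plan.name}: RTO+WRT = {downtime}h exceeds MTD {mtd}h for tier '{plan.tier}'"
        )
    loss = worst_case_data_loss_hours(plan)
    if loss > plan.rpo_hours:
        findings.append(
            f"{plan.name}: backup interval {loss}h exceeds RPO {plan.rpo_hours}h"
        )
    return findings


def prioritise(plans: List[RecoveryPlan]) -> List[RecoveryPlan]:
    """Order plans by how little downtime the business tolerates, most critical first."""
    return sorted(plans, key=mtd_hours)


# Constructed sample inventory (not from the slides).
SAMPLE_PLANS = [
    RecoveryPlan("payroll-db", "important", rto_hours=48, wrt_hours=12,
                 rpo_hours=0.25, backup_interval_hours=24),
    RecoveryPlan("internal-wiki", "nonessential", rto_hours=96, wrt_hours=8,
                 rpo_hours=24, backup_interval_hours=24),
    RecoveryPlan("auth-service", "critical", rto_hours=3, wrt_hours=2,
                 rpo_hours=0.25, backup_interval_hours=0.1),
]


if __name__ == "__main__":
    for plan in prioritise(SAMPLE_PLANS):
        for line in assess(plan) or [f"{plan.name}: meets MTD and RPO targets"]:
            print(line)
```

Two of the constructed plans fail for different reasons: the payroll database meets its 72-hour MTD but its daily backups cannot honour a 15-minute RPO, and the authentication service backs up often enough but its restore-plus-verify time is longer than the downtime its tier tolerates. Running this kind of check as part of the BIA turns the MTD, RPO and RTO figures from definitions into a test that each system's actual backup and recovery arrangements either pass or fail.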


Types of Data
Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is a category of sensitive information that is associated with an individual person, such as
an employee, student, or donor. PII should be accessed only on a strictly need-to-know basis and handled and stored with care.
PII is information that can be used to uniquely identify, contact, or locate a single person. Personal information that is
“de-identified” (maintained in a way that does not allow association with a specific person) is not considered sensitive. While Social
Security numbers are a type of PII, the legal requirements for protecting them are much more stringent than for other PII.
The company policies, contractual obligations, and federal and state laws and regulations require appropriate protection of PII
that is not publicly available. These regulations apply to PII stored or transmitted via any type of media: electronic, paper,
microfiche, and even verbal communication. PII does not include publicly available information that is lawfully made available to
the general public from federal, state, or local government records.
Payment Card Information
Information related to credit, debit, or other payment cards. This data type is governed by the Payment Card Industry (PCI) Data
Security Standards (PCI-DSS) and overseen by the organization. Credit or debit card numbers cannot be stored in any electronic
format without the expressed, written consent of the stakeholders Office. That office is responsible for the only PCI-compliant
environment.
Intellectual Property
Personal Health Information (PHI)
