The best cyber defense mechanisms cannot prevent all cyber incidents.
Even with well-trained staff, properly configured firewalls, current antivirus systems, and a solid network, a cyber attack could still be successful.
Therefore, proper planning and preparation are invaluable to respond to and recover from a cyber incident.
Organizations without an existing incident response capability should consider establishing one. To aid control systems owners and operators, the CSSP has prepared a Recommended Practice: Developing an Industrial Control Systems Cybersecurity Incident Response Capability.
Even without a detailed and complete response plan, organizations can familiarize themselves with some basic concepts and actions that will make for a more effective incident response if and when a cyber compromise occurs.
Detection of Compromise
The ability to detect and identify the source and analyze the extent of a compromise is crucial to rapid incident response, minimizing loss, mitigating exploited weaknesses, and restoring services.
Detecting an incident early limits or even prevents possible damage to control systems and reduces the level of effort required to contain, eradicate, recover, and restore affected systems. Many tools are available to assist with the detection of network and system compromises.
Network traffic analysis tools, intrusion detection systems (IDSs), antivirus systems, and real-time log analysis (including security information and event management [SIEM] systems) combine to aid in detecting malware, intrusion attempts, policy violations, exploitation, and component failure. ICS-CERT releases indicators of compromise, when available, to assist critical infrastructure asset owners and operators in the detection of compromise by known attackers.
In addition, ICS-CERT provides analytic services to companies requesting support in response to an incident. ICS-CERT is able to analyze hard drives, log files, malware, and other artifacts and provide detailed indicators/analysis reports to assist organizations in detecting and mitigating malicious activity.
The following different types of indicators are commonly provided by ICS-CERT through analysis and reports:
• IP addresses
• Domain names
• Web browser user agent strings
• File hashes
• File names
• E-mail addresses
• E-mail subject lines
Using this information, network administrators should be able to identify which internal hosts have communicated with which IP addresses or domains and what type of traffic was generated.
Domain Name Service (DNS) queries, e-mail activity, and the presence of specific files on systems are all detection capabilities that asset owners are encouraged to develop.
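As an added example (not from the ICS-CERT document), the following Python matcher takes an indicator set of the types listed above and runs it over resolver, web proxy, and file-inventory records to report which internal hosts talked to which IP addresses or domains, which presented a listed user agent string, and which hold a file with a listed hash. All indicator values, sample records, and the three log line formats are constructed assumptions for this illustration.

```python
import re
from collections import defaultdict

# Constructed placeholder indicators of the kinds listed above (not real IoCs).
INDICATORS = {
    "ip": {"203.0.113.45"},
    "domain": {"update-check.example.net"},
    "user_agent": {"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    "file_hash": {"0123456789abcdef0123456789abcdef"},
}
# Constructed sample logs; the line formats are assumptions for this example:
# resolver "<time> <src> query <qtype> <name>", proxy "<time> <src> <dst_ip>
# <method> <path> "<user-agent>"", file inventory "<host> <path> <md5>".
DNS_LOG = [
    "2013-05-02T14:03:11Z 10.1.20.7 query A update-check.example.net",
    "2013-05-02T14:03:12Z 10.1.20.9 query A ntp.vendor.example.com",
]
PROXY_LOG = [
    '2013-05-02T14:05:44Z 10.1.20.7 203.0.113.45 GET /cfg "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '2013-05-02T14:06:01Z 10.1.20.9 198.51.100.8 GET /index.html "Mozilla/5.0 (Windows NT 6.1)"',
]
FILE_INVENTORY = [
    "hmi-ws02 C:\\Windows\\Temp\\svc.exe 0123456789abcdef0123456789abcdef",
    "eng-ws01 C:\\Windows\\System32\\notepad.exe fedcba9876543210fedcba9876543210",
]
PROXY_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)"$')


def match_indicators(dns_lines, proxy_lines, file_lines, indicators=INDICATORS):
    """Map each internal host to the sorted (indicator_type, value) pairs it
    touched, so responders see who talked to what and who holds flagged files."""
    hits = defaultdict(set)
    for line in dns_lines:  # DNS queries for listed domains
        _ts, host, _verb, _qtype, name = line.split()
        if name.lower() in indicators["domain"]:
            hits[host].add(("domain", name.lower()))
    for line in proxy_lines:  # outbound web traffic: destination IP and UA string
        m = PROXY_RE.match(line)
        if not m:
            continue
        _ts, host, dst_ip, _method, _path, ua = m.groups()
        if dst_ip in indicators["ip"]:
            hits[host].add(("ip", dst_ip))
        if ua in indicators["user_agent"]:
            hits[host].add(("user_agent", ua))
    for line in file_lines:  # presence of files with listed hashes
        host, _path, digest = line.rsplit(" ", 2)
        if digest.lower() in indicators["file_hash"]:
            hits[host].add(("file_hash", digest.lower()))
    return {h: sorted(v) for h, v in hits.items()}
```

Running `match_indicators(DNS_LOG, PROXY_LOG, FILE_INVENTORY)` on the constructed data flags host 10.1.20.7 for the domain, IP, and user agent hits and hmi-ws02 for the file hash, while the benign records for 10.1.20.9 and eng-ws01 produce nothing.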
Preserving Forensic Data
Other critical components of incident response are forensic data collection, analysis, and reporting. These elements are essential to preserving important evidence. To avoid the loss of essential forensic data, the following activities should be conducted:
• Keep detailed notes of what is observed, including dates/times, mitigation steps taken/not taken, device logging enabled/disabled, and machine names and IP addresses for suspected compromised equipment.
• When possible, capture live system data (i.e., current network connections and open processes) from a machine you suspect is compromised prior to disconnecting it from the network.
• Capture forensic images of the system memory and hard drive prior to powering down the system.
• Avoid running antivirus software “after the fact” as the antivirus scan changes critical file dates and impedes discovery and analysis of suspected malicious files and timelines.
• Avoid making changes to the operating system or hardware, including updates and patches, as they will overwrite important information about the suspected malware.
Organizations should consult with trained forensic investigators for advice and assistance prior to implementing any recovery or forensic efforts. Control system environments have special needs that should be evaluated when establishing a cyber forensic plan.
ICS-CERT recommends the following source on Control System forensics:
• Recommended Practice: Creating Cyber Forensics Plans for Control Systems, Department of Homeland Security, 2008.
Reporting and Coordination
When an incident is suspected, working with ICS-CERT can enhance an organization’s ability to detect and understand the problem. CSSP and ICS-CERT encourage organizations to report suspicious cyber activity, incidents, and vulnerabilities affecting critical infrastructure control systems.
Reporting both suspected and known incidents assists ICS-CERT with tracking and correlation against other incidents.