
Ebook: Best Practices in Computer Network Defense: Incident Detection and Response

The cyber security of vital infrastructure and services has become a major concern for countries worldwide. The members of NATO are no exception, and they share a responsibility to help the global community to strengthen its cyber defenses against malicious cyber activity. This book presents 10 papers and 21 specific findings from the NATO Advanced Research Workshop (ARW) ‘Best Practices in Computer Network Defense (CND): Incident Detection and Response’, held in Geneva, Switzerland, in September 2013. The workshop was attended by a multi-disciplinary team of experts from 16 countries and three international institutions. The book identifies the state-of-the-art tools and processes being used for cyber defense and highlights gaps in the technology. It presents the best practice of industry and government for incident detection and response and examines indicators and metrics for progress along the security continuum. This book provides those operators and decision makers whose work it is to strengthen the cyber defenses of the global community with genuine tools and expert advice. Keeping pace and deploying advanced process or technology is only possible when you know what is available. This book shows what is possible and available today for computer network defense and for incident detection and response.
Malicious cyber activities are an emerging security challenge for all countries, and the members of the North Atlantic Treaty Organization (NATO) share a responsibility to help the global community strengthen its cyber defenses. One of NATO's unique strengths lies in its ability to tap into the operational capabilities and expertise of its members' militaries, and to harness the innovations and technologies of its members' industrial base to ensure national and Euro-Atlantic prosperity, security, and stability. This commitment was reinforced in the Chicago Summit Declaration of May 2012 when NATO members agreed to address cyber threats to improve their common security. [1]
NATO seeks ways to jointly research, develop, implement, and field interoperable cyber defense capabilities to enhance the cyber defense posture of the Alliance. The NATO Communications and Information Agency (NCIA) is instrumental in meeting this challenge. The NCIA is implementing the best of the capabilities used by its member states and transforming the NATO operating model toward being ‘services based.’ Cyber defense is being consolidated into one portfolio and cyber services will be offered in a catalogue of services from early 2014. This allows NATO to fulfill some of the requirements outlined in the cyber defense policy by broadening the pooling and sharing of more information on defense technologies, intelligence, and best practices.
NATO is also engaging its network of partnerships, which includes one-third of the world's countries, by facilitating cooperation between all stakeholders—public and private, state and non-state, civilian and military—to reduce the vulnerabilities of national critical infrastructures and achieve a minimum level of cyber defense. NATO recognizes that the more alike each country's approach is, the greater protection we all will enjoy.
The NATO Science for Peace and Security (SPS) Programme is an excellent mechanism for NATO's members and partners to share effective practices and solutions for emerging security challenges like those presented by malicious cyber threats. The Advanced Research Workshop (ARW) entitled ‘Best Practices in Computer Network Defense (CND): Incident Detection & Response’ generated actionable information that will inform NATO cyber defense policy for the foreseeable future. It identified the state-of-the-art tools and processes being used for cyber defense and highlighted our technology gaps. It presented industry and government best practices for incident detection and response, and examined indicators and metrics to measure our maturity along that security continuum.
Our security relies on assurances that our defenses—local, global, procedural, political, and technological—are leading edge and address effectively the threats these services face. These defenses are tested routinely, and cannot fail. We believe that this book will provide operators and decision makers with genuine tools and expert advice for computer network defense, incident detection and incident response. It is our hope that the twenty-one findings from the workshop and the technical papers that underpin those insights will serve to strengthen the cyber defenses of the global community.
Mr. Koen Gijsbers
General Manager, NATO Communications and Information Agency
November 2013
References
[1] Heads of State and Government participating in the meeting of the North Atlantic Council in Chicago, 2012. Chicago Summit Declaration, para. 49. [online] Available at: <http://www.nato.int/cps/en/SID-D03EFAB6-46AC90F8/natolive/official_texts_87593.htm?selectedLocale=en> [Accessed 15 November 2013].
New technology trends invariably impact prospects for computer network defense (CND), including the protection of critical infrastructures and services. Three evolving trends stand out in particular: 1) critical infrastructures' increasing reliance on commercial off-the-shelf (COTS) technologies; 2) societies' growing reliance on mobile technologies, coupled with a movement towards the ‘Internet of Things’; and 3) the advent of cloud computing and big data. While these ICT trends contribute to economic growth and development, they will also generate new vulnerabilities, many of which may negatively impact segments of society. While policymakers play an important role in strengthening cyber security and resiliency, they may not always fully grasp the security implications of these and other technology trends, including the potential for ripple effects across different critical services and sectors. Minimizing this knowledge gap, and bringing tighter alignment and a shared understanding of the operational realities and policy implications associated with new trends, is essential to promote effective computer network defense.
New techniques, tactics, and procedures (TTPs) are now available to strengthen security postures and become more resilient to cyber threats. Most of these technologies are accessible and affordable, and they are showing promising results. This paper exemplifies eight specific advanced techniques, tactics, and procedures to counter cyber threats, including using moving target architectures to confuse the adversary, monitoring the dark space of the Internet, and using honeypots to detect adversaries and infected machines within an organization's infrastructure. It also explains what is required to enable these techniques and what metrics should be used to measure their results. These advanced practices should become common security standards.
Cyber threats are now so pervasive, sophisticated, and targeted that traditional, reactive computer network defense is no longer sufficient to counter them. Upstream security, which represents a new layer of safeguards that can be deployed well beyond the enterprise perimeter, intercepts malicious activity before it reaches an organization's network. Telecommunications providers are well positioned to offer this type of proactive cyber defense and defense-in-depth, as they possess significant technical capabilities and a unique view on traffic flow. Together, these assets can create a security layer that may operate at higher efficiencies and effectiveness than any enterprise security program. The evidence demonstrates that upstream security and upstream intelligence provide innovative and effective techniques for network defense.
In the past, Computer Network Defense (CND) was intended to be minimally intrusive to the other requirements of IT development, business, and operations. This paper outlines how different security paradigms have failed to become effective defense approaches, and what the root cause of the current situation is. Based on these observations, a different point of view is proposed: acknowledging the inherent composite nature of computer systems and software. Considering the problem space from the composite point of view, the paper offers ways to leverage composition for security, and concludes with a list of recommendations.
The North Atlantic Treaty Organization (NATO) has a key role to play in improving member states' and partners' overall cyber defense posture. To achieve this objective, NATO must ensure it is not imposing overlapping or conflicting requirements that may make national cyber security programs less effective, and must drive efforts to improve national incident response and international coordination. Developing these capabilities will require coordinated planning, implementation, and performance management of mature national cyber security strategies across NATO countries. Understanding all layers of the NATO cyber ecosystem, including the stakeholders' priorities, maturity levels of current guidance on cyber security, and NATO's own ability to influence and add value to each layer of its ecosystem is essential to ensure NATO can issue effective guidance.
This paper discusses the evolution of Computer Emergency Response Teams (CERTs) due to trends in technology and society. It shows how these trends affect the selection of services a CERT can provide to its constituency, and the effects on its resources. The argument is that CERTs need to focus more and more on the specific services they can provide. The selection of these services must be driven by the objectives of their parent organization, the constituency they serve, and the urgency with which services must be provided. The paper further asserts that cyber security organizations (highly) specialized in a limited number of tasks should collaborate with others in order to effectively handle incidents. Trust among participants represents the basis for any successful collaboration. Trust, however, only exists between people. Thus, several other elements need to be in place in order to extend individual trust to organizations.
Standards play a key role in improving cyber defense and cyber security across different geographical regions and communities. Standardizing processes and procedures is also essential to achieve effective cooperation in cross-border and cross-community environments. The number of standards development organizations and the number of published information security standards have increased in recent years, creating significant challenges. Nations are using standards to meet a variety of objectives, in some cases imposing standards that are competing and contradictory, or excessively restrictive and not interoperable. Other standards favor companies that are already dominant in their field. The European Union, with the support of ENISA, has started to include standards in its strategies and policies, but much remains to be done. The development and use of standards is necessary, timely, and requires the involvement of public and private sector actors working in tandem.
Virtually every aspect of modern life is shaped by advancements in technology. While there are undeniable benefits to this ubiquitous use of technology and the Internet, we must also understand the security risks that come with them and take appropriate measures for preparedness. The challenges faced by government, industry, and academia continue to grow in volume and complexity as cyber security threats constantly evolve. The need to ensure that cyber security best practices are ingrained in everyone's behavior and continue to be an essential component of business operations has never been greater. Good cyber security is built on layers: a defense-in-depth strategy. A critical component of this strategy is to improve our cyber hygiene through positive change in behavior. The paper explores innovative ways to influence long-lasting outcomes in three areas: cyber security strategy, the human factor, and leadership.
Effective Computer Network Defense requires close cooperation and collaboration between government and industry, science and education, and national and international efforts. The Netherlands offers a concrete example of a successful public-private partnership aimed at improving overall cyber security for its society in general, including government, industry, and citizens. This requires more than a mere national cyber security strategy. Mutual trust between parties and close international cooperation and collaboration are essential. The Dutch approach has been successful so far, but it needs the constant attention and focus of all parties involved. The lessons learned from this approach can help build NATO's non-traditional networks and enhance its overall cyber defense posture through cooperation with partner countries, organizations, and commercial entities.