Cyber Attack Task Force - Final Report - NERC
Responses to Attack
Entities that utilize outside services to assist with forensics or possible criminal prosecution
should make sure the service provider or law enforcement agency is aware of all operational
requirements and obligations. These could preclude or inhibit the collection of certain evidence
(i.e. hardware and software) as part of the investigation.
See the reference section for links to documents related to establishing a forensics program for
control systems.
If prevention eventually fails, preparedness to detect the compromise before impact is realized
is the next goal. The same data sources that lead to a sound post-incident forensics analysis
will also provide the mechanisms to proactively detect and deter successful compromises.
These data sources include standard IT infrastructure logging such as firewall and intrusion
detection systems. Secondary data sources that have proven to be invaluable during detection
and forensics include NetFlow data, Domain Name Resolution (DNS) logging, proxy logging,
email (SMTP) logging, remote access (VPN) logging and full packet captures. It is
recommended to extend the retention of these logs as long as feasible to maintain the
historical forensics capability.
Once the above data sources are logged, they may be correlated together to give context on the
source of the intrusion and the methods the adversary may be using. This correlation of key
artifacts may be distilled into what is known as Indicators of Compromise (IOCs), which can
allow for detection of follow-on attempts or sharing with the industry through trusted partners
such as the ES-ISAC or ICS-CERT.
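The correlation just described, as an added example that is not part of the NERC report: starting from the host named in an IDS alert, the code pivots through DNS, proxy and NetFlow records to distil the domains and external addresses that host used into an IOC set, then matches new log lines against that set to spot follow-on attempts. All log lines, hosts, domains and addresses are constructed for illustration.

```python
"""Correlate IDS, DNS, proxy and NetFlow records into Indicators of Compromise."""
import ipaddress
import re

# Constructed sample records, one event per line (key=value fields after the timestamp).
IDS_ALERTS = ["2024-05-01T09:59:58 host=10.1.1.5 sig=exploit-kit-landing-page"]
DNS_LOG = [
    "2024-05-01T10:00:01 host=10.1.1.5 query=update.example-bad.test answer=203.0.113.7",
    "2024-05-01T10:00:05 host=10.1.1.9 query=intranet.example.test answer=10.1.2.2",
]
PROXY_LOG = [
    "2024-05-01T10:00:03 host=10.1.1.5 url=http://update.example-bad.test/a.exe",
    "2024-05-01T10:00:09 host=10.1.1.9 url=http://intranet.example.test/index.html",
]
FLOW_LOG = [
    "2024-05-01T10:00:04 src=10.1.1.5 dst=203.0.113.7 dport=443 bytes=5242880",
    "2024-05-01T10:00:10 src=10.1.1.9 dst=10.1.2.2 dport=80 bytes=1200",
]

def parse(line):
    """Split a log line into a dict of key=value fields; URLs are reduced to their hostname."""
    rec = dict(re.findall(r"(\w+)=(\S+)", line))
    if "url" in rec:
        rec["url"] = re.sub(r"^\w+://([^/]+).*", r"\1", rec["url"])
    return rec

def correlate(ids_alerts, dns_log, proxy_log, flow_log):
    """Pivot from the hosts named in IDS alerts through DNS, proxy and flow data and
    return the set of domains and external addresses those hosts were seen using."""
    hosts = {parse(alert)["host"] for alert in ids_alerts}
    iocs = set()
    for rec in map(parse, dns_log):
        if rec["host"] in hosts:
            iocs.update((rec["query"], rec["answer"]))
    for rec in map(parse, proxy_log):
        if rec["host"] in hosts:
            iocs.add(rec["url"])
    # From NetFlow keep only external destinations; internal traffic is not an IOC.
    for rec in map(parse, flow_log):
        if rec["src"] in hosts and not ipaddress.ip_address(rec["dst"]).is_private:
            iocs.add(rec["dst"])
    return iocs

def detect(iocs, lines):
    """Return the internal hosts in new log lines that touch any known IOC."""
    hits = set()
    for rec in map(parse, lines):
        if any(value in iocs for key, value in rec.items() if key != "host"):
            hits.add(rec.get("host") or rec.get("src"))
    return hits
```

The resulting IOC set is what would be shared with partners such as the ES-ISAC or ICS-CERT, and the same `detect` pass can be rerun over retained logs to find earlier contact that predates the alert.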
Cyber Attack Task Force Report 31