Monday, February 13, 2017

Into the Gray Zone The Private Sector and Active Defense Against Cyber Threats

Into the Gray Zone The Private Sector and Active Defense Against Cyber Threats

Em direção a Zona Cinzenta - O Setor Privado e a Defesa Ativa contra Cyber Ameaças

https://cchs.gwu.edu/sites/cchs.gwu.edu/files/downloads/CCHS-ActiveDefenseReportFINAL.pdf 

Appendix IV: Glossary of Terms Term Definition and Source Advanced Persistent Threat (APT) “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to achieve its objectives using multiple attack vectors. (NIST SP 800-61).” “An adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.” SP 800-39. http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Anti-malware “A technology widely used to prevent, detect and remove many categories of malware, including computer viruses, worms, Trojans, keyloggers, malicious browser plug-ins, adware and spyware.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Beaconing “A way to enhance electronic files to allow for awareness of whether protected information has left an authorized network and can potentially identify the location of files in the event they are stolen.’” Sean L. Harrington, Cyber Security Active Defense: Playing with Fire or Sound Risk Management?, 20 Rich. J.L. & Tech. 1, 9 (2014) (citing Comm’n on the Theft of Am. Intellectual prop., The IP Commission Report 81 (2013), available at http:// ipcommission.org/report/IP_Commission_Report_052213.pdf). 50 | Appendix IV: Glossary of Terms Term Definition and Source Blacklisting “The process of the system invalidating a user ID based on the user’s inappropriate actions. A blacklisted ID cannot be used to log on to the system, even with the correct authenticator. Blackslisting and lifiting of a blacklisting are both security-relevant events. Blacklisting also applies to blocks placed against IP addresses to prevent inappropriate or unauthorized use of Internet resources.” CNSSI-4009.“A list of email senders who have previously sent spam to a user.” SP 800-114. “A list of discrete entities, such as hosts or applications, that have been previously determined to be associated with malicious activity.” SP 800-94. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Botnet “A term derived from ‘robot network;’ is a large automated and distributed network of previously compromised computers that can be simultaneously controlled to launch large-scale attacks such as a denial-of-service attack on selected victims.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Botnet takedown “Actions taken to identify and disrupt a botnet’s command and control infrastructure.” http://timreview.ca/article/862 Challenge and Reply Authentication “A prearranged procedure in which a subject requests authentication of another and the latter establishes validity with a correct reply.” CNSSI-4009 http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Communications deception “Deliberate transmission, retransmission, or alteration of communications to mislead an adversary’s interpretation of the communications.” CNSSI-4009. “Alteration or simulation of friendly telecommunications for the purpose of deception.” CNSSI-4009. “Introduction of deceptive messages or signals into an adversary’s telecommunication signals.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Computer Network Attack “Actions taken through the use of computer networks to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Computer Network Defense “Actions taken to defend against unauthorized activity within computer networks. CND includes monitoring, detection, analysis (such as trend and pattern analysis), and response and restoration activities.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Into the Gray Zone | 51 Term Definition and Source Computer Network Exploitation “Enabling operations and intelligence collection capabilities conducted through the use of computer networks to gather data from target or adversary information systems or networks.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Critical infrastructure “System and assets, whether physical or virtual, so vital to the U.S. that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. [Critical Infrastructures Protection Act of 2001, 42 U.S.C. 5195c(e)] CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Cyber attack “An attack that alters a system or data.” CNSSI-4009. “An attack on the authentication protocol where the Attacker transmits data to the Claimant, Credential Service Provider, Verifier, or Relying Party. Examples of active attacks include man-in-themiddle, impersonation, and session hijacking.” SP 800-63. “An attempt to gain unauthorized access to system services, resources, or information, or an attempt to compromise system integrity.” SP 800-32. “Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy information system resources or the information itself.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Cyber deterrence by denial “Reducing the incentive of potential adversaries to use cyber capabilities against the United States by persuading them that the United States can deny their objectives . . . The President has at his disposal a number of tools to carry out deterrence by denial. These include a range of policies, regulations, and voluntary standards aimed at increasing the security and resiliency of U.S. government and private sector computer systems. They also include incident response capabilities and certain law enforcement authorities, such as those used by the Department of Justice to take down criminal botnets. They include cyber threat information sharing mechanisms, as well as public-private partnerships.” “efforts . . . to persuade adversaries that the United States can thwart malicious cyber activity, thereby reducing the incentive to conduct such activities. To make these deterrence efforts credible, we must deploy strong defenses and architect resilient systems that recover quickly from attacks or other disruptions.” Continued on the next page 52 | Appendix IV: Glossary of Terms Term Definition and Source Cyber deterrence by denial (continued) “Pursuing defense, resiliency, and reconstitution initiatives to provide critical networks with a greater capability to prevent or minimize the impact of cyber attacks or other malicious activity, and reconstitute rapidly if attacks succeed. Building strong partnerships with the private sector to promote cybersecurity best practices; assist in building public confidence in cybersecurity measures; and lend credibility to national efforts to increase network resiliency.” Department of State International Cyberspace Policy Strategy, Public Law 114- 113, Division N, Title IV, §402 (March 2016), https://www.state.gov/documents/ organization/255732.pdf. Cyber espionage “Activities conducted in the name of security, business, politics, or technology to find information that ought to remain secret. It is not inherently military.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Cyber Infrastructure “Includes electronic information and communications systems and services and the information contained in these systems and services. Information and communications systems and services are composed of all hardware and software that process, store, and communicate information, or any combination of all of these elements. Processing includes the creation, access, modification, and destruction of other media types. Communications include sharing and distribution of information. For example: computer systems; control systems (e.g., supervisory control and data acquisition-SCADA); networks, such as the Internet; and cyber services (e.g., managed security services) are part of cyber infrastructure.” NISTIR 7628. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Cybersecurity “The protection of information assets by addressing threats to information processed, stored, and transported by internetworked information systems.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Cyberspace “A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers.” CNSSI-4009. http://www.globaltimes.cn/content/1010409.shtml Into the Gray Zone | 53 Term Definition and Source Dark Net “A collection of websites that are publicly visible but hide the Internet Protocol addresses of the servers that run these sites.” “The Dark Web relies on darknets or networks that are made between trusted peers. Examples of Dark Web systems include TOR, Freenet, or the Invisible Internet Project (I2P). Vincenzo Ciancaglini et al., Below the Surface: Exploring the Deep Web, TrendLabs Research Paper, TrendMicro (2016) https://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp_below_the_surface.pdf. Deep Web “Any Internet content that, for various reasons, can’t be or isn’t indexed by search engines like Google. This definition thus includes dynamic web pages, blocked sites (like those that ask you to answer a CAPTCHA to access), unlinked sites, private sites (like those that require login credentials), non-HTML/-contextual/-scripted content), and limited-access networks.” Vincenzo Ciancaglini et al., Below the Surface: Exploring the Deep Web, TrendLabs Research Paper, TrendMicro (2016) https://www.trendmicro.com/cloud-content/us/ pdfs/security-intelligence/white-papers/wp_below_the_surface.pdf. Denial of Service (DoS) “The prevention of authorized access to resources or the delaying of time-critical operations. (Time-critical may be milliseconds or it may be hours, depending upon the service provided.). CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Distributed Denial of Service Attack (DDoS) “A Denial of Service technique that uses numerous hosts to perform the attack.” CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Dye pack See beaconing. In the cybersecurity context, the terms beacon and dye pack are often used interchangeably. However, with the term's physical namesake being the dye packs used to identify bank robbers, the cybersecurity tool sometimes takes on a more aggressive connotation. Where, in bank robberies, dye packs explode and contaminate the stolen money and their environment with a recognizable dye, cyber dye packs are often thought to not only be able to collect information on a hacker's computer (similar to a beacon) but also to be able to have a destructive impact on their surrounding environment. 54 | Appendix IV: Glossary of Terms Term Definition and Source Firewall “A system or combination of systems that enforces a boundary between two or more networks, typically forming a barrier between a secure and an open environment such as the Internet.” "A gateway that limits access between networks in accordance with local security policy.” SP 800-32. “A hardware/software capability that limits access between networks and/or systems in accordance with a specific security policy.” CNSSI-4009. “A device or program that controls the flow of network traffic between networks or hosts that employ differing security postures.” SP 800-41. http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf; http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST. IR.7298r2.pdf Honeypot “A specially configured server, also known as a decoy server, designed to attract and monitor intruders in a manner such that their actions do not affect production systems.” “A system (e.g., a Web server) or system resource (e.g., a file on a server) that is designed to be attractive to potential crackers and intruders and has no authorized users other than its administrators. CNSSI-4009. http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf; http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST. IR.7298r2.pdf Information Sharing and Analysis Center “ISACs help critical infrastructure owners and operators protect their facilities, personnel and customers from cyber and physical security threats and other hazards. ISACs collect, analyze and disseminate actionable threat information to their members and provide members with tools to mitigate risks and enhance resiliency . . . ISACs are trusted entites established by critical infrastructure owners and operators to foster information sharing and best practices about physical and cyber threats and mitigation. About ISACs, National Council of ISACs (Accessed Oct. 14, 2016), http://www. isaccouncil.org. Patching “Fixes to software programming errors and vulnerabilities.” The systematic notification, identification, deployment, installation, and verification of operating system and application software code revisions. These revisions are known as patches, hot fixes, and service packs.” CNSSI-4009. http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf; http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST. IR.7298r2.pdf Quarantine “Store files containing malware in isolation for future disinfection or examination.” SP 800-69. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Into the Gray Zone | 55 Term Definition and Source Ransomware “Ransomware is a type of malware that prevents or limits users from accessing their system, either by locking the system’s screen or by locking the users’ files unless a ransom is paid. More modern ransomware families, collectively called crypto-ransomware, encrypt certain file types on infected systems and forces users to pay the ransom through certain online payment methods to get a decrypt key.” Ransomware, TrendMicro (accessed Oct. 10, 2016), http://www.trendmicro.com/ vinfo/us/security/definition/ransomware. Remote Access Tools (RATs) Tools that allow either authorized or unauthorized remote access, i.e., “access to an organizational information system by a user (or an information system acting on behalf of a user) communicating through an external network (e.g., the Internet).” SP 800-53. “Access by users (or information systems) communicating external to an information system security perimeter.” SP 800-17. “The ability for an organization’s users to access its nonpublic computing resources from external locations other than the organization’s facilities.” SP 800-46. “Access to an organization’s nonpublic information system by an authorized user (or an information system) communicating through an external, non-organization-controlled network (e.g., the Internet). CNSSI-4009. http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Sinkholing “A mechanism aimed at protecting users by intercepting DNS requests attempting to connect to known malicious or unwanted domains and returning a false, or rather controlled IP address. The controlled IP address points to a sinkhole server defined by the DNS sinkhole administrator. This technique can be used to prevent hosts from connecting to or communicating with known malicious destinations such as a botnet C&C server.” DNS Sinkhole, European Union Agency for Network and Information Security (accessed Oct. 14, 2016), https://www.enisa.europa.eu/topics/national-csirt-network/ glossary/dns-sinkhole. Social engineering “An attack based on deceiving users or administrators at the target site into revealing confidential or sensitive information.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf Spyware “Software that is secretly or surreptitiously installed into an information system to gather information on individuals or organizations without their knowledge; a type of malicious code.” SP 800-53, CNSSI-4009. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf 56 | Appendix IV: Glossary of Terms Term Definition and Source Tarpits “Allowing a tarpitted port to accept any incoming TCP connection. When data transfer begins to occur, the TCP window size is set to zero, so no data can be transferred within the session. The connection is then held open, and any requests by the remote side to close the session are ignored. This means that the attacker must wait for the connection to timeout in order to disconnect.” http://csrc.nist.gov/cyberframework/framework_comments/20131213_charles_ alsup_insa_part3.pdf White hat “White hats are security researchers or hackers who, when they discover a vulnerability in software, notify the vendor so that the hole can be patched.” Kim Zetter, Hacker Lexicon: What are White Hat, Gray Hat, and Black Hat Hackers?, Wired (April 13, 2016), http://docs.house.gov/meetings/IF/IF17/20150324/103226/ HHRG-114-IF17-Wstate-SchoolerR-20150324.pdf. Whitelisting “A list of discrete entities, such as hosts or applications that are known to be benign and are approved for use within an organization and/or information system.” SP 800-128. http://nvlpubs.nist.gov/nistpubs/ir/2013/NIST.IR.7298r2.pdf Zero-day exploits “A vulnerability that is exploited before the software creator/vendor is even aware of its existence.” http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_ fundamentals_glossary.pdf

APIs - REST API