Collaborative Training and Response Communities - An Alternative to Traditional Cyber Defense Escalation
Erik L. Moore, Steven P. Fulton, Roberta A. Mancuso, Tristen K. Amador, and Daniel M. Likarish
Regis University, Denver Colorado, USA
{emoore, sfulton, rmancuso, tamador, dlikaris}@regis.edu
Creswell's Methodology for Qualitative Validation
Figure: Creswell's validation steps, stacked from raw data (bottom) to validation (top): Raw Data (transcripts, field notes, images, etc.); Organizing and Preparing Data for Analysis; Reading Through All Data; Organizing the Data; Themes / Description; Interrelating Themes/Descriptions (e.g., grounded theory, case study); Interpreting the Meaning of Themes/Descriptions; Validating the Accuracy of the Information.
Multiple Themes/Description
● Relative tasks
● Outcomes
● Phases of deployment
● Multiple lenses on the process
Data Collection & Analysis
● On-site observations for training and incident response
● Interviews with leadership post training and post incident
Validation
● Interrelating observations and interviews
● Relate process change and ratios of tasks
● Review by Collaborative Community
RMCCDC 2012 to the present, advancing SKA through challenge learning
● Magic in a bottle
○ Leadership
○ Skills
○ Real scenarios: rapid response under pressure and threat (Red)
● Volunteers and Partners
○ CAE, CONG, SoC/OIT and others
○ Industry Vendors
○ Regional governmental entities, SMB
Why did we do the work?
● RU/CAE reasons to support the work
○ Protect Colorado citizens
○ Good student projects
○ Longitudinal research
● State's response to cybersecurity problem
○ Private entity exhausts resources
○ Call to the State Office of the Governor's response (Call on the Guard)
○ Role of the Guard as a spear point
● CONG
○ Recognize need to work with commercial side, regional entities
○ Skills, certifications (CISSP, Security+, CEH)
○ Meet the players
○ "CyberSmoke Jumpers"
Background
● 2013 - Regis began hosting regular joint cyber defense exercises
○ State and Local Government
○ Public Utilities
○ Colorado National Guard - Cyber Defense Operations (CONG-DCO)
● May 2016 - Including psychometric analysis
○ Feedback to leadership - team dynamics, role diversity, trait preferences
○ Goals of improving: team interaction, leadership efficacy, individual self-awareness
○ After-event debriefs
● May 2017 - Myers-Briggs Type Indicator (MBTI), Parker Team Player Survey (PTPS)
○ Establish full baseline
● February 2018 and 2019
○ CONG-DCO live incident response event observations on-site, journaling and state assessment
Training Collaborative
Figure: three partners around a central "Cyber Security Multi Agency Collaboration for Rapid Response Executable Model": States (State of Colorado), National Guard (Colorado National Guard), Academia (Regis University).
Training Collaborative Expanded
Figure: the same three partners plus a fourth, Private Sector (Initial Industry Partner), around the Cyber Security Multi Agency Collaboration for Rapid Response Executable Model.
CDOT Event Context
● Joint Training Since 2013
○ State of Colorado Office of Information Technology (OIT) engaged in joint training with the Colorado National Guard at cyber defense exercises at Regis University and through other cooperative activities
● Other Crypto Malware Incidents
○ Regional governmental entities had recently been subject to highly disruptive attacks, and information sharing sessions had occurred
● OIT Support and Decisions
○ OIT provided Colorado Department of Transportation cybersecurity services, standards, and implementation
● Colorado Governor Empowered to Call the Guard
○ Through relationships, tabletop exercises, policy and procedure review, and joint feasibility analysis
CDOT Technical Details - Crypto Ransomware
● Server Initially Deployed Vulnerable
○ Compromised and used to pivot
● Systems Exploited
○ Colorado State Department of Transportation (CDOT)
● International Perpetrators
○ Focused on a multi-phased extended threat chain and persistence, versioning malware
● First Responder Burnout
○ Began occurring on reinfection with the OIT/CDOT cyber defense team
● Team Relief
○ Occurred when the Colorado National Guard took over remediation and initiated restore
Relative Incident Response Load
Figure: incident response load (y-axis: Load) plotted over time (x-axis: Time). Horizontal reference lines: Keep The Lights On, Overtime/Burnout Line, Full Staff, Slack. Marked events: Infection 1, Infection 2. Plotted series: IRL1 Staff + Escalation, IRL2 Staff + Escalation, Plan & Project, IRL2 CTRC Slack.
Joint Incident Response Process 1 (IRL1)
Figure: IRL1 process flow diagram with these steps:
● Escalate to Resources Identified During Normal Operations
● Malware Analysis, Identify and Describe Threat in Detail
● Develop and Fully Test Remediation Controls in Testing Environment
● Implement Deployment Strategy
● Deploy, Recover, and Restore Systems, Business Process, and Community Confidence
● Initial Signature-based Remediation Solutions
● Use Automated Threat Identification Resources
● Implement Response Plan when Necessary
● Develop Incident Response Escalation Plan
● Implement Cyber Monitoring/Control
● Retain Vendors and Identify Escalation Agencies
Joint Incident Response Process 2 (IRL2)
Figure: IRL2 process flow diagram with these steps:
● Ensure Best Technical Resources on Key First Tasks
● Malware Analysis, Identify and Describe Threat in Detail
● Develop and Fully Test Remediation Controls in Testing Environment
● Implement Deployment Strategy with Human Monitoring of Malware Adaptive Behavior
● Deploy, Recover, and Restore Systems, Business Process, and Community Confidence
● Revise or Expand Signature-based Remediation Solutions
● Forensic Hunting for Exploits
● Organize Strategic Path Forward and Identify Immediate Success Criteria
● Survey Technical Staff and Responding Personnel for Low-Hanging Fruit & Filter for Actionability
● Deep Cyber Reconnaissance
● Rapidly Evaluate Available Personnel Capabilities & Resources Including those Present through Escalation
● Establish Incident Command
● Evaluate each step using teams formed from top experts picked regardless of originating organization
● Relieve and release exhausted participants at each phase
● Redeploy when rested & ready as their tasks come up
Strategic Analysis
● Variance From Escalation
○ Ability to give leadership and lead technical staff time for rest and recovery
● Establish Joint Command Structure
○ Common authoritative direction across multiple state departments, National Guard unit, and vendors
● Move Staff From Threat Analysis to Remediation and Recovery
○ Charge teams with tasks well within their skill areas
● Create Slack Time
○ Restore the work day of primary first responders as the recovery process proceeds
Follow-on Questions
● Is this Collaborative Training and Incident Response (CTRC) approach to severe cybersecurity incident response replicable with demonstrable value?
● As incidents occur over time, is there a predictable ratio of relative cost to the state for CTRC versus traditional escalation?
● How does this compare to other similar scenarios where traditional escalation was used?
● Could this model be used in the private sector?
Aggregated Timeline Elements
Figure: a single timeline (x-axis: Time) with stacked tracks for Role Diversity trait (PTPS) and PM Feedback Points, Team Cohesion Level, Firewall Attack Traffic, Sustained Services, Red Team Tasks, and "CEO" Injects A, B, C, D.
Psychometric Findings
● Online Survey Data Collection
○ Prior to May 8, 2017:
■ 7 team members conducted remote MBTI surveys, set to look for adaptation
■ 13 team members completed PTPS surveys; no Challengers among the surveyed team members
● PTPS Result Samples
○ Team is predominantly task and goal oriented
■ does not excel at process
■ does not question that process
● Initial Review of "Scriptability" of Coaching Feedback
○ Critical, but not completed for short-cycle framework
Firewall Activity (as aggregated in the SIEM)
● Dotted Line: ASA-6-302014 - A TCP connection between two hosts was deleted.
● Dashed Line: ASA-6-106100 - The ASA might generate message 106100, indicating that the packet was permitted; however, the packet is later correctly dropped because of no matching connection.
● Solid Line: ASA-6-302013 - A TCP connection slot between two hosts was created.
Figure: per-minute message counts (y-axis 50,000 to 150,000) from 10:08 AM to 10:14 AM, Mon May 8 2017.
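As an added illustration, not code from the paper or its authors, the following Python builds the per-minute series behind a chart like this one from raw Cisco ASA syslog, bucketing the three message IDs in the legend by minute and flagging minutes where one of them spikes. The log lines, hostname fw1 and addresses are constructed, and the "Mon DD YYYY HH:MM:SS ... %ASA-6-NNNNNN:" line layout is an assumed common syslog form.

```python
import re
from collections import Counter
from datetime import datetime

# Assumed syslog layout: timestamp, then the %ASA-<severity>-<message-id>: tag.
ASA_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?%ASA-\d-(?P<msg>\d{6}):"
)

# Message IDs from the chart legend above.
TRACKED = {
    "302013": "TCP connection created",
    "302014": "TCP connection deleted",
    "106100": "ACL permitted, later dropped (no matching connection)",
}

def aggregate_by_minute(lines):
    """Return Counter {(HH:MM, msg_id): count}; unparseable or untracked lines are skipped."""
    counts = Counter()
    for line in lines:
        m = ASA_RE.match(line)
        if not m or m.group("msg") not in TRACKED:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S")
        counts[(ts.strftime("%H:%M"), m.group("msg"))] += 1
    return counts

def burst_minutes(counts, msg_id, threshold):
    """Minutes in which msg_id exceeds threshold, i.e. the spikes a chart like the one above shows."""
    return sorted(minute for (minute, mid), n in counts.items()
                  if mid == msg_id and n > threshold)

# Constructed sample log lines (not real CDOT or exercise data).
SAMPLE = [
    "May 08 2017 10:08:01 fw1 %ASA-6-302013: Built inbound TCP connection 1 for outside:198.51.100.7/4321 to inside:10.0.0.5/80",
    "May 08 2017 10:08:02 fw1 %ASA-6-302014: Teardown TCP connection 1 for outside:198.51.100.7/4321 to inside:10.0.0.5/80 duration 0:00:01 bytes 400 TCP FINs",
    "May 08 2017 10:09:10 fw1 %ASA-6-302013: Built inbound TCP connection 2 for outside:198.51.100.7/4322 to inside:10.0.0.5/80",
    "May 08 2017 10:09:11 fw1 %ASA-6-302013: Built inbound TCP connection 3 for outside:198.51.100.7/4323 to inside:10.0.0.5/80",
    "May 08 2017 10:09:12 fw1 %ASA-6-106100: access-list outside_in permitted tcp outside/198.51.100.7(4400) -> inside/10.0.0.5(80) hit-cnt 1 first hit",
    "May 08 2017 10:09:13 fw1 %ASA-6-305011: Built dynamic TCP translation from inside:10.0.0.5/80 to outside:203.0.113.9/80",
    "garbage line that must be ignored",
]

if __name__ == "__main__":
    c = aggregate_by_minute(SAMPLE)
    for (minute, mid), n in sorted(c.items()):
        print(minute, mid, TRACKED[mid], n)
    print("302013 burst minutes:", burst_minutes(c, "302013", 1))
```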
Service Scoring Engine
Figure: service availability scoring over time for Team 1, Team 2 and Team 3, alongside the Red Team Journal.
Ongoing Data
● Personality State Assessments
○ Observed PTPS Behaviors
○ Team Cohesion Assessment Scale
Psychometric Indicators
Personality Trait Assessments
● Myers-Briggs Type Indicator (MBTI)
● Parker Team Player Survey (PTPS)
○ Adaptive Behavior Scale
○ 14-Item Resilience Scale
Functional Sources
● Lower Layer Commonality
● Red Team Journaling vs. Incident Logging
● Service Availability in the Incident Log
● Initiation and Contextual Load in Training and Incident Response
Figure: parallel data sources for a Training Scenario and an Incident Response.
Training Scenario: Score Board, Red Team Journal, Scenario Description, SIEM Data, Psychometric Observations, After Action Report
Incident Response: Incident Log, Request for Support, SIEM Data, Psychometric Observations, After Action Report
General Findings on Timeline Aggregation
● Timeline aggregation methods are possible to implement
● Timeline aggregation works both in training and in live incident response
● Scripting coaching for leadership is possible, and can be based on during-event team states
● Transitive Trust (established during training) is a necessary component of the relationship between the professors and the cyber defenders during a live incident
● There were sufficient parallels between the live incident and the training to suggest that a similar timeline aggregation and analysis can work for both
Psychometric Analysts' Strategy
● Provide observations, evaluations, and coaching
● Leadership skills and team member participation feedback for individual team members
● One-on-one discussion about personality traits and leadership guidance
● Increase awareness of participants' interaction styles so they can function more effectively in both cyber exercises and incident response
Advice Based on Observations Resulting from CDOT Incident
● Timeline of Events - IRL1 > Governor Directive > IRL2 (CONG)
○ Expect to offer relief at all org levels
● Train Together Across Groups
○ TableTop, Management Pull Away, Tools/Physical Exercise
○ Exchange Business Cards... mutually confirm capability
● Assess and Reach (outside of joint events)
○ Certs, Labs, Psychometrics, Leadership, Team Presence, Guest Experts...