Saturday, June 2, 2012

Paper:Targeted Cyber Intrusion Detection And Mitigation Strategies


From: Wulfhorst, Kevin C. 
Sent: Friday, June 01, 2012 11:10 AM
Subject: ICS-TIP-12-146-01—TARGETED CYBER INTRUSION DETECTION AND MITIGATION STRATEGIES

Good Morning -

Attached is an ICS-CERT TECHNICAL INFORMATION PAPER from the DHS Industrial Control System Cyber Emergency Response Team entitled "ICS-TIP-12-146-01—TARGETED CYBER INTRUSION DETECTION AND MITIGATION STRATEGIES" - dated May 25, 2012

Please disseminate to JTTF, ROIC, Infragard and DSAC distro lists.

Although this paper is intended for Industrial Control System IT specialists and operators, I am forwarding this to my entire FBI Newark distro list. It will be of value to anyone who wants to better understand the nature of current cyber threats.

This paper is a very comprehensive, yet understandable guide that contains actions to identify and mitigate threats to private and public sector computer networks. This document should be immediately shared with your organization's IT security and network administration personnel.

Also, the Newark FBI Cyber Squad recommends that all organizations log their DNS queries, as described in this guide on page 4 - "DNS Logging with Host Level Granularity".

Here is the "Overview" section of the paper:

OVERVIEW

Sophisticated and targeted cyber intrusions against owners and operators of industrial control systems across multiple critical infrastructure sectors have increased in recent months. ICS-CERT developed the following guidance to provide basic recommendations for owners and operators of critical infrastructure to mitigate the impacts of cyber attacks and enhance their network security posture.

This guidance applies to organizations whose networks have been compromised by a cyber attack as well as to those desiring to improve their network security preparedness to respond to a cyber incident. The guidance is relevant to both enterprise and control system networks, particularly where interconnectivity could allow adversaries to move laterally within and between networks. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to implementing defensive measures to avoid any negative impact to normal operations.

The guidance is organized into several topical areas and provides network administrators with concepts for improving detection of intrusions, preventing lateral movement of threat actors, and controlling access to the various segments of a network. The guidance is in the form of “what” should be done and “why” it is important. The “how” of implementation is the responsibility of each organization and is dependent on individual needs, network topology, and operational requirements.

Kevin C. Wulfhorst
Supervisory Intelligence Analyst
FBI Newark Division
Phone: 973-792-3274
Cell: 201-388-7585
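
The DNS logging recommendation above hinges on one detail: each query must be attributable to the host that issued it, not just to the resolver. As an added illustration (not from the paper or the FBI email), the script below parses constructed BIND-style query-log lines, whose assumed `client <ip>#<port>` field supplies that host-level granularity, and lists names that only a single host on the network ever resolved, a question that cannot be asked of resolver-only logs.

```python
import re
from collections import defaultdict

# Constructed sample in BIND-style query-log format (an assumed format chosen for
# illustration, not taken from the paper). The "client <ip>#<port>" field is what
# provides host-level granularity: every query is attributable to one host.
SAMPLE_LOG = """\
01-Jun-2012 11:10:01.001 client 10.1.2.10#51000: query: intranet.example.local IN A + (10.1.2.1)
01-Jun-2012 11:10:02.002 client 10.1.2.11#51001: query: intranet.example.local IN A + (10.1.2.1)
01-Jun-2012 11:10:03.003 client 10.1.2.12#51002: query: intranet.example.local IN A + (10.1.2.1)
01-Jun-2012 11:10:04.004 client 10.1.2.10#51003: query: updates.example.com IN A + (10.1.2.1)
01-Jun-2012 11:10:05.005 client 10.1.2.11#51004: query: updates.example.com IN A + (10.1.2.1)
01-Jun-2012 11:10:06.006 client 10.1.2.12#51005: query: a1b2c3d4.rare-placeholder.invalid IN A + (10.1.2.1)
01-Jun-2012 11:10:07.007 client 10.1.2.12#51006: query: e5f6a7b8.rare-placeholder.invalid IN A + (10.1.2.1)
01-Jun-2012 11:10:08.008 this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"client (?P<host>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN (?P<qtype>\S+)"
)

def parse_queries(log_text):
    """Return a list of (host, qname, qtype) tuples, skipping unparseable lines."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append((m.group("host"), m.group("name").lower().rstrip("."), m.group("qtype")))
    return out

def hosts_per_name(log_text):
    """Map each queried name to the set of hosts that looked it up."""
    seen = defaultdict(set)
    for host, name, _ in parse_queries(log_text):
        seen[name].add(host)
    return seen

def rare_names(log_text, max_hosts=1):
    """Names looked up by at most max_hosts distinct hosts, mapped to those hosts.

    A name that only one machine resolves is worth an analyst's attention; it can
    only be surfaced when the log records which client asked.
    """
    return {name: sorted(hosts) for name, hosts in hosts_per_name(log_text).items()
            if len(hosts) <= max_hosts}

if __name__ == "__main__":
    for name, hosts in rare_names(SAMPLE_LOG).items():
        print(f"{name} was resolved only by {', '.join(hosts)}")
```

Raising `max_hosts` widens the net to names shared by a small cluster of hosts, which is often how a single workstation and its neighbours show up together.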

