Appendix A List of Acronyms

AMP       Advanced Malware Protection
ATP       Advanced Threat Protection
COI       Community of Interest
DE        Detect
DI        Data Integrity
DSP       Directory Services Protector
ESM       Enterprise Security Manager
ICA       Information Centric Analytics
ISE       Identity Services Engine
IT        Information Technology
ISO/IEC   International Organization for Standardization/International Electrotechnical Commission
NCCoE     National Cybersecurity Center of Excellence
NIST      National Institute of Standards and Technology
NISTIR    NIST Interagency or Internal Report
PR        Protect
RMF       Risk Management Framework
RS        Respond
SP        Special Publication
USB       Universal Serial Bus
VM        Virtual Machine
vsftpd    Very Secure File Transfer Protocol Daemon

Appendix B Glossary

Access Control

The process of granting or denying specific requests to: 1) obtain and use information and related information processing services; and 2) enter specific physical facilities (e.g., federal buildings, military establishments, border crossing entrances)

SOURCE: Federal Information Processing Standard (FIPS) 201; CNSSI-4009

Architecture

A highly structured specification of an acceptable approach within a framework for solving a specific problem. An architecture contains descriptions of all the components of a selected, acceptable solution, while allowing certain details of specific components to be variable to satisfy related constraints (e.g., costs, local environment, user acceptability).

SOURCE: FIPS 201-2

Audit

Independent review and examination of records and activities to assess the adequacy of system controls and ensure compliance with established policies and operational procedures.

SOURCE: CNSSI 4009-2015

Backdoor

An undocumented way of gaining access to a computer system. A backdoor is a potential security risk.

SOURCE: National Institute of Standards and Technology (NIST) Special Publication (SP) 800-82 Rev. 2

Backup

A copy of files and programs made to facilitate recovery if necessary.

SOURCE: NIST SP 800-34 Rev. 1

Compromise

Disclosure of information to unauthorized persons, or a violation of the security policy of a system in which unauthorized intentional or unintentional disclosure, modification, destruction, or loss of an object may have occurred.

SOURCE: NIST SP 800-32

Continuous Monitoring

Maintaining ongoing awareness to support organizational risk decisions.

SOURCE: NIST SP 800-137

Cybersecurity

Prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication, and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation.

SOURCE: CNSSI 4009-2015 (NSPD-54/HSPD-23)

Data

A subset of information in an electronic format that allows it to be retrieved or transmitted.

SOURCE: CNSSI-4009

Data Integrity

The property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner.

SOURCE: CNSSI-4009

Information Security

The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

SOURCE: FIPS 199 (44 U.S.C., Sec. 3542)

Information Security Risk

The risk to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation due to the potential for unauthorized access, use, disclosure, disruption, modification, or destruction of information and/or information systems.

SOURCE: CNSSI 4009-2015 (NIST SP 800-30 Rev. 1)

Information System

A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

SOURCE: FIPS 200 (44 U.S.C., Sec. 3502)

Insider

An entity inside the security perimeter that is authorized to access system resources but uses them in a way not approved by those who granted the authorization.

SOURCE: NIST SP 800-82 Rev. 2 (RFC 4949)

Kerberos

An authentication system developed at the Massachusetts Institute of Technology (MIT). Kerberos is designed to enable two parties to exchange private information across a public network.

SOURCE: NIST SP 800-47

Log

A record of the events occurring within an organization’s systems and networks.

SOURCE: NIST SP 800-92

Malware

A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system.

SOURCE: NIST SP 800-111

Privacy

Assurance that the confidentiality of, and access to, certain information about an entity is protected.

SOURCE: NIST SP 800-130

Risk

The level of impact on organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals, resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring.

SOURCE: FIPS 200

Risk Assessment

The process of identifying the risks to system security and determining the probability of occurrence, the resulting impact, and additional safeguards that would mitigate this impact. Part of Risk Management and synonymous with Risk Analysis.

SOURCE: NIST SP 800-63-2

Risk Management Framework

The Risk Management Framework (RMF), presented in NIST SP 800-37, provides a disciplined and structured process that integrates information security and risk management activities into the system development life cycle.

SOURCE: NIST SP 800-82 Rev. 2 (NIST SP 800-37)

Security Control

A protection measure for a system.

SOURCE: NIST SP 800-123

Virtual Machine

Software that allows a single host to run one or more guest operating systems.

SOURCE: NIST SP 800-115

Vulnerability

Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

SOURCE: FIPS 200 (adapted from CNSSI 4009)

Appendix C References

[B1] A. Sedgewick, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1, National Institute of Standards and Technology, Gaithersburg, Maryland, April 2018, 55 pp. Available: https://www.nist.gov/cyberframework/framework.

[B2] L. Kauffman, N. Lesser and B. Abe, Executive Technical Workshop on Improving Cybersecurity and Consumer Privacy, NISTIR 8050, National Institute of Standards and Technology, Gaithersburg, Maryland, April 2015, 155 pp. Available: https://nccoe.nist.gov/sites/default/files/library/nistir-8050-draft.pdf.

[B3] G. Stoneburner et al., Guide for Conducting Risk Assessments, NIST Special Publication (SP) 800-30 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2012, 95 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-30r1.

[B4] R. Ross et al., Guide for Applying the Risk Management Framework to Federal Information Systems, NIST Special Publication (SP) 800-37, National Institute of Standards and Technology, Gaithersburg, Maryland, February 2010, 101 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-37r1.

[B5] R. Ross et al., Managing Information Security Risk, NIST Special Publication (SP) 800-39, National Institute of Standards and Technology, Gaithersburg, Maryland, March 2011, 87 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-39.

[B6] M. Souppaya et al., Guide to Enterprise Patch Management Technologies, NIST Special Publication (SP) 800-40 Revision 3, National Institute of Standards and Technology, Gaithersburg, Maryland, July 2013, 25 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-40r3.

[B7] R. Ross et al., Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication (SP) 800-53 Revision 4, National Institute of Standards and Technology, Gaithersburg, Maryland, April 2013, 461 pp. Available: https://doi.org/10.6028/NIST.SP.800-53r4.

[B8] U.S. Department of Commerce, Security Requirements for Cryptographic Modules, Federal Information Processing Standards (FIPS) Publication 140-3, March 2019, 65 pp. Available: https://csrc.nist.gov/publications/detail/fips/140/3/final.

[B9] K. Kent et al., Guide to Integrating Forensic Techniques into Incident Response, NIST Special Publication (SP) 800-86, National Institute of Standards and Technology, Gaithersburg, Maryland, August 2006, 121 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-86.

[B10] K. Kent and M. Souppaya, Guide to Computer Security Log Management, NIST Special Publication (SP) 800-92, National Institute of Standards and Technology, Gaithersburg, Maryland, September 2006, 72 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-92.

[B11] P. Bowen et al., Information Security Handbook: A Guide for Managers, NIST Special Publication (SP) 800-100, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2006, 178 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-100.

[B12] M. Swanson et al., Contingency Planning Guide for Federal Information Systems, NIST Special Publication (SP) 800-34 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, May 2010, 148 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-34r1.

[B13] Office of Management and Budget (OMB), Management of Federal Information Resources, OMB Circular No. A-130, November 2000. Available: https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf.

[B14] P. Cichonski et al., Computer Security Incident Handling Guide, NIST Special Publication (SP) 800-61 Revision 2, National Institute of Standards and Technology, Gaithersburg, Maryland, August 2012, 79 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-61r2.

[B15] M. Souppaya and K. Scarfone, Guide to Malware Incident Prevention and Handling for Desktops and Laptops, NIST Special Publication (SP) 800-83 Revision 1, National Institute of Standards and Technology, Gaithersburg, Maryland, July 2013, 46 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-83r1.

[B16] C. Johnson et al., Guide to Cyber Threat Information Sharing, NIST Special Publication (SP) 800-150, National Institute of Standards and Technology, Gaithersburg, Maryland, October 2016, 42 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-150.

[B17] M. Bartock et al., Guide for Cybersecurity Event Recovery, NIST Special Publication (SP) 800-184, National Institute of Standards and Technology, Gaithersburg, Maryland, December 2016, 52 pp. Available: http://dx.doi.org/10.6028/NIST.SP.800-184.

Appendix D Functional Evaluation

A functional evaluation of the data integrity (DI) example implementation, as constructed in our laboratory, was conducted to verify that it meets its objective of detecting and responding to DI events. Furthermore, this project aims to analyze the events to aid recovery and protection of the enterprise against future attacks. The evaluation verified that the example implementation could perform the following functions:

  • Detect malicious network activity, malicious mobile code, malicious code execution, and unauthorized user behavior.

  • Contain and analyze these types of incidents.

  • Mitigate the impact of these incidents as they occur.

  • Report relevant details for use in mitigation and protection against future events.

Section D.1 describes the format and components of the functional test cases. Each functional test case is designed to assess the capability of the example implementation to perform the functions listed above and detailed in Section D.1.

D.1 Data Integrity Functional Test Plan

One aspect of our security evaluation involved assessing how well the reference design addresses the security characteristics that it was intended to support. The Cybersecurity Framework Subcategories were used to provide structure to the security assessment by consulting the specific sections of each standard that are cited in reference to that Subcategory. The cited sections provide validation points that the example solution is expected to exhibit. Using the Cybersecurity Framework Subcategories as a basis for organizing our analysis allowed us to systematically consider how well the reference design supports the intended security characteristics.

This plan includes the test cases necessary to conduct the functional evaluation of the DI example implementation, which is currently deployed in a lab at the National Cybersecurity Center of Excellence. The implementation tested is described in Section 4.

Each test case consists of multiple fields that collectively identify the goal of the test, the specifics required to implement the test, and how to assess the results of the test. Table 6-1 describes each field in the test case.

Table 6‑1 Test Case Fields

Test Case Field | Description
Parent requirement | Identifies the top-level requirement or the series of top-level requirements leading to the testable requirement.
Testable requirement | Drives the definition of the remainder of the test case fields. Specifies the capability to be evaluated.
Description | Describes the objective of the test case.
Associated Cybersecurity Framework Subcategories | Lists the National Institute of Standards and Technology Special Publication 800-53 rev 4 controls addressed by the test case.
Preconditions | The starting state of the test case. Preconditions indicate various starting state items, such as a specific capability configuration required or specific protocol and content.
Procedure | The step-by-step actions required to implement the test case. A procedure may consist of a single sequence of steps or multiple sequences of steps (with delineation) to indicate variations in the test procedure.
Expected results | The expected results for each variation in the test procedure.
Actual results | The observed results.
Overall result | The overall result of the test as pass/fail. In some test-case instances, the determination of the overall result may be more involved, such as determining pass/fail based on a percentage of errors identified.

D.2 Data Integrity Use Case Requirements

Table 6-2 identifies the DI functional requirements addressed in the test plan and associated test cases.

Table 6‑2 Capability Requirements

Capability Requirement (CR) ID | Parent Requirement | Sub Requirement 1 | Test Case
CR 1 | The DI example implementation shall detect and respond to malware that encrypts files and displays notice demanding payment. | | Data Integrity DR-1
CR 1.a | | File integrity changes are collected and logged. | Data Integrity DR-1
CR 1.b | | Access is halted. | Data Integrity DR-1
CR 1.c | | Executable is identified as malicious, using a denylist. | Data Integrity DR-1
CR 1.d | | Executable is identified as malicious through analysis, and denylist is updated. | Data Integrity DR-1
CR 1.e | | Execution is halted. | Data Integrity DR-1
CR 1.f | | Downloads are identified as malicious, using a denylist. | Data Integrity DR-1
CR 1.g | | Downloads are identified as malicious through analysis, and denylist is updated. | Data Integrity DR-1
CR 1.h | | Downloads are prevented. | Data Integrity DR-1
CR 1.i | | Attempts to propagate are detected. | Data Integrity DR-1
CR 1.j | | Machines attempting to propagate are prevented from propagating. | Data Integrity DR-1
CR 1.k | | Suspicious network traffic is detected, and denylist is updated. | Data Integrity DR-1
CR 2 | The DI example implementation shall detect and respond to malware inserted via Universal Serial Bus (USB) that modifies and deletes user data. | | Data Integrity DR-2
CR 2.a | | File integrity changes are collected and logged. | Data Integrity DR-2
CR 2.b | | The insertion of a USB device is detected and logged. | Data Integrity DR-2
CR 2.c | | The executable is identified as malicious, using a denylist. | Data Integrity DR-2
CR 2.d | | The executable is identified as malicious through analysis, and the denylist is updated. | Data Integrity DR-2
CR 2.e | | Malicious executable is halted or deleted. | Data Integrity DR-2
CR 3 | The DI example implementation shall detect and respond to virtual machine deletion. | | Data Integrity DR-3
CR 3.a | | Virtual machine integrity changes are collected and logged. | Data Integrity DR-3
CR 3.b | | The event causing deletion of the virtual machine is analyzed. | Data Integrity DR-3
CR 4 | The DI example implementation shall detect and respond to malware received via phishing email. | | Data Integrity DR-4
CR 4.a | | Configuration integrity changes are collected and logged. | Data Integrity DR-4
CR 4.b | | Email is identified as malicious, using a denylist. | Data Integrity DR-4
CR 4.c | | Email is identified as malicious through analysis, and the denylist is updated. | Data Integrity DR-4
CR 4.d | | Email is deleted or sorted into spam. | Data Integrity DR-4
CR 4.e | | The attachment is identified as malicious, using a denylist. | Data Integrity DR-4
CR 4.f | | The attachment is identified as malicious through analysis, and the denylist is updated. | Data Integrity DR-4
CR 4.g | | Execution of the spreadsheet is stopped, and the denylist is updated if necessary. | Data Integrity DR-4
CR 4.h | | The downloads are identified as malicious, using a denylist. | Data Integrity DR-4
CR 4.i | | The downloads are identified as malicious through analysis, and the denylist is updated. | Data Integrity DR-4
CR 4.j | | The malicious executable is halted or deleted. | Data Integrity DR-4
CR 4.k | | Suspicious network traffic is detected, and denylist is updated. | Data Integrity DR-4
CR 5 | The DI example implementation shall detect and respond to changes to the database made through a web server vulnerability in custom code. | | Data Integrity DR-5
CR 5.a | | Database integrity changes are collected and logged. | Data Integrity DR-5
CR 5.b | | Information about the client interacting with the web service is collected and logged. | Data Integrity DR-5
CR 5.c | | Information from the attack is reported for use in protection against future events. | Data Integrity DR-5
CR 6 | The DI example implementation shall detect and respond to targeted modification by malicious insiders with elevated privileges. | | Data Integrity DR-6
CR 6.a | | File integrity changes are collected and logged. | Data Integrity DR-6
CR 6.b | | Backup integrity changes are collected and logged. | Data Integrity DR-6
CR 6.c | | Detected changes are reported. | Data Integrity DR-6
CR 6.d | | Associated user accounts are contained. | Data Integrity DR-6
CR 7 | The DI example implementation shall detect and respond to an intrusion via compromised update server. | | Data Integrity DR-7
CR 7.a | | Program integrity changes are collected and logged. | Data Integrity DR-7
CR 7.b | | The downloaded service is identified as malicious, using a denylist. | Data Integrity DR-7
CR 7.c | | The downloaded service is identified as malicious through analysis, and the denylist is updated. | Data Integrity DR-7
CR 7.d | | The service is halted and reverted or deleted. | Data Integrity DR-7
CR 7.e | | The download site is temporarily added to the denylist. | Data Integrity DR-7
CR 7.f | | The port opened by the service is detected. | Data Integrity DR-7
CR 7.g | | The opened port is closed. | Data Integrity DR-7
CR 7.h | | The intrusion into the infected machine is detected. | Data Integrity DR-7
CR 7.i | | The intrusion into the infected machine is contained. | Data Integrity DR-7

D.3 Test Case: Data Integrity DR-1

Table 6‑3 Test Case ID: Data Integrity DR-1

Parent requirement

(CR 1) The DI example implementation shall detect and respond to malware that encrypts files and displays notice demanding payment.

Testable requirement

(CR 1.a) Integrity Monitoring, Logging, Reporting, (CR 1.c, CR 1.d, CR 1.f, CR 1.g, CR 1.i) Event Detection, (CR 1.b, CR 1.e, CR 1.j) Mitigation and Containment, (CR 1.h, CR 1.k) Forensics and Analytics

Description

Show that the DI solution has capabilities to detect behaviors typical of ransomware, and mitigate these behaviors appropriately.

Associated Cybersecurity Framework Subcategories

PR.DS-6, DE.AE-5, DE.CM-5, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2, DE.CM-4, DE.CM-7, DE.DP-2, DE.AE-1, DE.CM-1

Preconditions

User navigates to a malicious website and clicks on an ad for a virus cleaner. The virus cleaner is ransomware, which propagates across the domain and encrypts user files.

Procedure

The integrity monitoring capability is used to monitor and log changes to the integrity of files.

The logging capability and the reporting capability are used to notify the security team of changes to the integrity of files and of potentially malicious events.

The event detection capability is used to detect the ransomware in real time before or during its execution. It is also used to detect propagation of the ransomware.

The mitigation and containment capability is used to halt the ransomware’s execution and delete it from the system. It is also used to quarantine affected machines once a breach is discovered.

The forensics/analytics capability is used to discover malicious hosts and websites accessed by the ransomware.

Expected Results (pass)

The build can monitor and report changes to the integrity of files (CR 1.a).

The machine is quarantined when malware is detected (CR 1.b).

Malicious executables are identified through signature detection or analysis (CR 1.c, CR 1.d).

Malicious executables are prevented from executing (CR 1.e).

Malicious downloads are identified through signature detection or analysis (CR 1.f, CR 1.g).

Malicious downloads are prevented (CR 1.h).

Propagation of malicious executables is detected (CR 1.i).

Propagation of malicious executables is prevented (CR 1.j).

Network traffic is captured and analyzed for suspicious activity (CR 1.k).

Actual Results

Tripwire Enterprise (integrity monitoring) is used to successfully detect changes to files on the affected systems.

ArcSight ESM (logging) is used to successfully log events from event detection and integrity monitoring for use in reporting and forensics/analytics.

ArcSight ESM (reporting) is used to successfully report on malicious activity detected in logs.

Cisco AMP (event detection) is used to successfully detect the malicious executable.

Cisco AMP (mitigation and containment) is used to successfully remove malicious executables from the affected systems.

Cisco Stealthwatch (event detection) is used to successfully capture malicious or suspicious network traffic from the executable.

Cisco ISE (mitigation and containment) is used to successfully quarantine affected machines.

Symantec Security Analytics (forensics/analytics) is used to successfully review network traffic generated by the ransomware for potentially malicious hosts and websites.

Symantec ICA (forensics/analytics) successfully displays relevant events from ArcSight for analysis to aid in identifying the malicious files for use in future event detection as well as for removal by the security team.

Overall Result

Pass. All requirements for this use case are met.
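The procedure above describes the integrity-monitoring, logging and event-detection steps abstractly (CR 1.a, CR 1.c, and the detection of "behaviors typical of ransomware"). The following is an added illustration of what those steps amount to in code; it is not code from the NCCoE build or from any of the products named in the test case. It hashes a directory into a baseline, diffs a second pass into one JSON log event per created, modified or deleted file, checks each new file's hash against a denylist, and flags mass rewrites whose contents look encrypted (byte entropy close to 8 bits per byte). The directory layout, the sample files, the denylist entry and the 7.0-bit entropy threshold are all constructed for the demo.

```python
"""Minimal file integrity monitor with a hash denylist and an encryption heuristic.

Added illustration of the DR-1 integrity-monitoring / event-detection steps.
Not the NCCoE build's code; file contents, paths, denylist entry and the
entropy threshold are constructed assumptions for this demo.
"""
import hashlib
import json
import math
import random
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

ENTROPY_THRESHOLD = 7.0  # bits/byte; encrypted or compressed data approaches 8.0 (assumed cut-off)


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Byte-level Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_baseline(root: Path) -> Dict[str, str]:
    """Map every regular file (path relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_baseline(root: Path, old: Dict[str, str], new: Dict[str, str]) -> List[dict]:
    """One event per created, modified or deleted file (the CR 1.a integrity change record)."""
    events = []
    for rel in sorted(set(old) | set(new)):
        if rel not in old:
            kind = "created"
        elif rel not in new:
            kind = "deleted"
        elif old[rel] != new[rel]:
            kind = "modified"
        else:
            continue
        ev = {"event": kind, "path": rel, "sha256": new.get(rel)}
        if kind != "deleted":
            ev["entropy"] = round(shannon_entropy((root / rel).read_bytes()), 2)
        events.append(ev)
    return events


def classify(events: List[dict], denylist: set) -> List[dict]:
    """Attach a verdict: known-bad hash (CR 1.c) or an encryption-like rewrite (ransomware heuristic)."""
    for ev in events:
        if ev.get("sha256") in denylist:
            ev["verdict"] = "denylisted"
        elif ev["event"] == "modified" and ev.get("entropy", 0.0) > ENTROPY_THRESHOLD:
            ev["verdict"] = "suspicious_high_entropy_rewrite"
        else:
            ev["verdict"] = "informational"
    return events


def run_demo() -> List[dict]:
    """Constructed scenario: baseline, then documents overwritten with random bytes and a denylisted file dropped."""
    rng = random.Random(1234)  # fixed seed so the demo is reproducible
    sample = b"CONSTRUCTED-DENYLISTED-SAMPLE"  # stands in for a known-bad executable's bytes
    denylist = {hashlib.sha256(sample).hexdigest()}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "docs").mkdir()
        for i in range(3):
            (root / "docs" / f"report{i}.txt").write_text("quarterly figures\n" * 50)
        before = build_baseline(root)
        for i in range(3):  # simulate the event: every document rewritten with high-entropy bytes
            (root / "docs" / f"report{i}.txt").write_bytes(
                bytes(rng.getrandbits(8) for _ in range(8192)))
        (root / "cleaner.exe").write_bytes(sample)  # the "virus cleaner" from the precondition
        after = build_baseline(root)
        events = classify(diff_baseline(root, before, after), denylist)
    for ev in events:
        print(json.dumps(ev))  # one JSON line per event, the shape a log collector would ingest
    return events


if __name__ == "__main__":
    run_demo()
```

The two signals are deliberately separate: the denylist catches what is already known (CR 1.c), while the entropy check over modified files is the kind of behavioural analysis that lets an analyst confirm a new sample and then add its hash to the denylist (CR 1.d). In a real deployment the baseline would be stored signed and off-host, since a monitor whose baseline the malware can rewrite detects nothing.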

D.4 Test Case: Data Integrity DR-2

Table 6‑4 Test Case ID: Data Integrity DR-2

Parent requirement

(CR 2) The DI example implementation shall detect and respond to malware inserted via USB that modifies and deletes user data.

Testable requirement

(CR 2.a) Integrity Monitoring, (CR 2.b, CR 2.c) Event Detection, (CR 2.d) Forensics and Analytics, (CR 2.e) Mitigation and Containment

Description

Show that the DI solution can detect behaviors of destructive malware and can mitigate these behaviors appropriately.

Associated Cybersecurity Framework Subcategories

DE.AE-5, DE.CM-4, DE.CM-7, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2

Preconditions

A user inserts an unidentified USB drive into their computer. They click on a file on the drive, which immediately destroys any files on their machine.

Procedure

The integrity monitoring capability is used to monitor integrity changes to the system.

The logging capability is used to collect logs from the integrity monitoring capability.

The event detection capability is used to detect malicious files on the USB inserted into the system.

The mitigation and containment capability is used to prevent malicious files from executing.

Expected Results (pass)

The build can monitor and report changes to the integrity of files (CR 2.a).

The build can detect insertion of a USB (CR 2.b).

Malicious executables are identified through signature detection or analysis (CR 2.c, CR 2.d).

Malicious executables are prevented from executing (CR 2.e).

Actual Results

Tripwire Enterprise (integrity monitoring) successfully detects changes made by an executable running from a USB.

ArcSight ESM (logging) successfully collects logs from the integrity monitoring capability. Furthermore, USB insertions can be collected by using Windows group policy.

Cisco AMP (event detection) successfully detects malicious files on the USB drive.

Cisco AMP (mitigation and containment) immediately deletes these malicious files on the system if they are copied. It also prevents execution if the file is run from the USB drive.

Overall Result

Pass (partial). Cisco AMP does not delete the file from the USB drive at insertion time if the user takes no action (copy or execution). However, because both of these actions trigger deletion, this is not a significant shortcoming, as the file is otherwise harmless.

D.5 Test Case: Data Integrity DR-3

Table 6‑5 Test Case ID: Data Integrity DR-3

Parent requirement

(CR 3) The DI example implementation shall detect and respond to virtual machine deletion.

Testable requirement

(CR 3.a) Integrity Monitoring, (CR 3.b) Forensics and Analytics

Description

Show that the DI solution can detect and analyze DI events that involve virtual machines.

Associated Cybersecurity Framework Subcategories

DE.AE-5, DE.CM-3, DE.CM-7, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2

Preconditions

A routine maintenance script contains an error that accidentally deletes a virtual machine.

Procedure

The integrity monitoring capability is used to monitor integrity changes to the system.

The logging capability is used to collect logs from the integrity monitoring capability.

The forensics/analytics capability is used to analyze logs and determine the cause of integrity events.

Expected Results (pass)

The build can monitor and report changes to the integrity of virtual machines (CR 3.a).

The build can analyze the impact of DI events (CR 3.b).

Actual Results

Tripwire Enterprise (integrity monitoring) successfully monitors and logs changes to configurations of virtual machines.

ArcSight ESM (logging) successfully collects logs and reports on the events generated by the integrity monitoring capability, enabling faster response time.

Symantec ICA (forensics/analytics) successfully displays relevant events from ArcSight for analysis to aid in identifying the file that causes the deletion.

Overall Result

Pass. All requirements for this use case are met.

D.6 Test Case: Data Integrity DR-4

Table 6‑6 Test Case ID: Data Integrity DR-4

Parent requirement

(CR 4) The DI example implementation shall detect and respond to malware received via phishing email.

Testable requirement

(CR 4.a) Integrity Monitoring and Logging, (CR 4.b, CR 4.e, CR 4.h, CR 4.k) Event Detection, (CR 4.c, CR 4.f, CR 4.i) Forensics and Analytics, (CR 4.d, CR 4.g, CR 4.j) Mitigation and Containment

Description

Show that the DI solution can detect malicious attachments and respond to malicious configuration changes.

Associated Cybersecurity Framework Subcategories

PR.DS-6, DE.AE-5, DE.CM-5, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2

Preconditions

The user receives a phishing email with a malicious spreadsheet attached. The spreadsheet is downloaded and opened, causing account changes in Active Directory.

Procedure

The integrity monitoring capability is used to detect and log the account creation.

This information is forwarded to the logging capability, along with other available Active Directory information.

The email attachment is detected as malicious by the event detection capability and mitigated by the mitigation and containment capability, both when the file is in the inbox and when it is on the user’s system.

The solution can review the network traffic generated by the file when it calls out to the malicious web server to download files through forensics/analytics.

Expected Results (pass)

The build can monitor and report changes to the integrity of configurations (CR 4.a).

Malicious emails are identified through signature detection or analysis (CR 4.b, CR 4.c).

Emails identified as malicious are sorted into spam or deleted (CR 4.d).

Malicious attachments are identified through signature detection or analysis (CR 4.e, CR 4.f).

Malicious attachments are prevented from executing (CR 4.g).

Malicious downloads are identified through signature detection or analysis (CR 4.h, CR 4.i).

Malicious executables are prevented from executing (CR 4.j).

Network traffic is captured and analyzed for suspicious activity (CR 4.k).

Actual Results

Semperis DSP (integrity monitoring) successfully monitors and logs changes to Active Directory.

ArcSight ESM (logging) successfully collects logs and reports on the events generated by the integrity monitoring capability, enabling faster response time.

Glasswall FileTrust (event detection) successfully identifies the malicious attachment before it reaches the user’s inbox.

Glasswall FileTrust (mitigation and containment) successfully mitigates the malicious attachment before it reaches the user’s inbox.

The malicious file is successfully uploaded to Cisco AMP (event detection) for signature detection.

Cisco AMP (event detection) successfully mitigates the file when found on user workstations.

Symantec Security Analytics (forensics/analytics) is used to successfully detect network traffic involving download of files from the malicious server.

Overall Result

Pass (partial). Emails are not sorted into spam (CR 4.b–d); rather, the attachment is mitigated before reaching the user’s inbox. Sorting emails into spam is often a function of the email infrastructure.

D.7 Test Case: Data Integrity DR-5

Table 6‑7 Test Case ID: Data Integrity DR-5

Parent requirement

(CR 5) The DI example implementation shall detect and respond to changes to the database made through a web server vulnerability in custom code.

Testable requirement

(CR 5.a) Integrity Monitoring, (CR 5.b) Logging, (CR 5.c) Reporting

Description

Show that the DI solution can detect and respond to the exploitation of a vulnerability in custom code that leads to an attack on the database.

Associated Cybersecurity Framework Subcategories

DE.AE-5, DE.CM-3, DE.CM-7, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2

Preconditions

A vulnerability in the source code of an intranet web page is discovered by a malicious insider. The insider exploits this vulnerability to delete significant portions of the database.

Procedure

The integrity monitoring capability is used to detect changes to the database.

The logging capability is used to monitor changes to the database and to log web requests.

The reporting capability is used to alert the security team of significant changes to the database.

The forensics/analytics capability is used to investigate the malicious access as well as identify the page with the vulnerability.

Expected Results (pass)

The build can monitor and report changes to the integrity of the database (CR 5.a).

Malicious interaction with the web server is detected (CR 5.b).

Information about the attack is reported for use in maintaining the enterprise systems (CR 5.c).

Actual Results

Tripwire Enterprise (integrity monitoring) successfully monitors changes to the database configuration.

ArcSight ESM (logging) successfully logs changes to the database and web requests.

ArcSight ESM (reporting) successfully alerts the security team of changes to the database.

Symantec Security Analytics (forensics/analytics) allows identification of web requests that could have caused the deletion, helping identify the web server’s vulnerability in custom code.

Overall Result

Pass. All requirements for this use case are met.
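The logging and forensics steps of this test case, as an added example in Python (not code from the practice guide or from any of the products named above): database changes that affect many rows are flagged as significant, and the web requests logged in the seconds before each such change are listed as candidates, with server errors ranked first. The log formats, the 1000-row threshold and the 5-second window are assumptions for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs for this example; not data from the practice guide's build.
WEB_LOG = [
    '10.0.0.5 - alice [12/Mar/2020:10:14:02 +0000] "GET /intranet/reports.php?id=42 HTTP/1.1" 200 512',
    '10.0.0.9 - bob [12/Mar/2020:10:15:29 +0000] "GET /intranet/reports.php?id=42 HTTP/1.1" 500 88',
    '10.0.0.9 - bob [12/Mar/2020:10:15:31 +0000] "POST /intranet/search.php HTTP/1.1" 200 1200',
]
# Database audit log: timestamp, statement type, table, rows affected.
DB_LOG = [
    '2020-03-12T10:14:03+0000 SELECT reports 1',
    '2020-03-12T10:15:30+0000 DELETE reports 4800',
]

WEB_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]+)" (?P<status>\d{3})')

def parse_web(lines):
    """Parse common-log-format lines; lines that do not match are skipped."""
    events = []
    for m in filter(None, map(WEB_RE.match, lines)):
        events.append({'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                       'ip': m['ip'], 'user': m['user'], 'req': m['req'],
                       'status': int(m['status'])})
    return events

def parse_db(lines):
    events = []
    for line in lines:
        ts, stmt, table, rows = line.split()
        events.append({'ts': datetime.strptime(ts, '%Y-%m-%dT%H:%M:%S%z'),
                       'stmt': stmt, 'table': table, 'rows': int(rows)})
    return events

def significant_changes(db_events, row_threshold=1000):
    """Integrity-monitoring step (CR 5.a): destructive statements touching many rows."""
    return [e for e in db_events
            if e['stmt'] in ('DELETE', 'TRUNCATE', 'DROP') and e['rows'] >= row_threshold]

def investigate(web_lines, db_lines, row_threshold=1000, window=timedelta(seconds=5)):
    """Forensics step: pair each significant change with web requests logged just before it."""
    web, db = parse_web(web_lines), parse_db(db_lines)
    report = []
    for change in significant_changes(db, row_threshold):
        cands = [w for w in web if change['ts'] - window <= w['ts'] <= change['ts']]
        # A request that produced a server error right before the change is the strongest lead.
        suspects = [c for c in cands if c['status'] >= 500] or cands
        report.append({'change': change, 'requests': suspects})
    return report
```

Running `investigate(WEB_LOG, DB_LOG)` on the sample data returns the 4800-row DELETE paired with the single request that errored one second before it, which is the page an analyst would then review for the custom-code flaw.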

D.8 Test Case: Data Integrity DR-6

Table 6‑8 Test Case ID: Data Integrity DR-6

Parent requirement

(CR 6) The DI example implementation shall detect and respond to targeted modification by malicious insiders with elevated privileges.

Testable requirement

(CR 6.a, 6.b) Integrity Monitoring, (CR 6.c) Reporting, (CR 6.d) Mitigation and Containment

Description

Show that the DI solution can detect and respond to targeted modification of assets and backups by malicious insiders.

Associated Cybersecurity Framework Subcategories

DE.AE-5, DE.CM-3, DE.CM-7, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2

Preconditions

A malicious insider attempts to modify targeted information in both the enterprise systems and the backup systems by using elevated credentials obtained extraneously.

Procedure

The integrity monitoring capability is used to detect changes to the file system.

The reporting capability is used to notify the security team of changes to critical data assets.

The mitigation and containment capability is used to prevent the malicious user from making further modifications.

Expected Results (pass)

The build can monitor and report changes to the integrity of files and backups (CR 6.a, CR 6.b).

Information about the attack is reported for use in responding to the threat (CR 6.c).

User accounts associated with the attack are contained (CR 6.d).

Actual Results

Tripwire Enterprise (integrity monitoring) successfully detects changes to files and backups caused by a malicious insider.

ArcSight ESM (reporting) successfully reports and alerts administrators via email on changes made to files by a malicious insider.

Semperis DSP (mitigation and containment) successfully disables the user accounts associated with malicious insider activity.

Overall Result

Pass. All requirements for this use case are met.
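The three steps of this test case, as an added example in Python (not code from the practice guide or from Tripwire, ArcSight or Semperis): each asset and its backup copy are hashed and compared against a recorded baseline, so an asset whose backup was also altered is distinguished from one that can simply be restored; alerts are raised per affected asset, and the accounts that wrote to affected assets are returned for containment. The asset contents, baseline, audit trail and account name are all constructed for the example.

```python
import hashlib

def sha256(data):
    return hashlib.sha256(data).hexdigest()

# Constructed sample data for this example, not from the practice guide's build: the baseline
# recorded at the last verified state, the current content on the enterprise system and on
# the backup system, and the change audit trail (asset, copy, account that wrote it).
BASELINE = {name: sha256(data) for name, data in {
    'payroll.csv': b'id,amount\n1,5000\n',
    'contracts.docx': b'contract v1',
    'policy.txt': b'retain 7 years',
}.items()}
PRIMARY = {'payroll.csv': b'id,amount\n1,9000\n',  # changed on the enterprise system
           'contracts.docx': b'contract v1',
           'policy.txt': b'retain 1 year'}         # changed on the enterprise system
BACKUP = {'payroll.csv': b'id,amount\n1,5000\n',   # backup still intact: restorable
          'contracts.docx': b'contract v1',
          'policy.txt': b'retain 1 year'}          # backup changed too: restore would not help
CHANGES = [('payroll.csv', 'primary', 'dba_admin'),
           ('policy.txt', 'primary', 'dba_admin'),
           ('policy.txt', 'backup', 'dba_admin')]

def classify(baseline, primary, backup):
    """Integrity monitoring (CR 6.a, 6.b): compare each asset and its backup to the baseline."""
    findings = {}
    for name, base_hash in baseline.items():
        p_ok = sha256(primary.get(name, b'')) == base_hash
        b_ok = sha256(backup.get(name, b'')) == base_hash
        findings[name] = {(True, True): 'intact',
                          (False, True): 'primary-modified-restorable',
                          (True, False): 'backup-modified',
                          (False, False): 'both-modified'}[(p_ok, b_ok)]
    return findings

def alerts(findings):
    """Reporting (CR 6.c): one alert per affected asset; backup tampering is escalated."""
    sev = {'primary-modified-restorable': 'high',
           'backup-modified': 'critical', 'both-modified': 'critical'}
    return [(name, sev[state], state) for name, state in findings.items() if state != 'intact']

def accounts_to_contain(findings, changes):
    """Mitigation and containment (CR 6.d): accounts that wrote to any asset found modified."""
    affected = {name for name, state in findings.items() if state != 'intact'}
    return sorted({user for asset, _copy, user in changes if asset in affected})
```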

D.9 Test Case: Data Integrity DR-7

Table 6‑9 Test Case ID: Data Integrity DR-7

Parent requirement

(CR 7) The DI example implementation shall detect and respond to an intrusion via compromised update server.

Testable requirement

(CR 7.a) Integrity Monitoring, (CR 7.b) Event Detection, (CR 7.c) Forensics and Analytics, (CR 7.d, CR 7.e) Mitigation and Containment

Description

Show that the DI solution can detect a malicious update from a compromised update server as well as detect and respond to a resulting intrusion.

Associated Cybersecurity Framework Subcategories

PR.DS-6, DE.AE-5, DE.CM-5, DE.DP-2, RS.CO-2, DE.AE-2, DE.AE-3, DE.AE-4, RS.AN-1, RS.AN-2, RS.AN-3, RS.AN-4, RS.RP-1, RS.MI-1, RS.MI-2, DE.CM-4, DE.CM-7, DE.AE-1, DE.CM-1

Preconditions

An external update server has been compromised, and a user workstation attempts to update from this server.

Procedure

The integrity monitoring capability is used to detect changes to the integrity of programs and files.

The event detection capability is used to detect the malicious update. It is also used to detect the connection to the machine.

The mitigation and containment capability is used to halt execution of the update and delete it. It is also used to contain the intrusion.

Expected Results (pass)

The build can monitor and report changes to the integrity of programs (CR 7.a).

The malicious update is identified through signature detection or analysis (CR 7.b, CR 7.c).

The malicious service is halted and reverted or deleted (CR 7.d).

Other users are temporarily prevented from accessing this update server (CR 7.e).

The port opened by the service is detected (CR 7.f).

The port opened by the service is closed (CR 7.g).

The intrusion is detected (CR 7.h).

The intrusion is contained (CR 7.i).

Actual Results

Tripwire Enterprise (integrity monitoring) is used to identify changes in programs on the system as well as any changes made by the attacker.

Cisco AMP (event detection) is used to detect the malicious update.

Cisco Stealthwatch (event detection) is used to detect a connection to the machine via an unusual port.

Cisco AMP (mitigation and containment) is used to halt the execution of the file and delete it, thereby closing the vulnerable port.

Cisco ISE (mitigation and containment) is used to disconnect the affected machines from the network to prevent the spread of the intrusion.

Overall Result

Pass (partial). Cisco AMP does not seem to support network blocking for Unix machines at the time this practice guide was written—it supports only detection (it does support network blocking for Windows use cases, though, so a similar use case on Windows machines would potentially work). Instead, we rely on network protection, a DI Protect capability, to prevent further access to the update server; and on Cisco AMP’s mitigation capabilities to remedy any known malicious files downloaded from the server.