Guidebook on Best Practices for Airport Cybersecurity

CHAPTER 6

Detecting, Responding to, and Recovering from Attacks

"It is no longer a question of if your organization will be attacked, it is a question of when."

This chapter describes techniques that airports can follow to detect, respond to, and recover from cybersecurity attacks. More than a few experts interviewed for this study noted that "it is no longer a question of if your organization will be attacked, it is a question of when." This is where all of the practices described previously in this document yield value. The objective is to detect an attack as soon as possible after it has occurred, respond quickly and efficiently, recover to a normal state of operations with as little disruption as possible, and learn lessons to prevent similar attacks in the future.

Attacks are threats that have been realized, whether or not they have been averted by countermeasures. Those that have been averted should be noted so that trends can be identified. Successful attacks that have not been averted require immediate response. After the organization has recovered, additional countermeasures should be put in place to ensure that the vulnerability that was exposed is addressed. The following sections describe detection, response, and recovery practices that airports can follow to achieve these objectives.

Detecting Attacks

Cybersecurity attacks, such as advanced persistent threats, can occur undetected and reside within an airport's network for long periods of time. During this time, information that the airport considers sensitive or confidential may be leaked, or malware may be installed for activation at a later date. "Identifying whether an attack has occurred can be incredibly challenging," remarks Rob Lee, the Digital Forensics and Incident Response Lead at SANS Institute (Karol 2013). He further notes that statistics from Mandiant indicate that it takes companies an average of 416 days to detect a cybersecurity breach (Karol 2013).

Regardless of whether such lingering attacks occur or not, it is prudent for airports to make every attempt to detect attacks as quickly as possible. The following practices can help achieve that goal.

Anomalous activity should be reported and analyzed to determine whether it is benign or malicious. Anomalous activity is system, device, or network behavior that differs from the norm. Users may observe activity such as slow response and refresh rates, inappropriate information and controls (e.g., links, pop-ups, entry boxes) on a website, and redirection to suspicious domain names. Trained cybersecurity professionals may notice network activity such as connections to IP addresses not required by an application, scanning of ports and services on a network, user logins to unusual systems or at unusual times, simultaneous login attempts using one set of credentials, and abnormally large data downloads (DarkTrace 2014). In order to determine what activity is anomalous, it is important to first understand what activity is "normal" (Stotts and Lippenholz 2014). Martin Roesch, founder of Sourcefire, a cybersecurity services provider, explains: "once you're aware of how your network works, the applications people use, and the amount of bandwidth they chew up, you'll be able to spot anomalies that will help you identify an attack" (Karol 2013). This baseline is defined by details such as which applications and systems communicate over which ports, which users have access to specific applications, and typical ranges of network speed and data transfer volumes. IT professionals should collect and document this information as part of the inventory described earlier. Anomalous activity may be detected by continuous monitoring (described next) or by users, who should be encouraged as part of cybersecurity training to report computer or network behavior that they feel is outside the norm.

Continuous monitoring involves software and hardware, installed on premises or at a cloud-based provider, that monitors application, database, system, and network activity. Events, data requests, login attempts, port scans, and other activities are recorded in logs that can be analyzed by increasingly sophisticated software and by trained professionals. Monitoring tools and services are rapidly being developed to confront the growing frequency and sophistication of cyber threats. Some of the options can be very expensive, while others are less expensive or in some cases free. It is outside the purview of this document to recommend vendor solutions, and such recommendations would rapidly become out of date. It is therefore recommended that airport cybersecurity professionals become acquainted and remain up to date with industry product and service offerings. They should also talk with peers at other airports to gain referrals and testimonials regarding offerings that have or have not worked.

Event triggers can be set on software and systems to alert IT staff or third parties of activity that strays outside of acceptable norms.
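As an added example (not code from the guidebook or its cited sources), the following Python script makes the baseline and the triggers just described concrete. It parses a handful of constructed log lines, compares them against a documented baseline of allowed application flows, each user's normal login hosts and hours, and typical transfer sizes per server, and raises an alert for each kind of anomaly listed above: a connection to an address the application does not need, a port scan, a login at an unusual hour to an unusual system, one credential active from two sources at once, and an abnormally large transfer. The log format, host names, addresses, user name, baseline values and thresholds are all assumptions chosen for illustration.

```python
"""Baseline-versus-observed triggers over constructed airport network logs.

Added example; not code from the guidebook. The log format, hosts, addresses,
user names, the documented baseline and the thresholds are all assumptions.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed log lines: "conn" records a network flow, "login" an interactive
# logon. The 10.20.7.99 lines imitate a port sweep of one server.
SAMPLE_LOG = "\n".join([
    "2024-03-05T09:01:00 login user=jdoe host=fids-app01 src=10.20.1.15",
    "2024-03-05T09:02:10 conn src=10.20.1.15 dst=10.20.5.8 dport=1433 bytes=48000",
    "2024-03-05T09:03:00 conn src=10.20.1.15 dst=10.20.5.8 dport=1433 bytes=51000",
    "2024-03-05T09:03:30 conn src=10.20.1.15 dst=203.0.113.7 dport=443 bytes=900",
    "2024-03-05T02:14:07 login user=jdoe host=badge-db01 src=198.51.100.23",
    "2024-03-05T02:14:40 login user=jdoe host=fids-app01 src=10.20.1.15",
    "2024-03-05T02:15:00 conn src=198.51.100.23 dst=10.20.5.8 dport=1433 bytes=900000",
] + [f"2024-03-05T02:16:{i:02d} conn src=10.20.7.99 dst=10.20.5.8 dport={20 + i} bytes=60"
     for i in range(12)])

# The documented "normal" (assumed values): flows the inventory says applications
# need, each user's usual hosts and login hours, typical bytes per connection.
BASELINE = {
    "allowed_flows": {("10.20.1.15", "10.20.5.8", 1433)},
    "users": {"jdoe": ({"fids-app01"}, (6, 20))},  # (hosts, (start_hour, end_hour))
    "typical_bytes": {"10.20.5.8": 50_000},
}


@dataclass(frozen=True)
class Thresholds:
    """Trigger settings; loosening or tightening these moves the false-positive rate."""
    scan_ports: int = 10                                 # distinct ports from one source
    scan_window: timedelta = timedelta(seconds=60)       # within this window
    concurrent_window: timedelta = timedelta(minutes=5)  # one credential, >1 source
    large_factor: float = 10.0                           # bytes above factor x typical


LINE_RE = re.compile(r"^(\S+) (conn|login) (.*)$")


def parse(text):
    """Turn log lines into dicts sorted by timestamp; malformed lines are dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, kind, rest = m.groups()
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"], ev["kind"] = datetime.fromisoformat(ts), kind
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect(events, base, th=Thresholds()):
    """Return (rule, detail) alerts; each rule fires once per key to limit noise."""
    alerts, fired = [], set()
    conn_hist, login_hist = defaultdict(list), defaultdict(list)

    def alert(rule, key, detail):
        if (rule, key) not in fired:
            fired.add((rule, key))
            alerts.append((rule, detail))

    for e in events:
        ts = e["ts"]
        if e["kind"] == "conn":
            src, dst, dport, nbytes = e["src"], e["dst"], int(e["dport"]), int(e["bytes"])
            if (src, dst, dport) not in base["allowed_flows"]:
                alert("unexpected_flow", (src, dst), f"{src}->{dst}:{dport} not in baseline")
            typical = base["typical_bytes"].get(dst)
            if typical and nbytes > th.large_factor * typical:
                alert("large_transfer", (src, dst), f"{src}->{dst} moved {nbytes} bytes")
            conn_hist[src].append((ts, dport))
            recent = {p for t, p in conn_hist[src] if ts - t <= th.scan_window}
            if len(recent) >= th.scan_ports:
                alert("port_scan", src, f"{src} touched {len(recent)} ports on {dst}")
        else:
            user, host, src = e["user"], e["host"], e["src"]
            profile = base["users"].get(user)
            if profile is None:
                alert("unknown_user", user, f"{user} has no baseline profile")
            else:
                hosts, (start, end) = profile
                if host not in hosts:
                    alert("unusual_host", (user, host), f"{user} logged in to {host}")
                if not start <= ts.hour < end:
                    alert("unusual_time", (user, ts.date(), ts.hour), f"{user} logged in at {ts.time()}")
            login_hist[user].append((ts, src))
            sources = {s for t, s in login_hist[user] if ts - t <= th.concurrent_window}
            if len(sources) > 1:
                alert("concurrent_logins", user, f"{user} active from {sorted(sources)}")
    return alerts


def run_sample(th=Thresholds()):
    """Run the detector over the constructed sample with the given thresholds."""
    return detect(parse(SAMPLE_LOG), BASELINE, th)


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:18} {detail}")
```

The Thresholds values are where tuning happens. Raising scan_ports to 20 silences the scan alert for the 12-port sweep in the sample, while lowering large_factor to 1.0 flags a routine 51,000-byte database query as a large transfer, the kind of false alert that wears responders down. Running the script prints the alerts; run_sample(Thresholds(...)) lets different settings be compared against the same constructed log.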
Care should be taken to ensure that an abnormally high rate of false alerts does not overload the individuals tasked with responding and cause them to become complacent. At the same time, the triggers should not be set so narrowly that activity that should be reviewed is not identified. Penetration testing is used to determine whether the triggers detect the events desired.

Antivirus and malware detection software should be installed on endpoint systems such as desktops, laptops, and mobile devices. These tools do not always catch even known threats targeting these devices (Stotts and Lippenholz 2014), but the threats they do detect should be recorded to identify trends or related activities that may be more successful.

Inappropriate human behavior is an anomalous activity that all staff, consultants, and tenants should be trained to observe and required to report. Individuals trying to gain access to areas where secure systems or network infrastructure are present should be reported to security personnel. Similarly, individuals appearing to observe others to gain information such as passwords, or to steal sensitive documents, should also be reported.

Cybersecurity detection should not be limited to detecting attacks, whether successful or not. Countermeasures that are not implemented or carried out as required should also be observed, reported, and remedied. In some cases, airport staff members, consultants, and tenants will be able to identify countermeasures that are not implemented properly. In other cases, a trained staff member is required. Common examples of countermeasures not being carried out include the following:

Not following policies or procedures that are designed to implement countermeasures, such as those governing the handling of SSI, prohibiting writing down and displaying passwords, and restricting browsing of non-work-related sites.
Such infractions should be reported and recorded, not only as a means of addressing individual infractions but, perhaps more importantly, to improve awareness and training so that they do not continue to occur.

Not attending training will likely cause staff members to forget some of the policies and procedures they are required to carry out and to be unfamiliar with the latest threats, and the airport may fall out of compliance with contracts and regulations. To avoid this, employees should be required to attend training periodically, and records of their attendance should be kept.

Contracts and agreements should be reviewed to ensure that airport policies, procedures, and specifications with regard to cybersecurity are properly incorporated. Not only procurement managers but also the IT and facility project managers, who may be more familiar with the technical requirements, should conduct these reviews.

The detection of attacks and of inappropriately applied countermeasures is a large but critical task. Individuals who fulfill the roles defined earlier in this document should participate to the extent that they are technically able. This responsibility should be conveyed and made clear to them as part of required cybersecurity training. Even with such a concerted effort, airports may need to seek help from outside service providers. "It's difficult for [most government and commercial entities] to build and maintain the infrastructure and capabilities needed to effectively monitor and analyze data on hundreds of thousands of systems on a daily basis," note Richard Stotts and Scot Lippenholz of Booz Allen Hamilton. This is due to staff availability and the need to keep up to date with cybersecurity threats and available countermeasures. Fortunately, organizations focused on this mission, such as the DHS, FBI, CIA, local law enforcement agencies, ISACs, and a wide variety of vendors, are able to assist.

Responding to an Attack

A cybersecurity program should have a process in place to respond quickly and effectively to cybersecurity attacks while minimizing the duration of their impact. The first objective in a response is to identify the data and systems that are affected as well as the vector used to circumvent countermeasures. The second objective is to communicate what is known to relevant stakeholders and to collaboratively carry out an effective response. This response should contain the attack to the data and systems already affected, to the extent possible, and then close the vector used by the actor to limit further infiltration. To achieve these objectives, the following steps should be carried out:

• Collect data from logs and users.
Scans of potentially affected systems should be conducted to provide additional information. External contact with agencies and peer airports may also provide information on known threats or similar attacks experienced by others. Depending on the severity and complexity of the attack, a digital forensics examination by a qualified third party and interaction with law enforcement officials may be warranted.

• Analyze the information collected in the previous step to understand the impact of the attack as well as the vector that successfully avoided countermeasures. The impact analysis should span the affected systems as well as other connected systems and network devices. Using this information, the investigator should attempt to understand the motive of the attack, such as stealing confidential information, disrupting operations, or damaging the airport's reputation. Consideration should also be given to the tools, techniques, and methods used to deliver the malicious payload to the compromised system or infrastructure component.

• Contain the attack by temporarily or permanently closing the attack vector used, isolating any malware or corrupt data that could cause further harm, and restricting users from relying on affected systems until recovery to normal operations is complete.

• Communicate that the attack has occurred, and any relevant details, to senior management, affected parties, those who can assist, and law enforcement officials. Some of the information about the attack, and even the fact that an attack has occurred, may be considered SSI or confidential. Accordingly, information should be shared with the appropriate stakeholders according to a pre-defined communication plan. Contacts at relevant agencies should already have been established so that those who can help are already familiar with the airport's data and systems to the extent they need to be.
Third-party service providers should already have been identified and, if possible, placed under an on-call contract so that they can be brought in quickly to assist. Senior management and legal staff should also review and approve any potentially sensitive information before it is released. Some information may even result in legal action against the airport if victims or attacker(s) are inappropriately identified.
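As an added example (not code from the guidebook), the following Python script shows one way to carry out the analysis and containment steps above on the connection data gathered in the collection step. Given the host first identified as compromised and the earliest time there is evidence of the compromise, it replays recorded connections in time order to find which other systems the intrusion could have reached and by what path, lists the inbound connections to that host that are candidates for the entry vector to close, and orders the reached hosts for isolation by their documented criticality. The host names, flow records, criticality scores and timestamps are constructed for illustration.

```python
"""Scope the impact of a compromised host from observed connections.

Added example; not code from the guidebook. Host names, flows, criticality
scores and the compromise time are constructed for illustration.
"""
from datetime import datetime

# Constructed flow records (timestamp, src, dst, dport), assumed to come from
# the same continuous-monitoring logs used for detection.
FLOWS = [
    ("2024-03-05T01:50:00", "fids-app01", "badge-db01", 1433),  # before the compromise
    ("2024-03-05T02:14:07", "vpn-gw", "badge-db01", 3389),      # suspected entry
    ("2024-03-05T02:20:00", "badge-db01", "fids-app01", 445),
    ("2024-03-05T02:31:00", "badge-db01", "backup-srv", 22),
    ("2024-03-05T02:40:00", "fids-app01", "fids-display-12", 80),
    ("2024-03-05T03:05:00", "hr-web", "badge-db01", 1433),      # inbound only; not spread
    ("2024-03-05T04:00:00", "backup-srv", "dr-site", 873),
]

# Assumed criticality from the prioritized inventory (5 = most critical).
CRITICALITY = {"badge-db01": 5, "backup-srv": 5, "dr-site": 4, "fids-app01": 3,
               "vpn-gw": 2, "hr-web": 2, "fids-display-12": 1}


def blast_radius(flows, patient_zero, since):
    """Hosts the compromise could have spread to, with first-contact time and path.

    Flows are replayed in time order, so a host can only spread the compromise
    through connections it made after it was itself reached, and only in the
    direction of the connection. A connection *into* an already reached host
    does not add its source to the radius.
    """
    since = datetime.fromisoformat(since)
    reached = {patient_zero: (since, [patient_zero])}
    for ts, src, dst, _port in sorted(flows):
        t = datetime.fromisoformat(ts)
        if t < since or src not in reached or dst in reached:
            continue
        reached[dst] = (t, reached[src][1] + [dst])
    return reached


def entry_candidates(flows, patient_zero, since):
    """Inbound connections to patient_zero at or after `since`, earliest first.

    The earliest of these is the likeliest vector to close during containment.
    """
    since = datetime.fromisoformat(since)
    return [(ts, src, port) for ts, src, dst, port in sorted(flows)
            if dst == patient_zero and datetime.fromisoformat(ts) >= since]


def containment_order(reached, criticality):
    """Isolate the most critical, earliest-touched hosts first."""
    return sorted(reached, key=lambda h: (-criticality.get(h, 0), reached[h][0]))


if __name__ == "__main__":
    since = "2024-03-05T02:14:00"
    radius = blast_radius(FLOWS, "badge-db01", since)
    for host in containment_order(radius, CRITICALITY):
        t, path = radius[host]
        print(f"{host:16} first contact {t.time()}  via {' -> '.join(path)}")
    print("entry candidates:", entry_candidates(FLOWS, "badge-db01", since))
```

The start time should be the earliest evidence of compromise, not the moment of detection. Starting the replay too late hides lateral movement that already happened: with a start time of 02:35 in the sample, the connections to fids-app01 and backup-srv at 02:20 and 02:31 are ignored and only badge-db01 remains in the radius, so those systems would be missed by the containment step.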
All response activities should adhere to the airport's policies and procedures. Since time is of the essence during a response, individuals who fulfill the roles required during a response should already be aware of and trained on these policies and procedures. External resources should be considered, and perhaps already under contract, to assist in a response. Often such external resources have the specialized training, experience, and resources needed to respond and recover effectively.

Responding to a cyberattack demands immediate time and attention, especially from those whose task it is to protect the airport. The challenge is for those resources not to divert so much of their attention to the attack that they let their guard down, which could increase the likelihood of another, possibly more harmful, attack. This need to maintain countermeasures during the response to a successful attack should be taken into consideration when deciding whether to tap external service providers for response and recovery activities (Stotts and Lippenholz 2014).

Recovery to Normal Operations

After the immediate response has contained the attack and appropriate stakeholders have been alerted, steps should be taken to bring the organization back to a normal state of operation as quickly and efficiently as possible. Disrupted operations and associated reputational losses are among the negative effects that a quick recovery can minimize.

As with detecting anomalous activity, it is important to have a clear idea of what normal operations means before attempting to achieve that goal. What systems should be operational, what data is needed, and which users need access to which systems are questions that should be answered and documented long before an attack occurs. These normal data, systems, and capabilities should also be prioritized so that the most critical and widely used can be addressed first in the recovery process.
The recovery of these and eventually of all affected data and systems can then proceed with the following steps:

• Remove malicious software and corrupt data permanently from systems that have been affected. Malicious software includes malware, worms, and other forms of code that infiltrate a network and enable data to be stolen, corrupt data, or disrupt system operations. Such code can often linger for long periods of time before it is detected. Attempts to contain the problem during the initial response may be temporary or may restrict valid capabilities that need to be reinstated to attain normal operations. Eventually, the malicious code should be removed permanently. In some cases, antivirus, malware, and spyware detection software can accomplish this, but with more sophisticated attacks this may be difficult if not impossible. It is often more efficient to isolate and then rebuild an infected system. This process is facilitated by using virtual machines, which can be imaged and then quickly reinstated from a backed-up image.

• Recover data, software, or systems from archived backups. Information in the form of digital files and database records should be backed up frequently, so that little data is lost if it needs to be recovered. The backup frequency depends on how often the data is updated and the cost of recovering updates that may be lost between backups. Software can be reinstalled, but any local configurations should be saved and backed up where possible. Entire systems can be rebuilt, although this can be a time-consuming process. One of the advantages of using virtual machines is that an entire image of a machine, encompassing the operating system, installed software, and data, can be quickly restored with little or no reconfiguration. Because malicious code can linger undetected for months, the image or backup used for restoration should be one that predates the compromise; otherwise it will reintroduce the problem.

• Reauthorize access to data and systems that may have been isolated during the containment step of a response.
This may involve reinstating user access rights, reopening network communication ports and protocols, and bringing systems back online.

• Reset credentials that may have been compromised as a result of an attack. Stealing user access credentials as a means of gaining access to sensitive data, other systems, or money is a common goal of an attack. If such credentials are, or are suspected of being, compromised, they should be reset so that users have to establish new passwords or are issued new user identifiers.

• Inform users that their data and systems have been recovered and that they can resume operations as normal.

Other steps may be required based on the nature of the attack and the degree of impact. The documentation that describes the normal state of operations can be used as a guide to identify additional recovery activities that may be required.

The recovery activities just described should be reflected in a response and recovery plan. Continuity of operations (COOP) plans are one such type of plan; the practice was initiated by the federal government during the Cold War and formalized by National Security Presidential Directive 51 and Homeland Security Presidential Directive 20. These plans ensure that "Primary Mission-Essential Functions continue to be performed during a wide range of emergencies, including localized acts of nature, accidents, and technological or attack-related emergencies." These directives require federal agencies to take such an approach, but transportation organizations have found them relevant to the response to and recovery from cyberattacks. Fewer than a quarter of the organizations surveyed by this project and by a similar one conducted for transit and highway transportation organizations [NCHRP Project 20-59(48)] indicated that they have a COOP plan for their transportation operations systems [14 of 63 (22%) who responded to the question]. Slightly more [17 of 63 (27%) who responded to the question] indicated that they have a COOP plan for their enterprise data systems. A higher percentage of respondents [23 of 63 (37%)] have a COOP plan for both operations and data systems.
Regardless of whether a formal COOP plan is established, a documented plan to respond to and recover from cybersecurity attacks is recommended for airports.

Lessons Learned

An organization that has been successfully attacked should not return to normal operations as defined by the state of operations prior to the attack. New countermeasures, some of which may alter activities previously defined as "normal," may need to be implemented. The second part of the old adage "fool me twice, shame on me" should be ample motivation to implement new countermeasures to prevent the same attack from affecting an airport more than once. In reality, attackers are constantly learning lessons as well, and the vector, targets, and vehicles used to carry out a successful cyberattack may not be repeated in exactly the same manner. It is therefore important to learn lessons from attacks on one's own organization as well as on peers and competitors, whether those attacks were successful or not. Information sharing has proven to be one of the most effective countermeasures in the financial services industry, where competitors share lessons learned to benefit the entire industry.

These lessons learned should be applied to change policies and procedures and to implement new or improved countermeasures. The efficiency and effectiveness of the response to and recovery from an attack should also be reviewed to make improvements for the future. Metrics that attempt to quantify the cost of the attack in terms of operational downtime, loss of data and reputation, response, and recovery should also be recorded to reassess the return on investment that additional measures may provide. Senior management should also reassess their tolerance for cyberattack risk and make future investment decisions accordingly.