1 of 34

Digital Leaders Exchange January 2024

NCDPI K-12 Cybersecurity Program

PSU Incident Response

Timothy Wease, NCDPI

Jason Shirley, MCNC

https://sci.fi.ncsu.edu/cybersecurity/

January 29 - February 1, 2024

Agenda

  • NCDPI K-12 Cybersecurity Program Overview
  • Incident Response Management

NCDPI K-12 Cybersecurity Program Overview

Cybersecurity Program Purpose and Goal

NCDPI established the K-12 Cybersecurity Program with a purpose of organizing and aligning business and technical cybersecurity functions holistically across the state so that PSU and NCDPI stakeholders have greater visibility into the people, processes, and technologies deployed and have a measurable way to determine whether those efforts are sufficient and correct for current and future needs.

The goal is to help all PSUs achieve essential cyber hygiene

Program Management

The K-12 Cybersecurity Program is composed of cross-functional, heterogeneous teams that work on the program's tasks and deliverables.

  • Cybersecurity Executive Committee (CEC)
  • Cybersecurity Core Teams (CCT)
  • Cybersecurity Advisory Council (CAC)
    • 2 PSU representatives from each of the 8 education regions

Program Strategy

The K-12 Cybersecurity Program Governance aligns with the following three major components:

The goal is to help all PSUs achieve essential cyber hygiene

Program Services and Resources

  • The NCDPI K-12 Cybersecurity Program represents the specific people, processes, and technologies that, when implemented together, reduce risk and enhance the cybersecurity posture of each PSU

  • The following is the current list of services and tools available to all PSUs through the NCDPI K-12 Cybersecurity Program and other State and Federal resources

Program Services and Resources

  • Security Awareness and Skills Training (FI/KnowBe4)
  • Email and Web Browser Protection (MCNC/zScaler)
  • Network Infrastructure Management (MCNC/Palo Alto)
  • Malware Defenses (MCNC/CrowdStrike)
  • Continuous Vulnerability Management (Kenna, Shodan, Nessus, FI)
  • Inventory and Control of Enterprise Assets (FI/runZero)
  • Account and Access Control Management (NCDPI/RapidIdentity)
  • Network Monitoring and Defense (MCNC, FI, NCLGISA)
  • Incident Response Management (NCJCTF, MCNC, FI, NCDPI)
  • Network and Cybersecurity Consulting (MCNC, FI, NCLGISA)

IR Partner Services and Resources

  • NCLGISA IT Strike Team - The IT Strike Team is a group of NCLGISA members who volunteer their time and talents to help out in times of need. The Strike Team has partnered with NC Emergency Management to provide IT support where needed in times of disaster, but it is also available to any NCLGISA member who needs additional resources to address emergency issues.
  • North Carolina National Guard (NCNG) - The NCNG CSRF mission is to conduct defensive cyberspace operations to support mission requirements as directed by The Adjutant General or Governor. Specifically for North Carolina, the CSRF provides cyber security assistance to State, Local, and Critical Infrastructure providers.

Key Program Contact information

Tim Wease

Phone: (984) 236-2269

Email: timothy.wease@dpi.nc.gov

Calendar: Book time with my calendar

Team outreach:

k12cybersecteam@dpi.nc.gov

Program Website:

https://sci.fi.ncsu.edu/cybersecurity

Incident Response Management

Incident Response Purpose

  • The NCDPI K-12 Cybersecurity Program goals and provided services align with a simple prevention, detection, and response layered approach to mitigating cybersecurity risk.
  • There is no such thing as perfect cybersecurity and thus PSUs have to be ready to respond and recover when an incident occurs.
  • The purpose of incident response is to effectively manage and mitigate the impact of cybersecurity incidents that threaten the confidentiality, integrity, and availability of an organization's information systems, data, and resources.

Incident response aims to minimize damage, reduce downtime, and restore normal operations as quickly as possible after an incident occurs.

PSU Incident Response Toolkit

NCDPI and the K-12 Cybersecurity Program partners have assembled an IR Toolkit that includes four essential components to equip PSUs with the tools and knowledge to effectively detect, respond to, and recover from cyber incidents.

  • Incident Response Guidelines: NIST SP 800-61r2
  • Incident Response Policy: IR Policy Examples
  • Incident Response Plan: NCDPI IR Plan Template
  • Incident Response Procedures

https://go.ncdpi.gov/PSU-IR-Toolkit

Incident Response Plan

  • The Incident Response Plan Template provides a well-defined and organized approach for responding to cybersecurity events or incidents within a PSU.
  • It provides a framework and processes for developing consistent approaches and allocating resources to facilitate detection, identification, containment, eradication, and recovery from cyber incidents.

  • This plan is based on NIST 800-61r2 guidelines and aligns with NCDIT Incident Response Policy, applicable North Carolina General Statutes, and industry best practices.

Incident Response Plan - Elements

  • Key Points of Contact - CIRT, State, and External Support

  • Major Incident Handling Steps

  • Purpose, Scope, Governance, and Approval

  • Roles and Responsibilities

  • Cybersecurity Incident Response Lifecycle
    • Preparation
    • Detection & Analysis
    • Containment, Eradication, and Recovery
    • Post-Incident Activity

  • Incident Response Toolkit Index

  • Tabletop Exercise Resources

Incident Response IT Roles & Responsibilities

IR Team Leader (IR Team Administrator Delegate)

  • Responsible for overall leadership and management of the IR Team
  • Responsible for declaring an incident, invoking incident response plans, and reporting to applicable local, state, and federal partners (e.g., notifying NCDIT of the incident within 24 hours)
  • Assigns the IR Team Lead Investigator and identifies resources needed during all stages of incident response
  • Coordinates with executive leadership to establish incident response policy, budget, and staffing
  • Coordinates with executive leadership teams regarding communications, finance, external engagements, human resources, academics, and potential operational and business changes/shifts
  • Responsible for ensuring all stages of incident response are thoroughly documented and serves as the point of contact for legal counsel, insurance representatives, communications/PR, and other internal stakeholders about the incident and response.
  • Collects and documents incident details and response activities
  • Leads post-mortem discussions to determine root cause, necessary changes/updates, response strengths/weaknesses, and lessons learned.
  • Responsible for overseeing and prioritizing response activities to ensure complete detection, analysis, and containment of the security incident
  • Facilitates information sharing and coordination of activity across the PSU to support rapid response and recovery, as well as meet contractual and regulatory obligations
  • Involves relevant external parties during the incident response as needed and remains an involved party in any external investigations or remediation activities

IR Team Lead Investigator

  • Named by the Team Leader and responsible for coordinating comprehensive response activities (network/hardware/software), including most technical aspects of the incident. NOTE: this role may be filled by external technical experts skilled in detection and response.
  • Monitors information systems for potential security events
  • Receives reports of security events from end users
  • Conducts initial triage of event to determine if an Information Security or Privacy Incident has occurred
  • Completes analysis, containment, eradication, and recovery actions as directed by the IR Team Leader
  • Serves as SME during any external IR investigations or remediation activities, as needed

Incident Response Procedures

  • Procedures are based on the incident response policy and plan

  • Standard operating procedures (SOPs) are a delineation of the specific technical processes, techniques, checklists, and forms used by the incident response team

  • SOPs standardize responses and assist with minimizing errors, particularly those that might be caused by stressful incident handling situations

  • SOPs should be tested to validate their accuracy and usefulness, then distributed to all team members

  • Training should be provided for SOP users

Incident Response Procedures

Reporting Process for NCDIT

  • This procedure documents the NCDIT incident reporting process as required under North Carolina General Statute 143B-1379.

Compromise Questionnaire

  • This procedure provides aid in the initial analysis of an incident through a series of questions designed to gather and record important information during an incident. This information further helps with planning and assigning resources, as well as the incident closure process.

Incident Response Procedures

IR Network and System Inventory

  • This procedure provides a template for PSUs to identify and document key elements of their infrastructure and services offered to their customers.

IR Handling Checklist

  • This checklist documents that the required action items have been completed during all stages of the incident response process. It was developed with guidance from NIST in combination with current PSU incident response procedures.

Incident Response Procedures

Communication and Coordination

  • This procedure provides guidance on communication and coordination activities during a cybersecurity incident response, such as:
    • CIRT team workspace
    • Out-of-band communication
    • Incident update cadence
    • Stakeholder notification

IR Investigation Ledger

  • This procedure provides a template for documenting the incident response, such as:
    • IOCs
    • Evidence Log
    • Compromised or accessed hosts
    • Compromised accounts
    • Incident Response Timeline
    • Threat Actor Timeline

Incident Response Procedures

Evidence Preservation and Safeguarding

  • This procedure provides the CIRT with best practices to consider when collecting and storing artifacts as part of the incident response analysis phase.

IR Reporting Elements

  • This procedure documents a standard set of incident-related data elements to be collected for each incident. Identifying this set of data will facilitate more effective and consistent incident handling and assist in meeting applicable incident reporting requirements.

Incident Response Procedures

Lessons Learned Checklist

  • This procedure provides a checklist of questions for the CIRT to consider when conducting a lessons-learned review after an incident.

Tabletop Exercise

  • A discussion-based exercise where key stakeholders and participants discuss and simulate a hypothetical incident scenario
  • The scenario is presented in the form of a narrative that outlines the details of the incident, its impact, and the progression of events
  • The participants work through the scenario collaboratively, discussing and deciding how they would respond at various stages of the incident
  • Tabletop exercises are an essential part of maintaining a proactive and effective incident response capability
  • Tabletop exercises ensure that organizations are prepared to handle unexpected incidents in a controlled and efficient manner
  • Best Practice: Tabletop exercises should be performed within each PSU on an annual basis.

Free TTX Resources in IR Plan Template - Appendix B

Incident Response Playbook

  • IR Playbooks will be based on the incident response policy and plan.

  • An IR Playbook will provide the incident response team with specific technical processes, techniques, checklists, and actions to perform during incident response.

  • IR Playbooks will be developed for the most common cyber incidents, e.g. ransomware, malware, insider and privilege misuse, targeted intrusion, web application hacking, ...

Ransomware Playbook

DESCRIPTION

Ransomware is malware that encrypts a user's or organization's data, denying access to files, databases, or applications until a ransom is paid (typically in a form of e-currency, e.g. Bitcoin). A ransomware incident will have the following characteristics:

  • Files cannot be opened or are scrambled. Errors indicate the file is corrupt or has the wrong extension.
  • Systems or applications cannot be accessed.
  • A message window states that your files have been encrypted and gives instructions on how to pay the ransom to restore access. A countdown indicates the deadline to pay the ransom.

Ransomware Playbook

PREPARATION

Cyber Hygiene Safeguards

  • Implement user account least privilege (domain and local).
  • Implement multi-factor authentication (MFA).
  • Implement least privilege network segmentation.
  • Turn off unused wireless connections.
  • Implement firewall geo-blocking for suspicious domains and regions.
  • Ensure anti-virus/anti-malware software is up-to-date and scans are scheduled and performed regularly.
  • Implement application allow-listing to prevent unauthorized or malicious software from executing.
  • Perform data backups often and ensure a copy is kept offline in a separate, secure location to prevent malicious encryption.
  • Implement security monitoring and system logging for incident detection.
  • Perform vulnerability scanning and system patching on a monthly or more frequent basis.
  • Provide Information Security Awareness training to teachers, staff, and students.
  • Run tabletop exercises to identify any potential gaps in the Incident Response Plan and/or Incident Response Playbook.

Ransomware Playbook

DETECTION

[Flowchart: Detection steps - Ransomware Confirmed, Activate CIRT, Notify PSU Leadership, Notify NCDPI/NCDIT/JCTF, Notify Cyber Insurance; next phase: Containment]

Ransomware Confirmed

  • Receive notification from teachers, staff, and/or students via Help Desk incident ticket, email, text, or phone.
  • Identify indicators of compromise in the Firewall.
  • Receive alerts from anti-virus/anti-malware service.
  • Identify indicators of compromise through DNS/Web Filtering services.

Activate CIRT

  • Assemble members of the Cybersecurity Incident Response Team (CIRT) as defined in the PSU Incident Response Plan.
    • IR Team Lead: John Doe | john.doe@psu.edu | 919.987.6543
    • Legal Counsel: Perry Mason | perry.mason@psu.edu | 919.654.3219

Notify PSU Leadership

Ransomware Playbook

CONTAINMENT

Identify Affected Hosts

  • Identify all hosts with reported ransomware.
  • Conduct an investigation to identify other potentially infected devices. Potential indicators of compromise (IoC) include:
    • Anomalous file activity - high volume of file renaming, writes to local disks, disk encryption.
    • Increased CPU and disk activity on endpoints
    • Inability to access files
    • Application failures
    • Suspicious network traffic
    • Anomalies in privileged user account activity
    • Geographical irregularities
    • Suspicious registry or system file changes
    • DNS request anomalies
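
The first indicator above, a high volume of file renaming, is one of the few that can be turned into an automated detection with nothing more than file-event telemetry. The following Python is an added example (not part of the NCDPI playbook or toolkit): a sliding-window detector that reads file-event log lines, counts RENAME events per host inside a rolling window, and raises one alert per host when the count crosses a threshold. The log line format, the threshold of 50 renames in 60 seconds, and the host names, users and paths in the constructed sample are all assumptions for illustration.

```python
"""Sliding-window detector for the "high volume of file renaming" indicator.

Added example, not from the NCDPI playbook. Input lines are constructed as:
<ISO-8601 UTC timestamp> <host> <user> <ACTION> <detail>
where the detail of a RENAME is "old_path -> new_path".
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Tunables (assumed, not from the playbook). A single host renaming this many
# files inside the window is treated as possible mass encryption.
RENAME_THRESHOLD = 50
WINDOW = timedelta(seconds=60)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>[A-Z]+) (?P<detail>.*)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "action": m["action"], "detail": m["detail"]}


def new_extension(detail):
    """For a RENAME detail 'old -> new', return the new file's extension."""
    new_path = detail.split(" -> ", 1)[1]
    name = new_path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_rename(lines, threshold=RENAME_THRESHOLD, window=WINDOW):
    """Return {host: (alert_time, renames_in_window, sorted new extensions)}.

    Lines are expected in time order, as they arrive from a log forwarder.
    """
    recent = defaultdict(deque)   # host -> deque of (ts, extension) inside the window
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "RENAME":
            continue
        q = recent[ev["host"]]
        q.append((ev["ts"], new_extension(ev["detail"])))
        while q and ev["ts"] - q[0][0] > window:   # drop events older than the window
            q.popleft()
        if len(q) >= threshold and ev["host"] not in alerts:
            alerts[ev["host"]] = (ev["ts"], len(q), sorted({ext for _, ext in q}))
    return alerts


def build_sample_log():
    """Constructed sample, not real telemetry: HOST-LAB01 renames 60 files to a
    '.locked' extension in about 35 seconds; HOST-LIB02 does ordinary work."""
    base = datetime(2024, 1, 29, 8, 0, 0)
    lines = []
    for i in range(60):
        ts = (base + timedelta(seconds=0.6 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} HOST-LAB01 jdoe RENAME C:\\Users\\jdoe\\Documents\\f{i}.docx"
                     f" -> C:\\Users\\jdoe\\Documents\\f{i}.docx.locked")
        if i % 10 == 0:   # a little benign activity interleaved from another host
            lines.append(f"{ts} HOST-LIB02 asmith WRITE C:\\Users\\asmith\\notes.txt")
            lines.append(f"{ts} HOST-LIB02 asmith RENAME C:\\Users\\asmith\\draft{i}.txt"
                         f" -> C:\\Users\\asmith\\final{i}.txt")
    return lines


if __name__ == "__main__":
    for host, (when, count, exts) in detect_mass_rename(build_sample_log()).items():
        print(f"ALERT {host}: {count} renames within {WINDOW.seconds}s at "
              f"{when.isoformat()}, new extensions {exts}")
```

On the constructed sample only HOST-LAB01 trips the detector, at the 50th rename; the second host's six ordinary renames stay below the threshold. In practice the window and threshold should be tuned against a PSU's own baseline (bulk student-file migrations and backup jobs also rename at volume), which is why the alert carries the set of new extensions: a single unfamiliar extension across every renamed file is a much stronger signal than the count alone.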

[Flowchart: previous phase Detection; Containment steps - Identify Affected Hosts, Isolate Affected Hosts, Reset Impacted User/Host Credentials; next phase: Analysis]

Isolate Affected Hosts

Ransomware Playbook

ANALYSIS

Preserve Evidence

  • Collect compromised system data:
    • Ransomware notification notice
    • Encrypted files
    • Event logs
    • Application logs
    • Alert events
    • Forensic images
    • In-memory processes
    • Network traffic logs
    • Renamed files
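
The artifacts listed above are what the IR Investigation Ledger and Evidence Preservation procedures (earlier in this deck) are meant to track: what was collected, from which host, by whom, whether the copy examined later is still the copy that was collected, and how the response and threat-actor timelines line up. The Python below is an added example and is not part of the NCDPI IR Toolkit. It hashes each artifact with SHA-256 at collection time so a later copy can be checked for tampering or transfer corruption, keeps a chain-of-custody trail per item, tracks compromised hosts, accounts and IoCs, and merges the two timelines into one ordered view. The incident id, host and user names, artifact contents and events are constructed.

```python
"""Investigation ledger with evidence integrity checks and a merged timeline.

Added example, not part of the NCDPI IR Toolkit. All identifiers below are
constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    source_host: str
    sha256: str                                   # digest recorded at collection time
    custody: list = field(default_factory=list)   # (when, who, action) entries


class Ledger:
    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.evidence = {}              # item_id -> EvidenceItem
        self.compromised_hosts = set()
        self.compromised_accounts = set()
        self.iocs = []                  # {"type": ..., "value": ...}
        self.events = []                # (iso_timestamp, track, text); track = "response" | "actor"

    def add_evidence(self, item_id, description, source_host, collected_by, content: bytes, when):
        """Hash the artifact as collected and open its chain of custody."""
        item = EvidenceItem(item_id, description, source_host, sha256_hex(content))
        item.custody.append((when, collected_by, "collected"))
        self.evidence[item_id] = item
        self.compromised_hosts.add(source_host)
        return item

    def record_custody(self, item_id, when, who, action):
        self.evidence[item_id].custody.append((when, who, action))

    def verify(self, item_id, content: bytes) -> bool:
        """True if this copy still matches the digest recorded at collection."""
        return self.evidence[item_id].sha256 == sha256_hex(content)

    def log_event(self, when, track, text):
        if track not in ("response", "actor"):
            raise ValueError("track must be 'response' or 'actor'")
        self.events.append((when, track, text))

    def timeline(self):
        """All events in time order; ISO-8601 UTC strings sort lexically."""
        return sorted(self.events)

    def to_json(self) -> str:
        return json.dumps({
            "incident_id": self.incident_id,
            "compromised_hosts": sorted(self.compromised_hosts),
            "compromised_accounts": sorted(self.compromised_accounts),
            "iocs": self.iocs,
            "evidence": {k: {"description": v.description, "source_host": v.source_host,
                             "sha256": v.sha256, "custody": v.custody}
                         for k, v in self.evidence.items()},
            "timeline": self.timeline(),
        }, indent=2)


def build_sample_ledger():
    """Constructed walk-through; nothing here is from a real incident."""
    led = Ledger("PSU-IR-EXAMPLE-0001")
    note = b"Your files have been encrypted. Instructions: see README.txt"   # constructed
    led.add_evidence("E-001", "ransom note text from desktop", "HOST-LAB01", "jdoe", note,
                     "2024-01-29T08:05:00Z")
    led.record_custody("E-001", "2024-01-29T09:00:00Z", "cirt-lead", "copied to evidence share")
    led.compromised_accounts.add("jdoe")
    led.iocs.append({"type": "file-extension", "value": ".locked"})
    led.log_event("2024-01-29T08:05:00Z", "response", "Help desk ticket opened")
    led.log_event("2024-01-28T22:14:00Z", "actor", "First VPN login for jdoe from unfamiliar location")
    led.log_event("2024-01-29T08:20:00Z", "response", "CIRT activated; HOST-LAB01 isolated")
    return led, note


if __name__ == "__main__":
    ledger, original = build_sample_ledger()
    print(ledger.to_json())
    print("integrity ok:", ledger.verify("E-001", original))
```

Two design choices matter for the reporting and legal steps later in the lifecycle: the digest is taken once, when the artifact is collected, and never recomputed into the record, so `verify` can only ever compare against the original; and every timestamp is stored as an ISO-8601 UTC string, so a timeline merged from several sources (help desk, VPN logs, CIRT notes) sorts correctly without per-source clock conversions.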

[Flowchart: previous phase Containment; Analysis steps - Preserve Evidence, Identify Ransomware Strain, Establish Infection Vector, Validate Backup Availability; next phase: Remediation]

Identify Ransomware Strain

Ransomware Playbook

REMEDIATION

Add IoC to Threat Platform

  • Where IoC is explicit, add to existing threat detection platform in blocking mode.
  • Where IoC is generic, add to existing threat detection platform in detection mode to prevent interruption of legitimate business activities.
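
The block-versus-detect distinction above is easy to state and easy to get wrong in a rule set, so here is an added Python example (not from the NCDPI playbook) that encodes it: an explicit indicator (a file hash, an exact domain, an IP address) identifies one artifact and is safe to block, while a generic one (a wildcard domain pattern, a file extension, a filename pattern) can also match legitimate activity and therefore only raises an alert. The IoC types, the indicator values and the sample DNS and file events are constructed; the `.example` names are reserved for documentation.

```python
"""Decide block vs detect mode for IoCs and apply them to sample events.

Added example, not from the NCDPI playbook. IoC values and events are
constructed for illustration.
"""
from fnmatch import fnmatch

# Explicit indicator types identify exactly one artifact -> blocking mode.
EXPLICIT_TYPES = {"sha256", "domain", "ipv4"}
# Generic indicator types can match legitimate activity -> detection mode.
GENERIC_TYPES = {"domain-pattern", "extension", "filename-pattern"}


def enforcement_mode(ioc):
    if ioc["type"] in EXPLICIT_TYPES:
        return "block"
    if ioc["type"] in GENERIC_TYPES:
        return "detect"
    raise ValueError(f"unknown IoC type {ioc['type']!r}")


def matches(ioc, event):
    """Does this IoC apply to this event? Which fields exist depends on the event kind."""
    t, v = ioc["type"], ioc["value"].lower()
    if t == "sha256":
        return event.get("sha256", "").lower() == v
    if t == "domain":
        return event.get("domain", "").lower() == v
    if t == "ipv4":
        return event.get("dst_ip") == v
    if t == "domain-pattern":
        return fnmatch(event.get("domain", "").lower(), v)
    if t == "extension":
        return event.get("path", "").lower().endswith(v)
    if t == "filename-pattern":
        name = event.get("path", "").replace("\\", "/").rsplit("/", 1)[-1].lower()
        return fnmatch(name, v)
    return False


def evaluate(event, iocs):
    """Return ('block' | 'alert' | 'allow', matching IoCs) for one event.

    An explicit hit wins; generic-only hits are surfaced for analyst review
    so that legitimate activity is not interrupted."""
    hits = [ioc for ioc in iocs if matches(ioc, event)]
    modes = {enforcement_mode(i) for i in hits}
    if "block" in modes:
        return "block", hits
    if "detect" in modes:
        return "alert", hits
    return "allow", hits


# Constructed IoC list, as might come out of the strain-identification step.
SAMPLE_IOCS = [
    {"type": "domain", "value": "payment-portal.example"},
    {"type": "sha256", "value": "0" * 64},                 # placeholder hash, not a real sample
    {"type": "domain-pattern", "value": "*.cdn-updates.example"},
    {"type": "extension", "value": ".locked"},
]

# Constructed events from DNS and file telemetry.
SAMPLE_EVENTS = [
    {"kind": "dns", "host": "HOST-LAB01", "domain": "payment-portal.example"},
    {"kind": "dns", "host": "HOST-LIB02", "domain": "static.cdn-updates.example"},
    {"kind": "file", "host": "HOST-LAB01", "path": "C:\\Users\\jdoe\\budget.xlsx.locked"},
    {"kind": "dns", "host": "HOST-LIB02", "domain": "www.example.com"},
]


def triage(events=SAMPLE_EVENTS, iocs=SAMPLE_IOCS):
    """Action per event, in input order."""
    return [evaluate(e, iocs)[0] for e in events]


if __name__ == "__main__":
    for e, action in zip(SAMPLE_EVENTS, triage()):
        print(f"{action:5s} {e['host']} {e.get('domain') or e.get('path')}")
```

Run on the sample, the exact-domain lookup is blocked, the wildcard-domain and `.locked` hits are alerted only, and the unrelated lookup is allowed. Keeping the type-to-mode mapping in one place (`enforcement_mode`) means a generic indicator can be promoted to blocking deliberately, by changing its type once the CIRT has confirmed it is specific enough, rather than by editing individual rules under pressure.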

[Flowchart: previous phase Analysis; Remediation steps - Add IoC to Threat Platform, Run Full Anti-Virus/Anti-Malware Scan, Submit Samples to Vendors; next phase: Recovery]

Run Full Anti-Virus/Anti-Malware Scan

  • Run a complete anti-virus/anti-malware scan against all assets with an up-to-date endpoint protection tool.

Submit Samples to Vendors

  • Sharing samples of infected data or IoCs with vendors allows them to make changes to their systems to help prevent recurrence.

Ransomware Playbook

RECOVERY

Restore/Replace Infected Hosts to Known Good State

  • Re-image affected endpoints with a known good image using removable media or snapshots.
  • Where re-imaging is not available, do a bare-metal restore of the asset, reinstalling the operating system and all requisite applications.

[Flowchart: previous phase Remediation; Recovery steps - Restore/Replace Infected Hosts to Known Good State, Patch Known Vulnerabilities, Restore Affected Files; next step: Incident Postmortem]

Patch Known Vulnerabilities

  • Patch all software on affected assets (operating system and applications).
  • Update all hardware firmware on affected assets.
  • Correct identified misconfigurations (software, hardware, operating system, access, etc.).

Restore Affected Files

Ransomware Playbook

RESPONSE

[Flowchart: Detection → Containment → Analysis → Remediation → Recovery]

Questions and Answers

k12cybersecteam@dpi.nc.gov
