ISA IC37 Module Five Notes
©2023 International Society of Automation
1.5 Learning Objectives
Notes:
After completing this module, you should be able to:
 • Explain the need for a well-documented incident response process
 • Discuss how the Mitre ATT&CK framework can help defenders
 • Explain the incident response life cycle
 • Identify considerations for cyber incident response planning
 • Recognize prevention is preferred over response due to the possibility of severe
 consequences
 • Identify considerations for incident management
 • Discuss why and how to perform post-incident analysis and forensics.
1.6 Incident Response & Recovery
Notes:
In this module, we will discuss different aspects of incident response and recovery including
the incident response lifecycle, cyber incident response planning, incident prevention,
incident management (which consists of detection, containment, remediation, and recovery
& restoration), and finally post-incident analysis and forensics.
2.1 Duty to Report
Notes:
Before we get into incident response and recovery details, we will discuss the duty to report
incidents and the MITRE ATT&CK framework, a knowledge base of techniques used to exploit
digital systems. We will then discuss different aspects of incident response and recovery,
including the incident response lifecycle, cyber incident response planning, incident
prevention, incident management (which consists of detection, containment, remediation,
and recovery & restoration), and finally, post-incident analysis and forensics.
2.2 The European NIS Directive
Notes:
Increasingly, reporting cyber incidents to regulators has become mandatory.
In 2016, the European Union adopted the NIS Directive on the security of Network and
Information Systems (NIS). The goal is to enhance cybersecurity across the EU. Each member
state adopted the NIS directive with national legislation in 2018.
As a part of the NIS Directive, entities active in energy, water, transport, and health services
are identified as an Operator of Essential Services (OES). Each OES is assigned to and
supervised by national regulators.
OESs have a 'duty of care' (they need to be in control of cybersecurity) and a 'duty to report'
(they need to inform the competent authority of incidents that significantly impact the
continuity of the essential services they provide).
Similar requirements apply to OESs outside the European Union.
A well-documented incident response process is required to be able to comply.
2.3 EU Cybersecurity Netcode (NCCS)
Notes:
In addition to the European NIS(2) directive, industry-specific regulations such as the EU NetCode
for CyberSecurity (NCCS) also apply. This netcode prescribes what entities active in the energy
value chain must do to be in control of cybersecurity. Because of this regulation, the likelihood
of successful breaches will decrease.
Measures included in the NCCS are:
 • Risk management;
 • A structural approach to cybersecurity instead of an ad-hoc, incident-driven
 approach;
 • Information sharing;
 • Security by design.
3.2 What is ATT&CK?
Notes:
The MITRE ATT&CK framework is a knowledge base of techniques hackers and malicious
actors use to attack and exploit digital systems. The framework's focus is not on the tools
and malware these actors use, but on how they interact with systems during an operation.
ATT&CK organizes these techniques into a set of tactics to provide context for each
technique. Each technique includes information that is relevant both to a red team or
penetration tester, for understanding how the technique works, and to a defender, for
understanding the context surrounding the events or artifacts generated when the
technique is used.
Tactics represent the “why” of an ATT&CK technique: the adversary’s tactical objective for
performing an action.
Techniques represent “how” an adversary achieves a tactical objective by performing an
action. Techniques may also represent “what” an adversary gains by performing an action.
3.4 Types of Indicators
Notes:
Defense against skilled adversaries is difficult. Many preventive controls have a technical
focus:
• Deny listing known bad IP addresses or domain names;
• Monitoring for certain hash values with an IDS.
The disadvantage is that these indicators can easily be changed by attackers. It is very
difficult for attackers to change their tactics, techniques and procedures, and this is where
the MITRE ATT&CK framework can be used by defenders.
Let's start by simply defining the types of indicators that make up the pyramid:
• Hash Values
 SHA1, MD5 or other similar hashes that correspond to specific suspicious or malicious
 files. Often used to provide unique references to specific samples of malware or to files
 involved in an intrusion.
• IP Addresses
 An IP address, or maybe a netblock.
• Domain Names
 This could be either a domain name itself (e.g., "evil.net") or maybe even a sub- or sub-sub-
 domain (e.g., "this.is.sooooo.evil.net").
• Network Artifacts
 Observables caused by adversary activities on your network. Technically speaking, every
 byte that flows over your network as a result of the adversary's interaction could be an
 artifact, but in practice this really means those pieces of the activity that might tend to
 distinguish malicious activity from that of legitimate users. Typical examples might be URI
 patterns, C2 information embedded in network protocols, distinctive HTTP User-Agent or
 SMTP Mailer values, etc.
• Host Artifacts
 Observables caused by adversary activities on one or more of your hosts. Again, we focus
 on things that would tend to distinguish malicious activities from legitimate ones. They
 could be registry keys or values known to be created by specific pieces of malware, files or
 directories dropped in certain places or using certain names, names or descriptions of
 malicious services, or almost anything else that's distinctive.
• Tools
 Software used by the adversary to accomplish their mission. Mostly this will be things they
 bring with them, rather than software or commands that may already be installed on the
 computer. This would include utilities designed to create malicious documents for
 spearphishing, backdoors used to establish C2 or password crackers or other host-based
 utilities they may want to use post-compromise.
• Tactics, Techniques and Procedures (TTPs)
 How the adversary goes about accomplishing their mission, from reconnaissance all the
 way through data exfiltration and at every step in between. "Spearphishing" is a common
 TTP for establishing a presence in the network. "Spearphishing with a trojaned PDF file" or
 "... with a link to a malicious .SCR file disguised as a ZIP" would be more specific
 versions. "Dumping cached authentication credentials and reusing them in Pass-the-Hash
 attacks" would be a TTP. Notice we're not talking about specific tools here, as there are
 any number of ways of weaponizing a PDF or implementing Pass-the-Hash.
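The levels above can be turned into a small classifier that tells a defender which level of the pyramid a detection fired on, and therefore how much effort it costs the adversary to evade it. The Python below is an added example for these notes, not ISA course material: the indicator values, the observation field names (dst_ip, registry_key, attachment_name and so on) and the sample observations are all constructed.

```python
"""Pyramid-of-indicators matcher: classify each observation by the indicator
levels it triggers. Added example; indicators, observations and the field
schema are constructed, not ISA or MITRE data."""
import re
from dataclasses import dataclass

# Levels ordered from cheapest for an adversary to change (bottom) to most
# costly (top); the index doubles as a "pain" rank for reporting.
LEVELS = ["hash", "ip", "domain", "network_artifact",
          "host_artifact", "tool", "ttp"]

# Which field of a normalized observation each level is matched against
# (constructed schema for this example).
FIELD_FOR_LEVEL = {
    "hash": "file_hash",
    "ip": "dst_ip",
    "domain": "dst_domain",
    "network_artifact": "user_agent",
    "host_artifact": "registry_key",
    "tool": "process_name",
    "ttp": "attachment_name",
}


@dataclass
class Indicator:
    level: str
    value: str           # literal value, or a regular expression when regex=True
    regex: bool = False
    note: str = ""

    def matches(self, observation: dict) -> bool:
        observed = observation.get(FIELD_FOR_LEVEL[self.level], "")
        if not observed:
            return False
        if self.regex:
            return re.search(self.value, observed, re.IGNORECASE) is not None
        if self.level == "domain":
            # "evil.net" also covers "this.is.sooooo.evil.net"
            observed = observed.lower()
            return observed == self.value or observed.endswith("." + self.value)
        return observed.lower() == self.value.lower()


# Constructed indicator set, one per pyramid level.
INDICATORS = [
    Indicator("hash", "d41d8cd98f00b204e9800998ecf8427e",
              note="MD5 of a known dropper (constructed)"),
    Indicator("ip", "203.0.113.7", note="C2 address (TEST-NET-3, constructed)"),
    Indicator("domain", "evil.net", note="C2 domain from the slide text"),
    Indicator("network_artifact",
              r"^Mozilla/4\.0 \(compatible; MSIE 6\.0; Windows NT 5\.1\)$",
              regex=True, note="stale User-Agent used by a malware family (constructed)"),
    Indicator("host_artifact", r"\\Run\\Updater32$", regex=True,
              note="persistence Run-key name (constructed)"),
    Indicator("tool", "credcrack.exe", note="password cracker binary (constructed)"),
    Indicator("ttp", r"\.zip\.scr$", regex=True,
              note="spearphishing with an .SCR disguised as a ZIP, from the slide text"),
]

# Constructed observations, already normalized from host and network logs.
OBSERVATIONS = [
    {"id": 1, "dst_ip": "203.0.113.7", "dst_domain": "this.is.sooooo.evil.net"},
    {"id": 2, "user_agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"},
    {"id": 3, "registry_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater32"},
    {"id": 4, "attachment_name": "Invoice_2023.ZIP.SCR"},
    {"id": 5, "dst_ip": "10.10.30.2", "dst_domain": "historian.plant.example"},
]


def evaluate(observations, indicators):
    """Return one hit per (observation, indicator) match, with the pyramid rank."""
    hits = []
    for obs in observations:
        for ind in indicators:
            if ind.matches(obs):
                hits.append({"id": obs["id"], "level": ind.level,
                             "rank": LEVELS.index(ind.level), "note": ind.note})
    return hits


def highest_level(hits):
    """The most adversary-costly level among the hits, or None if there are none."""
    return max(hits, key=lambda h: h["rank"])["level"] if hits else None


if __name__ == "__main__":
    for h in evaluate(OBSERVATIONS, INDICATORS):
        print(f"obs {h['id']}: {h['level']:<17} rank={h['rank']}  {h['note']}")
```

Observation 1 fires on both an IP and a domain indicator, which is exactly the situation the slide describes: the IP is trivial for the adversary to rotate, while a match on the TTP level (observation 4) tells the defender the detection will survive a change of infrastructure.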
3.5 MITRE ATT&CK Framework for ICS
Notes:
This slide shows the ICS-specific ATT&CK framework that can be used by personnel
responsible for IACS cybersecurity.
The ICS ATT&CK matrix is a knowledge base of adversary actions that focuses on adversaries
whose goal is disrupting ICSs. This is an open-sourced/community-driven knowledge base.
In the ICS ATT&CK matrix, disruptive tactics are mapped against mitigation techniques to
give manufacturers practical actions to help prevent each type of threat. Information is also
provided about adversary groups. Experts should know how to use the ATT&CK framework
to create a roadmap that prioritizes mitigating the largest risks to an organization’s smart
manufacturing and IIoT systems.
4.1 Incident Response Planning
4.2 Incident Response Lifecycle
4.3 Incident Response Planning
Notes:
When it comes to planning, the first step is to organize a cyber security incident response
team (CSIRT). This team should be composed of specialists from different departments and
may include additional external resources. The roles included should be Team Manager,
Process or Control Engineer, Network Administrator, Systems Administrator, Plant/Site
Manager, Information Technology Director (such as the Chief Information Officer or Chief
Information Security Officer), Vendor Support, Security Experts, and Legal Experts (it is
becoming more common to also include Public Relations and/or Human Resources).
4.4 Planning: Policy & Procedure
Notes:
You may not need all members at all times. A good start is to establish policies and
procedures by writing clear and detailed operating procedures and a response checklist that
includes contacts.
4.5 Topics (1)
Notes:
In incident response planning there are several topics that should be considered and
documented.
The overview, goals, and objectives section should define what the plan will accomplish.
In the incident detection section, detail how an incident, whether physical or digital, is
discovered and can be identified.
Then, for incident notification, identify how to prioritize and escalate accordingly. Be sure to
include contact names and numbers along with backup personnel.
In the incident analysis section, document the procedure for evaluating and analyzing an
incident. Be sure to identify what systems, equipment, and organizations have been
affected.
4.6 Topics (2)
Notes:
It is an essential part of the plan to document the actions to be taken. It is important that
these actions are followed closely, as during an incident everyone is stressed and looking to
see how the response is going. Minimize stress by having well-prepared team members.
For communications you want to list all necessary contacts, including first responders.
• Document who to contact in the media, civil authorities, and local and global organizational
 contacts.
• A designated point of contact, with alternates, who is prepared to speak on behalf of the
 organization.
• Prepared and vetted statements for press release should be available. This is particularly
 important when the organization provides a product or service on which the public
 depends.
• List the reporting chains, both internal and external.
• A current list of contact names with their respective skills for critical systems and
 components for all IACS.
• Describe alternative physical methods to handle impaired telephone, cellular, and Internet
 communications. Include contingencies if any or all methods are non-functional.
4.7 Topics (3)
Notes:
Once the incident is handled, you want to perform forensics. In IACS this will go beyond just
cyber. It is not uncommon to see a small change cripple a whole process operation. Identify
not just who has access to the systems but determine their level of experience. Collect all
logbooks, syslogs, and eyewitness accounts as part of the investigation.
4.8 Incident Prevention
Notes:
When it comes to incident prevention, you want to consider various techniques covered in
Module 3, including IACS Asset Management, System Hardening, Access Control, Remote
Access, Vulnerability and Patch Management, Malware Prevention, System Backups, Change
Management, Information & Documentation Management, and Physical Security. In addition
to these, you want to consider vendor interactions.
You should recall that the Cybersecurity Management System (CSMS) enables continuous
improvement of cybersecurity. The items mentioned here are part of the CSMS.
4.9 Vendor Interaction
Notes:
The interaction between customer and vendor technical staff is important. Often it is a
small market with proprietary systems, and vendors are supporting a long service life of
products. There are user groups that are good to join to assist with issues and
troubleshooting, especially for legacy systems whose vendor may no longer be in business.
What is your service level agreement with vendors? You may need to be notified of changes
in staff that affect your incident lifecycle and CSIRT.
Make clear agreements about remote access to IACS components. Many vendors nowadays
require remote access to live up to specific service levels.
4.10 Incident Management
Notes:
Incident management starts with detection: how are you going to become aware of an
incident? Will it be observed by a person or come from an automated method? Once you
know of the incident, how will you respond? How should the incident be categorized? Then,
how do you contain it? What remediation is necessary? What will be done to recover and
restore to a normal operating state? We’ll look at these aspects in more detail.
4.11 Incident Detection
Notes:
Unless you can detect it, you will not know you have an incident. There are different ways,
including the use of tools, to ensure you can detect an incident. There are automated
detection methods that set off alarms. Sometimes an incident is detected by observation. In
either case you need reporting and coordination mechanisms to become aware of and
respond to an incident.
4.12 Detection by Observation
Notes:
In order for a person to observe abnormal system behavior, they need to know what to look
for.
Some possible warning signs are:
• Unusually heavy network traffic
• Out of disk space or significantly reduced free disk space
• Unusually high CPU usage
• Creation of new user accounts
• Attempted or actual use of administrator-level accounts
• Locked-out accounts
• Cleared log files or full log files
• Antivirus or IDS alerts
• Disabled antivirus software and other security controls
• Unexpected patch changes
• IACS devices connecting to external IP addresses
• Requests for information about the system (social engineering)
• Unexpected changes in configuration settings
• Unexpected system shutdown
When any of these are observed, the person needs to know how to report it and who to
report it to.
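Several of these warning signs can be watched for automatically as well as by eye. The Python below is an added example, not part of the ISA notes: it scans constructed log lines for new accounts, privileged logons, lock-outs, cleared logs, a stopped antivirus service and IACS hosts talking to external addresses, and attaches a report-to contact so the reporting step is not left to memory. The log format, host names, address ranges, service name and escalation table are assumptions; the Windows Security event IDs 4720, 4672, 4740 and 1102 and the Service Control Manager event 7036 are the real IDs for those events.

```python
"""Flag the warning signs from this slide in constructed log lines.
Added example; the log format, hosts, addresses, antivirus service name and
the contact table are constructed for illustration."""
import ipaddress
import shlex

# Networks this site considers internal (constructed); anything else is external.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IACS_NETWORK = ipaddress.ip_network("10.10.20.0/24")   # control network (constructed)

# Windows Security-log event IDs that map onto the slide's warning signs.
WINDOWS_EVENT_SIGNS = {
    4720: "Creation of new user accounts",
    4672: "Attempted or actual use of administrator-level accounts",
    4740: "Locked-out accounts",
    1102: "Cleared log files",
}

# Who to report each sign to (constructed escalation table).
REPORT_TO = {
    "Creation of new user accounts": "systems administrator",
    "Attempted or actual use of administrator-level accounts": "systems administrator",
    "Locked-out accounts": "systems administrator",
    "Cleared log files": "CSIRT team manager",
    "Disabled antivirus software": "CSIRT team manager",
    "IACS devices connecting to external IP addresses": "network administrator",
}

# Constructed log lines: ISO timestamp, source, then key=value fields.
SAMPLE_LOG = """\
2023-06-01T08:00:12Z winlog host=ENG-WS01 event_id=4720 user=svc_backup2 by=Administrator
2023-06-01T08:01:05Z winlog host=ENG-WS01 event_id=4672 user=Administrator
2023-06-01T08:03:41Z winlog host=ENG-WS01 event_id=1102 by=Administrator
2023-06-01T08:05:02Z fw action=allow src=10.10.20.15 dst=198.51.100.44 dport=443 proto=tcp
2023-06-01T08:05:09Z fw action=allow src=10.10.20.15 dst=10.10.30.2 dport=502 proto=tcp
2023-06-01T08:07:55Z winlog host=HMI-02 event_id=7036 service="ACME Antivirus" state=stopped
2023-06-01T08:09:10Z winlog host=HMI-02 event_id=4740 user=operator3
2023-06-01T08:10:00Z fw action=allow src=10.10.40.7 dst=198.51.100.9 dport=443 proto=tcp
"""


def parse_line(line):
    """Split 'ts source k=v k="v with spaces" ...' into a dict."""
    ts, source, *fields = shlex.split(line)
    record = {"ts": ts, "source": source}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def signs_for(record):
    """Return the warning signs (from the slide list) a single record exhibits."""
    signs = []
    if record["source"] == "winlog":
        event_id = int(record.get("event_id", 0))
        if event_id in WINDOWS_EVENT_SIGNS:
            signs.append(WINDOWS_EVENT_SIGNS[event_id])
        # 7036 = Service Control Manager state change; the service-name test is ours.
        if (event_id == 7036 and record.get("state") == "stopped"
                and "antivirus" in record.get("service", "").lower()):
            signs.append("Disabled antivirus software")
    elif record["source"] == "fw":
        src = ipaddress.ip_address(record["src"])
        # Only control-network hosts are in scope for this sign.
        if src in IACS_NETWORK and is_external(record["dst"]):
            signs.append("IACS devices connecting to external IP addresses")
    return signs


def detect(log_text):
    """Scan log text; return (timestamp, where, sign, report_to) tuples in order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        where = rec.get("host") or rec.get("src")
        for sign in signs_for(rec):
            findings.append((rec["ts"], where, sign, REPORT_TO[sign]))
    return findings


if __name__ == "__main__":
    for ts, where, sign, contact in detect(SAMPLE_LOG):
        print(f"{ts} {where:<13} {sign} -> report to {contact}")
```

The last firewall line is deliberately from a host outside the control network: the rule is scoped to IACS devices, so it produces nothing, while the Modbus poll to 10.10.30.2 is internal and also stays quiet.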
4.13 Containment
Notes:
Once an incident has occurred, let’s say you have been hacked or found malware. Based on
the incident you need to focus on preventing the spread and effects of the malware.
The purpose of containment is to stop the spread to other parts of the system and prevent
continued damage to the IACS. The way to contain an incident varies based on the type of
incident. In the case of malware it depends on the type of malware, the importance of the
system, and the acceptable levels of risk.
Maybe an attacker did not leave malware but directly accessed ICS components; containment
would then include blocking the intruder, restoring equipment (if affected), and applying
protective measures as outlined in Module 3 to prevent another incident.
4.14 Plan
Notes:
When planning containment you need to concentrate on how the affected system can be
isolated from other process units without issue, and on protecting adjacent systems to
prevent the spread of malware and possible network issues such as Denial of Service (DoS).
Here a VPN can help to prevent malware from spreading, by quickly switching that segment
over to use the VPN. This means these tools have to be in place and ready to go.
4.15 Remediation
Notes:
Prior to full system recovery, remediation efforts should be performed to fix the source of
the problem.
• Knowing what caused the incident directs what actions to take to prevent it from spreading
 or from happening again.
• Be sure to close unauthorized access paths.
• Remove any malware.
In some cases malware keeps coming back: it might be a worm, or you haven’t found the
root of the problem.
Work with the asset owner, data owner, and production supervisor. They need to be aware
and may need to assist in clean-up and restoration once the system is cleared to come back up.
4.16 Recovery & Restoration
Notes:
When it comes to recovery and restoration, you need to plan ahead.
• Establish contingency plans.
• Patch and maintain all backup systems to the same level as the primary systems. This is
 why having scheduled backups is important. Without a recent backup you may be looking at
 a major loss of data.
• Periodically verify that the fail-over systems will work properly when called upon. It is
 important to schedule and test these systems, so they run smoothly when needed.
• Establish plans to run segments of the IACS in isolation prior to an incident.
• Test backup equipment against realistic timeframes found in a worst-case scenario.
• Establish and run acceptance tests and procedures to ensure that systems have been
 restored to the pre-incident state.
Define procedures as part of the incident response plan to provide for the tests and declare
the IACS fully operational.
Lab Demonstration: Incident Recovery
https://vimeo.com/836333754/8fa8acdb77?share=copy
5.1 Forensic Process
5.2 Post Incident Analysis & Forensics
Notes:
Once you have recovered from an incident, you want to learn from it. The goal of performing
forensics is to gain a better understanding of the event of interest by finding and analyzing
the facts related to that event. Forensics is often performed using a four-phase process of
collection, examination, analysis, and reporting. This is based on the NIST Guide to
Integrating Forensic Techniques into Incident Response.
5.3 Collection
Notes:
When it comes to the collection of information in response to an IACS incident, time is of the
essence. Many IACS systems will only keep data for a limited amount of time before it is
overwritten.
Secure sensitive data by making copies to an external drive or device. Look for items that
contain trend history, alarm and event history, and Windows events and logs.
Preserve what you can at the scene of the incident by saving IACS system configurations.
Determine when the last known good backup was done and secure a copy. Look for multiple
versions that could indicate an issue. Identify any online applications that were running,
such as engineering software run from an operator console to another console.
Be sure to protect the evidence once it is acquired. Make backups and store multiple copies.
Practice the three C’s by remaining calm, cool and collected.
• Calm, there will be many in panic mode and some looking over your shoulder, maintain
 your composure and follow the procedures.
• Cool, there will be intense discussions, stay in control and cooperate with all involved.
• Collected, listen to everything and take an out of the box approach by practicing critical
 thinking.
5.4 Examination
Notes:
Establish a checklist as part of the plan. You’ll want to examine the people, process, and
technology.
For the people, identify the key personnel aware of or involved in the incident. Then identify
the functions of the personnel with authorized access, including engineering, maintenance,
analytical, and operations supervision. Evaluate role-based credential access, such as who
can change tuning, make forces, and perform override functions.
For the process, identify the requirements of operations. Define normal operating conditions
so that you can identify abnormal conditions. Identify the process upset so you know when
things are not working right.
For the technology, you want to identify what IACS protocols are used. Identify any
protection components in use, such as audio and video equipment, whitelists, and other
protection components. Identify the system architecture and components; having diagrams
to reference can help to eliminate or pinpoint the root cause. Identify the parameters for
remote access: which internal employees, external contractors and vendors have access to
the system. What are the settings for the firewall? Review the syslogs. You want to acquire
as much raw data as possible.
Conduct interviews of personnel that have knowledge of and access to the system. Meet with
them individually if possible and keep the atmosphere positive and friendly. Do not jump to
conclusions during interviews; rather, practice active listening and confirm what the people
are saying. Get as much information as possible on what could have caused the incident.
Operations personnel are responsible for monitoring and controlling the operational
processes. They can provide valuable forensic information for cyber-related incidents, such
as loss of view, loss of control, and HMI latency. They are often knowledgeable about
expected behavior and order of operations, so ask questions to gather information about
both normal and abnormal conditions.
5.5 Analysis
Notes:
Wherever possible, conduct network traffic capture for analysis. Save the files on an external
device. You should use a packet analyzer, also known as a network analyzer, protocol
analyzer or sniffer. This is a computer program or piece of computer hardware that can
intercept and log traffic passing over a digital network or part of a network. As data
streams flow across the network, the sniffer captures each packet and, if needed, decodes
and analyzes its content according to the appropriate RFC or other specifications.
Performing a network capture will help in an incident to gain insight into the communication
traffic. The data capture can be saved to a common file type, known as pcap, for deeper
forensic analysis. Some solutions offer a playback of the data capture and others offer a
visual representation of the communication points.
There are many tools for capture analysis, including CyberLens, Wireshark, Microsoft
Message Analyzer, Capsa Packet Sniffer, and TCPDump. CyberLens is shown here, but ISA
does not recommend or endorse any specific product.
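To show what a packet analyzer actually does with a pcap file before you drill into individual packets, the Python below is an added example, not from ISA or from any of the tools named above: it builds a small capture in memory, reads the classic pcap record format, decodes the Ethernet, IPv4 and TCP headers and summarizes the communication points as flows. The addresses and payloads are constructed; the port-to-service labels are the well-known Modbus/TCP, DNP3 and EtherNet/IP ports.

```python
"""Minimal pcap reader that summarizes the communication points (who talks to
whom, on which port) in a capture. Added example; the capture is constructed
in memory so it runs offline, and the host addresses are invented."""
import ipaddress
import struct
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
# Well-known ICS service ports, used only to label flows in the report.
ICS_PORTS = {("tcp", 502): "Modbus/TCP", ("tcp", 20000): "DNP3",
             ("tcp", 44818): "EtherNet/IP"}
PROTO_NAMES = {6: "tcp", 17: "udp", 1: "icmp"}


def build_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame with zeroed MACs and checksums (constructed)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames, base_ts=1685606400):
    """Classic little-endian pcap: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", base_ts + i, 0, len(frame), len(frame)) + frame
    return out


def read_pcap(data):
    """Yield (timestamp, frame bytes) per record, honoring the byte order the magic implies."""
    (magic,) = struct.unpack("<I", data[:4])
    endian = {PCAP_MAGIC: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    *_, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        yield ts_sec + ts_usec / 1e6, data[offset:offset + incl_len]
        offset += incl_len


def decode(frame):
    """Return (src, dst, proto, sport, dport, length) for IPv4 frames, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # IPv4 header length in bytes
    proto = PROTO_NAMES.get(ip[9], str(ip[9]))
    src, dst = (str(ipaddress.IPv4Address(ip[i:i + 4])) for i in (12, 16))
    sport = dport = None
    if proto in ("tcp", "udp") and len(ip) >= ihl + 4:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    return src, dst, proto, sport, dport, len(frame)


def flow_report(pcap_bytes):
    """Aggregate packets into (src, dst, proto, dport) flows with counts and a service label."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0, "service": "unknown"})
    for _, frame in read_pcap(pcap_bytes):
        pkt = decode(frame)
        if pkt is None:
            continue
        src, dst, proto, _, dport, length = pkt
        entry = flows[(src, dst, proto, dport)]
        entry["packets"] += 1
        entry["bytes"] += length
        entry["service"] = ICS_PORTS.get((proto, dport), "unknown")
    return dict(flows)


# Constructed capture: an HMI polling a PLC over Modbus/TCP (read 2 holding
# registers), plus one engineering-workstation connection to an external address.
MODBUS_READ = bytes.fromhex("000100000006010300000002")
SAMPLE_PCAP = build_pcap(
    [build_frame("10.10.20.5", "10.10.30.2", 49152, 502, MODBUS_READ)] * 3
    + [build_frame("10.10.20.15", "198.51.100.44", 49200, 443, b"\x16\x03\x01")]
)

if __name__ == "__main__":
    for (src, dst, proto, dport), v in flow_report(SAMPLE_PCAP).items():
        print(f"{src} -> {dst}:{dport}/{proto} {v['service']:<10} "
              f"{v['packets']} pkts {v['bytes']} bytes")
```

A real tool adds decoding of the payload against the protocol specification; this reader stops at the flow summary, which is the "communication points" view the slide describes and is usually the first thing an investigator wants from a capture.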
5.6 Cabling/Wiring
Notes:
The problem could be physical. Inspect the actual infrastructure for apparent signs of
alteration or poor wiring practices. Look for any hanging cables and open switch ports that
are easy prey for a technician, engineer or even a hacker.
5.7 Log Analysis
Notes:
There are a number of logs you can analyze such as windows system logs and events,
IPS/IDS logs, firewall logs or syslogs. Review historical data for trends, alarms and events.
Compare IACS configurations to the last known good. Most configurations will have a date and
timestamp.
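Comparing a configuration with the last known good copy is the kind of check worth scripting so it is repeatable during an investigation. The Python below is an added example, not ISA material: it parses two constructed INI-style snapshots, reports added, removed and changed settings, compares the save timestamps and flags process-critical keys for review with a process engineer. The file layout, key names and the list of process-critical suffixes are assumptions.

```python
"""Compare a current IACS configuration snapshot with the last-known-good
baseline and report what changed, when, and which changes need a process
engineer's review. Added example; both snapshots are constructed INI text."""
import configparser
from datetime import datetime

# Constructed last-known-good export, taken at the last verified backup.
BASELINE_CFG = """\
[meta]
saved_at = 2023-05-14T02:00:00

[loop101]
setpoint = 72.5
high_limit = 85.0
mode = auto

[users]
operator1 = operator
engineer1 = engineer

[network]
gateway = 10.10.30.1
allowed_remote = 10.10.20.0/24
"""

# Constructed export pulled from the controller during the investigation.
CURRENT_CFG = """\
[meta]
saved_at = 2023-06-01T08:14:37

[loop101]
setpoint = 72.5
high_limit = 120.0
mode = manual

[users]
operator1 = operator
engineer1 = engineer
svc_maint = administrator

[network]
gateway = 10.10.30.1
"""

# Keys whose change affects the process directly (constructed site policy).
PROCESS_CRITICAL_SUFFIXES = ("high_limit", "low_limit", "mode", "setpoint")


def load_config(text):
    """Parse INI text into ({'section.key': value}, saved_at datetime)."""
    parser = configparser.ConfigParser()
    parser.read_string(text)
    saved_at = datetime.fromisoformat(parser["meta"]["saved_at"])
    flat = {f"{section}.{key}": value
            for section in parser.sections() if section != "meta"
            for key, value in parser[section].items()}
    return flat, saved_at


def compare_to_baseline(baseline_text, current_text):
    """Return added/removed/changed keys plus the process-critical subset."""
    base, base_ts = load_config(baseline_text)
    cur, cur_ts = load_config(current_text)
    added = {k: cur[k] for k in cur.keys() - base.keys()}
    removed = {k: base[k] for k in base.keys() - cur.keys()}
    changed = {k: (base[k], cur[k]) for k in base.keys() & cur.keys() if base[k] != cur[k]}
    critical = sorted(k for k in list(changed) + list(added) + list(removed)
                      if k.split(".")[-1] in PROCESS_CRITICAL_SUFFIXES)
    return {
        "baseline_saved_at": base_ts,
        "current_saved_at": cur_ts,
        "modified_after_baseline": cur_ts > base_ts,
        "added": added,
        "removed": removed,
        "changed": changed,
        "process_critical": critical,
    }


if __name__ == "__main__":
    report = compare_to_baseline(BASELINE_CFG, CURRENT_CFG)
    print(f"baseline {report['baseline_saved_at']}  current {report['current_saved_at']}")
    for k, (old, new) in report["changed"].items():
        print(f"changed  {k}: {old} -> {new}")
    for k, v in report["added"].items():
        print(f"added    {k} = {v}")
    for k, v in report["removed"].items():
        print(f"removed  {k} = {v}")
    print("review with process engineer:", ", ".join(report["process_critical"]))
```

In the constructed case the diff surfaces exactly the items the slides tell you to look for: a raised high limit and a loop switched to manual (process upset), a new administrator-level account, and a removed remote-access restriction, all saved after the last known good backup.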
5.8 Alarms
Notes:
Know how to identify any alarms. In this sample image, you can see several priority zero
alarms. Some are priority one but of high importance, while some are low. Be able to
identify the area. Here it is also important to know the acronyms for the various systems; in
line 5 you can see a safety system alarm for the BMS, and you need to know what that means.
5.9 Windows Alarm
Notes:
Windows event logs may need to be configured and should be considered in your planning.
Know when to be concerned and who to contact for alerts and alarms.
5.10 Reporting
Notes:
Preserving forensic data is essential. Keep detailed notes of what is observed, including
date/time, mitigation steps, device logging, and machine names for compromised
equipment. When possible, capture live system data prior to disconnecting machines from
the network. Avoid running any antivirus software until after the investigation, as it can
change critical file dates and impede discovery. Avoid making changes to the operating
system or hardware until after the investigation.
Detail your evidence and findings in a report, along with recommendations for prevention of
another such incident.
5.11 Preserve Forensic Data Key Points
An organization’s network defenders should make note of the following recommendations
for retention of essential forensic data:
 • Keep detailed notes of all observations, including dates/times, mitigation steps
 taken/not taken, device logging enabled/disabled, and machine names for suspected
 compromised equipment. More information is generally better than less
 information.
 • When possible, capture live system data (i.e., current network connections and open
 processes) prior to disconnecting a compromised machine from the network.
 • Capture a forensic image of the system memory prior to powering down the system.
 • When powering down a system, physically pull the plug from the wall rather than
 gracefully shutting down. Forensic data can be destroyed if the operating system
 (OS) executes a normal shut down process.
 • After shutting down, capture forensic images of the host hard drives.
 • Avoid running any antivirus software “after the fact” as the antivirus scan changes
 critical file dates and impedes discovery and analysis of suspected malicious files and
 timelines.
 • Avoid making any changes to the OS or hardware, including updates and patches, as
 they might overwrite important information relevant to the analysis. Organizations
 should consult with trained forensic investigators for advice and assistance prior to
 implementing any recovery or forensic efforts.
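The "protect the evidence" guidance in 5.3 and the preservation points above both come down to being able to prove that the copies you analyze are the ones you collected. The Python below is an added example, not ISA material: it hashes each collected artifact into a manifest with case, collector, host and collection time, makes two copies, verifies them, and shows that an edited or missing file in one copy is caught. The case id, collector, host name and sample artifacts are constructed.

```python
"""Build a hashed evidence manifest at collection time and verify working
copies against it later. Added example; the case data and files are
constructed in a temporary directory so the script runs anywhere."""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, case_id, collector, host):
    """Record who collected what, from which host, when, and each item's hash."""
    return {
        "case_id": case_id,
        "collector": collector,
        "source_host": host,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": [{"name": os.path.basename(p), "size": os.path.getsize(p),
                   "sha256": sha256_file(p)} for p in paths],
    }


def verify_copy(manifest, copy_dir):
    """Return names of items whose copy is missing or does not match the manifest."""
    mismatches = []
    for item in manifest["items"]:
        path = os.path.join(copy_dir, item["name"])
        if not os.path.exists(path) or sha256_file(path) != item["sha256"]:
            mismatches.append(item["name"])
    return mismatches


def write_sample_evidence(directory):
    """Constructed stand-ins for the artifacts the slides say to collect."""
    samples = {
        "alarm_history.csv": b"2023-06-01T08:14:37,BMS,PRIORITY0,FLAME FAILURE\n",
        "trend_export.csv": b"2023-06-01T08:14:00,TIC101,72.5\n",
        "plc_config.ini": b"[loop101]\nhigh_limit = 120.0\n",
        "security_log.txt": b"1102 The audit log was cleared\n",
    }
    paths = []
    for name, body in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as f:
            f.write(body)
        paths.append(path)
    return paths


def run_scenario():
    """Collect, hash, copy, verify; then show that a modified copy is detected."""
    root = tempfile.mkdtemp(prefix="ir_evidence_")
    try:
        original = os.path.join(root, "original")
        os.mkdir(original)
        paths = write_sample_evidence(original)
        manifest = build_manifest(paths, case_id="IR-2023-001 (constructed)",
                                  collector="J. Doe (constructed)", host="HMI-02")
        with open(os.path.join(root, "manifest.json"), "w") as f:
            json.dump(manifest, f, indent=2)
        # Two independent copies, as the slides recommend; analysis uses a copy.
        copy_a = shutil.copytree(original, os.path.join(root, "copy_a"))
        copy_b = shutil.copytree(original, os.path.join(root, "copy_b"))
        intact = (verify_copy(manifest, copy_a), verify_copy(manifest, copy_b))
        # Simulate a file touched during analysis and one that went missing.
        with open(os.path.join(copy_b, "plc_config.ini"), "ab") as f:
            f.write(b"; edited during analysis\n")
        os.remove(os.path.join(copy_b, "trend_export.csv"))
        return {"items": len(manifest["items"]), "intact": intact,
                "after_tamper": verify_copy(manifest, copy_b)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(run_scenario())
```

The manifest is what lets you answer "is this still the file we pulled off HMI-02?" weeks later; keep it with the notes the slide asks for, and re-run the verification before and after anyone works on a copy.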
Lab Demonstration: SIEM
https://vimeo.com/838044437/42bc1a4188?share=copy
6.1 Module Five Summary
6.2 Summary
Notes:
You should now be able to:
 • Explain the need for a well-documented incident response process
 • Discuss how the Mitre ATT&CK framework can help defenders
 • Explain the incident response life cycle
 • Identify considerations for cyber incident response planning
 • Recognize prevention is preferred over response due to the possibility of severe
 consequences
 • Identify considerations for incident management
 • Discuss why and how to perform post-incident analysis and forensics
7.1 Flash Cards
7.3 Flash Card 1
7.4 Flash Card 2
7.5 Flash Card 3
7.6 Flash Card 4
7.7 Flash Card 5
7.8 Flash Card 6
7.9 Flash Card 7
Quiz
1. What are the seven phases in the incident response lifecycle?
2. Which of the following are part of Incident Management?
3. What is the purpose of containment?
4. Which of the following are the 3 C’s of Incident Analysis?
5. Which of the following are topics for Incident Response Plans?
6. Which of the following is part of recovery and restoration?
8.5 Certificate Exam