¶ Context
In an effort to define a process for dealing with security incident and events in Science Program's cloud tenants, these will be our repeatable steps.
¶ Definitions
¶ Compromise
A breach of government security, including but is not limited to unauthorized access to, disclosure, modification, use, interruption, removal or destruction of sensitive information or assets, causing a loss of confidentiality, integrity, availability or value an event causing a loss of integrity or availability of government services or activities
¶ Security event
Any event, act, omission or situation that may be detrimental to government security, including threats, vulnerabilities and security incidents. Examples of cyber security events: Disclosure of a new vulnerability, intelligence that a threat actor may be planning an attack against a GC information system (for example, a distributed denial of service (DDoS) attack, attempts to breach the network perimeter)
¶ Security incident
Any event (or collection of events), act, omission or situation that has resulted in a compromise.
Every cyber security incident is a cyber security event (or collection of cyber security events), but not every cyber security event is a cyber security incident (see Figure 1)
Examples of cyber security incidents: Active exploitation of one or more identified vulnerabilities, exfiltration of data, failure of a security control, breach of a cloud-hosted or managed GC service
¶ Threat
Any potential event or act, deliberate or unintentional, or natural hazard that could result in a compromise.
¶ Vulnerability
A factor that could increase susceptibility to compromise.
¶ Process
- Recieve incident alert
- Appoint incident investigation lead. Alert Science Program of incident lead
- Notify Pathfinder owner and leads that an incident event has occured and that investigation process is about to begin. See Incident Communication to Clients
- Include pathfinder in the process, for information gathering and sharing
- If a security incident create a manual incident in Azure Sentinel if not automatically created via a Sentinel analytic rule. See the Azure Sentinel page for how to create the ticket.
- Begin investigtaion process
- Validate event information with pathfinder subject matter experts
- Determine if incident is a false positive
- If it's a false positive
- Give pathfinder advice on how to remediate the issue
- Remove any automaticly applied remediations actions that may have been triggered
- If issue is not properly remidiated or acted on, see Incident Abuse
- If a positive event
- Contact Cyber Center about event
- Use GC-CSEMP process
- Document and publish in Azure Devops
¶ Automatic Remediations
- Removal of pathfinder owner and contributor groups from cloud subscription
- Disconnect from Internet
- Remove IP
- Impliment NSG/firewalls
- Run the Sentinel block user playbook
- Move the account to the Quarantine/Suspended management group or OU.
- Rebuild the machine
None of these automatic remediations are currently implemented except blocking a user, but could be at any time.
¶ Abuse
SSC Science Programs' cloud tenants are innovation sandboxes, but secure innovation is still a goal of the Science program.
We will be implimenting a 3 strike system for those who don't take action.
- Warning
- Escalated Warning
- Removal of access to, and possible deletion of, deployed cloud resources