Cyber Security Emergency Response (21)

The Morris Worm Incident was a wake-up call to the public about computer network vulnerabilities. This incident caused a panic in the United States and convinced people that the more computers are used, the higher the possibility of computer network attacks. These days, with computers more tightly connected than ever before and networks open to more people, Morris-like worm programs are inevitable. If such a program is used in an attack, the damage can be extensive. The establishment of CERT marks the transformation of information security from traditional static protection to sound dynamic protection.
FIRST is the premier organization and recognized global leader in incident response, and brings together a variety of computer security incident response teams. FIRST members work together to handle computer security incidents and promote incident prevention plans.
  • FIRST members develop and share technical information, tools, methods, processes, and best practices.
  • FIRST encourages and promotes the development of quality security products, policies, and services.
  • FIRST develops and announces best computer security practices.
  • FIRST promotes the establishment and development of worldwide security incident response teams.
  • FIRST members use their comprehensive knowledge, skills, and experience to foster a safer global electronic environment. 
China has created additional professional emergency response organizations, such as the National Computer Network Intrusion Prevention Center, the National 863 Program Computer Intrusion Prevention and Antivirus Research Center. Many companies also offer paid cyber security response services.
As a national emergency center, CNCERT/CC:
  • Carries out prevention, discovery, warning, and coordination of Internet cyber security incidents according to the principle of "proactive prevention, timely discovery, quick response, and recovery".
  • Ensures national Internet security and the secure operation of fundamental information networks and systems.
  • Monitors the security of the "Internet+" finance industry and other sectors.

CNCERT/CC work scope:
  • Incident discovery: CNCERT/CC uses the Internet security monitoring platform to proactively monitor vital information systems (such as fundamental information networks and financial securities systems). It also shares data and information with partners at home and abroad, and discovers attack threats and cyber security incidents by means such as hotline, fax, email, and website.
  • Warning: CNCERT/CC relies on comprehensive analysis of large data resources and multi-channel information acquisition to analyze network security threats, issue warnings, report security incidents, and analyze the overall network security situation. It provides companies with Internet security situation reports, network security technologies, resource and information sharing, etc.
  • Emergency handling: CNCERT/CC responds to security incidents in a timely manner and makes coordinated efforts to handle incidents that are detected and reported (incidents affecting Internet security, incidents affecting huge numbers of Internet users, incidents related to important government departments and information systems, complaint incidents with serious impacts, and security incidents reported by national emergency organizations outside China).
  • Test and assessment: As a professional organization for cyber security test and assessment, CNCERT/CC provides security test and assessment services for governments and enterprises in accordance with relevant standards by adopting scientific methods, standard procedures, and fair and independent judgment. CNCERT/CC also organizes efforts to formulate standards for communications network security, and telecommunication network and Internet security protection. It also technically monitors and analyzes national Internet financial risks. 
The Cybersecurity Law of the People's Republic of China is hereinafter referred to as "Cybersecurity Law".

The following laws and regulations are complements to the Cybersecurity Law:
  • Regulations on Personal Information Protection for Telecom and Internet Users
  • Regulation of Critical Information Infrastructure Security Protection (Draft for Soliciting Opinions)
  • National Emergency Plan for Cyber Security Incidents
  • Catalog of Critical Network Equipment and Specialized Cybersecurity Equipment (First Edition)
  • Regulation of Internet News and Information Service Management
  • Regulation of Internet Content Management Administration Law Enforcement Procedure
Some other laws and regulations are being planned, and will contribute to a more comprehensive cyber security law system.
Cyber security incidents are categorized as follows:
  • Malicious program: Computer virus, worm, Trojan horse, botnet, hybrid program attack, or malicious code embedded in web page
  • Cyber attack: DoS attack, backdoor attack, vulnerability attack, network scanning and eavesdropping, phishing, or interference
  • Information breach: Information tampering, spoofing, leakage, theft, or loss
  • Information content security: spread of information forbidden by laws and regulations, illegal organization, incitement of illegal rallies, insensitive publicity stunts, or incidents that undermine national security, social stability, and public interest
  • Equipment and facility fault: Hardware/software fault, peripheral facility fault, deliberate destruction
  • Disaster: cyber security incidents in other emergencies such as natural disasters
  • Others: other network security incidents 
The National Emergency Plan for Cyber Security Incidents implements the general principles for dealing with cyber security incidents. For the methods of handling information content security incidents, relevant organizations or companies shall formulate specific emergency response plans accordingly.

Emergency response plans are classified as follows:
  • Comprehensive emergency response plan: serves as guidance for carrying out emergency response work.
  • Special emergency response plan: provides solutions to specific types of security incidents.
  • Specific system emergency response plan: provides solutions to specific security incidents in specific environments.
  • Individual incident response plan: provides a one-off solution to a specific scenario.
Different types of emergency response plans apply to different security incident categories, warning levels, and emergency response levels. For more information, see the National Emergency Plan for Cyber Security Incidents. The following provides details about incident categories:
  • Extremely serious incidents:
    • Critical networks and information systems are severely compromised, crippling networks and systems on a large scale and depriving them of functionality.
    • National secrets, sensitive information, and key data are lost, stolen, altered, or counterfeited, posing extremely serious threats to national security and social stability. 
    • Other cyber security incidents that pose particularly serious threats to or impacts on national security, social order, economic construction and public interest.
  • Serious incidents:
    • Important network information systems are tremendously compromised, resulting in long downtime or partial breakdown, and seriously deteriorating service processing capabilities.
    • Country secrets, sensitive information, and key data are lost, stolen, altered, or counterfeited, posing serious threats to national security and social stability.
    • Other cyber security incidents that pose serious threats to or impacts on national security, social order, economic construction and public interest.
  • Relatively serious incidents:
    • Other cyber security incidents that pose serious threats to or impacts on national security, social order, economic construction and public interest.
    • Country secrets, sensitive information, and key data are lost, stolen, altered, or counterfeited, posing relatively serious threats to national security and social stability.
    • Other cyber security incidents that pose relatively serious threats to or impacts on national security, social order, economic construction and public interest.
  • Ordinary incidents:
    • Other cyber security incidents that pose threats to or impacts on national security, social order, economic construction and public interest.
Emergency response levels:
  • Level-I response to red signal warning:
    • The emergency response office organizes the response work, including contacting security professionals and relevant organizations to track and investigate the situation and work out preventive measures and emergency response plans, and making preparations for resource scheduling and department coordination. 
    • The relevant cyber security incident emergency command center must be on duty 24 hours a day, and relevant personnel must always be available. The organization must also strengthen cyber security incident detection and information collection, organize emergency support teams to take emergency measures, and perform risk assessment and control.
    • The national technical support team for cyber security emergency is ready to develop countermeasures based on warning information and check that emergency vehicles, devices, and software tools are in good condition. 
  • Level-II response to orange signal warning:
    • The relevant cyber security incident emergency command center executes the corresponding emergency plan, organizes response work, and performs risk assessment/control and emergency preparations.
    • Relevant departments must report the situation to the emergency response office in a timely manner, and the office must pay close attention to the situation and report important information to relevant departments.
    • The national technical support team for cyber security emergency must be always available and check that emergency vehicles, devices, and software tools are in good condition.
  • Level-III response to yellow signal warning and level-IV response to blue signal warning:
    • The cyber security incident emergency command centers of relevant regions and departments must execute the corresponding emergency response plans and organize response work. 
Emergency response services provided by emergency response organizations around the world include:
  • Security consulting service and emergency response service
  • System or risk assessment
  • Intrusion detection
  • Security bulletin and vulnerability publishing, and patch download
  • Attack source tracing and data recovery
  • Education and training
  • Organizing academic exchange activities 
In the study of information security and cyber defense theory, the United States Department of Defense proposed Information Assurance and put forward the dynamic Protection, Detection, Response, and Recovery (PDRR) model. Response in this model focuses on the emergency handling of security incidents.

The protection, detection, response, and recovery in the PDRR model constitute an information security process.
  • Protection: takes measures (such as patching, access control, and data encryption) to defend against all known security vulnerabilities.
  • Detection: detects behavior that bypasses the defense system and identifies the intruder, including the attack source, attack status, and system loss.
  • Response: responds to the detected intrusion incident, including handling the incident and processing other services.
  • Recovery: restores the system after an intrusion incident occurs. The defense system must be updated to prevent the same type of intrusion incident from recurring.
In remote emergency response, emergency response teams obtain temporary host or device accounts from the customer network personnel, and log in to the hosts/devices for detection and service support. After the incidents are resolved, the emergency response teams provide detailed emergency response reports.

If remote login fails or the incidents cannot be resolved remotely, confirm on-site emergency response with the customer.
The emergency response process varies according to situations. The emergency response service personnel need to flexibly handle security incidents but must record all process changes.

Reference files:
  • GB/T 20984-2007 Information Security Technology - Risk Assessment Specification for Information Security
  • GB/Z 20985-2007 Information Technology - Security Technology - Information Security Incident Management Guide
  • GB/Z 20986-2007 Information Security Technology - Guidelines for the Category and Classification of Information Security Incidents
  • GB/T 20988-2007 Information Security Technology - Disaster Recovery Specifications for Information Systems
  • GB/T 22240-2008 Information Security Technology - Guide for Classified Protection of Information System
  • GB/T XXX XXXX Information Security Technology - Baseline for Classified Protection of Information System
Identify and detect various security emergency incidents. Create security warning reports before emergency security incidents occur. In case of an emergency, report a security warning to the emergency response center. Incidents are discovered in two ways:
  • Proactive discovery: Incidents are found by the intrusion detection device and global warning system.
  • Passive discovery: Incidents are reported by network users.
The emergency response center then takes the following measures based on the incident severity:
  • Determine the person responsible for handling the incident, and provide necessary resource support.
  • Estimate the impact and severity of the incident to determine a proper emergency response plan.
  • Check the following: affected hosts and networks, network intrusion extent, permissions obtained by the attacker, security risks, attack means, and spread scope of the exploited vulnerabilities.
  • Check whether a network-wide security incident has occurred.
Take different suppression actions in different scenarios. For example:
  • In the preliminary analysis process, determine a proper suppression method, such as blocking attacks, mitigating system loads, blocking the intrusion source address by using routers and firewalls, and isolating the systems infected by viruses.
  • Modify the filtering rules of all firewalls and routers to deny the traffic from suspicious hosts.
  • Block or delete the attacked login accounts.
  • Raise system or network behavior monitoring levels.
  • Set honeypots, and disable the exploited services.
  • Summarize data to estimate the loss and the effect of isolation.
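The preliminary analysis checklist above (affected hosts, intrusion extent, permissions obtained) and the suppression actions that follow from it can be worked through on constructed alert data. The following is an added example, not code from the original page: it assumes a simple key=value alert format of my own design, derives which source hosts are suspicious and which hosts were compromised, and emits each suppression action as a record so the process changes are traceable.

```python
import re
from collections import Counter

# Constructed sample alert lines (not from the original page); "priv" is the
# permission the attacker obtained after a successful login.
SAMPLE_ALERTS = """\
2024-05-01T09:00:01 src=203.0.113.7 dst=10.0.0.5 event=scan
2024-05-01T09:00:09 src=203.0.113.7 dst=10.0.0.6 event=scan
2024-05-01T09:01:30 src=203.0.113.7 dst=10.0.0.5 event=login_success user=admin priv=root
2024-05-01T09:02:00 src=198.51.100.4 dst=10.0.0.9 event=login_fail user=ops
2024-05-01T09:03:12 src=203.0.113.7 dst=10.0.0.8 event=login_success user=web priv=user
"""

ALERT_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) event=(?P<event>\S+)"
    r"(?: user=(?P<user>\S+))?(?: priv=(?P<priv>\S+))?$"
)

def parse_alerts(text):
    """Turn alert lines into dicts; lines that do not match the format are skipped."""
    matches = (ALERT_RE.match(line) for line in text.splitlines())
    return [m.groupdict() for m in matches if m]

def assess(alerts, scan_threshold=2):
    """Preliminary analysis: affected hosts, intrusion extent and permissions obtained."""
    scans = Counter(a["src"] for a in alerts if a["event"] == "scan")
    successes = [a for a in alerts if a["event"] == "login_success"]
    compromised = {a["dst"]: (a["user"], a["priv"]) for a in successes}
    suspicious = {s for s, n in scans.items() if n >= scan_threshold}
    suspicious |= {a["src"] for a in successes}   # any source that got in
    return {
        "suspicious_hosts": sorted(suspicious),
        "compromised_hosts": compromised,
        "root_obtained": any(priv == "root" for _, priv in compromised.values()),
    }

def plan_suppression(assessment):
    """Derive suppression actions; each is a record so process changes stay traceable."""
    actions = []
    for src in assessment["suspicious_hosts"]:
        actions.append({"type": "firewall_deny", "target": src,
                        "detail": f"deny ip from {src} to any"})
    for host, (user, priv) in assessment["compromised_hosts"].items():
        actions.append({"type": "isolate_host", "target": host,
                        "detail": f"attacker holds {priv} privilege on {host}"})
        actions.append({"type": "disable_account", "target": f"{user}@{host}",
                        "detail": "block the attacked login account"})
    return actions
```

The action records are the input to the firewall and account changes an operator applies, and also the change log the response report requires.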
A dilemma in AI algorithm design for autonomous vehicles: You see a runaway railway trolley moving toward five people, tied up and lying on the tracks. You are standing next to a lever that controls a switch. If you pull the lever, the trolley will be redirected onto a side track and the five people on the main track will be saved. However, there is a single person lying on the side track. You have two options: 1. Do nothing and allow the trolley to kill the five people on the main track. 2. Pull the lever, diverting the trolley onto the side track where it will kill one person.

New technologies (industries) such as encryption and anti-encryption, blockchain security, iris recognition, and digital identity are still in the early stage of development. Because the security risks are unknown or the related interests are too complex, legislators and regulators in different countries are still only discussing the security issues and have not yet issued relevant laws or regulations.