=Paper= {{Paper |id=Vol-1816/paper-13 |storemode=property |title=An Operational Framework for Incident Handling |pdfUrl=https://ceur-ws.org/Vol-1816/paper-13.pdf |volume=Vol-1816 |authors=Giovanni Bottazzi,Giuseppe Francesco Italiano,Giuseppe Giulio Rutigliano |dblpUrl=https://dblp.org/rec/conf/itasec/BottazziIR17 }} ==An Operational Framework for Incident Handling== https://ceur-ws.org/Vol-1816/paper-13.pdf
         In Proceedings of the First Italian Conference on Cybersecurity (ITASEC17), Venice, Italy.
     Copyright © 2017 for this paper by its authors. Copying permitted for private and academic purposes.




                          An Operational Framework
                            for Incident Handling
           Giovanni Bottazzi, Giuseppe F. Italiano, Giuseppe G. Rutigliano
                        University of Rome “Tor Vergata”, Rome, Italy
             gbottazzi73@gmail.com, giuseppe.italiano@uniroma2.it,
                          rutigliano@ing.uniroma2.it


                                                 Abstract
           Information security management has been a widely discussed topic in recent years, due
       to the increasing number of attacks and the growing damage they can cause to the daily
       life of a society. In this context, new emerging paradigms, such as IoT, CPS and Critical
       Infrastructures, converge towards common technologies, resulting in a dangerous
       interconnection and interdependence of worlds that were formerly separated, or even
       isolated. For this reason, numerous cybersecurity frameworks have been defined, identifying
       organizational methodologies, mainly process-oriented, for managing a security
       infrastructure. This article is instead oriented towards defining a framework with special
       attention to the management of IT incidents, describing some minimal arrangements that
       need to be adopted in order to respond effectively and efficiently to a cyberattack, to
       mitigate the damage suffered and to limit the analysis and recovery time.



1 Introduction
    The threat posed by the criminal use of the Internet is constantly growing and currently results,
in most cases, in a steady rise of phenomena whose main purpose is to carry out criminal acts, for
economic gain, to the detriment of millions of users (victims). Without dwelling on the difference
between common crimes perpetrated by means of the Internet (e.g., online sale of drugs,
counterfeited goods, etc.) and crimes born and developed thanks to it (Distributed Denial of Service,
cyber extortion, etc.), it can be asserted, without fear of contradiction, that cybercrime is a growth
industry.
    The revenues are large, considering that the Internet economy is capable of generating 2 to 3 trillion
dollars per year. It has been estimated (June 2014) that the likely annual cost to the global economy
from cybercrime is more than $400 billion. A conservative estimate would be $375 billion in losses,
while the maximum could be as much as $575 billion (McAfee, 2014). Criminals still have difficulty
turning stolen data into financial gain, but the constant stream of news contributes to a growing sense
that cybercrime is out of control.




                                                    126
     Moreover, current trends suggest considerable increases in the scope, sophistication, number
and types of attacks, number of victims and economic damage (Europol IOCTA, 2015). In addition to
the incompleteness of the information available on the exact incidence of cybercrime on the Internet
economy (or on the global economy), we must consider the vagueness of the information related to what
could be funded with the revenues of the cybercrime industry. Are they used just for self-funding or
for supporting terrorist actions/organizations?
     There are some important factors worth highlighting in this context: the widespread availability of
unsecured targets and the low cost barriers of the newly emerging “Crime as a service” rental model.
The term “unsecured targets” must be related not only to consumer devices (e.g., smartphones, tablets,
smart TVs, etc.), but also to technological (and critical) infrastructures facing the Internet for the first
time, e.g., Smart Buildings, Cyber Physical Systems, Industrial Control Systems and all the devices
related to the “Internet of Things” paradigm. The attention of industry is not yet fully focused on cyber
security or on privacy-by-design. Many of the so-called smart devices are actually quite dumb when it
comes to their security posture, being unaware of the fact that they are part of a botnet or are being
used for criminal attacks.
     The security of Critical Infrastructures (CI) needs to be addressed in a holistic and effective manner
in order to protect economies and societies, mainly because it relates to complex systems composed of
various hardware and software components, often deployed by different vendors and designed with
little consideration for network and software security. Cybercrime is already able to move huge amounts
of capital from the licit economy to the illegal one. It is very likely that, in the near future, the data will
be even more alarming, because it is hard to imagine that the trend will reverse, and because today we
are witnessing many examples showing how the sophistication of the attacks can further
degenerate into the "terrorist use" of the Internet or, worse, into cyber terrorism.
     The invasiveness of Information and Communication Technology in various aspects of the life
of a civil society naturally brings, on the one hand, all the benefits related to automation, monitoring
and remote control, a.k.a. genuine innovation, but also brings, on the other hand, all the side effects
related to its misuse, whether improper or, worse, criminal (Bottazzi, Me, 2016).
     Moreover, the emerging industrial paradigm is converging toward common software technologies,
inheriting all the issues already present in the “pure” IT ecosystem, but involving infrastructures
much more critical than the usual Internet blogs, with easily predictable domino effects.
     In this context, a number of initiatives have been realized, with specific reference to the well-known
frameworks for cyber security, aimed at providing organizations with a homogeneous and voluntary
approach to cyber security, in order to reduce the risk linked to cyber threats.
     These frameworks use business drivers to guide cybersecurity activities and consider
cybersecurity risks as part of the organization’s risk management processes, with important adaptations
relating, for example, to critical infrastructures, small and medium enterprises or incident
handling (to be considered as the reaction phase of a cybersecurity framework).
     However, they still suffer from a high-level perspective in both the prevention and reaction stages,
and need a much deeper analysis, aimed at providing practical guidelines to security designers,
operators and officers.



2 Current and future Internet-related threats
   Many of the Internet-related tools already available, whose business model can amplify their
capabilities, as already said, have been used in the past for actions that can hardly be labeled
as mere crime (e.g., the well-known “Estonia 2007” and STUXNET). Neither introduced any
technological novelty (a massive DDoS in the first case and a number of zero-day vulnerabilities in the
second). Late last year, a wave of cyber-attacks hit several critical sectors in Ukraine (Kaspersky, 2016).
Widely discussed in the media, the attacks took advantage of the known BlackEnergy Trojan as well as
several new modules.
    BlackEnergy is a Trojan created by a hacker known as “Cr4sh”. In 2007, he reportedly stopped
working on it and sold the source code for an estimated $700. Around 2014, a specific user group of
BlackEnergy attackers began deploying SCADA-related plugins to victims in the Industrial Control
Systems (ICS) and energy sectors around the world. The attackers simply decided to shift their focus
towards new targets, using spear-phishing emails carrying malicious Excel/Word documents with
macros to infect computers in a targeted network (example in Figure 1). It should be clear at this point
that, given the maturity of both the technology and the business model, a criminal attack can become
terroristic, or something worse, depending only on “who is opposed to whom” and not on the tools
used (almost always the same).




                       Figure 1: Excel file with macros used in the BlackEnergy campaign.

    With reference to CIs, despite the numerous attempts made so far, there is still no universally
recognized definition, or at least a definition that provides a classification fitting the characteristics of
each nation. A critical infrastructure is often identified as an infrastructure whose malfunctioning,
even for a limited period of time, may negatively affect the economy of individual subjects or groups,
involving economic losses and/or even exposing people and things to a safety and security risk (TENACE
project, 2014).
    CIs are at the heart of any advanced civilized country. These infrastructures include, among others:
finance and insurance, transportation (e.g., mass transit, railways and aircraft), public services (e.g.,
law enforcement, fire and emergency services), energy and health care. All surveys from leading security
stakeholders indicate that attacks are expected to increase in scale, to become more accurate and precise,
and therefore to become real cyber weapons. This raises security concerns (and threats), because of the
interconnection of two previously isolated worlds, the Internet and CI systems. Interestingly, the
Internet is itself an underlying critical asset of modern CIs, because their controlling systems are often
distributed over remote, Internet-connected locations. Moreover, these two worlds are not only
interconnected, but also interdependent, with an increased risk of a domino effect. Unfortunately, we
have already witnessed a number of events that must be perceived as more than just the “weaponization
of the coffee pot”.
    In addition to the BlackEnergy event mentioned above, we can also cite the incident suffered by the
Israeli power grid last February, labeled as the largest cyber assault that the country has experienced (The
Jerusalem Post, 2016). Moreover, the year 2016 started with quite a number of security incidents related
to hacks on hospitals and medical equipment (Securelist Blog, 2016). They include a ransomware attack
on a Los Angeles hospital, the same in two German hospitals, a case of researchers hacking a patient
monitor and drug dispensing system, an attack on a Melbourne hospital and so on – in just two months of
2016!
    Finally, recent research (Wendzel et al., 2014) envisioned a new class of botnets deployed on
Building Automation Systems (BAS) and used for “novel scenarios” such as remote access to sensor data
for mass surveillance, or remotely locking a building and holding the people inside for ransom.
    Citing the Watch Dogs video game, “we are no more individuals, we are data clusters”.



3 Cybersecurity frameworks (a.k.a. related works)
    Cyber attacks on CIs are no longer a theoretical but a real problem, probably since the discovery of
the STUXNET worm in July 2010. Criminal gangs, hence, can benefit from a relatively new business
capacity (in the widest sense of the term), in addition to the already vast possibilities offered by the most
common cybercrime. Consequently, security researchers envisioned the goal of the next generation of
malware as quietly stopping production at a utility, affecting the production of a rival, selling the shares
of a company or extorting money under the threat of a disruption.
    On the other hand, cyber threats certainly cannot be faced only by giving up the potential offered
by IT systems and their interconnection within the network, thus losing the increase in productivity
and efficiency linked with computerization. The answer should be systematic, aimed at raising the
citizens’ awareness, the “duty of care” of companies and the international “due diligence” of the country
about the cyber threat.
    It is crucial that, in this process of collective awareness raising, we shift from an idea of “IT system
security” or “IT security” to that of “cyber threat management”. This means, among other things,
defining a process that respects the constitutional principles regarding, for example, the management of
business activity, in order neither to hinder the social benefit nor to affect safety, freedom and human
dignity. This consideration implies that the cyber security perspective is not to be seen just in
technological terms, but rather requires taking into account the overall legal and formal duties and the
principles of social interest, towards which the public and private frameworks need to converge. For this
reason, the duty of protection should become part of the top management responsibility of an
organization, as it requires a specific and accurate evaluation by those who hold the direction and
management power.
    In this context, the research community felt the need to define a series of coordinated actions to be
taken in order to manage the cyber risk. Such actions involve the organization and the technology
departments of the company, in addition to the financial management of the risk, also through the
establishment of a residual risk management strategy and a strategy to protect the company balance.
Furthermore, the cyber risk is intrinsically highly dynamic. It changes as threats, technology and
regulations change. In order to start approaching this issue in a way that is useful for the country
system (State, enterprises and citizens), common grounds (a.k.a. Frameworks) have been designed, in
which the various production sectors, government agencies and regulated sectors can recognize their
business, so as to align their cyber security policies in a steadily developing process. To reach this aim, a
common Framework should first be neutral both in terms of business-risk management policies and in
terms of technology, so that each player can keep on using its own risk management tools, managing
its technology assets while monitoring at the same time compliance with sector standards. A
Framework may help an enterprise to plan a cyber-risk management strategy, developed over time
according to its business, size and other distinguishing and specific elements of the enterprise.
    Starting from the “Framework for Improving Critical Infrastructure Cybersecurity” issued by
NIST (NIST, framework, 2014), a number of related/linked documents have been issued. For instance,
the Italian National Cybersecurity Framework (Baldoni, Montanari, 2015), while based on the one
developed by NIST, has shaped the overall approach to the Italian scenario, in terms of legal and
enterprise frameworks.
    Moreover, each key concept contained in the abovementioned Frameworks may have been a topic
of study in other guidelines, such as the “Computer Security Incident Handling Guide” (NIST, guide,
2012), to be considered as a deepening of the Core activity labeled “Respond” in the Cybersecurity
Framework.
    With specific reference to the actions that must be performed during/after a cyber-attack, further
research documents have been produced for better identifying skills, organization and collaboration of
the teams involved in managing security incidents (Computer Security Incident Response Teams) or
for improving their response efficiency (Ruefle et al., 2014; Steinke et al., 2015).
    None of the above documents, regardless of their depth level, helps in outlining what should be the
security measures to implement, from a purely practical point of view.
    We believe that guidelines for the prevention, management of and reaction to a cybersecurity
incident, with a strong practical orientation (to be understood as the technological arrangements to
implement), should have two main targets. On the one hand, they should represent a valuable tool for
putting into practice the concepts contained within the frameworks developed so far, and on the other
hand, they should be able to spread awareness and greater technical knowledge regarding the burden to
bear for deploying a specific IT service.
    For example, the adoption of HTTPS certificates whose trustworthiness is always verifiable could help
many organizations to significantly reduce the attack surface and to protect them from attack techniques
(e.g., Man In The Middle) which, although easy to find on the black market, are not yet easily countered.
In the next section, we will describe a framework for limiting the effects of cyber attacks (incident
response) in the time, space and data domains.



4 A practical framework for incident handling
    In the abovementioned scenario, the well-known paradigm whereby “the attacker is getting stronger”
(Brady et al., 1999), or, alternatively, the attacker has thermodynamics on his side, turns out to be
reinforced and, without proper and very challenging strategies, the phenomenon is expected to grow,
and a turnaround is unlikely. Starting from the characterization of the threat, in terms of
organization, objectives, operating procedures and action times, we can assert that it is possible to
identify common elements, even if it may originate from heterogeneous subjects, with significantly
different resources and capabilities.
    The group that materially performs a coordinated attack usually has a lean structure and counts a
number of people that can vary from a few units to a few tens. The command chain is short, the skills
and the tactical objectives are clear and quite common (unlike the strategic ones): DoS, defacement, data
exfiltration, etc. The actions are carried out in subsequent stages, or in parallel when possible, by highly
specialized working groups (e.g., system analysts, database experts, network experts, crackers, etc.),
with a previously scheduled timing and through very “easy-to-find” tools (usually on the black market).
    Time, thus, is a crucial success factor for the attacks, which are often carried out in periods and at times
carefully chosen in order to find the lowest possible defensive power. The attackers have the
advantage of surprise on their side and, of course, they try to maximize the effects.
    The defensive organization, instead, involves a very large number of individuals in the ICT
management. In addition, common users may be subject to social engineering or phishing attacks.
In this context, the number of people involved increases dramatically.
    The defensive organization, then, turns out to be much less streamlined than the attacker's one, in
terms of tasks and responsibilities. There is no best approach, because the absolute separation of duties
and the use of dedicated resources, which might seem the best choice from a conceptual and procedural
point of view, still pose problems of group cohesion (internals and outsourcers) and quick response.
    Moreover, if not all operators are fully trusted, there is even more need to define tasks that are clearly
identified, easy to implement (because previously tested) and not subject to misinterpretation. The
(defensive) command chain is further complicated by the absence of clear operational procedures and
can become an obstacle to containment and remediation operations, mostly when, for example,
there is the need to bring together the appropriate committees to identify the actions to be undertaken.
Moreover, the procurement of human resources, technologies and services is made up of articulated
procedures and bureaucratic processes, subject to appropriate authorizations. In other words, the
defensive processes turn out to be much slower than those involved in the threat evolution, and
there is a need for organizational, technological and operational changes.
    We can imagine a large IT organization as the one described in Figure 2. Typically, we have
Headquarters, hosting datacenter and executive workstations, a number of branch offices and mobile
devices. The Internet resource is shared through Headquarters or directly through the branch offices
(rare). In order to measure the cost of a compromise, we need to identify the assets that can be involved,
their single value, the time needed for analyzing, identifying and recovering a compromise. Moreover,
a compromise can start from an asset and evolve to other assets through privilege escalation and/or
lateral movement. The final goal of a cyber attack is always the compromise of an infrastructural service
(e.g., DNS, internal Domain, etc.), giving the attackers the full capacity to act.




                           Figure 2: IT architecture of a large corporate organization

   In this context, the total cost of compromise (of course just in the success case) can be seen as the
sum of the costs of all the “objects” compromised in each asset, plus the time needed for detecting,
analyzing and recovering each compromised asset. Thus, we have:

                     $$\forall\,\mathrm{Asset},\quad \mathrm{Cost}(\mathrm{Asset}) = \sum_{i=1}^{n} \left(V_i + AT_i + RT_i\right)$$

where n is the number of “objects” composing each asset, V is the Value of each object composing the
specific Asset, to be considered as the criticality of the object, AT is the Analysis Time required for
analyzing and finding the compromise, and RT is the Recovery Time required for recovering the original
behavior of the “object”. We can describe the typical assets deployed within a large corporate network,
such as the one described in Figure 2, as summarized in Table I, together with possible values for Vi, ATi and RTi
(ranging from 1 to 1,000).

                          ASSET                                     Vi           ATi          RTi
     Common Workstation (mobile device)                              1            1            1
     Admin Workstation (mobile device)                              10            1           50
     Executive Workstation (mobile device)                         100            1           10
     Application Service                                           300           500          100
     Infrastructural Service                                      1,000          800         1,000
   Table I: distribution of Vi, ATi and RTi, within a large corporate network.

    The values in Table I have been defined considering low AT and RT values for almost all
workstations. The only exception regards the RT value of the Admin workstations, which usually
require more initial configuration. The V value, instead, has been considered greater for the Executive
Workstations, considering all the strategic business data stored within. Moreover, the application and
infrastructure services obviously have a high V value but, above all, they have AT and RT values
much higher than the workstations. Finding a compromise inside the e-mail servers or inside the domain
infrastructure could be very challenging, and recovering from it may result in reinstalling a brand new
system.
    At this point, it is easy to verify how the total cost of an incident increases over time, because of
the escalation to assets with higher value and higher costs, resulting in an increased burden for the
organization in terms of analysis and recovery (Figure 3). In Figure 3 we report the examples related
to the compromise of an infrastructural service (e.g., through an Advanced Persistent Threat - APT).
We supposed the APT started from a workstation within a branch office (e.g., mail-attached malware)
and from an application service (e.g., SQL injection and subsequent reverse shell), described by the
blue and the red series respectively (the green series will be illustrated later).




                                 Figure 3: Compromise escalation during time

    In the first case, the attack escalation has been imagined as moving first through the common
workstations and the application services, before reaching the infrastructural services. In the second
case, the escalation path, starting from the application services, is definitely shorter. In both cases, the
cost of each escalation step has been computed using the previous formula, thus summing the costs of
all the objects involved in the attack. We hypothesized an IT infrastructure composed of 100
application services, 10 infrastructural services, 100,000 common workstations, 50 admin workstations
and 30 executive workstations. As we can see, after about 2 hours (the vertical dotted line), assuming
that the two attacks have successfully escalated or been directed toward the “Data Center”, the global cost of
the compromise is completely different (displayed in logarithmic scale).
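The cost model and the escalation paths of Figure 3, carried through as a worked example added here (not the authors' code): it takes Vi, ATi and RTi from Table I and the asset counts from the text, and assumes, which the paper does not state, that each escalation step compromises every object of the asset class it reaches.

```python
"""Worked instance of the cost-of-compromise model of Section 4.

Added example, not the authors' code. Per-object values V_i, AT_i and RT_i come
from Table I; the asset counts (100 application services, 10 infrastructural
services, 100,000 common, 50 admin and 30 executive workstations) are the ones
hypothesized in the text. The escalation paths are our assumption: each step is
taken to compromise every object of the asset class it reaches, which the paper
does not state explicitly.
"""
from dataclasses import dataclass
from math import log10
from typing import Optional


@dataclass(frozen=True)
class AssetClass:
    name: str
    value: int           # V_i: criticality of a single object
    analysis_time: int   # AT_i: time to analyze and find the compromise
    recovery_time: int   # RT_i: time to restore the object's original behavior
    count: int           # number of objects of this class in the network

    def object_cost(self) -> int:
        """Cost of one compromised object: V_i + AT_i + RT_i."""
        return self.value + self.analysis_time + self.recovery_time

    def cost(self, compromised: Optional[int] = None) -> int:
        """Cost(Asset) = sum_{i=1}^{n} (V_i + AT_i + RT_i) over the n objects
        actually compromised (the whole class by default)."""
        n = self.count if compromised is None else compromised
        if not 0 <= n <= self.count:
            raise ValueError(f"{n} objects requested, class {self.name} has {self.count}")
        return n * self.object_cost()


# Table I values, with the asset counts hypothesized in the text.
TABLE_I = {
    "common": AssetClass("Common Workstation", 1, 1, 1, 100_000),
    "admin": AssetClass("Admin Workstation", 10, 1, 50, 50),
    "executive": AssetClass("Executive Workstation", 100, 1, 10, 30),
    "application": AssetClass("Application Service", 300, 500, 100, 100),
    "infrastructural": AssetClass("Infrastructural Service", 1_000, 800, 1_000, 10),
}


def escalation_costs(path, assets=TABLE_I):
    """Cumulative cost of compromise after each escalation step.

    path: [(asset_key, objects_compromised), ...] in attack order.
    Returns [(asset name, cumulative cost), ...]: one point per step of a
    series in Figure 3.
    """
    total, series = 0, []
    for key, n in path:
        total += assets[key].cost(n)
        series.append((assets[key].name, total))
    return series


def total_cost(path, assets=TABLE_I) -> int:
    """Global cost of compromise at the end of the path (0 for an empty path)."""
    series = escalation_costs(path, assets)
    return series[-1][1] if series else 0


# Blue series: one branch workstation infected by mail-attached malware, then
# the remaining common workstations, the application services and finally the
# infrastructural services (assumption: whole classes are compromised).
BLUE_PATH = [("common", 1), ("common", 99_999), ("application", 100),
             ("infrastructural", 10)]
# Red series: SQL injection on one application service, spread to the others,
# then the infrastructural services.
RED_PATH = [("application", 1), ("application", 99), ("infrastructural", 10)]
# Green series: same start as blue, but isolated at the first workstation
# thanks to the probe and the gateway logs, so no further step.
GREEN_PATH = [("common", 1)]


if __name__ == "__main__":
    for label, path in (("blue", BLUE_PATH), ("red", RED_PATH), ("green", GREEN_PATH)):
        for name, cum in escalation_costs(path):
            # Figure 3 plots the cost on a logarithmic scale
            print(f"{label:5} after {name:24} cost={cum:>7} log10={log10(cum):.2f}")
```

Under these assumptions the blue path ends at 418,000 against 118,000 for the red one and 3 for the green one, which is the gap Figure 3 shows on its logarithmic scale.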
    Of course, we did not consider the probability that an attack is successfully completed, which
depends on numerous factors such as the security systems in operation, the type of threat, etc. In any
case, it would be limited to the identification of a scale factor of the trend described in Figure 3.
    In order to reduce the speed gap between attackers and defenders, it is necessary to adopt procedural
and technical measures designed to streamline the defense system. The arrangements we are going to
describe do not replace the requirements and recommendations contained in other security frameworks,
but are meant to improve their effectiveness, with easier and faster defense operations or, in some cases,
by slowing down the attackers' operations.
    Firstly, the initial perimeter of the infection must be reduced. This objective can only be achieved
by acting on IT assets with an "incident-handling" perspective and thus implementing, during the design
and management stages, all the prescriptions related to network segmentation and data
segregation. For instance, if an attacker can break into a server located inside a wide data center
protected by perimeter defenses but with no internal segregation/segmentation, he can easily extend the
attack to the entire server farm. Thus, the reduction of the attack surface must be coupled with
increased compartmentalization of internal services.

    Domain  Ex-ante actions                                     Ex-post actions
    Time    Minimize the Internet border gateways.              Close all or part of the Internet border
                                                                gateways.
            Arrange only interesting logs in usable format.     Mine the logs starting from those
                                                                concerning the compromised sector.
    Space   Prepare hardware/software probes up to a high       Limit or interrupt traffic starting from
            level of depth.                                     the compromised sector.
            Segment the network infrastructure.                 Close the network links starting from
                                                                the compromised ones.
            Segregate the application data.                     Inhibit the communications to and from
                                                                the compromised application service.
            Implement Content Delivery Networks.                Switch to CDNs.
            Access the application services via terminals       Isolate the access to application
            and credentials that are limited and well           services.
            identified (admins and not users).
            Access the infrastructural services via terminals   Isolate the access to infrastructural
            and credentials that are limited and well           services.
            identified.
    Data    Backup or service snapshots (off line).             Recovery (on line).
            Data encryption (in order to prevent the            Reduce data access to a few entities
            compromise of the server from automatically         (prior verification of the credentials).
            expanding to the data).
            Prepare workstations never used (off line) and      Use new workstations previously
            ready for emergencies.                              prepared.
   Table II: A framework for incident handling.

    In addition, the operators dedicated to monitoring and analyzing possible cyber attacks usually do
not have sufficient Rules of Engagement (RoE) for implementing timely corrective and/or mitigation
actions. Hence, the second objective to be pursued concerns the organizational structure, again for
managing security emergencies (incident-handling perspective). It is necessary to make efforts to
delegate, as much as possible and at every level of the command chain, the responses to attacks, identifying a
priori the possible scenarios and pre-authorizing the responses, giving operators clear RoE that can be
put in place immediately, without fear of incurring personal liability and without waiting for the
appropriate authorizations. This approach, borrowed from military affairs, is, in our opinion, the only
way to make effective a tool that would otherwise risk being essentially a system for observing the
evolution of a phenomenon rather than for countering it.
    The third objective is to prepare in advance the data necessary for the incident analysis. Usually,
huge amounts of logs are kept, sometimes even in excess, without a well-focused objective. For
instance, if we consider the Internet gateway (the same for all users) of Figure 2, it is very likely that
the vast majority of the logs, without any pre-processing, do not provide any useful information for the
identification of an attack (e.g., misconfigurations, authentication methods not supported by the
application software, etc.). All these logs should be separated from the others in "peacetime", in
order to reduce the amount of data to be inspected in "wartime".
    Moreover, the firewalling policies usually record all the failed attempts to access network resources
(drop logs). Many of these logs refer to mere attempts made by unaware users trying to access
resources for which they do not hold the related grant (e.g., network shares). This is quite different from
an automatic port scan of an entire class of IP addresses.
    Hence, the paradigm must be reversed, focusing on which logs are the most useful for the analysis,
selecting them in accordance with objective criteria, and organizing and preparing them (pre-processing) in
order to have a repository that is easy to inspect. The current tendency is to store as many logs as possible
without envisaging, again, any incident-handling scenario.
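The peacetime pre-processing argued for above, as an added example that is not code from the paper: it classifies constructed firewall drop-log lines so that an unaware user repeatedly denied a network share is set aside as noise, while a port scan of a whole address class is kept in the repository inspected in wartime; the log format, the addresses and the thresholds are assumptions of the example.

```python
"""Peacetime pre-processing of firewall drop logs (added example, not the
authors' code). It separates the "noise" the text describes (an unaware user
repeatedly denied access to a network share) from an automatic port scan over
a whole class of addresses, so that only the latter ends up in the repository
inspected in wartime. Log format, thresholds and addresses are constructed
assumptions for the example.
"""
import re
from collections import defaultdict
from ipaddress import ip_network

# Constructed drop-log format: "<ts> DROP src=<ip> dst=<ip> dport=<port>"
DROP_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

# Thresholds (assumptions): a source touching at least SCAN_HOSTS distinct
# hosts of one /24 is a horizontal scan; one probing at least SCAN_PORTS
# distinct ports on a single host is a vertical scan.
SCAN_HOSTS = 8
SCAN_PORTS = 6


def parse_drop_logs(lines):
    """Yield (src, dst, dport) for well-formed DROP lines; other lines are skipped."""
    for line in lines:
        m = DROP_RE.match(line.strip())
        if m:
            yield m["src"], m["dst"], int(m["dport"])


def classify_sources(events):
    """Return {src: "scan" | "noise"} from parsed (src, dst, dport) events."""
    hosts_per_net = defaultdict(lambda: defaultdict(set))   # src -> /24 -> {dst}
    ports_per_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> {dport}
    for src, dst, dport in events:
        net = ip_network(f"{dst}/24", strict=False)
        hosts_per_net[src][net].add(dst)
        ports_per_host[src][dst].add(dport)
    verdict = {}
    for src in hosts_per_net:
        horizontal = max(len(h) for h in hosts_per_net[src].values())
        vertical = max(len(p) for p in ports_per_host[src].values())
        scan = horizontal >= SCAN_HOSTS or vertical >= SCAN_PORTS
        verdict[src] = "scan" if scan else "noise"
    return verdict


def partition(lines):
    """Split raw lines into (wartime_repository, peacetime_set_aside).

    Lines from scan-like sources are kept; user noise and anything that is
    not a DROP record are set aside.
    """
    verdict = classify_sources(parse_drop_logs(lines))
    keep, aside = [], []
    for line in lines:
        m = DROP_RE.match(line.strip())
        (keep if m and verdict.get(m["src"]) == "scan" else aside).append(line)
    return keep, aside


# Constructed sample: a user retrying a share (5 lines), a horizontal SMB
# sweep of a /24 (16 lines), a vertical probe of one host (9 lines) and one
# non-DROP record that the parser must ignore.
SAMPLE_LOGS = (
    [f"2016-03-01T09:0{i}:00 DROP src=10.1.5.23 dst=10.1.9.10 dport=445" for i in range(5)]
    + [f"2016-03-01T09:10:{i:02d} DROP src=10.1.7.77 dst=10.1.9.{i} dport=445"
       for i in range(1, 17)]
    + [f"2016-03-01T09:11:{i:02d} DROP src=10.1.7.78 dst=10.1.9.10 dport={p}"
       for i, p in enumerate((21, 22, 23, 25, 80, 110, 135, 139, 443))]
    + ["2016-03-01T09:12:00 ACCEPT src=10.1.5.23 dst=10.1.9.10 dport=445"]
)

if __name__ == "__main__":
    kept, set_aside = partition(SAMPLE_LOGS)
    print(f"{len(kept)} scan-like lines kept for wartime, {len(set_aside)} set aside")
```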
    The framework we propose encompasses a whole series of minimal preventive technical
arrangements (ex-ante) as well as a series of practical actions, again minimal, delegated to the operators
(ex-post), but well defined and tested (Table II), in three main domains (Time, Space and Data).
Everything reported in the ex-post column must be simulated and approved in "peacetime", in order
to allow operators to act quickly and with freedom of action.
    For instance, the NIST “Computer Security Incident Handling Guide”, with specific reference to the
chapter named “Handling an Incident”, provides advice regarding logistics, organization and tools,
fundamental to the success of incident response programs. In particular, in line with the examples
treated so far, the section related to “Incident Analysis” considers the “Log Retention Policies” as
extremely helpful and suggests frequent log reviews for improving knowledge. However, this does not
give any practical measure for extracting knowledge about an attack, as better described in the following
example.
    The green series in Figure 3 describes how the infection trend described by the blue series can
change when some of the elements of Table II are applied. We imagine that the attack starts with a
phishing email received on a workstation of a branch office (blue series in Figure 3), whose purpose
is to install malware that tries to contact its command-and-control server on the Internet. We also
imagine that the LAN of the branch office is equipped with a probe (an ex-ante measure in the space
domain) and that there is a single Internet gateway, whose logs can reveal the Internet domains
contacted by the internal network (two ex-ante measures in the time domain).
    At some point, the security infrastructure/organization detects the presence of an infection.
Assuming that no escalation has occurred yet, by retrieving from the gateway logs the Internet domains
contacted by the infected machines, and by acting on the probes, we will be able to quickly identify
infections and successful malicious actions, and to isolate the affected workstations/LAN (green series
in Figure 3).
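The gateway-log step of this scenario, as an added example that is not part of the paper: starting from the one workstation already known to be infected, the script below retrieves the Internet domains it contacted, drops those that belong to a peacetime baseline of normal destinations, and then pivots on the remaining domains to list every other internal host that talked to them, ordered by first contact. The log format (timestamp, client IP, destination host, as a web proxy would write), the sample lines, the addresses 10.2.0.x, the domain names and the baseline set are all assumptions made here for illustration.

```python
import re
from datetime import datetime

# Constructed gateway (web proxy) log lines: timestamp, internal client IP,
# destination host name. Not taken from the paper; patient zero (10.2.0.15)
# and two later victims are modelled on the scenario of Figure 3.
SAMPLE_GATEWAY_LOGS = """\
2016-03-01T10:00:05 10.2.0.15 www.example.com
2016-03-01T10:00:07 10.2.0.15 mail.example.com
2016-03-01T10:02:40 10.2.0.15 stage.example.net
2016-03-01T10:02:41 10.2.0.15 c2-beacon.example.org
2016-03-01T10:03:10 10.2.0.22 www.example.com
2016-03-01T10:05:55 10.2.0.22 c2-beacon.example.org
2016-03-01T10:06:00 10.2.0.31 updates.example.com
2016-03-01T10:09:30 10.2.0.31 stage.example.net
2016-03-01T10:09:31 10.2.0.31 c2-beacon.example.org
2016-03-01T10:10:00 10.2.0.40 www.example.com
2016-03-01T10:12:00 10.2.0.40 updates.example.com
"""

# Peacetime baseline (assumption): domains the branch contacts in normal
# operation, collected and reviewed before any incident.
PEACETIME_BASELINE = {"www.example.com", "mail.example.com", "updates.example.com"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+(?P<host>\S+)$")


def parse_gateway_logs(text):
    """Parse the gateway log into (timestamp, source IP, domain) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["src"], m["host"].lower()))
    events.sort()
    return events


def suspicious_domains(events, infected_hosts, baseline):
    """Domains the known-infected hosts contacted that are not in the peacetime baseline."""
    return {host for _, src, host in events
            if src in infected_hosts and host not in baseline}


def pivot_hosts(events, domains):
    """Every internal host that contacted one of `domains`, ordered by first contact.

    Returns {src_ip: {"first_seen": datetime, "domains": set}}, i.e. both the
    containment list for the probes and a timeline of how the infection spread."""
    found = {}
    for ts, src, host in events:          # events are sorted, so the first hit is the earliest
        if host in domains:
            entry = found.setdefault(src, {"first_seen": ts, "domains": set()})
            entry["domains"].add(host)
    return dict(sorted(found.items(), key=lambda kv: kv[1]["first_seen"]))


def investigate(log_text, infected_hosts, baseline=PEACETIME_BASELINE):
    """Run both pivots end to end: (domains to block at the gateway, host timeline)."""
    events = parse_gateway_logs(log_text)
    domains = suspicious_domains(events, infected_hosts, baseline)
    return domains, pivot_hosts(events, domains)


if __name__ == "__main__":
    domains, timeline = investigate(SAMPLE_GATEWAY_LOGS, {"10.2.0.15"})
    print("block at the gateway:", sorted(domains))
    for src, info in timeline.items():
        print(f"{info['first_seen'].time()} {src} -> {sorted(info['domains'])}")
```

Two caveats a practitioner would add. The quality of the result depends on the baseline built in peacetime: a domain that is merely rare, rather than malicious, will also be flagged, so the domain set is a list of candidates to confirm before blocking. And the pivot only sees what passes through the single gateway; malware that beacons over a channel the gateway does not log (or a second uplink) is exactly the case the probe on the LAN is there to cover.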
    In the absence of the three above-mentioned measures (one in the space domain and two in the time
domain), the time needed to localize and isolate the infection will be longer, and the probability that
the attack scales up to higher-value targets will be higher. Of course, the adoption of one or more of
the measures provided by the framework in Table II must be preceded by a trade-off evaluation
between the cost of the measure and the cost resulting from its non-application.




5 Conclusions
    Our (minimal) proposals intend to shift attention to the incident response stage, preparing in
advance the rules, regulations, techniques, procedures, skills and tools, so as to avoid approaching the
issue only after an incident. The work done, or at least organized, beforehand lengthens the time the
attacker needs and reduces the response time, restoring balance on the field; it can also serve as a
"gym" for building awareness, developing know-how and raising the motivation of the people involved
in cyberdefence. The framework proposed in this document requires efforts and investments at various
levels that may appear superfluous in normal conditions (peacetime), but that become important when
set against the difficulty of recovering from a cyber incident managed with general-purpose plans,
with an inevitable exponential growth of time and costs.



References
    Baldoni R., Montanari L. (2016, February). A National Cyber Security Framework. Available via:
http://www.cybersecurityframework.it/en
    Brady Robert M., Anderson Ross J., Ball Robin C. (1999, September). Murphy's law, the fitness of
evolving species, and the limits of software reliability.
    Bottazzi G., Me G., (2016, June). Cybercrime-funded terrorism and the threats posed by future
technologies. NATO Advanced Research Workshop, Terrorists’ Use of the Internet: Assessment and
Response. Available via www.cyberterrorism-project.org
    Europol, Report (2015). The Internet Organised Crime Threat Assessment (IOCTA).
    Kaspersky (2016, January). Newly discovered BlackEnergy spear-phishing campaign targets
Ukrainian entities. Retrieved from
http://usa.kaspersky.com/about-us/press-center/press-releases/2016/newly-discovered-blackenergy-spear-phishing-campaign-targets-uk
    McAfee Report (2014, June). Net Losses: Estimating the Global Cost of Cybercrime.
    NIST (2012). Computer Security Incident Handling Guide. Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
    NIST (2014). Framework for Improving Critical Infrastructure Cybersecurity. Available via:
https://www.nist.gov/cyberframework
    Ruefle R., Dorofee A., Mundie D., Householder A. D., Murray M., Perl S. J. (2014, Sept./Oct.).
Computer Security Incident Response Team Development and Evolution. IEEE Security & Privacy,
vol. 12, no. 5, Sept.-Oct. 2014.
    Securlist blog (2016, March). Hospitals are under attack in 2016. Retrieved from
https://securelist.com/blog/research/74249/hospitals-are-under-attack-in-2016/
    Steinke J., Bolunmez B., Fletcher L., Wang V., Tomassetti A. J., Repchick K. M., Zaccaro S. J.,
Dalal R. S., Tetrick L. E. (2015, Jul./Aug.). Improving Cybersecurity Incident Response Team
Effectiveness Using Teams-Based Research. IEEE Security & Privacy, vol. 13, no. , pp. 20-29,
July-Aug. 2015.
    TENACE Project (2014, March). Critical Infrastructure Protection: Threats, Attacks and
Countermeasures. Available via: http://www.dis.uniroma1.it/~tenace/index.php?lang=eng&section=0
    The Hacker News (2016, January). 602 Gbps! This May Have Been the Largest DDoS Attack in
History. Retrieved from http://thehackernews.com/2016/01/biggest-ddos-attack.html
    The Jerusalem Post (2016, January). Israel's electrical grid attacked in massive cyber attack.
Retrieved from http://www.jpost.com/printarticle.aspx?id=442844
    Wendzel S., Zwanger V., Meier M., Szlosarczyk S. (2014, October). Envisioning Smart Building
Botnets. “Hack In The Box” Security Conference 2014.
