FINAL REPORT

(U) Audit of NRO Cyber Incident Detection and Response
Project Number 2014-001A
17 December 2014

This document cannot be released in whole or in part to persons or agencies outside the NRO, nor can it be republished in whole or in part within any document not bearing this statement, without the express written approval of the NRO Inspector General.

CL BY: [redacted b(3)]
DECL ON: 20391217
DRV FM: INCG 1.0, 13 February 2012

SECRET//TALENT KEYHOLE//NOFORN
Approved for Release: 2017/02/06 C05095359
Unless noted, redactions on this page fall under Exemption b(3).

17 December 2014

MEMORANDUM FOR: Director, National Reconnaissance Office
Principal Deputy Director, National Reconnaissance Office
Deputy Director, National Reconnaissance Office
Director, Communications Systems Directorate / Chief Information Officer
Director, Office of Security and Counterintelligence

SUBJECT: (U) Final Audit of the National Reconnaissance Office Cyber Incident Detection and Response, Project Number 2014-001A

(U) The National Reconnaissance Office (NRO) Office of Inspector General (OIG) report on the Audit of NRO Cyber Incident Detection and Response is attached. I am [...] for the Communications Systems Directorate's (COMM's) and Office of Security and Counterintelligence's (OS&CI's) information and implementation of the recommendations. In your proposed corrective action plans, address and resolve each recommendation. COMM and OS&CI are to report via the IER system on the status of actions taken and estimated completion dates.

(U) I appreciate the courtesies extended [...]. [...] you may [...] Administrator at [...].

Attachment: (U) Final Audit [...], Project Number 2014-002

DISTRIBUTION:
Hard copy:
Director, National Reconnaissance Office
[Principal Deputy] Director, National Reconnaissance Office
[Deputy] Director, National Reconnaissance Office
Director, Communications [Systems Directorate / Chief] Information Officer
Director, Office of [Security and Counterintelligence]
Assistant [Inspector General for] Audit
Folio
IG Chron
Soft copy:
IG Folio
NROnet

(U) Audit of NRO Cyber Incident Detection and Response
[Results in brief; b(1), b(3) redactions apply]

(U) Why the OIG Did This Audit

(S//NF) [redacted b(1), b(3)] Successful penetration or disruption of NRO classified networks [redacted] are high priority targets for our adversaries. [redacted b(1), b(3)] As an [...] for the NRO to improve cyber incident detection and response capabilities, the Fiscal Year 2014 Intelligence Authorization Act fenced [redacted] from the NRO's budget and directed the NRO to develop a strategy and [implementation plan] that addresses the [redacted]. [...] The OIG also found that the NRO [redacted b(1), b(3)].

(U//FOUO) The OIG conducted this audit to determine the NRO's effectiveness in preventing, detecting, and responding to cyber incidents. Specifically, the OIG assessed whether NRO has adequate controls in place to ensure cyber incidents on NRO networks and systems are detected and handled in accordance with applicable laws and regulations.

[redacted b(1), b(3)] NRO's effectiveness in [responding] to cyber incidents [redacted b(1)].

(U) The OIG recommends the NRO take [redacted b(1)]. A complete list of recommendations can be found in Appendix A.

(U) Management Comments

(U) The Director, Communications Systems Directorate (D/COMM) and Director, Office of Security and Counterintelligence (D/OS&CI) reviewed a draft of this report and concurred with the findings and recommendations presented. The D/COMM and D/OS&CI comments and plans meet the intent of the recommendations. As part of our follow-up process, we will track the status of the corrective action through full implementation. Complete copies of management comments can be found in Appendix F.

(U) TABLE OF CONTENTS

(U) INTRODUCTION ..... 1
(U) BACKGROUND ..... 1
(U) Elements of Computer Network Defense ..... 2
(U) NRO Cyber Incident Detection and Response ..... 3
(U) SCOPE AND METHODOLOGY ..... 4
(U) PRIOR COVERAGE ..... 5
(U) AUDIT RESULTS ..... 6
(U) Finding 1: The NRO [redacted b(1), b(3)] Networks ..... 6
(U) Network Mapping ..... 6
(U) Cyber Threat Assessments ..... 9
(U) Vulnerability Scanning ..... 10
(U) [redacted] ..... 10
(U) Mission Ground Stations ..... 11
(U) Network Security Assessments ..... 12
(U) Red Team ..... 12
(U) Blue Team ..... 12
(U) Network Monitoring Strategy ..... 13
(U) Finding 2: [redacted b(1), b(3)] ..... 15
(U) [redacted] ..... 17
(U) [redacted] to NRO Leadership ..... 17
(U) [redacted] ..... 19
(U) Finding 3: [redacted] NRO Cyber Incidents [redacted] ..... 21
(U) Other Matter ..... 23
(U) APPENDIX A: Summary of Recommendations ..... 25
(U) APPENDIX B: Policies Related to Computer Network Defense ..... 27
(U) APPENDIX C: NRO Networks Reported by CIO and COMM ..... 31
(U) APPENDIX D: NRO Cyber Incident Events and Categories ..... 33
(U) APPENDIX E: Cyber Incident Details ..... 35
(U) Network Security Assessment ..... 35
(U) Acquisition Center of Excellence ..... 36
(U) APPENDIX F: Management Comments ..... 39
(U) APPENDIX G: Major Contributors to this Report ..... 55
(U) OFFICE OF INSPECTOR GENERAL
(U) Audit of the National Reconnaissance Office Cyber Incident Detection and Response
Project Number 2014-001A

(U) INTRODUCTION

(S//NF) National Reconnaissance Office (NRO) [redacted b(1), b(3)]. Prior NRO network security assessments have shown the NRO's cyber incident detection and response capabilities [redacted b(1), b(3)]. The fiscal year (FY) 2014 Intelligence Authorization Act fenced [redacted] from the NRO's budget and directed the NRO to develop a strategy and implementation [plan] that addresses the [redacted b(1), b(3)] and the reporting of cyber incidents to the Intelligence Community Security Coordination Center (IC SCC).

(U//FOUO) The OIG conducted this audit to determine the NRO's effectiveness in preventing, detecting, and responding to cyber incidents. Federal guidance(1) defines a cyber incident as any attempted or successful access to, exfiltration of, manipulation of, or impairment to the integrity, confidentiality, security, or availability of data, an application, or an information system without lawful authority. The OIG also assessed whether the NRO has adequate controls in place to ensure cyber incidents on NRO networks and systems are detected and handled in accordance with applicable laws and regulations.

(U) BACKGROUND

(U) The Federal Information Security Management Act (FISMA) of 2002 sets forth a comprehensive framework for ensuring the effectiveness of security controls over information resources supporting federal operations and assets. With regard to cyber incident detection and response, FISMA requires each agency to implement an information security program that includes procedures for detecting, reporting, and responding to cyber incidents. Further, NSPD-54/HSPD-23 requires federal [agencies] to (1) increase efforts to coordinate and enhance the security of classified and unclassified networks, (2) increase the protection of the data on these networks, and (3) improve their capability to deter, detect, prevent, protect against, and respond to threats against information systems and data. Appendix B provides a listing of policies and procedures applicable to NRO cyber incident detection and response functions.

(1) (U) National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23.

(U) Elements of Computer Network Defense

(U) Computer Network Defense (CND) operations include actions taken to (1) prepare and protect, (2) monitor, detect, and analyze, and (3) respond to unauthorized activity within information systems and networks. Figure 1 below shows the CND elements.

(U) [Detecting] cyber incidents is a continuous process of identifying any unusual network or system activity that has the potential to adversely affect systems, networks, or operational missions. Monitoring and detection also provides situational awareness, attack sensing, and indications and warnings. [The] primary objectives for detecting cyber incidents are to ensure that any suspicious activity is identified and reported in a timely manner consistent with required reporting timelines, to facilitate further [...], and to ensure effective coordination with other organizations.

(U) Once a cyber incident is detected, the ability to proactively [respond] to the unauthorized activity and events that might negatively impact the mission includes steps to prevent further damage, restore the integrity of affected systems, and implement follow-up [actions] to prevent the incident from happening again.

(U) Figure 1: Computer Network Defense Elements [figure not reproduced]. Figure is UNCLASSIFIED//FOUO.

(U) NRO Cyber Incident Detection and Response

(U) The NRO Chief Information Officer (CIO)(2) establishes the cyber incident detection and response policy. The CIO is also responsible for providing oversight of cyber incident handling and reporting to external entities. However, the CIO does not have a role in the execution of [these] activities. Execution of th[ese ...] [redacted]. The Communications Systems Directorate (COMM) is responsible for all NRO information technology (IT) infrastructure and commoditized services, to include incident detection and response, compute, storage, networks, and enabling commercial software.

(U) The [redacted] was established in April 2014 to serve as the single NRO office responsible for providing unified, comprehensive cyber defense [...] for the NRO Information Enterprise (NIE)(3). Prior to the establishment of the [redacted], the [redacted] was responsible for the overall [...] incident detection and response [...]. All [...] resources for cyber defense [...] transitioned to the [redacted] with the implementation of the [redacted]. Currently, the [redacted] is chartered with 24 hours, 7 days a week monitoring of the NIE. As such, they are responsible for protecting, detecting, reporting, and responding to suspicious and unauthorized activity on or against the [redacted]. The [redacted] is also chartered to conduct scans of NRO networks, perform external security incident reporting with guidance from the [redacted], and maintain the NRO [redacted]. Although the results of audit testing [...] the organization responsible for performing [...] at its standup, the [redacted] inherited these cyber incident detection and response responsibilities. As a result, the [redacted] is responsible for performing cyber incident detection and response in the future.

(U) The Office of Security and Counterintelligence (OS&CI) also supports the NRO's cyber incident [detection] and response efforts. [redacted]

(2) (U) Effective 15 September 2014, the Chief Information Office and Communications Systems Directorate (COMM) merged. With this merger, the Director, COMM assumed the Chief Information Officer designation.
(3) (U) The NIE is defined as the collection of all NRO-owned information and IT required to perform the NRO mission.

(U) SCOPE AND METHODOLOGY

(U) The OIG conducted this performance audit from January 2014 to September 2014 in accordance with generally accepted government auditing standards. Those standards require that the OIG plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for the findings and conclusions. The OIG assessed the internal controls deemed significant within the context of the audit objectives. The OIG believes that the evidence obtained provides a reasonable basis for the findings and conclusions based on the audit objective. The OIG reviewed relevant laws and regulations as well as Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), and NRO guidance, policies, and procedures. The OIG interviewed NRO personnel from CIO, COMM, OS&CI, and mission ground stations to understand their role in the NRO incident detection and response process. The OIG also met with personnel from the IC SCC and U.S. Cyber Command (USCYBERCOM) to understand their requirements and expectations for NRO cyber incident [reporting]. Additionally, the OIG met with personnel responsible for incident detection and response [redacted] to obtain an understanding of their operations and [...] best practices. [Since the redacted] inherited cyber incident detection and response responsibilities in April 2014, the OIG met with [redacted] personnel to discuss preliminary findings and recommendations and their plans to improve the CND security landscape.

(U) To determine whether the NRO had adequate controls in place to prevent and detect cyber incidents, the OIG interviewed officials from the CIO and COMM to determine the NRO's processes and procedures for [redacted]. The OIG compared the lists of networks provided by COMM and CIO to determine how consistently this information is tracked between the Directorates and Offices (Ds and Os). Further, the OIG obtained a list of [redacted] to determine whether monitoring capabilities [are] in place [to] maintain visibility into all NRO networks. The OIG also reviewed the [redacted] to determine whether the NRO maintains adequate controls to prevent and detect cyber incidents. [redacted] Further, the OIG interviewed representatives from the CIO and individual Ds and Os to obtain an understanding of the NRO's [redacted].

(U) To determine the effectiveness of the NRO's response to cyber incidents, the OIG obtained a list of all cyber incident cases created by [redacted] during calendar year (CY) 2013. From this list, the OIG [selected] a judgmental sample to determine the extent to which the NRO is reporting cyber incidents to IC SCC and USCYBERCOM. Although the findings of a judgmental sample cannot be projected, we believe that our sample provides a sufficient basis [for] our audit findings and conclusions. The OIG also assessed the completeness and validity of the incident case data. Any information system data used by the auditors or included in this report for informational purposes was not audited.

(U) PRIOR COVERAGE

(U//FOUO) In the NRO FY 2014 FISMA Evaluation Report, dated 5 September 2014, the OIG noted that the NRO [redacted] and reporting process. This issue has been reported since the FY 2009 [...]. (S) In the Audit of the Enterprise Management of Cyber Incidents, dated 15 June 2012, the OIG found that the NRO [redacted b(1), b(3)].

(U) AUDIT RESULTS

The NRO cyber incident detection and response capability [redacted b(1), b(3)].

(U) Finding 1: The NRO [redacted b(1), b(3)]

(U) Network Mapping

(U//FOUO) [redacted b(1), b(3)](5)

(5) (U) Transport networks provide reliable communication sessions between computers.

[redacted b(1), b(3)]

In December 2013, the OIG issued the Audit of Information Technology (CIO) Management of NRO [redacted b(1), b(3)]. [redacted b(1), b(3)] In this audit, the OIG
found it necessary to request a list of NRO networks from the CIO, COMM, and [...] to determine the extent of the NRO's awareness of its universe of networks. [redacted b(1), b(3)]

(U) Corporate Business Process Instruction (CBPI) 50-2E, Enterprise Defense Cyber Incident Response, provides the NRO a uniform definition of network. It defines a network as a collection of interconnected components based on a coherent security architecture and design. This may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices. [redacted b(1), b(3)]

[...] The networks reported by the CIO and COMM provide [redacted b(1), b(3)].

(U) Figure 2: Common Networks Reported by COMM and CIO [figure not reproduced]. Figure is SECRET//TALENT KEYHOLE//NOFORN.

[redacted] October 2005. Subsequently, [redacted b(1), b(3)].

(U) Recommendation #1 for the Director, COMM: [redacted b(1), b(3)]

(U) Management Response: [...] The Director, COMM [concurred with this] recommendation. [...] A complete copy of the management comments is included in Appendix F.

(U) Cyber Threat Assessments

(S//NF) [redacted b(1), b(3)] Cyber threat assessments are intended to provide a basis for improved risk management and strategic information assurance planning that consider both threats and vulnerabilities. [redacted]

(U) Although it is the owner of Information Technology, Information Assurance, [and] Information Management, the CIO [redacted]. IC Standard (ICS) 502-01, IC Computer Incident Response and Computer Network Defense, requires IC elements to conduct annual cyber threat assessments to identify and evaluate cyber threats to enterprise information systems, networks, and shared IC resources. Further, ICD 502 Concept of Operations (CONOPS) [redacted b(1), b(3)].

In addition to CIO cyber threat assessment efforts, [redacted] personnel stated that [redacted b(1), b(3)].

(U) Recommendation #2 for the Director, COMM: [redacted b(1), b(3)]

(U) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Vulnerability Scanning

[redacted] CBPI 50-2E, Enterprise Defense Cyber Incident Response, [redacted b(1), b(3)]

(U) [redacted b(1), b(3)]

[redacted b(1), b(3); items 1 through 6 redacted] [...] mission system owners [redacted] the mission [...]. In addition, [redacted].

(U) Mission Ground Stations

[redacted b(1), b(3)]

(U//FOUO) The OIG discussed vulnerability scanning with [redacted] personnel, and they [redacted].

(U) Recommendation #3 for the Director, COMM: [redacted]

(U) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Network Security Assessments

[redacted b(1), b(3)]

(U) In January 2014, the CIO established a framework [redacted].

(U) Red Team: The NRO Red Team [redacted b(1), b(3)].

(U) Blue Team: The NRO Blue Team [redacted b(1), b(3)] the Red Team [redacted b(1), b(3)] engineering efforts.

(U) Recommendation #4 for the Director, COMM: [redacted]

(U) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Recommendation #5 for the Director, OS&CI: [redacted]

(U) Management Response: The Director, OS&CI concurred with this recommendation. OS&CI is currently [redacted] effort. A complete copy of the management comments is included in Appendix F.

(U) Network Monitoring Strategy

(U) The NRO [redacted b(1), b(3)]

[redacted b(1), b(3), b(5)]

(U//FOUO) While the [redacted] [...], the NRO must ensure that institutional knowledge is [...] stakeholders, [i.e.,] COMM and CIO leadership. [An] official stated that [redacted b(3), b(5)].

(U) Recommendation #6 for the Director, COMM: [redacted]

(U) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

[Pages 15 through 17 redacted b(1), b(3)]

(U) Figure 5: [redacted] Assessment Results Briefing Dates [figure not reproduced]. Figure is UNCLASSIFIED//FOUO.

(U//FOUO) ICS 502-01 requires IC elements to report vulnerability assessment information, status, and results to the agency's leadership. ICS 502-01 also requires IC elements to develop and maintain internal processes for elevating reports on information system weaknesses, deficiencies, and/or vulnerabilities associated with reported incidents to the IC [element's] leadership and stakeholders. Further, the ICD 502 CONOPS
[redacted b(1), b(3)].

(U) From 2008 to 2009, [redacted b(1), b(3)]

[Remainder of page 18 and following page redacted b(1), b(3)]

(U) Acquisition Center of Excellence, Acquisition Resource Center Unclassified Webserver

(U) The Acquisition Center of Excellence, Acquisition Resource Center (ARC) unclassified webserver [redacted b(1), b(3)].

(U) While NRO Directive 52-15, Risk and Vulnerability Assessments, Reviews, and Updates, [...] basic responsibilities [redacted b(1), b(3)].

(U) Recommendation #[number illegible] for the Director, COMM: [redacted]

(U) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

[Footnote, largely illegible:] (U) [...] vulnerabilities [...] the CIO [...] Policy Note 2014-03 [...].

(U) Finding 3: [redacted] NRO Cyber Incidents [redacted]

(U//FOUO) The IC SCC(19) requires initial cyber incident reports be provided [redacted] of the incident occurrence. USCYBERCOM(20) requires initial cyber incident reports be provided within a range of [redacted] depending on the incident category. The OIG reviewed all cyber incident reports the NRO reported to the IC SCC and USCYBERCOM from January 2013 through February 2014. [redacted]

(U) According to the ODNI Intelligence Community Incident Reporting Procedures, IC agencies should report category 1-8 cyber incidents and [redacted](21) [...] to the IC SCC.

(19) (U) The IC SCC is the IC CIO's executive [...] to monitor and oversee the defense of the IC information environment. The NRO is [...] to report cyber incident information associated with its TOP SECRET [...] and networks to IC SCC.
(20) (U) USCYBERCOM plans, coordinates, and conducts activities to direct the [...] and defense of DoD information networks. The NRO is [...] to [report] incident information associated with its [...] and networks at the SECRET and below classification levels to USCYBERCOM.
(21) (U//FOUO) The IC SCC also [requires] reporting for any network that is funded through the National Intelligence Program [...]. [redacted]

(U//FOUO) [redacted b(1), b(3)]

(U//FOUO) [redacted b(1), b(3)] [...] establishes incident-related responsibilities for the CIO, to include (1) providing oversight for the overall cyber-related incident handling and reporting process and (2) providing guidance regarding inconsistent external reporting of cyber-related incidents. Such CIO oversight would [...] and untimely information in the reports provided to IC SCC and USCYBERCOM.

(U//FOUO) [...] and subsequent sharing of cyber incidents among the IC elements directly supports the building of trust and cooperation across the IC elements. [redacted]

[Footnote:] (U) Appendix D provides a description of each cyber incident category.

(U) Recommendation #10 for the Director, COMM: [redacted]

(U//FOUO) Management Response: The Director, COMM concurred with this recommendation. A complete copy of the management comments is included in Appendix F.

(U) Other Matter

(S) The OIG noted inconsistencies with the external cyber incident reports the NRO submitted to IC SCC and USCYBERCOM. Specifically, the OIG reviewed [redacted] reports provided to the IC SCC from January 2013 through February 2014 and found that [redacted b(1), b(3)] reports included [...] that refers to separate [...] incidents [...].

(U//FOUO) The OIG also met with USCYBERCOM representatives to determine whether they had any concerns with the cyber incident reports provided by the NRO. They acknowledged that they are satisfied with the reporting of cyber incidents provided by the NRO. [However,] the OIG's [review] of cyber incident reports the NRO provided to USCYBERCOM [between] January 2013 and February 2014 showed that [redacted] omitted vital details about the cyber incidents. With that said, opportunities exist for improvement with regard to USCYBERCOM reporting.

(U//FOUO) The Chairman of the Joint Chiefs of Staff Manual 6510.01, Information Assurance and Computer Network Defense, Volume I, Incident Handling Program, requires that cyber incident reports to USCYBERCOM contain specific technical details. However, most of the NRO cyber incidents reported to USCYBERCOM contained only a very brief description of the cyber incident and omitted significant details that were available and should have been included. Figure 7 shows one cyber incident description in a report sent to USCYBERCOM compared to the description of the same cyber incident in an internal NRO report.

(U) Figure 7: Comparison Between USCYBERCOM and Internal Report [figure not reproduced]. Figure is UNCLASSIFIED.

(U) While IC SCC and USCYBERCOM did not express concern over the information contained in the NRO cyber incident reports, this is an opportunity for the NRO to take action to increase information sharing to contribute to an IC-wide operation. [redacted]

(U) APPENDIX A: Summary of Recommendations

(U//FOUO) Effective 15 September 2014, the Chief Information Office and Communications Systems Directorate (COMM) merged. With this merger, the Director, COMM assumed the Chief Information Officer designation. Therefore, the recommendations that were to be addressed to the CIO prior to the [merger] are addressed to the Director, COMM.

(U) Recommendation #1 for the Director, COMM: [redacted]
(U) Recommendation #2 for the Director, COMM: (U//FOUO) [redacted]
(U) Recommendation #3 for the Director, COMM: (U//FOUO) [redacted] and ICD 502 [redacted]
(U) Recommendation #4 for the Director, COMM: (U//FOUO) [redacted]
(U) Recommendation #5 for the Director, OS&CI: (U//FOUO) [redacted]
(U) Recommendation #6 for the Director, COMM: (U//FOUO) [redacted]
(U) Recommendation #7 for the Director, COMM: [redacted]
(U) Recommendation #8 for the Director, COMM: [redacted]
(U) Recommendation #9 for the Director, COMM: (U//FOUO) [redacted b(3)]
(U) Recommendation #10 for the Director, COMM: (U//FOUO) [redacted]

(U) APPENDIX B: Policies Related to Computer Network Defense

Federal Laws

o Federal Information Security Management Act of 2002 requires each agency to develop and implement an agency-wide information security program that includes procedures for detecting, reporting, and responding to security incidents.
o National Security Presidential Directive-54/Homeland Security Presidential Directive-23, Cybersecurity Policy, requires agencies to increase efforts to coordinate and enhance the security of their classified and unclassified networks, increase protection of the data on these networks, and improve their capability to deter, detect, prevent, protect against, and respond to threats against information systems and data.

Director of National Intelligence (DNI)

o Intelligence Community Directive (ICD) 502, Integrated Defense of the IC Information Environment, identifies the organizations [involved] in computer network defense (CND) of the IC Information Environment and specifies their roles and responsibilities.
o Intelligence Community Standard (ICS) 502-01, Computer Incident Response and Computer Network Defense, defines the baseline computer incident response responsibilities, capabilities, and
supporting CND services in the intelligence community.
o Intelligence Community Incident Reporting Procedures provides reporting procedures for cyber security incidents, events, and data spillages in support of ICD 502.
o Intelligence Community Information Assurance Architecture describes information assurance (IA) capabilities necessary to provide agencies with the ability to counter increasingly sophisticated cyber threats.
o Detailed Plan to Increase the Security of Classified Networks details enterprise cybersecurity capabilities that include processes and services that enhance the security and situational awareness of classified networks.

Department of Defense (DoD)

o DoD Directive 8500.1, Information Assurance, requires a defense-in-depth approach to IA and to make appropriate use of IA infrastructures, including incident response.
o DoD Directive 8530.1, Computer Network Defense, requires all DoD information systems and computer networks to [be] monitored in order to detect, isolate, and react to intrusions, disruption of services, or other incidents that threaten the security or function of DoD operations, DoD information systems, or computer networks.
o DoD Instruction 8500.2, Information Assurance Implementation, requires Heads of DoD Components to provide for vulnerability mitigation and an incident response and reporting capability.
o Chairman of the Joint Chiefs of Staff Manual 6510.01 describes the DoD Incident Handling Program, the major processes that take place within the incident handling program, and the interactions with related U.S. Government computer network defense activities.

National Reconnaissance Office (NRO)

o Corporate Business Process (CBP) 50, Information Technology, Information Assurance, and Information Management, directs the NRO to establish an Information Assurance Program including cyber incident detection and response capabilities.
o Corporate Business Process Instruction (CBPI) 50-2E, Enterprise Defense Cyber Incident Response, implements the cyber incident prevention and detection requirements outlined in CBP 50. These requirements include procedures to assess the damage and minimize the impact of cyber incidents, provide data to identify system vulnerabilities, and improve enterprise defenses and countermeasures.
o NRO Directive (ND) 52-15, Risk and Vulnerability Assessments, Reviews, and Updates, directs the NRO to ensure the availability, integrity, authentication, confidentiality, and non-repudiation of information and information systems. This includes the [redacted] roles and responsibilities, to include coordinating the assessment, prioritization, and remediation of vulnerabilities. [redacted]
o [redacted] Concept of Operations, NRO [redacted], outlines the process for the NRO to coordinate and leverage resources within the existing directorates and offices to establish the framework for an NRO Information Enterprise critical incident response and reporting capability.

National Institute of Standards and Technology (NIST)

o NIST Special Publication 800-61, Computer Security Incident Handling Guide, seeks to assist organizations in mitigating the risks from computer security incidents by providing practical guidelines on responding to incidents effectively and efficiently. It includes guidance on establishing an effective incident response program, but the primary focus of the document is detecting, analyzing, prioritizing, and handling incidents.
o NIST Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems, assists organizations in understanding intrusion detection system and intrusion prevention system technologies and in designing, implementing, configuring, securing, monitoring, and maintaining intrusion detection and prevention systems.

Table is UNCLASSIFIED//FOUO.

(U) APPENDIX C: NRO Networks Reported by CIO and COMM
[Page 31 redacted b(1), b(3)]

(U) APPENDIX D: NRO Cyber Incident Events and Categories

Category 1, Root Level Intrusion: Unauthorized privileged access (administrative or root access) to a system.
Category 2, User Level Intrusion: Unauthorized non-privileged access (user-level permission) to a system. Automated tools, targeted exploits, or self-propagating malicious logic may also attain [this level of access].
Category 3, Unsuccessful Activity Attempt: Attempt to gain unauthorized access to a system which is defeated by normal defensive mechanisms. Attempt fails to [gain] access to system (i.e., attacker [tries] valid or potentially valid username and password combinations) and the activity cannot be characterized as exploratory scanning. Can include reporting of quarantined malicious code.
Category 4, Denial of Service: Activity that impedes or halts normal functionality of a system or network.
Category 5, Non-Compliance Activity: This category is used for activity that, due to actions either via configuration or usage, makes systems potentially vulnerable (e.g., missing security patches, connections across security domains, installation of vulnerable applications, etc.). In all cases, this category is not used if an actual compromise has occurred. Information that fits this category is the result of non-compliance or configuration changes or improper [usage] by authorized users.
Category 6, Reconnaissance: An activity (scan/probe) that seeks to identify a computer, an open port, an active service, or any combination thereof for later exploit. [This] activity does not
directly in a compromise Malicious Logic installation of malicious software e g Trojan backdoor worm etc Investigating Activities that are potentially malicious or anomalous activity deemed suspicious and warrant or are undergoing further review No incident will be closed out as a category 8 9 Explained Anomaly Activities that are initially suspected as being malicious in nature but after investigation are determined not to fit the criteria for any of the categories malfunction false positive bad information etc Misuse Porn Activities that are in breach of best security practices NRO Acceptable Use Policy and or contain blatant pornographic activity Table is UNCLASSIFIED 33 SECRETIITAL HOLEIINOFORN Approved for Release 2017 02 06_ C05095359 --- Approved for Release 2017102 06 C0509535 T SE LJ Ui II ALl' l'1i J1VK1 1 PAGE INTENTIONALLY LEFT BLANK 34 YHOLEIINOFORN Approved for Release 2017 02 06 C05095359 Unless noted b 3 U APPENDIX E Cyber Incident Details U Network Security Assessment INFf b 1 b 3 I b 1 b 3 Approved for Release 2017 02 06 CO 095359 Approved for Release 2017 02 06 C05095359 Approved for Release 2017 02 06 C05095359 b 1 b 3 Approved for Release 2017 02 06 C05095359 Approved for Release 2017 02 06 C05095359 b 1 b 3 --- Approved for Release 2017102 06 SE LJ Ui I IALl' l'li I C0509535 T 'liUJ1UK1 1 PAGE INTENTIONALLY LEFT BLANK 38 SECRETIII ALEl tT KFYHOLEIINOFORN Approved for Release 2017 02 06 C05095359 Unless noted --- - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f P HJQWKl b 3 U APPENDIX F Management Comments Approved for Release 2017 02 06 C05Q 95359 Unless noted Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f r rd U 'kft6WHJOWKl b 3 40 SECRETIITALEN i ItEYIIOLEIINOFORN Approved for Release 2017 02 06 C05095359 Unless noted b 3 ---- - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f P HJQWKl 41 SI CItI 'f'lt'f'ALI N'f' KEYtlOLEffNOFORN Approved for Release 2017 02 06 C05095359 Unless noted - ' 
Approved for Releas 2017102 06 C0509535 redactions-' J Ht dl f L1 hUUJ HJQWKl b 3 b 1 b 3 NROI ------------------------ b 1 b 3 NR9 -------------------------- b 1 b 3 42 SECkE 1111 ALEN I D I ItOLIUtN'OFOft N Approved for Release 2017 02 06 C05095359 Approved for Release 2017 02 06 C05095359 Approved for Release 2017 02 06 C05095359 b 1 b 3 Unless noted -- - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f HJQWKl b 3 8 II II1 0 IJ 0 1 I--------- -------- u1I l 10 UII I Approved for Release 2017 02 06 C05095359 - ' Approved for Release 2017102 06 C0509535 Unless noted redactions-' J Ht dl f JQWKl b 3 45 SECRETIlT ALEN Yr 'ft'i'Iil u D Approved for Release 2017 02 06 C05095359 - ' Approved for Releas 2017102 06 C0509535 Unless noted redactions-' J Ht s'1 f B f 'B1U J -'tfsfhlE HJOWKl b 3 O Recommendation 2 I Recommendation 3 I rTTr- T SECRETllTALErli EIINOFORN Approved for Release 2017 02 06 C05095359 b 3 Unless noted Approved for Release 2017 02 06 C05095359 redactions on this page fall under Exemption b 3 Approved for Release 2017 02 06 C05095359 Unless noted - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f rt i ' 6UUJ HJQWKl b 3 Approved for Release 2017 02 06 C05095359 Unless noted b 3 ------ - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f P __ HOLEIINOFORN Approved for Release 2017 02 06 C05095359 Unless noted b 3 Ul Recommendation 7 I I I SI Gl'Il f 'FIt I PdSFSRFd 50 SECRETIITALEN I IEEYHQLEIINOFORN Approved for Release 2017 02 06 C05095359 b 3 Unless noted Approved for Release 2017 02 06 C05095359 redactions on this page fall under Exemption b 3 Approved for Release 2017 02 06 C05095359 b 3 Unless noted Approved for Release 2017 02 06 C05095359 redactions on this page fall under Exemption b 3 Approved for Release 2017 02 06 C05095359 Unless noted - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f HJQWKl b 3 U O Recommendation 10 I 'I' nTTT SECRETIITALJ l OLEIINOFORN Approved for Release 
2017 02 06 C05095359 --- C0509535 T VK1 1 Approved for Release 2017102 06 SE LJ Ui I IALl' l'liI OS CI lS currently I I b 3 Approved for Release 2017 02 06 C05095359 Unless noted ------ - ' Approved for Release 2017102 06 C0509535 redactions-' J Ht dl f WKl b 3 U APPENDIX G Major Contributors to this Report Assistant Inspector General for Audits Deputy Assistant Inspector General for Infonnation Technology Audits Auditor-in-Charge Auditor-in-Charge Auditor Quality Assurance Reviewer Quality Assurance Reviewer Writing Facilitator Approved for Release 2017 02 06 C05095359 National Security Archive Suite 701 Gelman Library The George Washington University 2130 H Street NW Washington D C 20037 Phone 202 994‐7000 Fax 202 994‐7005 nsarchiv@gwu edu