
Part of Objective C - Detecting cyber security events

Principle C2: Proactive security event discovery


The organisation detects, within networks and information systems, malicious activity affecting, or with the potential to affect, the operation of essential functions even when the activity evades standard signature based security prevent/detect solutions (or when standard solutions are not deployable).


C2.a System abnormalities for attack detection

Description

You define examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity that is otherwise hard to identify.

The expectation for this contributing outcome is Not achieved.

Indicators of good practice (IGP) achievement levels

Expand the achievement levels to find out the requirements needed to meet each level.

Not achieved

At least one of the following is true:

NA#1. Normal system behaviour is insufficiently understood to be able to use system abnormalities to detect malicious activity.

NA#2. You have no established understanding of what abnormalities to look for that might signify malicious activities.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. Normal system behaviour is fully understood to such an extent that searching for system abnormalities is a potentially effective way of detecting malicious activity (for example, you fully understand which systems should and should not communicate and when).

A#2. System abnormality descriptions from past attacks and threat intelligence, on yours and other networks, are used to signify malicious activity.

A#3. The system abnormalities you search for consider the nature of attacks likely to impact on the networks and information systems supporting the operation of your essential function(s).

A#4. The system abnormality descriptions you use are updated to reflect changes in your networks and information systems and current threat intelligence.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Understanding of normal system behaviour – Obtain and inspect the organisation's documentation establishing baselines for normal system behaviour. Verify that it is comprehensive, and interrogate how the organisation would use it to search for system abnormalities. (A#1)

2. Threat intelligence – Obtain and inspect documentation showing the organisation collects system abnormality descriptions from threat intelligence and past attacks. Verify that it uses them to identify and investigate malicious activity. (A#2)

3. Searching according to risk – Obtain and inspect evidence that the organisation has rationalised which attacks are likely to impact its essential functions. Verify that it searches for indicators of these attacks when performing searches for system abnormalities. (A#3)

4. Updating system abnormality descriptions – Assess whether the organisation has a process for updating system abnormality descriptions to reflect changes in the organisation's networks and information systems and current threat intelligence. Obtain samples of updates and verify that the process is followed. (A#4)

Suggested documentation list

Suggested documentation includes:

  • system behaviour baselines
  • system abnormality descriptions from threat intelligence and past incidents
  • evidence of risk assessments being used for system abnormality searches
  • review process for system abnormality descriptions

C2.b Proactive security event discovery

Description

You use an informed understanding of more sophisticated attack methods and of normal system behaviour to monitor proactively for malicious activity.

The expectation for this contributing outcome is Not achieved.

Indicators of good practice (IGP) achievement levels

Expand the achievement levels to find out the requirements needed to meet each level.

Not achieved

At least one of the following is true:

NA#1. You do not routinely search for system abnormalities indicative of malicious activity.

Partially achieved

Partial achievement is not possible for this contributing outcome.

Achieved

All the following statements are true:

A#1. You routinely search for system abnormalities indicative of malicious activity on the networks and information systems supporting the operation of your essential function(s), generating alerts based on the results of such searches.

A#2. You have justified confidence in the effectiveness of your searches for system abnormalities indicative of malicious activity.

As documented in the introduction to this framework, independent assessors are expected to use their professional judgement when assessing organisations against the Cyber Assessment Framework (CAF).

The approach and documentation list described below provide guidance on how to conduct testing and should be adapted as appropriate in order to assess whether the NHS provider's outcomes are effectively achieved.

Suggested approach to testing

1. Proactive security event discovery management – Obtain and inspect evidence to assess whether:

  1. System abnormalities are routinely searched for to indicate any malicious activity on the networks and information systems. (A#1)
  2. Alerts are generated based on system abnormalities detected. (A#1)
  3. The organisation has carried out testing to gain confidence that its searches are effective in detecting system abnormalities indicative of suspicious activity. (A#2)

Suggested documentation list

Suggested documentation includes:

  • evidence of system abnormality searches being routinely performed
  • configuration of alerts for system abnormality detection
  • assurance activities relating to system abnormality searches

Last edited: 2 January 2025 12:28 pm