# NCCIC Fiscal Year 2017 Year in Review

## TABLE OF CONTENTS

- A Letter to Our Partners (1)
- A Conversation with NCCIC Director John Felker (3)
- Our Purpose: Driving Toward A More Secure Cyber and Communications Ecosystem (5)
- Leading A Global Fight, Coordinating A Unified National Effort (11)
- What We Do (17)
- Evolving to Serve Customers Better: FY 2018 and Beyond (31)
- Conclusion (35)
- Appendix A: NCCIC Services (37)

## A LETTER TO OUR PARTNERS

Fiscal Year 2017 was both eventful and exciting for the National Cybersecurity and Communications Integration Center (NCCIC). Throughout the year, we were reminded all too frequently that threats to the Nation’s information and communications systems remain persistent and extremely dangerous. Yet there is also room for excitement and optimism because, while much work remains, NCCIC and our partners made real progress toward creating a more sustainable, secure, and resilient cyber and communications environment.

This Fiscal Year 2017 NCCIC Year in Review highlights NCCIC’s important role in protecting the Nation’s critical information and communications systems.

Misuse of, threats to, and malicious attacks on these systems pose some of the most serious and enduring strategic risks to the United States. The increasing frequency and scale of malicious cyber activity threatens us all. As more devices connect to the Internet, the threat landscape broadens and compounds the challenge for security practitioners.

NCCIC spearheads the Department of Homeland Security’s operational efforts to reduce systemic risk to our information technology and operational technology (IT and OT), while combatting persistent threats from sophisticated adversaries seeking to compromise our national security. Whether working with partners to tackle large-scale, global cyber attacks such as WannaCry and NotPetya, or coordinating the restoration of vital telecommunications in the wake of Hurricanes Harvey, Irma, and Maria, NCCIC is there to help the Nation prepare for, prevent, protect, and if necessary respond to incidents.

No one agency or organization can secure our homeland alone, however. Cyber and communications security is a shared responsibility. All of us, from the biggest government agencies and multinational corporations, to individual citizens play a part in keeping the Internet safe. Together, we can improve our collective defense through collaborative, tangible actions that make the cyber ecosystem safer. NCCIC’s goal is a cyber environment where a given tactic, such as a malicious email, can only be used once before all other potential victims block it.

In FY17, NCCIC streamlined its product portfolio, further integrated core functions and capabilities, and improved services to customers in a number of important ways. We continue to explore ways to enrich cyber threat indicator data and leverage analytics and automation to improve the information we deliver to customers. We are also helping customers improve readiness and technical expertise by enhancing our training and exercise capabilities. These and other enhancements—together with the growing strength and breadth of our global partnerships—will help to ensure that the NCCIC continues to arm our customers with the critical information products, services, and capabilities they require.

I want to thank our partners and the dedicated and skilled NCCIC team for their tireless work and contributions to the Nation’s security.

Sincerely,

Jeanette Manfra
_Assistant Secretary for Cybersecurity and Communications_

## A CONVERSATION WITH NCCIC DIRECTOR JOHN FELKER

DHS established NCCIC in 2009. The National Cybersecurity Protection Act of 2014 (NCPA) established NCCIC in law.
Together, NCPA and the Cybersecurity Act of 2015 collectively tasked NCCIC with a number of core cybersecurity functions, including serving as a federal-civilian interface for sharing cyber threat indicators, coordinating information exchange across the Federal Government, and providing information and recommendations on security and resilience measures to federal and non-federal entities.

###### Q: What does NCCIC do?

NCCIC helps people and organizations defend their cyber [...]. We enhance the security of the cyber and communications ecosystem through threat information sharing across the globe. If reliable information flows quickly and to enough people, we can halt cyber incidents before they spread widely and cause significant harm. On our 24/7 watch floor, we continuously monitor national and international incidents and events that may affect cyber and communications infrastructure. By fusing information from all levels of government, the private sector, international partners, and the public, we help people and organizations take action to protect against cybersecurity risks. This coordination also improves government-wide incident and emergency response capabilities and strengthens resilience.

###### Q: How does NCCIC protect the public and private sectors from cybersecurity and communications threats?

NCCIC’s priority is delivering products and services to protect the networks and systems that underpin our Nation’s critical infrastructure (CI). CI includes essential government services, financial institutions, energy providers, transportation systems, water treatment systems, public health, chemical and nuclear plants, and emergency services (table 1 shows the 16 identified CI sectors). At the same time, we make many of NCCIC’s products and services available at no cost to all Americans to use to protect themselves from cyber threats.

Integration is one of our core functions. Many of our partners—including members of the intelligence community, law enforcement, and major Internet service providers—are co-located on our watch floor, which facilitates coordination and collaboration. We exchange information with these partners, analyze data, and provide results in publicly available alerts, technical advisories, and reports. We also help stakeholders improve cyber hygiene, assess cybersecurity posture, test network defenses, and enhance preparedness and expertise through exercises and training. Additionally, when major incidents occur, the NCCIC team provides both remote and on-site incident response support to federal departments and agencies; state, local, tribal, and territorial (SLTT) governments; and the private sector.

###### Q: What did NCCIC accomplish in Fiscal Year 2017?

As you will read throughout this report, NCCIC continued to operate at a high tempo in Fiscal Year 2017 (FY17). We responded to diverse incidents, conducted exercises to support operational readiness, and provided guidance on advanced persistent threat (APT) campaigns, including GRIZZLY STEPPE, Dragonfly, and HIDDEN COBRA.[2] In FY17, NCCIC also responded to malware implants on critical systems, including IT service providers, where an attacker could exploit credential compromises to gain access to customer network environments. Working with our partners, we used our telecommunications capabilities to respond to major hurricanes, wildfires, and other natural disasters. We streamlined our cyber assessment and analytic teams to better enable network defenders to identify—and reduce the risk of—malicious attacks. We built out our vulnerability management capabilities to ensure responsible disclosure of IT and OT vulnerabilities and to provide corresponding research and analysis. We continued to develop and expand our capacity to respond to incidents, and we stood up a new cyber hunt capability that significantly improves our ability to proactively find threat actors on government and CI networks.

###### Q: How is NCCIC evolving?

Our evolution is an ongoing process. We continuously look for ways to create a more nimble organization that can quickly adapt to the changing threat environment and deliver critical products and services to our stakeholders with greater speed, value, and proficiency. We are just getting started, and the changes we are making are streamlining NCCIC operations, and improving analytical insight, information sharing, and response synchronization. As part of an internal realignment, we are organizing to more effectively deliver the products and services our stakeholders rely upon. We are bringing focus to cooperative efforts across the Office of Cybersecurity and Communications[3] (CS&C) to deliver a wide range of cyber and communications support functions.

To succeed in an ever-changing cyber and communications environment, we recognize that we must do an extraordinary job. We must always strive to be more effective in everything we do. We will continue to listen to our partners and stakeholders, learn from the evolving landscape, and adapt our operations and tools to be a step ahead of cyber threat actors.

###### Table 1: Designated Critical Infrastructure (CI) Sectors[1]

| CI Sector | Sector-Specific Agency |
|---|---|
| Chemical | Department of Homeland Security |
| Commercial Facilities | Department of Homeland Security |
| Communications | Department of Homeland Security |
| Critical Manufacturing | Department of Homeland Security |
| Dams | Department of Homeland Security |
| Defense Industrial Base | Department of Defense |
| Emergency Services | Department of Homeland Security |
| Energy | Department of Energy |
| Financial Services | Department of Treasury |
| Food and Agriculture | Department of Agriculture, Department of Health and Human Services |
| Government Facilities | Department of Homeland Security, General Services Administration |
| Healthcare and Public Health | Department of Health and Human Services |
| Information Technology | Department of Homeland Security |
| Nuclear Reactors, Materials, and Waste | Department of Homeland Security |
| Transportation Systems | Department of Homeland Security, Department of Transportation |
| Water and Wastewater Systems | Environmental Protection Agency |

###### Presidential Policy Directive 21: Critical Infrastructure Security and Resilience

PPD-21 defines CI as systems and assets, whether physical or virtual, so vital to the United States that their incapacity or destruction would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters. PPD-21 identifies 16 CI sectors and designates associated Federal Sector-Specific Agencies (SSAs) to lead Federal Government efforts to collaborate, coordinate, and implement actions to [...]

[1] Presidential Policy Directive-21: Critical Infrastructure Security and Resilience, establishes national policy on CI security and resilience.

[2] GRIZZLY STEPPE, Dragonfly, and HIDDEN COBRA are separate APT campaigns. Please visit https://www.us-cert.gov for more information.

[3] NCCIC is one of five CS&C divisions. The other divisions are the Federal Network Resilience Division, the Network Security Deployment Division, the Office of Emergency Communications, and [...]

## OUR PURPOSE: DRIVING TOWARD A MORE SECURE CYBER AND COMMUNICATIONS ECOSYSTEM

NCCIC serves as the focal point for collaborative efforts between the public and private sector to facilitate threat information sharing across the globe. In everything we do, we follow a single-minded goal: help the Nation build a more secure and resilient cyber and communications environment.
## TIMELINE OF NCCIC HISTORY

- 1963: Presidential Memorandum established the National Communications System (NCS).
- 1984: Executive Order 12472 expands NCS to include National Security and Emergency Preparedness (NS/EP) and establishes the National Coordinating Center (NCC) for communications.
- 2000: The White House officially designates NCC as the Information Sharing and Analysis Center (ISAC) for Telecommunications.
- 2000: Congress creates the Federal Computer Incident Response Center (FedCIRC) at GSA to handle the growing number of cyber breaches.
- 2002: DHS established by the Homeland Security Act.
- 2003: NCS moves from the DOD to DHS.
- 2003: Congress moves FedCIRC to the newly formed DHS; renames it US-CERT and expands the mission to include cybersecurity.
- 2004: DHS establishes the Control Systems Security Program (CSSP).
- 2009: National Security Telecommunications Advisory Committee (NSTAC) recommends establishing a joint collaboration center that becomes the basis for NCCIC.
- 2009: DHS establishes ICS-CERT, replacing CSSP.
- 2009: DHS establishes the NCCIC.
- 2012: Executive Order 13618 disbands the National Communications System (NCS); NCC assumes these new responsibilities.
- 2012: NCCIC co-locates US-CERT, ICS-CERT, and NCC into the NCCIC watch floor.
- 2015: The Cybersecurity Act of 2015 designates NCCIC as the central hub for cyber threat indicator sharing between government and the private sector.
- 2017 – Present: DHS streamlines organizational structure, moving US-CERT, ICS-CERT, and NCC into a single NCCIC organizational structure.

###### OUR VISION

NCCIC’s vision is a secure and robust cyber and communications infrastructure, resilient against attacks and disruption. In pursuing our vision, we adhere to a number of Guiding Principles:

- Put Customers First. Understand and meet our customer and constituent needs quickly and completely.
- Lead the Global Mission. In service to our national interests, serve as a global ambassador for cyber and communications security expertise, excellence, and information.
- Be an Active Force for Good. Defend the homeland by being the first and best option to identify, understand, prevent, protect, and respond to significant threats and exploitations of our cyber and communications infrastructure.
- Drive Innovation. Stay on the cutting edge of innovation to bring down risk, learning from past experiences and anticipating change. Inspire others to better understand and apply cyber and communications knowledge and tools.
- Be Right, Be Fast. Connect people-to-people and people-to-content to build community knowledge. Share threat and vulnerability information quickly and broadly, while maintaining the confidence and trust of our stakeholders, and the constitutional rights of the American people.
- Earn Trust. Relentlessly build our reputation as the authoritative source of information and a dependable partner, through technical excellence and accurate, timely analysis. We are the experts other professionals turn to for help.

###### OUR MISSION

NCCIC’s mission is to reduce the risk of systemic cybersecurity and communications challenges in our role as the Nation’s flagship cyber defense, incident response, and operational integration center. We execute this mission by serving as a national hub for cyber and communications information, technical expertise, and operational integration, and by operating our 24/7 situational awareness, analysis, and incident response center.

To execute its mission, NCCIC performs a number of core functions:

- information exchange,
- training and exercises,
- risk and vulnerability assessments,
- data synthesis and analysis,
- operational planning and coordination,
- watch operations, and
- incident response and recovery.

###### OUR ORGANIZATION

As part of our commitment to serve customers better, over the last year NCCIC conducted an extensive internal review of operations. Based in part on the review, we created significant functional enhancements that position NCCIC as a more efficient and responsive organization. Specifically, these changes

- improve our overall analytic capacity and realign resources toward greater effectiveness;
- expand our incident response and tailored hunt services;
- integrate our information technology and operational technology (IT and OT) assessment and vulnerability coordination capabilities; and
- consolidate our national exercise and training programs.

The realignment integrates the United States Computer Emergency Readiness Team (US-CERT) and Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) into a single, functionally organized NCCIC structure that combines intersecting functions from those legacy organizations. The work US-CERT and ICS-CERT performed as organizations under the NCCIC umbrella was extraordinary, and NCCIC retains all of the expertise, functions, and capabilities that those organizations provided. The dedicated professionals with whom our stakeholders have developed trusted working relationships will continue their specialized work within the NCCIC, ready to draw on the broader resources of the entire NCCIC to serve customers better.

Moving forward, our focus is on innovation, value, execution, and operational excellence. We will consistently look for ways to better serve stakeholders as together we build a more sustainable, secure, and resilient cyber and communications environment.

## LEADING A GLOBAL FIGHT, COORDINATING A UNIFIED NATIONAL EFFORT

NCCIC’s mission can only succeed with the help and active participation of our stakeholders.
We are committed to dialogue and engagement at all levels, whether it is operational coordination on the NCCIC watch floor, analyst-to-analyst exchanges, participation in industry events and global forums, or leading national-level cyber exercises. Trust within the community of cyber and communications stakeholders is essential to this collective defense strategy. NCCIC builds trust by:

- embedding confidentiality, privacy, and civil liberties protections into our information sharing culture;
- demonstrating our technical competence; and
- listening and responding to stakeholder needs.

NCCIC’s primary stakeholders—customers, constituents, and partners—include the Federal Government; SLTT governments; private sector businesses (particularly those that manage critical infrastructure); the research and academic community; the public; and our international allies. Going forward, we will focus on new ways of adding value to our partnerships, and expanding the community of contributors to the global cyber and communications security mission.

###### FEDERAL DEPARTMENTS AND AGENCIES

Federal network defense is a coordinated effort, and NCCIC collaborates closely with its constituent departments and agencies to help them take action to mitigate cyber risk. [...] collaboration with departments and agencies.[4] We provide situational awareness and advice to DHS leadership and senior government officials, Congress, and the National Security Council.

NCCIC also plays a key role in the Continuity Communications Manager’s Group (CCMG) forum. Meeting every quarter, CCMG provides a critical forum for information sharing and coordination among continuity communications managers to address issues, challenges, opportunities, new technologies, and solutions. CCMG also addresses matters related to policy, planning, operations, testing, evaluation, and systems interoperability affecting the executive branch continuity communications environment. It is also an important forum to review and address continuity communications test results, trends, compliance assessment reports, and long-term communications challenges.

[...] partners. NCCIC needs private sector information, innovation, technical expertise, and active engagement to successfully carry out our mission. Additionally, our adversaries frequently target private sector CI organizations due to the degree to which society relies on the goods and services they provide. Because of this, private sector CI owners and operators are major consumers of NCCIC products, as well as essential partners.

###### TELECOMMUNICATIONS INFORMATION SHARING

As part of our robust cyber collaboration with the private sector, we maintain close coordination with the telecommunications industry. In particular, NCCIC’s National Coordinating Center for Communications (NCC) manages the Communications Information Sharing and Analysis Center (Comms-ISAC) to share and apply the technical expertise, threat awareness, and operational capabilities required to address hazards and risks to the Nation’s telecommunications infrastructure. We maintain integrated operational relationships—physically and virtually—with communications service providers and other stakeholders to get real-time operating status and to coordinate assistance during an incident.

###### Supporting Our Election Infrastructure

NCCIC was a critical contributor to a DHS initiative to ensure the integrity of the Nation’s election infrastructure (EI) in preparation for the November 2016 general election. The purpose of the initiative was to raise awareness of cybersecurity vulnerabilities within voting infrastructure and increase the security and resilience of the electoral process.

[4] Presidential Policy Directive (PPD)-41, United States Cyber Incident Coordination, outlines the roles federal agencies play during a significant cyber incident. DHS plays a major role in both asset response and threat response. DHS is the lead agency for asset response during a significant cyber incident, focusing on the assets of the victim or potential targets of malicious activity. In fulfilling this responsibility, NCCIC assists asset owners in mitigating vulnerabilities, identifies other entities that may be at risk, and shares information across the public and [...]

[5] Information Sharing and Analysis Organizations (ISAOs) seek to expand information sharing by encouraging the formation of communities that share information across a region or in response to a specific emerging cyber threat. Information Sharing and Analysis Centers (ISACs) are essential drivers of effective cybersecurity collaboration for specific industrial sectors.

###### INTERNATIONAL PARTNERS

Cyber threats are borderless and ubiquitous. Attacks in distant parts of the world may replicate quickly and cause cascading consequences for our own cyber and communications infrastructure. NCCIC is a leader in the global fight for secure cyber and communications networks, and brings together a broad range of international partners in a common effort to strengthen our capacity to fight threats. Through this work, we improve the cyber and communications risk posture of the United States.

Strengthening operational collaboration with international counterparts enables us to prepare for, prevent, mitigate, and respond to incidents that could degrade or overwhelm cyber and communications assets. Operational relationships among nations play a significant role in ensuring the safety and resilience of cyberspace. We know that our ability to respond to and overcome global cyber challenges improves in part by the degree to which we can act in close coordination and cooperation. In close coordination with the State Department, NCCIC collaborates with international partners to build situational awareness, reduce risk, and coordinate information sharing and international response to incidents.
We coordinate with our global peers in a number of areas, including

- exchange of technical expertise,
- threat intelligence sharing,
- establishing security standards,
- industrial control systems security, and
- cyber and communications capacity building.

We also participate in a range of multilateral and multi-stakeholder fora, including the following:

- Asia Pacific Economic Cooperation;
- Organization of American States;
- Organization of Economic Cooperation and Development;
- North Atlantic Treaty Organization (NATO);
- Organization for Security Cooperation in Europe;
- International Telecommunications Union Development Sector;
- Forum of Incident Response and Security Teams;
- Asia Pacific Computer Emergency Response Team; and
- Meridian Process and Conference.

###### Fighting WannaCry Ransomware: A Sustained Global Effort

The May 2017 global WannaCry ransomware campaign highlights continued attempts by malicious actors to leverage cyberspace to disrupt international CI and cause economic loss. It is also an excellent example of how, together with our global partners, NCCIC can help fight such attacks and minimize their impact.

WannaCry began in Asia on May 12, 2017, and rapidly spread across the world—sources reported hundreds of thousands of infections in over 150 countries in just days. Due in part to the coordinated and sustained counteraction by NCCIC and its domestic and foreign partners, WannaCry had limited impact on U.S. CI.

WannaCry exploited a critical Windows Server Message Block vulnerability to remotely compromise victim systems, encrypt files, and spread to other hosts. Attackers demanded money to unencrypt the affected files. As soon as WannaCry sightings were reported, NCCIC proactively began sharing information and coordinating with its international partners to understand and mitigate the impacts of the malware. NCCIC also worked with domestic security experts and researchers, and other federal departments and agencies. NCCIC’s response included

- quickly sharing information that identified the vulnerability WannaCry exploited;
- conducting analysis on malware samples;
- issuing technical alerts identifying the indicators of compromise (IOCs);
- sharing the identified IOCs through AIS and the Cybersecurity Information Sharing and Collaboration Program (CISCP); and
- deploying signatures on EINSTEIN to protect federal networks.

NCCIC coordinated with more than 40 IT and cybersecurity companies (including major Internet service providers) to convey what we knew. As part of its mission to protect federal departments and agencies, NCCIC also led Cybersecurity Coordination, Assessment, and Response (C-CAR) meetings to share actionable information about the threats. C-CARs are a critical complement to NCCIC’s technical alerts and follow a standard protocol. This protocol enables DHS to convey information to CISOs and request action from federal departments and agencies to gain awareness of potentially affected systems across the Federal Government. Recognizing that not all users would be able to install patches immediately, NCCIC also shared additional mitigation guidance to assist government and private sector network defenders.

The following timeline highlights key events in NCCIC’s immediate response to WannaCry:

| Date | Event |
|---|---|
| May 12, 2017 | Open-source reporting on WannaCry ransomware began. |
| | NCCIC conducted malware analysis on multiple ransomware samples. |
| | NCCIC held cybersecurity coordination meetings. |
| | NCCIC published a Current Activity (CA): “Multiple Ransomware Infections Reported.” |
| | NCCIC published Technical Alert TA17-132A, “Indicators Associated with WannaCry Ransomware.” |
| May 13, 2017 | NCCIC implemented Enhanced Coordination Procedures with cyber center partners to increase coordination and synchronization. |
| | NCCIC held coordination calls with over 40 IT and cybersecurity companies and all major ISPs to share known information and connect NCCIC operational teams with partners for analysis and information sharing. |
| | A researcher identified a potential kill switch for the ransomware. NCCIC analysts corroborated that this kill switch stopped propagation of the ransomware. |
| May 14, 2017 | NCCIC became aware of additional variants of the ransomware. |
| | The Small Business Administration posted DHS-provided information about the ransomware campaign to their website to assist small business owners. |
| May 15, 2017 | NCCIC released ICS-ALERT-17-135-01, “Indicators Associated with WannaCry Ransomware.” |
| | NCCIC posted ICS-ALERT-17-135-01 to its industrial control systems (ICS)-focused public website to raise awareness of the alert within the ICS community, and to identify affected ICS and medical device vendors. |
| May 16, 2017 | NCCIC conducted a data call to federal departments and agencies. |
| | NCCIC posted Malware Initial Findings Report 10124171 – Ransomware/WannaCry and the associated technical indicators of compromise file to its website. |
| | CERT Europe (CERT-EU) distributed a revised WannaCry-related advisory that contained additional IOCs derived from the latest ransomware sample. |
| May 17, 2017 | NCCIC posted an ICS-CERT WannaCry fact sheet, “What is WannaCry/WanaCryptor?”. |
| | NCCIC engaged department and agency security operation centers. |

> “[Our IT and security company partners] stayed on the line with us, on these chat rooms and helped us pick [WannaCry] apart. And I really believe that that’s the model for the future and it really just highlights all of the work that’s gone on for years and years and years… just tremendous partnership and a [recognition] that we’re all sort of in this together and we have to have that willingness [to work together].”
>
> -- Jeanette Manfra, DHS Assistant Secretary for Cybersecurity and Communications

## WHAT WE DO

Each day, NCCIC personnel work tirelessly to help our stakeholders secure their cyber and communications systems. Yet it is only with the enthusiastic participation of the entire cyber community that we will succeed in our mission. Our partners are essential to everything we do.

NCCIC is a hub for information and expertise. We are a global exchange for cyber and communications information, sharing what we receive back to the community.

We build risk awareness and help people understand how to mitigate threats and vulnerabilities. We help customers take action to improve their risk posture and support a common operational picture of the national cyber and communications risk landscape.

We defend federal networks and respond to significant incidents. Perhaps most importantly, we are here for our partners and customers when they need help. We vigilantly defend the Federal Government’s critical networks and stand ready to respond to attacks on both government and private sector networks.
In FY17, NCCIC:

- Shared more than 15,600 alerts, bulletins, and other information products that raised security awareness and helped customers mitigate risk
- Detected more than 194,000 new vulnerabilities through cyber hygiene scans for hundreds of Federal Government customers
- Provided on-site incident response support to roughly 30 government and private sector customers
- Shared more than 3,000 indicators of compromise (IOCs) through the Enhanced Cybersecurity Services program and helped Internet service providers (ISPs) block malicious traffic for their customers
- Completed 58 external exercises to build readiness and operational coordination among government and private sector customers
- Received roughly 106,000 incident reports from Federal and state, local, tribal, and territorial (SLTT) governments and the private sector, affecting communications, enterprise, and control systems
- Received more than 727,000 reported cyber and communications threats
- Trained more than 1,400 professionals in ICS security
- Detected 447 incidents through the EINSTEIN program, resulting in actions to secure federal networks
- Grew the Industrial Control Systems Joint Working Group to 2,680 members, expanding the collaborative community of industrial control systems (ICS) partners
- Helped more than 2,100 customers use the Cybersecurity Evaluation Tool (CSET) to conduct self-evaluations of their ICS security posture
- Helped customers mitigate roughly 225,000 vulnerabilities identified through cyber hygiene scans
- Shared roughly 1.3 million IOCs since the inception of AIS in March 2016
- Conducted more than 160 on-site enterprise and control systems assessments to help customers understand and mitigate risk across all critical infrastructure (CI) sectors
- Conducted 71 risk and vulnerability assessments for government and private sector clients

###### THE WATCH FLOOR: NCCIC’S INFORMATION SHARING HUB

Each day, NCCIC’s 24/7 watch floor receives, triages, tracks, coordinates, and manages high volumes of threat,
vulnerability, and incident information. The watch floor disseminates this information to NCCIC analysts for resolution and—as quickly as possible—shares alerts, reports, and other information products back to the community, so that our customers and partners can take action. A diverse set of information sources is vital to developing a big-picture perspective of the Nation’s systemic cyber and communications risk. In turn, this overarching view helps us “connect the dots,” so that we can quickly identify and help our customers mitigate threats and respond to incidents. Operating in two physical locations—Arlington, VA, and Pensacola, FL—the watch floor provides shared national-level situational awareness and a forum for real-time operational collaboration with NCCIC’s many partners. Our Arlington operations are co-located with the National Infrastructure Coordinating Center (NICC)[6] to ensure coordinated and consistent information exchange with our customers for both physical and cyber threats.

[6] NICC is the dedicated 24/7 coordination and information sharing operations center that maintains situational awareness of the Nation’s critical infrastructure for the Federal Government.

###### EXPANDING OUR INFORMATION SHARING CAPABILITIES

defensive measures, as well as recommended practices focused on threat detection, prevention, and mitigation. CISCP also hosts analyst-to-analyst technical threat exchanges and analyst training events that include detailed threat briefings.

###### BUILDING UNDERSTANDING AND AWARENESS OF SYSTEMIC RISK

As attacks on our cyber and communications infrastructure grow in diversity, prevalence, and sophistication, NCCIC’s mission demands that we stay ahead of the threat curve. One of the ways we do this is by synthesizing our data with data from open-source research, private sector partners, the intelligence community, international partners, and federal network feeds. The greater the volume of high-quality data NCCIC receives and analyzes, the better our understanding of threats and vulnerabilities.

Using this data, along with state-of-the-art tools and techniques, our analysts work to determine the nature of threats to systems, including enterprise business networks, control systems, and telecommunications infrastructure. They apply this knowledge to analytical offerings, which include technical alerts, guidance, best practices, and direct operational communication with other analysts in government and the private sector. These products integrate threat information, help provide an overall picture of

###### TECHNICAL ANALYSIS CAPABILITIES

Our technical analysis directly supports our mission to reduce risk to the Nation’s CI. NCCIC technical analysts provide malware analysis, digital analysis, reverse engineering, and trend analysis. Their expertise and findings inform our exploration of systemic vulnerabilities; potential future threats; tactics,

Our analysis and vulnerability coordination services reside primarily in our advanced malware analysis laboratories. We are increasing our focus on identifying trends and systemic risks associated with rapidly evolving areas such as the Internet of Things, including networked medical devices and avionics, cloud technologies, and the continued convergence of

###### Data Security: How We Safeguard Your Information

As a global information sharing hub, NCCIC bears a significant responsibility to protect the information we receive and to ensure we safeguard privacy, civil rights, and civil liberties. We take this responsibility extremely seriously and we do everything in our power to earn our stakeholders’ trust by maintaining the confidentiality of sensitive information.
The Protected Critical Infrastructure Information (PCII) program is one significant way NCCIC ensures that critical infrastructure information stakeholders share remains protected from

» the Freedom of Information Act (FOIA),
» SLTT disclosure laws,
» use in regulatory actions, and
» use in civil litigation.

Only trained and certified federal, state, and local government employees or contractors may access PCII and only in accordance with strict safeguarding and handling requirements.

###### Suspected Malware? Our Data Analysis Team Can Help

While not every detected malware instance is as damaging or far-reaching as WannaCry, all are worthy of NCCIC’s attention and support. NCCIC’s malware laboratories have a streamlined process to help network owners understand the risks associated with suspected malware activity.

Network owners can submit files directly to NCCIC’s malware analysis team for action through a secure web portal, email, or file transfer protocol. Once received, NCCIC analysts review the files for IOCs to determine the type of malware potentially present. We provide the network owner with a report detailing the type of malware detected, an analysis of the IOCs present, and a list of appropriate mitigation strategies. NCCIC develops reports in several formats and specifications, including Structured Threat Information eXpression (STIX)—a standard language used to automate the exchange of cyber threat information.

A combination of open-source, commercial, and custom-developed tools powers the malware analysis process. NCCIC analysts use automated toolsets to analyze malware, but also have the capability to reverse engineer malware files to gather information and develop associated IOCs. Analysts convert IOC information into anonymized, shareable reports to inform the larger cyber community.
By sharing information on suspected malware with NCCIC, network operators can better secure their own network while reducing systemic risk across the entire cyber landscape.

FY17 also marked some innovative enhancements to our information technology (IT) and operational technology (OT) assessment capabilities. We integrated our end-to-end assessment service offerings for enterprise and ICS environments, providing fi

NCCIC’s cyber hunt services, which we continue to expand, also provide customers greater visibility into the security posture of their networks. NCCIC conducts hunt missions at the invitation of government and private sector customers, including CI owners and operators. Hunt missions proactively search for malicious activity to help customers identify potential exploitation. NCCIC’s cyber hunt focuses on deep technical analysis of a live network with the intent of identifying previously unobserved h

Within those categories, we have seen an increase in use of insecure default configurations and unsupported operating systems. On a positive note, we have also seen an overall decrease in reuse of administrator passwords as well as passwords stored in clear text

###### Assessment-to-Incident Response: Providing Fully Integrated Cybersecurity Services

In 2017, NCCIC performed 139 on-site ICS assessments to determine how well customers’ cyber defenses could prevent malicious attacks. NCCIC assessments focus on identifying security gaps with the greatest potential for exploitation and harm, and on identifying and recommending solutions with the greatest benefit.

The teamwork and close collaboration between our assessment and response units is a good example of NCCIC’s approach to customer service—we focus on providing customers with a fully integrated cybersecurity service portfolio to meet all their needs. When NCCIC responds to an incident, our response team often recommends that the affected organization undergo a full network assessment (after the response team resolves the immediate issue) to maximize overall network health and hygiene, and reduce the likelihood and severity of future incidents.

A recent routine assessment and analysis for a control systems customer in the Transportation Sector exemplifies the benefits of NCCIC’s integrated customer service approach. During the assessment process, our assessors noted excessive Internet Control Message Protocol traffic originating from a control systems host that was communicating out to various Internet Protocol (IP) addresses around the world. This indicated potentially malicious activity, so NCCIC assessors immediately recommended involvement from NCCIC’s incident response team.

At the asset owner’s request, NCCIC switched its focus from an assessment to an incident investigation, and quickly discovered that the suspicious traffic was likely due to automated scanning of external IPs by the ICS host. Forensic analysis revealed the ICS host had been subjected to brute-force hacking attempts against its remote desktop service. The analysis also revealed that the remote desktop service was directly accessible from the Internet and not protected by a firewall or virtual private network. NCCIC provided mitigation guidance to the organization, which included establishing firewall protection to prevent unauthorized access from the Internet.

On federal networks, NCCIC cyber hunt teams search for malicious actors inside high-value assets (HVAs), and tailor assessments specifically to systems that connect to—or interact with—HVAs. These teams work closely with NCCIC HVA penetration testers.
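A defender-side triage of the three signals in the Transportation Sector case (ICMP fan-out from a control-systems host to many external addresses, repeated failed logons against its remote desktop service, and that service being reachable from outside), written as an added example rather than NCCIC's own tooling. The flow records, the key=value log format, host names and address ranges are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Address space treated as the customer's internal network (assumption).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (src, dst, proto, dst_port).
# ics-hmi-01 (10.20.1.15) sends ICMP to 25 distinct Internet addresses, the
# fan-out the assessors noticed; 10.20.1.16 pings two internal peers, which is
# normal; 198.51.100.7 opens RDP sessions to ics-hmi-01 from outside.
FLOWS = [("10.20.1.15", f"203.0.113.{i}", "icmp", 0) for i in range(1, 26)]
FLOWS += [("10.20.1.16", "10.20.1.1", "icmp", 0),
          ("10.20.1.16", "10.20.1.2", "icmp", 0)]
FLOWS += [("198.51.100.7", "10.20.1.15", "tcp", 3389)] * 3
FLOWS += [("10.20.1.30", "10.20.1.15", "tcp", 3389)]   # internal admin session


def icmp_fanout(flows, threshold=10):
    """Internal hosts sending ICMP to more than `threshold` distinct external
    addresses; returns sorted (host, distinct_targets) pairs."""
    targets = defaultdict(set)
    for src, dst, proto, _ in flows:
        if proto == "icmp" and is_internal(src) and not is_internal(dst):
            targets[src].add(dst)
    return sorted((h, len(t)) for h, t in targets.items() if len(t) > threshold)


def exposed_rdp(flows):
    """Internal hosts accepting RDP (TCP/3389) from non-internal sources, i.e.
    remote desktop reachable from the Internet without a firewall or VPN."""
    return {dst for src, dst, proto, port in flows
            if proto == "tcp" and port == 3389
            and is_internal(dst) and not is_internal(src)}


# Constructed authentication log (key=value style, not a real product's format):
# 30 failed RDP logons from the external address in under three minutes, plus
# one isolated failure from an internal operator workstation.
AUTH_LOG = [
    f"2017-06-01T02:{14 + i // 12:02d}:{(i * 5) % 60:02d} host=ics-hmi-01 "
    "event=rdp_logon_failed src=198.51.100.7 user=administrator"
    for i in range(30)
] + ["2017-06-01T09:00:00 host=ics-hmi-01 event=rdp_logon_failed "
     "src=10.20.1.30 user=operator"]


def parse_auth(line):
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def rdp_bruteforce(lines, window=timedelta(minutes=5), threshold=10):
    """(src, host, failures) for every source with more than `threshold`
    failed RDP logons against one host inside any `window`-long span."""
    stamps_by_pair = defaultdict(list)
    for rec in map(parse_auth, lines):
        if rec.get("event") == "rdp_logon_failed":
            stamps_by_pair[(rec["src"], rec["host"])].append(rec["ts"])
    hits = []
    for (src, host), stamps in stamps_by_pair.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):        # sliding window over time
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            hits.append((src, host, best))
    return sorted(hits)


def triage(flows=FLOWS, auth_lines=AUTH_LOG):
    """Combine the three checks into findings, each paired with the mitigation
    the case describes (firewall protection against unauthorized Internet access)."""
    findings = []
    for host, n in icmp_fanout(flows):
        findings.append(f"{host}: ICMP to {n} distinct external addresses; "
                        "investigate for scanning or beaconing")
    for src, host, n in rdp_bruteforce(auth_lines):
        findings.append(f"{host}: {n} failed RDP logons from {src} in one window")
    for host in sorted(exposed_rdp(flows)):
        findings.append(f"{host}: RDP reachable from outside; restrict with a "
                        "firewall or VPN")
    return findings
```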
NCCIC cyber hunt team services include

- examination of existing cybersecurity policies, procedures, and processes;
- system owner interviews;
- host-based analysis;
- review of existing logs;
- network traffic analysis; and
- data mappings and other diagrams.

NCCIC hunt teams use data drawn from the broad array of NCCIC sources—including the intelligence and law enforcement communities—to identify malicious tools and adversary TTPs extant on customer networks.

###### BUILDING TECHNICAL EXPERTISE AND PREPAREDNESS: TRAINING AND EXERCISES

In FY17, NCCIC consolidated and integrated its technical training and exercise products and services to enhance the way we deliver these capabilities to our customers.

Our robust cyber exercise program enables government and private sector partners to plan and test their preparedness, policies, processes, and procedures when responding to cyber and communications incidents. NCCIC offers a variety of scalable exercise formats—from facilitated, targeted attack tabletop discussions to full-scale, national-level functional exercises. Our services include the design, development, planning, evaluation, and conduct of cybersecurity exercises. These critical exercises enable us to provide insight into how our partners detect and respond to a variety of attacks and how they can further strengthen their defenses.

An important focus for our technical training is the planned expansion of our ICS training capabilities. Current training offerings include web-based and instructor-led technical training. As part of our advanced training course, NCCIC offers an advanced Red Team-Blue Team exercise within a simulated ICS training environment. In March 2017, NCCIC celebrated its 100th training class for Red-Blue Team training (formally known as the Industrial Control Systems Cybersecurity (301) Advanced Training). The training offers a hands-on approach to understanding a network environment, identifying potential vulnerabilities, evaluating exploitation of vulnerabilities, and applying defensive and mitigation strategies to protect industrial control systems. To date, more than 4,500 trainees have completed the training.

In 2017, NCCIC’s Training team:

- conducted 12 ICS Red-Blue Team courses;
- led four regional sessions with introductory and intermediate content (three of which were for international partners);
- trained more than 1,200 students in instructor-led classes;
- conducted 17 tours of NCCIC’s control systems analysis center in Idaho Falls, Idaho; and
- saw roughly 20,000 trainees complete one or more online classes.

###### Cyber Guard and Cyber Storm: Preparing for National-Level Cyber Incidents

In FY17, NCCIC led DHS planning and coordination for Cyber Guard, an annual two-week exercise headed by Department of Defense (DOD) U.S. Cyber Command and co-sponsored by DHS and the Federal Bureau of Investigation (FBI). Cyber Guard 2017 included experts from over 100 organizations, including the Federal Government, state governments, industry, academia, and international allies. Participants practiced tactical cyber incident response processes and operational coordination. NCCIC personnel participated at the main exercise location in Suffolk, VA, and from NCCIC’s Pensacola, FL, location. Cyber Guard 2017 enabled NCCIC to hone incident response processes while also enhancing working relationships with partners who are pivotal to our ability to respond effectively to national-level cyber incidents.

In FY18, NCCIC will lead all aspects of Cyber Storm, a national-level exercise occurring every two years. Planning for Cyber Storm VI, slated to occur in Spring 2018, is already well underway. The Cyber Storm VI exercise will focus on the Critical Manufacturing and Transportation Sectors with participation from the Information Technology and Communications Sectors; law enforcement, defense, and intelligence agencies; state and local governments; and international partners.

We conducted Cyber Storm V in March 2016. The exercise focused on testing preparedness and response to a multi-sector cyber attack targeting the Healthcare and Public Health and Commercial Facilities Sectors. The exercise included more than 100 organizations and 1,200 players from across the globe. More than 96 percent of respondents to an after-action questionnaire indicated that participation in Cyber Storm V helped them become better prepared to deal successfully with a cyber incident.

###### DEFENDING FEDERAL NETWORKS AND RESPONDING TO SIGNIFICANT INCIDENTS

One of our core mission areas is leading efforts to protect federal civilian government networks. Threat actors consider federal departments and agencies high-value targets, given the critical services they provide and the sensitive data they store. NCCIC provides federal partners with critical threat intelligence and network defense tools to enable them to effectively thwart cyber attacks. Additionally, NCCIC assists these partners with incident

###### Disaster Response: Restoring Critical Communications

In 2017, NCCIC led an extensive interagency effort to restore critical communications in the wake of four large-scale hurricanes that affected the lives of millions and devastated large areas of Florida, Georgia, Puerto Rico, Texas, and the U.S. Virgin Islands. Through Emergency Support Function (ESF #2) – Communications[8], NCCIC’s National Coordinating Center for Communications (NCC) coordinated federal interagency efforts to restore communications infrastructure; coordinated communications support to response efforts; facilitated the delivery of information to emergency management decision makers; and assisted in the stabilization and reestablishment of communications systems and applications.
ESF #2 members within DHS—alongside the Federal Communications Commission, the National Telecommunications and Information Administration, the General Services Administration, and the Department of Defense—supported response efforts to affected areas. Together, this interagency team

- ensured communications were available to impacted communities and responders;
- supported planning, including the development of a public safety recovery plan and integrated power-communications restoration plans; and
- acted as translators, radio operators, logisticians, and imagery analysts.

The team’s efforts supported the issuance of two communications-related executive orders in Puerto Rico, which enabled expedited communications restoration and waived taxes for communications equipment temporarily imported to restore communications. NCCIC also led the ESF in developing a plan to restore public safety land mobile radio communications in Puerto Rico. To improve customer connectivity, the interagency team leveraged partnerships in Puerto Rico and the U.S. Virgin Islands to increase roaming agreements.

As the national coordinator for ESF #2, NCCIC led efforts with industry partners in each of the affected states and territories to share resources and information to improve the ability of the Communications Sector to provide service to affected areas. In the wake of each disaster, NCCIC and its partners joined in efforts to restore critical communications by helping to prioritize and resolve issues related to fuel, transportation, and access. NCCIC also helped forge an agreement—among carriers, tower owners, site owners, debris removal and road clearance teams, tower climbers, generator technicians, and fuel suppliers—to expedite site repair through prioritization and collaboration.

NCC also provided extensive analytical support to affected areas.
This included

- over 100 telecommunications infrastructure analysis reports before and after hurricanes;
- coordination of the expedited delivery of 30,000 phone numbers needed to put replacement phones into service on the U.S. Virgin Islands, shrinking a multi-week process to days;
- deployment of more than 80 staff to assist affected areas in Florida, Georgia, Puerto Rico, Texas, the U.S. Virgin Islands, and FEMA Headquarters;
- daily reports and graphics providing overall telecommunications landline and cellular networks statistics for the affected areas;
- maps projecting cellular coverage of Puerto Rico at least three times a week, in coordination with the telecommunications carriers; and
- continuous updates to maps, identifying the availability and location of ancillary cellular equipment (such as hotspots, cell on wheels, and cell on light trucks).

NCCIC continues to work with its government and industry partners to prepare for communications disruptions through coordinated planning, exercises, and training.

[8] ESF #2 is the Communications Annex to the National Response Framework (https://www.fema.gov/media-library/assets/documents/117791). ESF #2 coordinates Federal actions to assist industry in restoring public communications infrastructure and to assist SLTT governments with emergency communications and the restoration of public safety communications systems and first responder networks. ESF #2 supports federal departments and agencies in procuring and coordinating National Security and Emergency Preparedness communications services. ESF #2 also addresses cybersecurity issues that result from or occur in conjunction with incidents. However, for
###### RESPONDING TO CYBER AND COMMUNICATIONS INCIDENTS

NCCIC focuses extensive resources on defending government networks and supporting private sector preparedness and protection. The persistence, dynamism, and volume of attacks against IT and OT networks, however, combined with an ever-expanding attack surface as more devices connect to the Internet, means that some malicious attacks will inevitably succeed. In addition, 2017 was a stark reminder of the devastation that natural disasters can wreak on people, local and regional economies, and on our cyber and communications infrastructure. Responding to these events—and supporting our customers’ response—is a fundamental function that we continually strive to improve.

“The Department of Homeland Security, acting through the National Cybersecurity and Communications Integration Center, shall be the Federal lead agency for asset response activities.” —Presidential Policy Directive 41: United States Cyber Incident Coordination

NCCIC is the lead federal organization responsible for assisting victims in finding malicious activity on their systems in the wake of a “significant cyber incident.”[7] This includes leading remote and on-site responses to cyber attacks on federal networks. NCCIC also supports operational awareness and mitigation actions across the federal domain by using threat information detected in one department or agency to protect the rest of the government and to help the private sector protect itself.

During incidents and times of crisis, our operational planning and coordination team works across government to provide critical information and overarching context to inform the decisions of the White House and other government organizations. NCCIC works with affected government and—when requested—private sector stakeholders to help repair systems, patch vulnerabilities, reduce the risk of future incidents, and prevent an incident from spreading to others. Our incident response services include expert intrusion analysis and mitigation guidance to customers who require external assistance.

While NCCIC prioritizes major cyber incidents that have the potential to disrupt or disable our CI, we offer stakeholders—including federal, SLTT governments, and private sector organizations—support for responding to minor incidents as well.

###### THE EINSTEIN PROGRAM

Through the National Cybersecurity Protection System, NCCIC uses EINSTEIN program outputs to support cyber defense of the Federal Government. EINSTEIN is a unique sensor grid that covers all federal department and agency civilian networks. It provides perimeter protection capabilities to help the Federal Government detect and block cyber threats. EINSTEIN sensors monitor and capture network data flows to and from federal systems, providing intrusion detection and prevention capabilities. NCCIC also analyzes sensor data to discover and track adversary TTPs, and to identify new IOCs. When necessary, NCCIC generates and disseminates alerts to help federal departments and agencies protect themselves from threats and vulnerabilities. NCCIC continues to implement tactics that strengthen government and the private sector network defense capabilities, such as

- increasing the number of IOCs that it shares,
- deploying “reputation scoring” to help organizations prioritize IOCs, and
- piloting advanced analytics to identify cyber threat patterns.

###### Hunting for Malicious Activity

In 2017, NCCIC actively tracked, researched, and analyzed the technologies and methods cyber threat actors used to exploit vulnerabilities, and the behaviors of new or high-impact malware not attributed to a known adversary. Through these activities, NCCIC identified previously unrecognized threat actor TTPs. Based on these findings, NCCIC developed analytic products and reports, providing federal network defenders with the information necessary to understand adversary TTPs and reduce exposure to malicious activity.

###### Augmenting Incident Response Resources

In FY17, NCCIC merged its ICS and enterprise response resources, augmenting our overall capabilities to meet increased customer demand and more efficiently deploy incident responders. This integration helps us meet the requirements of

» Executive Order 13800: Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,
» the Cybersecurity Information Sharing Act of 2015, and
» Presidential Policy Directive 41: U.S. Cyber Incident Coordination.

In FY18, we will continue to expand our ability to provide hunt services and on-site incident response to customers. We will also continue to mature our remote analysis capabilities, enabling incident responders to support a larger number of systems with existing resources.

[7] Presidential Policy Directive 41: United States Cyber Incident Coordination, defines a significant cyber incident as an incident that is “likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence
###### The Future of NCCIC Information Sharing: Advancing Automated Indicator Sharing, Behavioral Analytics, and Orchestration

The launch of the DHS Automated Indicator Sharing (AIS) initiative in March 2016 marked a significant milestone in the government’s use of automation to support cybersecurity. NCCIC continues to evolve indicator sharing and is building on the success of AIS to advance the sharing of actionable cybersecurity information through automation and behavioral analytics.

Through AIS, government and private sector participants exchange cyber threat indicators in near real-time. Threat indicators—also known as IOCs—are pieces of information, such as malicious IP addresses or malware hashes, that may signify potential malicious activity. AIS shares as many IOCs as possible, as quickly as possible. Through rapid, high volume IOC sharing, AIS minimizes the number of times adversaries can use the same attack, raising the opportunity costs of the attack, and decreasing the overall cyber attack prevalence. There are now 184 government and private sector entities—covering all 16 CI sectors—connected to the AIS server. AIS has received and shared more than 1.4 million IOCs since its inception.

Mr. Preston Werntz oversees the implementation of AIS. He works within DHS and with government and private sector partners to explore how NCCIC can use technology to improve automated cybersecurity. Werntz sees AIS as an encouraging step in the right direction, while noting that NCCIC continues to look for ways to improve the initiative. “AIS is successful so far, but we recognize that we need to continue to explore ways to maximize its value,” Werntz said. One way to increase the value of AIS is to expand coverage and participation. Strategic partners such as vendors, Information Sharing and Analysis Centers (ISACs), and Information Sharing and Analysis Organizations (ISAOs)—with broad customer or membership bases—can be highly effective force multipliers and significantly expand AIS participation.

it comes from a sophisticated threat actor. To help provide this context, NCCIC is focusing on automated capture of IOC “sightings”—the number of times the community sees an IOC—and identifying the IOCs that resulted in recipients taking action. “We want to know when organizations see content and take action based on that content,” said Werntz. “This information helps us understand the types of indicators organizations find useful and whether we are sharing them in a timely manner.”

“Capturing metadata related to which critical infrastructure sectors are sharing or acting on which indicators, for example, helps us understand how adversaries are attacking these sectors or whether there is a targeted campaign against a specific sector,” Werntz continued. “We also need to improve the way we use data to feed other programs such as CDM [the Continuous Diagnostics and Mitigation program] and [the] EINSTEIN [program].”

###### Leading Federal Cyber Information Sharing Efforts

The Cybersecurity Information Sharing Act of 2015 states that NCCIC should operate the Federal Government’s capability and process for receiving cyber threat indicators and defensive measures. Non-federal entities that share such information through NCCIC are eligible for protections that include liability protection, protection from release under FOIA, and protection from most regulatory uses of the information. AIS is one of the principal mechanisms through which NCCIC implements this capability and process for the Federal Government.

###### MODELING ADVERSARY BEHAVIORS

While AIS is important and, critically, shows how automation can shape the cybersecurity landscape, NCCIC recognizes that it must look for new ways to make attacks more difficult, time consuming, and costly for adversaries to carry out. One such strategy is the use of analytics that describe malicious behavior patterns. NCCIC shares those patterns with partners, who then look for that activity on their networks. Behavioral analytics describe actions an adversary takes while operating within a network (e.g., lateral movement, exfiltration, and credential access). This analysis helps NCCIC understand adversary tradecraft, discover security gaps, and communicate defense actions.

“At a basic level, we want to characterize adversary behavior—tactics, techniques, and procedures—in a standard, machine-readable format,” said Werntz. “We then share this in the form

“Customers can look at their current defense coverage against those behaviors, assess gaps or observed behavior in their network, and act to take away the behaviors, thus significantly raising adversary costs,” Werntz added. “In the federal environment, this also enables departments and agencies to identify adversary behavior and use CDM to acquire the tools and services they need to block and disrupt that behavior.”

While many organizations already leverage big data analytics, NCCIC’s unique position allows it to serve as a collection point for high-quality data from diverse sources. NCCIC combines data collected from federal network sensors—and shared through programs like AIS and CISCP—with data from the intelligence and law enforcement communities. This set of data is growing and becoming available as departments and agencies adopt CDM.

###### INCREASING DECISION SPEED THROUGH ORCHESTRATION

NCCIC is also working closely with various organizations to improve interoperability and automated cross-platform functionality within a network’s defense environment. Specifically, DHS, NSA, and the Johns Hopkins University’s Applied Physics Laboratory developed the Integrated Adaptive Cyber Defense (IACD) framework, which helps to automate orchestration of cybersecurity products.

Often, cyber defense tools and products made by different vendors do not communicate directly with each other, meaning that cybersecurity analysts must take information from one product and manually make changes to another. This process is slow, and not an optimal use of human resources. IACD defines a framework focused on automating information sharing, risk decisions, and action. People set the rules and approve decisions or exceptions, but are otherwise not part of the

apply IACD concepts to the federal environment—working with agencies on behavioral analytics to identify potential gaps in coverage or vulnerabilities before exploitation—using consistent, automated workflows and processes across multiple agencies.

In late 2017, the Financial Services Information Sharing and Analysis Center (FS-ISAC) became the latest private sector organization to embrace IACD concepts and technologies. The use of automated workflows and orchestrations helped reduce investigation and response time from 11 hours to 10 minutes, and enabled an operations team handling 65 events per day to automatically process up to 95 events simultaneously. IACD will enable a variety of organizations to quickly share threat information and prevent and respond to cyber attacks.

Moving forward, the combination of enriched IOCs, behavioral analytics, and highly automated sharing and orchestration will be critical elements in NCCIC’s cybersecurity strategy.
As both NCCIC is also investigating ways to improve the operational of an analytic to customers so they can run it in their network operational decision loop. This frees analysts to tackle the threat environment and cybersecurity technologies continue relevance and quality of the IOCs it shares by adding context to look for a match. This enables customers to keep data within anomalies and problems that are more serious. IACD operates to evolve, NCCIC remains committed to finding new and better and correlation. This includes both technical context and their own infrastructure—there is no need to bring data back to under the principle that effective cyber threat mitigation ways to work with its partners and provide them with solutions intelligence context, such as the IOC’s origination and whether DHS for analysis and correlation. Just tell us if it helped.” requires integration, synchronization, and rapid automation to the Nation’s most intractable cybersecurity challenges. of capabilities across network defense layers. NCCIC can ----- ## EVOLVING TO SERVE CUSTOMERS BETTER: ##### FY 2018 AND BEYOND ###### In FY18, NCCIC will continue and launch a number of new initiatives to enhance services for customers, build our capabilities, and improve the efficiency and agility of our organization. ###### SATELLITE UPLINK: MESSAGE RECEIVING COMMANDER FELKER PLANET ANALYSIS MISSION OBJECTIVES SCANNING FOR THREATS... 
-----

"As a highly connected nation, the United States is especially dependent on a globally secure and resilient internet and must work with allies and other partners toward maintaining…international cybersecurity priorities, including those concerning investigation, attribution, cyber threat information sharing, response, capacity building, and cooperation."
— President Trump's Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017)

Realigning operations to serve customers better:

NCCIC continues to evolve the way it aligns and applies organizational resources to meet customer needs. In FY17, we combined or realigned several core functions—notably our assessment, analysis, training, operational coordination, and outreach and communications functions. These changes allow us to quickly access a larger resource pool, cross-train personnel, and streamline management and administration functions. Importantly, we continue to build our specialized technical expertise and expand partnerships to support the security of the Nation's IT, OT, and telecommunications systems. We expect these changes to translate into meaningful improvements to the way we serve and interact with our customers, partners, and other stakeholders.

Expanding incident response capacity:

NCCIC continues to evolve and expand its incident response capabilities to meet customer demand, as well as the requirements of Executive Order 13800, Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure (2017), the National Cybersecurity Protection Act of 2014, the Cybersecurity Act of 2015, and Presidential Policy Directive 41 (2016). As part of this effort, we are building toward the capability to field 12 incident response teams simultaneously, expanding our ability to provide analysis and on-site incident response to customers.

Developing our workforce:

NCCIC's most important asset is its people. We are making concerted efforts to retain and recruit the very best and brightest. Specifically, we are focusing on expanding our workforce to meet expected demand for incident response, risk assessment, cyber hunt services, and organizational management.

Expanding exercises and training:

To attract, retain, and maintain a technically skilled and dedicated workforce, NCCIC is offering employees opportunities to hone their expertise. Our training and exercise functions will provide internal training opportunities to our personnel—beginning with Incident Response and Assessment Qualifications as a core offering. We are also developing additional training and exercise offerings for our customers. Significant planned initiatives include additional advanced Industrial Control System (ICS) training courses and the planning and conduct of Cyber Storm VI, scheduled for Spring 2018.

Supporting Election Infrastructure:

NCCIC is preparing for additional requirements stemming from the FY17 establishment of Election Infrastructure (EI) as a critical infrastructure subsector of the Government Facilities Sector. In response, DHS stood up an EI Task Force, of which NCCIC is a key member. NCCIC will expand the scale and number of vulnerability scans, cyber hunt activity, and risk assessments we already conduct on our EI.

Enriching data and automating cybersecurity:

Throughout 2018 and 2019, NCCIC expects to enhance AIS significantly, adding context and correlation to enrich indicators of compromise (IOC) data. We will also augment our technical capabilities to better leverage behavioral analytics and automated orchestration, enabling quicker, more effective information sharing.

-----

## CONCLUSION

The risk to the Nation's cyber and communications infrastructure continues to evolve.

In the face of increasingly sophisticated threats, NCCIC stands on the front lines of the Federal Government's efforts to defend the Nation's most essential cyber and communications networks. Every day brings challenges and opportunities. Our work inspires us, and we pursue it with a single-minded purpose: create a more secure and resilient cyber and communications infrastructure.

In pursuit of this goal, NCCIC will listen to customers, operational partners, and other stakeholders, remaining attentive and responsive to their needs. We need and will encourage active stakeholder participation in our information sharing programs to limit the likelihood and severity of incidents. We will emphasize utility, speed, and accuracy in the information we provide, and we will share as broadly as possible, while protecting confidentiality and privacy. We will continuously assess and optimize the way we perform as an integrated organization across all locations and refine our processes, technologies, and organizational structure to best execute our mission and serve our customers. NCCIC will remain a leader in the cybersecurity field by recruiting the best and brightest people, and by remaining agile and leaning forward to tackle current and future threats.

-----

###### APPENDIX A: NCCIC SERVICES

NCCIC offers a broad portfolio of products, services, and partnership and collaboration opportunities. The offerings listed below are available without fee to NCCIC stakeholders. For more information on NCCIC services, contact +1 (888) 282-0870 or ncciccustomerservice@hq.dhs.gov. For more information on DHS cyber programs, visit www.dhs.gov/cyber.

-----

### IN THE BATTLE FOR CYBERSPACE,

# YOU ARE NOT ALONE

###### NCCIC YEAR IN REVIEW 2017: OPERATION CYBER GUARDIAN