Lesson 3 Computer Security Incidents Taxonomy
Need an accepted taxonomy because . . .
• Provides a common frame of reference
• If no taxonomy, then we:
  • Can’t develop common reporting criteria
  • Can’t develop processes and standardization
  • Ultimately, no IA “Common Language”
[Figure: a taxonomy as logically related columns (categories) A, B and C, each listing its numbered values; one value is taken from each column]
A taxonomy must have these characteristics . . .
• Exhaustive
• Mutually exclusive
• Repeatable
• Unambiguous
• Accepted
• Useful
Where to start?
• The inability to share data because of non-standard terminology is not a new problem
• For this reason several computer security taxonomies have already been developed
• Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
• Currently in use at Carnegie Mellon’s CERT/CC
• Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)
Sandia Labs Network Based Taxonomy
Nesting: an Event is an Action on a Target; an Attack is a Tool used against a Vulnerability to produce an Event with an Unauthorized Result; an Incident is one or more Attacks by Attackers pursuing Objectives.
• Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
• Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
• Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage
Basic Model
For a defended network the lesson renames two Sandia terms: Attacks become Intrusions and Attackers become Intruders. An Incident is then Intruders + Intrusion(s) + Objectives, and an Intrusion is Tool + Vulnerability + Action + Target + Unauthorized Result.
Computer Network “Incident”
• Intruders: Hackers, Terrorists, Other
• Intrusions against the Defended Network, with unauthorized results: Increased access, Disclosure of info, Theft of resources, Corruption of info, Denial of Service
• Objectives: Status/Thrills, Political Gain, Financial Gain, Damage
Intrusion Taxonomy
An Intrusion is a Tool used against a Vulnerability to produce an Event (Action on a Target) with an Unauthorized Result; the Intruders and their Objectives sit outside the intrusion itself.
Intrusion: the SECURITY connection between an Intruder and the Defended Network
• Intruder objective: Thrills, Political Gain, Financial Gain, Damage
• Intruder tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
• Vulnerabilities in the defended network: Design, Implementation, Configuration
• Events: Action, Target
• Unauthorized Results: Increased access, Disclosure, Corrupt data, Denial of Service, Theft
Attempted Intrusion
The intruder did have intent (objective: Thrills, Political Gain, Financial Gain, Damage) and used a tool (Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap) against a vulnerability (Design, Implementation, Configuration), but the connection is stopped at the FIREWALL: no unauthorized results.
Intrusion taxonomy in practice . . . (Sandia Labs)
Intruders pursue Objectives; each Intrusion is classified by Tool, Vulnerability, Action, Target and Unauthorized Result (full category lists as on the taxonomy slide).
• Example 1, labelled “Computer Network Intrusion”: highlighted elements Toolkit (tool), Design (vulnerability), Bypass (action), Process (target), Denial of Service and Corruption of Data (unauthorized result)
• Example 2, labelled “Authorized User / Insider Threat”: highlighted elements Toolkit (tool), Bypass (action), Increased Access (unauthorized result); the intruder is an authorized user
Taxonomy applied: A Case Study
Case study classified with the Network Based Taxonomy (full category lists as on the taxonomy slide; highlighted elements given per intrusion)
• Intrusion 1, Increased Access: User Command (tool), Design (vulnerability), Authenticate (action), Account (target), Increased Access (unauthorized result)
• Intrusion 2, Root Level Access: User Command (tool), Design (vulnerability), Bypass (action), unauthorized result Increased Access (root access)
• Intrusion 3, Disclosure of Information: User Command (tool), Steal (action), Data (target), Disclosure of Information (unauthorized result)
• Summary: Intrusion 1 - Increased Access; Intrusion 2 - Root Level Access; Intrusion 3 - Disclosure of Information
• The final summary slide additionally highlights Script or Program, Implementation, Modify, Process, Denial of Service and Theft of Resources
New definition: “Intrusion Set”
Multiple related intrusions = “Intrusion Set”: multiple events (each classified by Tool, Vulnerability, Action, Target and Unauthorized Result) tied to one Intruder and one Objective.
Who? What? Why?
• Tool, Vulnerability, Action, Target and Unauthorized Result answer the what
• Need to know who? Need to know why? That requires the Intruder AND OBJECTIVES
• Intrusion Sets: need more information to get to attribution
Attribution (Who and Why?) = Intrusion Set (Tool, Vulnerability, Action, Target, Unauthorized Result) + Intruders + Objectives
Objective reporting criteria
• Not every event? Must report all unauthorized results (actual or attempted): Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources, including the intrusion data (Tool, Vulnerability, Action, Target)
• Intruders (Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs) are grouped on the slide into Groups 1 to 4 by objective: Challenge/Status/Thrill, Pol/Mil Gain, Financial gain, Damage
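As an added example (not from the lesson or the Sandia report), the Python below encodes the taxonomy slide as a validated schema and runs the case-study intrusions, the attempted-intrusion slide and the intrusion-set and reporting slides through it: each field must hold exactly one accepted term, free text outside the vocabulary is refused, an attempted intrusion is kept and flagged rather than dropped, and the intrusion set has no intruder or objective until attribution supplies them. The SYNONYMS table, the target of Intrusion 2 and every detail of the blocked attempt are assumptions.

```python
"""Howard & Longstaff incident taxonomy as a small validated schema.

Added example, not from the lesson or the Sandia report. Category values are
the ones on the taxonomy slide; case-study fields the slides leave blank
(e.g. the target of Intrusion 2) are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# One Enum per taxonomy column: every field takes exactly one accepted term
# (the "mutually exclusive" and "unambiguous" properties from the lesson).
Tool = Enum("Tool", "PHYSICAL_ATTACK INFORMATION_EXCHANGE USER_COMMAND "
                    "SCRIPT_OR_PROGRAM AUTONOMOUS_AGENT TOOLKIT DISTRIBUTED_TOOL DATA_TAP")
Vulnerability = Enum("Vulnerability", "DESIGN IMPLEMENTATION CONFIGURATION")
Action = Enum("Action", "PROBE SCAN FLOOD AUTHENTICATE BYPASS SPOOF READ COPY STEAL MODIFY DELETE")
Target = Enum("Target", "ACCOUNT PROCESS DATA COMPONENT COMPUTER NETWORK INTERNETWORK")
Result = Enum("Result", "INCREASED_ACCESS DISCLOSURE_OF_INFORMATION "
                        "CORRUPTION_OF_INFORMATION DENIAL_OF_SERVICE THEFT_OF_RESOURCES")
Objective = Enum("Objective", "CHALLENGE_STATUS_THRILLS POLITICAL_GAIN FINANCIAL_GAIN DAMAGE")

# Assumed synonym table: report wording that is not a taxonomy term, mapped to
# the accepted term (the case study says "root level access" for Increased Access).
SYNONYMS = {
    "root access": "INCREASED_ACCESS",
    "root level access": "INCREASED_ACCESS",
    "disclosure": "DISCLOSURE_OF_INFORMATION",
    "dos": "DENIAL_OF_SERVICE",
    "physical force": "PHYSICAL_ATTACK",
}


def term(enum, text):
    """Resolve free text to exactly one value of the given column, or refuse it."""
    key = SYNONYMS.get(text.strip().lower(), text.strip().upper().replace(" ", "_"))
    try:
        return enum[key]
    except KeyError:
        raise ValueError(f"{text!r} is not a {enum.__name__} term in the taxonomy") from None


@dataclass(frozen=True)
class Intrusion:
    """Tool + vulnerability + event (action on target) + unauthorized result.
    result=None marks an attempted intrusion: intent and tool were present,
    the defence held, and nothing unauthorized resulted."""
    label: str
    tool: Tool
    vulnerability: Vulnerability
    action: Action
    target: Target
    result: Optional[Result]

    @property
    def attempted(self):
        return self.result is None


def classify(label, tool, vulnerability, action, target, result=None):
    """Build an Intrusion from report text, rejecting terms outside the taxonomy."""
    return Intrusion(label, term(Tool, tool), term(Vulnerability, vulnerability),
                     term(Action, action), term(Target, target),
                     None if result is None else term(Result, result))


@dataclass
class IntrusionSet:
    """Multiple related intrusions. The intrusion fields answer 'what';
    intruder and objective ('who' and 'why') stay None until attribution."""
    intrusions: list
    intruder: Optional[str] = None
    objective: Optional[Objective] = None

    @property
    def attributed(self):
        return self.intruder is not None and self.objective is not None

    def result_counts(self):
        counts = {r: 0 for r in Result}
        counts["attempted"] = 0
        for i in self.intrusions:
            counts["attempted" if i.attempted else i.result] += 1
        return counts

    def report_lines(self):
        """Lesson's criterion: report every unauthorized result, actual or
        attempted; attempts are flagged, not silently dropped."""
        lines = []
        for i in self.intrusions:
            outcome = "ATTEMPTED (no unauthorized result)" if i.attempted else i.result.name
            lines.append(f"{i.label}: {i.tool.name} -> {i.vulnerability.name} -> "
                         f"{i.action.name} on {i.target.name} => {outcome}")
        return lines


def case_study():
    """The lesson's three intrusions plus one blocked attempt (constructed;
    the Intrusion 2 target and all attempt details are assumptions)."""
    return IntrusionSet([
        classify("Intrusion 1", "user command", "design", "authenticate", "account", "increased access"),
        classify("Intrusion 2", "user command", "design", "bypass", "computer", "root level access"),
        classify("Intrusion 3", "user command", "design", "steal", "data", "disclosure of information"),
        classify("Attempt", "script or program", "configuration", "bypass", "account", None),
    ])


if __name__ == "__main__":
    s = case_study()
    print("\n".join(s.report_lines()))
    print("attributed:", s.attributed)
```

The point of the enum columns is that a report either fits the common language or is refused at intake; a term like "hack" never reaches the data set, which is what makes the counts from `result_counts` comparable across organisations.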
New Work
• CERT-CC: AirCERT, an effort to collect nationwide incident data
• US Military: Joint Task Force-CNO
• FBI: Cyber Forensic Centers
• ITAC:
SUMMARY
• Common Taxonomy Developed
• Increased Data Sharing Ongoing
• Prosecutions Increasing