240 likes | 417 Views
Lesson 3 Computer Security Incidents Taxonomy. Need an accepted taxonomy because. Provides a common frame of reference If no taxonomy, then we: Can’t develop common reporting criteria Can’t develop processes and standardization Ultimately-no IA “Common Language”.
E N D
Lesson 3 Computer Security Incidents Taxonomy
Need an accepted taxonomy because . . . • Provides a common frame of reference • If no taxonomy, then we: • Can’t develop common reporting criteria • Can’t develop processes and standardization • Ultimately-no IA “Common Language”
Logically related columns B + = C A 1 1 1 Must be: 2 2 2 3 3 3 Categories 4 4 5 Must have these characteristics . . . Taxonomy Exhaustive Mutually exclusive Repeatable Unambiguous Accepted Useful
Where to start? • The inability to share data because of non- • standard terminology is not a new problem • For this reason several computer security • taxonomies have already been developed • Most comprehensive study done by Sandia • Labs in conjunction with Carnegie Mellon • University • Currently in use at Carnegie Mellon’s • CERT/CC • Sandia Report: “A Common Language for Computer • Security Incidents”, John D. Howard and • Thomas A. Longstaff (October 1998)
Incident Attack Event Unauthorized Result Attackers Tool Vulnerability Action Objectives Target Increased Access Challenge, Status, Thrills Physical Attack Hackers Probe Account Design Disclosure of Information Network Based Taxonomy Political Gain Information Exchange Scan Spies Process Implementation Corruption of Information Financial Gain User Command Configuration Flood Terrorists Data Script or Program Denial of Service Corporate Raiders Damage Authenticate Component Theft of Resources Autonomous Agent Professional Criminals Computer Bypass Spoof Toolkit Network Vandals Distributed Tool Voyeurs Internetwork Read Data Tap Copy Steal Modify Delete Sandia Labs Network Based Taxonomy
Incident Intrusions Attacks Objectives Attackers Intruders Basic Model Tool Vulnerability Action Target Unauthorized Result Objectives Attackers
Computer Network Incident Defended Network Intrusions • Increased access • Disclosure of info • Theft of resources • Corruption of info • Denial of Service Objectives • Status/Thrills • Political Gain • Financial Gain • Damage Computer Network “Incident” Intruders • Hackers • Terrorists • Other
Intrusion Event Action Target Intrusion Taxonomy Tool Tool Vulnerability Vulnerability Action Action Target Target Unauthorized Result Unauthorized Result Intruders Objectives
Intrusion SECURITY Connection • Vulnerabilities • Design • Implementation • Configuration Intruder Tools • Physical force • Info exchange • User command • Script/Program • Autonomous agent • Toolkit • Distributed tool • Data tap Defended Network • Thrills • Political Gain • Financial Gain • Damage Intrusion Jl;j;j jjl;j;lj jl;kllkj • Events • Action • Target • Unauthorized • Results • Increased access • Disclosure • Corrupt data • Denial of Service • Theft Objective
Attempted Intrusion Intruder FIREWALL FIREWALL Connection Tools • Physical force • Info exchange • User command • Script/Program • Autonomous agent • Toolkit • Distributed tool • Data tap Defended Network Did have Intent • Thrills • Political Gain • Financial Gain • Damage Intrusion Jl;j;j jjl;j;lj jl;kllkj • Vulnerabilities • Design • Implementation • Configuration No Unauthorized Results Objective
Intrusion Attack Taxonomy in practice . . . Event Sandia Labs Intruders Objectives Unauthorized Result Action Tool Vulnerability Target Design Increased Access Physical Force Probe Account Design Process Disclosure of Information Information Exchange Scan Process Implementation Corruption of Information User Command Flood Configuration Data Denial of Service Script or Program Denial of Service Authenticate Component Bypass Theft of Resources Autonomous Agent Computer Bypass Toolkit Spoof Network Toolkit Distributed Tool Internetwork Read Copy Data Tap Steal Modify Delete Intrusion taxonomy in practice . . . Corruption of Data Computer Network Intrusion
Intrusion Attack Taxonomy in practice . . . Event Sandia Labs Intruders Objectives Unauthorized Result Action Tool Vulnerability Target Increased Access Physical Force Design Probe Account Design Disclosure of Information Information Exchange Process Scan Process Implementation Intrusion Corruption of Information User Command Flood Configuration Data Script or Program Denial of Service Authenticate Component Theft of Resources Autonomous Agent Bypass Computer Bypass Tool Kit Spoof Network Toolkit Distributed Tool Internetwork Read Copy Data Tap Steal Modify Delete Intrusion taxonomy in practice . . . Unauthorized Result Increased Access Authorized User Authorized User Insider Threat
Taxonomy applied A CaseStudy
Intrusion Event Unauthorized Result Tool Vulnerability Action Target Increased Access Physical Force Design Account Probe Account Design Disclosure of Information Information Exchange Scan Process Implementation Corruption of Information User Command User Command Configuration Flood Data Script or Program Denial of Service Authenticate Authenticate Component Theft of Resources Autonomous Agent Computer Bypass Spoof Toolkit Network Distributed Tool Internetwork Read Data Tap Copy Steal Modify Delete Attack Sandia Labs Intruders Objectives Increased Access Network Based Taxonomy Network Based Taxonomy Intrusion 1
Tool Vulnerability Action Physical Force Root Access Design Probe Design Information Exchange Process Scan Implementation User Command User Command Configuration Flood Script or Program Authenticate Autonomous Agent Bypass Bypass Spoof Toolkit Distributed Tool Read Data Tap Copy Steal Intrusion 2 Modify Delete Intrusion 1 - Increased Acess Intruders Objectives Unauthorized Result Target Increased Access Account Disclosure of Information Process Corruption of Information Data Denial of Service Component Theft of Resources Computer Network Internetwork
Unauthorized Result Tool Vulnerability Action Target Increased Access Physical Force Design Probe Account Design Disclosure of Information Information Exchange Scan Process Implementation Corruption of Information User Command Data User Command Configuration Flood Data Script or Program Denial of Service Authenticate Component Theft of Resources Autonomous Agent Computer Bypass Spoof Toolkit Network Distributed Tool Internetwork Read Data Tap Copy Steal Steal Intrusion 3 Modify Delete Intrusion 2 - Root Level Access Intrusion 1 - Increased Access Intruders Objectives Root Access Disclosure of Information
Unauthorized Result Tool Vulnerability Action Target Increased Access Physical Force Probe Account Design Disclosure of Information Information Exchange Scan Process Implementation Corruption of Information User Command Configuration Flood Data Script or Program Denial of Service Authenticate Component Theft of Resources Autonomous Agent Computer Bypass Spoof Toolkit Network Distributed Tool Internetwork Read Data Tap Copy Steal Modify Delete Intrusion 3 - Disclosure of Information Intrusion 2 - Root Level Access Intrusion 1 - Increased Access Intruders Objectives
Unauthorized Result Tool Vulnerability Action Target Increased Access Physical Force Probe Account Design Disclosure of Information Information Exchange Process Implementation Scan Process Implementation Corruption of Information User Command Configuration Flood Data Script or Program Denial of Service Denial of Service Script or Program Authenticate Component Theft of Resources Autonomous Agent Theft of Resources Computer Bypass Spoof Toolkit Network Distributed Tool Internetwork Read Data Tap Copy Steal Modify Modify Delete Intrusion 3 - Disclosure of Information Intrusion 2 - Root Level Access Intrusion 1 - Increased Access Intruders Objectives Disclosure of Information
Tool Vulnerability Unauthorized Result Action Target New definition: “Intrusion Set” Multiple related intrusions = “Intrusion Set” Multiple Events Objective Intruder
Need to know who? • Need to know why? ? Intruder AND OBJECTIVES Who? What? Why? • answer the what Intrusion Sets • Need more information to get to • attribution
Objectives Intruders Attribution Who and Why? Intrusion Set Tool Vulnerability Action Target Unauthorized Result
Not every event? Intrusion(s) Action Action Target Target Unauthorized Result Action Tool Vulnerability Target Increased Access Including intrusion data Disclosure of Information Corruption of Information Unauthorized Result Unauthorized Result Denial of Service Increased Access Theft of Resources Disclosure of Information Must report all unauthorized results (Actual or attempted) Corruption of Information Denial of Service Theft of Resources Objective reporting criteria Action Attackers Tool Vulnerability Target Objectives Intruders Challenge, Status, Thrills Physical Force Challenge, Status, Thrill Hackers Probe Hackers Account Design Political Gain Information Exchange Scan Group 1 Pol/Mil Gain Spies Process Spies Implementation Financial Gain User Command Flood Configuration Terrorists Data Terrorists Financial gain Script or Program Corporate Raiders Corporate Raiders Group 2 Damage Authenticate Component Damage Professional Criminals Autonomous Agent Professional Criminals Computer Bypass Group 3 Spoof Network Toolkit Vandals Vandals Distributed Tool Voyeurs Internetwork Voyeurs Read Group 4 Copy Data Tap Steal Modify Delete
New Work • POTUS: Privacy Bill of Rights • DHS: Multi-State Information Sharing and Analysis Center (MS-ISAC) Cyber Security Operations Center • US Military: US Cyber Command • JCS: Joint Terminology for Cyber Operations • FBI: Cyber Forensic Centers in Major Cities
SUMMARY • Common Taxonomy Developed • Increased Data Sharing Ongoing • Prosecutions Increasing