Lesson 3: Computer Security Incidents Taxonomy

Need an accepted taxonomy because . . .
• Provides a common frame of reference
• If no taxonomy, then we:
  • Can’t develop common reporting criteria
  • Can’t develop processes and standardization
  • Ultimately, no IA “Common Language”

Must have these characteristics . . .
Logically related columns (each incident is described by picking one cell from each column), and the columns must be:
• Exhaustive
• Mutually exclusive
• Repeatable
• Unambiguous
• Accepted
• Useful

Where to start?
• The inability to share data because of nonstandard terminology is not a new problem
• For this reason several computer security taxonomies have already been developed
• Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
• Currently in use at Carnegie Mellon’s CERT/CC
• Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)

Sandia Labs taxonomy (Incident / Attack / Event)
An Event is an Action directed at a Target. An Attack is a Tool used against a Vulnerability to cause an Event that produces an Unauthorized Result. An Incident is one or more Attacks carried out by Attackers to reach their Objectives.
• Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
• Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
• Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage

Network Based Taxonomy: Basic Model
• Incident / Attacks become Intrusions
• Attackers become Intruders
• Columns remain: Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives

Computer Network “Incident”
• Intruders (Hackers, Terrorists, Other) act against the Defended Network
• Unauthorized results: Increased access, Disclosure of info, Theft of resources, Corruption of info, Denial of Service
• Objectives: Status/Thrills, Political Gain, Financial Gain, Damage
Intrusion Taxonomy
Intrusion = Intruders + Tool + Vulnerability + Event (Action + Target) + Unauthorized Result + Objectives
• Vulnerabilities: Design, Implementation, Configuration
• Tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
• Events: Action, Target
• Unauthorized Results: Increased access, Disclosure, Corrupt data, Denial of Service, Theft
• Objectives: Thrills, Political Gain, Financial Gain, Damage

Intrusion / Attack / Event in practice . . .
The Sandia Labs columns, relabelled for the network-based taxonomy: Intruders, Tool (Physical Force, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap), Vulnerability (Design, Implementation, Configuration), Action (Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete), Target (Account, Process, Data, Component, Computer, Network, Internetwork), Unauthorized Result (Increased Access, Disclosure of Information, Corruption of Data, Denial of Service, Theft of Resources), Objectives.

Taxonomy applied
• The Intruders column gains Authorized User: the insider threat
• All other columns are unchanged

Network Based Taxonomy: worked intrusions
• Intrusion 1 - Increased Access (cells emphasized on the slide: User Command, Design, Authenticate, Account, Increased Access)
• Intrusion 2 - Root Level Access (cells emphasized: User Command, Design, Bypass, Process, Root under Increased Access)
• Intrusion 3 - Disclosure of Information (cells emphasized: Steal, Data, Disclosure of Information)
• A closing slide, still listing Intrusions 1 to 3, also emphasizes Script or Program, Implementation, Modify, Process, Disclosure of Information and Denial of Service

New definition: “Intrusion Set”
• Multiple related intrusions = “Intrusion Set”
• Multiple Events, each described by Intruder, Tool, Vulnerability, Action, Target, Unauthorized Result, Objective

Who? What? Why?
• The taxonomy columns answer the what
• Need more information to get to attribution
• Need to know who?
• Need to know why?
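The lesson makes two points that a small model makes concrete: every record must take exactly one value from each column of the agreed vocabulary (mutually exclusive, exhaustive, repeatable), and related intrusions can then be grouped into an intrusion set that answers the “what” while leaving “who” and “why” for attribution. The Python below is an added example written for this page, not code from the lesson or from the Howard and Longstaff report. It encodes the column vocabularies shown on the slides, rejects records that use terms outside them, and groups intrusions into sets. The grouping rule (same intruder class and same objective) is an assumption made for the example, and the three sample intrusions are constructed from the Intrusion 1 to 3 slides, with the intruder class, the objective and the tool for the third step chosen here for illustration.

```python
"""Howard/Longstaff-style intrusion records as a common reporting format.

Added example (not from the lesson or from the Sandia/CERT report): encodes the
column vocabularies shown on the slides and checks each record against them.
"""
from dataclasses import dataclass, asdict
from collections import Counter
import json

# Column vocabularies, taken from the slides (the network-based variant that
# uses Intruders / Physical Force and adds Authorized User as an intruder class).
TAXONOMY = {
    "intruder": {"Hackers", "Spies", "Terrorists", "Corporate Raiders",
                 "Professional Criminals", "Vandals", "Voyeurs", "Authorized User"},
    "tool": {"Physical Force", "Information Exchange", "User Command",
             "Script or Program", "Autonomous Agent", "Toolkit",
             "Distributed Tool", "Data Tap"},
    "vulnerability": {"Design", "Implementation", "Configuration"},
    "action": {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof",
               "Read", "Copy", "Steal", "Modify", "Delete"},
    "target": {"Account", "Process", "Data", "Component", "Computer",
               "Network", "Internetwork"},
    "result": {"Increased Access", "Disclosure of Information",
               "Corruption of Information", "Denial of Service",
               "Theft of Resources"},
    "objective": {"Challenge, Status, Thrills", "Political Gain",
                  "Financial Gain", "Damage"},
}


class TaxonomyError(ValueError):
    """A record uses a value outside the agreed vocabulary."""


@dataclass(frozen=True)
class Intrusion:
    intrusion_id: str
    intruder: str
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str
    objective: str

    def __post_init__(self):
        # Exactly one value per column (mutually exclusive) and every value
        # drawn from the vocabulary (exhaustive over what the team has agreed).
        for column, allowed in TAXONOMY.items():
            value = getattr(self, column)
            if value not in allowed:
                raise TaxonomyError(f"{column}={value!r} is not in the common language")

    @property
    def event(self):
        """Event = Action + Target, the smallest unit in the model."""
        return (self.action, self.target)

    def to_record(self):
        """Serialize to the shared reporting format (one JSON object per intrusion)."""
        return json.dumps(asdict(self), sort_keys=True)


def intrusion_sets(intrusions):
    """Group related intrusions into intrusion sets.

    Assumption for this example: intrusions are related when the same intruder
    class pursues the same objective; real attribution would add who/why data.
    """
    sets = {}
    for i in intrusions:
        sets.setdefault((i.intruder, i.objective), []).append(i)
    return sets


def result_profile(intrusion_set):
    """Count unauthorized results in a set: the 'what' of a report."""
    return Counter(i.result for i in intrusion_set)


def is_in_common_language(**fields):
    """True if a proposed record validates; nonstandard terms are rejected."""
    try:
        Intrusion(**fields)
        return True
    except TaxonomyError:
        return False


# Constructed sample: the three linked intrusions from the lesson's slides
# (increased access -> root-level access -> disclosure). The intruder class,
# the objective and the tool for INT-3 are assumptions made for this example.
SAMPLE = [
    Intrusion("INT-1", "Hackers", "User Command", "Design", "Authenticate",
              "Account", "Increased Access", "Financial Gain"),
    Intrusion("INT-2", "Hackers", "User Command", "Design", "Bypass",
              "Process", "Increased Access", "Financial Gain"),
    Intrusion("INT-3", "Hackers", "Script or Program", "Implementation", "Steal",
              "Data", "Disclosure of Information", "Financial Gain"),
]

if __name__ == "__main__":
    for key, members in intrusion_sets(SAMPLE).items():
        print(key, [m.intrusion_id for m in members], dict(result_profile(members)))
```

Because the vocabulary check runs in `__post_init__`, a record written with a local term such as “Exploit Kit” fails at construction time rather than silently entering a shared database under a name other teams cannot match, which is the data-sharing problem the lesson describes.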
Intrusion Set and Attribution (Who and Why?)
• The intrusion set records Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result and Objectives for each intrusion
• Attribution adds the who and the why to that record

Objective reporting criteria
• Not every event is an intrusion: reporting criteria decide what is recorded, including which intrusion data is captured
• Attackers grouped for reporting: Group 1 (Hackers, Spies, Terrorists); Group 2 (Corporate Raiders, Professional Criminals); Group 3 (Vandals); Group 4 (Voyeurs)
• Tool: Physical Force, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
• Target: Account, Process, Data, Component, Computer, Network, Internetwork
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
• Objectives: Challenge, Status, Thrills; Political/Military Gain; Financial Gain; Damage

New Work
• US Military: US Cyber Command
• FBI: Cyber Forensic Centers
• MITRE ATT&CK – Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a model and framework for describing the actions an adversary may take while operating within an enterprise network.
• MITRE ATT&CK matrix: https://attack.mitre.org/wiki/File:ATT%26CK_Matrix.png#file
• REF: https://attack.mitre.org/index.php/Main_Page

SUMMARY
• Common Taxonomy Developed
• Increased Data Sharing
• Ongoing Prosecutions Increasing
• More Frameworks emerging