1 / 24

Incident Analysis

Incident Analysis. Why Incident Analysis?. Bad Guys! Threats growing Vulnerabilities Increasing Internet now part of the social fabric Impact of major cyber-attack would be significant Cascading effects a major concern Reactive response must give way to Proactive preparation.

avery
Download Presentation

Incident Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Incident Analysis

  2. Why Incident Analysis? • Bad Guys! • Threats growing • Vulnerabilities Increasing • Internet now part of the social fabric • Impact of major cyber-attack would be significant • Cascading effects a major concern • Reactive response must give way to Proactive preparation

  3. Analytic Approach • The systematic and broad-scale accumulation of understanding for current and prospective behaviors on the Internet. • Technical, Political, Economic, and Social triggers • Attacks and defenses • Vulnerabilities and corrections • Victims and perpetrators • Physical-world impacts

  4. One Effort – Looking Inside the Noise Network Activity Example Overall Activity Several Gbytes/day Noise - Below the Radar

  5. Traffic is business-dominated

  6. A taxonomy of Attributes • Backscatter: Few sources, scattered evenly across enterprise network, generally contains RST or ACK flags. • Scans: Single source, usually strikes the same port on many machines, or different ports on the same machine • DoS: Multiple sources, single target, usually homogenous (but no requirement). May be oddly sized • Worms: Scanning from a steadily increasing number of hosts • Major servers: Identifiable by IP addresses.

  7. Let’s Play “Find The Scan”! Hmmmm

  8. Example DDoS Attack

  9. Example: SQLSlammer

  10. Slammer: Precursor Detection 160000 140000 120000 100000 Flows 80000 Series1 60000 40000 20000 0 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 0 1 2 3 4 Hour 1/24:00 1/25:04

  11. Fusion Efforts • Small Packet Probes analyzed • Patterns emerged • Identified potential threat • Analysis of CERT/CC Incident Data • Identified possible link between state and hacker groups • Hacker communications assessment • Working on profiles, country studies, event analysis

  12. Results of Fused Analysis • What was determined? • Data collected showed definite network indicators • Methodology can be developed to provide possible warning indicators • Based on limited dataset, network indicators suggest possible malicious probes by China • Network Indicators suggest number of motivations • Exploitation • Site mapping • Intelligence gathering for further activity

  13. Incident data flow Pr ior i t I zed At tacks Organization 1 Repor ted Incidents Observed Event s Context Filter Organization 2 Organization 3 Prioritize Context Organization n

  14. Why Share Incident Information? • Help in dealing with current attack • Improve future software • Better baseline for next attacks • Support non-technical solutions • Prosecution • Diplomacy • Legislation

  15. Why not share Incident Information? • Fear of publicity • Fear of stimulating attacks • Fear of educating attackers • Forcing action ahead of decision-makers • Fear of offending suppliers/customers

  16. How well does current response work? • For some incidents – great! • Viruses / slow worms • Narrow attacks • For others – not so great • Very fast worms • Covert compromises (Rootkits) • Broad attacks • Mass attacks

  17. Hybris Incidents

  18. Rootkit Incidents

  19. Role-based Incident Severity Tier Assignment Fusion Framework Incidents I1 I2 … In Clustering and Extrapolation System Mission Criticality Databases: DoD/MAC, Project Matrix, Key Asset Initiative Extrapolated Incidents (X-Incidents) X1 X2 … Xm Incidents Excluded Correlation and Abduction X-Incident Chains C1 C2 … Cm Other factors: Political, Social, Economic … System Admin T1 T2 T3 T4 T5 Law Enfrcmnt T1 T2 T3 T4 T5 Coord. CSIRT T1 T2 T3 T4 T5

  20. Clustering and Extrapolation • Clustering groups reports into meaningful classes • Similarity metric applied to common features • Cohesion function calculates degree of similarity • Clustering generates overlapping clusters (clumps) • Minimizes cohesion function betweens incident sets • Extrapolation fills in the reporting gaps • Extrapolation criterion establishes when and how • Generates extrapolated incidents (x-incidents)

  21. Correlation and Abduction • Identifies sequences that constitute staged attack • Generates x-incident chains • Starting context establishes understanding of initial system/network configuration • Causal relationships through pre-/post-condition chaining • Precondition of first incident must satisfy starting context • Postcondition of each incident must satisfy precondition of the subsequent incident • Techniques available (abduction) for filling in gaps • Strings together x-incident chains using attack patterns • Abduction criterion establishes when and how

  22. SubSeven Trojan horse Enables Leaves worm building “Bot Network” Launches Denial-of-service attack Ongoing uses of “Bot Network” Example 1. Clustering and extrapolation based on intruder tool signature 3. Correlation based on Leaves’ scan for SubSeven signature 2. Clustering based target of attack and flooding approach 4. Abduction using distributed denial of service pattern

  23. Challenges to Analysis Research • Gathering sufficient datasets to make statistically valid judgments • Developing automated technical analysis tools • Developing a reliable methodology for cyber-analysis • Overcoming organizational bias against sharing information

  24. Limits of Analysis • Inherently partial data • Baseline in dynamic environment • Correlation vs. Causation • Implications • Need to be cautious in kinds of conclusions • Consider strategies for dealing with analysis gone wrong

More Related