Taxonomy of Computer Security Incidents
Yashodhan Fadnavis
How does it help?
• A taxonomy gives common names to events
• Allows security against a ‘class’ of attacks
Satisfying Taxonomy
• Mutually Exclusive
• Exhaustive
• Unambiguous
• Repeatable
• Accepted
• Useful
Listing Terms
• E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking
• A plain list fails the six satisfying properties = bad taxonomy.
• Lists can be never-ending.
Listing categories
Cheswick and Bellovin List
• Stealing passwords: Password sniffing, Brute force
• Social Engineering: Eavesdropping, Harassment
• Bugs and backdoors: Covert channels, Viruses, Logic Bombs
• Authentication Failures: Software loopholes
• Protocol Failures: WEP loopholes, Source address spoofing
• Info Leakage: Software piracy
• DoS: Degradation of service, Session hijacking
Other taxonomies
• Result categories
• Empirical categories
• Matrices
Incident Taxonomy
• Event: An action directed at a target which is intended to result in a change of the state of the target.
• Action: A step taken by a user or a process to achieve a result.
• Target: A computer or a network logical entity.
Action + Target = Event
Event
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read
• Target: Account, Process, Data, Network, Computer
Attack
Tool + Vulnerability + Event (Action + Target) + Unauthorized result = Attack
• Tool: Physical Attack, Information Exchange, User Command, Script or program, Autonomous Agent, Toolkit
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read
• Target: Account, Process, Data, Component, Computer
• Unauthorized result: Increased Access, Disclosure of Information, Corruption of Information, DoS, Theft of resources
Incident
• Incident: A group of attacks that can be distinguished from other attacks because of the uniqueness of the attackers, objectives, sites and timing.
Attackers + Attack + Objectives = Incident
Incident Taxonomy
Incident
• Attacker: Hackers, Spies, Terrorists, Corporate Attackers, Professional Criminals, Vandals, Voyeurs
• Objectives: Challenge, Status, Thrill; Political Gain; Financial Gain; Damage
Federal Incident Reporting Guidelines
• Agency name
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc.)
• Incident Timestamp
• Source IP, Destination IP, port, and protocol
• Operating System, including version, patches, etc.
• System Function (e.g., DNS/web server, workstation, etc.)
• Antivirus software installed, including version, and latest updates
• Location of the system(s) involved in the incident (e.g. Clemson)
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
• Impact to agency
• Resolution
Federal Agency Incident Categories
(Category, Name: Reporting Timeframe)
• CAT 0, Exercise/Network Defense Testing: Not Applicable; this category is for each agency's internal use during exercises.
• CAT 1, *Unauthorized Access: Within one (1) hour of discovery/detection.
• CAT 2, *Denial of Service (DoS): Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
• CAT 3, *Malicious Code: Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.
• CAT 4, *Improper Usage: Weekly.
• CAT 5, Scans/Probes/Attempted Access: Monthly. Note: If system is classified, report within one (1) hour of discovery.
• CAT 6, Investigation: Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.
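As an added illustration (not part of the slides), the following Python encodes the two structures the deck walks through: an attack record validated against the fixed value sets of the attack taxonomy (tool, vulnerability, action, target, unauthorized result), and the reporting timeframe from the Federal Agency Incident Categories table, including its conditional rows (ongoing unmitigated DoS, widespread malicious code, classified system). The category numbers and timeframes come from the table; the class, function and flag names are my own, and "Monthly" is approximated as 30 days.

```python
from dataclasses import dataclass
from datetime import timedelta
from typing import Optional

# Value sets copied from the attack taxonomy slide.
TOOLS = {"Physical Attack", "Information Exchange", "User Command",
         "Script or program", "Autonomous Agent", "Toolkit"}
VULNERABILITIES = {"Design", "Implementation", "Configuration"}
ACTIONS = {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof", "Read"}
TARGETS = {"Account", "Process", "Data", "Component", "Computer"}
RESULTS = {"Increased Access", "Disclosure of Information",
           "Corruption of Information", "DoS", "Theft of resources"}


@dataclass(frozen=True)
class Attack:
    """Attack = tool + vulnerability + event (action + target) + unauthorized result."""
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str

    def __post_init__(self) -> None:
        # A taxonomy is only unambiguous and repeatable if every record uses the
        # same fixed vocabulary, so reject anything outside the slide's value sets.
        checks = (("tool", self.tool, TOOLS), ("vulnerability", self.vulnerability, VULNERABILITIES),
                  ("action", self.action, ACTIONS), ("target", self.target, TARGETS),
                  ("result", self.result, RESULTS))
        for name, value, allowed in checks:
            if value not in allowed:
                raise ValueError(f"{name}={value!r} is not in the taxonomy")


def reporting_deadline(category: int, *, ongoing_unmitigated: bool = False,
                       widespread: bool = False, classified_system: bool = False
                       ) -> Optional[timedelta]:
    """Time allowed after discovery/detection, per the Federal Agency Incident
    Categories table. None means the table states no fixed timeframe."""
    hour = timedelta(hours=1)
    if category == 1:                  # Unauthorized Access
        return hour
    if category == 2:                  # DoS: only the ongoing, unmitigated case is timed
        return 2 * hour if ongoing_unmitigated else None
    if category == 3:                  # Malicious Code: daily, one hour if widespread
        return hour if widespread else timedelta(days=1)
    if category == 4:                  # Improper Usage
        return timedelta(weeks=1)
    if category == 5:                  # Scans/Probes: monthly, one hour if classified
        return hour if classified_system else timedelta(days=30)  # "Monthly" as 30 days (assumption)
    return None                        # CAT 0 and CAT 6: Not Applicable
```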
Questions?