A Common Language for Computer Security Incidents
John D. Howard, Thomas A. Longstaff
Presented by: Jason Milletary
9 November 2000
The Problem
Security incident data is compiled by many sources
Lack of agreement between the security incident terms used by different sources
Unable to combine and compare data for useful analysis
Common Language Project
Cooperation between Sandia National Labs and CERT/CC
Develop a minimum set of high-level terms for security incidents
Flexible enough to allow site-specific low-level terms
Develop a taxonomy for these terms
Classification scheme that defines the terms and their relationships
Satisfactory Taxonomy
Characteristics
Mutually exclusive
Exhaustive
Unambiguous
Repeatable
Accepted
Useful
Review of Previous Taxonomies
List of terms
List of categories: External abuse of resource, masquerading
Matrices: Corruption, denial
Empirical lists: Social engineering, denial-of-service
Results categories: Trap doors, IP spoofing, dumpster diving
Vulnerabilities vs. potential perpetrators
Action-based: Interruption, interception
CLP Incident Taxonomy
Events
Event: An action directed at a target, intended to change the state of that target*
Action: A step taken by a user or process in order to achieve a result*
Target: A logical entity (data, account) or a physical entity (computer, network)
CLP Incident Taxonomy
Event diagram: event = action directed at target
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork
CLP Incident Taxonomy
Attacks
Attack: Use of a tool to exploit a vulnerability to perform an action on a target in order to achieve an unauthorized result
Tool: Means or method by which a vulnerability is exploited
Vulnerability: System weakness through which unauthorized access can be gained
Unauthorized result: A consequence of the event phase of an attack
CLP Incident Taxonomy
Attack diagram: attack = tool, vulnerability, event (action, target), unauthorized result
Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
Vulnerability: Design, Implementation, Configuration
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork
Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Data, Denial of Service, Theft of Resources
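The slides above define the attack-level vocabulary and note that the common language must still let each site keep its own low-level terms. The following added example (not code from the paper or the CLP project; site names, local terms and sample records are constructed) encodes that vocabulary, maps two sites' local terms onto the common terms, rejects records that fall outside the taxonomy, and then counts attacks per unauthorized result across both sites, which is the kind of combined analysis the first slide says is impossible without a shared vocabulary.

```python
from collections import Counter
# Common high-level vocabularies, as drawn on the attack slide.
TAXONOMY = {
    "tool": {"physical attack", "information exchange", "user command",
             "script or program", "autonomous agent", "toolkit",
             "distributed tool", "data tap"},
    "vulnerability": {"design", "implementation", "configuration"},
    "action": {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
               "read", "copy", "steal", "modify", "delete"},
    "target": {"account", "process", "data", "component", "computer",
               "network", "internetwork"},
    "result": {"increased access", "disclosure of information",
               "corruption of data", "denial of service", "theft of resources"},
}

# Site-specific low-level terms, each mapped onto one common term.
# Site names and local terms are constructed for this example.
SITE_MAPS = {
    "site-a": {"portscan": ("action", "scan"), "synflood": ("action", "flood"),
               "root shell": ("result", "increased access")},
    "site-b": {"sweep": ("action", "scan"), "dos": ("result", "denial of service"),
               "leak": ("result", "disclosure of information")},
}

def normalize(site, record):
    """Translate one site's attack record into common terms and validate it."""
    out = {}
    for field, value in record.items():
        field, value = SITE_MAPS.get(site, {}).get(value, (field, value))
        if value not in TAXONOMY.get(field, ()):
            raise ValueError(f"{site}: {value!r} is not a CLP {field} term")
        out[field] = value
    missing = TAXONOMY.keys() - out.keys()  # an attack needs all five fields
    if missing:
        raise ValueError(f"{site}: attack record lacks {sorted(missing)}")
    return out

def count_results(records):
    """Merge (site, record) pairs from every site; count attacks per result."""
    return Counter(normalize(site, r)["result"] for site, r in records)

RECORDS = [  # constructed sample records, one attack each
    ("site-a", {"tool": "script or program", "vulnerability": "implementation",
                "action": "synflood", "target": "computer", "result": "denial of service"}),
    ("site-b", {"tool": "toolkit", "vulnerability": "configuration",
                "action": "sweep", "target": "network", "result": "leak"}),
    ("site-a", {"tool": "user command", "vulnerability": "design",
                "action": "bypass", "target": "account", "result": "root shell"}),
]
```

A record that uses another site's local term, or that omits one of the five attack fields, is rejected rather than silently counted under the wrong category.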
CLP Incident Taxonomy
Incident: A distinct group of attacks involving specific attackers, attacks, objectives, sites, and timing
Attacker: Individual(s) who use one or more attacks to reach an objective
Objective: End goal of an incident
CLP Incident Taxonomy
Incident diagram: incident = attackers, attacks (tool, vulnerability, event, unauthorized result), objectives
Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
Vulnerability: Design, Implementation, Configuration
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork
Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Data, Denial of Service, Theft of Resources
Objectives: Challenge, status, thrill; Political gain; Financial gain; Damage
CLP Incident Taxonomy
Other terms
Site and site name
Dates
Incident numbers
Corrective action
Future Plans
Implement common language
Analysis of data
Database
Forensics
Trending
Insight into hacker objectives and motives
Sharing of data between response teams