Incident Analysis
1
Why Incident Analysis?
• Bad Guys!
• Threats growing
• Vulnerabilities Increasing
• Internet now part of the social fabric
• Impact of major cyber-attack would be significant
• Cascading effects a major concern
• Reactive response must give way to Proactive preparation
2
Analytic Approach
• The systematic and broad-scale accumulation of understanding for current and prospective behaviors on the Internet.
• Technical, Political, Economic, and Social triggers
• Attacks and defenses
• Vulnerabilities and corrections
• Victims and perpetrators
• Physical-world impacts
3
One Effort – Looking Inside the Noise
[Figure: Network Activity Example. Overall activity of several Gbytes/day; the noise of interest sits below the radar.]
4
Traffic is business-dominated
[Figure: Web Traffic (ports 80 and 443), packets per hour (0 to 450,000,000) vs. Date / Time GMT, 01/11/2003 to 01/18/2003. Series: Outside Web service, Inside Browsing, Inside Web Service, Outside Browsing.]
5
A taxonomy of Attributes
• Backscatter: Few sources, scattered evenly across the enterprise network, generally contains RST or ACK flags.
• Scans: Single source, usually strikes the same port on many machines, or different ports on the same machine
• DoS: Multiple sources, single target, usually homogeneous (but no requirement). May be oddly sized
• Worms: Scanning from a steadily increasing number of hosts
• Major servers: Identifiable by IP addresses.
6
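As an added illustration (not code from the slides), the attribute heuristics above applied to constructed flow records; the field names, thresholds and addresses are assumptions, and a worm is recognised by the per-hour count of scanning hosts rising steadily:

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "hour src dst dport flags")

def scanning_sources(flows, min_fanout=5):
    """Sources matching the scan attribute: one port across many hosts,
    or many ports on one host (fan-out threshold is an assumption)."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    scanners = set()
    for src, fl in by_src.items():
        dsts = {f.dst for f in fl}
        ports = {f.dport for f in fl}
        if (len(dsts) >= min_fanout and len(ports) == 1) or \
           (len(dsts) == 1 and len(ports) >= min_fanout):
            scanners.add(src)
    return scanners

def classify_window(flows):
    """Label one time window with the attribute it best matches."""
    srcs = {f.src for f in flows}
    dsts = {f.dst for f in flows}
    rst_ack = sum(f.flags in ("R", "RA", "A") for f in flows)
    # Backscatter: few sources, RST/ACK replies spread across many inside hosts
    if len(srcs) <= 2 and len(dsts) >= 10 and rst_ack >= 0.8 * len(flows):
        return "backscatter"
    # Scan: a single source doing all the fan-out
    if len(srcs) == 1 and scanning_sources(flows):
        return "scan"
    # DoS: many sources converging on a single target
    if len(dsts) == 1 and len(srcs) >= 10:
        return "dos"
    return "unclassified"

def worm_trend(flows, min_hours=3):
    """Worm attribute: the count of scanning hosts rises every hour."""
    by_hour = defaultdict(list)
    for f in flows:
        by_hour[f.hour].append(f)
    counts = [len(scanning_sources(by_hour[h])) for h in sorted(by_hour)]
    return len(counts) >= min_hours and all(a < b for a, b in zip(counts, counts[1:]))

# Constructed sample windows (documentation address ranges, not data from the slides)
BACKSCATTER = [Flow(0, "203.0.113.5", f"10.0.0.{i}", 1024 + i, "RA") for i in range(1, 41)]
SCAN = [Flow(1, "192.0.2.77", f"10.0.1.{i}", 445, "S") for i in range(1, 31)]
DOS = [Flow(2, f"198.51.100.{i}", "10.0.2.10", 80, "S") for i in range(1, 26)]
WORM = [Flow(h, f"10.0.3.{k}", f"10.0.4.{j}", 1434, "S")
        for h in range(3, 7) for k in range(2 ** (h - 3)) for j in range(1, 6)]
```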
Let’s Play “Find The Scan”!
[Figure: flows (0 to 2e+06) vs. elapsed seconds over eight days (0 to 691200), with one feature annotated “Hmmmm”.]
7
Example DDoS Attack
8
Example: SQLSlammer
[Figure: Slammer Infected NIPRNet Hosts. Cumulative Number of Hosts (0 to 7000) vs. Elapsed Time (Hrs), 0.00 to 4.00. Annotations: 2525 hosts in 8 min; 3025 hosts in 36 min; 3838 hosts in 44 min; 5892 hosts in 2 h 41 m.]
9
Slammer: Precursor Detection
[Figure: Flows (0 to 160,000) per hour, from 1/24 00:00 to 1/25 04:00.]
10
Fusion Efforts
• Small Packet Probes analyzed
• Patterns emerged
• Identified potential threat
• Analysis of CERT/CC Incident Data
• Identified possible link between state and hacker groups
• Hacker communications assessment
• Working on profiles, country studies, event analysis
11
Results of Fused Analysis
• What was determined?
• Data collected showed definite network indicators
• Methodology can be developed to provide possible warning indicators
• Based on limited dataset, network indicators suggest possible malicious probes by China
• Network indicators suggest a number of motivations
– Exploitation
– Site mapping
– Intelligence gathering for further activity
12
Incident data flow
[Diagram: Observed Events at Organization 1, Organization 2, Organization 3, …, Organization n become Reported Incidents; these pass through Filter (with Context) and Prioritize (with Context) to yield Prioritized Attacks.]
13
Why Share Incident Information?
• Help in dealing with current attack
• Improve future software
• Better baseline for next attacks
• Support non-technical solutions
– Prosecution
– Diplomacy
– Legislation
14
Why not share Incident Information?
• Fear of publicity
• Fear of stimulating attacks
• Fear of educating attackers
• Forcing action ahead of decision-makers
• Fear of offending suppliers/customers
15
How well does current response work?
• For some incidents – great!
– Viruses / slow worms
– Narrow attacks
• For others – not so great
– Very fast worms
– Covert compromises (Rootkits)
– Broad attacks
– Mass attacks
16
W32/Hybris Comb
[Figure: Hybris Incidents per month (0 to 20), Oct-00 to Jun-01. Series: Installed w32/hybris, Failed w32/hybris, Actual-Use w32/hybris.]
RootKit Comb
[Figure: Rootkit Incidents per month (0 to 16), Jun-00 to Jun-01. Series: Installed rootkit, Failed rootkit, Actual-Use rootkit.]
18
Fusion Framework
[Diagram: Inputs are Incidents I1, I2, …, In, System Mission Criticality Databases (DoD/MAC, Project Matrix, Key Asset Initiative) and Other factors (Political, Social, Economic). Clustering and Extrapolation produces Extrapolated Incidents (X-Incidents) X1, X2, …, Xm, with some Incidents Excluded. Correlation and Abduction produces X-Incident Chains C1, C2, …, Cm. Role-based Incident Severity Tier Assignment then rates each chain T1 T2 T3 T4 T5 for each role: System Admin, Law Enforcement, …, Coord. CSIRT.]
19
Clustering and Extrapolation
– Clustering groups reports into meaningful classes
– Similarity metric applied to common features
• Cohesion function calculates degree of similarity
• Clustering generates overlapping clusters (clumps)
– Minimizes cohesion function between incident sets
– Extrapolation fills in the reporting gaps
• Extrapolation criterion establishes when and how
– Generates extrapolated incidents (x-incidents)
20
Correlation and Abduction
– Identifies sequences that constitute a staged attack
• Generates x-incident chains
• Starting context establishes understanding of initial system/network configuration
– Causal relationships through pre-/post-condition chaining
• Precondition of first incident must satisfy starting context
• Postcondition of each incident must satisfy precondition of the subsequent incident
– Techniques available (abduction) for filling in gaps
• Strings together x-incident chains using attack patterns
• Abduction criterion establishes when and how
21
Example
[Diagram of the worked example:
1. Clustering and extrapolation based on intruder tool signature: SubSeven Trojan horse
2. Clustering based on target of attack and flooding approach: Leaves worm building “Bot Network”
3. Correlation based on Leaves’ scan for SubSeven signature: SubSeven enables the Leaves worm
4. Abduction using distributed denial of service pattern: ongoing uses of the “Bot Network” launch a Denial-of-service attack]
22
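The pre-/post-condition chaining and abduction rules from the Correlation and Abduction slide, carried through on the SubSeven / Leaves / denial-of-service example above, as added illustration code rather than anything from the slides; the condition labels and the one-hop abduction criterion are assumptions:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class XIncident:
    name: str
    pre: frozenset   # conditions that must hold before the incident
    post: frozenset  # conditions that hold once it has happened

def chain_is_causal(chain, start_context):
    """Pre-/post-condition chaining: the first incident's precondition must be
    satisfied by the starting context, and each incident's postcondition must
    satisfy the precondition of the next one."""
    state = set(start_context)
    for inc in chain:
        if not inc.pre <= state:
            return False
        state |= inc.post
    return True

def abduce(observed, start_context, patterns):
    """Fill a reporting gap with an attack pattern (abduction, one hop per gap):
    when an observed incident's precondition is unmet, insert the first pattern
    that is enabled by the current state and in turn enables the incident."""
    state = set(start_context)
    chain = []
    for inc in observed:
        if not inc.pre <= state:
            bridge = next((p for p in patterns
                           if p.pre <= state and inc.pre <= state | p.post), None)
            if bridge is None:
                return None          # abduction criterion not met: gap too wide
            chain.append(bridge)
            state |= bridge.post
        chain.append(inc)
        state |= inc.post
    return chain

# The slide's example as x-incidents; the condition labels are constructed
SUBSEVEN = XIncident("SubSeven Trojan horse",
                     frozenset({"host_reachable"}), frozenset({"subseven_backdoor"}))
LEAVES = XIncident("Leaves worm building Bot Network",
                   frozenset({"subseven_backdoor"}), frozenset({"bot_network"}))
DDOS = XIncident("Denial-of-service attack",
                 frozenset({"bot_network"}), frozenset({"target_flooded"}))
START_CONTEXT = {"host_reachable"}
ATTACK_PATTERNS = [LEAVES]           # pattern library consulted during abduction
```

With the Leaves report missing, `abduce` reinserts it from the pattern library and the resulting chain passes `chain_is_causal`.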
Challenges to Analysis Research
• Gathering sufficient datasets to make statistically valid judgments
• Developing automated technical analysis tools
• Developing a reliable methodology for cyber-analysis
• Overcoming organizational bias against sharing information
23
Limits of Analysis
• Inherently partial data
• Baseline in dynamic environment
• Correlation vs. Causation
• Implications
– Need to be cautious in kinds of conclusions
– Consider strategies for dealing with analysis gone wrong
24