Slide 1
A Common Language for Computer Security Incidents
John D. Howard, Thomas A. Longstaff
Presented by: Jason Milletary
9 November 2000
Slide 2: The Problem
- Security incident data is compiled by many sources
- Lack of agreement between the security incident terms used by different sources
- Unable to combine and compare data for useful analysis
Slide 3: Common Language Project
- Cooperation between Sandia National Labs and CERT/CC
- Develop a minimum set of high-level terms for security incidents
  - Flexible enough to allow site-specific low-level terms
- Develop a taxonomy for these terms
  - Classification scheme that defines the terms and their relationships
Slide 4: Satisfactory Taxonomy Characteristics
- Mutually exclusive
- Exhaustive
- Unambiguous
- Repeatable
- Accepted
- Useful
Slide 5: Review of Previous Taxonomies
- List of terms: trap doors, IP spoofing, dumpster diving
- List of categories: social engineering, denial-of-service
- Results categories: corruption, denial
- Empirical lists: external abuse of resource, masquerading
- Matrices: vulnerabilities vs. potential perpetrators
- Action-based: interruption, interception
Slide 6: CLP Incident Taxonomy
- Event: an action directed at a target intended to change the state of that target*
- Action: a step taken by a user or process in order to achieve a result*
- Target:
  - Logical entity (data, account)
  - Physical entity (computer, network)
* The IEEE Standard Dictionary of Electrical and Electronics Terms, Sixth Edition, 1996.
Slide 7: CLP Incident Taxonomy (event)
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
- event = an action directed at a target
Slide 8: CLP Incident Taxonomy
- Attack: use of a tool to exploit a vulnerability to perform an action on a target in order to achieve an unauthorized result
- Tool: means or method by which a vulnerability is exploited
- Vulnerability: system weakness through which unauthorized access can be gained
- Unauthorized result: a consequence of the event phase of an attack
Slide 9: CLP Incident Taxonomy (attack)
- Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Data Tap, Distributed Tool
- Vulnerability: Design, Implementation, Configuration
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
- Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Data, Denial of Service, Theft of Resources
- event = action -> target
- attack = tool -> vulnerability -> event -> unauthorized result
Slide 10: CLP Incident Taxonomy
- Incident: a distinct group of attacks involving specific attackers, attacks, objectives, sites, and timing
- Attacker: individual(s) who use one or more attacks to reach an objective
- Objective: end goal of an incident
Slide 11: CLP Incident Taxonomy (incident)
- Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
- Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Data Tap, Distributed Tool
- Vulnerability: Design, Implementation, Configuration
- Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
- Target: Account, Process, Data, Component, Computer, Network, Internetwork
- Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Data, Denial of Service, Theft of Resources
- Objectives: Challenge, status, thrill; Political gain; Financial gain; Damage
- event = action -> target
- attack = tool -> vulnerability -> event -> unauthorized result
- incident = attackers -> attacks -> objectives
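The deck's motivation (slide 2) is that incident data from different sources cannot be combined because the sources use different terms, and slides 7 to 11 give the high-level terms that are meant to fix that. The following is an added example, not code from the slides or from Howard and Longstaff's project: it encodes the slide terms as Python sets, checks that an attack record uses only those terms, and maps two constructed site-specific vocabularies ("site-a", "site-b", their local labels and their sample records are all invented here) onto the common terms so that records from both sites can be counted together.

```python
"""Added example, not part of the slides or of Howard & Longstaff's paper.

Encodes the CLP taxonomy terms from the slides, validates an attack record
against them, and normalizes two constructed site-specific vocabularies onto
the common terms so their records can be combined and compared.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# High-level terms from the taxonomy slides (lower-cased for matching).
ACTIONS = {"probe", "scan", "flood", "authenticate", "bypass", "spoof",
           "read", "copy", "steal", "modify", "delete"}
TARGETS = {"account", "process", "data", "component", "computer",
           "network", "internetwork"}
TOOLS = {"physical attack", "information exchange", "user command",
         "script or program", "autonomous agent", "toolkit", "data tap",
         "distributed tool"}
VULNERABILITIES = {"design", "implementation", "configuration"}
RESULTS = {"increased access", "disclosure of information",
           "corruption of data", "denial of service", "theft of resources"}


@dataclass(frozen=True)
class Attack:
    """tool -> vulnerability -> event (action on target) -> unauthorized result."""
    tool: str
    vulnerability: str
    action: str
    target: str
    result: str


def validate(attack: Attack) -> List[str]:
    """Return the names of fields whose value is not a CLP term (empty = valid)."""
    checks = (("tool", TOOLS), ("vulnerability", VULNERABILITIES),
              ("action", ACTIONS), ("target", TARGETS), ("result", RESULTS))
    return [name for name, allowed in checks
            if getattr(attack, name) not in allowed]


# Constructed site-specific (low-level) vocabularies, each mapped onto the
# high-level CLP term. Values not listed are passed through unchanged and
# will then fail validate() unless they already are CLP terms.
SITE_VOCAB: Dict[str, Dict[str, Dict[str, str]]] = {
    "site-a": {
        "action": {"portsweep": "scan", "synflood": "flood",
                   "pw-guess": "authenticate"},
        "target": {"host": "computer", "login": "account", "svc": "process"},
        "result": {"recon": "disclosure of information",
                   "outage": "denial of service", "root": "increased access"},
        "tool": {"nmap": "script or program", "ddos-net": "distributed tool",
                 "manual": "user command"},
        "vuln": {"misconfig": "configuration", "bug": "implementation"},
    },
    "site-b": {
        "action": {"SCAN": "scan", "FLOOD": "flood", "LOGIN": "authenticate"},
        "target": {"server": "computer", "acct": "account", "daemon": "process"},
        "result": {"info": "disclosure of information",
                   "dos": "denial of service", "priv": "increased access"},
        "tool": {"scanner": "script or program", "botnet": "distributed tool",
                 "shell": "user command"},
        "vuln": {"config": "configuration", "impl": "implementation"},
    },
}


def normalize(site: str, raw: Dict[str, str]) -> Attack:
    """Translate one site's raw record into an Attack built from CLP terms."""
    vocab = SITE_VOCAB[site]

    def term(kind: str, value: str) -> str:
        return vocab[kind].get(value, value).lower()

    return Attack(tool=term("tool", raw["tool"]),
                  vulnerability=term("vuln", raw["vuln"]),
                  action=term("action", raw["action"]),
                  target=term("target", raw["target"]),
                  result=term("result", raw["result"]))


def combine(records: Iterable[Tuple[str, Dict[str, str]]]) -> Counter:
    """Count (action, target, result) triples across sites; reject non-CLP records."""
    counts: Counter = Counter()
    for site, raw in records:
        attack = normalize(site, raw)
        bad = validate(attack)
        if bad:
            raise ValueError(f"{site}: fields not in taxonomy: {bad}")
        counts[(attack.action, attack.target, attack.result)] += 1
    return counts


# Constructed sample records: both sites describe the same kinds of attack
# with different local terms.
SAMPLE_RECORDS = [
    ("site-a", {"tool": "nmap", "vuln": "misconfig", "action": "portsweep",
                "target": "host", "result": "recon"}),
    ("site-a", {"tool": "ddos-net", "vuln": "bug", "action": "synflood",
                "target": "host", "result": "outage"}),
    ("site-b", {"tool": "scanner", "vuln": "config", "action": "SCAN",
                "target": "server", "result": "info"}),
    ("site-b", {"tool": "shell", "vuln": "impl", "action": "LOGIN",
                "target": "acct", "result": "priv"}),
]

if __name__ == "__main__":
    for key, n in sorted(combine(SAMPLE_RECORDS).items()):
        print(n, *key, sep="  ")
```

The two scan records, which the sites label "portsweep"/"recon" and "SCAN"/"info", collapse into one common (scan, computer, disclosure of information) bucket, which is the comparison the deck says is impossible without agreed terms. The validator is what makes the scheme usable as an exchange format: a record that still carries an unmapped local term is rejected rather than silently counted as its own category.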
Slide 12: CLP Incident Taxonomy, other terms
- Site and site name
- Dates
- Incident numbers
- Corrective action
Slide 13: Future Plans
- Implement the common language
- Database
- Analysis of data
- Forensics
- Trending
- Insight into hacker objectives and motives
- Sharing of data between response teams