Download presentation
Presentation is loading. Please wait.
1
1 Incident Analysis
2
2 Why Incident Analysis? Bad Guys! Threats growing Vulnerabilities Increasing Internet now part of the social fabric Impact of major cyber-attack would be significant Cascading effects a major concern Reactive response must give way to Proactive preparation
3
3 Analytic Approach The systematic and broad-scale accumulation of understanding for current and prospective behaviors on the Internet. Technical, Political, Economic, and Social triggers Attacks and defenses Vulnerabilities and corrections Victims and perpetrators Physical-world impacts
4
4 One Effort – Looking Inside the Noise Network Activity Example Overall Activity Several Gbytes/day Noise - Below the Radar
5
5 Traffic is business-dominated
6
6 A taxonomy of Attributes Backscatter: Few sources, scattered evenly across enterprise network, generally contains RST or ACK flags. Scans: Single source, usually strikes the same port on many machines, or different ports on the same machine DoS: Multiple sources, single target, usually homogenous (but no requirement). May be oddly sized Worms: Scanning from a steadily increasing number of hosts Major servers: Identifiable by IP addresses.
7
7 Let’s Play “Find The Scan”! Hmmmm
8
8 Example DDoS Attack
9
9 Example: SQLSlammer
10
10 Slammer: Precursor Detection 0 20000 40000 60000 80000 100000 120000 140000 160000 0123456789101112131415161718192021222301234 Hour 1/24:00 1/25:04 Flows Series1
11
11 Fusion Efforts Small Packet Probes analyzed Patterns emerged Identified potential threat Analysis of CERT/CC Incident Data Identified possible link between state and hacker groups Hacker communications assessment Working on profiles, country studies, event analysis
12
12 Results of Fused Analysis What was determined? Data collected showed definite network indicators Methodology can be developed to provide possible warning indicators Based on limited dataset, network indicators suggest possible malicious probes by China Network Indicators suggest number of motivations Exploitation Site mapping Intelligence gathering for further activity
13
13 Incident data flow Organization 1 Organization 2 Organization 3 Organization n Observed EventsObserved Events Reported IncidentsReported Incidents Filter Prioritize PrioritIzedAttacksPrioritIzedAttacks Context
14
14 Why Share Incident Information? Help in dealing with current attack Improve future software Better baseline for next attacks Support non-technical solutions –Prosecution –Diplomacy –Legislation
15
15 Why not share Incident Information? Fear of publicity Fear of stimulating attacks Fear of educating attackers Forcing action ahead of decision-makers Fear of offending suppliers/customers
16
16 How well does current response work? For some incidents – great! –Viruses / slow worms –Narrow attacks For others – not so great –Very fast worms –Covert compromises (Rootkits) –Broad attacks –Mass attacks
17
17 Hybris Incidents
18
18 Rootkit Incidents
19
19 Fusion Framework Incidents I1 I2 … In Clustering and Extrapolation Extrapolated Incidents (X-Incidents) X1 X2 … Xm Correlation and Abduction X-Incident Chains C1 C2 … Cm Role-based Incident Severity Tier Assignment Incidents Excluded Other factors: Political, Social, Economic System Admin T1 T2 T3 T4 T5 Law Enfrcmnt T1 T2 T3 T4 T5 Coord. CSIRT T1 T2 T3 T4 T5 System Mission Criticality Databases: DoD/MAC, Project Matrix, Key Asset Initiative …
20
20 Clustering and Extrapolation –Clustering groups reports into meaningful classes –Similarity metric applied to common features Cohesion function calculates degree of similarity Clustering generates overlapping clusters (clumps) –Minimizes cohesion function betweens incident sets –Extrapolation fills in the reporting gaps Extrapolation criterion establishes when and how –Generates extrapolated incidents (x-incidents)
21
21 Correlation and Abduction –Identifies sequences that constitute staged attack Generates x-incident chains Starting context establishes understanding of initial system/network configuration –Causal relationships through pre-/post-condition chaining Precondition of first incident must satisfy starting context Postcondition of each incident must satisfy precondition of the subsequent incident –Techniques available (abduction) for filling in gaps Strings together x-incident chains using attack patterns Abduction criterion establishes when and how
22
22 Example SubSeven Trojan horse Leaves worm building “Bot Network” Denial-of- service attack Enables Launches Ongoing uses of “Bot Network” 1. Clustering and extrapolation based on intruder tool signature 3. Correlation based on Leaves’ scan for SubSeven signature 4. Abduction using distributed denial of service pattern 2. Clustering based target of attack and flooding approach
23
23 Challenges to Analysis Research Gathering sufficient datasets to make statistically valid judgments Developing automated technical analysis tools Developing a reliable methodology for cyber-analysis Overcoming organizational bias against sharing information
24
24 Limits of Analysis Inherently partial data Baseline in dynamic environment Correlation vs. Causation Implications –Need to be cautious in kinds of conclusions –Consider strategies for dealing with analysis gone wrong
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.