Lesson 2: Computer Security Incidents Taxonomy
Need an accepted taxonomy because . . .
• Provides a common frame of reference
• If no taxonomy, then we:
  • Can’t develop common reporting criteria
  • Can’t develop processes and standardization
  • Ultimately, no IA “Common Language”
Must have these characteristics . . .
[Figure: two sets of logically related columns combined (column set + column set = one taxonomy matrix)]
Must be:
• Mutually exclusive
• Unambiguous
• Repeatable
• Accepted
• Useful
• Exhaustive
Where to start?
• The inability to share data because of non-standard terminology is not a new problem
• For this reason several computer security taxonomies have already been developed
• Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
• Sandia Report: “A Common Language for Computer Security Incidents”, John D. Howard and Thomas A. Longstaff (October 1998)
• Currently in use at Carnegie Mellon’s CERT/CC
Sandia Labs Network-Based Taxonomy
Incident = Attackers + Attack(s) + Objectives
Attack = Tool + Vulnerability + Event + Unauthorized Result
Event = Action + Target

Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
Vulnerability: Design, Implementation, Configuration
Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
Target: Account, Process, Data, Component, Computer, Network, Internetwork
Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
Objectives: Challenge/Status/Thrills, Political Gain, Financial Gain, Damage
Basic Model
Attackers → Tool → Vulnerability → Action → Target → Unauthorized Result → Objectives
Attacks (here called Intrusions) + Attackers (here called Intruders) + Objectives = Incident
Computer Network “Incident”
Objectives: • Status/Thrills • Political Gain • Financial Gain • Damage
Intruders: • Hackers • Terrorists • Other
Intrusions: • Increased access • Disclosure of info • Theft of resources • Corruption of info • Denial of Service
Defended Network
[Figure: intruders, driven by their objectives, launch intrusions against the defended network; together this is a computer network incident]
Intrusion Taxonomy
Intrusion = Intruders + Tool + Vulnerability + Action + Target + Unauthorized Result + Objectives
Event = Action + Target
Tools: • Physical force • Info exchange • User command • Script/Program • Autonomous agent • Toolkit • Distributed tool • Data tap
Vulnerabilities: • Design • Implementation • Configuration
Unauthorized Results: • Increased access • Disclosure • Corrupt data • Denial of Service • Theft
Objectives: • Thrills • Political Gain • Financial Gain • Damage
Events: • Action • Target
[Figure: the intrusion chain classified two ways: did have intent / no intent, and unauthorized results / no unauthorized results]
Intrusion taxonomy in practice . . .
[Figure: the Sandia Labs taxonomy chart (Tool, Vulnerability, Action, Target, Unauthorized Result, Intruders, Objectives) with one path highlighted per example]
Example: Tool = Toolkit → Vulnerability = Design → Action = Bypass → Target = Process → Unauthorized Result = Corruption of Data, Denial of Service → Computer Network Intrusion
Insider threat example: Intruder = Authorized User → Tool = Toolkit → Vulnerability = Design → Action = Bypass → Target = Process → Unauthorized Result = Increased Access
Taxonomy applied
[Figure: the Sandia Labs taxonomy chart, with each intrusion’s path highlighted]
Intrusion 1: Tool = User Command → Vulnerability = Design → Action = Authenticate → Target = Account → Unauthorized Result = Increased Access
Intrusion 1 - Increased Access
Intrusion 2: Tool = User Command → Vulnerability = Design → Action = Bypass → Target = Process → Unauthorized Result = Root Access (Increased Access)
Intrusion 1 - Increased Access
Intrusion 2 - Root Level Access
Intrusion 3: Tool = User Command → Vulnerability = Design → Action = Steal → Target = Data → Unauthorized Result = Disclosure of Information
Intrusion 1 - Increased Access
Intrusion 2 - Root Level Access
Intrusion 3 - Disclosure of Information
Next intrusion (unnumbered on the slide): Tool = Script or Program → Vulnerability = Implementation → Action = Modify → Target = Process → Unauthorized Result = Denial of Service (Theft of Resources and Disclosure of Information are also marked)
Intrusion 1 - Increased Access
Intrusion 2 - Root Level Access
Intrusion 3 - Disclosure of Information
New definition: “Intrusion Set”
• Multiple Events
• Multiple related intrusions = “Intrusion Set”
[Figure: Tool → Vulnerability → Action → Target → Unauthorized Result, with Intruder and Objective attached to the set]
Who? What? Why?
• The taxonomy chain (tool, vulnerability, action, target, unauthorized result) answers the what
• Need more information to get to attribution
• Need to know who?
• Need to know why?
Who and Why?
Intrusion Set: Intruders → Tool → Vulnerability → Action → Target → Unauthorized Result → Objectives
Attribution
Objectives: • Challenge, Status, Thrills • Political (Pol/Mil) Gain • Financial Gain • Damage
Not every event? (Event = Action + Target)
Objective reporting criteria
[Figure: the Sandia Labs taxonomy chart (Attackers/Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives) with Unauthorized Result highlighted; Group 1, Group 2, Group 3 and Group 4 each feed intrusion data, including the intrusion(s), to a common reporting point]
Must report all unauthorized results (actual or attempted)
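The “Taxonomy applied” walk-through, the intrusion set definition and the reporting criterion above, as one added Python model (example code written for this lesson, not from the Sandia report or CERT/CC). It keeps the report’s column vocabularies, rejects records that fall outside them (the mutually exclusive/exhaustive rule), groups the four slide intrusions into an intrusion set, and applies the “report every unauthorized result, actual or attempted” criterion. The intruder, objective and the bare scan event are constructed; the slides do not give them.

```python
from dataclasses import dataclass

# Controlled vocabularies, one per taxonomy column (Howard & Longstaff, 1998).
TOOL = {"Physical Attack", "Information Exchange", "User Command", "Script or Program",
        "Autonomous Agent", "Toolkit", "Distributed Tool", "Data Tap"}
VULNERABILITY = {"Design", "Implementation", "Configuration"}
ACTION = {"Probe", "Scan", "Flood", "Authenticate", "Bypass", "Spoof",
          "Read", "Copy", "Steal", "Modify", "Delete"}
TARGET = {"Account", "Process", "Data", "Component", "Computer", "Network", "Internetwork"}
RESULT = {"Increased Access", "Disclosure of Information", "Corruption of Information",
          "Denial of Service", "Theft of Resources"}

@dataclass(frozen=True)
class Intrusion:
    """Tool -> Vulnerability -> Event (Action, Target) -> Unauthorized Result(s), actual or attempted.
    An empty `results` means a bare event (e.g. a scan) that produced no unauthorized result."""
    tool: str
    vulnerability: str
    action: str
    target: str
    results: frozenset = frozenset()

    def validate(self):
        """Mutually exclusive + exhaustive: each column holds exactly one vocabulary term.
        Returns the violations (empty list when the record fits the common language)."""
        cols = (("tool", TOOL), ("vulnerability", VULNERABILITY), ("action", ACTION), ("target", TARGET))
        bad = [f"{c}={getattr(self, c)!r}" for c, v in cols if getattr(self, c) not in v]
        return bad + [f"result={r!r}" for r in self.results if r not in RESULT]

def intrusion_set(intruder, objective, intrusions):
    """Several related intrusions plus who/why = one intrusion set (the slides' new term)."""
    problems = [p for i in intrusions for p in i.validate()]
    if problems:
        raise ValueError("not in taxonomy: " + ", ".join(problems))
    return {"intruder": intruder, "objective": objective, "intrusions": tuple(intrusions)}

def reportable(intrusions):
    """Reporting criterion from the slides: every unauthorized result (actual or attempted)
    must be reported; a bare event with no unauthorized result is not."""
    return [i for i in intrusions if i.results]

def slide_example():
    """The four 'Taxonomy applied' intrusions plus a constructed bare scan; intruder/objective are constructed."""
    R = frozenset
    steps = [
        Intrusion("User Command", "Design", "Authenticate", "Account", R({"Increased Access"})),
        Intrusion("User Command", "Design", "Bypass", "Process", R({"Increased Access"})),  # root access
        Intrusion("User Command", "Design", "Steal", "Data", R({"Disclosure of Information"})),
        Intrusion("Script or Program", "Implementation", "Modify", "Process",
                  R({"Denial of Service", "Theft of Resources", "Disclosure of Information"})),
        Intrusion("User Command", "Design", "Scan", "Network")]  # constructed bare event, not reportable
    return intrusion_set("Hackers", "Challenge, Status, Thrills", steps)
```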
SUMMARY
• Common Taxonomy Developed
• Increased Data Sharing Ongoing
• Prosecutions Increasing