Week 6Read Chapter 8 on CollectionRead Chapter 9 on Correlat.docx
Week 6
Read Chapter 8 on Collection
Read Chapter 9 on Correlation
Listen to weekly lectures
Complete the following
Post to discussion week 5
Complete Practical Connection Assignment
Complete Quiz 4 based on Chapter 6 Depth and Chapter 7 Discretion
Copyright © 2012, Elsevier Inc. All rights Reserved
Chapter 9
Correlation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
The University of Adelaide, School of Computer Science
5 August 2019
Chapter 2 — Instructions: Language of the Computer
Chapter 9 – Correlation
Introduction
Correlation is one of the most powerful analytic methods for threat investigation
Data comparison creates a clearer picture of adversary activity
Profile-based correlation
Signature-based correlation
Domain-based correlation
Time-based correlation
We rely on human analysis of data; no software can factor in all relevant elements
Fig. 9.1 – Profile-based activity anomaly
Fig. 9.2 – Signature-based activity match
Fig. 9.3 – Domain-based correlation of a botnet attack at two targets
Fig. 9.4 – Time-based correlation of a botnet attack
Fig. 9.5 – Taxonomy of correlation scenarios
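The domain-based and time-based correlation shown in Figs. 9.3 and 9.4 can be reduced to two small analytics over event records from several targets. The following is an added example, not the book's or the lecture's own code; the events, site names and addresses are constructed sample data, and the 60-second window is an assumed parameter.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not from the book): firewall drop records from two
# targets' logs, as (UTC timestamp, target site, source address).
EVENTS = [
    ("2012-03-01T10:00:01Z", "site-A", "203.0.113.5"),
    ("2012-03-01T10:00:02Z", "site-A", "203.0.113.9"),
    ("2012-03-01T10:00:03Z", "site-A", "198.51.100.7"),
    ("2012-03-01T10:00:04Z", "site-A", "203.0.113.21"),
    ("2012-03-01T10:00:07Z", "site-B", "203.0.113.5"),
    ("2012-03-01T10:00:08Z", "site-B", "198.51.100.7"),
    ("2012-03-01T10:00:09Z", "site-B", "203.0.113.21"),
    ("2012-03-01T10:45:00Z", "site-A", "192.0.2.77"),   # isolated noise
    ("2012-03-01T11:30:00Z", "site-B", "192.0.2.78"),   # isolated noise
]

EPOCH = datetime(1970, 1, 1)

def to_seconds(ts):
    """Parse an ISO-8601 UTC timestamp into whole seconds since the epoch."""
    return int((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") - EPOCH).total_seconds())

def domain_correlate(events):
    """Domain-based correlation (Fig. 9.3): the same source infrastructure seen
    at more than one target, something no single site can observe on its own."""
    targets_by_src = defaultdict(set)
    for _, target, src in events:
        targets_by_src[src].add(target)
    return {src: sorted(t) for src, t in targets_by_src.items() if len(t) > 1}

def time_correlate(events, window_s=60):
    """Time-based correlation (Fig. 9.4): bucket events into fixed windows and
    keep only windows in which several targets see activity simultaneously.
    Returns {window_start_seconds: {target: distinct_source_count}}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, target, src in events:
        start = to_seconds(ts) // window_s * window_s
        buckets[start][target].add(src)
    return {
        start: {t: len(s) for t, s in per_target.items()}
        for start, per_target in buckets.items()
        if len(per_target) > 1
    }

if __name__ == "__main__":
    print("sources shared across targets:", domain_correlate(EVENTS))
    print("windows with simultaneous activity:", time_correlate(EVENTS))
```

The two isolated records fall in windows with only one target and are not reported, while the three sources common to both sites surface in both analytics.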
Conventional Security Correlation Methods
Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships
The approach relies upon security information and event management (SIEM)
Commercial firewalls are underutilized
The correlation function can be decentralized, but that often complicates the process
Fig. 9.6 – Correlating intrusion detection alarms with firewall policy rules
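Fig. 9.6's correlation of intrusion detection alarms with firewall policy rules puts the underutilized firewall data to work: an alarm on a flow the policy already drops is informational, while an alarm on a permitted flow reached its target. The example below is added here and is not the book's code; it assumes an IDS sensor that sees traffic before the firewall, an ordered first-match policy, and constructed rules, addresses and signatures.

```python
import ipaddress

# Constructed firewall policy (not from the book): first matching rule wins.
# Each rule is (action, source network, destination network, dst port or None = any).
POLICY = [
    ("permit", "0.0.0.0/0",  "192.0.2.10/32", 443),   # public web server
    ("permit", "10.0.0.0/8", "192.0.2.0/24",  None),  # internal nets to DMZ
    ("deny",   "0.0.0.0/0",  "0.0.0.0/0",     None),  # default deny
]

# Constructed IDS alarms (not from the book): (src, dst, dst port, signature).
ALARMS = [
    ("203.0.113.5", "192.0.2.10", 443,  "HTTP: suspicious User-Agent"),
    ("203.0.113.5", "192.0.2.10", 22,   "SSH brute force"),
    ("10.1.2.3",    "192.0.2.20", 1433, "MSSQL login attempt"),
]

def match_rule(policy, src, dst, dport):
    """Return (action, matching rule) for a flow; implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in policy:
        action, src_net, dst_net, port = rule
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and (port is None or port == dport)):
            return action, rule
    return "deny", None

def correlate_alarms(alarms, policy):
    """Attach the firewall verdict and a triage priority to each IDS alarm."""
    out = []
    for src, dst, dport, sig in alarms:
        action, rule = match_rule(policy, src, dst, dport)
        out.append({
            "src": src, "dst": dst, "dport": dport, "signature": sig,
            "firewall": action, "rule": rule,
            # Permitted traffic reached the target and needs follow-up;
            # alarms on already-dropped traffic are kept only as context.
            "priority": "follow-up" if action == "permit" else "informational",
        })
    return out

if __name__ == "__main__":
    for alarm in correlate_alarms(ALARMS, POLICY):
        print(alarm["priority"], alarm["signature"], alarm["rule"])
```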
Quality and Reliability Issues in Data Correlation
The quality and reliability of data sources are important to consider
Service level agreements guarantee the quality of data
Quality and reliability are not guaranteed with volunteered data
Without consistent, predictable, and guaranteed data delivery, correlations are likely to be incorrect and data is likely to be missing
Fig. 9.7 – Incorrect correlation result due to imperfect collection
Correlating Data to Detect a Worm
Network service providers have the best vantage point for correlating data across multiple organizations, regions, etc.
Network service providers have a view of network activity that allows them to see problems
Fig. 9.8 – Time-based correlation to detect worm
Correlating Data to Detect a Botnet
The context of carrier infrastructure may offer the best chance to perform correlation relative to a botnet
Botnets are often widely distributed geographically
Sharing information on botnet tactics might help others protect themselves
Large-Scale Correlation Process
For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors
Data formats
Collection targets
Competition
These can only be overcome with a deliberate correlation process
Fig. 9.10 – Large-scale, multipass correlation process with feedback
National Correlation Process
Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation
National-level programs might be created to correlate collected data at the highest level. This approach requires the following
Transparent operations
Guaranteed data feeds
Clearly defined value proposition
Focus on situational awareness
Chapter 8
Collection
Cyber Attacks
Protecting National Infrastructure, 1st ed.
Chapter 8 – Collection
Introduction
Diligent and ongoing observation of computing and networking behavior can highlight malicious activity
The processing and analysis required for this must be done within a program of data collection
A national collection process that combines local, regional, and aggregated data does not exist in an organized manner
Fig. 8.1 – Local, regional, and national data collection with aggregation
At local and national levels, data collection decisions for national infrastructure should be based on the following security goals
Preventing an attack
Mitigating an attack
Analyzing an attack
Data collection must be justified (who is collecting and why)
The quality of data is more important than the quantity
Fig. 8.2 – Justification-based decision analysis template for data collection
Collecting Network Data
Metadata is perhaps the most useful type of data for collection in national infrastructure
Metadata is information about data, not what the data is about
Data collection systems need to keep pace with the growth of carrier backbones
Sampling data takes less time, but unsampled data may reveal more
Fig. 8.4 – Collection detects evidence of vulnerability in advance of notification
Collecting System Data
National initiatives have not traditionally collected data from mainframes, servers, and PCs
The ultimate goal should be to collect data from all relevant computers, even if that goal is beyond current capacity
System monitoring may reveal troubling patterns
Two techniques are useful for embedding system management data
An inventory process is needed to identify critical systems
The process of instrumenting or reusing data collection facilities must be identified
Fig. 8.5 – Collecting data from mainframes, servers, and PCs
Security Information and Event Management
Security information and event management (SIEM) is the process of aggregating system data from multiple sources for the purpose of protection
Each SIEM system (in a national system of data collection) would collect, filter, and process data
Objections to this approach include both the cost of setting up the architecture and the fact that embedded SIEM functionality might introduce problems locally
Fig. 8.7 – Generic national SIEM architecture
Large-Scale Trending
Identifying trends is the most fundamental processing technique for data collected across the infrastructure
In the simplest terms
Some quantities go up (growth)
Some quantities go down (reduction)
Some quantities stay the same (leveling)
Some quantities do none of the above (unpredictability)
Fig. 8.8 – Growth trend in botnet behavior over 9-month period (2006–2007)
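The four trend classes above (growth, reduction, leveling, unpredictability) can be assigned mechanically by fitting a line to a collected series and looking at both its slope and how well the line fits. This is an added example, not the book's code or data; the 9-month series are constructed, and the relative slope and fit tolerances are assumed analyst-chosen thresholds.

```python
# Constructed monthly activity counts (not the book's data), one 9-month
# series per trend class the text names.
SERIES = {
    "growth":           [100, 120, 145, 170, 200, 240, 270, 310, 350],
    "reduction":        [400, 360, 330, 290, 250, 220, 180, 150, 120],
    "leveling":         [200, 205, 198, 202, 199, 201, 203, 197, 200],
    "unpredictability": [100, 400, 90, 380, 120, 420, 80, 390, 110],
}

def linear_fit(values):
    """Least-squares slope and intercept of values against period index 0..n-1."""
    n = len(values)
    x_mean = (n - 1) / 2
    y_mean = sum(values) / n
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(values))
    slope = sxy / sxx
    return slope, y_mean - slope * x_mean

def classify_trend(values, slope_tol=0.02, fit_tol=0.25):
    """Return 'growth', 'reduction', 'leveling' or 'unpredictability'.

    slope_tol: per-period slope, relative to the mean level, below which the
               series is treated as flat.
    fit_tol:   RMS residual of the fitted line, relative to the mean level,
               above which no trend is trusted (the series is erratic).
    A series too short to fit is rejected rather than guessed at.
    """
    if len(values) < 3:
        raise ValueError("need at least three periods to call a trend")
    slope, intercept = linear_fit(values)
    mean = sum(values) / len(values)
    residuals = [y - (intercept + slope * x) for x, y in enumerate(values)]
    rms = (sum(r * r for r in residuals) / len(residuals)) ** 0.5
    if rms / mean > fit_tol:          # line explains little: unpredictable
        return "unpredictability"
    if slope / mean > slope_tol:
        return "growth"
    if slope / mean < -slope_tol:
        return "reduction"
    return "leveling"

if __name__ == "__main__":
    for name, series in SERIES.items():
        print(f"{name:>16}: classified as {classify_trend(series)}")
```

Checking the fit before the slope matters: the erratic series has a small positive slope and would otherwise be reported as leveling or growth.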
Some basic practical considerations must be made by security analysts before a trend can be trusted
Underlying collection
Volunteered data
Relevant coverage
Tracking a Worm
Collecting network metadata allows security analysts to track a worm’s progress and predict its course
Consensus holds that worms work too fast for data collection to be an effective defense
There’s actually some evidence that a closer look at the data might provide early warning of worm threats
After collecting and analyzing, the next step is acting on the data in a timely manner
Fig. 8.9 – Coarse view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)
Fig. 8.10 – Fine view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)
National Collection Program
Once the idea for a national data collection program is accepted, the following need to be addressed
Data sources
Protected transit
Storage considerations
Data reduction emphasis