Detection and Decision Making

Review an article about Incident Response: Detection and Decision Making. The review is between 400 to 550 words and should summarize the article. Please include how it applies to our topic, and why you found it interesting.

Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 5
Incident Response: Detection and Decision Making
Objectives
• Define incidents that pose a risk to the organization
• Discuss the elements necessary to detect incidents
• Explain the components of an intrusion detection
and prevention system
• Describe the processes used in making decisions
about incident detection and escalation
Principles of Incident Response and Disaster Recovery, 2nd Edition
2
Introduction
• Organizations’ challenge
– Classifying events as they occur
• Event
– Any observable system or network occurrence
• Adverse event
– Event with negative consequences
• Systems: computer, personnel, organization based
– Not all events computer or network oriented
• Event sources
– Product of routine system activities, critical situations
Introduction (cont’d.)
• Incident
– Occurs when an adverse event becomes a genuine
threat to ongoing operations
• Incident classification process
– Evaluating circumstances around events
– Determining possible incidents (incident candidates)
– Determining if adverse event constitutes an actual
incident
• Incident response (IR) design team role
– Designing the process used to make a judgment
Introduction (cont’d.)
• IR team responsibility
– Classifying an incident
• Sources for tracking and detecting incident
candidates
– End user reports and other documents
– Intrusion detection and prevention systems (IDPSs)
– Virus management software
– Systems administrators
• Careful incident candidate reporting training
– Allows vital information to be relayed to the IR team
Introduction (cont’d.)
• NIST incident classification scheme for network-based incidents
– Denial of service
– Malicious code
– Unauthorized access
– Inappropriate usage
– Multiple component
Detecting Incidents
• Events occurring in and around an organization
– May indicate presence of an incident candidate
– May be normal operation mimicking incident
candidate
• Indication: adverse event underway
– Has probability of becoming an incident
• Precursor: activity now occurring
– Incident could occur in the future
• D. L. Pipkin incident indicator categories
– Possible, probable, and definite
Possible Indicators of an Incident
• Presence of unfamiliar files
– Unfamiliar or unexplained files in illogical locations
• Presence or execution of unknown programs or
processes
– Unfamiliar programs running, or processes executing
• Unusual consumption of computing resources
– Memory or hard disk consumption spikes and falls
• Unusual system crashes
– System crashing, hanging, rebooting, or freezing
more frequently than usual
Probable Indicators of an Incident
• Activities at unexpected times
– Network traffic levels exceed baseline levels
• Presence of unexpected new accounts
– Periodic review indicates unfamiliar accounts
• Unlogged new account with root or special privileges
• Reported attacks
– Verify user technical sophistication
• Notification from IDPS
– Must determine if notification real or a false positive
Definite Indicators
• Definite indicators requiring IR plan activation
– Use of dormant accounts
– Changes to logs
– Presence of hacker tools
– Notifications by partner or peer
– Notification by hacker
• Confirmed events indicating attack underway
– Loss of availability or integrity or confidentiality
– Violation of policy or violation of law
Identifying Real Incidents
• Actual incidents versus nonevents
– Vast majority of incidents: false positives
• Ways to process incidents
– Incident center; geographically separate review
locations; isolated incident candidate evaluations
• Noise: legitimate activities wrongly reported
– Activate feedback process to prevent flagging
– Inherent even in the best-tuned systems
• Causes of noise or false positives
– Sensor placement; policy; lack of awareness
Identifying Real Incidents (cont’d.)
• Data collection tuning process
– Provides careful change analysis to data collection
rules
• False negative
– Incident deserving attention that is not reported
• New or modified systems placed in service
– May need additional data collection process tuning
• Tuning process objective
– Allow valid incidents while controlling false positives
Intrusion Detection and Prevention
Systems
• Intrusion detection and prevention system (IDPS)
– Network burglar alarm
– Determines if network used in compliance with policy
• Intrusion
– Instigator attempting to gain unauthorized entry or
disrupt normal operations
– Access outside intended system or network use
– Attack types: automated or self-propagating
– Purpose of intrusion: harm an organization
Intrusion Detection and Prevention
Systems (cont’d.)
• Intrusion detection systems (IDSs)
– Detects a violation and activates an alarm
• Alarm types: audible, visual, silent
– Custom configuration levels available
• Intrusion prevention system (IPS)
– Detects intrusion and prevents successful attack
using an active response
• IDPS source
– http://csrc.nist.gov/publications/nistpubs/80094/SP800-94.pdf
IDPS Terminology
• Alarm or alert
– Indication system just attacked or under attack
• Alarm clustering
– Consolidation of almost identical alarms into a single
higher-level alarm
• Alarm compaction
– Form of alarm clustering based on similarities
• Alarm filtering
– Process of classifying attack alerts to distinguish or
sort false positives from actual attacks more efficiently
IDPS Terminology (cont’d.)
• Confidence value
– Value associated with an IDPS’s ability to detect and
identify an attack correctly
• Evasion
– Process by which attacker changes network packets
format and/or timing to avoid being detected
• False attack stimulus
– Event triggering alarms causing false positive when
no actual attack in progress
• False negative
– IDPS’s failure to react to an actual attack event
IDPS Terminology (cont’d.)
• False positive
– Alarm or alert indicating attack in progress or attack
successful when there is no attack
• Filtering
– Process of reducing IDPS events in order to gain better
confidence in the alerts received
• Noise
– Ongoing activity from alarm events
• Site policy
– Rules and configuration guidelines governing IDPSs
implementation and operation
IDPS Terminology (cont’d.)
• Site policy awareness
– IDPS’s ability to dynamically modify its site policies in
reaction or response to environmental activity
• True attack stimulus
– Event triggering an alarm causing IDPS to react as if
a real attack were in progress
• Tuning
– Process of adjusting an IDPS
• Maximize true positive detection efficiency
• Minimize both false positives and false negatives
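The terms defined on the preceding slides (alarm clustering, alarm compaction, alarm filtering, confidence value and tuning) can be seen operating together in the following Python sketch. It is an added illustration, not material from the textbook; the alert records, sensor names, signature names, the 30-second clustering window and the 0.5 confidence threshold are all constructed for the example.

```python
"""Alarm clustering, compaction and filtering over constructed IDPS alerts.

Added example (not from the textbook). Alert records, sensor names and
signature names below are constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Alert:
    ts: int            # seconds since the start of the observation window
    sensor: str        # which IDPS sensor raised the alert
    signature: str     # e.g. "SCAN_SYN_SWEEP" (constructed name)
    src: str
    dst: str
    confidence: float  # 0.0-1.0, the sensor's confidence value for this alert


@dataclass
class Cluster:
    """One higher-level alarm standing in for many near-identical alerts."""
    signature: str
    src: str
    first_ts: int
    last_ts: int
    count: int = 1
    dsts: set = field(default_factory=set)
    max_confidence: float = 0.0


# Constructed sample alert stream: one SYN-sweep burst seen by two sensors,
# one isolated high-confidence host alert, and a low-confidence policy alert
# that site policy knows is triggered by a nightly backup job.
ALERTS = [
    Alert(0, "nidps-dmz", "SCAN_SYN_SWEEP", "203.0.113.7", "10.0.0.1", 0.60),
    Alert(2, "nidps-dmz", "SCAN_SYN_SWEEP", "203.0.113.7", "10.0.0.2", 0.60),
    Alert(4, "nidps-dmz", "SCAN_SYN_SWEEP", "203.0.113.7", "10.0.0.3", 0.65),
    Alert(5, "nidps-core", "SCAN_SYN_SWEEP", "203.0.113.7", "10.0.0.3", 0.55),
    Alert(40, "hidps-db01", "FILE_LOGS_MODIFIED", "10.0.0.50", "10.0.0.50", 0.95),
    Alert(41, "nidps-core", "POLICY_LARGE_TRANSFER", "10.0.0.50", "10.0.1.20", 0.20),
]


def cluster_alerts(alerts, window=30):
    """Alarm clustering: alerts with the same signature and source within
    `window` seconds collapse into one higher-level alarm. Ignoring the sensor
    name is the compaction step: two sensors seeing one sweep yield one cluster."""
    clusters = []
    open_clusters = {}  # (signature, src) -> Cluster still being extended
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.signature, a.src)
        c = open_clusters.get(key)
        if c is not None and a.ts - c.last_ts <= window:
            c.count += 1
            c.last_ts = a.ts
            c.dsts.add(a.dst)
            c.max_confidence = max(c.max_confidence, a.confidence)
        else:
            c = Cluster(a.signature, a.src, a.ts, a.ts, 1, {a.dst}, a.confidence)
            clusters.append(c)
            open_clusters[key] = c
    return clusters


def filter_alarms(clusters, min_confidence=0.5, suppress=frozenset()):
    """Alarm filtering: drop clusters below the confidence threshold or whose
    signature the site policy has marked as known noise (a tuning decision)."""
    return [c for c in clusters
            if c.max_confidence >= min_confidence and c.signature not in suppress]


if __name__ == "__main__":
    clusters = cluster_alerts(ALERTS)
    for c in clusters:
        print(f"{c.signature:22s} src={c.src:13s} n={c.count} "
              f"targets={len(c.dsts)} conf={c.max_confidence:.2f}")
    kept = filter_alarms(clusters, suppress={"POLICY_LARGE_TRANSFER"})
    print(f"{len(ALERTS)} raw alerts -> {len(clusters)} clusters -> {len(kept)} after filtering")
```

Six raw alerts become three clusters, and filtering leaves two alarms for the analyst: the sweep (now a single alarm that records all three targets) and the log-modification alert. The suppressed signature is the kind of entry a tuning process adds after the feedback loop confirms a source of noise.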
Why Use an IDPS?
• Prevent problem behaviors
– Increase perceived risk of discovery and punishment
• Detect attacks and security violations
– Not prevented by other security measures
• Detect and deal with preambles to attacks
• Document existing threat to an organization
• Act as quality control for security design and
administration
– Especially of large and complex enterprises
• Provide useful information about intrusions
Why Use an IDPS? (cont’d.)
• Straightforward deterrent measure
– Increases fear of detection and discovery among
would-be attackers or internal system abusers
• NIST defined uses
– Identifying security policy problems
– Documenting the existing threat to an organization
– Deterring individuals from violating security policies
• Provides cover if network:
– Fails to protect itself from known vulnerabilities
– Unable to respond to rapidly changing threat
environment
Forces Working against an IDPS
• Tools fail to detect or correct a known deficiency
• Vulnerability-detection performed too infrequently
• Patch and upgrade installation delayed
• Inability to disable or protect essential services
• Use an IDPS for a Defense in Depth strategy
– Doorknob rattling conducted by footprinting
– Fingerprinting
– Early warning allows time to prepare for attack
• Automated responses lead to unintended
consequence
Justifying the Cost
• Prepare and defend business case using IDPS data
• NIST IDPS key items
– Total cost of ownership well exceeds acquisition costs
– Designed with personnel availability around the clock
• Justify IDPS using Defense in Depth concept
• IDPS can provide information in post-attack review
– Remedy deficiency and trigger improvement process
– Forensic data
• IDPS systems: Network-based, host-based, and
application-based systems
IDPS Network Placement
• Placement of sensor and detection devices or
software programs
– Has significant effect on IDPS operation
• Three widely used IDPS placement options
– Network-based
– Host-based
– Application-based
Network-Based IDPS
• Network-based IDPS (NIDPS)
– Monitors segment traffic
• Looks for ongoing or successful attack indications
• Resides on a computer or appliance connected to that
network segment
– Programmed to recognize attacks and respond
• Examines packets
• Looks for patterns indicating intrusion event under way
or about to begin
– Detects more attack types than host-based IDPS
– More complex configuration, maintenance program
Network-Based IDPS (cont’d.)
• Inline sensor
– Deployed on the interior side of a firewall
• All traffic must pass through sensor, then report back
to the NIDPS
• NIDPS deployment
– Watch specific host computer grouping on specific
network segment
– Installed to monitor all traffic between systems
making up an entire network
Network-Based IDPS (cont’d.)
• Passive sensor
– Sits off to the side of a network segment
– Monitors traffic without mandating traffic physically
pass through the sensor
• Switched port analysis (SPAN) port or mirror port
– Switch or key networking device placed next to a hub
– NIDPS uses that device’s monitoring port
• Snort open source software (http://www.snort.org)
– For complex IDPS sensors and analysis systems
– Manage and query system from a desktop computer
Network-Based IDPS (cont’d.)
• Signature matching
– NIDPSs look for attack patterns
• Compares measured activity to known signatures in
their knowledge base
• Determines if attack occurred or may be under way
– Uses special TCP/IP stack implementation
– NIDPS looks for invalid data packets
– Application protocol verification
• Higher-order protocols examined for unexpected
packet behavior or improper use
• May see valid packets in excessive quantities
Network-Based IDPS (cont’d.)
• Signature matching (cont’d.)
– DNS cache poisoning
• Valid packets exploit poorly configured DNS servers
• Inject false information
• Corrupt servers’ answer to routine DNS queries from
other systems on the network
• Wireless NIDPS
– Monitors and analyzes wireless network traffic
– Looks for potential problems with wireless protocols
– Sensor deployment: at the access points, on
specialized components, or in mobile stations
Network-Based IDPS (cont’d.)
• Wireless NIDPS (cont’d.)
– Centralized management stations collect information
– Detection
• Unauthorized wireless LANs (WLANs) and WLAN
devices; poorly secured WLAN devices; unusual
usage patterns; use of wireless network scanners;
DoS attacks and conditions; impersonation and man-in-the-middle attacks
– Issues
• Higher protocol monitoring; physical security; sensor
range; access point and wireless switch locations;
wired network connections; cost
Network-Based IDPS (cont’d.)
• Advantages and disadvantages of NIDPSs
Host-Based IDPSs
• Host-based IDPS (HIDPS)
– Resides on a particular computer or server (host)
• Monitors activity on that system
– Known as system integrity verifiers
• Benchmarks and monitors key system files status
• Detects when intruder creates, modifies, or deletes
monitored files
– Can monitor system configuration databases and
stored configuration files
– Uses principle of configuration or change
management
Host-Based IDPSs (cont’d.)
• Host-based IDPS (cont’d.)
– Alert or alarm triggers
• File attributes change, new files created, existing files
deleted
– Can monitor systems logs for predefined events
– HIDPS log file provides an independent audit trail
– Very reliable
• False positive alert produced only when authorized
monitored file changed
– Can access encrypted information
– Information to determine legitimate traffic present
Host-Based IDPSs (cont’d.)
• HIDPS configuration
– Simple change-based system
• Relies on file classification into various categories
• Triggers alert on changes within a critical data folder
• Can log all activity and instantly page or e-mail any
administrator
• Can generate large volume of false alarms
– Can monitor multiple computers simultaneously
– Must identify and categorize folders and files
• Common method: red, yellow, and green
• Some systems use an alternative scale of 0–100
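The system-integrity-verifier model on the Host-Based IDPSs slides (benchmark key files, then alert when monitored files are created, modified or deleted, with folders classed red, yellow or green) is shown in the following Python script. It is an added example, not the textbook's material: the directory layout, file contents, category map and the simulated changes are all constructed for the illustration.

```python
"""Host-based IDPS style integrity verifier over a constructed directory tree.

Added example (not from the textbook). Paths, contents and the red/yellow/green
category map are assumptions made for illustration. benchmark() snapshots the
monitored files; compare() reports each change with a severity.
"""
import hashlib
import os
import tempfile

# Site policy (constructed): monitored folders and how critical a change there is.
# red = critical system/config, yellow = worth review, green = expected to change.
CATEGORIES = {"etc": "red", "bin": "red", "home": "yellow", "var/log": "green"}


def _category(relpath):
    for prefix, colour in CATEGORIES.items():
        if relpath == prefix or relpath.startswith(prefix + "/"):
            return colour
    return "yellow"  # unclassified paths default to "review"


def _digest(path):
    """SHA-256 of the file contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def benchmark(root):
    """Snapshot every monitored file: relative path -> (sha256, mode bits, size)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            st = os.stat(full)
            snap[rel] = (_digest(full), st.st_mode & 0o7777, st.st_size)
    return snap


def compare(before, after):
    """Return (relpath, change, severity) for every difference between snapshots."""
    findings = []
    for rel in sorted(set(before) | set(after)):
        if rel not in before:
            change = "created"
        elif rel not in after:
            change = "deleted"
        elif before[rel] != after[rel]:
            change = "modified"  # content, permissions or size changed
        else:
            continue
        findings.append((rel, change, _category(rel)))
    return findings


def demo():
    """Build a constructed tree, take a baseline, apply changes, and compare."""
    with tempfile.TemporaryDirectory() as root:
        for rel, data in {"etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
                          "bin/ls": b"\x7fELF placeholder",
                          "home/alice/notes.txt": b"todo\n",
                          "var/log/syslog": b"boot ok\n"}.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        baseline = benchmark(root)

        # Simulated events: an unexpected uid-0 account line, a new executable,
        # routine log growth, and a deleted user file.
        with open(os.path.join(root, "etc/passwd"), "ab") as f:
            f.write(b"newsvc:x:0:0::/:/bin/sh\n")
        with open(os.path.join(root, "bin/nc"), "wb") as f:
            f.write(b"\x7fELF placeholder 2")
        with open(os.path.join(root, "var/log/syslog"), "ab") as f:
            f.write(b"cron ok\n")
        os.remove(os.path.join(root, "home/alice/notes.txt"))

        return compare(baseline, benchmark(root))


if __name__ == "__main__":
    for rel, change, severity in demo():
        print(f"[{severity:6s}] {change:8s} {rel}")
```

The green finding for the growing log is exactly the "false alarm from an authorized change" the slides warn about; the category map is what lets a simple change-based system page an administrator for the red findings while only logging the green one.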
Host-Based IDPSs (cont’d.)
• Advantages and Disadvantages of HIDPS
Application-Based IDPS
• Application-based IDPS (AppIDPS)
– Examines an application for abnormal events
• Looks for anomalous occurrences
– Tracks interaction between users and applications
• Allows tracing of specific activity back to individual
users
– Can view encrypted data
– Types of requests examined
• File systems, network, configuration, execution space
– The need for intrusion detection is organization
dependent
Application-Based IDPS (cont’d.)
• Advantages and disadvantages of AppIDPS
IDPS Detection Approaches
• Signature-based IDPS (knowledge-based)
– Examines data traffic in search of patterns matching
known signatures
– Weaknesses
• Signatures must be continually updated
• Time frame over which attacks occur
• Anomaly-based IDPS (behavior-based IDPS)
– Samples network activity and applies statistical
analysis against a baseline
– Clipping level
• Measured activity outside baseline parameters
IDPS Detection Approaches (cont’d.)
• Anomaly-based IDPS (cont’d.)
– Advantage
• Can detect new attack types
– Disadvantages
• Requires overhead and processing capacity
• May not detect minor changes to system variables
generating false positives
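The two detection approaches above are put side by side in the following Python example, added here and not drawn from the textbook. The signature knowledge base, the sample requests (including a URL-encoded variant that a naive pattern misses until the input is normalised, which is why signatures "must be continually updated"), the per-minute connection counts that form the baseline, and the clipping level of three standard deviations are all constructed for the illustration.

```python
"""Signature-based versus anomaly-based detection over constructed data.

Added example (not from the textbook). The signature list, request samples,
traffic counts and clipping level below are constructed for illustration.
"""
import re
import statistics
from urllib.parse import unquote_to_bytes

# Knowledge base for the signature-based detector: pattern -> signature name.
SIGNATURES = {
    re.compile(rb"\.\./\.\./"):          "PATH_TRAVERSAL",
    re.compile(rb"(?i)union\s+select"):  "SQLI_UNION",
    re.compile(rb"(?i)<script[\s>]"):    "XSS_SCRIPT_TAG",
}


def signature_scan(payload, normalize=False):
    """Return the names of every known signature matching the payload.
    With normalize=True the payload is URL-decoded first, so an encoded
    variant is compared against the same signature as the plain one."""
    if normalize:
        payload = unquote_to_bytes(payload)
    return [name for pat, name in SIGNATURES.items() if pat.search(payload)]


def build_baseline(samples):
    """Learn (mean, population stdev) from a training window of normal counts."""
    return statistics.mean(samples), statistics.pstdev(samples)


def anomaly_scan(observed, baseline, clipping_level=3.0):
    """Flag every (index, count) outside mean +/- clipping_level * stdev.
    Spikes and unexpected drops are both outside the baseline parameters."""
    mean, sd = baseline
    return [(i, x) for i, x in enumerate(observed)
            if abs(x - mean) > clipping_level * sd]


# Constructed inputs
REQUESTS = [
    b"GET /index.html HTTP/1.1",
    b"GET /download?file=../../etc/passwd HTTP/1.1",
    b"GET /search?q=' UNION SELECT name, pw FROM users-- HTTP/1.1",
    b"GET /search?q=%27%20UNION%20SELECT%20name HTTP/1.1",  # encoded variant
]
TRAINING = [100, 104, 98, 101, 99, 103, 97, 102, 100, 96]  # connections/min, normal day
OBSERVED = [101, 99, 240, 100, 55]                          # minutes under observation


def main():
    for req in REQUESTS:
        print(f"raw: {signature_scan(req)!s:20s} normalized: "
              f"{signature_scan(req, normalize=True)}  <- {req[:45]!r}")
    baseline = build_baseline(TRAINING)
    print(f"baseline mean={baseline[0]:.1f} stdev={baseline[1]:.2f}")
    for i, x in anomaly_scan(OBSERVED, baseline):
        print(f"minute {i}: {x} connections is outside the clipping level")


if __name__ == "__main__":
    main()
```

The signature detector names the attack it knows about but says nothing about the spike to 240 connections or the drop to 55; the anomaly detector flags both without naming either. The anomaly detector also needs its baseline re-learned whenever legitimate traffic patterns change, which is the overhead the slides list as its disadvantage.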
IDPS Detection Approaches (cont’d.)
• Log file monitor (LFM)
– Type of IDPS similar to the NIDPS
– Reviews servers, network devices, other IDPSs log
files
– Can look at multiple log files from a number of
different systems
– Uses a holistic approach
• Requires considerable resource allocation
Automated Response
• New systems can respond to incident threats
autonomously
– Based on preconfigured options
– Goes beyond usual IDPS and IPS defensive actions
• Trap and trace
– Uses a combination of resources to:
• Detect an intrusion
• Trace the intrusion back to its source
– Allows security administrators to take the offense
– Legal issue: temptation to back hack
Automated Response (cont’d.)
• Honeypots and honeynets
• Honeypots
– Servers configured to resemble production systems
– Closely monitored network decoys
– Advantages
• Distracts adversaries from more valuable machines
• Provides early warning about new attack trends
• Allows in-depth examination of adversaries
– Two general types
• Production and research
Automated Response (cont’d.)
• Honeytoken
– System resource placed onto a functional system
• No normal use for that system
– Unauthorized access triggers notification or response
• Honeynet (honeypot farm)
– High-interaction honeypot
– Designed to capture extensive information on threats
– Network of systems designed for attacker interaction
• Inbound connections: indicates probe, scan, attack
• Outbound connections: indicates system compromise
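Three points from the slides can be implemented together: the log file monitor described under IDPS Detection Approaches (reads log files from many different systems and takes a holistic view), the honeytoken (a resource with no normal use, so any access is unauthorized by definition), and the honeynet rule that inbound connections indicate probing while outbound connections indicate compromise. The Python below is an added example and not the textbook's material; its host names, addresses, log formats, decoy file name, threshold and the severity labels (reusing the possible/probable/definite vocabulary from earlier slides) are constructed for the illustration.

```python
"""Log file monitor over constructed logs from several systems, with a honeytoken
rule and a honeynet connection-direction rule.

Added example (not from the textbook). Host names, addresses, log formats, the
decoy file path and the thresholds are constructed for illustration.
"""
import re
from collections import defaultdict

HONEYPOTS = {"10.0.9.10", "10.0.9.11"}                       # constructed honeynet hosts
HONEYTOKEN = "/srv/finance/payroll_2024_FINAL.xlsx"        # constructed decoy file
FAILED_LOGIN_THRESHOLD = 3                                  # attempts before escalating

# Constructed log lines from three kinds of system. Read alone, each file looks
# unremarkable; the brute-force pattern only appears when they are read together.
LOGS = {
    "auth.log (web01)": [
        "Mar 04 10:01:02 web01 sshd[411]: Failed password for admin from 198.51.100.9 port 4021",
        "Mar 04 10:01:05 web01 sshd[411]: Failed password for admin from 198.51.100.9 port 4022",
    ],
    "auth.log (db01)": [
        "Mar 04 10:01:09 db01 sshd[902]: Failed password for root from 198.51.100.9 port 4030",
        "Mar 04 10:01:13 db01 sshd[902]: Accepted password for backup from 10.0.0.5 port 5110",
    ],
    "audit.log (files01)": [
        "Mar 04 10:02:40 files01 smbd[77]: user alice opened /srv/finance/q1_report.xlsx",
        "Mar 04 10:02:58 files01 smbd[77]: user svc_print opened /srv/finance/payroll_2024_FINAL.xlsx",
    ],
    "firewall.log (fw01)": [
        "Mar 04 10:03:01 fw01 ACCEPT TCP 198.51.100.9:5555 -> 10.0.9.10:22",
        "Mar 04 10:03:30 fw01 ACCEPT TCP 10.0.9.10:40100 -> 198.51.100.9:443",
    ],
}

FAILED_RE = re.compile(r"Failed password for (\S+) from (\S+) port")
OPENED_RE = re.compile(r"user (\S+) opened (\S+)")
FW_RE = re.compile(r"(ACCEPT|DROP) (\w+) ([\d.]+):\d+ -> ([\d.]+):\d+")


def monitor(logs):
    """Scan every log source and return a list of (severity, rule, detail)."""
    findings = []
    failures = defaultdict(list)  # source address -> [(host, user), ...]
    for source, lines in logs.items():
        for line in lines:
            host = line.split()[3]  # syslog-style: "Mar 04 10:01:02 <host> ..."
            m = FAILED_RE.search(line)
            if m:
                user, src = m.groups()
                failures[src].append((host, user))
                continue
            m = OPENED_RE.search(line)
            if m and m.group(2) == HONEYTOKEN:
                findings.append(("definite", "honeytoken_access",
                                 f"{m.group(1)} opened decoy {HONEYTOKEN} on {host}"))
                continue
            m = FW_RE.search(line)
            if m:
                _action, proto, src, dst = m.groups()
                if src in HONEYPOTS:
                    findings.append(("definite", "honeypot_outbound",
                                     f"{src} -> {dst} {proto}: honeypot initiated traffic, compromise indicated"))
                elif dst in HONEYPOTS:
                    findings.append(("probable", "honeypot_inbound",
                                     f"{src} -> {dst} {proto}: probe, scan or attack attempt"))
    # Holistic rule: repeated failures from one address spread over several hosts.
    for src, attempts in failures.items():
        hosts = sorted({h for h, _ in attempts})
        if len(attempts) >= FAILED_LOGIN_THRESHOLD and len(hosts) > 1:
            findings.append(("probable", "distributed_brute_force",
                             f"{src}: {len(attempts)} failed logins across {hosts}"))
    return findings


if __name__ == "__main__":
    order = {"definite": 0, "probable": 1, "possible": 2}
    for severity, rule, detail in sorted(monitor(LOGS), key=lambda f: order[f[0]]):
        print(f"[{severity:8s}] {rule:24s} {detail}")
```

The two "definite" findings are what the slides call definite indicators (the decoy has no legitimate use, and a honeypot should never originate connections), so they are the ones that would activate the IR plan; the "probable" findings go to the analyst for verification first. The separate rule pass over the collected failures, rather than a per-line check, is the holistic approach that costs an LFM its extra resources.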
Automated Response (cont’d.)
• Legal issues with honeypots and honeynets
– Line between enticement and entrapment
– Fourth amendment to the U.S. Constitution
– Electronic Communications Protection Act
– Pen Register, Trap and Trace Devices law (Pen/Trap
statute)
– Wasp trap syndrome
• Downside of current enhanced automated response
systems may outweigh the upside
Incident Decision Making
• Incident known to be underway
– Must determine actual incidents a…