Importance of Computer Security Incident Taxonomy

Establishing an accepted taxonomy in computer security incidents is crucial for developing common reporting criteria, standardized processes, and a universal language. Without a taxonomy, sharing data becomes hindered by non-standard terminology, leading to challenges in information exchange and incident management. Various taxonomies have been developed, with the Sandia Labs and Carnegie Mellon University's CERT/CC taxonomy being one of the most comprehensive studies in the field.

  • Computer Security
  • Incident Taxonomy
  • Data Sharing
  • Information Exchange
  • Standardization

Uploaded on Feb 24, 2025 | 0 Views


Presentation Transcript

  1. Lesson 2: Computer Security Incidents Taxonomy

  2. Need an accepted taxonomy because . . .
     • Provides a common frame of reference
     • If no taxonomy, then we:
       • Can't develop common reporting criteria
       • Can't develop processes and standardization
       • Ultimately, no IA Common Language

  3. Must have these characteristics . . .
     • Logically related columns (diagram: a taxonomy drawn as numbered, logically related columns)
     • Must be: Exhaustive, Mutually exclusive, Repeatable, Unambiguous, Accepted, Useful

  4. Where to start?
     • The inability to share data because of non-standard terminology is not a new problem
     • For this reason several computer security taxonomies have already been developed
     • Most comprehensive study done by Sandia Labs in conjunction with Carnegie Mellon University
     • Currently in use at Carnegie Mellon's CERT/CC
     • Sandia Report: "A Common Language for Computer Security Incidents", John D. Howard and Thomas A. Longstaff (October 1998)

  5. Sandia Labs Network Based Taxonomy (Incident > Attack > Event)
     • Attackers: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs
     • Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit, Distributed Tool, Data Tap
     • Vulnerability: Design, Implementation, Configuration
     • Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read, Copy, Steal, Modify, Delete
     • Target: Account, Process, Data, Component, Computer, Network, Internetwork
     • Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, Denial of Service, Theft of Resources
     • Objectives: Challenge, Status, Thrills; Political Gain; Financial Gain; Damage

  6. Basic Model
     • Incident: Attackers (Intruders), Attacks (Intrusions), Objectives
     • Attack: Tool, Vulnerability, Action, Target, Unauthorized Result

  7. Computer Network Incident
     • Intruders: Hackers, Terrorists, Other
     • Defended Network
     • Unauthorized result: Increased access, Disclosure of info, Theft of resources, Corruption of info, Denial of Service
     • Objectives: Status/Thrills, Political Gain, Financial Gain, Damage

  8. Intrusion Taxonomy
     • Intrusion: Intruders, Tool, Vulnerability, Action, Target, Unauthorized Result, Objectives
     • Event: Action, Target

  9. Intrusion
     • Connection
     • Vulnerabilities: Design, Implementation, Configuration
     • Tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
     • Events: Action, Target
     • Unauthorized Results: Increased access, Disclosure, Corrupt data, Denial of Service, Theft
     • Objectives: Thrills, Political Gain, Financial Gain, Damage

  10. Attempted Intrusion
     • Connection
     • Vulnerabilities: Design, Implementation, Configuration
     • Tools: Physical force, Info exchange, User command, Script/Program, Autonomous agent, Toolkit, Distributed tool, Data tap
     • No Unauthorized Results
     • Objectives: Thrills, Political Gain, Financial Gain, Damage

  11. Intrusion taxonomy in practice . . . (Sandia Labs taxonomy diagram, annotated "Computer Network Intrusion")

  12. Intrusion taxonomy in practice . . . (Sandia Labs taxonomy diagram, annotated "Authorized User" and "Insider Threat")

  13. Taxonomy applied: A Case Study

  14. Intrusion 1 (Sandia Labs taxonomy diagram; highlighted result: Increased Access)

  15. Intrusion 1 - Increased Access (diagram; highlighted result: Root Access; next: Intrusion 2)

  16. Intrusion 2 - Root Level Access; Intrusion 1 - Increased Access (diagram; highlighted result: Disclosure of Information; next: Intrusion 3)

  17. Intrusion 3 - Disclosure of Information; Intrusion 2 - Root Level Access; Intrusion 1 - Increased Access

  18. Intrusion 3 - Disclosure of Information; Intrusion 2 - Root Level Access; Intrusion 1 - Increased Access (diagram; highlighted: Disclosure of Information, Theft of Resources, Script or Program, Modify)

  19. New definition: Intrusion Set
     • Multiple related intrusions = Intrusion Set
     • Multiple Events (Tool, Vulnerability, Action, Target, Unauthorized Result) tied to an Objective and an Intruder
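As an added example that is not part of the slide deck or the Sandia report, the columns of slide 5 are encoded below as fixed term sets with a validator (the "common language" check), and the three escalating intrusions of the case study on slides 14 to 18 are grouped into an intrusion set as slide 19 defines it. The intruder label "intruder-A" and the tool, vulnerability, action and target chosen for each intrusion are assumptions.

```python
# Added example, not from the slide deck or the Sandia report: slide-5 columns as fixed term sets,
# a validator for the "common language", and the slide 14-18 case study grouped as an intrusion set.
from dataclasses import dataclass
from typing import Dict, List, Tuple

TAXONOMY: Dict[str, frozenset] = {col: frozenset(terms.split(", ")) for col, terms in {
    "tool": "physical attack, information exchange, user command, script or program, "
            "autonomous agent, toolkit, distributed tool, data tap",
    "vulnerability": "design, implementation, configuration",
    "action": "probe, scan, flood, authenticate, bypass, spoof, read, copy, steal, modify, delete",
    "target": "account, process, data, component, computer, network, internetwork",
    "unauthorized_result": "increased access, disclosure of information, "
                           "corruption of information, denial of service, theft of resources",
}.items()}

def columns_are_disjoint() -> bool:
    """Mutual exclusivity (slide 3): no term may belong to two columns."""
    cols = list(TAXONOMY.values())
    return all(a.isdisjoint(b) for i, a in enumerate(cols) for b in cols[i + 1:])

@dataclass(frozen=True)
class Attack:
    """Attack = tool + vulnerability + event (action on a target) + unauthorized result."""
    tool: str
    vulnerability: str
    action: str
    target: str
    unauthorized_result: str
    def validate(self) -> List[str]:
        """Fields whose value lies outside the taxonomy; an empty list means well-formed."""
        return [col for col, terms in TAXONOMY.items() if getattr(self, col) not in terms]
    def key(self) -> str:
        """Canonical common-language string, identical however the reporter phrased it."""
        return " / ".join(getattr(self, col) for col in TAXONOMY)

def intrusion_sets(records: List[Tuple[str, Attack]]) -> Dict[str, List[Attack]]:
    """Group intrusions by intruder: multiple related intrusions form one intrusion set (slide 19)."""
    sets: Dict[str, List[Attack]] = {}
    for intruder, attack in records:
        if attack.validate():  # refuse records written outside the common language
            raise ValueError(f"{attack.key()!r} uses non-taxonomy terms")
        sets.setdefault(intruder, []).append(attack)
    return sets

# Constructed case-study records; intruder label and per-step terms are assumptions ("root level access" -> "increased access").
CASE_STUDY: List[Tuple[str, Attack]] = [
    ("intruder-A", Attack("user command", "design", "authenticate", "account", "increased access")),
    ("intruder-A", Attack("user command", "design", "bypass", "process", "increased access")),
    ("intruder-A", Attack("user command", "design", "steal", "data", "disclosure of information")),
]
```

A record whose terms fall outside the columns is rejected by `intrusion_sets`, which is the point of a shared vocabulary: two reporters describing the same intrusion produce the same `key()`.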

  20. Who? What? Why?
     • . . . answer the what
     • Need more information to get to attribution
     • Need to know who?
     • Need to know why?

  21. Who and Why?
     • Intrusion Set: Tool, Vulnerability, Action, Target, Unauthorized Result
     • Intruders and Objectives: Attribution

  22. Objective reporting criteria
     • Intrusion(s): not every event? Including intrusion
     • (Sandia Labs taxonomy diagram with attackers and objectives grouped into Groups 1 to 4: Hackers, Spies, Terrorists, Corporate Raiders, Professional Criminals, Vandals, Voyeurs against Challenge/Status/Thrill, Pol/Mil Gain, Financial Gain, Damage)

  23. New Work
     • US Military: US Cyber Command
     • FBI: Cyber Forensic Centers
     • MITRE ATT&CK Matrix: Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) is a model and framework for describing the actions an adversary may take while operating within an enterprise network.

  24. MITRE ATT&CK Matrix: https://attack.mitre.org/wiki/File:ATT%26CK_Matrix.png#file (REF: https://attack.mitre.org/index.php/Main_Page)

  25. SUMMARY
     • Common Taxonomy Developed
     • Increased Data Sharing
     • Ongoing Prosecutions Increasing
     • More Frameworks Emerging