Cyber_Sec Ch 15


In a certification authority workstation, for example, a list of security events can include the following:

- Logging an operator into or out of the system
- Performing a cryptographic operation, such as signing a digital certificate or certificate revocation list
- Performing a cryptographic card operation (creation, insertion, removal, or backup)
- Performing a digital certificate life cycle operation (rekey, renewal, revocation, or update)
- Posting a digital certificate to an X.500 directory
- Receiving a key compromise notification
- Receiving an improper certification request
- Detecting an alarm condition reported by a cryptographic module
- Failing a built-in hardware self-test or a software system integrity check

Only the final four events in this list are security incidents. This section and the following one address issues related to security events. Sections 15.6

Stallings, William. Effective Cybersecurity. Pearson Education. Kindle Edition.

What to Log

- *Operating system logs*: Successful user logon/logoff; failed user logon; user account change or deletion; service failure; password changes; service started or stopped; object access denied; object access changed
- *Network device logs*: Traffic allowed through firewall; traffic blocked by firewall; bytes transferred; protocol usage; detected attack activity; user account changes; administrator access
- *Web servers*: Excessive access attempts to nonexistent files; code (for example, SQL [Structured Query Language] or HTML [Hypertext Markup Language]) seen as part of the URL; attempted access to extensions not implemented on the server; web service stopped/started/failed messages; failed user authentication; invalid request; internal server error

phishing

A digital form of social engineering that attempts to acquire sensitive data, such as bank account numbers or passwords, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person.

Types of Threats

A number of organizations have published taxonomies or catalogs of threat types. NIST provides a catalog consisting of 83 adversarial threat events and 18 non-adversarial threat events in SP 800-30, Guide for Conducting Risk Assessments. The adversarial threats are organized based on the cyber attack kill chain, discussed in Section 15.5. The non-adversarial threat events include user error, hardware failures, and environmental events. The European Union Agency for Network and Information Security (ENISA) Threat Taxonomy [ENIS16] lists 177 separate threats. The Web Application Security Consortium (WASC) Threat Classification [WASC10] lists 34 threat types. The Information Security Forum's (ISF's) Standard of Good Practice for Information Security (SGP) lists 22 adversarial threats, 11 accidental threats, and 13 environmental threats; Table 15.2 shows the SGP's lists of threats.

APT Attack

A typical APT attack proceeds through the following steps:

1. Conduct background research. An APT attack begins with research on potential targets to identify specific avenues of attack. This maximizes the chance of the target reacting as desired.
2. Execute the initial attack. Typically, the initial attack targets one or more specific individuals through some form of social engineering: embedding a link to malicious content into an email message, an instant message, or a social media posting or another attack vector and then persuading the target to open an attachment or click on a link to infect one or more devices with malicious software.
3. Establish a foothold. The APT establishes an initial foothold into the target environment by using customized malware. In almost every case, that custom software does not trigger any antivirus alert, but it does let the APT know about the successful attack. The initial infection tool, sometimes called first-stage malware, can have very little malicious functionality, but it generally is able to beacon home and download additional functionality, sometimes called second-stage malware.
4. Enable persistence. One of the primary objectives of the APT is to establish persistent command and control over compromised computers in the target environment—meaning control and access that survives a reboot of the targeted device and provides the APT with regular connectivity to the target environment. In most cases, this persistence is established simply by installing new services (including the attacker's command-and-control software) on the target computer that automatically start when the computer boots.
5. Conduct enterprise reconnaissance. After establishing persistent access to the target environment, the APT typically attempts to find the servers or storage facilities holding the targeted information. In most cases, the reconnaissance uses the tools available on the compromised computers. In some cases, the APT uploads scanning tools to search for specific types of systems (for example, identity and access management, authentication, virtual private networks [VPNs], database or email servers).
6. Move laterally to new systems. Part of enterprise reconnaissance necessarily includes moving laterally to new systems to explore their contents and understand the new parts of the enterprise accessed from the new systems. The APT can directly install command-and-control software on new systems to expand persistent access to the environment.
7. Escalate privileges. As the attackers conduct reconnaissance and move around the network using the compromised credentials of their first few targets, they inevitably seek to escalate from local user to local administrator to higher levels of privilege in the environment so that they are not constrained to any specific part of the environment. In enterprises where access to information is tightly controlled, compromising all the credentials in the environment allows the attackers to masquerade as anyone in the environment and access any resource they desire.
8. Gather and encrypt data of interest. Having found the data of interest to the attackers, the APT generally gathers the data into an archive and then compresses and encrypts the archive. This enables the APT to hide the contents of the archive from technologies that include deep packet inspection and data loss prevention (DLP) capabilities at the enterprise boundary.
9. Exfiltrate data from victim systems. The APT uses a variety of tools and protocols to surreptitiously transfer data from the target systems.
10. Maintain persistent presence. An APT seeks to attain what its controllers have tasked it to do: maintain access to the target environment. It is not uncommon for the APT to sit undetected in an enterprise network for lengthy periods of time before being activated.

TABLE 15.2 Threats Defined in the SGP

Adversarial Threats

- Session hijacking
- Unauthorized access to legitimate authentication credentials
- Exploit vulnerable authorization mechanisms
- Unauthorized monitoring and/or modification of communications
- Denial of service (DoS) attack
- Exploit insecure disposal of an organization's information assets
- Introduce malware to information systems
- Exploit misconfigured organizational information systems
- Exploit design or configuration issues in an organization's remote access service
- Exploit poorly-designed network architecture
- Misuse of information systems
- Unauthorized physical access to information systems
- Physical damage to or tampering with information systems
- Theft of information system hardware
- Conduct physical attacks on organizational facilities or their supporting infrastructure
- Unauthorized network scanning and/or probing
- Gathering publicly-available information about an organization
- Phishing
- Insert subversive individuals into organizations
- Interpersonal manipulation
- Exploit vulnerabilities in an organization's information systems
- Compromise supplier or business partner of target organization

Accidental Threats

- User error (accidental)
- Mishandling of critical and/or sensitive information by authorized users
- User error (negligence)
- Loss of information systems
- Undesirable effects of change
- Resource depletion
- Misconfiguration
- Maintenance error
- Software malfunction (internally produced software)
- Software malfunction (externally acquired software)
- Accidental physical damage

Environmental Threats

- Pathogen (e.g., disease outbreak)
- Storm (hail, thunder, blizzard)
- Hurricane
- Tornado
- Earthquake
- Volcanic eruption
- Flooding
- Tsunami
- Fire (wild)
- Power failure or fluctuation
- Damage to or loss of external communications
- Failure of environmental control systems
- Hardware malfunction or failure

Another useful source of threat intelligence is information sharing and analysis centers (ISACs).

An ISAC is a **nonprofit organization, generally sector specific, that provides a central resource for gathering information on cyber threats** to critical infrastructure and providing two-way sharing of information between the private and public sector. In the United States, the National Council of ISACs is a central home for many ISACs. Although U.S. based, these ISACs generally have **global significance**.

Threat Taxonomy

In order to effectively use threat intelligence and respond to attacks, it is important to have a clear understanding of the types of threats faced by the enterprise. This entails understanding the potential sources of threats as well as the types of threats that may occur.

SEM Functions

The first phase of event management is the collection of event data in the form of logs, as discussed in the preceding section. As event data are generated, they are generally stored in logs local to the devices that generate them. A number of steps need to be taken at this point:

- Normalization: For effective management, the log data needs to be in a common format to enable further processing.
- Filtering: This step includes assigning priorities to various types of events. On the basis of priority, a large number of events can be set aside and not subject to further analysis, or they can be archived in case there is a need to review them later.
- Aggregation: The IT facility of a large enterprise generates millions of events per day. It is possible to aggregate them by categories into a more manageable amount of data. For example, if a particular type of traffic is blocked a number of times, it is sufficient to record as a single aggregate event the type of traffic and the number of times it was blocked over a particular time frame.

Simplify

A simplification of the overall security infrastructure has benefits in and of itself and also makes the task of SEM easier. There are several considerations in this regard:

- Over time, the security infrastructure can contain elements that are either no longer needed because they duplicate other functions or that are configured or deployed ineffectively. Remove, reconfigure, or redeploy these elements.
- As much as feasible, retire legacy software and equipment and consolidate external routes into the enterprise network.
- Consider grouping high-value assets together for highest security.
- Deploy a default deny policy as broadly as possible. For example, perhaps only user actions that are specifically allowed are performed, and all others are prohibited. Or maybe applications on a whitelist are allowed to run, and all others are automatically blocked. Default deny makes for short and elegant configuration, fewer events that need investigation, and greater overall security.
- Another aspect of simplification is to configure and deploy systems in such a way as to reduce the number of alerts and especially the number of false positives. For example, logically group servers so that sensors selectively ignore Windows attacks directed at UNIX systems and vice versa.

Analysis includes the following aspects:

- Pattern matching: It is important to look for data patterns within the fields of stored event records. A collection of events with a given pattern can signal a security incident.
- Scan detection: Often, an attack begins with a scan of IT resources by the attacker, such as port scans, vulnerability scans, or other types of pings. A substantial number of scans being found from a single source or a small number of sources can signal a security incident.
- Threshold detection: A straightforward form of analysis is the detection of a threshold being crossed. For example, if the number of occurrences of a type of event exceeds a given threshold in a certain time period, that constitutes an incident.
- Event correlation: Correlation consists of using multiple events from a number of sources to determine that an attack or suspicious activity occurred. For example, if a particular type of attack proceeds in multiple stages, the separate events that record those multiple activities need to be correlated in order to see the attack. Another aspect of correlation is to correlate particular events with known system vulnerabilities, which might result in a high-priority incident.

Sources of security events that can be logged include the following:

- Server and workstation operating system logs
- Application logs (for example, web server, database server)
- Security tool logs (for example, antivirus, change detection, intrusion detection/prevention system)
- Outbound proxy logs and end-user application logs
- Firewalls and other perimeter security devices for traffic between local user and remote database or server (referred to as north-south traffic)
- Security devices between data center storage elements that communicate across a network (referred to as east-west traffic), which may involve virtual machines and software-based virtual security capabilities

log: A record of the events occurring within an organization's systems and networks.

Threat Sources

The nature of threats depends to a great extent on the type of source. Threat sources can be categorized as follows:

- Adversarial: Individuals, groups, organizations, or states that seek to exploit the organization's dependence on cyber resources (that is, information in electronic form, information and communications technologies, and the communications and information-handling capabilities provided by those technologies)
- Accidental: Erroneous actions taken by individuals in the course of executing their everyday responsibilities
- Structural: Failures of equipment, environmental controls, or software due to aging, resource depletion, or other circumstances that exceed expected operating parameters
- Environmental: Natural disasters and failures of critical infrastructures on which the organization depends, but which are outside the control of the organization

The Importance of Threat Intelligence

The primary purpose of threat intelligence is to help organizations understand the risks of the most common and severe external threats, such as advanced persistent threats (APTs), exploits, and zero-day threats. Although threat actors also include internal (or insider) and partner threats, the emphasis is on the types of external threats that are most likely to affect a particular organization's environment. Threat intelligence includes in-depth information about specific threats to help an organization protect itself against the types of attacks that could do it the most damage.

advanced persistent threat (APT): A network attack in which an unauthorized person gains access to a network and stays there, undetected, for a long period of time. The intention of an APT attack is to steal data rather than to cause damage to the network or organization. APT attacks target organizations in sectors with high-value information, such as national defense, manufacturing, and the financial industry. APTs differ from other types of attacks in their careful target selection and persistent, often stealthy, intrusion efforts over extended periods.

exploit: An attack on a computer system, especially one that takes advantage of a particular vulnerability the system offers to intruders.

zero-day threat: The threat of an unknown security vulnerability in a computer software or application for which either a patch has not been released or the application developers are unaware or have not had sufficient time to address the issue. A zero-day attack is also sometimes defined as an attack that takes advantage of a security vulnerability on the same day that the vulnerability becomes generally known.

Gathering Threat Intelligence

The starting point for using threat intelligence is, of course, to gather that intelligence. This section looks at the wide variety of sources available to assist security personnel in this task.

15.4 Threat Intelligence

Threat intelligence, also known as cyber threat intelligence (CTI), or cyberintelligence, is the knowledge established as a result of analyzing information about potential or current attacks that threaten an organization. The information is taken from a number of internal and external sources, including application, system, and network logs; security products such as firewalls and intrusion detection systems; and dedicated threat feeds.

"Preparing for Security Event Management" [HUTT07] lists the following objectives:

- Understand your priorities. What systems should you plug into the SEM first, and what part of your IT is subject to the most attacks?
- Determine which portions of the IT infrastructure are critical. This will dictate the alert level settings configured within the SEM for various IT infrastructure components.
- Determine which events are logged and which are not, as well as the level of detail of the logging for each logged event.
- Develop an inventory of all security products, their intended use, and whether or not each product is being used properly.
- Understand where you need vulnerability remediation before event management. SEM software works best when used to monitor well-configured systems; it does not fix things that are currently insecure or broken.

More specific questions about the SEM to guide acquisition and development include the following:

- Which systems should be monitored?
- Which events are important, and what information should be collected from the local logs?
- Where should the central event log be stored, and how will it be protected and accessed?
- How long should log data be retained?
- How will the event data be analyzed to generate meaningful alerts and metrics?
- How will the performance of the SEM system be monitored?

External Sources

While it is possible to assign the threat intelligence task to one or more employees whose job it is to engage in research on existing and evolving threats, a more effective approach is to subscribe to a regular feed of threat data from a threat intelligence subscription service. One commercial example is Wapack Labs Cyber Threat Analysis Center (http://www.wapacklabs.com/). There are a number of cyberintelligence vendors whose services can be employed. In addition, many of the sources of vulnerability information, such as CERTs, discussed in Section 15.1, are useful sources of threat intelligence.

Log Management Policy

NIST SP 800-92, Guide to Computer Security Log Management, recommends addressing the following questions in a log management policy:

log management: The process for generating, transmitting, storing, analyzing, archiving, and disposing of log data.

- Log generation:
  - Which types of hosts perform logging?
  - Which host components perform logging (for example, operating system, service, application)?
  - Which types of events does each component log (for example, security events, network connections, authentication attempts)?
  - Which data characteristics are logged for each type of event (for example, username and source IP address for authentication attempts)?
  - How frequently is each type of event logged (for example, every occurrence, once for all instances in x minutes, once for every x instances, every instance after x instances)?
- Log transmission:
  - Which types of hosts transfer logs to a log management infrastructure?
  - Which types of entries and data characteristics are transferred from individual hosts to a log management infrastructure?
  - How is log data transferred (for example, which protocols are permissible), including out-of-band methods, where appropriate (for example, for standalone systems)?
  - How frequently is log data transferred from individual hosts to a log management infrastructure (for example, in real time, every five minutes, every hour)?
  - How are the confidentiality, integrity, and availability of each type of log data protected while in transit, and is a separate logging network used?
- Log storage and disposal:
  - How often are logs rotated or archived?
  - How are the confidentiality, integrity, and availability of each type of log data protected while in storage (at both the system level and the application level)?
  - How long is each type of log data preserved (at both the system level and the infrastructure level)?
  - How is unneeded log data disposed of (at both the system level and the infrastructure level)?
  - How much log storage space is available (at both the system level and the infrastructure level)?
  - How are log preservation requests, such as a legal requirement to prevent the alteration and destruction of particular log records, handled (for example, how the impacted logs must be marked, stored, and protected)?
- Log analysis:
  - How often is each type of log data analyzed (at both the system level and the infrastructure level)?
  - Who is able to access the log data (at both the system level and the infrastructure level), and how are accesses logged?
  - What should happen when suspicious activity or an anomaly is identified?
  - How are the confidentiality, integrity, and availability of the results of log analysis (for example, alerts, reports) protected while in storage (at both the system level and the infrastructure level) and in transit?
  - How does the organization handle inadvertent disclosures of sensitive information recorded in logs, such as passwords or the contents of emails?
