Incident detection strategies
NIST SP 800-61, Rev. 1 provides a five-category incident classification scheme for network-based incidents:
Denial of service—An attack that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources
Malicious code—A virus, worm, Trojan horse, or other code-based malicious entity that successfully infects a host
Unauthorized access—When a person, without permission, gains logical or physical access to a network, system, application, data, or other IT resource
Inappropriate usage—When a person violates acceptable use of any network or computer policies
Multiple component—A single incident that encompasses two or more incidents
Cyber kill chain
a series of steps that follow stages of a cyberattack from the early reconnaissance stages to the exfiltration of data; it helps you understand, identify, and combat many cyberattack strategies and advanced persistent threats
four types of adverse events that are probable indicators of actual incidents:
activities at unexpected times
presence of unexpected new accounts
reported attacks
notification from an IDPS
Incident candidates
an adverse event that is a possible incident
Noise
candidate events that are legitimate activities wrongly reported as incident candidates in a properly designed system (whether human-based or machine-based)
Violation of policy
if organizational policies addressing information or information security have been violated, an incident has occurred
Violation of law
if the law has been broken and the organization's info assets are involved, an incident has occurred
Loss of availability
info or info systems become unavailable
four types of indicators that actual incidents are possibly under way:
presence of unfamiliar files
presence or execution of unknown programs or processes
unusual consumption of computing resources
unusual system crashes
Ransomware
software designed to penetrate security controls, identify valuable content, and then encrypt files and data in place in order to extort payment for the key needed to unlock the encryption
False negatives
the failure of a technical control to react to the intended stimulus so that it goes unreported
Footprinting
the organized research and investigation of Internet addresses owned or controlled by a target organization
Tuning
the process of adjusting a technical control to maximize its efficiency in detecting true positives while minimizing false positives and false negatives
Incident classification
the process of evaluating the circumstances of reported events
Fingerprinting
a potential attacker's process of gathering information about the organization and its network activities, followed by the process of identifying the organization's network assets
five types of adverse events that are definite indicators of an actual incident (they clearly and specifically signal that an incident is in progress or has occurred):
use of dormant accounts
changes to logs
presence of hacker tools
notifications by partner or peer
notification by hacker
Loss of integrity
users report corrupt data files, garbage where data should be, or data that just looks wrong
Incident
when an adverse event becomes a genuine threat to the ongoing operations of an organization
Loss of confidentiality
you are notified of sensitive information leaks, or info you thought was protected has been disclosed