Detection and Decision Making

Anonymous
Asked: Feb 7th, 2019

Question Description

Review an article about Incident Response: Detection and Decision Making. The review is between 400 and 550 words and should summarize the article. Please include how it applies to our topic, and why you found it interesting.

Unformatted Attachment Preview

Principles of Incident Response and Disaster Recovery, 2nd Edition
Chapter 5: Incident Response: Detection and Decision Making

Objectives
- Define incidents that pose a risk to the organization
- Discuss the elements necessary to detect incidents
- Explain the components of an intrusion detection and prevention system
- Describe the processes used in making decisions about incident detection and escalation

Introduction
- Organizations' challenge
  - Classifying events as they occur
- Event
  - Any observable system or network occurrence
- Adverse event
  - Event with negative consequences
  - Systems: computer, personnel, organization based
  - Not all events are computer or network oriented
- Event sources
  - Product of routine system activities, critical situations

Introduction (cont'd.)
- Incident
  - Occurs when an adverse event becomes a genuine threat to ongoing operations
- Incident classification process
  - Evaluating circumstances around events
  - Determining possible incidents (incident candidates)
  - Determining if an adverse event constitutes an actual incident
- Incident response (IR) design team role
  - Designing the process used to make a judgment

Introduction (cont'd.)
- IR team responsibility
  - Classifying an incident
- Sources for tracking and detecting incident candidates
  - End user reports and other documents
  - Intrusion detection and prevention systems (IDPSs)
  - Virus management software
  - Systems administrators
- Careful incident candidate reporting training
  - Allows vital information to be relayed to the IR team

Introduction (cont'd.)
- NIST incident classification scheme for network-based incidents
  - Denial of service
  - Malicious code
  - Unauthorized access
  - Inappropriate usage
  - Multiple component

Detecting Incidents
- Events occurring in and around an organization
  - May indicate presence of an incident candidate
  - May be normal operation mimicking an incident candidate
- Indication: adverse event underway
  - Has probability of becoming an incident
- Precursor: activity now occurring
  - Incident could occur in the future
- D. L. Pipkin incident indicator categories
  - Possible, probable, and definite

Possible Indicators of an Incident
- Presence of unfamiliar files
  - Unfamiliar or unexplained files in illogical locations
- Presence or execution of unknown programs or processes
  - Unfamiliar programs running, or processes executing
- Unusual consumption of computing resources
  - Memory or hard disk consumption spikes and falls
- Unusual system crashes
  - System crashing, hanging, rebooting, or freezing more frequently than usual

Probable Indicators of an Incident
- Activities at unexpected times
  - Network traffic levels exceed baseline levels
- Presence of unexpected new accounts
  - Periodic review indicates unfamiliar accounts
  - Unlogged new account with root or special privileges
- Reported attacks
  - Verify user technical sophistication
- Notification from IDPS
  - Must determine if the notification is real or a false positive

Definite Indicators
- Definite indicators requiring IR plan activation
  - Use of dormant accounts
  - Changes to logs
  - Presence of hacker tools
  - Notifications by partner or peer
  - Notification by hacker
- Confirmed events indicating attack underway
  - Loss of availability, integrity, or confidentiality
  - Violation of policy or violation of law

Identifying Real Incidents
- Actual incidents versus nonevents
  - Vast majority of incidents: false positives
- Ways to process incidents
  - Incident center; geographically separate review locations; isolated incident candidate evaluations
- Noise: legitimate activities wrongly reported
  - Activate feedback process to prevent flagging
  - Inherent in the nature of even the best-tuned systems
- Causes of noise or false positives
  - Sensor placement; policy; lack of awareness

Identifying Real Incidents (cont'd.)
- Data collection tuning process
  - Provides careful change analysis to data collection rules
- False negative
  - Incident deserving attention that is not reported
- New or modified systems placed in service
  - May need additional data collection process tuning
- Tuning process objective
  - Allow valid incidents while controlling false positives

Intrusion Detection and Prevention Systems
- Intrusion detection and prevention system (IDPS)
  - Network burglar alarm
  - Determines if the network is used in compliance with policy
- Intrusion
  - Instigator attempting to gain unauthorized entry or disrupt normal operations
  - Access outside intended system or network use
  - Attack types: automated or self-propagating
  - Purpose of intrusion: harm an organization

Intrusion Detection and Prevention Systems (cont'd.)
- Intrusion detection systems (IDSs)
  - Detects a violation and activates an alarm
  - Alarm types: audible, visual, silent
  - Custom configuration levels available
- Intrusion prevention system (IPS)
  - Detects intrusion and prevents a successful attack using an active response
- IDPS source
  - http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf

IDPS Terminology
- Alarm or alert
  - Indication that a system has just been attacked or is under attack
- Alarm clustering
  - Consolidation of almost identical alarms into a single higher-level alarm
- Alarm compaction
  - Form of alarm clustering based on similarities
- Alarm filtering
  - Process of classifying attack alerts to distinguish or sort false positives from actual attacks more efficiently

IDPS Terminology (cont'd.)
- Confidence value
  - Value associated with an IDPS's ability to detect and identify an attack correctly
- Evasion
  - Process by which an attacker changes network packet format and/or timing to avoid being detected
- False attack stimulus
  - Event triggering alarms and causing a false positive when no actual attack is in progress
- False negative
  - IDPS's failure to react to an actual attack event

IDPS Terminology (cont'd.)
- False positive
  - Alarm or alert indicating an attack in progress or a successful attack when there is no attack
- Filtering
  - Process of reducing IDPS events in order to gain better confidence in the alerts received
- Noise
  - Ongoing activity from alarm events
- Site policy
  - Rules and configuration guidelines governing IDPS implementation and operation

IDPS Terminology (cont'd.)
- Site policy awareness
  - IDPS's ability to dynamically modify its site policies in reaction or response to environmental activity
- True attack stimulus
  - Event triggering an alarm and causing the IDPS to react as if a real attack were in progress
- Tuning
  - Process of adjusting an IDPS
  - Maximize true positive detection efficiency
  - Minimize both false positives and false negatives

Why Use an IDPS?
- Prevent problem behaviors
  - Increase perceived risk of discovery and punishment
- Detect attacks and security violations
  - Not prevented by other security measures
- Detect and deal with preambles to attacks
- Document the existing threat to an organization
- Act as quality control for security design and administration
  - Especially of large and complex enterprises
- Provide useful information about intrusions

Why Use an IDPS? (cont'd.)
- Straightforward deterrent measure
  - Increases fear of detection and discovery among would-be attackers or internal system abusers
- NIST-defined uses
  - Identifying security policy problems
  - Documenting the existing threat to an organization
  - Deterring individuals from violating security policies
- Provides cover if the network:
  - Fails to protect itself from known vulnerabilities
  - Is unable to respond to a rapidly changing threat environment

Forces Working against an IDPS
- Tools fail to detect or correct a known deficiency
- Vulnerability detection performed too infrequently
- Patch and upgrade installation delayed
- Inability to disable or protect essential services
- Use an IDPS for a Defense in Depth strategy
  - Doorknob rattling conducted by footprinting
  - Fingerprinting
  - Early warning allows time to prepare for attack
- Automated responses can lead to unintended consequences

Justifying the Cost
- Prepare and defend a business case using IDPS data
- NIST IDPS key items
  - Total cost of ownership well exceeds acquisition costs
  - Designed with personnel availability around the clock
- Justify IDPS using the Defense in Depth concept
- IDPS can provide information in post-attack review
  - Remedy deficiency and trigger improvement process
  - Forensic data
- IDPS systems: network-based, host-based, and application-based systems

IDPS Network Placement
- Placement of sensor and detection devices or software programs
  - Has significant effect on IDPS operation
- Three widely used IDPS placement options
  - Network-based
  - Host-based
  - Application-based

Network-Based IDPS
- Network-based IDPS (NIDPS)
  - Monitors segment traffic
    - Looks for ongoing or successful attack indications
    - Resides on a computer or appliance connected to that network segment
  - Programmed to recognize attacks and respond
    - Examines packets
    - Looks for patterns indicating an intrusion event under way or about to begin
  - Detects more attack types than a host-based IDPS
  - More complex configuration and maintenance program

Network-Based IDPS (cont'd.)
- Inline sensor
  - Deployed on the interior of a firewall
  - All traffic must pass through the sensor, which then reports back to the NIDPS
- NIDPS deployment
  - Watch a specific host computer grouping on a specific network segment
  - Installed to monitor all traffic between systems making up an entire network

Network-Based IDPS (cont'd.)
- Passive sensor
  - Sits off to the side of a network segment
  - Monitors traffic without mandating that traffic physically pass through the sensor
- Switched port analysis (SPAN) port or mirror port
  - Switch or key networking device placed next to a hub
  - NIDPS uses that device's monitoring port
- Snort open source software (http://www.snort.org)
  - For complex IDPS sensors and analysis systems
  - Manage and query the system from a desktop computer

Network-Based IDPS (cont'd.)
- Signature matching
  - NIDPSs look for attack patterns
    - Compares measured activity to known signatures in their knowledge base
    - Determines if an attack occurred or may be under way
  - Uses a special TCP/IP stack implementation
  - NIDPS looks for invalid data packets
  - Application protocol verification
    - Higher-order protocols examined for unexpected packet behavior or improper use
    - Valid packets may appear in excessive quantities

Network-Based IDPS (cont'd.)
- Signature matching (cont'd.)
  - DNS cache poisoning
    - Valid packets exploit poorly configured DNS servers
    - Inject false information
    - Corrupt the servers' answers to routine DNS queries from other systems on the network
- Wireless NIDPS
  - Monitors and analyzes wireless network traffic
  - Looks for potential problems with wireless protocols
  - Sensor deployment: at the access points, on specialized components, or in mobile stations

Network-Based IDPS (cont'd.)
- Wireless NIDPS (cont'd.)
  - Centralized management stations collect information
  - Detection
    - Unauthorized wireless LANs (WLANs) and WLAN devices; poorly secured WLAN devices; unusual usage patterns; use of wireless network scanners; DoS attacks and conditions; impersonation and man-in-the-middle attacks
  - Issues
    - Higher protocol monitoring; physical security; sensor range; access point and wireless switch locations; wired network connections; cost

Network-Based IDPS (cont'd.)
- Advantages and disadvantages of NIDPSs (table not included in the preview)

Host-Based IDPSs
- Host-based IDPS (HIDPS)
  - Resides on a particular computer or server (host)
    - Monitors activity on that system
  - Known as system integrity verifiers
    - Benchmarks and monitors key system file status
    - Detects when an intruder creates, modifies, or deletes monitored files
  - Can monitor system configuration databases and stored configuration files
  - Uses the principle of configuration or change management

Host-Based IDPSs (cont'd.)
- Host-based IDPS (cont'd.)
  - Alert or alarm triggers
    - File attributes change, new files created, existing files deleted
  - Can monitor system logs for predefined events
  - HIDPS log file provides an independent audit trail
  - Very reliable
    - False positive alert produced only when an authorized monitored file is changed
  - Can access encrypted information
  - Information to determine legitimate traffic is present

Host-Based IDPSs (cont'd.)
- HIDPS configuration
  - Simple change-based system
    - Relies on file classification into various categories
    - Triggers alert on changes within a critical data folder
    - Can log all activity and instantly page or e-mail any administrator
    - Can generate a large volume of false alarms
  - Can monitor multiple computers simultaneously
  - Must identify and categorize folders and files
    - Common method: red, yellow, and green
    - Some systems use an alternative scale of 0–100

Host-Based IDPSs (cont'd.)
- Advantages and disadvantages of HIDPS (table not included in the preview)

Application-Based IDPS
- Application-based IDPS (AppIDPS)
  - Examines an application for abnormal events
    - Looks for anomalous occurrences
  - Tracks interaction between users and applications
    - Allows tracing of specific activity back to individual users
  - Can view encrypted data
  - Types of requests examined
    - File systems, network, configuration, execution space
  - The need for intrusion detection is organization dependent

Application-Based IDPS (cont'd.)
- Advantages and disadvantages of AppIDPS (table not included in the preview)

IDPS Detection Approaches
- Signature-based IDPS (knowledge-based)
  - Examines data traffic in search of patterns matching known signatures
  - Weaknesses
    - Signatures must be continually updated
    - Time frame over which attacks occur
- Anomaly-based IDPS (behavior-based IDPS)
  - Samples network activity and applies statistical analysis against a baseline
  - Clipping level
    - Measured activity outside baseline parameters

IDPS Detection Approaches (cont'd.)
- Anomaly-based IDPS (cont'd.)
  - Advantage
    - Can detect new attack types
  - Disadvantages
    - Requires overhead and processing capacity
    - May not detect minor changes to system variables, and may generate false positives

IDPS Detection Approaches (cont'd.)
- Log file monitor (LFM)
  - Type of IDPS similar to the NIDPS
  - Reviews the log files of servers, network devices, and other IDPSs
  - Can look at multiple log files from a number of different systems
  - Uses a holistic approach
    - Requires considerable resource allocation

Automated Response
- New systems can respond to incident threats autonomously
  - Based on preconfigured options
  - Goes beyond usual IDPS and IPS defensive actions
- Trap and trace
  - Uses a combination of resources to:
    - Detect an intrusion
    - Trace the intrusion back to its source
  - Allows security administrators to take the offense
  - Legal issue: temptation to back hack

Automated Response (cont'd.)
- Honeypots and honeynets
- Honeypots
  - Servers configured to resemble production systems
  - Closely monitored network decoys
  - Advantages
    - Distracts adversaries from more valuable machines
    - Provides early warning about new attack trends
    - Allows in-depth examination of adversaries
  - Two general types
    - Production and research

Automated Response (cont'd.)
- Honeytoken
  - System resource placed onto a functional system
    - No normal use for that system
  - Unauthorized access triggers notification or response
- Honeynet (honeypot farm)
  - High-interaction honeypot
  - Designed to capture extensive information on threats
  - Network of systems designed for attacker interaction
    - Inbound connections: indicate probe, scan, attack
    - Outbound connections: indicate system compromise

Automated Response (cont'd.)
- Legal issues with honeypots and honeynets
  - Line between enticement and entrapment
  - Fourth Amendment to the U.S. Constitution
  - Electronic Communications Protection Act
  - Pen Register, Trap and Trace Devices law (Pen/Trap statute)
  - Wasp trap syndrome
    - Downside of current enhanced automated response systems may outweigh the upside

Incident Decision Making
- Incident known to be underway
  - Must determine actual incidents a ...
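The host-based IDPS slides describe a "system integrity verifier": benchmark key files, re-check them, and raise an alert when something is created, modified or deleted, with folders classified red, yellow or green so that routine churn does not drown the real alarms. The following is an added example, written for this review and not taken from the textbook or its slides; the folder policy, file names and changes are constructed for the demo, and the red/yellow/green categories are a hypothetical policy of the kind the slides mention, not a real system layout.

```python
"""Added example (not from the textbook slides): a minimal host-based change
detector in the style of the "system integrity verifier" the slides describe.

It benchmarks monitored files by SHA-256, re-checks them, and reports files
that were created, modified or deleted, classified red/yellow/green by the
folder they live in. The folder policy and sample files are constructed for
the demo and are not a real system layout.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed classification policy (hypothetical): the top-level folder a
# file lives in decides how a change to it is treated.
#   red    -> page/e-mail an administrator immediately
#   yellow -> log for periodic review
#   green  -> expected churn, suppressed to keep false alarms down
CATEGORY_BY_FOLDER = {"etc": "red", "bin": "red", "home": "yellow", "tmp": "green"}


def classify(rel_path: str) -> str:
    """Map a path relative to the monitored root to its alert category."""
    top_level = rel_path.split("/", 1)[0]
    return CATEGORY_BY_FOLDER.get(top_level, "yellow")  # unknown folders get reviewed


def snapshot(root: Path) -> dict:
    """Benchmark: SHA-256 of every regular file under root, keyed by relative path."""
    state = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            state[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return state


def compare(baseline: dict, current: dict) -> list:
    """Return (change, path, category) tuples for created, modified and deleted files."""
    changes = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            kind = "created"
        elif rel not in current:
            kind = "deleted"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue  # unchanged: no event
        changes.append((kind, rel, classify(rel)))
    return changes


def alerts(changes: list) -> list:
    """Only red-category changes are escalated; yellow is logged, green suppressed."""
    return [change for change in changes if change[2] == "red"]


def run_demo() -> dict:
    """Build a constructed file tree, take a baseline, apply changes, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for folder in CATEGORY_BY_FOLDER:
            (root / folder).mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary")
        (root / "home" / "notes.txt").write_text("todo\n")
        (root / "tmp" / "cache.dat").write_bytes(b"\x00" * 16)
        baseline = snapshot(root)

        # Constructed changes made after the baseline was taken:
        (root / "etc" / "passwd").write_text(      # critical file edited: a new
            "root:x:0:0:root:/root:/bin/sh\n"      # uid-0 entry, matching the
            "svc:x:0:0::/:/bin/sh\n")              # "new privileged account" indicator
        (root / "bin" / "unknown-tool").write_bytes(b"\x7fELF constructed")  # unfamiliar program
        (root / "home" / "notes.txt").unlink()                            # user file deleted
        (root / "tmp" / "cache.dat").write_bytes(b"\x01" * 16)            # routine churn

        changes = compare(baseline, snapshot(root))
        return {"changes": changes, "alerts": alerts(changes)}


if __name__ == "__main__":
    report = run_demo()
    for kind, rel, category in report["changes"]:
        print(f"{category:6} {kind:8} {rel}")
    print(f"{len(report['alerts'])} change(s) escalated")
```

Running the file lists all four changes but escalates only the two in red folders; the deleted user file is logged and the cache rewrite is suppressed. That split is the slide's point about tuning: the category table is where an operator trades alert volume against coverage, and a folder left uncategorized defaults to review rather than silence so that a gap in the policy becomes a yellow item instead of a false negative.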
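The detection-approaches and terminology slides define an anomaly-based IDPS as statistical analysis against a baseline with a clipping level, define alarm clustering as consolidating near-identical alarms into one higher-level alarm, and define tuning as minimizing both false positives and false negatives. The example below is added here to put those three definitions side by side in code; it is not from the textbook or its slides. The per-minute connection counts, the two host addresses and the attack labels are all constructed for the demo, and the clipping level is computed as mean plus k standard deviations, which is one common reading of "outside baseline parameters" rather than the textbook's prescribed formula.

```python
"""Added example (not from the textbook slides): an anomaly-based detector with
a statistical baseline and clipping level, alarm clustering of the resulting
alarms, and a scoring routine that shows how the clipping level trades false
positives against false negatives (the "tuning" the slides describe).

All counts, hosts and labels are constructed for the demo.
"""
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    minute: int
    source: str
    metric: str
    value: float
    is_attack: bool  # ground-truth label, used only to score the tuning


def baseline(values: list) -> tuple:
    """Mean and population standard deviation of the quiet-period sample."""
    return statistics.fmean(values), statistics.pstdev(values)


def clipping_level(mean: float, stdev: float, k: float) -> float:
    """Threshold above which measured activity counts as outside the baseline."""
    return mean + k * stdev


def detect(observations: list, threshold: float) -> list:
    """Raise an alarm for every observation above the clipping level."""
    return [obs for obs in observations if obs.value > threshold]


def cluster_alarms(alarms: list, gap: int = 1) -> list:
    """Alarm clustering: consolidate alarms from the same source and metric in
    adjacent minutes into one higher-level alarm carrying a count and peak."""
    clusters = []
    for alarm in sorted(alarms, key=lambda a: (a.source, a.metric, a.minute)):
        last = clusters[-1] if clusters else None
        if (last and last["source"] == alarm.source and last["metric"] == alarm.metric
                and alarm.minute - last["end"] <= gap):
            last["end"] = alarm.minute
            last["count"] += 1
            last["peak"] = max(last["peak"], alarm.value)
        else:
            clusters.append({"source": alarm.source, "metric": alarm.metric,
                             "start": alarm.minute, "end": alarm.minute,
                             "count": 1, "peak": alarm.value})
    return clusters


def evaluate(observations: list, threshold: float) -> dict:
    """Score a threshold against the labels: true/false positives and negatives."""
    score = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for obs in observations:
        flagged = obs.value > threshold
        if flagged and obs.is_attack:
            score["tp"] += 1
        elif flagged:
            score["fp"] += 1
        elif obs.is_attack:
            score["fn"] += 1
        else:
            score["tn"] += 1
    return score


# Constructed quiet-period sample: new connections per minute on the segment.
BASELINE_COUNTS = [40, 42, 38, 44, 40, 42, 38, 44]

# Constructed live observations with ground-truth labels for scoring.
OBSERVATIONS = [
    Observation(0, "10.0.0.7", "conns/min", 41, False),
    Observation(1, "10.0.0.7", "conns/min", 44, False),   # legitimate busy period
    Observation(2, "10.0.0.7", "conns/min", 45, False),
    Observation(3, "10.0.0.7", "conns/min", 90, True),
    Observation(4, "10.0.0.7", "conns/min", 120, True),
    Observation(5, "10.0.0.7", "conns/min", 95, True),
    Observation(6, "10.0.0.7", "conns/min", 46, True),    # low-volume tail of the event
    Observation(7, "10.0.0.7", "conns/min", 40, False),
    Observation(8, "10.0.0.7", "conns/min", 39, False),
    Observation(9, "10.0.0.7", "conns/min", 42, False),
    Observation(7, "10.0.0.9", "conns/min", 40, False),
    Observation(8, "10.0.0.9", "conns/min", 60, True),
]


if __name__ == "__main__":
    mean, stdev = baseline(BASELINE_COUNTS)
    for k in (1, 3):
        threshold = clipping_level(mean, stdev, k)
        print(f"k={k}: clipping level {threshold:.1f} -> {evaluate(OBSERVATIONS, threshold)}")
        for c in cluster_alarms(detect(OBSERVATIONS, threshold)):
            print(f"   {c['source']} {c['metric']} minutes {c['start']}-{c['end']}: "
                  f"{c['count']} alarm(s), peak {c['peak']}")
```

With the constructed data, k=3 produces no false positives but misses the low-volume tail of the event (one false negative), while k=1 catches everything and also flags two legitimate busy minutes. Neither setting is "right"; the clipping level is the knob the slides call tuning, and the labelled sample is how an operator measures where it sits. Clustering then turns a run of per-minute alarms into a single higher-level alarm per source, which is what an analyst actually wants to triage.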

Tutor Answer

DR_SHINAWATA
School: Boston College

hello t...

Review

Anonymous
Thanks, good work
