Up
Previous Next

Sheriff CSM™

How Do I Discover a Possibly Larger Attack in Progress?

Most day-to-day security monitoring work involves detecting where security controls have failed and a system has become compromised by malware or exploits. However, situations will always exist that require more investigation, with reason to believe that one compromised host may have been used to compromise others, or a more complex sequence of specific events can be used to carry out an attack or exploit, commonly referred to as an attack vector.

Indicators of Compromise (IOCs)

Indicators of compromise, or IOCs, represent pieces of information about an attack vector. An IOC can be used to observe a relationship to other attacks. In fact, if you see an IOC responsible for multiple malware infections that all take instructions from the same remote host on the internet, you should track it. This allows you to disable many infections at the same time by blocking that server

For related information about IOCs comprising Open Threat Exchange®(OTX) pulses, see Open Threat Exchange® and Sheriff CSM.

Common Attack Vectors and Strategies to Combat Them

The best way to determine the appropriate incident response in any given situation is to understand what types of attacks your organization may most logically face.

The National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) publishes the following list of common attack vectors:

• External/Removable Media
  An attack executed from removable media (for example, flash drive, CD) or a peripheral device.

• Attrition
  An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.

• Web
  An attack executed from a website or a web-based application (for example, drive-by download).

• Email
  An attack executed via an email message or attachment (for example, malware infection).

• Improper Usage
  Any incident resulting from violation by an authorized user of the acceptable usage policies established by an organization, excluding the above categories.

• Loss or Theft of Equipment
  The loss or theft of a computing device or media used by the organization, such as a laptop or smart phone. Identify which pieces of equipment would cause the greatest risk to the company in the event of loss or theft. In most companies, the laptop belonging to the CFO would be included along with any server hard drive containing IP or other sensitive data.

• Other
  An attack that does not fit into any of the other categories.

Review the foregoing list to make sure that you have security policies and controls in place to mitigate the majority of risks from these attack vectors. Also, use this list to guide your team in determining how to classify the various types of security incidents.

Alert Taxonomy

An alert taxonomy can help you to order related alerts into a picture of a larger attack in progress, as the attacker does the following:

• Performs reconnaissance.
• Delivers the attack to many systems.
• Successfully exploits some of them.
• Uses the compromised system as a base from which to attack others.

Get Inside the Mind of the Attacker Through Security Event Categorization

Traditional information security falsely assumes that you know which path an attacker will take through your network. For example, attackers rarely come through your front door, or in this context, your gateway firewall. On the other hand, each attack does generally follow a certain pattern, or what Lockheed Martin calls the Cyber Kill Chain®.

The Cyber Kill Chain is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method, because it focuses on how actual attacks happen.

Cyber Kill Chain model

Intent	Attacker Goal
Reconnaissance & Probing	Find target. Develop plan of attack based on opportunities for exploitation.
Delivery & Attack	Place delivery mechanism on line. Use social engineering to get target to access malware or other exploit.
Exploitation & Installation	Exploit vulnerabilities on target systems to acquire access. Elevate user privileges and install persistence payload.
System Compromise	Exfiltrate high-value data as quietly and quickly as possible. Use compromised system to gain additional access, "steal" computing resources, and/or use in an attack against someone else.

When devising an incident response plan, you may find it helpful to prioritize security events or alarms.

Sample incident response spreadsheet

Incident Type	Kill Chain Stage	Priority Level	Recommended Action
Port scanning	Reconnaissance & probing	Low	You can ignore these unless Sheriffhim OTX IP Reputation gives the IP responsible a bad score. OTX IP Reputation stores reports on any suspicious IP activity, which may or may not be malicious. See Open Threat Exchange® and Sheriff CSM.
Malware infection	Delivery & attack	Low-Medium	Remediate malware infections as quickly as possible before they progress. Scan the rest of your system for related IoCs, for example, MD5 hashes. See Open Threat Exchange® and Sheriff CSM.
Distributed denial of service	Exploitation & Installation	High	Configure web servers to protect against HTTP and SYN flood requests. Coordinate with your Internet service provider (ISP) during an attack to block the responsible IPs.
Unauthorized access	Exploitation & Installation	Medium	Detect, monitor, and investigate unauthorized access attempts—with priority on those that are mission-critical and/or contain sensitive data.
Insider breach	System compromise	High	Identify the privileged user accounts for all domains, servers, applications, and critical devices. Make sure that you enabled monitoring for all systems, and for all system events. Verify that your Sheriff CSM raw log infrastructure is actively recording all events.
Unauthorized privilege escalation	Exploitation & installation	High	Through its built-in correlation directives, Sheriff CSM automatically records all privileged escalation events, and sends alarms for unauthorized attempts. Depending on requirements, you may also enhance your Sheriff CSM environment by adding custom correlation directives.
Destructive attack on systems, data.	System compromise	High	Back up all critical data and systems; test, document, and update system recovery procedures. During a system compromise, capture evidence carefully. Document all recovery steps and all evidential data.
Advanced persistent threat (APT) or multistage attack	Represents all stages from reconnaissance through system compromise	High	Any of the individual events illustrated could represent part of an APT, the most formidable type of security threat. For that reason, view each event as part of a larger context, incorporating the latest threat intelligence. Sheriff CSM correlation directives often look at how many events of a specific nature occurred before generating an alarm, thereby increasing its reliability. OTX pulses, on the other hand, require only one event to do so.
False alarms	Represents all stages.	Low	Much of the job of an incident responder consists of eliminating irrelevant information and removing false positives. This process is continuous. For more information, see Establishing Baseline Network Behavior and also Policy Management.
Other	All stages	High	Incident response never stops and provides a source for continuous improvement. Over time, as you see events turn into alarms, you gather knowledge that helps you discover new ways to categorize events and to prevent them from becoming alarms in the first place.

About Port Scanning Alarms

You may feel certain that attackers are getting no useful information from their scanning. However, if their scans of your external systems appear to be detailed and comprehensive, you can reasonably assume that they have the intent to follow up the reconnaissance with attack attempts later on.

If the scanning originates from a legitimate organization’s networks, your best approach is to contact their security team, if they have one, or network management personnel.

If no contact details are apparent, look for details about the domain in WHOIS, a link to which is available at the bottom of the Sheriff CSM Security Events list and also from the applicable OTX web pages for such IOCs.

Note: Blocking the source address may be counter productive, and merely cause the attacker to use a different source address.