DOCSLIB.ORG

Actionable Information for Security Incident Response Study

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Actionable Information for Security Incident Response Study Actionable Information for Security Incident Response November 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Actionable Information for Security Incident Response November 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors: This document was created by the CERT capability team at ENISA in consultation with CERT Polska / NASK (Poland)1 Project Manager: Cosmin Ciobanu (ENISA) Acknowledgements: Luc Dandurand (NATO) Mark Davidson (MITRE) and STIX / TAXII team Bernd Grobauer (Siemens) Pavel Kácha (CESNET) Aaron Kaplan (CERT.at) Andrew Kompanek (CERT/CC) Maarten Van Horenbeeck (FIRST) Additionally, our “thank you” goes to all participants of the Birds of a Feather session Finding & Sharing Actionable Information, co-organized by CERT Polska, US-CERT, and Microsoft during the 26th annual FIRST conference in Boston.2 Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. 1 Paweł Pawliński, Przemysław Jaroszewski, Piotr Kijewski, Łukasz Siewierski, Paweł Jacewicz, Przemysław Zielony, Radosław Żuber 2 See http://first.org/conference/2014/program#pbof-finding-sharing-actionable-information PageII Actionable Information for Security Incident Response November 2014 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Copyright Notice © European Union Agency for Network and Information Security (ENISA), 2014 Reproduction is authorised provided the source is acknowledged. ISBN: 978-92-9204-107-6 doi: 10.2824/38111 Catalog number: TP-05-14-107-EN-N PageIII Actionable Information for Security Incident Response November 2014 Executive summary In the world of incident response, information is everything. The sooner incidents and vulnerabilities are detected and understood, the faster they can be handled and the less damage is caused. Accurate and timely information may help incident handlers reduce the number of infections, or address vulnerabilities before they are exploited. Unfortunately, although security information sharing is now commonplace, it has not always improved the situation for incident response teams. Extracting timely information, that can be immediately acted on from vast amounts of all types of data flowing in, remains a challenge. This type of information is referred as “actionable information” and identified as one of the fundamental building blocks of successful incident response. This document is intended as a good practice guide for the exchange and processing of actionable information. The report is relevant to incident response in all types of organizations, the primary audience of this study isnational and governmental CERTs. The scope of the study is purposefully broad. Many of the issues related to making information actionable for CERTs have not been adequately explored in previouspublications. The goal for this report was to touch on a wide variety of challenges that should be addressed in the area of processing information. Another goal of the study is also to outline a general framework that could be used as the basis for future, more detailed, studies. The main contributions of this study are as follows: A definition of actionable information for CERTs and identification of its 5 key properties: relevance, timeliness, accuracy, completeness, ingestibility. Introduction of a generalized information processing pipeline for the processing of actionable information. This pipeline consists of 5 stages: collection, preparation, storage, analysis and distribution. Each stage is discussed in detail with recommendations on how to approach implementation. A set of 3 detailed case studies that cover various aspects of handling actionable information by CERTs: “Using indicators to enhance defense capabilities,” “Improved situational awareness through botnet monitoring, ” “Effective data exchange on a national level.” A hands-on exercise that expands on these case studies by walking a student through a concrete information processing and sharing scenario. An inventory of 53 information sharing standards and 16 information management tools relevant to the concept of actionable information. This inventory is available as a separate document, titled “Standards and tools for exchange and processing of actionable information”. Identification of gaps and recommendations in the exchange and processing of actionable information. In particular, despite the improvement ingeneral awareness of the issues involved, the emergence of new standards such as STIX/TAXII, and new tools, the exchanges have not yet reached full maturity. Based on this study, it is recommend CERTs abide by the following three general principles when building an information-sharing capability: Establish a doctrine to set expectations among the CERT community. Define clear sharing rules and labels on the data exchanged, as well as expectations for handling and any specific actions that should be taken by the recipient. Try not to start from scratch. Consider what has already been developed and can be leveraged immediately. Explore the possibility of applying additional processes that can provide more context and make the information more actionable. PageIV Actionable Information for Security Incident Response November 2014 As a set of general recommendations to CERTs and the following are suggested: If possible, standard data formats and transports mechanisms should be used. The accompanying inventory document contains a reference to standards that are currently in use within the incident handling community. For some recipients, standard formats may be less helpful for distributing actionable information since they lack the capability to process them. Simpler methods should be used in these cases (e.g., human-readable text). Alternatively, a CERT may consider providing automatically-generated, human-readable reports along with the original data in a structured standard format. Adjust the way the information is processed and distributed based on the requirements and constraints for each data type. Be sensitive to the overhead of data formats for large volumes of data, and use more elaborate formats for less frequent reports. The assumptions are that this study will be of help to CERTs and the information security community in general to better understand the issues involved in the creation, sharing, and processing of actionable information as well as aid the development of tools in this area. PageV Actionable Information for Security Incident Response November 2014 Table of Contents Executive summary iv 1 Introduction 1 1.1 Audience and scope 1 1.2 Definition of “actionable information” 2 1.3 Properties of actionable information 2 1.3.1 Relevance 3 1.3.2 Timeliness 3 1.3.3 Accuracy 3 1.3.4 Completeness 3 1.3.5 Ingestibilty 4 1.4 Levels of information 4 1.4.1 Low-level data 6 1.4.2 Detection indicators 7 1.4.3 Advisories 8 1.4.4 Strategic reports 8 2 Processing actionable information 10 2.1 Collection 11 2.1.1 Sources of information: internal vs. external 11 2.1.2 Level of automation 12 2.1.3 Properties of data collection methods 12 2.1.4 Evaluation of data sources 14 2.1.5 Recommendations 14 2.2 Preparation 15 2.2.1 Parsing 15 2.2.2 Normalization 17 2.2.3 Aggregation 19 2.2.4 Enrichment 20 2.2.5 Automation 21 2.2.6 Recommendations 22 2.3 Storage 22 2.3.1 Retention time 23 2.3.2 Scale 23 2.3.3 Dataset management 24 2.3.4 Technologies 25 2.3.5 Recommendations 26 2.4 Analysis 27 2.4.1 Fundamentals 27 2.4.2 Investigation 29 2.4.3 Situational awareness 32 2.4.4 Metrics 39 PageVI Actionable Information for Security Incident Response November 2014 2.4.5 Meta-analysis and source evaluation 39 2.4.6 Recommendations 40 2.5 Distribution 41 2.5.1 Recipients of information 41 2.5.2 Technical aspects of information distribution 43 2.5.3 Sharing policy 45 2.5.4 Recommendations 46 3 Case studies 48 3.1 Using indicators to enhance defense capabilities 48 3.1.1 Collection 48 3.1.2 Preparation 48 3.1.3 Storage 48 3.1.4 Analysis 48 3.1.5 Distribution 51 3.1.6 Summary 52 3.2 Improving situational awareness through botnet monitoring 52 3.2.1 Collection 53 3.2.2 Preparation 53 3.2.3 Storage 53 3.2.4 Analysis 53 3.2.5 Distribution 57 3.3 Effective data exchange on a national level 58 3.3.1 Collection 58 3.3.2 Preparation 59 3.3.3 Storage 59 3.3.4 Analysis 60 3.3.5 Distribution 60 4 Gaps and recommendations 61 5 Conclusion 64 6 References 65 PageVII Actionable Information for Security Incident Response November 2014 1 Introduction In the world of incident response, information is everything.
Load more

Recommended publications
  • Using Web Honeypots to Study the Attackers Behavior
    i 2017 ENST 0065 EDITE - ED 130 Doctorat ParisTech THÈSE pour obtenir le grade de docteur délivré par TELECOM ParisTech Spécialité « Informatique » présentée et soutenue publiquement par Onur CATAKOGLU le 30 Novembre 2017 Using Web Honeypots to Study the Attackers Behavior Directeur de thèse : Davide BALZAROTTI T H Jury È William ROBERTSON, Northeastern University Rapporteur Magnus ALMGREN, Chalmers University of Technology Rapporteur S Yves ROUDIER, University of Nice Sophia Antipolis Examinateur Albert LEVI, Sabanci University Examinateur E Leyla BILGE, Symantec Research Labs Examinateur TELECOM ParisTech École de l’Institut Télécom - membre de ParisTech Using Web Honeypots to Study the Attackers Behavior Thesis Onur Catakoglu [email protected] École Doctorale Informatique, Télécommunication et Électronique, Paris ED 130 November 30, 2017 Advisor: Prof. Dr. Davide Balzarotti Examiners: EURECOM, Sophia-Antipolis Prof. Dr. Yves ROUDIER, University of Nice Sophia Antipolis Reviewers: Prof. Dr. William ROBERTSON, Prof. Dr. Albert LEVI, Northeastern University Sabanci University Prof. Dr. Magnus ALMGREN, Dr. Leyla BILGE, Chalmers University of Technology Symantec Research Labs Acknowledgements First and foremost I would like to express my gratitude to my supervisor, Davide Balzarotti. He was always welcoming whenever I need to ask questions, discuss any ideas and even when he was losing in our long table tennis matches. I am very thankful for his guidance throughout my PhD and I will always keep the mental image of him staring at me for various reasons as a motivation to move on when things will get tough in the future. I would also like to thank my reviewers for their constructive comments regarding this thesis.
    [Show full text]
  • Security Operations and Incident Management Knowledge Area (Draft for Comment)
    SECURITY OPERATIONS AND INCIDENT MANAGEMENT KNOWLEDGE AREA (DRAFT FOR COMMENT) AUTHOR: Hervé Debar – Telecom SudParis EDITOR: Howard Chivers – University of York REVIEWERS: Douglas Weimer – RHEA Group Magnus Almgren – Chalmers University of Technology Marc Dacier – EURECOM Sushil Jajodia – George Mason University © Crown Copyright, The National Cyber Security Centre 2018. Security Operations and Incident Management Hervé Debar September 2018 INTRODUCTION The roots of Security Operations and Incident Management (SOIM) can be traced to the original report by James Anderson [5] in 1981. This report theorises that full protection of the information and communication infrastructure is impossible. From a technical perspective, it would require complete and ubiquitous control and certification, which would block or limit usefulness and usability. From an economic perspective, the cost of protection measures and the loss related to limited use effectively require an equilibrium between openness and protection, generally in favour of openness. From there on, the report promotes the use of detection techniques to complement protection. The first ten years afterwards saw the development of the original theory of intrusion detection by Denning [18], which still forms the theoretical basis of most of the work detailed in this ka. Security Operations and Incident Management can be seen as an application and automation of the Monitor Analyze Plan Execute - Knowledge (MAPE-K) autonomic computing loop to cybersecu- rity [30], even if this loop was defined later than the initial developments of SOIM. Autonomic com- puting aims to adapt ICT systems to changing operating conditions. The loop, described in figure 1, is driven by events that provide information about the current behaviour of the system.
    [Show full text]
  • Standards and Tools for Exchange and Processing of Actionable Information
    Standards and tools for exchange and processing of actionable information November 2014 Standards and tools for exchange and processing of actionable information November 2014 European Union Agency for Network and Information Security www.enisa.europa.eu Standards and tools for exchange and processing of actionable information November 2014 About ENISA The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Authors : This document was created by the CERT capability team at ENISA in consultation with CERT Polska /NASK (Poland)1 Acknowledgements (in alphabetical order): Luc Dandurand (NATO) Aaron Kaplan (CERT.at) Pavel Kácha (CESNET) Youki Kadobayashi (NAIST) Andrew Kompanek (CERT/CC) Tomás Lima (CERT.PT) Thomas Millar (US-CERT) Jose Nazario (Invincea) Richard Perlotto (Shadowserver) Wes Young (CSIRT Gadgets Foundation) Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. 1 Paweł Pawliński, Przemysław Jaroszewski, Janusz Urbanowicz, Paweł Jacewicz, Przemysław Zielony, Piotr Kijewski (CERT Polska), Katarzyna Gorzelak (CERT Polska) Page ii Standards and tools for exchange and processing of actionable information November 2014 Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise.
    [Show full text]
  • SGTF EG2 Report On
    SMART GRIDS TASK FORCE - EXPERT GROUP 2 - CYBERSECURITY Smart Grid Task Force Expert Group 2 Recommendations to the European Commission for the Implementation of Sector-Specific Rules for Cybersecurity Aspects of Cross-Border Electricity Flows, on Common Minimum Requirements, Planning, Monitoring, Reporting and Crisis Management. Final Report June 2019 The mission of the Smart Grid Task Force Expert Group 2 on cybersecurity is to prepare the ground for sector-specific rules for cyber security aspects of cross-border electricity flows, on common minimum requirements, planning, monitoring, reporting and crisis management for the electricity subsector. SGTF EG2 / Cybersecurity June 2019 1. Contents 1. Contents ........................................................................................................................................ 2 1. Introduction .................................................................................................................................. 5 1.1 Context .................................................................................................................................. 5 1.2 1st Interim Report .................................................................................................................. 5 1.3 2nd Interim Report ................................................................................................................. 5 1.4 Acknowledgements ..............................................................................................................
    [Show full text]
  • D2.1 Cyber Incident Handling Trend Analysis
    D2.1 Cyber Incident handling Trend Analysis Project number: 833683 Project acronym: CyberSANE Cyber Security Incident Handling, Warning and Project title: Response System for the European Critical Infrastructures Start date of the project: 1st September, 2019 Duration: 36 months Programme: H2020-SU-ICT-2018 Deliverable type: Report DS-01-833683 / D2.1/ Final | 0.8 Deliverable reference number: 2020_CSN_RP_05_Deliverable 2.1_Cyber Incident Handling Trend Analysis_v1 Work package contributing to the WP 2 deliverable: Due date: 01/03/2020 Actual submission date: 02/03/2020 Responsible organisation: Inria Editor: Inria Dissemination level: PU Revision: V2.0 This deliverable describes the different incident handling trend analysis performed in Task T2.1. It provides a categorisation of attacks, a description of the different tools Abstract: identified to be used in the design and development of the CyberSANE infrastructure. In addition, it reviews the related standards and provides the best practices to follow in the rest of the project. Keywords: Attacks categorisation and trends, standards, tools The project CyberSANE has received funding from the European Union’s Horizon 2020 research and innovation program under grant agreement No 833683. D2.1 – Cyber Incident Handling Trend Analysis Editor Nathalie Mitton (Inria) Contributors (ordered according to beneficiary numbers) Luís Landeiro Ribeiro (PDMFC) Luis Miguel Campos (PDMFC) Oleksii Osliak (CNR) Stefen Beyer (S2) Sergio Zamarripa (S2) Valeria Loscri (Inria) Nathalie Mitton (Inria) Edward Staddon (Inria) Mania Hatzikou (MAG) Athanasios Karantjias (MAG) Spyridon Papastergiou (MAG) Sophia Karagiorgou (UBI) Manos Athanatos (FORTH) Georgios Spanoudakis (STS) Paris-Alexandros Karypidis (SID) Anastasios Lytos (SID) Umar Ismail (UoB) Haris Mouratidis (UoB) Disclaimer The information in this document is provided “as is”, and no guarantee or warranty is given that the information is fit for any particular purpose.
    [Show full text]
  • To Augment Cyber Threat Intelligence (CTI): a Comprehensive Study Mohammad Ashraful Huq Shahi St
    St. Cloud State University theRepository at St. Cloud State Culminating Projects in Information Assurance Department of Information Systems 5-2018 Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study Mohammad Ashraful Huq Shahi St. Cloud State University, [email protected] Follow this and additional works at: https://repository.stcloudstate.edu/msia_etds Recommended Citation Shahi, Mohammad Ashraful Huq, "Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study" (2018). Culminating Projects in Information Assurance. 54. https://repository.stcloudstate.edu/msia_etds/54 This Starred Paper is brought to you for free and open access by the Department of Information Systems at theRepository at St. Cloud State. It has been accepted for inclusion in Culminating Projects in Information Assurance by an authorized administrator of theRepository at St. Cloud State. For more information, please contact [email protected]. Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study by Mohammad Ashraful Huq Shahi A Starred Paper Submitted to the Graduate Faculty of St. Cloud State University in Partial Fulfillment of the Requirements for the Degree of Master of Science in Information Assurance May, 2018 Starred Paper Committee: Tirthankar Ghosh, Chairperson Dennis C. Guster Jim Q. Chen 2 Abstract Sharing Threat Intelligence is now one of the biggest trends in cyber security industry. Today, no one can deny the necessity for information sharing to fight the cyber battle. The massive production of raw and redundant data coupled with the increasingly innovative attack vectors of the perpetrators demands an ecosystem to scrutinize the information, detect and react to take a defensive stance.
    [Show full text]
  • Catalogue of EATM-CERT Services
    Catalogue of EATM-CERT Services Edition: 2.0 Edition date: 13-03-2020 Classification: WHITE Reference nr: SRV00-Catalogue of EATM-CERT Services EUROCONTROL Network Management Directorate DOCUMENT CONTROL Document Title Catalogue of EATM-CERT Services Document Subtitle This field is automatically updated Document Reference SRV00-Catalogue of EATM-CERT Services Edition Number 2.0 Edition Validity Date 13-03-2020 Classification WHITE Status Released Issue Author(s) Patrick MANA NMD/INF/IAC Contact Person(s) Patrick MANA NMD/INF/IAC APPROVAL TABLE Authority Date Signature Prepared by: 13/03/2020 EATM-CERT Team Reviewed and endorsed by: 13/03/2020 Patrick MANA Approved by: 17/03/2020 Iacopo PRISSINOTTI Edition Number: 2.0 Edition Validity Date: 13-03-2020 Classification: WHITE Page: i EUROCONTROL Network Management Directorate EDITION HISTORY Edition No. Validity Date Author(s) Reason 1.0 11/09/2017 Patrick MANA First Version 2.0 13/03/2020 Patrick MANA Update of EATM-CERT services Edition Number: 2.0 Edition Validity Date: 13-03-2020 Classification: WHITE Page: ii EUROCONTROL Network Management Directorate TABLE OF CONTENT DOCUMENT CONTROL ................................................................................................... I APPROVAL TABLE ......................................................................................................... I EDITION HISTORY ......................................................................................................... II INTRODUCTION ............................................................................................................
    [Show full text]