Taxonomy of Computer Security Incidents Yashodhan Fadnavis

Post on 18-Dec-2015

TRANSCRIPT

Page 1: Taxonomy of Computer Security Incidents Yashodhan Fadnavis

Taxonomy of Computer Security Incidents

Yashodhan Fadnavis

Page 2

How does it help?

• A taxonomy gives common names to events
• Security against a ‘class’ of attacks

Page 3

Satisfying Taxonomy

• Mutually Exclusive
• Exhaustive
• Unambiguous
• Repeatable
• Accepted
• Useful

Page 4

Listing Terms

• E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking

• Fails the six satisfying properties = bad taxonomy.
• Lists can be never ending.

Page 5

Listing categories (Cheswick and Bellovin list)

Stealing passwords
• Password sniffing
• Brute force

Social Engineering
• Eavesdropping
• Harassment

Bugs and backdoors
• Covert channels
• Viruses
• Logic Bombs

Authentication Failures
• Software loopholes

Protocol Failures
• WEP Loopholes
• Source Address spoofing

Info Leakage
• Software Piracy

DoS
• Degradation Of Service
• Session Hijacking
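Two of the six "satisfying taxonomy" properties, mutual exclusivity and exhaustiveness, can be checked mechanically once the categories are written down. The following Python is an added example, not code from the slides: it transcribes the Cheswick and Bellovin grouping above into a dict as sample input, checks it against the flat term list, and then checks a constructed variant that files one term under two headings and omits another.

```python
"""Added example (not from the Fadnavis slides): mechanical check of mutual
exclusivity and exhaustiveness for a category listing."""


def check_taxonomy(categories: dict[str, set[str]], universe: set[str]) -> dict[str, object]:
    """Report which terms break mutual exclusivity (filed under two or more
    categories) and which break exhaustiveness (filed under none)."""
    seen: dict[str, list[str]] = {}
    for name, terms in categories.items():
        for term in terms:
            seen.setdefault(term, []).append(name)
    overlapping = {term: cats for term, cats in seen.items() if len(cats) > 1}
    uncovered = universe - set(seen)
    return {
        "mutually_exclusive": not overlapping,
        "exhaustive": not uncovered,
        "overlapping": overlapping,
        "uncovered": sorted(uncovered),
    }


# The Cheswick and Bellovin grouping as shown on the slide, used here as sample input.
CHESWICK_BELLOVIN = {
    "Stealing passwords": {"Password sniffing", "Brute force"},
    "Social engineering": {"Eavesdropping", "Harassment"},
    "Bugs and backdoors": {"Covert channels", "Viruses", "Logic bombs"},
    "Authentication failures": {"Software loopholes"},
    "Protocol failures": {"WEP loopholes", "Source address spoofing"},
    "Information leakage": {"Software piracy"},
    "Denial of service": {"Degradation of service", "Session hijacking"},
}

# The flat term list from the "Listing Terms" slide: the set a taxonomy must cover.
ALL_TERMS = set().union(*CHESWICK_BELLOVIN.values())


def slide_report() -> dict[str, object]:
    """Check the slide's own grouping; it passes both properties."""
    return check_taxonomy(CHESWICK_BELLOVIN, ALL_TERMS)


def broken_report() -> dict[str, object]:
    """Constructed failing variant: session hijacking filed twice, one term never filed."""
    broken = dict(CHESWICK_BELLOVIN)
    broken["Authentication failures"] = {"Software loopholes", "Session hijacking"}
    return check_taxonomy(broken, ALL_TERMS | {"Ransomware"})


if __name__ == "__main__":
    print(slide_report())
    print(broken_report())
```

The remaining four properties (unambiguous, repeatable, accepted, useful) are judgments about people classifying the same incident, so they are not something a set check can settle; the function only catches the structural failures the slide attributes to flat lists.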

Page 6

Other taxonomies

• Result categories

• Empirical categories

• Matrices

Page 7

Incident Taxonomy

• Events: An action directed at a target which is intended to result in change of the state of the target.

• Action: Step taken by a user or a process to achieve a result.

• Target: A computer or a network logical entity.

Page 8

Action + Target = Event

Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read

Target: Account, Process, Data, Network, Computer

Event = Action + Target

Page 9

Attack

Tool: Physical Attack, Information Exchange, User Command, Script or program, Autonomous Agent, Toolkit

Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read

Target: Account, Process, Data, Component, Computer

Event = Action + Target

Vulnerability: Design, Implementation, Configuration

Unauthorized result: Increased Access, Disclosure of Information, Corruption of Information, DoS, Theft of resources

Attack = Tool + Vulnerability + Event + Unauthorized result

Page 10

Incident

• Incident: A group of attacks that can be distinguished from other attacks because of the uniqueness of the attackers, objectives, sites and timing.

Attackers + Attack + Objectives = Incident

Page 11

Incident Taxonomy

Attacker: Hackers, Spies, Terrorists, Corporate Attackers, Professional Criminals, Vandals, Voyeurs

Objectives: Challenge, Status, Thrill; Political Gain; Financial Gain; Damage

Incident = Attacker + Attack + Objectives

Page 12

Federal Incident Reporting Guidelines

• Agency name
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc.)
• Incident Timestamp
• Source IP, Destination IP, port, and protocol
• Operating System, including version, patches, etc.
• System Function (e.g., DNS/web server, workstation, etc.)
• Antivirus software installed, including version, and latest updates
• Location of the system(s) involved in the incident (e.g. Clemson)
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
• Impact to agency
• Resolution

Page 13

Federal Agency Incident Categories

Category: Name. Reporting Timeframe.

CAT 0: Exercise/Network Defense Testing. Not Applicable; this category is for each agency's internal use during exercises.

CAT 1: *Unauthorized Access. Within one (1) hour of discovery/detection.

CAT 2: *Denial of Service (DoS). Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.

CAT 3: *Malicious Code. Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.

CAT 4: *Improper Usage. Weekly.

CAT 5: Scans/Probes/Attempted Access. Monthly. Note: If system is classified, report within one (1) hour of discovery.

CAT 6: Investigation. Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.
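The Event and Attack slides (pages 8 and 9) and the category table above fit together naturally in an incident-handling tool: an attack is recorded as the tool/vulnerability/action/target/result tuple, given a federal category, and the category fixes the reporting clock. The Python below is an added example, not code from the slides or from any agency. The class lists are taken from the slides; the mapping from an attack record to a CAT number in suggest_category is a constructed heuristic for this example, and "daily", "weekly" and "monthly" are read as 1, 7 and 30 days, both assumptions the slides do not make.

```python
"""Added example (not from the Fadnavis slides): the Event/Attack tuple as typed
records plus the federal category table as a reporting-deadline function."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional

# Class lists exactly as they appear on the Event and Attack slides.
Tool = Enum("Tool", "PHYSICAL_ATTACK INFORMATION_EXCHANGE USER_COMMAND "
                    "SCRIPT_OR_PROGRAM AUTONOMOUS_AGENT TOOLKIT")
Vulnerability = Enum("Vulnerability", "DESIGN IMPLEMENTATION CONFIGURATION")
Action = Enum("Action", "PROBE SCAN FLOOD AUTHENTICATE BYPASS SPOOF READ")
Target = Enum("Target", "ACCOUNT PROCESS DATA COMPONENT COMPUTER NETWORK")
Result = Enum("Result", "INCREASED_ACCESS DISCLOSURE_OF_INFORMATION "
                        "CORRUPTION_OF_INFORMATION DOS THEFT_OF_RESOURCES")
Cat = Enum("Cat", "CAT0 CAT1 CAT2 CAT3 CAT4 CAT5 CAT6")


@dataclass(frozen=True)
class Event:
    """Action directed at a target (slide: Action + Target = Event)."""
    action: Action
    target: Target


@dataclass(frozen=True)
class Attack:
    """Tool + Vulnerability + Event + Unauthorized result (slide: Attack).
    result is None when the event achieved no unauthorized result."""
    tool: Tool
    vulnerability: Vulnerability
    event: Event
    result: Optional[Result] = None


def suggest_category(attack: Attack) -> Cat:
    """Constructed heuristic (an assumption of this example, not from the slides):
    pick the federal CAT for an attack record, most time-critical rule first."""
    if attack.tool is Tool.AUTONOMOUS_AGENT:
        return Cat.CAT3  # self-propagating agent: treat as malicious code
    if attack.result is Result.DOS:
        return Cat.CAT2
    if attack.result is not None:
        return Cat.CAT1  # any other achieved result is unauthorized access
    if attack.event.action in (Action.PROBE, Action.SCAN, Action.AUTHENTICATE):
        return Cat.CAT5  # scans, probes and attempted access with no result
    return Cat.CAT6  # unclear: keep under investigation


def reporting_deadline(category: Cat, discovered: datetime, *,
                       ongoing_unmitigated: bool = False,
                       widespread: bool = False,
                       classified: bool = False) -> Optional[datetime]:
    """Latest report time per the category table. None where the table gives no
    timeframe: CAT 0 and CAT 6 always, and CAT 2 unless the attack is still
    ongoing and unmitigated. Daily/weekly/monthly are taken as 1/7/30 days
    (an assumption of this example)."""
    hour = timedelta(hours=1)
    if category is Cat.CAT1:
        return discovered + hour
    if category is Cat.CAT2:
        return discovered + 2 * hour if ongoing_unmitigated else None
    if category is Cat.CAT3:
        return discovered + (hour if widespread else timedelta(days=1))
    if category is Cat.CAT4:
        return discovered + timedelta(days=7)
    if category is Cat.CAT5:
        return discovered + (hour if classified else timedelta(days=30))
    return None  # CAT 0 and CAT 6: internal use, no reporting timeframe


# Constructed sample discovery time for the demonstration and the tests.
SAMPLE_DISCOVERED = datetime(2015, 12, 18, 9, 0)

if __name__ == "__main__":
    # Constructed sample: a toolkit-driven scan of a network that achieved nothing.
    scan = Attack(Tool.TOOLKIT, Vulnerability.CONFIGURATION,
                  Event(Action.SCAN, Target.NETWORK))
    cat = suggest_category(scan)
    print(cat.name, reporting_deadline(cat, SAMPLE_DISCOVERED),
          reporting_deadline(cat, SAMPLE_DISCOVERED, classified=True))
```

Keeping the conditional notes (ongoing and unmitigated, widespread, classified) as explicit keyword flags rather than folding them into the category is deliberate: the same CAT can carry a one-hour or a thirty-day clock, so the record has to preserve the fact that decided it.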

Page 14

Questions?