A Common Language for Computer Security Incidents

1
A Common Language for Computer Security Incidents

• John D. Howard, Thomas A. Longstaff
• Presented by
• Jason Milletary
• 9 November 2000

2
The Problem

• Security incident data compiled by many sources
• Lack of agreement between security incident terms
  used by different sources
• Unable to combine and compare data for useful
  analysis

3
Common Language Project

• Cooperation between Sandia National Labs and
  CERT/CC
• Develop a minimum set of high-level terms for
  security incidents
• Flexible enough to allow site-specific low-level
  terms
• Develop taxonomy for these terms
• Classification scheme that defines the terms and
  their relationships

4
Satisfactory Taxonomy Characteristics

• Mutually exclusive
• Exhaustive
• Unambiguous
• Repeatable
• Accepted
• Useful

5
Review of Previous Taxonomies

• List of terms
• Trap doors, IP spoofing, dumpster diving
• List of categories
• Social engineering, denial-of-service
• Results categories
• Corruption, denial
• Empirical lists
• External abuse of resource, masquerading
• Matrices
• Vulnerabilities vs. potential perpetrators
• Action-based
• Interruption, interception

6
CLP Incident Taxonomy

• Events
• An action directed at a target intended to change
  the state of that target
• Action
• A step taken by a user or process in order to
  achieve a result
• Target
• Logical entity
• Data, account
• Physical entity
• Computer, network
• The IEEE Standard Dictionary of Electrical and
  Electronics Terms, Sixth Edition, 1996.

7
CLP Incident Taxonomy
event
Action
Probe
Scan
Flood
Authenticate
Bypass
Spoof
Read
Copy
Steal
Modify
Delete
Target
Account
Process
Data
Component
Computer
Network
Internetwork
8
CLP Incident Taxonomy

• Attacks
• Use of a tool to exploit a vulnerability to
  perform an action on a target in order to achieve
  an unauthorized result
• Tool
• Means or method by which a vulnerability is
  exploited
• Vulnerability
• System weakness in which unauthorized access can
  be gained
• Unauthorized result
• An consequence of an the event phase of an attack

9
CLP Incident Taxonomy
attack
event
Action
Probe
Scan
Flood
Authenticate
Bypass
Spoof
Read
Copy
Steal
Modify
Delete
Vulnerability
Design
Implementation
Configuration
Tool
Physical Attack
Information Exchange
User Command
Script or Program
Autonomous Agent
Toolkit
Data Tap
Distributed Tool
Target
Account
Process
Data
Component
Computer
Network
Internetwork
Unauthorized Result
Increased Access
Disclosure of Information
Corruption of Data
Denial of Service
Theft of Resources
10
CLP Incident Taxonomy

• Incident
• A distinct group of attacks involving specific
  attackers, attacks, objectives, sites, and timing
• Attacker
• Individual(s) who use one or more attacks to
  reach an objective
• Objective
• End goal of an incident

11
CLP Incident Taxonomy
incident
attack
event
Action
Probe
Scan
Flood
Authenticate
Bypass
Spoof
Read
Copy
Steal
Modify
Delete
Target
Account
Process
Data
Component
Computer
Network
Internetwork
Unauthorized Result
Increased Access
Disclosure of Information
Corruption of Data
Denial of Service
Theft of Resources
Vulnerability
Design
Implementation
Configuration
Tool
Physical Attack
Information Exchange
User Command
Script or Program
Autonomous Agent
Toolkit
Data Tap
Distributed Tool
Attackers
Hackers
Spies
Terrorists
Corporate Raiders
Profession Criminals
Vandals
Voyeurs
Objectives
Challenge, status, thrill
Political gain
Financial gain
Damage
12
CLP Incident Taxonomy

• Other terms
• Site and site name
• Dates
• Incident numbers
• Corrective action

13
Future Plans

• Implement common language
• Database
• Analysis of data
• Forensics
• Trending
• Insight into hacker objectives and motives
• Sharing of data between response teams