Taxonomy of Computer Security Incidents Yashodhan Fadnavis

How does it help? Taxonomy gives common names to event Security against a ‘class’ of attacks

Satisfying Taxonomy Mutually Exclusive Exhaustive Unambiguous Repeatable Accepted Useful

Listing Terms E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking Failed six satisfying properties = Bad Taxonomy. Lists can be never ending.

Listing categories Stealing Social passwords Engineering Password sniffing Brute force Eavesdropping Harassment Bugs and backdoors Covert channels Viruses Logic Bombs Authentication Failures Software loopholes Protocol Failures Info LeakageDoS WEP Loopholes Source Address spoofing Software Piracy Degradation Of Service Session Hijacking Cheswick and Bellovin List

Other taxonomies Result categories Empirical categories Matrices

Incident Taxonomy Events: An action directed at a target which is intended to result in change of the state of the target. Action: Step taken by a user or a process to achieve a result. Target: A computer or a network logical entity.

Action + Target = Event Action Probe Scan Flood Authenticate Bypass Spoof Read Target Account Process Data Network Computer Event

Attack Tool Physical Attack Information Exchange User Command Script or program Autonomous Agent Toolkit Action Probe Scan Flood Authenticate Bypass Spoof Read Target Account Process Data Component Computer Event Vulnerability Design Implementation Configuration Unauthorized result Increased Access Disclosure of Information Corruption of Information DoS Theft of resources Attack

Incident Incident: A group of attacks that can be distinguished from other attacks because of the uniqueness of the attackers, objectives, sites and timing. AttackersAttackObjectives

Incident Taxonomy Attacker Hackers Spies Terrorists Corporate Attackers Professional Criminals Vandals Voyeurs Objectives Challenge, Status, Thrill Political Gain Financial Gain Damage Incident

Federal Incident Reporting Guidelines Agency name Point of contact information including name, telephone, and address Incident Category Type (e.g., CAT 1, CAT 2, etc.) Incident Timestamp Source IP, Destination IP, port, and protocol Operating System, including version, patches, etc. System Function (e.g., DNS/web server, workstation, etc.) Antivirus software installed, including version, and latest updates Location of the system(s) involved in the incident (e.g. Clemson) Method used to identify the incident (e.g., IDS, audit log analysis, system administrator) Impact to agency Resolution

Federal Agency Incident Categories CategoryNameReporting Timeframe CAT 0Exercise/Network Defense TestingNot Applicable; this category is for each agency's internal use during exercises. CAT 1*Unauthorized AccessWithin one (1) hour of discovery/detection. CAT 2*Denial of Service (DoS)Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity. CAT 3*Malicious CodeDaily Note: Within one (1) hour of discovery/detection if widespread across agency. CAT 4*Improper UsageWeekly CAT 5Scans/Probes/Attempted AccessMonthly Note: If system is classified, report within one (1) hour of discovery. CAT 6InvestigationNot Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.

Questions?