Taxonomy of Computer Security Incidents
Yashodhan Fadnavis
How does it help?
• A taxonomy gives common names to events
• It lets defences be reasoned about against a whole ‘class’ of attacks rather than one instance at a time
Satisfying Taxonomy
• Mutually Exclusive
• Exhaustive
• Unambiguous
• Repeatable
• Accepted
• Useful
Listing Terms
• E.g. Password sniffing, Brute force attacks, Eavesdropping, Harassment, Covert Channels, Viruses, Logic Bombs, Software loopholes, WEP loopholes, Source address spoofing, Software piracy, Degradation of services, Session hijacking
• A list that fails the six satisfying properties above is a bad taxonomy.
• Such lists can be never-ending.
Listing categories
Cheswick and Bellovin List
• Stealing passwords: Password sniffing, Brute force
• Social Engineering: Eavesdropping, Harassment
• Bugs and backdoors: Covert channels, Viruses, Logic Bombs
• Authentication Failures: Software loopholes
• Protocol Failures: WEP loopholes, Source address spoofing
• Info Leakage: Software piracy
• DoS: Degradation of service, Session hijacking
Other taxonomies
• Result categories
• Empirical categories
• Matrices
Incident Taxonomy
• Event: An action directed at a target, intended to result in a change of the target's state.
• Action: A step taken by a user or a process to achieve a result.
• Target: A computer or a logical entity on a network.
Action + Target = Event
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read
• Target: Account, Process, Data, Network, Computer
Event
Attack
Tool + Vulnerability + Event (Action + Target) + Unauthorized Result = Attack
• Tool: Physical Attack, Information Exchange, User Command, Script or Program, Autonomous Agent, Toolkit
• Vulnerability: Design, Implementation, Configuration
• Action: Probe, Scan, Flood, Authenticate, Bypass, Spoof, Read
• Target: Account, Process, Data, Component, Computer
• Unauthorized Result: Increased Access, Disclosure of Information, Corruption of Information, DoS, Theft of Resources
Incident
• Incident: A group of attacks that can be distinguished from other attacks by the uniqueness of the attackers, objectives, sites and timing.
Attackers + Attack(s) + Objectives = Incident
• Attackers: Hackers, Spies, Terrorists, Corporate Attackers, Professional Criminals, Vandals, Voyeurs
• Objectives: Challenge, Status, Thrill; Political Gain; Financial Gain; Damage
Federal Incident Reporting Guidelines
• Agency name
• Point of contact information including name, telephone, and email address
• Incident Category Type (e.g., CAT 1, CAT 2, etc.)
• Incident Timestamp
• Source IP, Destination IP, port, and protocol
• Operating System, including version, patches, etc.
• System Function (e.g., DNS/web server, workstation, etc.)
• Antivirus software installed, including version, and latest updates
• Location of the system(s) involved in the incident (e.g. Clemson)
• Method used to identify the incident (e.g., IDS, audit log analysis, system administrator)
• Impact to agency
• Resolution
Federal Agency Incident Categories
Category | Name | Reporting Timeframe
CAT 0 | Exercise/Network Defense Testing | Not Applicable; this category is for each agency's internal use during exercises.
CAT 1 | *Unauthorized Access | Within one (1) hour of discovery/detection.
CAT 2 | *Denial of Service (DoS) | Within two (2) hours of discovery/detection if the successful attack is still ongoing and the agency is unable to successfully mitigate activity.
CAT 3 | *Malicious Code | Daily. Note: Within one (1) hour of discovery/detection if widespread across agency.
CAT 4 | *Improper Usage | Weekly
CAT 5 | Scans/Probes/Attempted Access | Monthly. Note: If system is classified, report within one (1) hour of discovery.
CAT 6 | Investigation | Not Applicable; this category is for each agency's use to categorize a potential incident that is currently being investigated.
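As an added example, not part of these slides, the Python helper below turns the category table into a reporting-deadline check that applies the notes for CAT 2 (only while ongoing), CAT 3 (widespread escalates to one hour) and CAT 5 (classified system escalates to one hour). The 24 h / 7 d / 30 d values used for Daily, Weekly and Monthly are an assumption of the example, and the incident records are constructed.

```python
from datetime import datetime, timedelta

# Federal incident categories and reporting windows from the slide's table, in hours
# after discovery (None = not applicable; CAT 0 and CAT 6 are for internal use).
# "Daily", "Weekly" and "Monthly" are taken as 24 h, 7 d and 30 d windows (assumption).
CATEGORIES = {
    0: ("Exercise/Network Defense Testing", None),
    1: ("Unauthorized Access", 1),
    2: ("Denial of Service (DoS)", 2),
    3: ("Malicious Code", 24),
    4: ("Improper Usage", 24 * 7),
    5: ("Scans/Probes/Attempted Access", 24 * 30),
    6: ("Investigation", None),
}
def reporting_hours(category, ongoing=False, widespread=False, classified=False):
    """Hours allowed for reporting after applying the table's notes; None if not reportable."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown category CAT {category}")
    if category == 2 and not ongoing:
        return None  # DoS clock runs only while the attack is ongoing and unmitigated
    if category == 3 and widespread:
        return 1     # widespread malicious code escalates from daily to one hour
    if category == 5 and classified:
        return 1     # scans against a classified system escalate to one hour
    return CATEGORIES[category][1]
def reporting_deadline(category, discovered, **flags):
    """Absolute deadline as a datetime, or None when no report is required."""
    hours = reporting_hours(category, **flags)
    return None if hours is None else discovered + timedelta(hours=hours)
def overdue(incidents, now):
    """IDs of incidents whose reporting deadline has already passed at `now`."""
    late = []
    for inc in incidents:
        flags = {k: inc.get(k, False) for k in ("ongoing", "widespread", "classified")}
        deadline = reporting_deadline(inc["cat"], inc["discovered"], **flags)
        if deadline is not None and now > deadline:
            late.append(inc["id"])
    return late

# Constructed sample queue (not real incident data), all discovered at 09:00.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "cat": 1, "discovered": T0},
    {"id": "INC-2", "cat": 2, "discovered": T0, "ongoing": False},
    {"id": "INC-3", "cat": 3, "discovered": T0, "widespread": True},
    {"id": "INC-4", "cat": 3, "discovered": T0},
]
def overdue_sample():  # reviewed at 12:00 the same day -> ['INC-1', 'INC-3']
    return overdue(SAMPLE_INCIDENTS, datetime(2024, 1, 1, 12, 0))
```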
Questions?