Week 5 Flashcards
Intrusion detection system (IDS)
is a software application that monitors a network or system for malicious activity or policy violations. A violation is reported to an administrator or collected in a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.
Signature-based detection:
Signature-based IDS monitors packets in the Network and compares with pre-configured and pre-determined attack patterns known as signatures.
Statistical anomaly-based detection:
An IDS which is anomaly-based will monitor network traffic and compare it against an established baseline. The baseline will identify what is “normal” for that network.
Stateful protocol analysis detection:
This method identifies deviations of protocol states by comparing observed events with pre-determined profiles of activity.
Types of intrusion detection:
- Signature-based detection
- Statistical anomaly-based detection
- Stateful protocol analysis detection
Monitoring:
detecting ‘abnormal’ patterns of behavior in streams of data
- E.g. log-files, ticket systems, TCP packets, messages, …
- Time-stamp + Case ID
- Combine data sources:top-down; bottom-up
- Compliance monitoring: detect a violation to a law or policy
- Capacity management: detect a sudden need, or drop in capacity
- Security monitoring: detect illicit activity on the network
Type I and Type II errors
- Based on some measurements, we reject the null hypothesis (H0).
- So the alternative hypothesis (H1) must be true.
- Type I error: mistaken rejection of the zero hypothesis (false positive)
- Type II error: mistaken acceptance of the null hypothesis (false negative)
Cyber Kill Chain
The cyber kill chain is essentially a cybersecurity model created by Lockheed Martin that traces the stages of a cyber-attack, identifies vulnerabilities, and helps security teams to stop the attacks at every stage of the chain.
attackers work goal-directed and proceed in stages: preparation, intrusion and controlled breach. They take time to prepare. So, try to find countermeasures, to detect them in the early stages.
3 steps: preparation, intrusion and controlled breach
Attack-Defense Tree (Bruce Schneier)
- Start with a simple architecture (e.g. U-model)
- Identify and analyze possible access paths (scenarios) of the attacker, and organize them in a game-tree.
- For groups of attacks with common elements: identify countermeasures.
- Game (like chess); possible moves determined by architecture
- Which move should B take, given that A would take move ai, based on the assumption that B takes move bj, …?
•Evaluation based on likelihood, impact, or time, expertise, …
Red and blue teaming
- Red teams are offensive security professionals who are experts in attacking systems and breaking into defences. They need written permission.
- Blue teams are defensive security professionals responsible for maintaining internal network defences against all cyber attacks and threats.
- Identify and analyse various scenarios and countermeasures. Prevention but also monitoring, and real-time response and recovery action.
- Data-driven: collect attack-data, to be used in simulation later.
Designing Control Measures
Cost of security measures =< risk reduction
Prevent, or detect and correct?
Time-based Model of Information Security (Romney and Steinbart)
•The time-based model of information security P > D + R,
- where P is the time it takes an attacker to break through the various controls that protect the organization’s information assets, D is the time it takes for the organization to detect that an attack is in progress, and R is the time it takes to respond to and stop the attack
- If the equation is satisfied (P > D + R is true), then the organization’s information security procedures are effective. Otherwise, security is ineffective.
- NB. Instead of time, we can also take likelihood of an attack, or resources. See the paper on Attack trees by Bruce Schneier.
Resilience formalized
- Resilience: relatively immune to threats:
- Total impact, depends on ability to:
- anticipate: reduce uncertainty
- prepare: reduce likelihood P
- absorb: reduce initial loss
- detect: reduce Td
- respond: reduce Trs
- recover: reduce Tre
- adapt: learn and improve
Ransomware – outcomes
- The optimal ransom depends on the willingness of the victim to pay to recover her files. (W)
- The bargaining power of the criminal is enhanced by the likelihood of irrational aggression, i.e. the destruction of files if a ransom demand is not met. (threat)
- The bargaining power of the criminal is enhanced by a credible commitment to return files to any victim who pays the required ransom. A way to achieve this is to build a reputation of honouring ransom payments.
- Criminals will only be deterred if the measures to prevent successful attack, whether that be anti-virus software or personal vigilance, are near perfect. This seems unlikely.
- There are important spill over effects between potential victims. For instance, if the victims who value their files most spend enough to deter attack, then this benefits all users. Similarly, those who regularly back up files may still be vulnerable to attack and losses (even if small) because there are others who do little to deter attack. So government needs to subsidize spending on cyber security or good backup practices.
- Deterrence is costly. An estimate of costs of ransomware, should take into account all the costs of deterrence and dealing with an attack. The payment of ransoms is likely to be a relatively small fraction of the total social and economic costs of ransomware.
Conclusions:
- So, we need systematic methods:
- Scenario analysis: which scenarios can be prevented?
- Attack-defense trees: measuers and countermeasures (design time)
- Red and Blue Teaming: collect data about effectiveness of measures (run time)
- Theory is based on economics: risk analysis, decision theory, or game-theory.
- In practice, mostly qualitative measures. Need for data-driven approaches.