|Applies to Product:||USM Appliance™||AlienVault OSSIM®|
Most day-to-day security monitoring work involves detecting where security controls have failed and a system has become compromised by malware or exploits. However, some situations will always require more investigation: you may have reason to believe that one compromised host may have been used to compromise others, or that a more complex sequence of specific events, commonly referred to as an attack vector, was used to carry out an attack or exploit.
Indicators of Compromise (IoCs)
Indicators of compromise, or IoCs, represent pieces of information about an attack vector. An IoC can be used to observe a relationship to other attacks. In fact, if you see an IoC responsible for multiple malware infections that all take instructions from the same remote host on the internet, you should track it. This allows you to disable many infections at the same time by blocking that server.
For related information about IoCs comprising Open Threat Exchange® (OTX) pulses, see Open Threat Exchange® and USM Appliance.
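The relationship described above, several infections taking instructions from one remote host, can be surfaced by grouping malware events by the remote address they contact. The following is an added example, not USM Appliance code; the event tuples, addresses and the `shared_remote_hosts` function are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events: (internal host, remote host contacted, alert name).
# Addresses come from documentation ranges and are not real indicators.
EVENTS = [
    ("10.0.0.11", "203.0.113.50", "Trojan.A beacon"),
    ("10.0.0.12", "203.0.113.50", "Trojan.B beacon"),
    ("10.0.0.13", "203.0.113.50", "Trojan.A beacon"),
    ("10.0.0.11", "198.51.100.7", "Adware check-in"),
    ("10.0.0.11", "203.0.113.50", "Trojan.A beacon"),  # repeat from the same host
]


def shared_remote_hosts(events, min_hosts=2):
    """Return remote hosts contacted by at least min_hosts distinct internal hosts.

    Each result is (remote, sorted internal hosts, sorted alert names), ordered
    so the remote host tied to the most infections comes first.
    """
    hosts = defaultdict(set)
    alerts = defaultdict(set)
    for internal, remote, alert in events:
        hosts[remote].add(internal)
        alerts[remote].add(alert)
    shared = [
        (remote, sorted(hosts[remote]), sorted(alerts[remote]))
        for remote in hosts
        if len(hosts[remote]) >= min_hosts
    ]
    # Most affected hosts first; ties broken by address for stable output.
    shared.sort(key=lambda row: (-len(row[1]), row[0]))
    return shared


if __name__ == "__main__":
    for remote, internal, names in shared_remote_hosts(EVENTS):
        print(f"{remote}: {len(internal)} hosts {internal}, alerts {names}")
```

Each returned remote host is a candidate IoC to track, and its host list is the set of systems to remediate together.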
Common Attack Vectors and Strategies to Combat Them
The best way to determine the appropriate incident response in any given situation is to understand what types of attacks your organization may most logically face.
The National Institute of Standards and Technology (http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf) publishes the following list of common attack vectors:
- An attack executed from removable media (for example, flash drive, CD) or a peripheral device.
- An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
- An attack executed from a website or a web-based application (for example, drive-by download).
- An attack executed via an email message or attachment (for example, malware infection).
- Any incident resulting from violation by an authorized user of the acceptable usage policies established by an organization, excluding the above categories.
- Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smart phone. Identify which pieces of equipment would cause the greatest risk to the company in the event of loss or theft. In most companies, the laptop belonging to the CFO would be included along with any server hard drive containing IP or other sensitive data.
- An attack that does not fit into any of the other categories.
Review the foregoing list to make sure that you have security policies and controls in place to mitigate the majority of risks from these attack vectors. Also, use this list to guide your team in determining how to classify the various types of security incidents.
An alert taxonomy can help you to order related alerts into a picture of a larger attack in progress, as the attacker does the following:
- Performs reconnaissance.
- Delivers the attack to many systems.
- Successfully exploits some of them.
- Uses the compromised system as a base from which to attack others.
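The four steps above can be turned into a simple ordering of alerts: follow one source through reconnaissance, delivery and exploitation, then attribute later alerts sourced by the hosts it exploited to the same attack. This is an added example, not part of the product; the category names, the alert tuples and `build_campaign` are assumptions made for illustration.

```python
STAGES = ["reconnaissance", "delivery", "exploitation"]

# Constructed alerts: (sequence number starting at 1, source, destination, category).
# Addresses are documentation ranges, not real indicators.
ALERTS = [
    (1, "198.51.100.9", "10.0.0.5", "reconnaissance"),
    (2, "198.51.100.9", "10.0.0.6", "reconnaissance"),
    (3, "198.51.100.9", "10.0.0.5", "delivery"),
    (4, "198.51.100.9", "10.0.0.6", "delivery"),
    (5, "198.51.100.9", "10.0.0.5", "exploitation"),
    (6, "10.0.0.5", "10.0.0.20", "reconnaissance"),
    (7, "10.0.0.5", "10.0.0.20", "delivery"),
    (8, "192.0.2.44", "10.0.0.7", "reconnaissance"),  # unrelated scanner
]


def build_campaign(alerts, origin):
    """Order alerts into one campaign that starts at `origin`.

    A host counts as attacker-controlled after an exploitation alert against
    it; alerts it sources after that point join the same campaign.
    """
    controlled = {origin: 0}  # host -> sequence number at which it was taken over
    furthest = {}             # victim -> index of the furthest stage reached
    pivots = {}               # compromised host -> hosts it went on to attack
    for seq, src, dst, category in sorted(alerts):
        if category not in STAGES or src not in controlled:
            continue
        if seq <= controlled[src]:
            continue  # activity from before the host was compromised
        furthest[dst] = max(furthest.get(dst, -1), STAGES.index(category))
        if src != origin:
            pivots.setdefault(src, set()).add(dst)
        if category == "exploitation":
            controlled.setdefault(dst, seq)
    return {
        "furthest_stage": {h: STAGES[r] for h, r in sorted(furthest.items())},
        "pivots": {h: sorted(t) for h, t in sorted(pivots.items())},
    }


if __name__ == "__main__":
    print(build_campaign(ALERTS, "198.51.100.9"))
```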
Get Inside the Mind of the Attacker Through Security Event Categorization
Traditional information security falsely assumes that you know which path an attacker will take through your network. For example, attackers rarely come through your front door, or in this context, your gateway firewall. On the other hand, each attack does generally follow a certain pattern, or what Lockheed Martin calls the Cyber Kill Chain®.
The Cyber Kill Chain is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method, because it focuses on how actual attacks happen.
When devising an incident response plan, you may find it helpful to prioritize security events or alarms.
|Incident Type||Kill Chain Stage||Priority Level||Recommended Action|
|Port scanning||Reconnaissance & probing||Low||You can ignore these unless AlienVault OTX IP Reputation gives the IP responsible a bad score. OTX IP Reputation stores reports on any suspicious IP activity, which may or may not be malicious. See Open Threat Exchange® and USM Appliance.|
|Malware infection||Delivery & attack||Low-Medium||Remediate malware infections as quickly as possible before they progress. Scan the rest of your system for related IoCs, for example, MD5 hashes. See Open Threat Exchange® and USM Appliance.|
|Distributed denial of service||Exploitation & Installation||High||Configure web servers to protect against HTTP and SYN flood requests. Coordinate with your Internet service provider (ISP) during an attack to block the responsible IPs.|
|Exploitation & Installation||Medium||Detect, monitor, and investigate unauthorized access attempts—with priority on those that are mission-critical and/or contain sensitive data.|
|Insider breach||System compromise||High||Identify the privileged user accounts for all domains, servers, applications, and critical devices. Make sure that you enabled monitoring for all systems, and for all system events. Verify that your USM Appliance raw log infrastructure is actively recording all events.|
|Unauthorized privilege escalation||Exploitation & installation||High||Through its built-in correlation directives, USM Appliance automatically records all privilege escalation events, and sends alarms for unauthorized attempts. Depending on requirements, you may also enhance your USM Appliance environment by adding custom correlation directives.|
|Destructive attack on systems, data.||System compromise||High||Back up all critical data and systems; test, document, and update system recovery procedures. During a system compromise, capture evidence carefully. Document all recovery steps and all evidential data.|
|Advanced persistent threat (APT) or multistage attack||Represents all stages from reconnaissance through system compromise||High||Any of the individual events illustrated could represent part of an APT, the most formidable type of security threat. For that reason, view each event as part of a larger context, incorporating the latest threat intelligence. USM Appliance correlation directives often look at how many events of a specific nature occurred before generating an alarm, thereby increasing its reliability. OTX pulses, on the other hand, require only one event to do so.|
|False alarms||Represents all stages.||Low||Much of the job of an incident responder consists of eliminating irrelevant information and removing false positives. This process is continuous. For more information, see Establishing Baseline Network Behavior and also Policy Management.|
|Other||All stages||High||Incident response never stops and provides a source for continuous improvement. Over time, as you see events turn into alarms, you gather knowledge that helps you discover new ways to categorize events and to prevent them from becoming alarms in the first place.|
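The table's APT row contrasts two alarm triggers: a correlation rule that waits for a number of similar events, and an OTX pulse indicator that needs only one. The following added example models that difference in a simplified form; it is not USM Appliance directive syntax or an OTX API, and the event tuples, the indicator set, the thresholds and `correlate` are constructed for illustration.

```python
from collections import deque

# Constructed events: (seconds since start, source IP, event type).
EVENTS = [
    (0, "192.0.2.10", "auth_failure"),
    (20, "192.0.2.10", "auth_failure"),
    (35, "192.0.2.10", "auth_failure"),
    (200, "192.0.2.77", "auth_failure"),
    (210, "203.0.113.50", "connection"),
    (900, "192.0.2.77", "auth_failure"),
]
PULSE_INDICATORS = {"203.0.113.50"}  # constructed stand-in for pulse IoCs


def correlate(events, indicators, event_type="auth_failure",
              occurrences=3, window=60):
    """Return alarms as (time, source, reason) tuples.

    An indicator match alarms on a single event; other sources alarm only
    after `occurrences` events of `event_type` within `window` seconds.
    """
    recent = {}  # source -> timestamps still inside the window
    alarms = []
    for ts, src, etype in sorted(events):
        if src in indicators:
            alarms.append((ts, src, "indicator match"))
            continue
        if etype != event_type:
            continue
        times = recent.setdefault(src, deque())
        times.append(ts)
        while ts - times[0] > window:  # drop events older than the window
            times.popleft()
        if len(times) >= occurrences:
            reason = f"{occurrences} {event_type} events in {window}s"
            alarms.append((ts, src, reason))
            times.clear()  # start counting again after raising the alarm
    return alarms


if __name__ == "__main__":
    for alarm in correlate(EVENTS, PULSE_INDICATORS):
        print(alarm)
```

The source `192.0.2.77` never alarms because its two failures are too far apart, which is the reliability gain the occurrence count provides.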
About Port Scanning Alarms
You may feel certain that attackers are getting no useful information from their scanning. However, if their scans of your external systems appear to be detailed and comprehensive, you can reasonably assume that they have the intent to follow up the reconnaissance with attack attempts later on.
If the scanning originates from a legitimate organization’s networks, your best approach is to contact their security team, if they have one, or network management personnel.
If no contact details are apparent, look for details about the domain in WHOIS, a link to which is available at the bottom of the USM Appliance Security Events list and also from the applicable OTX web pages for such IoCs.
Note: Blocking the source address may be counterproductive, and merely cause the attacker to use a different source address.