Location via proxy:   [ UP ]  
[Report a bug]   [Manage cookies]                
Scribd Logo
Upload

Welcome to Scribd!

  • 672 views

    AlienVault Alarm Taxonomy

    Uploaded by

    mario_kgl
    The new alarm taxonomy in AlienVault USM and OSSIM v4.3 introduces standardized alarm categories based on an attacker's intent. The categories - Reconnaissance & Probing, Delivery & Attack, Exploitation & Installation, and System Compromise - describe the typical stages of an attack based on the Lockheed Martin kill chain model. This provides necessary context to understand alarms and prioritize incident response. The original alarm names are still viewable for backward compatibility. Any existing or new custom correlation rules can apply the new taxonomy during configuration. System Compromise alarms indicate the highest risk as an attacker has already gained access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd

    AlienVault Alarm Taxonomy

    Uploaded by

    mario_kgl
    672 views5 pages
    The new alarm taxonomy in AlienVault USM and OSSIM v4.3 introduces standardized alarm categories based on an attacker's intent. The categories - Reconnaissance & Probing, Delivery & Attack, Exploitation & Installation, and System Compromise - describe the typical stages of an attack based on the Lockheed Martin kill chain model. This provides necessary context to understand alarms and prioritize incident response. The original alarm names are still viewable for backward compatibility. Any existing or new custom correlation rules can apply the new taxonomy during configuration. System Compromise alarms indicate the highest risk as an attacker has already gained access.

    Original Description:

    SIEM

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    The new alarm taxonomy in AlienVault USM and OSSIM v4.3 introduces standardized alarm categories based on an attacker's intent. The categories - Reconnaissance & Probing, Delivery & Attack, Exploitation & Installation, and System Compromise - describe the typical stages of an attack based on the Lockheed Martin kill chain model. This provides necessary context to understand alarms and prioritize incident response. The original alarm names are still viewable for backward compatibility. Any existing or new custom correlation rules can apply the new taxonomy during configuration. System Compromise alarms indicate the highest risk as an attacker has already gained access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    672 views5 pages

    AlienVault Alarm Taxonomy

    Uploaded by

    mario_kgl
    The new alarm taxonomy in AlienVault USM and OSSIM v4.3 introduces standardized alarm categories based on an attacker's intent. The categories - Reconnaissance & Probing, Delivery & Attack, Exploitation & Installation, and System Compromise - describe the typical stages of an attack based on the Lockheed Martin kill chain model. This provides necessary context to understand alarms and prioritize incident response. The original alarm names are still viewable for backward compatibility. Any existing or new custom correlation rules can apply the new taxonomy during configuration. System Compromise alarms indicate the highest risk as an attacker has already gained access.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Download as pdf or txt
    of 5

    FAQ:

    New Alarm Taxonomy in 4.3


    (A Guide for USM and OSSIM Users and Evaluators)

    What are the new alarm categories in USM and OSSIM v4.3?

    What are some examples of each alarm category?

    Whats the rationale behind the change?


    Typically, the verbiage included in log messages for infrastructure devices and security products
    is incredibly difficult to understand. Theres no consistency, context or easy way to prioritize
    these events when the language is inconsistent and difficult to interpret. At AlienVault, our
    goal has always been to reduce the complexity inherent in security monitoring to better assist
    security analysts with incident response. Thats why were excited to introduce this new alarm
    taxonomy which:

    User FAQ: Alarm Taxonomy Page 1 of 5

    Provides the necessary context for each alarm


    Enables effective prioritization for incident response by describing the INTENT behind
    attack activity
    Simplifies security monitoring by using clear language rather than the esoteric
    categories from the original data source/vendor


    What are these Intent categories based on?
    Were using a simplified version of an industry standard for understanding how cyber attackers
    conduct attacks. Published in 2009, Lockheed Martins Kill Chain methodology is one of the
    best ways of associating a specific event within the larger context of an attack. Considered in
    the context of network intrusions, the kill chain describes a scenario in which an attacker must
    develop a payload to breach a trusted boundary, establish a presence inside a trusted
    environment, and take actions towards the attackers objectiveswhether these objectives
    consist of moving laterally inside the environment or violating the confidentiality, integrity, or
    availability of a system in the environment.
    How do you know what an attackers intent is?
    This can be surmised based on attack activity and how theyre interacting with a network and
    its assets. AlienVault Labs applies their extensive research into attacker profiles, tools, and
    techniques to evaluate each threat to determine the appropriate category for each alarm. As a
    reference, the table below provides some very high-level information regarding the attackers
    goals during each attack stage / type of alarm.

    Alarm Type / Intent Attackers Goals


    Find target.

    Reconnaissance & Probing Develop plan of attack based on opportunities for exploit.

    Place delivery mechanism online

    Delivery & Attack

    Use social engineering to induce target to access malware or other exploit

    Exploitation & Installation Exploit vulnerabilities on target systems to acquire access


    Elevate user privileges and install persistence payload

    Ex-filtrate high-value data as quietly and quickly as possible.

    System Compromise

    Use compromised system to gain additional access, steal computing


    resources, and/or use in an attack against someone else


    User FAQ: Alarm Taxonomy Page 2 of 5

    Is there some way of identifying the previous naming convention for the alarm?
    Yes. Weve retained the original (pre-4.3) naming convention and you can view that in italics at
    the top of the alarm detail window for each alarm. For example, you can see the pre-4.3
    naming convention for this alarm highlighted in the blue box below:

    What happens when I want to add a custom correlation rule?


    Any custom correlation rules youve created prior to v4.3 will still be present in the system.
    When viewing alarms that have been triggered by these rules, youll simply be prompted to add
    and apply the new taxonomy categories via a configuration wizard. This will include the full
    listing of choices available for each category, so it will just take a few moments to make this
    change. This is also true of any new custom correlation rules youd like to add within v4.3.
    Which category of alarms should I look at first?
    In terms of security exposure, the most critical events will be the System Compromise category.
    Once a system has been compromised, an attacker has gained a foothold into your network.
    This may be a contained incident to one system; however, in most cases this is just the tip of
    the iceberg.
    So when viewing all of your alarms, you may want to begin with those that are the most critical,
    and typically, this would be signaled by the System Compromise intent.
    In general, keep these tips in mind:
    For each incident, ask yourself these questions: How close to a successful breach is
    this? and How close are the attackers to their goal?
    Move away from a first-in-first-out pipe model. Look at each event in the context of
    other events as well as the context of what an attackers goal or intent might be.
    Use the context of your environment and business model to surmise what the intent
    of the attacker is, and use the reporting source of the event to further refine
    prioritization efforts. Establish the reliability of the data source based on the full
    context of what it is reporting.

    User FAQ: Alarm Taxonomy Page 3 of 5

    Describe the quantity of alarm content. How many specific alarms are there?
    Each alarm is triggered by an event correlation rule. So, another way of explaining this would
    be to say that there are currently 1500+ event correlation rules in our threat intelligence
    subscription. However, this number will continue to increase as threats evolve and emerge,
    and the technological ability to detect them evolves as well.
    The following should provide some highlights with respect to the breadth of our threat
    intelligence content:

    Reconnaissance & Probing In addition to 21 specific checks for discovering services on


    target hosts, we look for port scanning and vulnerability scanning activities, webserver
    probes, and scans initiated by internal hosts.
    Delivery & Attack We look for 16 different types of delivery and attack strategies.
    These include 116 specific rules for various bruteforce authentication techniques as well
    as 53 specific rules for Denial of Service (DOS) attack methods.
    Exploit & Installation Within the 10 specific attack strategies for exploitation and
    installation, we look for 115 specific client-side vulnerabilities a common vector for
    exploitation. Other checks include detection of website exploit kits, service exploits,
    network protocol anomalies and more.
    System Compromise With System Compromise being the most critical stage in an
    attack, we wanted to make sure we had the most coverage here. With 1010 specific
    rules to identify a compromised system, we look for 20 different attack strategies
    including:
    o Trojan infections 673 unique types of Trojans and their variants, plus 33 Trojans
    specific to mobile devices detected
    o Worm infections 43 unique types of worms and their variants detected
    o Spyware infections 74 unique types of spyware detected
    o Adware infections 52 types of adware detected
    o Fake Anti-Virus installation 39 specific signatures to detect fake AV
    o Additional checks include: backdoor detection, C&C communication, covert
    channel communication, and file downloads from bad reputation hosts.
    Environmental Awareness We include 117 specific checks regarding the configuration
    of your environment including potentially unauthorized or vulnerable desktop software
    such as BitCoin, games, P2P, remote desktop tools, and video. Additionally, we detect
    the presence of sensitive data without controls such as encryption, default passwords or
    passwords in cleartext and more. Finally, we include checks for network anomalies as
    well in order to help define network baselines.

    What should I do to resolve an issue once an alarm has fired?


    Each event that triggers an alarm will require specific remediation tasks based on the context
    of the event, the assets involved, and the relative severity of the activity. That said, weve
    provided how to guidance for every single alarm produced within AlienVault. These
    instructions are found within the alarm detail window as seen in the screenshot below. These

    User FAQ: Alarm Taxonomy Page 4 of 5

    instructions are written by our AlienVault Labs team members, who have decades of CSIRT and
    DFIR experience responding to information security incidents and investigations. Updates to
    this information are included in our threat intelligence subscription content, along with updates
    to our event correlation rules, IDS signatures, vulnerability and asset inventory databases, and
    more.


    User FAQ: Alarm Taxonomy Page 5 of 5

    You might also like