Practical Reflection
Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 8 – Collection
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Introduction
• Diligent and ongoing observation of computing and networking behavior can highlight malicious activity
– The processing and analysis required for this must be done within a program of data collection
• A national collection process that combines local, regional, and aggregated data does not exist in an organized manner
Fig. 8.1 – Local, regional, and national data collection with aggregation
Introduction
• At local and national levels, data collection decisions for national infrastructure should be based on the following security goals
– Preventing an attack
– Mitigating an attack
– Analyzing an attack
• Data collection must be justified (who is collecting and why)
• The quality of data is more important than the quantity
Fig. 8.2 – Justification-based decision analysis template for data collection
Collecting Network Data
• Metadata is perhaps the most useful type of data for collection in national infrastructure
– Metadata is information about data, not what the data is about
• Data collection systems need to keep pace with the growth of carrier backbones
• Sampling data takes less time, but unsampled data may reveal more
Fig. 8.3 – Generic data collection schematic
Fig. 8.4 – Collection detects evidence of vulnerability in advance of notification
Collecting System Data
• National initiatives have not traditionally collected data from mainframes, servers, and PCs
• The ultimate goal should be to collect data from all relevant computers, even if that goal is beyond current capacity
• System monitoring may reveal troubling patterns
• Two techniques useful for embedding system management data
– Inventory process needed to identify critical systems
– Process of instrumenting or reusing data collection facilities must be identified
Fig. 8.5 – Collecting data from mainframes, servers, and PCs
Security Information and Event Management
• Security information and event management (SIEM) is the process of aggregating system data from multiple sources for the purpose of protection
• Each SIEM system (in a national system of data collection) would collect, filter, and process data
• Objections to this approach include both the cost of setting up the architecture and the fact that embedded SIEM functionality might introduce problems locally
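The collect, filter, and process stages of the SIEM bullet, as an added example that is not part of the slides or the book. The two log formats, the hostnames, the addresses and every function name here are constructed for illustration; no real product emits these exact lines.

```python
"""Added example (not from the book or the slides): a minimal SIEM-style
pipeline that collects events from several sources, filters them, and
processes them for a shared signal. Log formats and addresses are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records from two sources. The formats are made up for the
# example and are not any product's real output.
FIREWALL_LINES = [
    "2012-03-01T10:00:01 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=22",
    "2012-03-01T10:00:02 fw1 ALLOW src=10.0.0.9 dst=10.0.0.5 dport=443",
    "2012-03-01T10:00:03 fw1 DENY src=198.51.100.7 dst=10.0.0.5 dport=23",
]
AUTH_LINES = [
    "2012-03-01 10:00:05 srv5 sshd: Failed password for admin from 198.51.100.7",
    "2012-03-01 10:00:06 srv5 sshd: Failed password for root from 198.51.100.7",
    "2012-03-01 10:00:30 srv5 sshd: Accepted password for alice from 10.0.0.9",
]

FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+ \S+) (\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_firewall(line):
    """Normalize one firewall record into the common event schema."""
    m = FW_RE.match(line)
    if not m:
        return None  # collection step: unparseable lines are dropped, not guessed
    ts, host, action, src, dst, dport = m.groups()
    return {"ts": datetime.fromisoformat(ts), "source": "firewall", "host": host,
            "outcome": "deny" if action == "DENY" else "allow",
            "src_ip": src, "dst_ip": dst, "dport": int(dport), "user": None}


def parse_auth(line):
    """Normalize one authentication record into the common event schema."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts, host, result, user, src = m.groups()
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "source": "auth", "host": host,
            "outcome": "deny" if result == "Failed" else "allow",
            "src_ip": src, "dst_ip": None, "dport": None, "user": user}


def collect(firewall_lines=FIREWALL_LINES, auth_lines=AUTH_LINES):
    """Collect: pull records from every source into one normalized, time-ordered list."""
    events = [e for e in map(parse_firewall, firewall_lines) if e]
    events += [e for e in map(parse_auth, auth_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def filter_events(events):
    """Filter (data reduction): keep only denied/failed activity; successful,
    expected traffic is dropped before it reaches the aggregation tier."""
    return [e for e in events if e["outcome"] == "deny"]


def process(events, min_sources=2, min_events=3, window_seconds=60):
    """Process: flag a source IP seen denied by at least `min_sources` distinct
    collectors with at least `min_events` events inside `window_seconds`."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        sources = sorted({e["source"] for e in evs})
        if len(sources) >= min_sources and len(evs) >= min_events and span <= window_seconds:
            findings[ip] = {"events": len(evs), "sources": sources}
    return findings
```

The filter stage is where the "quality over quantity" point from the Introduction slide is enforced: the allowed and accepted records never leave the local tier, so what is forwarded upward is smaller and already justified. The cross-source condition in `process` is what a single-source collector cannot compute, which is the argument for aggregation in the first place.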
Fig. 8.6 – Generic SIEM architecture
Fig. 8.7 – Generic national SIEM architecture
Large-Scale Trending
• Identifying trends is the most fundamental processing technique for data collected across the infrastructure
• In the simplest terms
– Some quantities go up (growth)
– Some quantities go down (reduction)
– Some quantities stay the same (leveling)
– Some quantities do none of the above (unpredictability)
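The four trend shapes on the slide, as an added example that is not part of the slides or the book: a least-squares fit over a collected series and a small decision rule that labels it growth, reduction, leveling or unpredictability. The thresholds, the function names and the sample daily counts are constructed for illustration.

```python
"""Added example (not from the book or the slides): classify a collected time
series into the four trend shapes named on the slide (growth, reduction,
leveling, unpredictability) with a least-squares fit. Thresholds and the sample
series are constructed for illustration."""
import math


def linear_fit(values):
    """Least-squares line through (0, v0), (1, v1), ...; returns (slope, intercept, r2)."""
    n = len(values)
    xs = range(n)
    mean_x = (n - 1) / 2
    mean_y = sum(values) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, values))
    slope = sxy / sxx
    intercept = mean_y - slope * mean_x
    ss_tot = sum((y - mean_y) ** 2 for y in values)
    ss_res = sum((y - (slope * x + intercept)) ** 2 for x, y in zip(xs, values))
    r2 = 1.0 if ss_tot == 0 else 1.0 - ss_res / ss_tot
    return slope, intercept, r2


def classify_trend(values, min_change=0.10, min_fit=0.80, max_noise=0.10):
    """Map a series to one of: growth, reduction, leveling, unpredictability.
    min_change: relative change over the window that counts as a real move.
    min_fit:    R^2 needed to trust the fitted direction.
    max_noise:  residual spread (relative to the mean) tolerated for 'leveling'.
    All three thresholds are constructed defaults, not values from the book."""
    if len(values) < 3:
        raise ValueError("need at least three observations")
    slope, intercept, r2 = linear_fit(values)
    mean_y = sum(values) / len(values)
    if mean_y == 0:
        return "leveling" if all(v == 0 for v in values) else "unpredictability"
    rel_change = slope * (len(values) - 1) / mean_y
    if r2 >= min_fit:
        # The line explains the data: direction is trustworthy, so decide by size.
        if rel_change > min_change:
            return "growth"
        if rel_change < -min_change:
            return "reduction"
        return "leveling"
    # The line explains little: either flat-with-noise or genuinely erratic.
    residuals = [y - (slope * x + intercept) for x, y in enumerate(values)]
    noise = math.sqrt(sum(r * r for r in residuals) / len(values)) / abs(mean_y)
    return "leveling" if noise <= max_noise else "unpredictability"


# Constructed daily counts (think alerts per day) illustrating each shape.
SAMPLES = {
    "growth": [100, 110, 120, 130, 140, 150, 160, 170, 180, 190],
    "reduction": [190, 180, 170, 160, 150, 140, 130, 120, 110, 100],
    "leveling": [100, 101, 99, 100, 102, 98, 100, 101, 99, 100],
    "unpredictability": [100, 300, 50, 400, 20, 350, 90, 380, 10, 420],
}

if __name__ == "__main__":
    for name, series in SAMPLES.items():
        print(f"{name:16s} -> {classify_trend(series)}")
```

The ordering of the checks matters: a fit quality test comes before the direction test, otherwise the erratic series (whose fitted slope happens to be positive) would be reported as growth, which is exactly the kind of untrustworthy trend the next slide warns about.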
Fig. 8.8 – Growth trend in botnet behavior over 9-month period (2006–2007)
Large-Scale Trending
• Some basic practical considerations must be made by security analysts before a trend can be trusted
– Underlying collection
– Volunteered data
– Relevant coverage
Tracking a Worm
• Collecting network metadata allows security analysts to track a worm’s progress and predict its course
• Consensus holds that worms work too fast for data collection to be an effective defense
– There’s actually some evidence that a closer look at the data might provide early warning of worm threats
• After collecting and analyzing, the next step is acting on the data in a timely manner
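An added example, not from the slides or the book, serving both the "Collecting Network Data" point that unsampled data may reveal more and the "Tracking a Worm" point that metadata alone can give early warning, track progress and project the course of an outbreak. The flow records, the doubling pattern, the sampling scheme and all function names are constructed; the only real detail borrowed is that SQL/Slammer spread over UDP port 1434.

```python
"""Added example (not from the book or the slides): early warning for a fast
worm from network *metadata* only (flow records: who talked to which port,
when), with an unsampled versus sampled collection comparison. The flow
records are constructed; only the port number is borrowed from the real
SQL/Slammer worm, which spread over UDP/1434."""
from collections import defaultdict
import math

WORM_PORT = 1434   # UDP port SQL/Slammer used; everything else here is constructed


def build_flows():
    """Constructed flow metadata: (minute, src_host, dst_port, packets).
    Background: DNS (port 53) from many hosts, volume varying by minute.
    From minute 25 a worm-like pattern starts: the set of infected hosts
    doubles each minute and every infected host sprays UDP/1434."""
    flows = []
    for minute in range(40):
        for i in range(200 + 10 * (minute % 5)):
            flows.append((minute, minute * 1000 + i, 53, 2))
    infected = 2
    for minute in range(25, 40):
        for h in range(infected):
            flows.append((minute, 50_000 + h, WORM_PORT, 50))
        infected = min(infected * 2, 4096)
    return flows


def sample_by_host(flows, n):
    """Deterministic 1-in-n sampling of *sources* (stand-in for a sampled
    collection feed): keeps all flows from one host in n, drops the rest."""
    return [f for f in flows if f[1] % n == 0]


def sources_per_port_minute(flows):
    """Aggregate to metadata counts: distinct sources per (dst_port, minute)."""
    seen = defaultdict(set)
    for minute, src, port, _packets in flows:
        seen[(port, minute)].add(src)
    return {key: len(hosts) for key, hosts in seen.items()}


def first_alert(flows, baseline_minutes=20, min_sources=4):
    """Early-warning rule: a destination port never seen during the baseline
    window is contacted by >= min_sources distinct sources within one minute.
    Returns (minute, port) of the first such minute, or None."""
    counts = sources_per_port_minute(flows)
    baseline_ports = {port for (port, minute) in counts if minute < baseline_minutes}
    for port, minute in sorted(counts, key=lambda k: (k[1], k[0])):
        if (minute >= baseline_minutes and port not in baseline_ports
                and counts[(port, minute)] >= min_sources):
            return minute, port
    return None


def doubling_time(flows, port, start, end):
    """Minutes per doubling of distinct sources on `port` between two minutes;
    this is the 'track its progress' measurement."""
    counts = sources_per_port_minute(flows)
    return (end - start) / math.log2(counts[(port, end)] / counts[(port, start)])


def projected_minute(flows, port, start, end, target):
    """'Predict its course': the minute at which distinct sources on `port`
    reach `target` if the doubling time seen between start and end holds."""
    counts = sources_per_port_minute(flows)
    return end + doubling_time(flows, port, start, end) * math.log2(target / counts[(port, end)])


if __name__ == "__main__":
    full = build_flows()
    print("unsampled alert:", first_alert(full))
    print("1-in-10 host sample alert:", first_alert(sample_by_host(full, 10)))
    print("projected minute for 4096 sources:",
          projected_minute(full, WORM_PORT, 26, 28, 4096))
```

On the constructed data the unsampled feed raises the alert at minute 26 and the 1-in-10 sampled feed at minute 29; with a one-minute doubling time those three minutes are an eightfold difference in infected hosts, which is the concrete cost behind "unsampled data may reveal more". Nothing in the detector inspects payloads: distinct sources per port per minute is exactly the kind of metadata the earlier slide recommends collecting.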
Fig. 8.9 – Coarse view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)
Fig. 8.10 – Fine view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)
National Collection Program
• Once the idea for a national data collection program is accepted, the following need to be addressed
– Data sources
– Protected transit
– Storage considerations
– Data reduction emphasis