Practical Connection Assignment
Week 6
Read Chapter 8 on Collection
Read Chapter 9 on Correlation
Listen to weekly lectures
Complete the following
Post to discussion week 5
Complete Practical Connection Assignment
Complete Quiz 4 based on Chapter 6 Depth and Chapter 7 Discretion
Copyright © 2012, Elsevier Inc. All rights Reserved
Chapter 9
Correlation
Cyber Attacks
Protecting National Infrastructure, 1st ed.
The University of Adelaide, School of Computer Science
5 August 2019
Chapter 2 — Instructions: Language of the Computer
Chapter 9 – Correlation
Introduction
Correlation is one of the most powerful analytic methods for threat investigation
Introduction (continued)
Data comparison creates a clearer picture of adversary activity:
Profile-based correlation
Signature-based correlation
Domain-based correlation
Time-based correlation
Correlation still relies on human analysis of the data; no software can factor in every relevant element
Fig. 9.1 – Profile-based activity anomaly
Fig. 9.2 – Signature-based activity match
Fig. 9.3 – Domain-based correlation of a botnet attack at two targets
Fig. 9.4 – Time-based correlation of a botnet attack
Fig. 9.5 – Taxonomy of correlation scenarios
Conventional Security Correlation Methods
Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships
The approach relies upon security information and event management (SIEM)
Commercial firewalls are underutilized
Correlation function can be decentralized, but that often complicates the process
Fig. 9.6 – Correlating intrusion detection alarms with firewall policy rules
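The correlation sketched in Fig. 9.6 can be made concrete as a small script: each intrusion detection alarm is checked against the firewall policy to see whether the firewall would have permitted that traffic, so an analyst can prioritize alarms for traffic that actually reached the protected network. This is an added example, not code from the book; the firewall rules and IDS alarms are constructed, and the first-match rule semantics is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed firewall policy (hypothetical, not from the book); first matching rule wins.
FIREWALL_RULES = [
    {"action": "permit", "proto": "tcp", "dst_port": 443,  "src": "0.0.0.0/0"},
    {"action": "permit", "proto": "tcp", "dst_port": 22,   "src": "10.0.0.0/8"},
    {"action": "deny",   "proto": "any", "dst_port": None, "src": "0.0.0.0/0"},
]

# Constructed IDS alarms raised by a sensor placed in front of the firewall.
IDS_ALARMS = [
    {"id": 1, "proto": "tcp", "src": "203.0.113.5",  "dst_port": 22,  "sig": "ssh-brute-force"},
    {"id": 2, "proto": "tcp", "src": "203.0.113.5",  "dst_port": 443, "sig": "tls-anomaly"},
    {"id": 3, "proto": "udp", "src": "198.51.100.7", "dst_port": 161, "sig": "snmp-sweep"},
]

def matching_rule(alarm, rules):
    """Return the first firewall rule that governs the alarm's traffic, or None."""
    src = ip_address(alarm["src"])
    for rule in rules:
        proto_ok = rule["proto"] in ("any", alarm["proto"])
        port_ok = rule["dst_port"] is None or rule["dst_port"] == alarm["dst_port"]
        if proto_ok and port_ok and src in ip_network(rule["src"]):
            return rule
    return None

def correlate_alarms(alarms, rules):
    """Tag each alarm with whether policy would have permitted it and derive a priority.

    An alarm for traffic the firewall already blocks is still worth logging,
    but it is a lower-priority event than one for traffic that was let through.
    """
    out = []
    for alarm in alarms:
        rule = matching_rule(alarm, rules)
        permitted = rule is not None and rule["action"] == "permit"
        out.append({**alarm, "permitted_by_policy": permitted,
                    "priority": "high" if permitted else "low"})
    return out

if __name__ == "__main__":
    for row in correlate_alarms(IDS_ALARMS, FIREWALL_RULES):
        print(row["id"], row["sig"], row["priority"])
```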
Quality and Reliability Issues in Data Correlation
The quality and reliability of data sources are important to consider
Service level agreements guarantee the quality of data
Quality and reliability are not guaranteed with volunteered data
Without consistent, predictable, and guaranteed data delivery, correlations are likely to be incorrect and data is likely to be missing
Fig. 9.7 – Incorrect correlation result due to imperfect collection
Correlating Data to Detect a Worm
Network service providers have the best vantage point for correlating data across multiple organizations, regions, etc.
Network service providers have a view of network activity that allows them to see problems
Fig. 9.8 – Time-based correlation to detect worm
Correlating Data to Detect a Botnet
The context of carrier infrastructure may offer the best chance to perform correlation relative to a botnet
Botnets are often widely distributed geographically
Sharing information on botnet tactics might help others protect themselves
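The worm and botnet slides above, together with Fig. 9.4 and Fig. 9.8, describe two of the correlation types from the introduction: time-based (the same activity appearing at several targets within a short window, as a spreading worm does) and domain-based (one source seen at more than one target, as botnet traffic is). The script below, an added example and not code from the book, applies both to a constructed set of sensor events from a carrier-style vantage point; it also reports which expected feeds were silent in the window, since, as the quality-and-reliability slide notes, a missing feed can make a correlation result wrong. Sensor names, the feed list, window size and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (timestamp, sensor, source address, target site, signature).
EVENTS = [
    ("2019-08-05T10:00:05", "sensor-A", "203.0.113.7",  "site-A", "scan-445"),
    ("2019-08-05T10:00:40", "sensor-B", "203.0.113.7",  "site-B", "scan-445"),
    ("2019-08-05T10:01:10", "sensor-C", "198.51.100.9", "site-C", "scan-445"),
    ("2019-08-05T10:30:00", "sensor-A", "192.0.2.33",   "site-A", "http-probe"),
]
# Hypothetical feeds an SLA says should report; a silent feed means missing data, not necessarily no activity.
EXPECTED_FEEDS = {"sensor-A", "sensor-B", "sensor-C", "sensor-D"}

def parse(event):
    ts, sensor, src, target, sig = event
    return datetime.fromisoformat(ts), sensor, src, target, sig

def time_correlate(events, window=timedelta(minutes=5), min_sites=3):
    """Time-based correlation: flag a signature seen at >= min_sites targets within one window."""
    by_sig = defaultdict(list)
    for ts, sensor, _, target, sig in map(parse, events):
        by_sig[sig].append((ts, target, sensor))
    hits = {}
    for sig, rows in by_sig.items():
        rows.sort()
        for i, (t0, _, _) in enumerate(rows):      # slide the window from each event
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            sites = {r[1] for r in in_window}
            if len(sites) >= min_sites:
                reporting = {r[2] for r in in_window}
                hits[sig] = {"sites": sorted(sites),
                             "silent_feeds": sorted(EXPECTED_FEEDS - reporting)}
                break
    return hits

def domain_correlate(events):
    """Domain-based correlation: sources that appear at two or more different targets."""
    targets = defaultdict(set)
    for _, _, src, target, _ in map(parse, events):
        targets[src].add(target)
    return {src: sorted(t) for src, t in targets.items() if len(t) >= 2}

if __name__ == "__main__":
    print("time-based:", time_correlate(EVENTS))
    print("domain-based:", domain_correlate(EVENTS))
```

The "silent_feeds" entry is the practitioner's cue to treat the result as provisional until the missing feed is confirmed healthy or its data is recovered.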
Large-Scale Correlation Process
For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors:
Data formats
Collection targets
Competition
These can only be overcome with a deliberate correlation process
Fig. 9.10 – Large-scale, multipass correlation process with feedback
National Correlation Process
Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation
National-level programs might be created to correlate collected data at the highest level. This approach requires the following:
Transparent operations
Guaranteed data feeds
Clearly defined value proposition
Focus on situational awareness