Taxonomy for Unsecure Big Data Processing in Security Operations Centers

Natalia Miloslavskaya, Alexander Tolstoy and S. Zapechnikov
National Research Nuclear University MEPhI (Moscow Engineering Physics Institute), "Information Security of Banking Systems" Department

BigR&I 2016, Vienna, 23 August 2016


CONTENT

Introduction
1. Definitions Introduced
2. Security Operations Centers
3. Classification of Vulnerabilities
4. Classifications of IS Threats, Attacks and IS Incidents
Conclusion

Introduction (1/3)

State-of-the-art features generating specific requirements to ensure information security:
• Modern organizations, businesses and individuals are going online, relying heavily on the use of information and associated networks
• They implement e-business on a global scale with online public services
• They need to protect the organization's clients/employees not only inside but also outside ("teleworking"/"telecommuting")
• Local (standalone) computers have almost gone: the network starts/ends at any connected device
• Information is a malefactors' hunting object and its value is an increasingly talked-about issue
• Today an integrated approach to support a company's business is required as never before
• The need to match different requirements (compliance)
• The need to ensure differentiated quality of service (QoS)
• Heterogeneous environment (integration of heterogeneous components into a single system)
• Cloud services' development
• Virtualization tools' application
• Wireless networks' usage
• Growth in new devices' usage (iPad, iPhone ...) and the BYOD (Bring Your Own Device) approach...

The range of new IS threats, especially those related to new IT, network technologies and devices, is constantly growing.


Introduction (2/3)

Environment:
1) the vast quantity and variety of log data and security alarms detected and reported daily by security information and event management (SIEM) systems, intrusion detection and prevention systems (IDPSs), firewalls (FWs), Unified Threat Management (UTM) systems, operating systems (OSs), security appliances (SAPP), anti-viruses (AVs), etc., with false positives;
2) the diversity of tasks performed by the IS department, including management of assets, risks, information protection tools (IPTs), patching, IS incidents and information, encryption, etc.

The problem: to isolate from the white noise of IDPS, FW, OS, SAPP and AV and to prioritize the few messages that do indeed indicate real IS events and incidents, utilizing the organization's existing security measures more effectively.

The key to a more effective automation of IS maintenance (ISM): creating a Security Operations Center (SOC) that brings security intelligence and knowledge management to the forefront. For the informed and competent formulation of IS requirements for secure big data processing (BDP) in SOCs it is vital to precisely and fully describe the internal and external environment of their functioning.


Introduction (3/3)

Main research object: UNSECURE BIG DATA PROCESSING (BDP) (including information transfer and storage). "Unsecure" means that only negative elements influencing secure BDP are considered: vulnerabilities exploited by information security (IS) threats for implementation as particular attacks, which are estimated by an organization as IS incidents.

The right choice of an adequate IS strategy, policies, system, methods, tools and controls depends on the completeness and quality of their classifications. Taxonomy: the scientific classification.

Research basis:
1) the modern IS threat landscape from different analytical and statistical sources;
2) the international standard ISO/IEC 27035:2011 "Information technology -- Security techniques -- Information security incident management".


1 Definitions Introduced (1/3)

Information security (IS): a quality (property) of information to maintain its confidentiality, integrity, availability, authenticity, accountability, non-repudiation and reliability.

IS maintenance (ISM): a complicated process divided into many sub-processes of maintaining the secure (protected) state of information, characterized by its confidentiality, integrity, availability, etc. ISM can be presented as two parallel processes: the protection of information and protection against information (for example, information with harmful content, misinformation or malicious software). In Russia ISM is a broader term than IS management or Information Assurance, as it contains management supplemented by information protection tools/systems. Information protection, implying "protection of information", involves all the activities aimed at maintaining IS, namely preventing diversion of protected information and unauthorized and unintended impacts on the protected information.

Information protection tools/systems (IPTs): tools/systems that implement information protection in a particular environment such as a separate computer, a network or the whole organization's IT infrastructure (ITI).

IS of a system (system's IS): its quality characterized, on the one hand, by its ability to resist the destabilizing effects of external and internal threats and, on the other hand, by the level of threats posed by its operation to the elements of the system and its external environment.


1 Definitions Introduced (2/3)

IS threat (threat of IS violation): a set of conditions and factors that create an actual or potential opportunity for violation of IT assets' IS.

IS threat source/actor/agent: a person, a material object or a physical event realizing an IS threat.

Intruder = Attacker: a person deliberately exploiting vulnerabilities in technical and non-technical security controls in order to steal or compromise information systems and networks, or to compromise availability to legitimate users of information system and network resources [ISO/IEC 27033-1:2009]. He/she implements the threats to IT resources' security, violating the authority given to him/her to access or control them.

Attack: any intruder's action leading to IS threat implementation via vulnerability exploitation. It is the actual violation of IS with the aim to destroy, expose, alter, disable, steal or gain unauthorized access to or make unauthorized use of an IT asset. Any attack on a system, service or network can be classified as an IS event or incident.

IS event: an identified occurrence of a system, service or network state indicating a possible breach of IS, policy or failure of controls, or a previously unknown situation that may be security relevant.

IS incident: a single or a series of unwanted or unexpected IS events that have a significant probability of compromising business operations and threatening IS.

Vulnerabilities in an organization's ITI: the IT assets' properties (including those of IPTs themselves) exploited by an IS threat source for IS threat realization.


1 Definitions Introduced (3/3)

[Figure: Threat Model and Intruder Model]

Threat Model:
• Threat sources (= agents, actors): 1) anthropogenic, 2) technogenic, 3) spontaneous
• IS threats
• Vulnerabilities exploited by the threats
• Attacks' techniques suitable for the threats' realization
• Security objects
• Consequences: types of possible loss, damage extent

Intruder Model: the threat source in case of a human being.


2 Security Operations Centers

SOC: the nucleus of ITI protection, dealing with IS issues for all types of sensitive data and providing continuous prevention, detection, visibility, alerting, investigation and response capabilities against IS threats, remotely exploitable vulnerabilities and real-time IS incidents. It should be a productive, real-time analytical and predictive center whose output gives a logical picture of the IS health of the organization's ITI, to make informed decisions in order to minimize IS risks and to instantly respond to critical IS events as they happen.

SOC's functions: asset tracking and recovery, IS risk management, vulnerability scanning, security information management, sniffing, centralized management of IPTs, patch management, reporting, response, data forensics…

The data are generated from information considered in a particular context and coming not just from separate domain controllers, proxy servers, DNS servers and IPTs, but also describing the current configuration of network devices, the characteristics of network traffic, the functioning of application and network services, the activity and specific actions of individual end-users, as well as containing e-mails, phone records, web-based content, metadata, digitized audio and video, GPS locations, business process data, the enterprise's internal documents and analytical data for many years of its existence. Ever-increasing volumes of all these heterogeneous data should be evaluated from the viewpoint of any attack: to find its source and the vulnerabilities used, consider its type, weigh its consequences, visualize its vector, associate all target systems, prioritize countermeasures and offer mitigation solutions with weighted impact relevance.

The core technologies of a successful SOC: ITI-wide data collection, management and consolidated analysis.


3 Classification of Vulnerabilities (1/2)

[Figure: vulnerability statistics. Source: Symantec Internet Security Threat Report 2016]

0day = zero day: a term denoting vulnerabilities and attacks against which there are no security mechanisms at present.

http://nvd.nist.gov: metabase of vulnerabilities. CVSS (Common Vulnerability Scoring System): a vulnerability risk scoring system (risk is expressed quantitatively).

Source: Symantec Internet Security Threat Report 2015: 81 % of attacks detected were associated with specific vulnerabilities (Vs) in Microsoft ActiveX Control, 10 % were caused by Vs in Microsoft Internet Explorer and 7 % by Vs in Adobe Flash.


3 Classification of Vulnerabilities (2/2)

Classification parameters (only a fragment); for each parameter: its content, then the description or examples.

Origin sources:
• Design (technologies, protocols, services): Telnet with the user's login and password transferred via the Internet as plain text.
• Implementation (programming): mistakes in TCP/IP protocol stack programming, leading to DoS attacks; mistakes in application implementation, leading to buffer overflow, etc.
• Operation: OS, protocol and service misconfiguration, non-persistent passwords, default accounts not removed.
• Decommissioning: information remaining in the memory.

Risk level (criticality, severity):
• High: vulnerabilities allowing an attacker to access a host with superuser's rights and/or to bypass firewalls or another security tool.
• Intermediate: vulnerabilities allowing an attacker to get information which with high probability will allow him to access a host (e.g. after password hash interception) and vulnerabilities leading to high system resource consumption (DoS attacks).
• Low: vulnerabilities allowing to collect sensitive information about a system (e.g. unused services, current time on a computer -> for attacks against crypto algorithms).

SOC layer:
• Infrastructure: vulnerabilities in channel equipment, protocols, etc.
• Platform: vulnerabilities in hardware, platforms, OSs, etc.
• Software: vulnerabilities in client and server software, applications and software that support a business activity (e.g. CRM), DBMS, etc.
• Service Delivery: vulnerabilities in service application software and SOC ITI.
• Operations: vulnerabilities in service management and operational processes carried out by IT operations and support staff.
• Management: vulnerabilities in management and protection tools and services to the Infrastructure, Platform and Software layers.
• Personnel: "holes in users' heads" is a more serious problem than back doors in software!

Probability/likelihood of a threat realization:
• Highly probable or probable: the vulnerability is easy to use; protection is absent or very weak.
• Possible: the vulnerability can be used, but protection exists.
• Unlikely/impossible: the vulnerability is hard to use; good protection exists.

Prerequisites:
• Objective: dependence on design features and specifications of hardware and software used in SOC ITI.
• Subjective: dependence on personnel actions.
• Spontaneous: dependence on environmental features and contingencies.


4 Classification of IS Threats, Attacks and IS Incidents (1/8)

The analysis of numerous publications shows that attacks exhibit a massive increase in volume, velocity and variation, for example:
• Spear-phishing: an e-mail spoofing fraud attempt that targets a specific organization, seeking unauthorized access to confidential data.
• Ransomware: malware for data kidnapping, an exploit in which the attacker encrypts the victim's data and demands payment for the decryption key (also called a cryptovirus, cryptotrojan or cryptoworm). It spreads through e-mail attachments, infected programs and compromised websites.
• Scareware: malware designed to trick victims into purchasing and downloading useless and potentially dangerous software. The messages typically say that a large number of problems, such as infected files, have been found on the computer and the user is prompted to purchase software to fix them.

Source: CERT Australia


4 Classification of IS Threats, Attacks and IS Incidents (2/8)

Top 5 Attacks of 2014:
• Heartbleed: attack on Web servers that used the open source software OpenSSL, which does not merely strip its encryption but forces it to cough up random data from its memory. That could allow the direct theft of passwords, private cryptographic keys and other sensitive user data.
• Shellshock: malware that makes the infected computers part of botnets used for DoS attacks.
• POODLE: hijacking of a user's session, interception of all the data that traveled between their computer and a supposedly encrypted online service.
• Gotofail: Apple users' encrypted Internet traffic can be intercepted by anyone on their local network.
• BadUSB: malware that invisibly infects the USB controller chip itself.

Attacks of 2015:
• Highly targeted and selective APT
• Spear-phishing e-mails
• Scams
• Pharming
• Never-dying Nigerian spam
• Denial-of-service (DoS)
• Cross-Site Scripting (XSS)
• SQL injections
• Watering hole
• Crypto-Ransomware
• Etc.


4 Classification of IS Threats, Attacks and IS Incidents (3/8)

[Figures: attack statistics. Sources: Symantec Internet Security Threat Report 2016; Global State of Information Security® Survey 2016]


4 Classification of IS Threats, Attacks and IS Incidents (4/8)

Source: PwC's 2015 Global State of Information Security® Online Survey: vulnerable mobile devices, modern malware, browsers with their vulnerabilities, phishing, employee use of social networking sites, insider abuse of privileged access, employee use of consumer cloud services, social engineering (non-email) and distributed DoS.

Top 5 Attacks of 2015:
• The health insurance company Anthem: loses 80 million (+18 million) records
• JPMorgan Chase: 86 million records
• The Canadian-based online dating site Ashley Madison: 37 million records
• The Federal Office of Personnel Management: 21.5 million records
• The credit reporting agency Experian/T-Mobile: 15 million records

Ernst & Young Global characterized the rapidly expanding IS threats (including cyber threats) by increased external and internal threats emerging for the following reasons: the disappearing organization's network perimeter; the growing attacking power of criminals; threats multiplying; lack of skills, agility and budget in organizations.


4 Classification of IS Threats, Attacks and IS Incidents (5/8)

2016: the research company Gartner predicts there will be 6.8 billion connected devices in use, a 30 % increase over 2015. Fortinet's security strategist Derek Manky says that every minute they are seeing about half a million attack attempts happening in cyberspace.

2016 will likely bring entirely new worms and viruses able to propagate from device to device (such as smartwatches, smartphones and medical devices) and the rise of attacks against cloud infrastructures, machine-to-machine and even machine-to-people attacks, as well as detection-evading techniques.


4 Classifications of IS Threats, Attacks and IS Incidents (6/8)

Classification parameters (only a fragment); for each parameter: its content, then the description or destructive actions.

IS threat types (violation of ...):
• physical integrity: destruction (distortion).
• logical structure: distortion of the structure.
• content: unauthorised modification.
• confidentiality: unauthorised obtaining.
• property rights: misappropriation of rights.
• availability: disconnection, destruction.
• privacy: personal data theft.
• etc.

IS threat origin nature:
• Accidental: failures, crashes, errors, disasters, adverse impact.
• Malicious: improper actions of people.

IS threat prerequisites:
• Objective (natural): quantitative or qualitative paucity of system elements.
• Subjective (artificial): intelligence agencies of foreign countries, industrial espionage, criminal elements, disgruntled employees.

Threat sources:
• Anthropogenic. Internal: main staff (programmers, administrators, technicians, developers, users); IS department officers (administrators); supporting staff (cleaners, guards); technical staff (life support, maintenance); top management. External: criminal structures; potential criminals and hackers; unscrupulous partners; technical staff of telecommunications service providers; representatives of the supervisory organisations and emergency services. Combined: internal + external.
• Technogenic. Internal: bad-quality general-purpose/applied/auxiliary hand/interactive/intramachine/network/technical/technological hardware/software (including models and algorithms) for registration, transmission, storage, processing and delivery; supporting tools (guard, signalling, phones); other technical tools. External: communications; utilities (water supply, sewerage); transport.
• Environmental: natural disaster; thunderbolt; dust, pollution; unacceptable temperature or humidity; fire; flood; effects of magnetic fields; adverse noise and stray; radiation exposure; bomb attack; act of terrorism; capital facilities accident; accident of engineering systems (electricity, plumbing, heating, air conditioning and sanitation); technological or anthropogenic disaster; force majeure (unforeseen) circumstances.


4 Classifications of IS Threats, Attacks and IS Incidents (7/8)

Classification parameters (only a fragment); for each parameter: its content, then the description or examples of destructive actions.

Influence type:
• Passive: e.g. sniffing.
• Active: DoS attack, spoofing, "Man-in-the-Middle" (MiTM), flooding.

Aim (violation of ...):
• physical integrity: destruction (distortion).
• logical structure: distortion of the structure.
• content: unauthorized modification.
• confidentiality: unauthorized obtaining.
• property rights: misappropriation of rights.
• availability: disconnection, destruction.
• privacy: personal data theft.
• etc.

Start conditions:
• On request from a victim: e.g. MiTM.
• On a particular event occurrence: e.g. replay attack, spoofing.
• Unconditionally: e.g. sniffing, phishing, MiTM, flooding.

Allocation of a victim and an attacker:
• In one network segment: e.g. sniffing, spoofing, flooding.
• In different network segments: e.g. DoS attack, spoofing, MiTM, flooding.

Number of victims and attackers:
• Traditional: one attacker to one/many victims.
• Distributed: many attackers to one/many victims.

Feedback with a victim:
• With a feedback: e.g. spoofing, MiTM.
• Without a feedback: e.g. sniffing, spoofing, MiTM.

ISO/OSI implementation level:
• Physical: e.g. lock picking, hardware modification, wiretapping.
• Data link: e.g. MiTM, MAC modification, sniffing, ARP cache poisoning, de-authentication of wireless clients, DHCP starvation.
• Network: e.g. spoofing, ICMP flooding, Wormhole and Blackhole attacks, route cache poisoning, DHCP attack.
• Transport: e.g. spoofing, Smurf attack, session hijacking, TCP port scan, TCP host sweeps, UDP flooding.
• Session, Presentation & Application: e.g. Telnet DDoS, flooding, sniffing, viruses, MiTM, repudiation, buffer overflow.
• Combined: e.g. DDoS attack, jamming, SYN flooding.

Method: scanning & probing, sniffing, flooding, spoofing, hijacking, MiTM, masquerade, APT, etc.

Tools: information interchange, user's commands, software (including scripts), toolkits/rootkits, viruses, worms, social engineering, etc.

Attack from…: Internet, Intranet, Extranet, Cloud (public/private), Workstation, Mobile device, etc.

Anonymizing proxies usage: yes or no.

Motivation: enrichment, hacktivism, vengeance, self-assertion, sabotage, espionage, vandalism, etc.


4 Classifications of IS Threats, Attacks and IS Incidents (8/8)

Classification parameters (only a fragment) and their content:

Type: Accomplished (with duration), an attempt or suspected. Origin nature: malicious or accidental.
Priority: 0 (highest), 1 (high), 2 (above average), 3 (average), 4 (low) or 5 (minimum).
Malefactors: Employee (user, administrator, manager, developer), Industrial spy, Criminal, etc.
Agents of realization: People, software, hardware, processes, data, etc.
Started from…: Internet, Intranet, Extranet, Cloud (public/private), Workstation, Mobile device, etc.
Incident aims: Financial profit, Violation of availability (including business continuity violation), Violation of integrity (physical, logical structure, files, databases, content…), Violation of confidentiality, privacy, property rights, etc.
Method and tools used: Social engineering, Physical attack, Hardware, Software (including scripts), Information interchange, User's commands, Toolkits/rootkits, Virus, etc.
Actions: Copying, Reading, Modification, Deleting, Scanning & Probing, Sniffing, Flooding, Spoofing, Hijacking, MiTM, Phishing/spear phishing, Pharming, Masquerade, Spamming, etc.
Affected objects: Outside organization, Whole organization, Organization's divisions, Business processes, Technological processes, Security operations center, Computer-aided systems, Network, Devices (wired/wireless), Channels, Physical level, IPTs, Workstations, Databases and Database management systems, Operating systems, Servers, Clients, Media, Files, Information, Accounts, etc.
Affected information assets: Billing information, personal data, financial and analytical information, service information, general and special purpose control information, reference information, operating and telecommunication environment information, etc.
Damage: Software and hardware failures, DoS, Disclosure, Resource theft, Assets damage, IS policies breach, etc.
Damage severity: Minimum, medium, high or critical.
Reasons: Lack of IS knowledge, poor IS policies, IS policies violation, lack of IPTs, etc.
IPTs disruption: None, failure, unavailability of critical information to perform functions, violation of IPT's software/hardware integrity, IPT's settings change, etc.
Detection/response complexity; response urgency: Normal or high.
Status: Registered, assigned to, being processed or closed.
Probability of recurrence: Minimum, medium, high or critical.
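As an added example (not code from the paper or its authors), the following Python script ties the SOC problem stated in the Introduction (isolating real IS events from the white noise of FW, IDPS and AV alerts) to the incident classification above: it parses constructed alert lines, correlates them per host, and emits an incident record that uses the slide's priority and status values. The correlation window, the keyword-to-Actions rules and the priority assignment are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import re
# Enumerations as given on the incident classification slide.
PRIORITY = {0: "highest", 1: "high", 2: "above average", 3: "average", 4: "low", 5: "minimum"}
STATUS = ("registered", "assigned to", "being processed", "closed")  # workflow order assumed
# Keyword rules mapping alert text onto the taxonomy's "Actions" values (assumed rules).
ACTION_RULES = [("port scan", "Scanning & Probing"), ("flood", "Flooding"), ("spoof", "Spoofing")]

# Constructed sample alert lines: "<ISO time> <source> host=<ip> msg=<text>"
SAMPLE_ALERTS = """\
2016-08-23T10:00:01 FW host=10.0.0.5 msg=blocked inbound tcp/23 from 198.51.100.7
2016-08-23T10:00:09 IDPS host=10.0.0.5 msg=signature match: TCP port scan
2016-08-23T10:00:40 AV host=10.0.0.9 msg=heuristic alert, file quarantined
2016-08-23T10:01:15 IDPS host=10.0.0.5 msg=signature match: SYN flood
2016-08-23T10:30:00 FW host=10.0.0.9 msg=blocked inbound tcp/445 from 203.0.113.4
"""
LINE_RE = re.compile(r"^(\S+) (\S+) host=(\S+) msg=(.*)$")

@dataclass
class Alert:
    ts: datetime
    source: str
    host: str
    msg: str

@dataclass
class Incident:
    host: str
    sources: list      # which IPTs reported it (FW, IDPS, AV, ...)
    actions: list      # taxonomy "Actions" values recognised in the alerts
    priority: int      # 0 (highest) .. 5 (minimum), as on the slide
    status: str = "registered"

def parse_alerts(text):
    """Parse alert lines; a malformed line is skipped rather than stopping the pipeline."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, source, host, msg = m.groups()
            alerts.append(Alert(datetime.fromisoformat(ts), source, host, msg))
    return alerts

def classify_actions(msgs):
    """Map free-text alert messages onto the taxonomy's "Actions" values."""
    found = []
    for msg in msgs:
        for needle, action in ACTION_RULES:
            if needle in msg.lower() and action not in found:
                found.append(action)
    return found

def correlate(alerts, window=timedelta(minutes=5)):
    """A host reported by >= 2 distinct sources inside `window` becomes an incident;
    single-source alerts stay IS events (the white noise). This rule is assumed."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a.ts):
        by_host[a.host].append(a)
    incidents = []
    for host, group in by_host.items():
        for i, first in enumerate(group):
            cluster = [a for a in group[i:] if a.ts - first.ts <= window]
            sources = sorted({a.source for a in cluster})
            if len(sources) >= 2:
                actions = classify_actions(a.msg for a in cluster)
                priority = 0 if "Flooding" in actions else 1  # availability first (assumed)
                incidents.append(Incident(host, sources, actions, priority))
                break  # one incident record per host
    return incidents

def advance(incident, new_status):
    """Move an incident forward through the slide's status values only."""
    if STATUS.index(new_status) <= STATUS.index(incident.status):
        raise ValueError(f"cannot move from {incident.status!r} to {new_status!r}")
    incident.status = new_status
    return incident
```

Running `correlate(parse_alerts(SAMPLE_ALERTS))` yields one incident for host 10.0.0.5 (FW and IDPS agree, flooding seen, priority 0), while the two unrelated alerts for 10.0.0.9 remain IS events.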


Conclusion

• The given classifications do not pretend to completeness, as new vulnerabilities, IS threats and attacks are detected almost every day.
• The parameters of the classifications are interrelated in a complex manner. For example, the IS threat sources and the form of their implementation determine the possible plurality of IS threat origin natures, and vice versa.
• The first three classifications are ready for developing IS threat and intruder models. These models are described either in separate documents or in high-level documents (IS strategies, concepts, policies).
• The fourth classification is required for the IS incident management policy and program.
• The proposed taxonomy can be used by any organization while writing internal documentation supporting its ISM system and processes, as a framework for further expansion and refinement.


Natalia Miloslavskaya
[email protected]
