Monday, January 29, 2007

The Art of Digital War - [Part 4] Understanding the Threat and Normalization

Part 1 / Part 2 / Part 3 / Part 4 /

You have seen the abstract data types in the section 3 of this series. The most critical element in this is to understand the context of these atomic events, which brings in the next topic “Context based DNA – Data Normalization and Aggregation”. This modal moves away from the concept of static normalization and aggregation rules. Without data normalization in the security domain, the end user has to deal with 50,000 to 80,000 thousand different types of Alerts (this is not the number of alerts an analyst receives every second). Normalization process (across the vendors) reduces this to a manageable number (100 to 300 Normalized Alert).


These rules will be formed dynamically based on the network context, placement of the security devices, placement of important assets and the traffic flow.
Normalizing the data across the vendors is the key to build vendor neutral correlation rules. Normalization helps to understand the digital attack patterns before diving deep into actual signature produced by the devices. Without Normalization linking events across the vendors will not be possible and writing rules per vendor will leads into rule management nightmares.


Current Normalization Pyramid


Following data shows how the current pyramid works with vendor alarms.
Breaking the Pyramid

The pyramid structure was definitely a good start. However, over a period of time the digital attacks were so sophisticated and complex, the pyramid structure become very rigid. However, this doesn’t mean that normalization is not right. Normalization is the key. The question over here is can we avoid this rigid pyramid like structure and can we have something very flexible and dynamic.

Before we move onto the breaking the pyramid let us understand some of the sophisticated digital attacks and what makes them sophisticated and complex.

Analyzing the Attack by a Virus/Worms
In this section let us look at one of the sophisticated Virus “MyTob” and see its behaviors.


With the above data if you compare the behaviors of virus / worms you a see the new entrants are more sophisticated compare to the viruses of early 2000. For example, MyTob has a built in SMPT engine to send out Emails. It has a backdoor and virus author can send commands via IRC channels control the system remotely. It propagates using two completely different mechanisms (an application exploit on port 445 and using SMTP engine on port 25). Once infected its self defense mechanisms are more robust compare to the earlier ones. So, the sophistication of these worms clearly shows the need for breaking the pyramid model and come up with a more flexible and adaptive model for the data normalization.

Data Aggregation


Current set of products does aggregation based on a static aggregation rules based vendor alarms or normalized alarms. This needs to be changed and it should be based on network topology and the placement of the device. Most common fields for aggregation is based on device, device alarm, severity, source, destination, and destination port.

Take the example of a firewall placed near the border router at the perimeter. This device logs lot of Access Denied device Alarm (which is based on the firewall rule) for the inbound traffic (traffic from internet to the enterprise). Over here based on the above rule which aggregates data on device, device alarm, severity, source, destination and destination port.

However, as the firewall has already blocked the inbound connection (at the perimeter) what’s more important is to aggregate the data based on device, device alarm, and source and destination port. This will give a very good aggregation on firewall data as well as a good view on the attacker his modus of operandi.

At the same time, if the firewall allows the (inbound) connection then the data needs to be aggregated based on device, device alarm, source, source port, destination and destination port.

Following tables shows the event aggregation based on different parameters which is specific to the context of the security device and the network traffic. The table shows different rules for the Firewall (placed at the perimeter) Device Alarm Network Access Denied and Network Access Allowed.


Conclusion

The objective of this article is to show how the rigid pyramid fails handling sophisticated attacks by hackers as well as automated attacks by virus / worms. Next section follows up with an adaptive Normalization technique along with context sensitive aggregation rules.