Saturday, June 06, 2009

Incident Detection Paradigms

This is the second in a series of "mindset" posts where I'd like to outline how I've been thinking of various aspects of incident detection and response. My primary focus for these discussions will be intrusions.

I'd like to discuss incident detection paradigms. These are ways that security people tend to think when they are trying to identify intrusions. I'm going to list the three attitudes I've encountered.

  1. Detection is futile. This school of thought says that some intruders are so crafty that it is not possible to detect them. I consider this paradigm short-sighted and defeatist. If you read the intruder's dilemma you'll know that it is generally not possible for intruders to hide themselves perfectly, continuously, perpetually. True, as the intruder's persistence time decreases, and as the amount of data exfiltrated decreases, it becomes more difficult to detect the intruder. However, both conditions are good for the defense. The question for the intruder is how persistent and successful he can be without alerting the defender to his presence.

  2. Sufficient knowledge. This school of thought says that it is possible for a defender to know so much about an intruder's actions that one can apply that understanding to automated systems to detect the intruder. This is essentially the opposite of the futility school. Unfortunately, this paradigm is unrealistic too. As I mentioned in Security Event Correlation: Looking Back, Part 3, the natural question to ask if one believes the sufficient knowledge paradigm is this: if you can detect it, why can't you prevent it?

    As I explained in Why is the Snort IDS still alive and thriving?, that question supposedly made "IDS dead" at the expense of IPS. Users and vendors who believe the sufficient knowledge school expect security people to be satisfied when they receive an alert that something bad happened, but the analyst is not given sufficient evidence to validate that claim.

  3. Indicators plus retrospective security analysis. In good debating style I save the best approach for last. I wish I had a better name but this phrase captures the essence of this paradigm. Here the analyst recognizes that any alert or other input one collects and analyzes is simply an indicator. Indicators may have various levels of confidence associated with them, but the importance of an indicator is that it should signal the start of the analysis process. Validating the indicator to produce a warning that can be escalated to perform incident response is accomplished by analyzing sufficient evidence. This evidence can be network traffic or data about network traffic, system logs, host information, and so on.

    As I discussed in Black Hat Briefings Justify Retrospective Security Analysis, once an analyst has learned of new indicators to detect advanced intruders, he can apply them to stored evidence. Retrospective security analyst finds the crafty intruders missed by traditional approaches, but it requires sufficient digital situational awareness to know how to proceed.

I'll discuss different digital situational awareness paradigms in a later post.

Richard Bejtlich is teaching new classes in Las Vegas in 2009. Regular Las Vegas registration ends 1 July.

No comments: