In this scenario, hackers launch cyber attacks that affect several parts of the nation’s financial infrastructure over the course of several weeks. Specifically, sensitive credit card processing facil

Copyright © 2012, Elsevier Inc. All Rights Reserved
Chapter 8 – Collection
Cyber Attacks: Protecting National Infrastructure, 1st ed.

Introduction
• Diligent and ongoing observation of computing and networking behavior can highlight malicious activity
  – The processing and analysis required for this must be done within a program of data collection
• A national collection process that combines local, regional, and aggregated data does not exist in an organized manner

Fig. 8.1 – Local, regional, and national data collection with aggregation

Introduction
• At local and national levels, data collection decisions for national infrastructure should be based on the following security goals
  – Preventing an attack
  – Mitigating an attack
  – Analyzing an attack
• Data collection must be justified (who is collecting and why)
• The quality of data is more important than the quantity

Fig. 8.2 – Justification-based decision analysis template for data collection

Collecting Network Data
• Metadata is perhaps the most useful type of data for collection in national infrastructure
  – Metadata is information about data, not what the data is about
• Data collection systems need to keep pace with the growth of carrier backbones
• Sampling data takes less time, but unsampled data may reveal more

Fig. 8.3 – Generic data collection schematic

Fig. 8.4 – Collection detects evidence of vulnerability in advance of notification

Collecting System Data
• National initiatives have not traditionally collected data from mainframes, servers, and PCs
• The ultimate goal should be to collect data from all relevant computers, even if that goal is beyond current capacity
• System monitoring may reveal troubling patterns
• Two techniques are useful for embedding system management data
  – An inventory process is needed to identify critical systems
  – A process for instrumenting or reusing data collection facilities must be identified

Fig. 8.5 – Collecting data from mainframes, servers, and PCs

Security Information and Event Management
• Security information and event management (SIEM) is the process of aggregating system data from multiple sources for the purpose of protection
• Each SIEM system (in a national system of data collection) would collect, filter, and process data
• Objections to this approach include both the cost of setting up the architecture and the fact that embedded SIEM functionality might introduce problems locally

Fig. 8.6 – Generic SIEM architecture

Fig. 8.7 – Generic national SIEM architecture

Large-Scale Trending
• Identifying trends is the most fundamental processing technique for data collected across the infrastructure
• In the simplest terms
  – Some quantities go up (growth)
  – Some quantities go down (reduction)
  – Some quantities stay the same (leveling)
  – Some quantities do none of the above (unpredictability)

Fig. 8.8 – Growth trend in botnet behavior over a 9-month period (2006–2007)

Large-Scale Trending
• Some basic practical considerations must be made by security analysts before a trend can be trusted
  – Underlying collection
  – Volunteered data
  – Relevant coverage

Tracking a Worm
• Collecting network metadata allows security analysts to track a worm's progress and predict its course
• Consensus holds that worms work too fast for data collection to be an effective defense
  – There is actually some evidence that a closer look at the data might provide early warning of worm threats
• After collecting and analyzing, the next step is acting on the data in a timely manner

Fig. 8.9 – Coarse view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)

Fig. 8.10 – Fine view of UDP traffic spike from SQL/Slammer worm (Figure courtesy of Dave Gross and Brian Rexroad)

National Collection Program
• Once the idea for a national data collection program is accepted, the following need to be addressed
  – Data sources
  – Protected transit
  – Storage considerations
  – Data reduction emphasis
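The "Security Information and Event Management" slide describes a SIEM as collecting, filtering, and processing data from multiple sources. The following added example (not from the book or its figures) shows those three steps in miniature: three constructed log feeds in simplified, assumed formats (a syslog-style auth log, a firewall log, and a Windows-style logon record) are normalized into one event schema, noise is filtered out, and the remaining events are correlated by source address across hosts. The point a single host log cannot show is the cross-source view: the same address failing logins on one host, being denied at the edge, and failing again on a second host.

```python
"""Toy SIEM pipeline (added example): collect -> filter -> process."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample records. Field layouts are assumptions for this example,
# not any vendor's real format; addresses are documentation ranges.
AUTH_LOG = [
    "Mar  3 10:01:02 db01 sshd[812]: Failed password for root from 203.0.113.9 port 4122 ssh2",
    "Mar  3 10:01:05 db01 sshd[812]: Failed password for root from 203.0.113.9 port 4123 ssh2",
    "Mar  3 10:01:09 db01 sshd[812]: Accepted publickey for deploy from 198.51.100.7 port 5110 ssh2",
    "Mar  3 10:01:11 db01 CRON[900]: (root) CMD (run-parts /etc/cron.hourly)",
]
FW_LOG = [
    "2012-03-03T10:01:03Z fw-edge DENY TCP 203.0.113.9:4200 -> 10.0.0.21:22",
    "2012-03-03T10:01:04Z fw-edge ALLOW TCP 198.51.100.7:5110 -> 10.0.0.21:22",
    "2012-03-03T10:01:06Z fw-edge DENY TCP 203.0.113.9:4201 -> 10.0.0.22:22",
]
WIN_LOG = [
    "2012-03-03 10:01:07 app02 EventID=4625 LogonType=3 TargetUser=admin SourceIP=203.0.113.9",
    "2012-03-03 10:01:08 app02 EventID=4624 LogonType=3 TargetUser=svc SourceIP=198.51.100.7",
]


@dataclass(frozen=True)
class Event:
    """Common schema every source is normalized into."""
    source: str            # which collector produced the record
    host: str              # system the record is about
    action: str            # auth_fail | auth_ok | deny | allow | other
    src_ip: Optional[str]  # remote address, if the record carries one


def parse_auth(line: str) -> Event:
    m = re.match(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(\S+?)\[\d+\]:\s+(.*)$", line)
    if not m:
        return Event("auth", "?", "other", None)
    host, _prog, msg = m.groups()
    ip = re.search(r"from (\d+\.\d+\.\d+\.\d+)", msg)
    src = ip.group(1) if ip else None
    if msg.startswith("Failed password"):
        return Event("auth", host, "auth_fail", src)
    if msg.startswith("Accepted"):
        return Event("auth", host, "auth_ok", src)
    return Event("auth", host, "other", src)


def parse_fw(line: str) -> Event:
    # assumed layout: <ts> <host> <ACTION> <proto> <src:port> -> <dst:port>
    parts = line.split()
    return Event("firewall", parts[1], parts[2].lower(), parts[4].rsplit(":", 1)[0])


def parse_win(line: str) -> Event:
    # assumed layout: <date> <time> <host> key=value ...
    parts = line.split()
    kv = dict(p.split("=", 1) for p in parts[3:])
    action = {"4625": "auth_fail", "4624": "auth_ok"}.get(kv.get("EventID"), "other")
    return Event("windows", parts[2], action, kv.get("SourceIP"))


def collect() -> List[Event]:
    """Collect step: pull every source into the common schema."""
    events = [parse_auth(l) for l in AUTH_LOG]
    events += [parse_fw(l) for l in FW_LOG]
    events += [parse_win(l) for l in WIN_LOG]
    return events


def filter_relevant(events: List[Event]) -> List[Event]:
    """Filter step: drop records that carry no access decision (cron noise etc.)."""
    return [e for e in events if e.action != "other"]


def correlate(events: List[Event], threshold: int = 3) -> List[Tuple[str, int, List[str]]]:
    """Process step: count failures and denies per source address across all hosts."""
    counts = defaultdict(Counter)
    hosts = defaultdict(set)
    for e in events:
        if e.src_ip is None:
            continue
        counts[e.src_ip][e.action] += 1
        hosts[e.src_ip].add(e.host)
    alerts = []
    for ip in sorted(counts):
        hostile = counts[ip]["auth_fail"] + counts[ip]["deny"]
        if hostile >= threshold:
            alerts.append((ip, hostile, sorted(hosts[ip])))
    return alerts


if __name__ == "__main__":
    for ip, n, seen_on in correlate(filter_relevant(collect())):
        print(f"{ip}: {n} hostile events across {seen_on}")
```

Only the aggregated view raises an alert here: each host on its own sees at most two failures from the same address, below the threshold, which is the argument for collecting beyond a single system.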
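The two "Large-Scale Trending" slides name four trend shapes (growth, reduction, leveling, unpredictability) and then list conditions under which a trend should not yet be trusted. The added example below (my own code, not the book's) implements one way to assign those labels to a series of periodic counts using a least-squares line, with the residual noise deciding "unpredictability" and the fitted change over the window deciding the other three; a coverage parameter models the "relevant coverage" consideration by refusing to label a series when too few collectors reported. The series, thresholds and the coverage rule are all constructed assumptions.

```python
"""Trend classification for collected counts (added example)."""
from dataclasses import dataclass
from math import sqrt
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Trend:
    label: str         # growth | reduction | leveling | unpredictability | untrusted
    rel_change: float  # fitted change over the window, relative to the mean
    rel_noise: float   # RMS residual of the fit, relative to the mean


def linear_fit(y: List[float]) -> Tuple[float, float]:
    """Least-squares y = a + b*t with t = 0..n-1."""
    n = len(y)
    tm = (n - 1) / 2
    ym = sum(y) / n
    sxx = sum((t - tm) ** 2 for t in range(n))
    sxy = sum((t - tm) * (v - ym) for t, v in enumerate(y))
    b = sxy / sxx
    return ym - b * tm, b


def classify_trend(y: List[float], coverage: float = 1.0, min_coverage: float = 0.8,
                   noise_max: float = 0.25, tol: float = 0.10) -> Trend:
    """Label a series of counts. `coverage` is the fraction of expected
    collectors that actually reported (assumed trust criterion)."""
    if len(y) < 3:
        raise ValueError("need at least three periods")
    if coverage < min_coverage:
        return Trend("untrusted", 0.0, 0.0)   # not enough underlying collection
    mean = sum(y) / len(y)
    if mean <= 0:
        raise ValueError("counts must be positive")
    a, b = linear_fit(y)
    resid = [v - (a + b * t) for t, v in enumerate(y)]
    rel_noise = sqrt(sum(r * r for r in resid) / len(y)) / mean
    rel_change = b * (len(y) - 1) / mean
    if rel_noise > noise_max:
        label = "unpredictability"   # no line explains the data
    elif rel_change > tol:
        label = "growth"
    elif rel_change < -tol:
        label = "reduction"
    else:
        label = "leveling"
    return Trend(label, rel_change, rel_noise)


# Constructed nine-month series, e.g. infected hosts observed per month.
SAMPLES: Dict[str, List[float]] = {
    "botnet_hosts": [120, 140, 165, 190, 230, 260, 300, 345, 400],
    "legacy_worm":  [400, 345, 300, 260, 230, 190, 165, 140, 120],
    "spam_relays":  [200, 203, 198, 201, 199, 202, 200, 198, 201],
    "scan_bursts":  [100, 400, 90, 350, 120, 380, 80, 410, 95],
}


def classify_samples() -> Dict[str, str]:
    return {name: classify_trend(series).label for name, series in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name}: {label}")
```

The noise test runs before the slope test on purpose: a strongly oscillating series can have a small fitted slope, and without the residual check it would be mislabelled as leveling.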
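The "Tracking a Worm" slide and Figs. 8.9 and 8.10 contrast a coarse and a fine view of the same UDP traffic spike, and note that a closer look at collected metadata may give early warning. The added example below (my own, not the book's figures or data) makes that concrete: it builds a constructed set of flow records (timestamp, protocol, destination port only, which is metadata rather than content), buckets the UDP flows to the watched port at two time resolutions, derives a threshold from the quiet baseline, and reports the earliest moment each resolution could have raised an alert. The traffic shape, the baseline window and the thresholds are assumptions; the watched port defaults to 1434, which is the UDP port Slammer targeted.

```python
"""Coarse vs fine spike detection on flow metadata (added example)."""
from collections import Counter
from math import sqrt
from typing import Dict, List, Optional, Tuple

WATCH_PORT = 1434  # UDP port used by SQL/Slammer; any port can be passed instead

Flow = Tuple[float, str, int]  # (timestamp seconds, protocol, destination port)


def build_sample_flows() -> List[Flow]:
    """Constructed traffic: flat baseline, then a doubling outbreak from t=120 s."""
    flows: List[Flow] = []
    for start in range(0, 120, 10):            # 5 UDP flows per 10 s, quiet period
        for i in range(5):
            flows.append((start + 2.0 * i, "udp", WATCH_PORT))
    n = 10
    for start in range(120, 180, 10):          # outbreak: count doubles every 10 s
        step = 10.0 / n
        for i in range(n):
            flows.append((start + i * step, "udp", WATCH_PORT))
        n *= 2
    for t in range(0, 180, 3):                 # unrelated TCP background to be ignored
        flows.append((float(t), "tcp", 443))
    return flows


def bucket_counts(flows: List[Flow], width: int, port: int) -> Dict[int, int]:
    """Count UDP flows to `port` per time bucket of `width` seconds."""
    counts: Counter = Counter()
    for ts, proto, dport in flows:
        if proto == "udp" and dport == port:
            counts[int(ts // width) * width] += 1
    return dict(counts)


def first_alert(flows: List[Flow], width: int, baseline_seconds: int = 120,
                port: int = WATCH_PORT, sigma: float = 3.0, ratio: float = 4.0) -> Optional[int]:
    """Return the earliest time (s) an alert could fire at this bucket width.

    The threshold is the larger of mean + sigma*std over the baseline buckets and
    ratio*mean, so a perfectly flat baseline (std = 0) still needs a real jump.
    A bucket can only be judged once it closes, so the alert time is start + width."""
    counts = bucket_counts(flows, width, port)
    starts = sorted(counts)
    base = [counts[s] for s in starts if s < baseline_seconds]
    if not base:
        return None                             # nothing collected for this port
    mean = sum(base) / len(base)
    std = sqrt(sum((v - mean) ** 2 for v in base) / len(base))
    threshold = max(mean + sigma * std, ratio * mean)
    for s in starts:
        if s >= baseline_seconds and counts[s] >= threshold:
            return s + width
    return None


if __name__ == "__main__":
    flows = build_sample_flows()
    print("fine (10 s buckets):  alert at", first_alert(flows, 10), "s")
    print("coarse (60 s buckets): alert at", first_alert(flows, 60), "s")
```

On this constructed traffic the 10-second view can alert at 140 s while the 60-second view cannot alert before 180 s, because the coarse bucket that contains the spike has not closed yet. That 40-second gap is the whole argument of the slide: the same collected metadata yields earlier warning when it is kept at finer resolution, which is also why the "Collecting Network Data" slide warns that sampled data may reveal less than unsampled data.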