Proactive detection of network security incidents

From Botnets.fr


Date: 2011-12-07
Editor/Conference: ENISA
Link: http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-report/at_download/fullReport (pdf; an archive copy is also linked)
Author: Katarzyna Gorzelak, Tomasz Grudziecki, Paweł Jacewicz, Przemysław Jaroszewski, Łukasz Juszczyk, Piotr Kijewski

Abstract

This document is the final report of the ‘Proactive Detection of Network Security Incidents’ study.

The goal of the study was to investigate ways in which CERTs – national and governmental ones in particular – proactively detect incidents concerning their constituencies, identify good practice and recommended measures for new and already established CERTs, analyse problems they face and offer recommendations to relevant stakeholders on what can be done to further this process. It is important to note that the results of the study are largely community driven. That is, they are based not just on research and the experience of the experts who conducted the study, but to a large extent on the results of a survey carried out amongst 105 different CERTs (which resulted in 45 responses overall) and external expert group input. The outcome is thus a work by the community for the CERT community.

Proactive detection of incidents is the process of discovery of malicious activity in a CERT's constituency through internal monitoring tools or external services that publish information about detected incidents, before the affected constituents become aware of the problem. It can be viewed as a form of early warning service from the constituents' perspective. Effective proactive detection of network security incidents is one of the cornerstones of an efficient CERT service portfolio capability. It can greatly enhance a CERT's operations, improve its situational awareness and enable it to handle incidents more efficiently, thus strengthening the CERT's incident handling capability, which is one of the core services of national / governmental CERTs.

The report covers 30 external services identified that can be used by CERTs to obtain information about their constituency, often in an automated manner. Some are public and some have restricted access. Most of them are free. In many cases, national and governmental CERTs can gain access to data covering an entire country. Additionally, 12 different categories of internal tools were identified (with specific tools as examples) that can be used by a CERT to detect incidents. Both external services and tools were rated according to several criteria defined during the study, and priorities for their implementation suggested.

The study has identified that CERTs are currently not fully utilising all possible external sources at their disposal – despite their wide availability and relative ease of use, and despite the fact that many CERTs declare their readiness to adopt new sources of information. Similarly, a large number of CERTs do not collect incident data about other constituencies. Even those that do, often do not share this data with other CERTs. This is an area of concern as exchange of such information is key to the effective combating of malware and malicious activities and is extremely important in a cross-border environment. These and other shortcomings (16 overall) in the process of detection of incidents are examined in more depth, both on a technical and legal/organisational level. The most important technical gaps identified include problems with data quality (such as the existence of false positives in reports, poor timeliness of delivery, lack of contextual information, no validity indicators, unclear data aging policies), and lack of automation and correlation, partly due to data quality issues, but also due to the lack of standard formats, tools or simply resources and skills. The most important legal problem involves privacy regulations and personal data protection laws that often hinder the exchange of information – an obstacle faced by CERTs but unfortunately not by miscreants responsible for network attacks.

For each identified shortcoming, one or more recommendations are formulated as part of the study. They are aimed at a) data providers, b) data consumers and c) organisations at the EU or national level. For data providers key recommendations focus on suggestions on how to better reach out to CERTs, better data format and distribution approaches as well as data quality improvement and enrichment. For data consumers a guide on how to acquire access to datasets is given, suggestions on better integration of external feeds with internal monitoring systems put forward, additional activities that can be performed by a CERT to verify quality of data feeds enumerated, and specific deployments of new technologies recommended. Finally, at the EU or national level, activities are pointed out that are aimed at achieving a balance between privacy protection and security provision needs, the encouragement of the adoption of common formats and underused technologies and the integration of statistical incident data on a wider scale. Research is also suggested into the area of data leakage reporting. The summary of recommendations made per stakeholder group is provided in Section 8 (Summary of recommendations). Detailed shortcomings identified, together with extended recommendations to mitigate them, are provided in Section 7 (Identification of shortcomings in the proactive detection of incidents).

It is hoped that the results published here will encourage national/government CERT managers of both new and established CERTs to obtain access to many identified external sources of incident information as well as to consider additional internal tools to collect such information that they can deploy at their organisation. Enhancing their own network incident detection infrastructure enables them not only to get better at proactively detecting incidents in their own constituency but also to detect incidents that concern others. This fosters cooperation and data sharing between CERTs, which helps to resolve the incidents and improve the security of the Internet.
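The processing loop the abstract describes for external sources (take a feed of reported hosts, keep only what falls inside the CERT's own constituency, discard entries older than the data-aging policy, and merge duplicate reports of the same host while recording how many independent sources corroborate it) can be shown compactly. The Python below is an added example, not code from the report or from ENISA; the constituency netblocks, the CSV row layout, the feed rows, the evaluation time and the seven-day aging window are all constructed for the example and do not correspond to any of the 30 services the study catalogues.

```python
"""Constituency matching, aging and de-duplication for an external incident feed.

Added example; the feed format, netblocks and policy values are constructed.
"""
from __future__ import annotations

import csv
import io
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed constituency for the example (documentation ranges, not a real CERT's space).
CONSTITUENCY = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed feed rows in a simple CSV shape; real services each use their own format.
SAMPLE_FEED = """\
timestamp,ip,category,source
2011-12-06T10:00:00Z,192.0.2.10,botnet_drone,feedA
2011-12-06T11:30:00Z,192.0.2.10,botnet_drone,feedB
2011-12-06T12:00:00Z,203.0.113.5,botnet_drone,feedA
2011-11-01T00:00:00Z,198.51.100.7,malware_url,feedA
2011-12-07T08:00:00Z,198.51.100.7,malware_url,feedC
2011-12-07T09:00:00Z,not-an-ip,spam,feedA
"""

# Evaluation time and aging policy assumed for the example.
NOW = datetime(2011, 12, 7, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)


@dataclass(frozen=True)
class Event:
    seen: datetime
    ip: ipaddress.IPv4Address | ipaddress.IPv6Address
    category: str
    source: str


def parse_feed(text: str) -> tuple[list[Event], list[dict]]:
    """Validate every row; malformed rows are returned separately rather than silently dropped."""
    events: list[Event] = []
    rejected: list[dict] = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            seen = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
            seen = seen.replace(tzinfo=timezone.utc)
            ip = ipaddress.ip_address(row["ip"])
            events.append(Event(seen, ip, row["category"], row["source"]))
        except (KeyError, ValueError):
            rejected.append(dict(row))
    return events, rejected


def in_constituency(ip) -> bool:
    """True if the address lies in one of the CERT's own netblocks."""
    return any(ip in net for net in CONSTITUENCY)


def correlate(events, now=NOW, max_age=MAX_AGE) -> dict[tuple[str, str], dict]:
    """Keep events inside the constituency and younger than max_age; merge duplicates.

    One (ip, category) pair becomes one incident. The set of independent sources that
    reported it is kept as a crude validity indicator for triage: a host seen by two
    feeds is a better lead than a host seen once.
    """
    incidents: dict[tuple[str, str], dict] = {}
    for ev in events:
        if not in_constituency(ev.ip) or now - ev.seen > max_age:
            continue
        key = (str(ev.ip), ev.category)
        inc = incidents.setdefault(
            key, {"first_seen": ev.seen, "last_seen": ev.seen, "sources": set()}
        )
        inc["first_seen"] = min(inc["first_seen"], ev.seen)
        inc["last_seen"] = max(inc["last_seen"], ev.seen)
        inc["sources"].add(ev.source)
    return incidents


def run_example():
    """Run the pipeline over the constructed feed; returns (incidents, rejected rows)."""
    events, rejected = parse_feed(SAMPLE_FEED)
    return correlate(events), rejected


if __name__ == "__main__":
    incidents, rejected = run_example()
    for (ip, category), inc in sorted(incidents.items()):
        print(f"{ip:16} {category:13} sources={sorted(inc['sources'])} "
              f"first={inc['first_seen']:%Y-%m-%d} last={inc['last_seen']:%Y-%m-%d}")
    print(f"{len(rejected)} row(s) rejected as malformed")
```

Of the six constructed rows, one is outside the constituency, one is older than the aging window and one is malformed; the remaining three collapse into two incidents, one of which is corroborated by two feeds. Returning the rejected rows instead of dropping them is what lets a CERT measure the data-quality problems the study lists (false positives, missing context, bad timestamps) per source rather than discovering them later in an analyst's queue.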

Bibtex

 @misc{2011BFR1001,
   editor = {Enisa},
   author = {Katarzyna Gorzelak and Tomasz Grudziecki and Paweł Jacewicz and Przemysław Jaroszewski and Łukasz Juszczyk and Piotr Kijewski},
   title = {Proactive detection of network security incidents},
   day = {07},
   month = Dec,
   year = {2011},
   howpublished = {\url{http://www.enisa.europa.eu/activities/cert/support/proactive-detection/proactive-detection-report/at_download/fullReport}},
 }