1Copyright__2012_Elsevier_IncAll_Rights_ReservedChapter

Chapter 9

Correlation

Cyber Attacks Protecting National Infrastructure, 1st ed.

• Correlation is one of the most powerful analytic methods for threat investigation

C h a p te

r 9 –

C o rre

la tio

Introduction

Fig. 9.1 – Profile-based activity anomaly

C h a p te

r 9 –

C o rre

la tio

• Comparing data determines what is normal and what is an anomaly

C h a p te

r 9 –

C o rre

la tio

Introduction

C h a p te

r 9 –

C o rre

la tio

Fig. 9.2 – Signature-based activity match

• Data comparison creates a clearer picture of adversary activity – Profile-based correlation

– Signature-based correlation

– Domain-based correlation

– Time-based correlation

• We rely on human analysis of data; no software can factor in relevant elements

C h a p te

r 9 –

C o rre

la tio

Introduction

C h a p te

r 9 –

C o rre

la tio

Fig. 9.3 – Domain-based correlation of a botnet attack at two targets

C h a p te

r 9 –

C o rre

la tio

Fig. 9.4 – Time-based correlation of a botnet attack

C h a p te

r 9 –

C o rre

la tio

Fig. 9.5 – Taxonomy of correlation scenarios

Conventional Security Correlation Methods

• Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships – The approach relies upon security information and event

management (SIEM)

• Commercial firewalls are underutilized

• Correlation function can be decentralized, but that often complicates the process

C h a p te

r 9 –

C o rre

la tio

C h a p te

r 9 –

C o rre

la tio

Fig. 9.6 – Correlating intrusion detection alarms with firewall policy

rules

Quality and Reliability Issues in Data Correlation

• Quality and reliability of data sources important to consider

• Service level agreements – Service level agreements guarantee quality of data

– Quality and reliability not guaranteed with volunteered data

• Without consistent, predictable, and guaranteed data delivery, correlations likely to be incorrect and data likely missing

C h a p te

r 9 –

C o rre

la tio

C h a p te

r 9 –

C o rre

la tio

Fig. 9.7 – Incorrect correlation result due to imperfect collection

• Network service providers have best vantage point for correlating data across multiple organizations, regions, etc.

• Network service providers have view of network activity that allows them to see problems

C h a p te

r 9 –

C o rre

la tio

Correlating Data to Detect a Worm

C h a p te

r 9 –

C o rre

la tio

Fig. 9.8 – Time-based correlation to detect worm

• The context of carrier infrastructure may offer best chance to perform correlation relative to a botnet

• Botnets are often widely distributed, geographically

• Sharing information on botnet tactics might help others protect themselves

C h a p te

r 9 –

C o rre

la tio

Correlating Data to Detect a Botnet

C h a p te

r 9 –

C o rre

la tio

Fig. 9.9 – Correlative depiction of a typical botnet

• For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors – Data formats

– Collection targets

– Competition

• These can only be overcome with a deliberate correlation process

C h a p te

r 9 –

C o rre

la tio

Large-Scale Correlation Process

C h a p te

r 9 –

C o rre

la tio

Fig. 9.10 – Large-scale, multipass correlation process with feedback

• Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation

• National-level programs might be created to correlate collected data at the highest level. This approach requires the following – Transparent operations

– Guaranteed data feeds

– Clearly defined value proposition

– Focus on situational awareness

C h a p te

r 9 –

C o rre

la tio

National Correlation Process

blog6

Get help from top-rated tutors in any subject.