Chapter 9 – Correlation

Cyber Attacks: Protecting National Infrastructure, 1st ed.

Copyright © 2012, Elsevier Inc. All Rights Reserved

Introduction

• Correlation is one of the most powerful analytic methods for threat investigation

Fig. 9.1 – Profile-based activity anomaly

Introduction

• Comparing data determines what is normal and what is an anomaly

Fig. 9.2 – Signature-based activity match

Introduction

• Data comparison creates a clearer picture of adversary activity
  – Profile-based correlation
  – Signature-based correlation
  – Domain-based correlation
  – Time-based correlation
• We rely on human analysis of data; no software can factor in all the relevant elements

Fig. 9.3 – Domain-based correlation of a botnet attack at two targets

Fig. 9.4 – Time-based correlation of a botnet attack

Fig. 9.5 – Taxonomy of correlation scenarios

Conventional Security Correlation Methods

• Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships
  – The approach relies upon security information and event management (SIEM)
• Commercial firewalls are underutilized
• Correlation function can be decentralized, but that often complicates the process

Fig. 9.6 – Correlating intrusion detection alarms with firewall policy rules

Quality and Reliability Issues in Data Correlation

• Quality and reliability of data sources are important to consider
• Service level agreements
  – Service level agreements guarantee quality of data
  – Quality and reliability are not guaranteed with volunteered data
• Without consistent, predictable, and guaranteed data delivery, correlations are likely to be incorrect and data is likely to be missing

Fig. 9.7 – Incorrect correlation result due to imperfect collection

Correlating Data to Detect a Worm

• Network service providers have the best vantage point for correlating data across multiple organizations, regions, etc.
• Network service providers have a view of network activity that allows them to see problems

Fig. 9.8 – Time-based correlation to detect worm

Correlating Data to Detect a Botnet

• The context of carrier infrastructure may offer the best chance to perform correlation relative to a botnet
• Botnets are often widely distributed geographically
• Sharing information on botnet tactics might help others protect themselves

Fig. 9.9 – Correlative depiction of a typical botnet

Large-Scale Correlation Process

• For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors
  – Data formats
  – Collection targets
  – Competition
• These can only be overcome with a deliberate correlation process

Fig. 9.10 – Large-scale, multipass correlation process with feedback

National Correlation Process

• Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation
• National-level programs might be created to correlate collected data at the highest level. This approach requires the following:
  – Transparent operations
  – Guaranteed data feeds
  – Clearly defined value proposition
  – Focus on situational awareness
