Copyright © 2012, Elsevier Inc.
All Rights Reserved
Chapter 9 – Correlation
Cyber Attacks: Protecting National Infrastructure, 1st ed.
Introduction
• Correlation is one of the most powerful analytic methods for threat investigation
Fig. 9.1 – Profile-based activity anomaly
• Comparing data determines what is normal and what is an anomaly
Fig. 9.2 – Signature-based activity match
• Data comparison creates a clearer picture of adversary activity
 – Profile-based correlation
 – Signature-based correlation
 – Domain-based correlation
 – Time-based correlation
• We still rely on human analysis of the data; no software alone can factor in all the relevant elements
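The first two correlation types above, as an added example that is not code from the book. Profile-based correlation compares a host against its own history (the idea behind Fig. 9.1); signature-based correlation matches current activity against a known pattern (Fig. 9.2). The hosts, the hourly baselines, the flow records and the signature table are all constructed here so the script runs offline; the z-score threshold and the "distinct destinations per port" form of the signatures are assumptions, not the book's definitions.

```python
"""Profile-based and signature-based correlation over constructed flow records."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed historical profile: outbound connections per hour for each host,
# one sample for each of twelve past hours.
BASELINE = {
    "10.0.0.5": [40, 45, 38, 50, 42, 47, 41, 44, 39, 46, 43, 48],
    "10.0.0.9": [12, 10, 15, 11, 13, 9, 14, 12, 10, 11, 13, 12],
}

# Constructed current-hour flow records: (src_host, dst_ip, dst_port).
# 10.0.0.5 suddenly touches 120 distinct hosts on 445, 10.0.0.9 looks normal,
# and 10.0.0.77 has no profile at all.
CURRENT = (
    [("10.0.0.5", f"192.0.2.{i}", 445) for i in range(1, 121)]
    + [("10.0.0.9", f"198.51.100.{i}", 443) for i in range(1, 12)]
    + [("10.0.0.77", "203.0.113.10", 443)]
)

# Constructed signature table: a scan pattern expressed as
# "one source, one port, at least N distinct destinations".
SIGNATURES = [
    {"name": "SMB sweep", "dst_port": 445, "min_distinct_dst": 20},
    {"name": "SSH sweep", "dst_port": 22, "min_distinct_dst": 20},
]


def profile_anomalies(records, baseline, z_threshold=3.0):
    """Profile-based correlation: compare each host's current connection
    count with its own history and flag large deviations.
    Returns {host: (verdict, count, z_score)}; z is None when no profile exists."""
    counts = defaultdict(int)
    for host, _dst, _port in records:
        counts[host] += 1
    flagged = {}
    for host, n in sorted(counts.items()):
        history = baseline.get(host)
        if not history:
            # No profile to compare against: surface it rather than guess.
            flagged[host] = ("no-profile", n, None)
            continue
        mu, sigma = mean(history), pstdev(history)
        z = (n - mu) / sigma if sigma else (0.0 if n == mu else float("inf"))
        if abs(z) > z_threshold:
            flagged[host] = ("anomalous", n, round(z, 1))
    return flagged


def signature_matches(records, signatures):
    """Signature-based correlation: match current records against known
    patterns. Returns a list of (host, signature_name, distinct_destinations)."""
    per_host_port = defaultdict(set)
    for host, dst, port in records:
        per_host_port[(host, port)].add(dst)
    hits = []
    for (host, port), dsts in sorted(per_host_port.items()):
        for sig in signatures:
            if port == sig["dst_port"] and len(dsts) >= sig["min_distinct_dst"]:
                hits.append((host, sig["name"], len(dsts)))
    return hits


def correlate(records=CURRENT, baseline=BASELINE, signatures=SIGNATURES):
    """Combine both views: a host that is off-profile AND matches a signature
    is the one an analyst should look at first."""
    anomalies = profile_anomalies(records, baseline)
    hits = {host: name for host, name, _ in signature_matches(records, signatures)}
    report = []
    for host in sorted(set(anomalies) | set(hits)):
        verdict = anomalies.get(host, (None,))[0]
        priority = "high" if (verdict == "anomalous" and host in hits) else "review"
        report.append((host, verdict, hits.get(host), priority))
    return report


if __name__ == "__main__":
    for row in correlate():
        print(row)
```

Neither view alone is enough: the profile check flags the unknown host 10.0.0.77 only as "no profile", and the signature check says nothing about a host whose volume is simply off its baseline. The combined report is what the deck's "clearer picture" amounts to in practice: the host that is both anomalous and matches a known pattern goes to the top of the queue.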
Fig. 9.3 – Domain-based correlation of a botnet attack at two targets
Fig. 9.4 – Time-based correlation of a botnet attack
Fig. 9.5 – Taxonomy of correlation scenarios
Conventional Security Correlation Methods
• Threat management – data from multiple sources is correlated to identify patterns, trends, and relationships
 – The approach relies upon security information and event management (SIEM)
• Commercial firewalls are underutilized
• Correlation function can be decentralized, but that often complicates the process
Fig. 9.6 – Correlating intrusion detection alarms with firewall policy rules
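The correlation depicted in Fig. 9.6, as an added example that is not code from the book. An IDS alarm on its own says that a sensor saw something; joining it with the firewall policy says whether that traffic could actually have reached the protected host. The rule set, the alarm records and the assumption that the sensor sits outside a first-match firewall with an implicit default deny are all constructed here.

```python
"""Correlating IDS alarms with firewall policy rules."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    src: str                # source CIDR
    dst: str                # destination CIDR
    dst_port: Optional[int] # None matches any port
    proto: str = "tcp"


# Constructed first-match policy: only 443 to the web tier and 22 from the
# management network are allowed; everything else is denied.
POLICY = [
    Rule("allow", "0.0.0.0/0", "192.0.2.0/24", 443),
    Rule("allow", "10.10.0.0/16", "192.0.2.0/24", 22),
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

# Constructed IDS alarms: (alarm_id, signature, src_ip, dst_ip, dst_port, proto)
ALARMS = [
    ("a1", "SSH brute force", "203.0.113.7", "192.0.2.10", 22, "tcp"),
    ("a2", "HTTP SQLi attempt", "203.0.113.8", "192.0.2.10", 443, "tcp"),
    ("a3", "SMB exploit attempt", "203.0.113.9", "192.0.2.10", 445, "tcp"),
    ("a4", "SSH brute force", "10.10.4.4", "192.0.2.10", 22, "tcp"),
]


def firewall_verdict(policy, src_ip, dst_ip, dst_port, proto="tcp"):
    """Return the action of the first matching rule (first-match semantics
    assumed); traffic matching no rule is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in policy:
        if (s in ipaddress.ip_network(r.src)
                and d in ipaddress.ip_network(r.dst)
                and (r.dst_port is None or r.dst_port == dst_port)
                and r.proto == proto):
            return r.action
    return "deny"


def triage(alarms=ALARMS, policy=POLICY):
    """Join each alarm with the policy. The sensor is assumed to sit outside
    the firewall, so an alarm on denied traffic means the host was never
    reached; an alarm on allowed traffic needs a human to look at it.
    Returns a list of (alarm_id, signature, verdict, disposition)."""
    out = []
    for aid, sig, src, dst, port, proto in alarms:
        verdict = firewall_verdict(policy, src, dst, port, proto)
        disposition = "actionable" if verdict == "allow" else "blocked"
        out.append((aid, sig, verdict, disposition))
    return out


def summary(alarms=ALARMS, policy=POLICY):
    """Counts per disposition, the number an analyst would see on a dashboard."""
    counts = {"actionable": 0, "blocked": 0}
    for _aid, _sig, _verdict, disposition in triage(alarms, policy):
        counts[disposition] += 1
    return counts


if __name__ == "__main__":
    for row in triage():
        print(row)
    print(summary())
```

The "blocked" alarms are not discarded: they still show who is probing the perimeter and belong in the profile and time-based views. The point of the join is priority, and it only holds if the policy fed to the correlator is the policy actually running on the firewall, which is exactly the data-quality concern the next section raises.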
Quality and Reliability Issues in Data Correlation
• The quality and reliability of data sources are important to consider
• Service level agreements
 – Service level agreements guarantee the quality of data
 – Quality and reliability are not guaranteed with volunteered data
• Without consistent, predictable, and guaranteed data delivery, correlations are likely to be incorrect and data is likely to be missing
Fig. 9.7 – Incorrect correlation result due to imperfect collection
Correlating Data to Detect a Worm
• Network service providers have the best vantage point for correlating data across multiple organizations, regions, etc.
• Network service providers have a view of network activity that allows them to see problems
Fig. 9.8 – Time-based correlation to detect worm
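Time-based correlation of the kind Fig. 9.8 depicts, as an added example that is not code from the book. A single site seeing a few new hosts probing one port is unremarkable; the same count rising window after window, at several sites at once, is the worm signature that only a provider-level vantage point exposes. The three sites, the event records, the window size and the growth threshold are all constructed or assumed here.

```python
"""Time-based correlation across sites to detect a worm."""
from collections import defaultdict

WINDOW = 300       # seconds per time bucket (assumed)
TARGET_PORT = 445  # port the constructed worm probes (assumed)


def make_events():
    """Constructed sample: infected hosts at three sites probing TARGET_PORT,
    with the infected population roughly doubling each window, plus one
    benign 443 flow per window. Records are (ts, site, src_ip, dst_port)."""
    spread = {  # window index -> {site: number of scanning hosts}
        0: {"siteA": 1},
        1: {"siteA": 2, "siteB": 1},
        2: {"siteA": 4, "siteB": 3, "siteC": 1},
        3: {"siteA": 8, "siteB": 6, "siteC": 4},
    }
    prefix = {"siteA": "10.1.0.", "siteB": "10.2.0.", "siteC": "10.3.0."}
    events = []
    for w, sites in spread.items():
        t = w * WINDOW + 17
        for site, n in sites.items():
            for i in range(n):
                events.append((t + i, site, f"{prefix[site]}{i + 2}", TARGET_PORT))
        events.append((t + 5, "siteA", "10.1.0.200", 443))  # benign traffic
    return events


def bucket(events, window=WINDOW, port=TARGET_PORT):
    """Step 1: distinct scanning sources per time window, split by site.
    Returns {window_index: {site: set(src_ip)}}."""
    per_window = defaultdict(lambda: defaultdict(set))
    for ts, site, src, dst_port in events:
        if dst_port == port:
            per_window[ts // window][site].add(src)
    return per_window


def detect_worm(events, window=WINDOW, port=TARGET_PORT, growth=1.5, min_sites=2):
    """Step 2: alert when the distinct-source count for `port` grows by a
    factor of `growth` or more over the previous window AND the activity is
    present at `min_sites` or more sites in that window.
    Returns a list of (window_index, total_sources, sites) where that held."""
    per_window = bucket(events, window, port)
    alerts = []
    prev = None
    for w in sorted(per_window):
        sites = per_window[w]
        total = sum(len(srcs) for srcs in sites.values())
        if prev and total >= growth * prev and len(sites) >= min_sites:
            alerts.append((w, total, sorted(sites)))
        prev = total
    return alerts


if __name__ == "__main__":
    for alert in detect_worm(make_events()):
        print("window %d: %d scanning hosts across %s" % alert)
```

Filtering the same events down to one site produces no alert at all, because the cross-site condition never holds; that difference is the whole argument for correlating at the carrier level rather than inside each organization.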
Correlating Data to Detect a Botnet
• The context of carrier infrastructure may offer the best chance to perform correlation relative to a botnet
• Botnets are often widely distributed geographically
• Sharing information on botnet tactics might help others protect themselves
Fig. 9.9 – Correlative depiction of a typical botnet
Large-Scale Correlation Process
• For national infrastructure protection, large-scale correlation of all-source data is complicated by several factors
 – Data formats
 – Collection targets
 – Competition
• These can only be overcome with a deliberate correlation process
Fig. 9.10 – Large-scale, multipass correlation process with feedback
National Correlation Process
• Organizations with national infrastructure responsibility should be encouraged to create and follow a local program of data correlation
• National-level programs might be created to correlate collected data at the highest level. This approach requires the following
 – Transparent operations
 – Guaranteed data feeds
 – Clearly defined value proposition
 – Focus on situational awareness