Rabu, 12 Desember 2007

Incident Severity Ratings

Much of digital security focuses on pre-compromise activities. Not as much attention is paid to what happens once your defenses fail. My friend Bamm brought this problem to my attention when he discussed the problem of rating the severity of an incident. He was having trouble explaining to his management the impact of an intrusion, so he asked if I had given any thought to the issue.

What follows is my attempt to apply a framework to the problem. If anyone wants to point me to existing work, please feel free. This is not an attempt to put a flag in the ground. We're trying to figure out how to talk about post-compromise activities in a world where scoring vulnerabilities receives far more attention.

This is a list of factors which influence the severity of an incident. It is written mainly from the intrusion standpoint. In other words, an unauthorized party is somehow interacting with your asset. I have ordered the options under each category such that the top items in each sub-list is considered worst, and the bottom is best. Since this is a work in progress I put question marks in many of the sub-lists.

  1. Level of Control


    • Domain or network-wide SYSTEM/Administrator/root

    • Local SYSTEM/Administrator/root

    • Privileged user (but not SYSTEM/Administrator/root

    • User

    • None?


  2. Level of Interaction


    • Shell

    • API

    • Application commands

    • None?


  3. Nature of Contact


    • Persistent and continuous

    • On-demand

    • Re-exploitation required

    • Misconfiguration required

    • None?


  4. Reach of Victim


    • Entire enterprise

    • Specific zones

    • Local segment only

    • Host only


  5. Nature of Victim Data


    • Exceptionally grave damage if destroyed/altered/disclosed

    • Grave damage if destroyed/altered/disclosed

    • Some damage if destroyed/altered/disclosed

    • No damage if destroyed/altered/disclosed


  6. Degree of Friendly External Control of Victim


    • None; host has free Internet access inbound and outbound

    • Some external control of access

    • Comprehensive external control of access


  7. Host Vulnerability (for purposes of future re-exploitation


    • Numerous severe vulnerabilities

    • Moderate vulnerability

    • Little to no vulnerability


  8. Friendly Visibility of Victim


    • No monitoring of network traffic or host logs

    • Only network or host logging (not both)

    • Comprehensive network and host visibility


  9. Threat Assessment


    • Highly skilled and motivated, or structured threat

    • Moderately skilled and motivated, or semi-structured threat

    • Low skilled and motivated, or unstructured threat


  10. Business Impact (from continuity of operations plan)


    • High

    • Medium

    • Low


  11. Onsite Support


    • None

    • First level technical support present

    • Skilled operator onsite



Based on this framework, I would be most worried about the following -- stated very bluntly so you see all eleven categories: I worry about an incident where the intruder has SYSTEM control, with a shell, that is persistent, on a host that can reach the entire enterprise, on a host with very valuable data, with unfettered Internet access, on a host with lots of serious holes, and I can't see the host's logs or traffic, and the intruder is a foreign intel service, and the host is a high biz impact system, and no one is on site to help me.

What do you think?
di

Tidak ada komentar:

Posting Komentar