Security Monitoring

How a SIEM helps unveil an intrusion by showing a clear picture of the attack


In almost every cyber attack scenario you will find that the following elements are always present:



Attacker: The attacker is a hacker (or cracker) who attacks an asset of the organization.

Payload Delivery Medium: The payload delivery medium is the route or the way by which an attacker delivers the payload to the victim machine.

Payload Execution Mechanism: The payload execution mechanism is the mechanism by which a hacker (or cracker) executes the payload.

Asset: The asset is the target machine which the attacker wants to compromise.

Security Device Action: It is the response that the deployed security device generated.

A security monitoring tool should be capable enough to capture the components associated with the above elements. This will give you a clear understanding of when, what and how the intrusion happened, which will help you take the right decision on mitigation steps and prioritize the various intrusion incidents.



A security monitoring tool like a SIEM collects logs from different endpoint devices (desktop computers, laptops, printers, servers etc.), network devices (like routers, switches etc.) and security devices (like firewalls, IDS/IPS, web proxies, mail transfer agents etc.) and gives detailed information about the intrusion that happened.

It's like having different rooms in a building, with various security controls deployed in them. What if you could monitor the activities of these different rooms and places from one central place? A SIEM gives you similar power to monitor the activities happening in an organization's IT infrastructure.

The following could be some of the components associated with the various elements mentioned above:

Components associated with Attacker: Source IP address, owner of the IP address, IP reputation, port used, geographical location of the attacker (depends on the IP address), external / internal w.r.t. the organization's infrastructure etc.

Components associated with Payload delivery medium: USB / Removable Media, Web, P2P, Wireless Hotspots, Email etc.

Components associated with Payload execution mechanism: Malware, misconfiguration, exploitation of system vulnerabilities, social engineering, human errors etc.

Components of Asset / Victim Machine / Target: Asset vulnerabilities, IP address, ports, location (where it is located in the network infrastructure), owner of the asset, asset criticality etc.

Components of Security device action: Detected, Undetected, Prevented, Alert triggered etc.

Components of Impact Prediction: Confidentiality Impact, Availability Impact, Integrity Impact, Reputation loss, Financial Loss, Degradation of performance etc.

Finally, after analyzing the components, you can get an idea about the motive of the attack and take the appropriate action required.

Impact prediction is the most important thing that helps in determining the priority of the incident (the time in which the incident should be resolved). Your incident priority formula should involve all the relevant components (Confidentiality Impact, Integrity Impact, Availability Impact, Financial Impact etc.) associated with the impact to get an accurate result.
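As an added worked example (not code from the original post), here is a small Python correlation that maps constructed firewall, IDS and proxy events onto the elements above (attacker, asset, security device action) and computes an incident priority from weighted impact components. The internal address range, the impact weights, the tier thresholds and the sample events and asset inventory are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events, already normalised the way a SIEM parser would emit them.
EVENTS = [
    {"device": "firewall", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 445, "action": "alert"},
    {"device": "ids", "src": "203.0.113.7", "dst": "10.0.0.5", "dport": 445, "action": "detected"},
    {"device": "proxy", "src": "10.0.0.5", "dst": "198.51.100.9", "dport": 443, "action": "prevented"},
]
# Constructed asset inventory: owner, criticality (1-5) and per-asset impact ratings (0-1).
ASSETS = {
    "10.0.0.5": {"owner": "finance", "criticality": 5, "confidentiality": 0.9,
                 "integrity": 0.8, "availability": 0.6, "financial": 0.7},
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed organisation address space
# Assumed weights for the impact components named in the post; they sum to 1.
WEIGHTS = {"confidentiality": 0.3, "integrity": 0.3, "availability": 0.2, "financial": 0.2}

def classify_source(ip):
    """Attacker component: external or internal w.r.t. the organisation."""
    return "internal" if ipaddress.ip_address(ip) in INTERNAL else "external"

def priority_score(asset):
    """Weighted impact (0-1) scaled by asset criticality, giving a 0-5 score."""
    impact = sum(WEIGHTS[k] * asset[k] for k in WEIGHTS)
    return round(impact * asset["criticality"], 2)

def priority_tier(score):
    """Map the score to a response tier (thresholds are assumed, not from the post)."""
    return "P1" if score >= 4 else "P2" if score >= 2.5 else "P3"

def build_incidents(events, assets):
    """Group events around the targeted asset and collect the attack elements."""
    by_asset = defaultdict(list)
    for e in events:
        # The asset may be the destination (inbound) or the source (outbound traffic).
        key = e["dst"] if e["dst"] in assets else e["src"]
        by_asset[key].append(e)
    incidents = {}
    for asset_ip, evs in by_asset.items():
        if asset_ip not in assets:
            continue
        asset = assets[asset_ip]
        attackers = sorted({e["src"] for e in evs if e["src"] != asset_ip})
        score = priority_score(asset)
        incidents[asset_ip] = {
            "attacker": [{"ip": ip, "scope": classify_source(ip)} for ip in attackers],
            "asset": {"ip": asset_ip, "owner": asset["owner"], "criticality": asset["criticality"]},
            "device_actions": sorted({(e["device"], e["action"]) for e in evs}),
            "priority": score, "tier": priority_tier(score),
        }
    return incidents
```

Calling `build_incidents(EVENTS, ASSETS)` returns one incident for 10.0.0.5 with an external attacker, the three device actions, a priority of 3.85 and tier P2.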





