IDS mailing list archives
RE: Intrusion Risk Assessment
From: Fengmin Gong <fengmin () intruvert com>
Date: Sat, 18 Jan 2003 14:16:04 -0800
Hi Robert,

It's good to see that you are putting effort into this topic. Sorry for this late follow-up and I hope it's helpful.

Although there has been a recognized need for a framework linking vulnerability assessment and countermeasures systematically from the research community for a while, the IDS data model and the IDMEF from IDWG represent the only widely supported standard effort, as Herve and others have pointed out.

I want to mainly add on to one issue that has barely been brought up in the discussion. From a VA or IDS tool perspective, the impact severity rating can only take into account the "inherent" damaging effect, much like what you have started with. It can only reasonably account for the "direct" impact. For example, you may be able to determine if a vulnerability/attack leads to unprivileged remote access versus privileged access. This is only a direct impact in the sense that anything could happen after a root compromise. This impact is inherent in the sense that you have not accounted for the "asset value" of the target being compromised. This information may not generally be available to anyone outside the owning organization. What it means is that the general framework must recognize this and make provisions for the ultimate users to factor in their asset value in the severity rating of such events.

There are papers on applying the battlefield intelligence process to intrusion detection that discuss asset value along with many other factors; see Jim Yuill's page at: www4.ncsu.edu/~jjyuill/Professional/Research/Publications/index.html

To give you a more concrete example of how it can be done, IntruVert's IntruShield system has an underlying Threat and Countermeasure language that links exploits/attack conditions, affected systems and software, multiple detection methods/mechanisms, on-trigger response actions including packet logging, and other relevant info, all together on a per-vulnerability basis.
This language is very similar to the IDWG model regarding intrusion event characterization but with many extensions to make it a complete Threat and Countermeasure language (I am a believer in the IDWG work, being involved in the Requirements Specification). In IntruShield, the inherent impact severity of an attack is rated from 0 to 9, while the confidence level of the detection (reliability and specificity of the detection) is rated with a similar scale. All attack conditions are described in this language in our database, which is the basis for all the IDS policy configuration, real-time alert correlation, aggregation and suppression. The user, upon deployment, can then modify the severity ratings for any attacks to reflect their valuation of the asset under protection through customized policies. The new severity rating is then used in all the alert handling and reporting.

FYI, I am also including an example list of the high-level impact categories used in IntruShield along with the severity rating guidelines.

----
Informational
- Anything which is only useful for audit or detecting normal network activity: 0

Reconnaissance
- host sweep: 1-2
- port scan: 3-4

Exploits
- File read exposure (non-privileged): 1-2
- File read exposure (privileged): 3-5
- File modification (non-privileged): 3-4
- File modification (privileged): 5-6
- Unprivileged access (nobody): 5-6
- Root-level access gained: 7-9

DOS (including DDoS)
- disable machine/network: 7-9
- disable single application: 5-6
- performance degradation: 2-4

PolicyViolation
- installation of illegal application: 1-2
- unauthorized access: 2-8
- installation of network services: 3-5
- information leak tunnels: 5-6
- backdoor access (non-privileged): 5-6
- backdoor access (privileged): 7-9

Regards,
Fengmin
--
Dr. Fengmin Gong
Director, Intrusion Detection Technologies
IntruVert Networks, Inc.
Email: fengmin () intruvert com
Voice: (408) 434-8306
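The scheme Fengmin describes (a vendor-assigned inherent severity and a detection confidence, both 0-9, with the deploying organization overriding severity per asset before alerts are aggregated, suppressed and ranked) is easy to misread as a single lookup table. The following added example, which is not IntruShield code and is not from the original thread, shows the moving parts working together on constructed alerts. The severity bands are the guideline list from the message; the policy structure, the confidence values, the sample signatures and addresses, and the priority formula (severity weighted by confidence) are all assumptions made for illustration.

```python
"""Alert triage with inherent severity, detection confidence and a
deployer-side asset-value override.  Added illustration, not IntruShield code.
"""
from collections import Counter
from dataclasses import dataclass

# Inherent severity guideline bands quoted in the message: impact -> (low, high).
GUIDELINE_BANDS = {
    "host sweep": (1, 2),
    "port scan": (3, 4),
    "file read (non-privileged)": (1, 2),
    "file read (privileged)": (3, 5),
    "unprivileged access": (5, 6),
    "root-level access": (7, 9),
    "disable machine/network": (7, 9),
    "performance degradation": (2, 4),
    "backdoor access (privileged)": (7, 9),
}


@dataclass(frozen=True)
class Signature:
    name: str
    impact: str       # one of the GUIDELINE_BANDS keys
    severity: int     # vendor's inherent rating; must fall inside the band
    confidence: int   # 0-9, reliability/specificity of the detection (assumed scale)

    def __post_init__(self):
        lo, hi = GUIDELINE_BANDS[self.impact]
        if not lo <= self.severity <= hi:
            raise ValueError(f"{self.name}: severity {self.severity} outside "
                             f"{lo}-{hi} band for '{self.impact}'")
        if not 0 <= self.confidence <= 9:
            raise ValueError(f"{self.name}: confidence must be 0-9")


@dataclass(frozen=True)
class Alert:
    sig: Signature
    src: str
    dst: str
    asset_group: str  # deployer's own classification of dst (assumed field)


class Policy:
    """Deployer-side overrides: an additive adjustment per asset group and an
    absolute severity per (asset_group, signature).  Assumed structure."""

    def __init__(self, group_adjust=None, overrides=None, suppress_below=1):
        self.group_adjust = group_adjust or {}
        self.overrides = overrides or {}
        self.suppress_below = suppress_below  # effective severity below this is dropped

    def effective_severity(self, alert):
        key = (alert.asset_group, alert.sig.name)
        if key in self.overrides:
            sev = self.overrides[key]
        else:
            sev = alert.sig.severity + self.group_adjust.get(alert.asset_group, 0)
        return max(0, min(9, sev))  # keep to the 0-9 scale

    def priority(self, alert):
        # Assumed combination: asset-adjusted severity weighted by detection confidence.
        return self.effective_severity(alert) * alert.sig.confidence


def triage(alerts, policy):
    """Aggregate duplicate (signature, src, dst) alerts, suppress those whose
    effective severity is below the policy threshold, and return the rest as
    (priority, effective_severity, count, alert) highest priority first."""
    counts = Counter((a.sig.name, a.src, a.dst) for a in alerts)
    seen, kept = set(), []
    for a in alerts:
        key = (a.sig.name, a.src, a.dst)
        if key in seen:
            continue
        seen.add(key)
        sev = policy.effective_severity(a)
        if sev < policy.suppress_below:
            continue
        kept.append((policy.priority(a), sev, counts[key], a))
    kept.sort(key=lambda t: (-t[0], -t[1]))
    return kept


# Constructed sample data: three hypothetical signatures and one burst of alerts.
SCAN = Signature("tcp-port-scan", "port scan", 3, 9)
ROOT = Signature("ftp-root-exploit", "root-level access", 8, 8)
READ = Signature("cgi-file-read", "file read (non-privileged)", 2, 5)

SAMPLE_ALERTS = [
    Alert(SCAN, "10.0.0.5", "10.1.0.7", "lab"),
    Alert(SCAN, "10.0.0.5", "10.1.0.7", "lab"),
    Alert(SCAN, "10.0.0.5", "10.1.0.7", "lab"),
    Alert(ROOT, "10.0.0.5", "10.1.0.7", "lab"),
    Alert(READ, "10.0.0.9", "10.2.0.1", "crown-jewel"),
    Alert(ROOT, "10.0.0.5", "10.2.0.1", "crown-jewel"),
]

# Deployer policy: lab hosts are worth little, crown-jewel hosts a lot, and a
# root exploit against a crown-jewel host is always top of the scale.
EXAMPLE_POLICY = Policy(
    group_adjust={"crown-jewel": 3, "lab": -4},
    overrides={("crown-jewel", "ftp-root-exploit"): 9},
)


def demo():
    return triage(SAMPLE_ALERTS, EXAMPLE_POLICY)


if __name__ == "__main__":
    for prio, sev, n, a in demo():
        print(f"prio={prio:2d} sev={sev} x{n} {a.sig.name} {a.src}->{a.dst} [{a.asset_group}]")
```

With the vendor defaults (`Policy()`) the same burst ranks the two root exploits equally and the triplicated port scan above the file read; with `EXAMPLE_POLICY` the scan against the lab host drops to severity 0 and is suppressed, the non-privileged file read on the crown-jewel host rises to 5, and the root exploit on the crown-jewel host outranks the identical detection against the lab host. That separation of "inherent" from "asset-adjusted" severity is the point of the message: the tool can only supply the former, and the deployer has to be given a place to supply the latter.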
Current thread:
- RE: Intrusion Risk Assessment, (continued)
- RE: Intrusion Risk Assessment Rob Shein (Jan 07)
- Re: Intrusion Risk Assessment Herve Debar (Jan 07)
- RE: Intrusion Risk Assessment Alan Shimel (Jan 07)
- Re: Intrusion Risk Assessment Fernando Cardoso (Jan 07)
- RE: Intrusion Risk Assessment Robert Buckley (Jan 07)
- FW: Intrusion Risk Assessment Peter Schwarz (Jan 07)
- re[2]: Intrusion Risk Assessment Richard Bennison (Jan 08)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: VA/IDS Integration (Was: RE: re[2]: Intrusion Risk Assessment) David J. Meltzer (Jan 10)
- re[2]: Intrusion Risk Assessment Ron Gula (Jan 10)
- RE: Intrusion Risk Assessment Nicole Nicholson (Jan 08)
- RE: Intrusion Risk Assessment Fengmin Gong (Jan 21)