Meletis Belsis - CSIRTs

Page 1: Meletis Belsis -CSIRTs

A Computer Security Incident Response Team's Support System

Meletis A. Belsis, Anthony N. Godwin, Leon Smalov

Coventry University, 2002

Page 2: Meletis Belsis -CSIRTs

Computer Crime and CSIRTs

Today computer crime is on the rise. Adversaries attack corporate systems daily.

To provide adequate security support, Computer Security Incident Response Teams (CSIRTs) have been assembled.

Their job is to gather and organize information coming from security incidents.

Along with that, CSIRTs provide security advice and help to identify the perpetrators.

The security incident information is used to statistically analyze computer crime, to assist enterprises in protecting themselves against known security holes, and for educational purposes.

Page 3: Meletis Belsis -CSIRTs

CSIRTs

Currently there are a number of CSIRT teams. Examples include CERT/CC, CIAC and also the CERIAS Laboratory.

Each one of these uses its own techniques, tools and policies, and provides a number of different functions to its registered users.

Currently large-scale enterprises try to develop their own internal CSIRT to handle incidents that take place within the corporate IT infrastructure.

Building a CSIRT includes providing solutions to a number of managerial and technical problems. Two of the technical problems are:
- the type and structure of data that need to be stored
- the way this data is going to be gathered and accessed

Page 4: Meletis Belsis -CSIRTs

Current Incident Data Structures

Every CSIRT uses its own data structures to store details of the security breaches that have taken place.

Generally these concentrate on storing the technical details that an incident includes. The technical details of an attack are useful to technical experts but are far from useful to corporate managers.

In the last few years new trends in hacking have called for collaboration between the CSIRTs.

CSIRTs from around the world need to collaborate and compare their information in order to trace attacks that take place in a number of systems simultaneously.

Page 5: Meletis Belsis -CSIRTs

Current Incident Data Structures

Based on the current incident data structures, automatic collaboration is impossible.

This collaboration currently takes place using telephones or emails, which is a slow process.

A couple of solutions that propose a common structure are still at the research stage.

Examples of such are the European proposal, Project S2003 and the Incident Object Description and Exchange Format (IODEF).

The authors of this paper have presented their own views in a paper presented at the IFIP/Sec 2002 conference in Cairo.

Page 6: Meletis Belsis -CSIRTs

Reporting Security Incidents

The way that incidents are reported and accessed is essential.

Current CSIRTs use offline media or the Web to allow new incidents to be stored and/or to allow individuals to access this data.

The offline media are quite insufficient and make the technical experts uncomfortable.

Managing the security of the incident data (Confidentiality, Integrity and Availability (CIA)) when accessed with the previous method is difficult.

Page 7: Meletis Belsis -CSIRTs

Limitations of the Web

The Web is insecure. A CSIRT can provide only a fraction of the actual information stored for every incident.

The queries used to search the DB are predetermined. There is no room for smart queries (e.g. show all incidents that had as target an Apache Server).

Users, depending on their role, need to see different types of incident data. E.g. security experts need to know the protocols that were used to attack a system; managers need to know the time it took to recover from the attack.

Current interfaces do not allow the development of data views.

Page 8: Meletis Belsis -CSIRTs

The CORBA Approach

CORBA has been widely proposed and used to access databases.

CORBA allows access from both standalone applications and web-based ones.

CORBA provides a number of security objects that are adequate to fulfill the CIA model.

[Figure: CORBA architecture. A Client Object sends Operation + Arguments through the Object Request Broker (ORB), via the Dynamic Invocation Interface (DII) or the Interface Definition Language (IDL), to a Server Object reached through the Object Adapter (OA), the IDL Skeleton or the Dynamic Skeleton Interface; the Operation Result + Arguments travel back the same way. CORBA Services: LifeCycle, Naming, Persistence, Security, etc. CORBA Facilities: User Interface, Health Care, Financial, etc.]

Page 9: Meletis Belsis -CSIRTs

Our Proposal

The new system allows access to the incident DB from both a Web-based interface and a standalone application.

Using this we can connect the main security management console that companies have to a security incident DB anywhere in the world.

The registration of incidents could be carried out using automated processes by the security software that detects them.

In addition, security experts can use the management console to access their company's private security incident records and perform statistical analysis.

Page 10: Meletis Belsis -CSIRTs

Our Proposal

A Natural Language Interface to DB (NLIDB) is used.

This allows real-time complex queries to be created using plain English statements.

This allows inexperienced users to perform dynamic searches on the DB.

The NLIDB formats the results depending on the user that is currently logged in, so we do not overflow managers with technical information or technical experts with management information.

[Figure: query flow between the Web Client, the Security Management Console (via the ORB), the CSIRT Web Server, the NLIDB and the DBMS holding the Incident Data, over HTTP and TCP/IP:
1) Authenticate with X.509
2) Download Java applet
3) Execute user natural English query (to the NLIDB)
4) Execute SQL query (NLIDB to DBMS)
5) Find data
6) Return result (DBMS to NLIDB)
7) Return results (NLIDB to Web Server)
8) Return formatted result (to the client)]
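As an added illustration, not code from the paper or its authors, the following Python sketch models steps 3 to 8 of the flow above: a minimal stand-in for the NLIDB turns one English phrasing into a parameterised SQL query over a constructed incident table and projects the rows onto the logged-in role's view, so managers get recovery time and experts get protocol detail. The table layout, the two roles, and the single recognised query pattern are assumptions for the example; the point is that the filter column comes only from a whitelist and the user's value is bound, so English phrasing can never alter the SQL.

```python
import re
import sqlite3

# Constructed sample incident records for the example (not data from the paper).
SAMPLE_INCIDENTS = [
    (1, "Apache Server", "HTTP", "buffer overflow", 6.5),
    (2, "Mail Server", "SMTP", "relay abuse", 2.0),
    (3, "Apache Server", "HTTP", "CGI misuse", 12.0),
]

# Role-specific data views (assumed): experts see attack detail, managers see recovery time.
ROLE_VIEWS = {
    "expert": ("id", "target", "protocol", "attack_type"),
    "manager": ("id", "target", "recovery_hours"),
}

# Whitelist of columns an English query may filter on; the value itself is always bound.
FILTER_COLUMNS = {"target": "target", "protocol": "protocol"}


def open_incident_db():
    """Create an in-memory incident DB populated with the constructed sample."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE incidents (id INTEGER, target TEXT, protocol TEXT,"
                 " attack_type TEXT, recovery_hours REAL)")
    conn.executemany("INSERT INTO incidents VALUES (?, ?, ?, ?, ?)", SAMPLE_INCIDENTS)
    return conn


def parse_query(text):
    """Toy stand-in for the NLIDB: understands one phrasing, e.g.
    'show all incidents that had as target an Apache Server'."""
    m = re.search(r"had as (target|protocol) (?:an? |the )?(.+?)\s*$",
                  text.rstrip(" .?!"), re.I)
    if not m:
        raise ValueError("query not understood")
    return FILTER_COLUMNS[m.group(1).lower()], m.group(2)


def query_incidents(conn, role, text):
    """Translate the English query to SQL and project rows onto the role's view."""
    columns = ROLE_VIEWS[role]          # unknown role -> KeyError, i.e. fail closed
    column, value = parse_query(text)   # column comes from the whitelist only
    sql = f"SELECT {', '.join(columns)} FROM incidents WHERE {column} = ?"
    rows = conn.execute(sql, (value,)).fetchall()  # value bound, never spliced in
    return [dict(zip(columns, row)) for row in rows]
```

A query phrased to smuggle SQL (e.g. a value containing `' OR '1'='1`) simply matches no row, because it is compared as data rather than executed.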

Page 11: Meletis Belsis -CSIRTs

Our Proposal

Using CORBA security services we can protect incident data much more efficiently (i.e. create better authentication).

CSIRTs can provide new services on demand.

[Figure: the same query flow as on Page 10.]


Page 12: Meletis Belsis -CSIRTs

Our Proposal

By using CORBA, CSIRTs can interoperate more efficiently.

CSIRTs can exchange incident information much more easily.

The system can be programmed to automate exchanges of information when required.

[Figure: CSIRT A's ORB, CSIRT B's ORB and CSIRT C's ORB interconnected over TCP/IP, each with its own Incident DB behind a Firewall, with CSIRT's Clients attached.]

Page 13: Meletis Belsis -CSIRTs

Conclusions

CSIRTs are one of the best weapons against computer crime.

Providing more efficient ways to access incident DBs will allow incident response times to be cut to a minimum. This can be translated into millions of pounds worth of savings.

Interconnecting CSIRTs will create better statistical data, identifying new trends in hacking, and this information will also be used by the authorities for arresting the criminals.

Future plans for this system are to automate updates of security breaches into security tools, like intrusion detection systems and firewalls, that registered enterprises have.

Page 14: Meletis Belsis -CSIRTs

In Correspondence:

Belsis A. Meletis
DKERG, Coventry University
[email protected]
www.mis.cov.ac.uk/Research/DKERG/DKERG.html