Execute: attack mitigation and countermeasures (advanced)

The SOIM community has long focused on detection and analysis from the perspectives of research and operational deployment. There has been little enthusiasm for automating the final part of the MAPE-K loop, because system and network operators fear losing control of their environments. There are, however, many reasons why developing automatic mitigation would be important. This is a significant topic, as is evident, for example, in the Respond and Recover functions of the NIST Cybersecurity Framework.

Intrusion prevention systems (advanced)

IDPS sensors have been extended to include enforcement capabilities for responding to attacks. An IDPS is able to act when it makes an observation from the monitored data stream. This requires the ability to operate as a gateway or proxy through which all communication is analysed. When a decision is made that malicious activity has been detected, additional actions can be applied to the data stream, such as blocking, terminating, or modifying the data flow. These actions depend on the reliability of detection, and the general practice is to limit actions to a subset of malicious activity signatures in misuse-based IDPS sensors.

The actions performed by IDPS sensors are directly linked to the detection outcome. As such, the planning phase is carried out through static configuration, and the response to an attack is therefore independent of the context in which the attack occurs.

Because well-identified attacks must be responded to in real time, modern network-based IDPSs operate by combining detection with firewall functionality. If a sensor detects malicious activity, the packet is immediately dropped or rejected, or the connection is terminated. The advantage of this solution is that attacks are handled instantly as they occur. Errors have a direct impact on the effectiveness of an IDPS: false positives can deny service to legitimate users, while false negatives let some attacks through unnoticed. A drawback of IDPSs is their operation at the packet layer, which can cause side effects that may leak information to an attacker. Because an IDPS sensor is a device capable of terminating network connections, it also introduces a potential single point of failure into the ICT infrastructure.

More recently, IDPSs have evolved to modify packet payloads, a practice referred to as virtual patching. As a result, the protected server receives benign content instead of the content intended by the attacker, and the response sent back to the attacker indicates that the attack has failed. The main advantage here is that mitigating the attack does not require disrupting the data flow.
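The following is an added example, not code from the original text or from any IDPS product, illustrating the static signature-to-action mapping described above: each misuse signature carries its own response (alert only, drop, terminate the flow, or virtually patch the payload), chosen according to how reliable the signature is. The packet model, the signature names and patterns, and the traffic are all constructed for the demonstration.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Constructed packet model: one application-layer message on a flow.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes

# A misuse signature with the static response configured for it.
# The action is chosen per signature according to how reliable the match is:
#   "alert"     - log only, forward unchanged (low-confidence signature)
#   "drop"      - discard this packet
#   "terminate" - discard and tear down the whole flow
#   "patch"     - rewrite the payload so the server receives benign content
@dataclass(frozen=True)
class Signature:
    name: str
    pattern: "re.Pattern[bytes]"
    action: str
    patch: Optional[Callable[[bytes], bytes]] = None

@dataclass(frozen=True)
class Verdict:
    action: str              # "forward", "drop", "terminate" or "patch"
    matched: Optional[str]   # signature name, if any
    payload: bytes           # what is actually delivered (empty if nothing is)

class InlineIPS:
    """Inline gateway: every packet passes through inspect() before delivery."""

    def __init__(self, signatures: List[Signature]):
        self.signatures = signatures
        self.terminated = set()            # flows already torn down
        self.log: List[Tuple[str, str, Tuple[str, str]]] = []

    def inspect(self, pkt: Packet) -> Verdict:
        flow = (pkt.src, pkt.dst)
        if flow in self.terminated:        # nothing further passes on a killed flow
            return Verdict("drop", None, b"")
        for sig in self.signatures:        # first matching signature decides
            if not sig.pattern.search(pkt.payload):
                continue
            self.log.append((sig.name, sig.action, flow))
            if sig.action == "alert":
                return Verdict("forward", sig.name, pkt.payload)
            if sig.action == "drop":
                return Verdict("drop", sig.name, b"")
            if sig.action == "terminate":
                self.terminated.add(flow)
                return Verdict("terminate", sig.name, b"")
            if sig.action == "patch" and sig.patch is not None:
                return Verdict("patch", sig.name, sig.patch(pkt.payload))
        return Verdict("forward", None, pkt.payload)

# Constructed signature set (hypothetical names and patterns, not a real ruleset).
SIGNATURES = [
    # Low-confidence: a scanner banner. Alert only, so a false positive
    # cannot deny service to a legitimate client.
    Signature("suspicious-user-agent", re.compile(rb"User-Agent: ExampleScanner"), "alert"),
    # Directory traversal in the request line: virtual patch by stripping the
    # "../" components, so the server sees a request inside the web root and
    # the attacker's response shows the attempt failed.
    Signature("path-traversal", re.compile(rb"\.\./"), "patch",
              patch=lambda p: re.sub(rb"(\.\./)+", b"", p)),
    # High-confidence marker for a flow the operator wants torn down entirely.
    Signature("known-bad-marker", re.compile(rb"X-Example-Malware-Beacon:"), "terminate"),
]

def run_demo() -> List[Verdict]:
    ips = InlineIPS(SIGNATURES)
    packets = [  # constructed traffic
        Packet("10.0.0.5", "192.0.2.10", b"GET /index.html HTTP/1.1\r\nUser-Agent: ExampleScanner/1.0\r\n\r\n"),
        Packet("10.0.0.6", "192.0.2.10", b"GET /files/../../secret.txt HTTP/1.1\r\n\r\n"),
        Packet("10.0.0.7", "192.0.2.10", b"POST /cb HTTP/1.1\r\nX-Example-Malware-Beacon: 1\r\n\r\n"),
        Packet("10.0.0.7", "192.0.2.10", b"GET /index.html HTTP/1.1\r\n\r\n"),  # same flow, now dead
    ]
    return [ips.inspect(p) for p in packets]

if __name__ == "__main__":
    for v in run_demo():
        print(v.action, v.matched, v.payload)
```

The fourth packet is benign, yet it is dropped because its flow was terminated by the third: this is the single-point-of-failure and false-positive cost the text describes, which is why only the most reliable signatures are usually given blocking or terminating actions.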

Denial-of-service attacks (advanced)

An area where automatic, network-based attack mitigation is particularly needed is denial-of-service attacks (DoS), and especially large-scale distributed denial-of-service attacks (DDoS). The number and volume of DDoS attacks have grown steadily. In a 2016 survey by Arbor Networks, it was found that half of the responding cloud service providers had suffered from connection outages with a major impact on their business. The emergence of attacks exploiting Internet of Things (IoT) infrastructure and their use in DDoS attacks (for example, Mirai) has led to record numbers of attacks. More recently, DDoS amplification attacks have also been studied; these exploit protocols such as DNS and NTP to generate large volumes of traffic with minimal bandwidth requirements.

DDoS attacks are large-scale phenomena that affect many components and operators of Internet infrastructure, ranging from autonomous system operators to cloud service providers. Attacks targeting specific services can also have wide-ranging effects. For example, the DynDNS DDoS attack affected the availability of well-known services such as Netflix, Spotify, and Twitter. The ongoing migration of services to the cloud continuously increases the harm caused by denial-of-service attacks.

Due to their scale and impact, DDoS attacks are primary targets for automatic remediation. This has led to the emergence of specialised DDoS mitigation services. These services provide load-management capabilities, such as adding new servers, redirecting traffic to other services, or selectively throttling traffic.

Classical traffic-reduction techniques include IP blacklists with ingress filtering or the use of TCP SYN cookies at the application level to ensure proper TCP session establishment. These approaches help against DDoS attacks, but they are unable to prevent or counter extremely large-scale attacks.

Multiprotocol Label Switching (MPLS) can be used to carry IP packets over predefined paths through high-speed backbone nodes without requiring routing decisions at each node. This can be used to mitigate DDoS attacks, as it enables bandwidth reservation and control of bandwidth usage, ensuring that legitimate traffic receives sufficient capacity while potentially malicious traffic can be eliminated. The use of Software Defined Networking (SDN) as a basic network management technique in cloud environments enables flexible network configuration and control, as well as cooperation between Internet service providers and cloud operators to mitigate DDoS attacks.
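As an added example of the SYN-cookie technique mentioned above (not code from the original text, and a simplified scheme modelled on the classic approach rather than any real TCP stack), the server encodes its initial sequence number as a keyed hash of the connection 4-tuple, the client's sequence number and a coarse time counter, instead of allocating state for every half-open connection. Only a client that actually received the SYN-ACK can return the matching acknowledgement, so a flood of spoofed SYNs costs the server nothing but a hash. The secret, addresses and counter values are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct
import time
from typing import Optional

# Constructed secret; a real implementation generates this at boot and rotates it.
_SECRET = b"constructed-syn-cookie-secret"

# Only a few MSS values fit in the cookie, so the client's MSS is rounded
# down to one of these (2-bit index).
MSS_TABLE = (536, 1220, 1440, 1460)

def current_counter(now: Optional[float] = None) -> int:
    """Coarse time counter; a cookie is accepted for the current and previous period."""
    t = time.time() if now is None else now
    return int(t) // 64

def _mac24(src: str, dst: str, sport: int, dport: int, client_isn: int, counter: int) -> int:
    """24-bit keyed hash binding the cookie to the 4-tuple, client ISN and period."""
    msg = struct.pack("!4s4sHHII",
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed,
                      sport, dport, client_isn, counter)
    digest = hmac.new(_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")

def make_syn_cookie(src: str, dst: str, sport: int, dport: int,
                    client_isn: int, mss: int, counter: int) -> int:
    """Server ISN for the SYN-ACK. Layout: 6-bit counter | 2-bit MSS index | 24-bit MAC."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):
        if m <= mss:
            mss_idx = i
    top = ((counter & 0x3F) << 2) | mss_idx
    return (top << 24) | _mac24(src, dst, sport, dport, client_isn, counter)

def validate_syn_cookie(src: str, dst: str, sport: int, dport: int,
                        ack_seq: int, ack_ack: int, counter: int) -> Optional[int]:
    """Check the final ACK of the handshake.

    Returns the negotiated MSS on success, None if the cookie is forged,
    stale, or was issued for a different 4-tuple.
    """
    server_isn = (ack_ack - 1) & 0xFFFFFFFF   # client acknowledges cookie + 1
    client_isn = (ack_seq - 1) & 0xFFFFFFFF   # client's SYN carried seq - 1
    top = server_isn >> 24
    counter_low, mss_idx = top >> 2, top & 0x3
    for c in (counter, counter - 1):           # accept current or previous period
        if (c & 0x3F) != counter_low:
            continue
        if (server_isn & 0xFFFFFF) == _mac24(src, dst, sport, dport, client_isn, c):
            return MSS_TABLE[mss_idx]
    return None

def handshake_demo():
    """Constructed handshake: a legitimate client, a spoofed ACK, and a stale replay."""
    src, dst, sport, dport = "198.51.100.7", "192.0.2.10", 40000, 443
    client_isn, c = 0x1234ABCD, 1000
    cookie = make_syn_cookie(src, dst, sport, dport, client_isn, 1452, c)
    # Legitimate client completes the handshake: seq = ISN + 1, ack = cookie + 1.
    ok = validate_syn_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, c)
    # A spoofed source never saw the SYN-ACK, so it cannot know the cookie.
    forged = validate_syn_cookie(src, dst, sport, dport, client_isn + 1, 0xDEADBEEF + 1, c)
    # The same valid ACK arriving two periods later is rejected as stale.
    stale = validate_syn_cookie(src, dst, sport, dport, client_isn + 1, cookie + 1, c + 2)
    return ok, forged, stale

if __name__ == "__main__":
    print(handshake_demo())   # (1440, None, None)
```

The price of statelessness is visible in the cookie layout: only 32 bits are available, so the server must round the MSS to a small table and cannot remember other SYN options such as window scaling or SACK, which is why production stacks enable cookies only once the SYN backlog is under pressure.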

In addition to blocking network connections, DoS attacks may also target computing resources, storage capacity, or processing power. The emergence of the Internet of Things and the growing need to connect inexpensive, battery-powered devices to the Internet may increase the DoS attack surface in the future.

SIEM: platforms and countermeasures (advanced)

The contribution of SIEM platforms to the execute function of the MAPE-K loop is currently limited. Once analysts have defined and validated a plan, other functions, such as change management ticketing systems, take over and ensure that actions are appropriate and do not interfere with business operations.

Within a SOC, analysts use ticketing systems to track the progression and resolution of security incidents and, when necessary, escalate incidents to more experienced or specialised analysts. Ticketing systems can also be used in post-mortem analysis of incidents to evaluate and improve SOC processes.

SOC analysts use ticketing systems to submit change requests to other teams responsible for network or system management. This can extend to security operations, for example if the organisation has its own firewall management platform. This process is largely manual, which delays threat mitigation. It also relies on system or network operators on the other side of the ticketing system understanding the requested change and implementing it quickly. On the other hand, such delays are often seen as necessary for handling false positives and assessing business impact.

SOAR: impact and risk assessment (advanced)

In the past, cyber risk assessment focused primarily on protecting ICT assets, machines, network devices, and links. Risk assessment methods concentrate on identifying protected assets, analysing their vulnerabilities, and modelling impacts. Traditional attack trees were adopted in software tools as attack graphs. These enable individuals responsible for network or system security to model the ICT environment and its vulnerabilities in order to determine the paths an attacker might follow when seeking targets to compromise. Attack graphs allow assessment of the probability of attacker progression, potential damages, and the effects of possible countermeasures.

From a business perspective, attack graphs and vulnerability management technologies support risk management and regulatory compliance. As the impacts of cyber attacks grow and may threaten human life or business continuity, regulators mandate protective and detection measures to ensure that cyber risk is appropriately managed. Although many protection techniques are available, ranging from identification and authentication to filtering and firewalls, the complexity and interconnectivity of ICT infrastructure make comprehensive protection against all threats technically or economically infeasible. Cybersecurity thus becomes an economic trade-off between deploying protective measures, accepting risk, and insuring against negative consequences. Cyber insurance has been challenging, but growing interest in the economics of cybersecurity may support the development of cyber insurance models.

Another aspect of attack graphs is their use in countermeasures. Work on countermeasures has focused on technical solutions because they can be activated to block threats. These include, for example, adding or modifying firewall rules to block unwanted traffic, disabling user account privileges, blocking network or system access for suspicious machines, or shutting down a service or machine. Deploying countermeasures requires impact assessment at both asset and business levels. The heavy dependence of business operations on technical systems means that firewall rules or disabled accounts can disrupt operations more severely than the actual attack, at least temporarily. New impact assessment models must consider not only information and communication technology but also the business services they support, in order to assess criticality and the costs incurred by changes in ICT behaviour.
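The following is an added example, not code from the original text, showing in miniature how an attack graph supports the countermeasure trade-off described above: the most likely attacker path to a target asset is computed from per-step success probabilities (assumed independent), and each candidate countermeasure is scored by the residual expected damage plus the business disruption it causes. The network, probabilities, damage figure and disruption costs are constructed, and the risk measure is the single most likely path rather than the total probability over all paths.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

@dataclass(frozen=True)
class Step:
    src: str      # state the attacker already holds
    dst: str      # state gained by this step
    p: float      # probability the step succeeds, given src (assumed independent)
    label: str    # the weakness the step relies on

@dataclass(frozen=True)
class Countermeasure:
    name: str
    removes: FrozenSet[str]   # step labels it blocks
    disruption: float         # expected business cost of deploying it

def most_likely_path(steps: List[Step], start: str, target: str) -> Tuple[float, List[str]]:
    """Highest-probability simple path from start to target (0.0 if unreachable)."""
    adj: Dict[str, List[Step]] = {}
    for s in steps:
        adj.setdefault(s.src, []).append(s)
    best: Tuple[float, List[str]] = (0.0, [])

    def dfs(node: str, prob: float, path: List[str]) -> None:
        nonlocal best
        if node == target:
            if prob > best[0]:
                best = (prob, path)
            return
        for s in adj.get(node, []):
            if s.dst not in path:            # simple paths only
                dfs(s.dst, prob * s.p, path + [s.dst])

    dfs(start, 1.0, [start])
    return best

def expected_loss(steps: List[Step], start: str, target: str, damage: float,
                  cm: Optional[Countermeasure] = None) -> float:
    """Residual expected damage plus the countermeasure's own disruption cost."""
    remaining = [s for s in steps if cm is None or s.label not in cm.removes]
    prob, _ = most_likely_path(remaining, start, target)
    return prob * damage + (cm.disruption if cm else 0.0)

def choose_countermeasure(steps: List[Step], start: str, target: str, damage: float,
                          options: List[Countermeasure]) -> Tuple[str, Dict[str, float]]:
    scores = {"none": expected_loss(steps, start, target, damage)}
    for cm in options:
        scores[cm.name] = expected_loss(steps, start, target, damage, cm)
    return min(scores, key=scores.get), scores

# Constructed environment: a web tier, a VPN and an application server in front
# of a database holding the business-critical data.
STEPS = [
    Step("internet", "web", 0.6, "web-app-flaw"),
    Step("internet", "vpn", 0.3, "phished-credentials"),
    Step("web", "app", 0.5, "web-to-app-trust"),
    Step("web", "db", 0.2, "db-reachable-from-web"),
    Step("vpn", "app", 0.8, "vpn-to-app-trust"),
    Step("app", "db", 0.7, "app-to-db-rule"),
]
DAMAGE = 1_000_000.0   # constructed estimate for a database compromise

OPTIONS = [
    # Patching the web application needs a short maintenance window.
    Countermeasure("patch-web-app", frozenset({"web-app-flaw"}), 5_000.0),
    # A firewall rule cutting app -> db also stops order processing.
    Countermeasure("block-app-to-db", frozenset({"app-to-db-rule"}), 200_000.0),
    # Disabling the VPN leaves remote staff unable to work.
    Countermeasure("disable-vpn", frozenset({"phished-credentials"}), 50_000.0),
]

if __name__ == "__main__":
    prob, path = most_likely_path(STEPS, "internet", "db")
    print(f"most likely path {path} with probability {prob:.3f}")
    best, scores = choose_countermeasure(STEPS, "internet", "db", DAMAGE, OPTIONS)
    for name, loss in scores.items():
        print(f"{name:16s} expected loss {loss:>10,.0f}")
    print("chosen:", best)
```

With these figures the firewall rule that most directly protects the database scores worst: it reduces the attack probability, but its disruption to the business exceeds the damage it averts, which is exactly the situation the paragraph above warns about.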
