SPINZ: A Speculating Incident Zone System for Incident Handling
Keywords: Cyber Security, Incident Handling, Triage, Traffic Measurement, Anomaly Detection
Organizations that introduce computer and network systems need to respond quickly and accurately to information security incidents in order to counter intense cyber attacks. However, computer security incident response teams (CSIRTs) in organizations receive a large number of alerts and logs that they have to investigate, and this increases incident handling time. Our previous research revealed that the triage process in incident handling failed in many incident cases. In our view, the triage process lacks the ability to assess the overall risk posed by modern cyber attacks, in which an intrusion rarely stays confined to the device that raised the first alert. Zoning of local area networks, i.e. measuring internal-network traffic to determine which devices an incident has touched, is therefore important. We propose the SPeculating INcident Zone (SPINZ) system to support the triage process. The SPINZ system analyzes internal-network flows and outputs an incident zone, which is composed of the devices related to the incident. We evaluated the performance of the SPINZ system through simulations using two incident-flow datasets, generated from two types of internal-network datasets together with malicious-activity flows generated from legitimate commands. We confirm that the SPINZ system can detect an incident zone, but removing unrelated devices from an incident zone is an issue requiring further investigation.
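To make the idea of an incident zone concrete, the following is an added example, not the SPINZ system's own code and not the algorithm described in the paper (the abstract does not specify how flows are analyzed). It assumes a simple speculation rule: starting from a seed host named in an alert, any device reached by a flow inside a time window counts as part of the zone, with flows out of a device considered only after the time that device itself was reached. The flow records, host names and port filter are constructed for illustration. The undirected variant shows the caveat from the abstract: a device that merely talked to a compromised file server gets pulled into the zone even though it is unrelated.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One internal-network flow record (constructed fields, not a real export format)."""
    t: int        # seconds since the start of the capture
    src: str      # source host
    dst: str      # destination host
    dport: int    # destination port


# Constructed sample flows, not taken from the paper's datasets.
FLOWS = [
    Flow(0,   "ws-01", "ws-02", 445),    # seed host moves laterally over SMB
    Flow(5,   "ws-02", "fs-01", 445),    # second hop reaches a file server
    Flow(7,   "ws-02", "ws-03", 445),
    Flow(20,  "ws-03", "ws-04", 3389),   # RDP hop
    Flow(30,  "ws-09", "fs-01", 445),    # unrelated user opening a share
    Flow(900, "ws-04", "ws-05", 445),    # too late for a 60 s window
]


def build_adjacency(flows, directed=True):
    """Index flows by the host they leave (directed) or by both endpoints (undirected)."""
    adj = defaultdict(list)
    for f in flows:
        adj[f.src].append(f)
        if not directed:
            adj[f.dst].append(f)
    return adj


def incident_zone(flows, seed, t0, window, directed=True, ports=None):
    """Speculate the set of devices related to an incident.

    Breadth-first search over flows with timestamps in [t0, t0 + window].
    A flow leaving a host only counts if it occurred at or after the time the
    host was first reached, so the zone follows a plausible propagation order.
    `ports`, if given, restricts the search to flows on those destination ports
    (e.g. the ports used by the legitimate remote-execution tools an attacker
    abuses for lateral movement).
    """
    adj = build_adjacency(flows, directed)
    zone = {seed}
    queue = deque([(seed, t0)])
    while queue:
        host, t_reached = queue.popleft()
        for f in adj[host]:
            if ports is not None and f.dport not in ports:
                continue
            if not (t_reached <= f.t <= t0 + window):
                continue
            peer = f.dst if f.src == host else f.src
            if peer not in zone:
                zone.add(peer)
                queue.append((peer, f.t))
    return zone


if __name__ == "__main__":
    print("directed:  ", sorted(incident_zone(FLOWS, "ws-01", 0, 60)))
    print("undirected:", sorted(incident_zone(FLOWS, "ws-01", 0, 60, directed=False)))
```

With the directed rule the zone from `ws-01` within 60 seconds is `ws-01, ws-02, fs-01, ws-03, ws-04`; the undirected rule additionally pulls in `ws-09`, whose only connection is an ordinary share access to the already-compromised `fs-01`. Which rule is "right" depends on what the analyst needs: the undirected zone is safer for containment scoping, while the directed zone is the better starting point for forensics, and neither removes unrelated devices on its own.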