Network Intrusion Detection Systems and Indicators of Compromise

Introductions

Introductions:
Network intrusion detection systems utilize a myriad of data to generate alerts. There are multiple detection mechanisms used to analyze, correlate, and attribute an incident to an adversary or their tactics.  Most common forms use the signature-based detection, while other systems use patterns or trends.  These types are considered anomaly-based detection, which observe network behavior and any deviations that occur.  Regardless of the type of detection mechanism, all data are included as part of the analysis and considered an Indicator of Compromise (IOC).

 

Indicators of Compromise
Most common types of indicators are categorized as host-based and network-based.  As provided by the initial analysis of network systems, we are presented with network-based indicators of compromise.  The following list of Internet Protocol (IP) addresses have been correlated to some type of anomalous activity within the United States.  Seven (7) of the 14 IP addresses were attributed to the United States, while the seven (7) other IP addresses were attributed to countries, China, Netherlands, New Zealand, Russia, Saudi Arabia, and Venezuela.

 

Attribution Criteria and Determination
During the summit proceedings, every nation was given a list of IP addresses that are currently exhibiting anomalous behavior with the hopes of discovering the source.  Figure 1 provides a list of the IP addresses in question.  The summit organization team would like each of the FVEY nation's cyber teams to analyze the IP address given and offer steps to assist with provided defense or remediation.  As discussed in the previous section websites such as Alien Vault’s Open Threat Exchange and Ip2nation would be used to corroborate the finding.  The criteria that Australia will be utilizing is to compare the two databases to establish a trend of advanced persistent threat (APT) and using that data to identify the bad actors and build a cooperating list to share with the other nations apart of the

Five Eyes intelligence alliance. 

We found that Alien Vault’s Open Threat Exchange provides an update today database of all known viruses and vulnerabilities.  We will use that data along with holistic trends of point of origin to determine whether this was an individual who acted alone, or nation-state attack which is a government-sponsored group of computer experts launching a cyber-attack (Pratt, 2020). We will then be able to identify and implement the required security standards to litigate that threat. 

 

Trust Based on International Policy
The Five Eyes (FVEY) is an intelligence alliance comprising Australia, Canada, New Zealand, the United Kingdom, and the United States and was established in 1955.  These countries are parties to the multilateral UKUSA Agreement, a treaty for joint cooperation in signals intelligence (UKDJ, 2020).  The original UKUSA agreement had a strict set of standards for collecting, sharing, reporting, and analyzing intelligence data.  However, due to the United States September attack on the world trade centers, the Australian government agreed to loosen the restriction set forth by the original 1955 amendment to the UKUSA agreement.  This allowed Australia to build upon the already established relationship by providing more with fewer formalities for the partnering nations.

Indicators of Compromise

 

Network Security Checklist
A Network Security Checklist is a document that contains hardware and software standards, policies, and procedures that will be utilized to protect the network while ensuring maximum communication across the infrastructure. The components in this network security checklist will be used for multilevel security communications in a multilevel trusted environment. Trust levels are the appropriate level of hardware and software protection mechanisms in a computer system based on its intended use. They are established based on a risk analysis that includes a probability and consequence of occurrence of an attack on the system (Papa & Casper, 2011). This document will contain the framework for how network components for both WAN & LAN will be used to litigate risk and secure the network.

 

System Description
Insert system name, location, POCs, boundaries, mission, system security categorizations, type of data processed, classification levels, etc.

 

Scope
Identify assumptions, constraints, timeframe
The scope of this risk assessment is focused on the system’s use of resources and controls to mitigate vulnerabilities exploitable by threat agents (internal and external) identified during the RMF control selection process based on the system’s categorization.

This initial assessment will be a Tier 3 or “information system level” risk assessment.  While not entirely comprehensive of all threats and vulnerabilities to , this assessment will include any known risks related to the incomplete or inadequate implementation of the NIST SP 800-53 controls selected for this system.  This document will be updated after certification testing to include any findings or observations by the independent assessment team.  Data collected during this assessment may be used to support higher level risk assessments at the mission/business or organization level.

 

Purpose
Why is this being done – initial or subsequent and state circumstances that prompted subsequent assessment
Example: This initial risk assessment was conducted to document areas where the selection and implementation of RMF controls may have left residual risk.  This will provide security control assessors and authorizing officials an upfront risk profile.

 

Risk Assessment Approach
This initial risk assessment was conducted using the guidelines outlined in the NIST SP 800-30, Guide for Conducting Risk Assessments.  A approach will be utilized for this assessment.  Risk will be determined based on a threat event, the likelihood of that threat event occurring, known system vulnerabilities, mitigating factors, and consequences/impact to mission.
The following table is provided as a list of sample threat sources.  Use this table to determine relevant threats to the system.  Based on the evaluated threats, the risks to the system are listed in Table 6: Risk Assessment Results along with any mitigating factors.

Attribution Criteria and Determination

 

Identify Attack Vectors
You and your nation state have just suffered an intrusion attack. As a cybersecurity professional, one of the first steps is to identify potential attack vectors. For each known cybersecurity vulnerability and known threats (addressing cybersecurity threats through risk management, international cybersecurity approaches, you and your team members need to identify attack vectors via information systems hardware, information systems software, operating systems (operating system fundamentals, operating system protections), telecommunications (internet governance), and human factors (intrusion motives/hacker psychology). Then, you must determine if any attribution is known for the threat actor most likely involved in exploiting each weakness. 
Review the materials on attack vectors if a refresher is needed. Once you've identified the attack vectors in this step, you will be able to participate in the next step, in which you will discuss your findings with colleagues and compare the findings with their analyses. 

 

Discuss Attack Vectors and Known Attribution
In light of your research in the last step, you will now use your group’s discussion board to share your thoughts with other members of your nation team. Review the findings of classmates in your group, noting points of agreement or disagreement, asking critical questions, and making suggestions for improvement or further research.

You should research incidents of known attribution of the hackers and actors who employ the attack vectors previously discussed by your group. This step provides a variety of options and perspectives for your group to consider when drafting the Attack Vector and Attribution Analysis in the next step.
This step also provides the foundation for research into known attribution, which will help you to discern the motivation for intrusion as well as the identity of the hackers and actors who employ the attack vectors noted.

 

Analyze Attack Vectors and Known Attribution
You've discussed attack vectors and attribution with your nation state team members. In this step, your group will prepare an Attack Vector and Attribution Analysis of your group's findings in the previous steps. The analysis should first identify all possible attack vectors via hardware, software, operating systems, telecommunications, and human factors. Next, you should discuss whether attribution is known for the threat actor (hackers and actors) likely involved in exploiting each weakness. Integrate supporting research via in-text citations and a reference list. This analysis will play a key role in the development of a Vulnerability Assessment Matrix and Cybersecurity Risk Assessment in the next few steps.

Trust Based on International Policy

 

Develop the Vulnerability Assessment Matrix
With the Attack Vector and Attribution Analysis complete, in this step your nation team will assess the impact of identified threats and prioritize the allocation of resources to mitigate or prevent risks. As a group, you will collaborate to develop and submit one Vulnerability Assessment Matrix for your nation.

 

This spreadsheet includes the following:
Characterization of current and emerging vulnerabilities and threats (cybersecurity vulnerability)
Identification of the attack vector(s) employed 
Your assessment (high, medium, or low) of the impact the vulnerability could have on your organization
Submit your team's matrix for feedback. This matrix will be included in the final project deliverable, the Cybersecurity Risk Assessment.

 

Research Industry Best Practices and Countermeasures
At this point, you and your team members have analyzed attack vectors and used your research to construct a vulnerability assessment matrix. The next step in the process of analyzing the intrusion is to look at common practices and countermeasures that can be used for the type of attack your team incurred at the summit.

In this step, you and your team members will perform research on current best practices for authentication, authorization, and access control methods. You will also research possible countermeasures and cyber offense strategies that may be available. Review the materials on countermeasures and cyber offensives/warfare if needed. This research will help you make recommendations in the cybersecurity risk assessment, which you develop in the next step. Approach your research with transparency to support trust among your team. Review these resources on risk assessment and risk assessment approaches to prepare for the next step. The following links will provide you with resources on industry standards and best practices:
Security Operations
Software Development Security
Security Assessment and Testing
Security Engineering

 

Develop the Cybersecurity Risk Assessment
In this step, your team will prepare the Cybersecurity Risk Assessment in the form of a PowerPoint presentation. This is one of your three final deliverables, which you will submit for feedback as a group, and then for individual assessment at the end of the project.

The presentation should identify current measures for authentication, authorization, and access control, and clearly explain weaknesses in your organization's security (to include people, technology, and policy) that could result in successful exploitation of vulnerabilities and/or threats. The presentation should conclude with recommendations (e.g., continue to accept risks, accept some risks (identify them), mitigate some risks (identify them), mitigate all risks, etc.). Include the attack vector and attribution analysis, and the vulnerability matrix from the previous steps. Don’t try to shoehorn every point into your presentation.