CODENOMICON WHITEPAPER - Proactive Cyber Security: Stay Ahead of Advanced Persistent Threats (APTs)
Abuse Situation Awareness Best Practices

To respond to cyber attacks in a timely and effective manner, organizations need to adopt systematic incident handling processes. Key to developing such processes is the ability to share real abuse situation information. The key to designing an effective situation awareness system is understanding that real situation awareness exists only in the minds of the human operators [14]. Thus, tons of data will not help unless it is successfully transmitted, absorbed and assimilated in a timely manner by the operator [14]. Here are some best practices for abuse situation awareness.
Automated Data Collection

External abuse feeds are an under-used resource, and it is easy to understand why: there can be billions of abuse notifications daily, each of them different in terms of timing, format, transport and content [3]. Security personnel must sift through emails, website postings and other communications. In most organizations, these tasks are performed manually by skilled analysts. It makes a lot of sense to automate basic tasks like collecting and processing abuse information, and free up the analysts' time for the actual analysis [3].
Automated Analysis

Expertise plays a major role in situation awareness [14]. An experienced operator will be able to spot similarities between events, even if the events are not exactly alike [14]. For novices this task is much harder [14]. Thus, a good situation awareness system should help operators draw parallels between events [14]. In AbuseSA, incidents are stored in a knowledge database that users with the appropriate access rights can share. This information can be used to augment the abuse feeds automatically and in real time. For example, if a certain IP address has been identified as a drop site, then any traffic to this address will immediately be flagged as high risk.
Actionable Reporting

Abuse feed transports and formats vary considerably. Reporting standards, on the other hand, can be strict [17]. AbuseSA sanitizes and normalizes all the information, sending reports to stakeholders at their preferred times, in their preferred formats. Actionable reporting enables stakeholders to take swift action. Organizations often waste time handling notifications that contain inaccurate, false or old information, or that lack vital information such as IP addresses. AbuseSA filters out such notifications and reports only actionable abuse information.
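The three practices above (automated collection, automated analysis against a shared knowledge base, and actionable reporting) form one pipeline. The following is an added example of that pipeline in Python; it is not AbuseSA code and not from the whitepaper. The two feed formats, their field names, the drop-site list, the 7-day staleness limit and the sample notifications (documentation-range addresses) are all constructed for the example.

```python
import csv
import io
import ipaddress
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feeds (documentation-range addresses, not real abuse data).
CSV_FEED = """ip,type,seen
198.51.100.23,botnet-cc,2024-05-01T10:00:00Z
203.0.113.9,phishing,2024-05-01T09:30:00Z
not-an-ip,spam,2024-05-01T09:00:00Z
"""
JSON_FEED = """[
 {"src": "198.51.100.23", "category": "spam", "ts": "2024-04-01T00:00:00Z"},
 {"src": "192.0.2.77", "category": "scanner", "ts": "2024-05-01T11:00:00Z"},
 {"category": "malware"}
]"""

# Assumed shared knowledge database: addresses analysts already confirmed as drop sites.
KNOWN_DROP_SITES = {"203.0.113.9"}

# Fixed clock so the example is reproducible; a real pipeline uses datetime.now(timezone.utc).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
MAX_AGE = timedelta(days=7)  # notifications older than this are treated as stale


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def collect(csv_text, json_text):
    """Automated collection: read each feed format and map it onto one raw schema."""
    raw = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw.append({"ip": row.get("ip"), "type": row.get("type"),
                    "seen": row.get("seen"), "source": "csv-feed"})
    for obj in json.loads(json_text):
        raw.append({"ip": obj.get("src"), "type": obj.get("category"),
                    "seen": obj.get("ts"), "source": "json-feed"})
    return raw


def normalize(rec):
    """Sanitize one raw record; return None when it lacks a valid IP or timestamp."""
    try:
        ip = str(ipaddress.ip_address(rec["ip"]))
        seen = parse_ts(rec["seen"])
    except (TypeError, ValueError):
        return None
    return {"ip": ip, "type": (rec["type"] or "unknown").lower(),
            "seen": seen, "source": rec["source"]}


def enrich(rec, known_drop_sites=KNOWN_DROP_SITES):
    """Automated analysis: anything involving a known drop site is flagged high risk."""
    out = dict(rec)
    out["risk"] = "high" if rec["ip"] in known_drop_sites else "medium"
    return out


def actionable(recs, now=NOW, max_age=MAX_AGE):
    """Actionable reporting: drop stale items, merge duplicates per IP, order by risk."""
    merged = {}
    for r in recs:
        if now - r["seen"] > max_age:
            continue  # old information wastes the stakeholder's time
        cur = merged.setdefault(r["ip"], {"ip": r["ip"], "types": set(), "sources": set(),
                                          "last_seen": r["seen"], "risk": r["risk"]})
        cur["types"].add(r["type"])
        cur["sources"].add(r["source"])
        cur["last_seen"] = max(cur["last_seen"], r["seen"])
        if r["risk"] == "high":
            cur["risk"] = "high"
    return sorted(merged.values(), key=lambda m: (m["risk"] != "high", m["ip"]))


def run_pipeline(csv_text=CSV_FEED, json_text=JSON_FEED):
    normalized = (normalize(r) for r in collect(csv_text, json_text))
    enriched = [enrich(r) for r in normalized if r is not None]
    return actionable(enriched)


def format_report(items):
    """One line per IP, in a form a stakeholder can act on directly."""
    return ["{risk:6} {ip:15} {types} last_seen={seen:%Y-%m-%dT%H:%MZ} via {src}".format(
        risk=i["risk"].upper(), ip=i["ip"], types=",".join(sorted(i["types"])),
        seen=i["last_seen"], src=",".join(sorted(i["sources"]))) for i in items]


if __name__ == "__main__":
    print("\n".join(format_report(run_pipeline())))
```

On the constructed input, the malformed CSV row and the JSON record without an address are discarded during normalization, the month-old spam report is dropped as stale, and the address listed in the drop-site knowledge base comes out at the top of the report as high risk. In practice the knowledge base and the staleness threshold would be shared, access-controlled state rather than module constants.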