Cyber-Security-Monitoring-Guide

More documents

Recommendations

Info

Cyber Security Monitoring and Logging GuidePart 2 Setting the sceneOverviewCreative, talented and aggressive attackers continue to drive the threat world into new areas. The cyber security threatlandscape continues to evolve, with new and innovative attack methods being able to adapt to their chosen targetenvironment(s).Cyber security incidents – including sophisticated cyber security attacks - can and do occur in many different ways. Therisks to your organisation from cyber security incidents are real, with cyber security attacks now regularly causing significantdamage to the performance and reputation of many different organisations.One of the main ways you can deal with suspected or actual cyber security incidents is to record cyber security-related events,monitor them on a continual basis, and investigate suspected cyber security breaches thoroughly, remediating any issues.However, many organisations have vastly insufficient logging, archiving, correlation and simulation capabilities. This is oftenbecause of a range of significant challenges face them when it comes to implementing an appropriate cyber security monitoringand logging capability. Your organisation may therefore need practical guidance to help with monitoring the relevantevents on your systems and networks for signs of a cyber security attack.Defining a cyber security incidentThere are many types of incident that could be classified as a cyber security incident, ranging from serious cyber securityattacks and major organised cybercrime, through hacktivism and basic malware attacks, to internal misuse of systems andsoftware malfunction.However, project research has revealed that there is no one common definition of a cyber security incident. The two mostcommon (and somewhat polarised) sets of understanding – as shown in Figure 3 below - are either that cyber securityincidents are no different from traditional information (or IT) security incidents – or that they are solely cyber securityattacks.Traditional information(or IT) security incidents are:• Small-time criminals• Individuals or groups just‘having fun’• Localised or communityHacktivists• InsidersCYBERSECURITYINCIDENTSCyber security attacks• Serious organised crime• State-sponsored attack• Extremist groupsFigure 3: Different types of cyber security incidentsThe main difference between the myriad types of cyber security incident appears to lie in the source of the incident (eg.a minor criminal compared to a major organised crime syndicate), rather than the type of incident (eg. hacking, malwareor social engineering). Therefore, it may be useful to define cyber security incidents based on the type of attacker, theircapability and intent.At one end of the spectrum come basic cyber security incidents, such as minor crime, localised disruption and theft.At the other end we can see major organised crime, widespread disruption, critical damage to national infrastructureand even warfare.10
Cyber Security Monitoring and Logging Guide!Capability and intent is what makes both detecting and responding to attacksfrom well-resourced organised crime/state-sponsored attackers different and moredifficult than ‘traditional’ incidents.The main focus of this Guide is to help you monitor indicators of possible cyber security attacks, but it will also beuseful for monitoring traditional information (or IT) security incidents.Details about how to prepare for, respond to and follow up cyber security incidentscan be found in the CREST Cyber Security Incident Response Guide, available fromCREST at http:// www.crest-approved.orgTypical phases in a cyber security attackCyber criminals innovate just as business does and the potential rewards for them grow as business use of cyberspacegrows. They have access to powerful, evolving capabilities which they use to identify, attack and exploit carefullychosen targets. They also have well-developed marketplaces for buying and selling tools and expertise to executesophisticated attacks.!Well-resourced attackers, sufficiently motivated by their target, will often innovateand evolve their methods during a single attack, trying different techniques untilsomething works. Evolution and innovation in ‘traditional’ attacks happens moreslowly, with new techniques evolving over time between waves of attack.For example, in traditional attacks, new variants of malware are released withinweeks/months (after many systems have been patched/AV protected). In contrast, insome state-sponsored attacks, the attackers re-compile their malware several times aday to overcome responsive actions taken.When looking at a cyber security attack in more detail there are often a number of phases that attackers willundertake, which can sometimes take place over a long period of time. An example of the basic componentsof such a phased approach is outlined in Figure 4 on the following page, together with some of the commoncountermeasures for each phase.11
Page 1: Cyber SecurityMonitoring and Loggin
Page 4 and 5: Cyber Security Monitoring and Loggi
Page 60:
The quadrants in this diagram outli
show all

Cyber-Security-Monitoring-Guide

Create successful ePaper yourself

Delete template?

Save as template?