RE: Intrusion Risk Assessment

Hi Robert,

It's good to see that you are putting effort into this topic. Although there is a recognized need for a framework linking vulnerability assessment and countermeasures systematically from the research community for a while, the IDS data model and the IDMEF from IDWG represent the only widely supported standard effort, as Herve and others have pointed out.

I want to mainly add on to one issue that has barely been brought up in the discussion. From a VA or IDS tool perspective, the impact severity rating can only take into account the "inherent" damaging effect, much like what you have started with. It can only reasonably account for the "direct" impact. For example, you may be able to determine if an vulnerability/attack leads to unprivileged remote access versus privileged access. This is only a direct impact in the sense anything could happen after a root compromise.

This impact is inherent in the sense that you have not accounted for the "asset value" of the target being compromised. This information may not generally be available to anyone outside the owning organization. What it means is that the general framework must recognize this and make provisions for the ultimate users to factor in their asset value in the severity rating of such events. There are papers on applying battlefield intelligence process to intrusion detection that discusses asset value along with many other factors, see Jim Yuill's page at:
www4.ncsu.edu/~jjyuill/Professional/Research/Publications/index.html

To give you a more concrete example of how it can be done, IntruVert's IntruShield system has an underlying Threat and Countermeasure language that links exploits/attack conditions, affected systems and software, multiple detection methods/mechanisms, on-trigger response actions including packet logging, and other relevant info, all together on a per vulnerability basis. This lanaguage is very similar to IDWG model regarding intrusion event characterization but with many extensions to make it a complete Threat and Countermeasure language (I am a believer of the IDWG work, being involved in the Requirements Specification).

In IntruShield, the inherent impact severity of an attack is rated from 0 to 9, while the confidence
level of the detection (reliability and specificity of the detection) is rated with a similar scale. All attack conditions are described in this language in our database, which is the basis for all the IDS policy configuration, real-time alert correlation, aggregation and suppression.

The user, upon deployment, can then modify the severity ratings for any attacks to reflect their valuation of the asset under protection through customized policies. The new severity rating is then used in all the alert handling and reporting. FYI, I am also including an example list of the high-level impact categories used in IntruShield along with the severity rating guidelines.

   Informational

• Anything which is only useful for audit or detecting normal network activity 0

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

   Reconnaissance

• host sweep 1-2
• port scan 3-4

   Exploits

• File read exposure (non-privileged) 1-2
• File read exposure (privileged) 3-5
• File modification (non-privileged): 3-4
  • File modification (privileged) 5-6
• Unprivileged access (nobody): 5-6
• Root-level access gained: 7-9

   DOS (including ddos)                    

    - disable machine/network         7-9

    - disable single applicagtion 5-6


    - performance degradation         2-4



   PolicyViolation

    - installation of illegal application      1-2

    - unauthorized access              2-8

    - installation of network serices      3-5

    - information leak tunnels          5-6                          

    - backdoor access (non-privileged)      5-6


    - backdoor access (privileged)          7-9

Regards,
Fengmin

--
Dr. Fengmin Gong
Director, Intrusion Detection Technologies
IntruVert Networks, Inc.
Email: fengmin@intruvert.com
Voice: (408) 434-8306