IDS mailing list archives

RE: Intrusion Risk Assessment


From: Fengmin Gong <fengmin () intruvert com>
Date: Sat, 18 Jan 2003 14:16:04 -0800

Hi Robert,

It's good to see that you are putting effort into this topic.
Sorry for this late follow-up and I hope it's helpful. Although
there has been a recognized need for a framework linking vulnerability
assessment and countermeasures systematically from the research
community for a while, the IDS data model and the IDMEF from IDWG
represent the only widely supported standard effort, as Herve and
others have pointed out.

I want to mainly add on to one issue that has barely been brought up
in the discussion.  From a VA or IDS tool perspective, the impact
severity rating can only take into account the "inherent" damaging
effect, much like what you have started with. It can only reasonably
account for the "direct" impact. For example, you may be able to
determine if a vulnerability/attack leads to unprivileged remote
access versus privileged access.  This is only a direct impact in
the sense that anything could happen after a root compromise.

This impact is inherent in the sense that you have not accounted for
the "asset value" of the target being compromised.  This information
may not generally be available to anyone outside the owning
organization. What it means is that the general framework must recognize
this and make provisions for the ultimate users to factor in their
asset value in the severity rating of such events. There are papers
on applying the battlefield intelligence process to intrusion detection
that discuss asset value along with many other factors; see
Jim Yuill's page at:
www4.ncsu.edu/~jjyuill/Professional/Research/Publications/index.html

To give you a more concrete example of how it can be done, IntruVert's
IntruShield system has an underlying Threat and Countermeasure language
that links exploits/attack conditions, affected systems
and software, multiple detection methods/mechanisms, on-trigger response
actions including packet logging, and other relevant info, all together
on a per-vulnerability basis. This language is very similar to the IDWG
model regarding intrusion event characterization but with many extensions
to make it a complete Threat and Countermeasure language (I am a believer
in the IDWG work, being involved in the Requirements Specification).

In IntruShield, the inherent impact severity of an attack is rated
from 0 to 9, while the confidence
level of the detection (reliability and specificity of the detection)
is rated with a similar scale. All attack conditions are described in
this language in our database, which is the basis for all the IDS policy
configuration, real-time alert correlation, aggregation and suppression.

The user, upon deployment, can then modify the severity ratings for
any attacks to reflect their valuation of the asset under protection
through customized policies. The new severity rating is then used in
all the alert handling and reporting.  FYI, I am also including an
example list of the high-level impact categories used in IntruShield
along with the severity rating guidelines.

----
   Informational
        - anything which is only useful for audit or detecting
          normal network activity                       0

   Reconnaissance
        - host sweep                                    1-2
        - port scan                                     3-4

   Exploits
        - file read exposure (non-privileged)           1-2
        - file read exposure (privileged)               3-5
        - file modification (non-privileged)            3-4
        - file modification (privileged)                5-6
        - unprivileged access (nobody)                  5-6
        - root-level access gained                      7-9

   DOS (including DDoS)
        - disable machine/network                       7-9
        - disable single application                    5-6
        - performance degradation                       2-4

   PolicyViolation
        - installation of illegal application           1-2
        - unauthorized access                           2-8
        - installation of network services              3-5
        - information leak tunnels                      5-6
        - backdoor access (non-privileged)              5-6
        - backdoor access (privileged)                  7-9

Regards,
Fengmin

--
Dr. Fengmin Gong
Director, Intrusion Detection Technologies
IntruVert Networks, Inc.
Email: fengmin () intruvert com
Voice: (408) 434-8306
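The two-level scheme the message describes (a vendor-side inherent severity and confidence on a 0-9 scale, then a per-deployment adjustment for asset value before alert correlation, aggregation and suppression) as an added example; this is illustrative code written for this archive page, not IntruShield's own, and the asset values, policy overrides and sample alerts are constructed.

```python
from dataclasses import dataclass

# Inherent impact severity guideline from the message: (category, subtype) -> (low, high).
GUIDELINES = {
    ("Reconnaissance", "port-scan"): (3, 4),
    ("Exploits", "root-access"): (7, 9),
    ("DOS", "disable-machine"): (7, 9),
    ("PolicyViolation", "backdoor-privileged"): (7, 9),
}

ASSET_VALUE = {"build-box": 0.2, "payroll-db": 1.0}  # constructed: 0.0 throwaway .. 1.0 crown jewel

@dataclass
class Alert:
    category: str
    subtype: str
    target: str      # host the attack was aimed at
    confidence: int  # 0-9 detection confidence, as in the message

def inherent_severity(alert):
    """Vendor-side rating: midpoint of the guideline range; unknown attack -> 0."""
    lo, hi = GUIDELINES.get((alert.category, alert.subtype), (0, 0))
    return (lo + hi) // 2

def effective_severity(alert, overrides=None):
    """Site-side rating: an explicit policy override wins; otherwise place the
    alert within its guideline range according to the target's asset value."""
    key = (alert.category, alert.subtype, alert.target)
    if overrides and key in overrides:
        return overrides[key]
    lo, hi = GUIDELINES.get((alert.category, alert.subtype), (0, 0))
    value = ASSET_VALUE.get(alert.target, 0.5)  # unknown asset: mid-range
    return lo + round((hi - lo) * value)

def disposition(alert, overrides=None, min_conf=3):
    """Alert handling: suppress low-confidence noise, escalate what is both
    severe for this site and confidently detected, log the rest."""
    if alert.confidence < min_conf:
        return "suppress"
    sev = effective_severity(alert, overrides)
    return "escalate" if sev >= 7 and alert.confidence >= 6 else "log"

def aggregate(alerts):
    """Collapse repeats of one attack against one target into (count, max confidence)."""
    out = {}
    for a in alerts:
        key = (a.category, a.subtype, a.target)
        n, conf = out.get(key, (0, 0))
        out[key] = (n + 1, max(conf, a.confidence))
    return out
```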
