
(Judging by voting and answers, I failed rather badly at asking a question that in my head was superbly clear. Clearly I was wrong. I've since attempted to rephrase the original question to more precisely reflect my original thought, and now with the help of two good answers to a terrible question!)

Question:

Has anyone come across a repository of Honeypot configurations modelled based on the CAPEC and a set of suitable metrics for discovering the attack pattern in question?

Background

Reports and discussions often surround the number of confirmed breaches, such as DBIR et al. While it's possible to draw a number of conclusions from this data about the effectiveness of security mechanisms it's certainly no easy task, nor particularly accurate.

I learned of CAPEC a few months back and have only recently been reintroduced to Honeypots. A failed breach attempt could, if modelled correctly, demonstrate what exactly prevented the attempted breach and hence what security mechanisms actually do work.

(Having recently had the DBIR presented to me by one of the original writers, it was only in a minority of cases where, for example, an IDS was responsible for the discovery of the breach.)

Christoffer
  • Honeypots do all this, but they do not cover global data or attempts on real assets. – schroeder May 16 '13 at 14:44
  • @schroeder Forgive me, but I'll have to express some skepticism about your comment considering the all-inclusive "... do all this". Would you mind explaining, in somewhat more detail, how you derive effectiveness and metrics from the Honeypot? – Christoffer May 16 '13 at 14:55

2 Answers


While the question is a bit general - the answer is yes. That is the good news, the bad news is that you will have to work.

What do I mean?

There is an excellent threat modeling tool called PTA - Practical Threat Analysis (you can download it from our web site www.software.co.il). If you follow the methodology of mapping assets, threats (breaches, ...), vulnerabilities (people, systems, network, software), and security countermeasures, you will be able to build a fairly good model of your system. The PTA software will then show you which countermeasures are the most cost-effective based on the asset value, probability of threat occurrence and level of damage/threat.

Regarding metrics - metrics are in a sense the measurement data for a threat model. Regarding data breaches - not knowing what kind of assets you are trying to protect - it is hard for me to give you a general answer but I would collect metrics from your firewalls/IPS, DLP appliance (if you have one) and Linux auth logs - like the number of failed login attempts, root login attempts etc.

If you are interested in metrics - I would highly recommend reading Jaquith's "Security Metrics" - it's available on Amazon.

Hope this gives you some direction.

Danny Lieberman
  • Appreciate your reply despite my, now obvious, lack of clarity in my question. Threat analysis is something I'm fairly comfortable with, having performed them roughly a few times each month for about three years. Combining your answer with Mr. Schroeder's, I believe that this could make for some interesting research: an aggregated repository of threat scenarios modelled in honeypot configurations to ascertain the effectiveness of various security mechanisms. Thanks! (+1) – Christoffer May 16 '13 at 20:18

The nature of the question is vague, and the word 'model' is undefined in this case. But, I will endeavour to talk about Honeypots as a potential response to the question.

A Honeypot (or series of Honeypots) is designed to allow a breach to occur in a safe environment. From this resource, the attack vector can be determined as well as an inference as to the intended target. Each successful Honeypot 'hit' can be defined as a 'failed' breach attempt.

Different Honeypots can capture different kinds of data on different kinds of attacks, and it allows an organization to determine the effectiveness of deployed protection technologies. Web-based, service-based, network-based, and, recently, password-based Honeypots allow a researcher to model the type of attack and gather further data on the intended next steps of the attack. Many Honeypots capture uploaded files and code for deeper analysis, which seems to satisfy the OP's desire for modeling data, if this is what he meant by the term.

Placing Honeypots inside and outside of protection boundaries allows for a comparison of attack attempts in order to further quantify the effectiveness of protection measures in the light of actual attack or probing events.

It seems that the question intends to differentiate between a 'probe' and a potential 'breach' (otherwise, one could simply gather probe event data and assume each is a failed breach attempt, of which there is much data to be found). Honeypots allow for this type of differentiation by allowing a probe to escalate to an attack, thereby gathering the data required to model and categorize.

schroeder
  • Thank you for taking the time to expand on your previous comment. I do realize now that my question was rather vague and I should have taken the time to be more precise. Nonetheless I appreciate the answer. (+1) – Christoffer May 16 '13 at 20:14
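The two answers above make a concrete, testable claim: auth-log style records (Danny Lieberman's "failed login attempts, root login attempts") are the raw metrics, and a honeypot's value (schroeder's point) is that it separates a bare probe from an attempt that offers credentials and from one the honeypot deliberately lets succeed. The script below is an added example and is not code from either answer, from PTA, or from any honeypot project. It parses constructed sshd-style lines (all addresses and timestamps are made up), computes those counts, and buckets each source into probe / failed breach attempt / escalated. The `PATTERN_PLACEHOLDER:` labels stand in for the CAPEC entries a real repository would map each bucket to; the brute-force threshold of two failures is an arbitrary assumption for illustration.

```python
"""Added example: auth-log metrics plus probe-vs-breach classification for honeypot data.
Sample lines and pattern labels are constructed placeholders, not real data or CAPEC IDs."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in the syslog/sshd format used by Linux auth.log.
SAMPLE_AUTH_LOG = """\
May 16 14:40:01 honeypot sshd[2101]: Connection closed by 198.51.100.7 port 51022 [preauth]
May 16 14:40:05 honeypot sshd[2102]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 16 14:40:09 honeypot sshd[2102]: Failed password for root from 203.0.113.5 port 40122 ssh2
May 16 14:40:12 honeypot sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
May 16 14:40:20 honeypot sshd[2103]: Accepted password for root from 203.0.113.5 port 40130 ssh2
May 16 14:40:25 honeypot sshd[2104]: Failed password for invalid user test from 192.0.2.9 port 33010 ssh2
May 16 14:41:00 honeypot sshd[2105]: Connection closed by 192.0.2.44 port 40000 [preauth]
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(r"Accepted \w+ for (?P<user>\S+) from (?P<src>\S+)")
PREAUTH_CLOSE_RE = re.compile(r"Connection closed by (?P<src>\S+) port \d+ \[preauth\]")


def parse_events(text):
    """Turn auth-log lines into (src, kind, user) tuples; lines we do not recognise are skipped."""
    events = []
    for line in text.splitlines():
        if m := FAILED_RE.search(line):
            events.append((m["src"], "failed", m["user"]))
        elif m := ACCEPTED_RE.search(line):
            events.append((m["src"], "accepted", m["user"]))
        elif m := PREAUTH_CLOSE_RE.search(line):
            events.append((m["src"], "preauth_close", None))
    return events


def auth_metrics(events):
    """The host-level counts the first answer suggests collecting from Linux auth logs."""
    return {
        "failed_logins": sum(1 for _, k, _ in events if k == "failed"),
        "accepted_logins": sum(1 for _, k, _ in events if k == "accepted"),
        # Any attempt against root, whether the honeypot accepted it or not.
        "root_login_attempts": sum(1 for _, k, u in events if k in ("failed", "accepted") and u == "root"),
        "preauth_disconnects": sum(1 for _, k, _ in events if k == "preauth_close"),
    }


def classify_sources(events, brute_force_threshold=2):
    """The second answer's distinction, per source address:
    'probe'                 - connected but never offered credentials,
    'failed_breach_attempt' - offered credentials, none accepted,
    'escalated'             - the honeypot accepted a login, so the next steps can be recorded."""
    per_src = defaultdict(Counter)
    for src, kind, _ in events:
        per_src[src][kind] += 1
    result = {}
    for src, counts in per_src.items():
        if counts["accepted"]:
            stage = "escalated"
        elif counts["failed"]:
            stage = "failed_breach_attempt"
        else:
            stage = "probe"
        # Placeholder labels; a real repository would map each to a CAPEC entry.
        if counts["failed"] >= brute_force_threshold:
            pattern = "PATTERN_PLACEHOLDER:credential-guessing"
        elif counts["failed"] or counts["accepted"]:
            pattern = "PATTERN_PLACEHOLDER:single-credential-attempt"
        else:
            pattern = "PATTERN_PLACEHOLDER:service-probe"
        result[src] = {"stage": stage, "pattern": pattern, "counts": dict(counts)}
    return result


if __name__ == "__main__":
    evs = parse_events(SAMPLE_AUTH_LOG)
    print(auth_metrics(evs))
    for src, info in classify_sources(evs).items():
        print(src, info["stage"], info["pattern"], info["counts"])
```

Run against a honeypot placed outside a protection boundary and one placed inside, the `stage` histogram per source is the comparison the second answer describes: sources that reach "escalated" on the outside host but only "probe" on the inside one are the ones the boundary actually stopped.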