An Attack Timeline

Sorting out the value propositions of different detection and response technologies can be challenging. This makes it difficult for organizations to implement a complete and appropriate toolset.
Written by Paul Proctor, Contributor


META Trend: Threat and vulnerability management integration will accelerate, with intrusion detection (under the guise of "intrusion prevention") capturing more vulnerability and asset information (2004/05). Although automated response to alerts will be commonly available, organizations will make limited use of it through 2005/06. Managed services of various types (e.g., vulnerability alerts, intrusion detection systems) will continue to experience increased demand, but despite vendor consolidation, maturity will lag for many disciplines through 2007.

Our research indicates continued growth of monitoring and detection within enterprises through 2008. To better comprehend a detection technology, it is important to understand the time frame in which the detection is accomplished because not all attacks are equal, and it can be easy to end up comparing apples and oranges when seeking to implement a new solution in the enterprise. This Delta presents an attack timeline to understand how and where detection, response, and other security technologies can be used.

The timeline itself is a continuum with an attack event at the center at time zero. On either side of the attack, there are different points where monitoring and intrusion detection technology can be applied. Generally speaking, mechanisms on the left side of the timeline are considered protection activities, and events on the right side are considered detection activities. The far left is assessment, and the far right is forensics (see Figure 1).

Each point in the timeline has its own benefits and technology requirements. It is necessary to cover multiple points in the timeline to work toward comprehensive, end-to-end monitoring and intrusion detection. The timeline is intended to give organizations a framework for discussing detection and response requirements from a common understanding. Technologies may be overlaid on the timeline to fully understand their benefits. Specific incidents may be overlaid to facilitate better understanding of their scope and effect.

Days or Weeks Before the Attack
This is an appropriate place in the timeline to assess a target system for proper configuration, including known patches, policies, and vulnerabilities. Technologies in this space would traditionally include, but are not limited to, manual analysis (e.g., security posture assessments, penetration testing), vulnerability assessment, and enterprise security policy management tools. The benefit in the assessment space is in confirming that a system is secure or at least not vulnerable to certain types of attacks.

Hours Before the Attack
This is also usually associated with the periodic assessment space. However, the second point in Figure 1 implies mechanisms that run every few hours (e.g., a file integrity checker) rather than every few days, weeks, or months (e.g., vulnerability assessment, penetration test).

Milliseconds Before the Attack
Active monitoring is applied in-line: pass-through mechanisms capture the data and decide whether to pass it on. In this case, the access control mechanism can functionally stop an attack before it happens.

Time Zero (the Attack)
This point is deceptively simple on the surface. Capturing an attempt to access an unauthorized file or pass on a worm infection like SoBig is fairly simple to understand in this context. However, many attacks that result in substantial loss are in a more extended form. For example, a large software manufacturer suffered an attack in 2001 when the invader logged in multiple times over 12 days using a legitimate user ID and password. Eventually, the attacker found the source code to one of its key applications and downloaded parts of it. Several questions arise out of this example, including the following:

  • What is the definition of the attack?
  • Was it an attack before the source code was downloaded?
  • Was time zero at the first unauthorized login?
  • How many unauthorized logins were there? If more than one, were these multiple attacks?

It should be obvious that the definition of an attack, and the mechanisms needed to detect attacks, can be muddled. It is important to understand, and to be able to communicate clearly, which attacks the organization is required to detect and which mechanisms address those requirements. Some attacks occur at a single point in time, but many are a spanning set of actions that together equate to an attack, so it can be difficult to identify time zero.

Milliseconds After the Attack
This is traditionally known as real-time detection. An active monitoring mechanism is used to look for patterns of misuse within a short period of time. Industry definitions have pegged the definition of real time at anywhere from within five seconds to five minutes of an event occurring. An organization should understand its own definition for real time and ensure that its technologies are able to meet this requirement.

Hours After the Attack
This is commonly known as post-processing detection. Data is gathered and held for processing together. One of the significant benefits to this approach is the ability to aggregate across multiple sources that may have time delays before all data is present. Post-processing detection uses fewer network and host resources than real-time detection. This is critical when using target-resident agents to gather data.

Days/Weeks After the Attack
The forensics area has applications in many areas, including long-term attack detection, damage assessment, investigation support, and even protection (by showing areas of weakness based on past attack detection). Long-term attack detection is routinely ignored, but common wisdom shows that up to 80% of the losses are attributable to insider misuse or abuse. An insider profile can show multiple attacks over long time periods. Several processes may benefit from the use of the timeline (see Figure 2).
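As an added illustration (not from the article or META Group), the following Python sketch takes the twelve-day source-code incident, the real-time and post-processing sections, and the forensics point above, and shows how a detection's delay places it on the timeline, why post-processing must wait for slow-arriving sources, and one way to define time zero for a spanning attack. The log, account names, paths, the six-hour batch delay and the one-day boundary between post-processing and forensics are constructed assumptions; only the five-minute real-time upper bound comes from the article.

```python
from datetime import datetime, timedelta
from typing import NamedTuple

class Event(NamedTuple):
    source: str       # log source that produced the record
    when: datetime    # when the action happened (its position on the attack timeline)
    arrived: datetime # when the record reached the point where detection runs
    user: str
    action: str

# Constructed sample log modelled on the incident above: one legitimate account, several
# logins over 11 days, source code read and downloaded. Dates, names and paths are invented.
# VPN records arrive within a second; the file server ships its log in six-hour batches.
T0 = datetime(2001, 3, 1, 2, 0)
def _ev(src, offset, arrival_lag, user, action):
    return Event(src, T0 + offset, T0 + offset + arrival_lag, user, action)
EVENTS = [
    _ev("vpn", timedelta(), timedelta(seconds=1), "jdoe", "login"),
    _ev("vpn", timedelta(days=3), timedelta(seconds=1), "jdoe", "login"),
    _ev("fileserver", timedelta(days=3, minutes=10), timedelta(hours=6), "jdoe", "read src/core"),
    _ev("vpn", timedelta(days=5), timedelta(seconds=1), "asmith", "login"),
    _ev("vpn", timedelta(days=11), timedelta(seconds=1), "jdoe", "login"),
    _ev("fileserver", timedelta(days=11, minutes=30), timedelta(hours=6), "jdoe", "download src/core"),
]

def timeline_bucket(event_time, detect_time, real_time_limit=timedelta(minutes=5)):
    """Place a detection on the timeline by its delay after the event it detects.
    The 5-minute real-time limit is the article's upper bound; the one-day boundary
    between post-processing and forensics is an assumption for this example."""
    delay = detect_time - event_time
    if delay <= real_time_limit:
        return "real-time"        # milliseconds after the attack
    if delay < timedelta(days=1):
        return "post-processing"  # hours after the attack
    return "forensic"             # days or weeks after the attack

def visible_at(events, horizon):
    """Records a detector can actually see at a given moment: only those that have arrived.
    Real-time detection sees each source's records as they land; post-processing waits
    until the slower sources have caught up before correlating across them."""
    return [e for e in events if e.arrived <= horizon]

def spanning_attack(events, user):
    """One answer to 'where is time zero?': treat all of one user's actions as a single
    spanning attack whose time zero is the first login and whose end is the last action."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.when)
    logins = [e for e in mine if e.action == "login"]
    return {"time_zero": logins[0].when, "logins": len(logins),
            "last_action": mine[-1].when, "span_days": (mine[-1].when - logins[0].when).days}
```

At the moment the file read happens, only the two VPN logins are visible to any detector; the read itself is not correlatable until the file server's batch arrives six hours later, which is exactly the aggregation benefit the post-processing section describes.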

Bottom Line: The attack timeline is an important concept for organizations to understand their requirements and the capabilities of different security tools on the market.

Business Impact: Failure to understand detection requirements can lead to the purchase of incorrect technologies and the inefficient use of existing tools.

META Group originally published this article on 8 January 2004.
