
Portaledge: Detecting Cyber Attacks – Part 6: Event Class Events

Portaledge has an event hierarchy. The hierarchy (from smallest to largest) consists of: Event Triggers, which cause Events, which are correlated in a class into Event Class Events. Events and Event Class Events can be correlated across classes into Meta Events.

Today I am going to discuss Event Class Events. Triggers and Events were covered last week in Part 5 of this series. Meta Events will be described in an upcoming post.

To date we have released one set of Event Class modules for Portaledge, the Availability Class, and another set, the Enumeration Class, is forthcoming. The other classes to be developed are: Communication, Escalation, Exploitation, Obfuscation, Process Manipulation, and possibly Reconnaissance. More information on the Portaledge classes and hierarchy can be found on the SCADApedia.

Each Event belongs to one and only one Event Class. For example, the Enumeration Event Class contains the UDP Port Scan, SYN Port Scan, ICMP Scan, TCP Port Scan, and FIN Port Scan events, as well as the associated Port Sweep events. The Enumeration Class also contains a Finger Detection Event and an Event that monitors for out-of-range communications, the Traffic Monitor Event. These Enumeration Events, scheduled for release shortly, represent only a subset of the total events defined in the Enumeration Event Class.

As Events occur they are logged and written to the historical database. When the Event Class Event module periodically fires, it examines the Events associated with its Event Class across a time slice and correlates those Events on commonalities (for example, a shared source IP and protocol). The Events sharing commonalities are “chained” into Event Chains within the Event Class.

For clarification of this process, consider the following examples:

An attacker runs an Nmap UDP scan against a subset of systems on a network segment. As each system in the subset is scanned, an Enumeration Class Event is created and written to the historical database; it reports that the system has been scanned, the source IP and port of the scan, and the number of ports touched on the scanned system. When the Enumeration Event Class module fires, it gathers all of these data points across a time slice and correlates them on the common source IP and protocol of the scan. The common events are sorted on time and chained into an “Enumeration Event Class Chain.” The chain is composed of the same number of parts as the number of events detected, and each part contains the data of the event that caused it.

In the second example, consider the case where an attacker performs a TCP port scan of a single system. This port scan creates a TCP Port Scan Enumeration Event indicating that a number of ports were scanned from the attacker’s system and port. The attacker, noticing that the finger port is enabled, next tries to enumerate user accounts using finger. This creates a number of Finger Enumeration Events. The Event Class Event module correlates these events on the common source IP of the attacker’s system and the common destination IP of the system that was scanned and fingered. An Enumeration Event Class Chain is created containing the TCP port scan as its first part, followed by the subsequent finger events.
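To make the correlation step concrete, here is an added example (not code from the original post or from Portaledge itself) that models one firing of an Enumeration Event Class module over a time slice. The event field names, the two commonality keys (source IP plus protocol, and source IP plus destination IP), and the sample events are all assumptions constructed for this illustration, not Portaledge’s actual schema; the sample data mirrors the two scenarios above, plus one event outside the time slice that must be ignored.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


# Constructed model of an Enumeration Class Event, using the fields the post
# describes (source IP/port, destination IP, protocol, ports touched, time).
# The layout is an assumption for this example, not Portaledge's schema.
@dataclass(frozen=True)
class Event:
    kind: str           # e.g. "UDP Port Scan", "TCP Port Scan", "Finger Detection"
    time: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    protocol: str       # "udp", "tcp", "icmp"
    ports_touched: int


@dataclass
class EventClassChain:
    key: tuple                                   # the commonality the parts share
    parts: list = field(default_factory=list)    # Events sorted on time


def events_in_slice(events, start, end):
    """Select the events whose timestamp falls inside [start, end)."""
    return [e for e in events if start <= e.time < end]


def chain_events(events, commonality, min_parts=2):
    """Group events on a commonality key, sort each group on time, and
    return the groups as chains. Groups smaller than min_parts are not
    correlations, so they are dropped."""
    groups = defaultdict(list)
    for e in events:
        groups[commonality(e)].append(e)
    chains = []
    for key, members in groups.items():
        if len(members) < min_parts:
            continue
        members.sort(key=lambda e: e.time)
        chains.append(EventClassChain(key=key, parts=members))
    chains.sort(key=lambda c: c.parts[0].time)   # oldest chain first
    return chains


# The two commonalities used in the post's examples (assumed key layout).
def by_source_and_protocol(e):
    return (e.src_ip, e.protocol)


def by_source_and_destination(e):
    return (e.src_ip, e.dst_ip)


# Constructed sample events: scenario 1 (one UDP scanner, three hosts),
# scenario 2 (TCP scan of one host, then finger probes of the same host),
# and one ICMP event 20 minutes later that lies outside the time slice.
T0 = datetime(2009, 6, 23, 10, 0, 0)
SAMPLE_EVENTS = [
    Event("UDP Port Scan", T0 + timedelta(seconds=5), "10.0.0.9", 40000, "10.0.1.11", "udp", 120),
    Event("UDP Port Scan", T0 + timedelta(seconds=2), "10.0.0.9", 40000, "10.0.1.10", "udp", 118),
    Event("UDP Port Scan", T0 + timedelta(seconds=8), "10.0.0.9", 40000, "10.0.1.12", "udp", 121),
    Event("TCP Port Scan", T0 + timedelta(seconds=30), "10.0.0.7", 51000, "10.0.1.20", "tcp", 1000),
    Event("Finger Detection", T0 + timedelta(seconds=45), "10.0.0.7", 51001, "10.0.1.20", "tcp", 1),
    Event("Finger Detection", T0 + timedelta(seconds=50), "10.0.0.7", 51002, "10.0.1.20", "tcp", 1),
    Event("ICMP Scan", T0 + timedelta(minutes=20), "10.0.0.9", 0, "10.0.1.10", "icmp", 1),
]


def run_event_class_module(events=SAMPLE_EVENTS, start=T0, slice_length=timedelta(minutes=5)):
    """One firing of the Event Class Event module: take the time slice and
    build chains on each commonality separately."""
    window = events_in_slice(events, start, start + slice_length)
    return {
        "source_protocol": chain_events(window, by_source_and_protocol),
        "source_destination": chain_events(window, by_source_and_destination),
    }


if __name__ == "__main__":
    for name, chains in run_event_class_module().items():
        for chain in chains:
            print(name, chain.key, [(e.kind, e.dst_ip) for e in chain.parts])
```

Each commonality is evaluated independently, so a single event can appear in more than one chain: the TCP scan and finger events chain together both on source IP and protocol and on source IP and destination IP, while the UDP scan of three hosts only chains on source IP and protocol. Choosing which commonalities a class evaluates, and the length of the time slice, is what tunes how much an attacker's activity is linked together.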

Posts in the Portaledge Series:
Part 1: Portaledge Overview
Part 2: Aggregating and Identifying Security Events
Part 3: PI Points, Tags and the Module Database
Part 4: The PI ACE Engine
Part 5: Triggers and Events
Part 6: Event Class Events
Part 7: Meta Events
Portaledge GUI

Comments

Pingback from Digital Bond » Detect Scanning On Control Systems: Another Portaledge Release
Time: June 30, 2009, 6:03 pm

[...] Enumeration Release include the Enumeration Event Class event (see last week’s discussion of Event Class Events and event Chains) that correlates events on four types of commonalities, and links events into chains to provide a [...]

Pingback from Digital Bond » Portaledge: Detecting Cyber Attacks – Part 7: Meta Events
Time: July 20, 2009, 12:33 pm

[...] discussed in Part 6 of our ongoing series on the inner workings of Portaledge, Portaledge has an event hierarchy. The [...]
