Portaledge Event Taxonomy
From SCADApedia
Digital Bond's Portaledge project aggregates and correlates security events from a wide variety of data sources in OSIsoft's PI server to detect cyber attacks on control systems. The correlation takes a composite approach where one or more triggers cause events; multiple events can cause event class events; and multiple event class events can cause meta events.
Portaledge is funded by a U.S. Department of Energy research contract.
Commonalities
All correlation rules in Portaledge are based on a commonality between two or more items that serve as triggers for that level of the taxonomy. Examples of commonalities are:
- Time Periods - items occurring within the same time period (default ten minutes) may be related
- Source IP Address - traffic generated from the same source IP address is likely to represent the same attacker
- Event - the same event seen on multiple systems could represent a broad-based scan, attack or other cause
Each Event and Event Class can and is likely to have its own unique commonalities.
The correlation rules are written in PI Advanced Computing Engine (ACE) templates. These ACE templates and the associated documentation are the main deliverables in Portaledge, and the ACE templates will be available as Digital Bond subscriber content.
Portaledge Taxonomy
The Portaledge Event Taxonomy is a hierarchical structure where triggers cause events, events cause event class events, and event class events cause meta events. This taxonomy is depicted in the drawing below and explained later on this page.
Chains
The data that caused an event, event class event, or meta event to be created is captured in a chain and kept with its respective event, event class event, or meta event. This chain will help an analyst better understand the activity in the network during a live or post-incident investigation.
Events
Events are the base level of correlated information in the Portaledge Event Taxonomy. An event is generated by one or more triggers with a commonality. For example, a Port Scan event could be triggered by both a firewall log and an IDS alert. The chain of triggers for each event will be recorded and kept with the event.
An event is targeted at a single system or device, i.e., a single IP address. So a broad-based port scan would create many Port Scan events.
Each event is a member of one event class.
Event Classes
A Portaledge event class is a logical grouping of events based on the goal of the attacker. The current list of event classes is:
- Availability
- Communication
- Enumeration
- Escalation
- Exploitation
- Obfuscation
- Process Manipulation
- Reconnaissance
NOTE: Each event class will soon have its own SCADApedia page that will list all of the events and event triggers in the event class.
When an event occurs, an event class event is generated. The PI ACE template for the event class will identify commonalities among all events in the event class and create an event class chain. The longer and more varied the chain, the more confidence one can have in the event class event occurring. For example, if a variety of servers, workstations, routers and PLCs are causing events in the Availability event class, then there is more confidence that an Availability issue is occurring on the control system.
Examples of event class events and their chains are:
- Availability: WindowsSystemAvailability>WindowsSystemAvailability>WebServerAvailability>RouterAvailability
- Enumeration: PortScan>FunctionCodeScan>PointsListScan
Asset owners will be able to select which event class ACE templates they want to deploy. An asset owner could choose to deploy only the Availability, Reconnaissance and Exploitation ACE templates, or decide to deploy the templates in a phased manner to fully understand and tune each event class ACE template.
Meta Events
A meta event is generated when two or more event class events with a commonality occur. There are no specific names for meta events. Instead the meta event is named by the event class event chain that triggered the meta event. Some Meta Event Chain examples are shown below:
- Meta Event Chain: Reconnaissance>Enumeration>Exploitation
- Meta Event Chain: Enumeration>Availability
- Meta Event Chain: Escalation>Communication>Obfuscation
Confidence Calculations
The Portaledge event taxonomy holds the promise of calculating the confidence in an identified event, event class event or meta event based on the number and variety of triggers that caused each level of event. The triggers are identified and saved in the chains. In theory, the length of a chain, which represents the number of triggers, increases the confidence that the event has occurred.
Currently Digital Bond is simply counting the number of triggers and publishing this as a confidence level with the event. As Portaledge matures this metric is likely to be modified. For example, should the number of different data sources have a larger impact? Should all triggers at all levels be considered in the calculation? Should each trigger have a confidence level to differentiate between triggers?
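The following added example, which is not Digital Bond's ACE template code, walks the Events, Event Classes, Meta Events and Confidence Calculations sections above through one pass: constructed firewall, IDS and PI alarm triggers are chained into events by a shared event name and target IP, events into event class events by class, and event class events into a meta event by a shared target IP, all within the ten-minute window. The event-to-class mapping, the target-IP commonality for meta events and the trigger records are assumptions made for the example; confidence is the page's current metric, a count of triggers.

```python
# Added illustration of the Portaledge levels (triggers -> events -> event class
# events -> meta events); not Digital Bond's ACE templates. Inputs are constructed.
WINDOW = 600  # seconds: the page's default ten-minute time-period commonality
# Assumed mapping of event names (taken from the page) to their event classes.
EVENT_CLASS = {"PortScan": "Enumeration", "FunctionCodeScan": "Enumeration",
               "WebServerAvailability": "Availability"}
# Constructed triggers: (time, data source, source IP, target IP, event name)
TRIGGERS = [
    (0, "firewall", "10.0.0.9", "10.0.1.5", "PortScan"),
    (30, "ids", "10.0.0.9", "10.0.1.5", "PortScan"),  # same scan, second source
    (120, "ids", "10.0.0.9", "10.0.1.7", "FunctionCodeScan"),
    (400, "pi_alarm", None, "10.0.1.7", "WebServerAvailability"),
    (5000, "firewall", "10.0.0.3", "10.0.1.5", "PortScan"),  # outside the window
]

def correlate(items, start, same, window=WINDOW):
    """One taxonomy level: an item joins a chain when it shares the commonality with the chain's first item and starts within the window of it."""
    chains = []
    for it in sorted(items, key=start):
        for ch in chains:
            if same(ch[0], it) and start(it) - start(ch[0]) <= window:
                ch.append(it); break
        else:
            chains.append([it])
    return chains

def build_events(triggers):
    """Triggers -> events: same event name on one target IP; confidence = trigger count."""
    chains = correlate(triggers, lambda t: t[0], lambda a, b: a[4] == b[4] and a[3] == b[3])
    return [{"name": c[0][4], "target": c[0][3], "start": c[0][0], "chain": c,
             "confidence": len(c)} for c in chains]

def build_class_events(events):
    """Events -> event class events: same class; chain is event names, e.g. PortScan>FunctionCodeScan."""
    chains = correlate(events, lambda e: e["start"],
                       lambda a, b: EVENT_CLASS[a["name"]] == EVENT_CLASS[b["name"]])
    return [{"class": EVENT_CLASS[c[0]["name"]], "start": c[0]["start"],
             "chain": ">".join(e["name"] for e in c),
             "targets": {e["target"] for e in c},
             "confidence": sum(e["confidence"] for e in c)} for c in chains]

def build_meta_events(class_events):
    """Event class events -> meta events: assumed commonality is a shared target IP; needs two or more class events and is named by its chain."""
    chains = correlate(class_events, lambda c: c["start"],
                       lambda a, b: bool(a["targets"] & b["targets"]))
    return [{"name": ">".join(c["class"] for c in ch),
             "confidence": sum(c["confidence"] for c in ch)}
            for ch in chains if len(ch) >= 2]
```

Running the three builders in order on TRIGGERS yields a single meta event named Enumeration>Availability, because the port scan at time 5000 falls outside the window and starts its own chain rather than raising the confidence of the earlier one.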