Security Community Blog

Epidigitalogy: Digital Disease Control (Part VI)

Samples and References
Created: 25 Aug 2014
By EfrainO

Survey Study Tools
     The following tables, graphs and visualizations are examples of tools for continuous surveillance of digital populations.

Cohort Study
      A cohort study takes a random sample of the population, marks each host's outcome against the list of known infected systems, then splits the sample by a specific variable or set of variables (the exposure) and compares the hosts' health outcome in each group; the ratio of the two infection rates is the relative risk. In Table 1, users who used a resource from USB were 5.69 times more likely to become infected. This finding warrants further study to ascertain exactly what caused the infections from USB use, but at a minimum a USB protection layer can be considered to reduce the overall probability of an infection outcome. If all the USB-borne disease pathogens were executable files, security administrators may consider an endpoint security policy that prevents execution from USB devices but still allows reads and writes to and from them.
[Table 1: Table1.PNG]

Case-Control Study
     If a specific resource is suspected as a determinant of a digital disease, a case-control table may help shed some light. It starts from the outcome rather than the exposure: take the known infected hosts (cases) and a comparison group of known uninfected hosts (controls), ask of each "who accessed the resource" (for example \\Nas1server\fileshare), and compare how often the cases were exposed with how often the controls were; the result is expressed as an odds ratio.
[Table 2: table2.PNG]
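The two measures behind Table 1 and Table 2, as an added example (not code from the original post): a 2x2 table is built from per-host records, the cohort relative risk and the case-control odds ratio are computed from it, and an approximate 95% confidence interval on the relative risk is added because a ratio such as "5.69 times more likely" means little if the interval still includes 1. The host list is constructed sample data, and the field names "usb_exec" (ran an executable from USB), "nas1_share" (accessed \\Nas1server\fileshare) and "infected" are assumptions.

```python
"""Cohort (relative risk) and case-control (odds ratio) measures over host records.

Added example, not code from the original post. HOSTS is constructed sample
data; the field names usb_exec, nas1_share and infected are assumptions.
"""
import math

HOSTS = [
    {"host": "ws-01", "usb_exec": True,  "nas1_share": True,  "infected": True},
    {"host": "ws-02", "usb_exec": True,  "nas1_share": True,  "infected": True},
    {"host": "ws-03", "usb_exec": True,  "nas1_share": True,  "infected": True},
    {"host": "ws-04", "usb_exec": False, "nas1_share": True,  "infected": True},
    {"host": "ws-05", "usb_exec": False, "nas1_share": False, "infected": True},
    {"host": "ws-06", "usb_exec": True,  "nas1_share": False, "infected": False},
    {"host": "ws-07", "usb_exec": False, "nas1_share": True,  "infected": False},
    {"host": "ws-08", "usb_exec": False, "nas1_share": True,  "infected": False},
    {"host": "ws-09", "usb_exec": False, "nas1_share": False, "infected": False},
    {"host": "ws-10", "usb_exec": False, "nas1_share": False, "infected": False},
    {"host": "ws-11", "usb_exec": False, "nas1_share": False, "infected": False},
    {"host": "ws-12", "usb_exec": False, "nas1_share": False, "infected": False},
]


def two_by_two(records, exposure, outcome="infected"):
    """Return (a, b, c, d): a = exposed & infected, b = exposed & clean,
    c = unexposed & infected, d = unexposed & clean."""
    a = b = c = d = 0
    for r in records:
        if r[exposure]:
            if r[outcome]:
                a += 1
            else:
                b += 1
        else:
            if r[outcome]:
                c += 1
            else:
                d += 1
    if a + b == 0 or c + d == 0:
        raise ValueError("both the exposed and the unexposed group must be non-empty")
    return a, b, c, d


def relative_risk(a, b, c, d):
    """Cohort measure: infection risk among the exposed / risk among the unexposed."""
    risk_exposed = a / (a + b)
    risk_unexposed = c / (c + d)
    return math.inf if risk_unexposed == 0 else risk_exposed / risk_unexposed


def relative_risk_ci(a, b, c, d, z=1.96):
    """Approximate 95% confidence interval for the relative risk (normal
    approximation on the log scale); (0, inf) when a cell is empty."""
    rr = relative_risk(a, b, c, d)
    if a == 0 or c == 0 or rr == math.inf:
        return (0.0, math.inf)
    se = math.sqrt(1 / a - 1 / (a + b) + 1 / c - 1 / (c + d))
    return (math.exp(math.log(rr) - z * se), math.exp(math.log(rr) + z * se))


def odds_ratio(a, b, c, d):
    """Case-control measure: odds of exposure among cases / odds among controls."""
    return math.inf if b == 0 or c == 0 else (a * d) / (b * c)


def exposure_report(records, exposure):
    """Everything a surveillance table row needs for one suspected determinant."""
    a, b, c, d = two_by_two(records, exposure)
    low, high = relative_risk_ci(a, b, c, d)
    return {
        "table": (a, b, c, d),
        "relative_risk": relative_risk(a, b, c, d),
        "rr_95ci": (low, high),
        "odds_ratio": odds_ratio(a, b, c, d),
        # only act on the exposure when the interval excludes 1
        "significant": low > 1.0,
    }


if __name__ == "__main__":
    for exposure in ("usb_exec", "nas1_share"):
        print(exposure, exposure_report(HOSTS, exposure))
```

On this small sample both exposures show a relative risk well above 1 (3.0 for USB execution, 4.0 for the share), yet neither interval excludes 1, which is the caveat a practitioner should attach before rolling out a blocking policy: widen the sample, or treat the result as a lead for the investigative questionnaire rather than as proof.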

Distribution of Hosts by Source of Symptom Alerting Technology (MultiVariable Table)
     This multivariable table highlights the different logging sources that are identifying a known digital disease pathogen on hosts. Such a table can help show which technology is best at identifying a particular threat, and that technology can then be leveraged as a mitigating control. Sorting by any of the columns may reveal tell-tale signs of susceptibility. For example, if the table is sorted by operating system and it turns out that more Windows XP systems are becoming infected, investigating what specifically in Windows XP makes it susceptible may help with formulating a mitigating control.
[Figure: diagnosis.PNG]

Frequency Distribution of files by reputation and file size
This scatter plot places each file by reputation score (x-axis) and file size. The files at the far right of the x-axis are known good and can potentially be ignored. The files with scores between -106 and -8 are of unknown reputation and are therefore suspect.
[Illustration 7: illustration7.PNG]

Epicurves
     The illustration 8 epicurve is built from a set of logs specific to autorun.inf activity, logged to a central server, and plots the frequency of Network Attached Storage (NAS) server access violations involving autorun.inf over time. It shows that autorun.inf writes to the NAS have increased significantly in a steady upward curve, which may indicate a new digital disease pathogen introduced into the environment.
[Illustration 8: illustration8.PNG]
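An epicurve of the kind in illustration 8, computed from centralised log lines, as an added example (not code from the original post). The log line format, the NAS name and the host names are assumptions, and the lines are constructed sample data; the code keeps only write violations whose target is autorun.inf, counts them per calendar day (filling quiet days with zero so the curve does not hide a gap), flags a steady rise over the last few days, and reports the earliest writer as the probable index case, which is question 4 of the investigative questionnaire further down.

```python
"""Epicurve of autorun.inf write violations on a NAS from central log lines.

Added example, not code from the original post. The line format below is an
assumption and LOG_LINES is constructed sample data; adapt LINE_RE to the NAS
or SIEM export actually in use.
"""
import re
from collections import Counter
from datetime import date, timedelta

LOG_LINES = [
    r"2014-08-11 09:14:03 NAS1 ACCESS_VIOLATION host=ws-017 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-11 10:02:41 NAS1 ACCESS_VIOLATION host=ws-042 path=\\Nas1server\fileshare\report.xlsx action=write",
    r"2014-08-13 08:51:12 NAS1 ACCESS_VIOLATION host=ws-017 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-13 11:20:05 NAS1 ACCESS_VIOLATION host=ws-023 path=\\Nas1server\fileshare\AUTORUN.INF action=write",
    r"2014-08-13 13:33:09 NAS1 ACCESS_VIOLATION host=ws-005 path=\\Nas1server\fileshare\autorun.inf action=read",
    r"2014-08-14 07:45:00 NAS1 ACCESS_VIOLATION host=ws-023 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-14 09:10:37 NAS1 ACCESS_VIOLATION host=ws-031 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-14 16:58:22 NAS1 ACCESS_VIOLATION host=ws-008 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-15 08:03:19 NAS1 ACCESS_VIOLATION host=ws-031 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-15 08:47:55 NAS1 ACCESS_VIOLATION host=ws-008 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-15 10:15:02 NAS1 ACCESS_VIOLATION host=ws-050 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-15 12:30:44 NAS1 ACCESS_VIOLATION host=ws-061 path=\\Nas1server\fileshare\autorun.inf action=write",
    r"2014-08-15 17:05:11 NAS1 ACCESS_VIOLATION host=ws-017 path=\\Nas1server\fileshare\autorun.inf action=write",
]

LINE_RE = re.compile(
    r"^(?P<ts>(?P<day>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}) \S+ ACCESS_VIOLATION "
    r"host=(?P<host>\S+) path=(?P<path>\S+) action=(?P<action>\S+)$"
)


def parse(lines):
    """Yield one dict per line that matches the assumed format; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def autorun_writes(lines):
    """Keep only write violations whose target file is autorun.inf (any case)."""
    for ev in parse(lines):
        if ev["action"] == "write" and ev["path"].lower().endswith("autorun.inf"):
            yield ev


def epicurve(lines):
    """Events per calendar day, with days that had no events filled in as 0."""
    counts = Counter(ev["day"] for ev in autorun_writes(lines))
    if not counts:
        return {}
    days = sorted(date.fromisoformat(d) for d in counts)
    curve, d = {}, days[0]
    while d <= days[-1]:
        curve[d.isoformat()] = counts.get(d.isoformat(), 0)
        d += timedelta(days=1)
    return curve


def rising(curve, window=3, factor=2.0):
    """True when the last `window` days are strictly increasing and the latest
    count is at least `factor` times the first count in the window."""
    vals = list(curve.values())[-window:]
    if len(vals) < window:
        return False
    increasing = all(b > a for a, b in zip(vals, vals[1:]))
    return increasing and vals[-1] >= factor * max(vals[0], 1)


def index_case(lines):
    """(timestamp, host) of the earliest autorun.inf write: the probable patient zero."""
    events = sorted(autorun_writes(lines), key=lambda ev: ev["ts"])
    return (events[0]["ts"], events[0]["host"]) if events else None


if __name__ == "__main__":
    curve = epicurve(LOG_LINES)
    for day, n in curve.items():
        print(day, "#" * n)
    print("rising:", rising(curve), "index case:", index_case(LOG_LINES))
```

The read violation and the spreadsheet write are dropped by the filter, the quiet day shows as a zero rather than vanishing from the x-axis, and the alert condition is deliberately simple (monotone rise plus a doubling) so that it can be reasoned about; a production version would compare against a longer baseline.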

MxN Table Reports

The following table lists the reports that can help an epidigitalogist surveying a digital community for symptoms of digital disease onset. Each report code (MxN) pairs a row dimension M (the class of events counted) with a column dimension N (the attribute the count is broken down by); the letters are defined in the legend below.

(MxN)  Report
(BxJ)  Total number of AV events by operating system
(BxC)  Total number of AV events by registry key
(CxD)  Total number of registry events by process
(GxJ)  Total number of IPS events by operating system
(GxC)  Total number of IPS events by registry key
(CxI)  Total number of registry events by subnet
(DxI)  Total number of process events by subnet
(BxL)  Total number of AV events by application
(CxL)  Total number of registry events by application
(DxL)  Total number of process events by application
(GxL)  Total number of IPS events by application
(AxP)  Total number of events by publisher
(AxQ)  Total number of events by date of first-seen worst infection

Legend of dimensions

A. Total number of events
B. Total number of AV events
C. Total number of Registry events
D. Total number of Process events
E. Total number of Host Integrity events
F. Total number of Network firewall events
G. Total number of IPS events
H. Total number of IPS events by signature type
I. Total count by subnet
J. Total count by operating system type
K. Total count by service pack
L. Total count by application
M. Count of applications discovered
N. Executable name (X.exe)
O. Company label
P. Publisher
Q. Date of first worst infection
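The multivariable table above and the (MxN) report list both reduce to one operation: filter events to one source technology, then count them by one host or file attribute. The following added example (not code from the original post) implements that operation so that any code from the table, such as "(GxJ)" or "(AxP)", produces its report directly. The event records are constructed sample data, the field names are assumptions, and subnets are assumed to be /24.

```python
"""(MxN) report generator: count events of one source (M) by one attribute (N).

Added example, not code from the original post. EVENTS is constructed sample
data and the field names are assumptions; the letter codes follow the legend
in the post. Letters such as C and D mean "registry events" / "process events"
in the M position and "by registry key" / "by process" in the N position.
"""
from collections import Counter
from ipaddress import ip_network


def ev(source, host, os, ip, app, publisher, process, registry_key=None):
    """Build one constructed event record with the assumed field names."""
    return dict(source=source, host=host, os=os, ip=ip, app=app,
                publisher=publisher, process=process, registry_key=registry_key)


RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
EVENTS = [
    ev("AV",       "ws-001", "Windows XP", "10.1.1.10", "x.exe",       "Unknown",  "x.exe"),
    ev("AV",       "ws-002", "Windows XP", "10.1.1.11", "x.exe",       "Unknown",  "x.exe"),
    ev("AV",       "ws-003", "Windows 7",  "10.1.2.20", "x.exe",       "Unknown",  "x.exe"),
    ev("IPS",      "ws-001", "Windows XP", "10.1.1.10", "browser.exe", "Vendor A", "browser.exe"),
    ev("IPS",      "ws-004", "Windows 7",  "10.1.2.21", "browser.exe", "Vendor A", "browser.exe"),
    ev("Registry", "ws-001", "Windows XP", "10.1.1.10", "x.exe",       "Unknown",  "x.exe", RUN_KEY),
    ev("Registry", "ws-002", "Windows XP", "10.1.1.11", "x.exe",       "Unknown",  "x.exe", RUN_KEY),
    ev("Process",  "ws-003", "Windows 7",  "10.1.2.20", "x.exe",       "Unknown",  "x.exe"),
]

# M dimension: predicate selecting which events are counted
ROWS = {
    "A": lambda e: True,
    "B": lambda e: e["source"] == "AV",
    "C": lambda e: e["source"] == "Registry",
    "D": lambda e: e["source"] == "Process",
    "E": lambda e: e["source"] == "HostIntegrity",
    "F": lambda e: e["source"] == "Firewall",
    "G": lambda e: e["source"] == "IPS",
}

# N dimension: key the selected events are grouped by
COLUMNS = {
    "C": lambda e: e["registry_key"],
    "D": lambda e: e["process"],
    "I": lambda e: str(ip_network(e["ip"] + "/24", strict=False)),  # assumes /24 subnets
    "J": lambda e: e["os"],
    "L": lambda e: e["app"],
    "P": lambda e: e["publisher"],
}


def mxn_report(code, events=EVENTS):
    """'(GxJ)' -> Counter of IPS events keyed by operating system."""
    m, n = code.strip("()").upper().split("X")
    keep, key = ROWS[m], COLUMNS[n]
    return Counter(key(e) for e in events if keep(e))


def report_table(code, events=EVENTS):
    """Rows sorted by count, highest first: the 'sort by column' view in the post."""
    return mxn_report(code, events).most_common()


if __name__ == "__main__":
    for code in ("(BxJ)", "(GxI)", "(CxD)", "(AxP)"):
        print(code, report_table(code))
```

With the sample data, (BxJ) shows the AV detections concentrated on Windows XP, (CxD) ties every Run-key write to x.exe, and (AxP) shows the unsigned ("Unknown" publisher) file accounting for most events, which is the kind of sort-and-look result the multivariable table is meant to surface.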

 

Epidigitalogy helps answer the following types of questions:
1. Does exposure to USB executables increase the likelihood of infection?
2. Does limiting execution from certain resources reduce the infection rate while still allowing an acceptable level of functionality?
3. Does limiting access to a specific resource improve security without disproportionately hurting the business?
4. What is the ratio of infected to non-infected machines by type of resource used?
5. Where is the best mitigation target: the host, the environment or the pathogen?
6. Is the best mitigating control:
     a. A patch on the host?
     b. A web filtering device block rule?
     c. An update to the endpoint protection software (antivirus, intrusion prevention system, behavior, firewall, application control)?

 

Epidigitalogy Investigative Questionnaire
1. When did the digital disease determinant first appear?
2. Where did the digital disease first appear?
3. Where did the digital disease pathogen originate?
4. Who is the probable index case (patient zero)?
5. Were the affected parties a specific group of assets or persons?
6. What is common about the affected hosts?
7. Are the digital disease determinants endemic?
8. Who was within the area when the infections began?
9. Would assigning different people to specific target areas improve the odds of discovery?
10. Is the corporation willing to change?
11. Is the organization prepared and willing to make OS changes quickly?
12. Is the organization prepared to make security product changes quickly?
13. Should alternate security software and/or procedural controls be used as a second opinion?
14. Is information from all departments logged to a central authority?
15. What are the actual and potential health problems in the community?
16. Which populations are at increased risk of digital disease exposure?
17. Which problems have declined over time? Why?
18. Which ones are increasing or have the potential to increase? Why?
19. How does the distribution of security services and controls relate to the level and distribution of digital diseases?

 

Epidemiology References

Vinten-Johansen, Peter, et al. Cholera, Chloroform, and the Science of Medicine. Oxford University Press, 2003.

"Who is Dr. John Snow?" Retrieved from http://www.ph.ucla.edu/epi/snow.html

Johnson, Steven. The Ghost Map. Riverhead Trade, reprint edition, October 2, 2007.

Pendergrast, Mark. Inside the Outbreak. Mariner Books, reprint edition, April 13, 2011.

Centers for Disease Control and Prevention. "Principles of Epidemiology in Public Health Practice" (Self-Study Course SS1978). Retrieved from http://www.cdc.gov/osels/scientific_edu/ss1978/SS1978.pdf

Friis, Robert H. Epidemiology 101. Jones & Bartlett, 2010.

"D3.js" [Software]. Retrieved from http://www.d3js.org/

"jqPlot" (jQuery plotting plugin) [Software]. Retrieved from http://www.jqplot.com/tests/bubble-plots.php

"Centers for Disease Control and Prevention Epidemic Intelligence Service" web site. http://www.cdc.gov/eis/

"Epi Info 7" [Software]. (2014). Centers for Disease Control and Prevention. Retrieved from http://wwwn.cdc.gov/epiinfo/

Outbreak. Dir. Wolfgang Petersen. Perf. Dustin Hoffman, Rene Russo. Warner Bros., 1995.

Contagion. Dir. Steven Soderbergh. Perf. Matt Damon, Kate Winslet. Warner Bros., 2011.

The Andromeda Strain. Dir. Robert Wise. Perf. James Olson, Arthur Hill. Universal Pictures, 1971.

 
