Wireless Threat Triage and Response: Part 2, Impact and Correlation
Author/Blog Contributor - Chia-Chee Kuan, CTO at AirMagnet
Date: September 24, 2010
Welcome to part two of a three part series on wireless threat triage and response. In the last post, we discussed the first of three key factors in evaluating wireless threats: severity. Today, we'll look at two more elements - who the threat will affect and correlation.
Prioritizing threats based on the profile of the target is key. Threats can be relative to the people or systems that may be impacted. For example, a security vulnerability in a finance or research and development network is likely more important than a vulnerability in a guest network. A compromised CEO is (typically) more important than a compromised entry-level employee.
It is important to ask yourself the following questions:
- Who and what key assets are affected? How many devices are impacted?
- Is the threat on the wire? Inside?
To prioritize based on targets, use ACLs and device grouping to segment your users and infrastructure, set important devices as VIPs, set devices with chronic problems as VIPs for easy tracking and tag security violators to be instantly recognized if they reappear.
Correlation is sometimes difficult to evaluate when triaging a wireless threat. Unless you have complete visibility into the history of your wireless network (which is easily possible with some wireless solutions), it can be difficult to place a threat in context to other threats or patterns. Hence the importance of wireless forensic (event history and network traffic), which can serve the following purposes:
- Postmortem analysis on attack entry point, attack tools, data volume lost, etc.
- Evidence of the attack
- Attack frequency and trending analysis
- Wired and wireless correlation
Some questions to keep in mind:
- Could this be part of a larger attack?
- Does this threat share any correlations with other recent threats?
Could there be a trend?
Some wireless issues become more important when they occur together. Because of this, you need to see the big picture of events that could be connected as part of an attack, quickly find devices that are at the root of attacks or performance problems and detect anomalies in threat patterns that may expose an attack. Visibility into the history of your network is key, including short-term trends and long-term patterns.
Another way of correlating activity is to categorize by device. If there is a type of device with a concentration of alarms it may be easier to discover the root cause. Scoring systems, like those found in AirMagnet Enterprise, are extremely helpful in this analysis. Wireless solutions also help you to determine the reach of a threat and its potential impact.
Once you fully evaluated the severity, targets that will be affected and correlation of a threat, you are ready to respond to the issue. Look for our final post coming soon, where we'll outline the RESPONSE.
Chia-Chee Kuan is CTO and co-founder of AirMagnet. Chia-Chee will contribute his expertise on technology, security vulnerabilities, and future trends in the WLAN industry.