
New evict and recover techniques #240

Merged
10 commits merged into develop from ryantxu1/new-evict-and-restore-techniques on Sep 19, 2024

Conversation


@ryantxu1 ryantxu1 commented May 1, 2024

New Evict Techniques:

  • Evict Access
    • Unenroll Suspicious MFA Tokens
    • Remove User Account
  • Evict From Network
    • Black Hole
    • Flush DNS Cache
  • Evict Object
    • Remove Registry Key

New Restore Techniques

ryantxu1 commented May 1, 2024

@netfl0 STILL WIP! But if time allows, please review to see if I'm on the right track

@ryantxu1 ryantxu1 force-pushed the ryantxu1/new-evict-and-restore-techniques branch from 19c25fe to 1163387 on May 8, 2024 16:34
@netfl0 netfl0 added this to the 0.17.0 milestone Jul 10, 2024
@@ -2701,6 +2713,19 @@ BERT (language model). (n.d.). In Wikipedia. [Link](https://en.wikipedia.org/wik
:kb-reference :Reference-TokenlessBiometricTransactionAuthorizationMethodAndSystem,
:Reference-www.biometric-solutions.com_keystroke-dynamics .

:BlackHoleRoute a :BlackHoleRoute,
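Review bot: `:BlackHoleRoute` opens a new class here, but the visible lines show neither a `:d3fend-id` nor a `:definition` triple, whereas the `:NumericPatternMatching` entry elsewhere in this diff carries both; make sure the full entry does too. The name also fixes one routing outcome, while the review comment notes the same mechanism is used to route traffic for monitoring or inspection, so the label and definition should describe the general route manipulation and treat black-holing as one case of it.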
Contributor

This might be its own taxonomy. Sometimes you might route for more monitoring/inspection.

Collaborator Author

yeah I agree that "BlackHoleRoute" might be too specific for a technique, will broaden the scope...

@netfl0 netfl0 left a comment

Need feedback from others listed.

@@ -14481,6 +14551,18 @@ Wikipedia. (n.d.). Nonlinear regression. [Link](https://en.wikipedia.org/wiki/No
:d3fend-id "D3A-NPM" ;
:definition "Numeric pattern matching uses a pattern specification and sees if the numeric value matches that pattern--simple forms include exact matching and range matching." .

:ObjectEviction a :ObjectEviction,
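Review bot: `:ObjectEviction` is introduced with the same self-typed punning as the neighbouring entries, but, as the thread notes, "Object" is a material entity in BFO/CCO. The fragment shows no `:definition` yet; when it is written, have it state that the things evicted are information artifacts (files, registry keys, DNS cache entries, user accounts: the items this PR moves under it), so the practitioner label cannot be read as the CCO class, and add a second label (for example `skos:altLabel`) for the ontological mapping rather than renaming the IRI.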
Contributor

We DO need a broader category like this; Object is something specific in CCO, however. Would like to get thoughts from @hack-sentinel @giacomodecolle and @johnbeve

Object will resonate with practitioners but has ontological issues.

We already use "Decoy Object", but I am deciding if we want to exacerbate this or move in another direction.

Collaborator

Yes, "object" is a material entity in BFO/CCO. Have you considered using two labels, one for practitioners and one for ontologists? I think @johnbeve usually recommends prefLabel or altLabel.

Then we can also start thinking about a corresponding CCO mapping and label (e.g. "malicious information entity eviction").

Collaborator Author

@hack-sentinel @netfl0 I guess this is also related to how the current "Restore" tactic is set up since it has a "Restore Object" bucket. Personally, I'm in favor of this because otherwise we get into a situation where there are potentially too many buckets (Evict Hardware Object, Evict Software, etc)

What do y'all think? Maybe we can use "Evict ARTIFACT" instead?

@ryantxu1 ryantxu1 mentioned this pull request Aug 8, 2024
ryantxu1 commented Aug 16, 2024

Before 8/16 commit:

image

After:

image

Notes

  • Added Session Termination and Takedown Domain Registration techniques, latter courtesy of DNS Eviction #199
  • Deleted Black Hole Route
    • Blackholing and its cousin sinkholing are captured by DNS Denylisting
  • Deleted Network Eviction
    • Given the matrix heuristics, there aren't enough techniques that fall under it currently, so Flush DNS Cache and Takedown Domain Registration are moved to object eviction. (The definition of Evict still covers 'network'.) I chose not to group Flush DNS Cache and Takedown Domain Registration together in a DNS Eviction technique because technically the artifacts are very different.

@netfl0 Please review

ryantxu1 (Collaborator Author)

I could see Rogue Device Removal as a possible addition... @apapaa do you have any further details or references on this?

ryantxu1 (Collaborator Author)

@netfl0 Are there any further changes that need to be made? I don't think the AccessMediator thing is an issue.

netfl0 commented Aug 19, 2024

Edits:

  • Drop "suspicious" from unenroll; more importantly MFA Token Disenrollment
  • Move process Eviction & Credential back up, and reassociate with tactic
  • Move Delete User account to Object Eviction
    • User Account Deletion versus Delete User
  • Move Session Termination to Process Eviction
  • Delete Access Eviction; bring it back later as we expand IAM modeling
  • instead, Domain Registration Takedown
  • DNS Cache Eviction
  • Registry Key Deletion

apapaa commented Aug 19, 2024

Edits:

  • Drop "suspicious" from unenroll; more importantly MFA Token Disenrollment
  • Move process Eviction & Credential back up, and reassociate with tactic
  • Move Delete User account to Object Eviction
    • User Account Deletion versus Delete User
  • Move Session Termination to Process Eviction
  • Delete Access Eviction; bring it back later as we expand IAM modeling
  • instead, Domain Registration Takedown
  • DNS Cache Eviction
  • Registry Key Deletion

@ryantxu1 and @netfl0
Agree with "Domain Registration Takedown" wording. Could also add the following:

  • "Service Takedown" - related to takedown requests that could be sent to abuse notification emails for hosting providers, DNS providers and SaaS providers

ryantxu1 (Collaborator Author)

Post restructure:

image

apapaa commented Aug 19, 2024

Post restructure:

image

Is Revocation a better word than Disenrollment under "MFA Token Disenrollment"?

netfl0 commented Aug 21, 2024

Post restructure:
image

Is Revocation a better word than Disenrollment under "MFA Token Disenrollment"?

I think so. I think we're trying to avoid the notion of getting it physically returned. However, CRLs use the same terminology. In D3FEND 1.0 we should also change CredentialRevoking to CredentialRevocation. cc @hack-sentinel

ryantxu1 (Collaborator Author)

Renaming complete

@@ -4046,10 +4046,10 @@ Effective implementation requires identifying any location that could end up con
rdfs:isDefinedBy <http://dbpedia.org/resource/Credential_Management> ;
:definition "Credential Management, also referred to as a Credential Management System (CMS), is an established form of software that is used for issuing and managing credentials as part of public key infrastructure (PKI)." .

:CredentialRevoking a :CredentialRevoking,
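Review bot: this hunk (-10/+10) edits the `:CredentialRevoking` entry in place rather than removing it, which is the right starting point for the deprecation case study raised in the comment: once the technique is renamed to `:CredentialRevocation`, keep this old IRI declared, mark it `owl:deprecated true` and point it at the new class, so existing `:kb-reference`-style links and downstream mappings keep resolving instead of dangling.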
Contributor

I meant to do this in the future, but we can use this as a case study to test out our deprecation strategy. cc @hack-sentinel
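
As an illustration of the two mechanisms raised in this thread, the dual practitioner/ontologist labels suggested for "Object Eviction" and the deprecation strategy for renaming CredentialRevoking to CredentialRevocation, here is an added Turtle fragment. It is not code from this PR or from the D3FEND repository. The D3FEND namespace IRI, the `owl:Class` half of the punning (the diff only shows `:X a :X,`), the `:CredentialEviction` parent, the `D3-PLACEHOLDER` id, the definition strings, and the altLabel wording (lifted from hack-sentinel's comment above) are all assumptions.

```turtle
@prefix :     <http://d3fend.mitre.org/ontologies/d3fend.owl#> .
@prefix owl:  <http://www.w3.org/2002/07/owl#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix skos: <http://www.w3.org/2004/02/skos/core#> .

# New IRI after the rename. The ":X a :X, owl:Class" punning mirrors the
# ":CredentialRevoking a :CredentialRevoking," line in the diff above; the
# parent class, the id and the definition text are illustrative, not from this PR.
:CredentialRevocation a :CredentialRevocation, owl:Class ;
    rdfs:subClassOf :CredentialEviction ;
    rdfs:label "Credential Revocation" ;
    :d3fend-id "D3-PLACEHOLDER" ;
    :definition "Invalidating an issued credential so that it is no longer accepted for authentication." .

# Old IRI kept in the file so existing :kb-reference and rdfs:subClassOf
# pointers still resolve, but marked deprecated and tied to its replacement.
# owl:equivalentClass lets a reasoner answer queries on the old term with the
# new one; rdfs:comment tells a human reader what happened.
:CredentialRevoking a :CredentialRevoking, owl:Class ;
    owl:deprecated true ;
    owl:equivalentClass :CredentialRevocation ;
    rdfs:label "Credential Revoking" ;
    rdfs:comment "Deprecated: renamed to :CredentialRevocation." .

# Two labels on one class: the practitioner-facing name stays the preferred
# label, while an ontologist-facing alternative (wording taken from the
# thread's CCO mapping suggestion) is recorded without renaming the IRI.
:ObjectEviction a :ObjectEviction, owl:Class ;
    skos:prefLabel "Object Eviction"@en ;
    skos:altLabel "Malicious Information Entity Eviction"@en ;
    :definition "Removing an adversary-controlled information artifact, such as a file, registry key, or DNS record, from a system or network." .
```

Keeping the deprecated IRI as an `owl:equivalentClass` of its replacement means tooling that still queries `:CredentialRevoking` gets the same members under reasoning, while `owl:deprecated true` lets a release check flag any new triple that references the old name.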

ryantxu1 (Collaborator Author)

@netfl0 is there anything else to be done before merging?

ryantxu1 (Collaborator Author)

image

apapaa commented Sep 13, 2024

I think it looks good @ryantxu1
@netfl0 could you please consider adding me as a Contributor when this goes live?

owl:someValuesFrom :File ],
[ a owl:Restriction ;
owl:onProperty :may-access ;
owl:someValuesFrom :FileServer ] ;
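Review bot: the `:may-access some :FileServer` restriction sits alongside `:may-access some :File` on the same subject; if the server access is derivable from the `:File` restriction and the class hierarchy, as the reviewer's "transitive inference" remark suggests, asserting it explicitly is redundant and should be dropped so the axiom set states only what a reasoner cannot derive. This fragment also lacks its `@@` header, so whether the restriction is being added or is pre-existing context cannot be told from the page.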
Contributor

I think we ought to drop this; this would be a transitive inference.

netfl0 commented Sep 13, 2024

It appears there are merge conflicts; can you resolve? @ryantxu1

@ryantxu1 ryantxu1 force-pushed the ryantxu1/new-evict-and-restore-techniques branch from 9fe42a9 to 3a8346f on September 17, 2024 16:11
@netfl0 netfl0 merged commit 610cf2e into develop Sep 19, 2024
1 check passed