
FAQ:

New Alarm Taxonomy in 4.3


(A Guide for USM and OSSIM Users and Evaluators)

What are the new alarm categories in USM and OSSIM v4.3?

What are some examples of each alarm category?

What's the rationale behind the change?


Typically, the verbiage included in log messages for infrastructure devices and security products
is incredibly difficult to understand. There's no consistency, context, or easy way to prioritize
these events when the language is inconsistent and difficult to interpret. At AlienVault, our
goal has always been to reduce the complexity inherent in security monitoring to better assist
security analysts with incident response. That's why we're excited to introduce this new alarm
taxonomy, which:

User FAQ: Alarm Taxonomy Page 1 of 5

• Provides the necessary context for each alarm
• Enables effective prioritization for incident response by describing the INTENT behind
  attack activity
• Simplifies security monitoring by using clear language rather than the esoteric
  categories from the original data source/vendor


What are these Intent categories based on?
We're using a simplified version of an industry standard for understanding how cyber attackers
conduct attacks. Published in 2009, Lockheed Martin's Kill Chain methodology is one of the
best ways of placing a specific event within the larger context of an attack. Considered in
the context of network intrusions, the kill chain describes a scenario in which an attacker must
develop a payload to breach a trusted boundary, establish a presence inside a trusted
environment, and take actions towards the attacker's objectives, whether these objectives
consist of moving laterally inside the environment or violating the confidentiality, integrity, or
availability of a system in the environment.
How do you know what an attacker's intent is?
This can be surmised from the attack activity and from how the attacker is interacting with a
network and its assets. AlienVault Labs applies its extensive research into attacker profiles,
tools, and techniques to evaluate each threat and determine the appropriate category for each
alarm. As a reference, the table below provides some very high-level information regarding the
attacker's goals during each attack stage / type of alarm.

Alarm Type / Intent          Attacker's Goals
---------------------------  ----------------------------------------------------------------
Reconnaissance & Probing     Find target. Develop plan of attack based on opportunities for
                             exploit.
Delivery & Attack            Place delivery mechanism online. Use social engineering to induce
                             target to access malware or other exploit.
Exploitation & Installation  Exploit vulnerabilities on target systems to acquire access.
                             Elevate user privileges and install persistence payload.
System Compromise            Exfiltrate high-value data as quietly and quickly as possible.
                             Use compromised system to gain additional access, steal computing
                             resources, and/or use in an attack against someone else.



Is there some way of identifying the previous naming convention for the alarm?
Yes. We've retained the original (pre-4.3) naming convention, and you can view it in italics at
the top of the alarm detail window for each alarm. For example, you can see the pre-4.3
naming convention for this alarm highlighted in the blue box below:

What happens when I want to add a custom correlation rule?

Any custom correlation rules you've created prior to v4.3 will still be present in the system.
When viewing alarms that have been triggered by these rules, you'll simply be prompted to add
and apply the new taxonomy categories via a configuration wizard. The wizard includes the full
listing of choices available for each category, so it will take only a few moments to make this
change. The same applies to any new custom correlation rules you'd like to add within v4.3.
Which category of alarms should I look at first?
In terms of security exposure, the most critical events will be those in the System Compromise
category. Once a system has been compromised, an attacker has gained a foothold in your network.
This may be an incident contained to a single system; however, in most cases it is just the tip of
the iceberg.
So when viewing all of your alarms, you may want to begin with those that are the most critical,
and typically this is signaled by the System Compromise intent.
In general, keep these tips in mind:
• For each incident, ask yourself these questions: "How close to a successful breach is
  this?" and "How close are the attackers to their goal?"
• Move away from a first-in-first-out pipe model. Look at each event in the context of
  other events as well as the context of what an attacker's goal or intent might be.
• Use the context of your environment and business model to surmise what the intent
  of the attacker is, and use the reporting source of the event to further refine
  prioritization efforts. Establish the reliability of the data source based on the full
  context of what it is reporting.
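To make the three tips above concrete, here is an added example (it is not AlienVault or OSSIM code and is not part of the original FAQ) that ranks a constructed batch of alarms by their v4.3 intent category instead of by arrival order, then refines the ranking with asset value, the reliability you assign to the reporting data source, and whether earlier kill-chain stages have already been seen on the same asset. The Alarm fields `reliability` and `asset_value`, the data-source names, the host addresses, the sample alarms and the scoring weights are all assumptions for illustration.

```python
"""Kill-chain-aware alarm triage.

Added example, not AlienVault/OSSIM code: ranks a constructed batch of
alarms by their v4.3 intent category rather than by arrival order, then
refines the ranking with asset value, reporting-source reliability, and
whether earlier kill-chain stages were already observed on the same asset.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ordinal kill-chain position of each v4.3 intent category. Environmental
# Awareness is a configuration/hygiene finding, not an attack stage, so it
# ranks below Reconnaissance & Probing.
INTENT_STAGE = {
    "Environmental Awareness": 0,
    "Reconnaissance & Probing": 1,
    "Delivery & Attack": 2,
    "Exploitation & Installation": 3,
    "System Compromise": 4,
}


@dataclass(frozen=True)
class Alarm:
    alarm_id: str
    intent: str        # v4.3 taxonomy intent category
    asset: str         # monitored host the alarm concerns
    source: str        # data source that reported the underlying events
    reliability: int   # 0-10 analyst-assigned trust in that source (assumed field)
    asset_value: int   # 0-5 business value of the asset (assumed field)


# Constructed sample alarms in the order they arrived (first-in-first-out).
SAMPLE_ALARMS = [
    Alarm("A-1001", "Reconnaissance & Probing",    "10.0.0.20", "suricata",  6, 2),
    Alarm("A-1006", "Reconnaissance & Probing",    "10.0.0.77", "suricata",  6, 1),
    Alarm("A-1002", "Delivery & Attack",           "10.0.0.20", "sshd",      8, 2),
    Alarm("A-1007", "Environmental Awareness",     "10.0.0.77", "ocs",       7, 1),
    Alarm("A-1005", "System Compromise",           "10.0.0.50", "antivirus", 9, 5),
    Alarm("A-1003", "Exploitation & Installation", "10.0.0.20", "suricata",  6, 2),
    Alarm("A-1004", "System Compromise",           "10.0.0.20", "suricata",  6, 2),
]


def stages_by_asset(alarms):
    """Map each asset to the set of attack stages (stage >= 1) seen on it."""
    seen = defaultdict(set)
    for alarm in alarms:
        stage = INTENT_STAGE[alarm.intent]
        if stage >= 1:
            seen[alarm.asset].add(stage)
    return seen


def triage_score(alarm, seen):
    """Higher score = look at it sooner.

    The intent stage dominates (it answers "how close to a successful breach
    is this?"); asset value and source reliability refine the order; and each
    earlier stage already observed on the same asset adds a bonus, so a full
    recon -> delivery -> exploit -> compromise chain outranks an isolated alarm
    of the same category. The weights are illustrative, not AlienVault's.
    """
    stage = INTENT_STAGE[alarm.intent]
    earlier_stages = [s for s in seen.get(alarm.asset, ()) if s < stage]
    return (stage * 100
            + alarm.asset_value * 10
            + alarm.reliability
            + 20 * len(earlier_stages))


def triage(alarms):
    """Return (alarm, score) pairs, highest priority first.

    sorted() is stable, so alarms with equal scores keep arrival order.
    """
    seen = stages_by_asset(alarms)
    scored = [(alarm, triage_score(alarm, seen)) for alarm in alarms]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    for alarm, score in triage(SAMPLE_ALARMS):
        print(f"{score:4d}  {alarm.alarm_id}  {alarm.intent:28s} "
              f"{alarm.asset:10s} via {alarm.source} (rel={alarm.reliability})")
```

Run as a script, the queue no longer comes out in arrival order: the System Compromise alarm on 10.0.0.20, where the same host already showed reconnaissance, a brute-force attempt and an exploit, ranks first; the isolated System Compromise alarm on the high-value host 10.0.0.50 ranks second; the Environmental Awareness finding ranks last. Whether a reliable antivirus alarm on a crown-jewel asset should outrank a full chain on a low-value host is exactly the kind of environment-specific judgement the third tip asks you to encode, so tune the weights to your own asset inventory and source reliability rather than taking these values as given.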


Describe the quantity of alarm content. How many specific alarms are there?
Each alarm is triggered by an event correlation rule. So, another way of answering this would
be to say that there are currently 1500+ event correlation rules in our threat intelligence
subscription. However, this number will continue to increase as threats evolve and emerge,
and as the technological ability to detect them evolves as well.
The following highlights the breadth of our threat intelligence content:

• Reconnaissance & Probing: In addition to 21 specific checks for discovering services on
  target hosts, we look for port scanning and vulnerability scanning activities, webserver
  probes, and scans initiated by internal hosts.
• Delivery & Attack: We look for 16 different types of delivery and attack strategies.
  These include 116 specific rules for various brute-force authentication techniques as well
  as 53 specific rules for Denial of Service (DoS) attack methods.
• Exploitation & Installation: Within the 10 specific attack strategies for exploitation and
  installation, we look for 115 specific client-side vulnerabilities, a common vector for
  exploitation. Other checks include detection of website exploit kits, service exploits,
  network protocol anomalies, and more.
• System Compromise: With System Compromise being the most critical stage in an
  attack, we wanted to make sure we had the most coverage here. With 1010 specific
  rules to identify a compromised system, we look for 20 different attack strategies,
  including:
  o Trojan infections: 673 unique types of Trojans and their variants, plus 33 Trojans
    specific to mobile devices
  o Worm infections: 43 unique types of worms and their variants
  o Spyware infections: 74 unique types of spyware
  o Adware infections: 52 types of adware
  o Fake Anti-Virus installation: 39 specific signatures to detect fake AV
  o Additional checks include backdoor detection, C&C communication, covert
    channel communication, and file downloads from bad-reputation hosts.
• Environmental Awareness: We include 117 specific checks regarding the configuration
  of your environment, including potentially unauthorized or vulnerable desktop software
  such as Bitcoin, games, P2P, remote desktop tools, and video. Additionally, we detect
  sensitive data lacking controls such as encryption, as well as default passwords,
  passwords in cleartext, and more. Finally, we include checks for network anomalies as
  well, to help define network baselines.

What should I do to resolve an issue once an alarm has fired?

Each event that triggers an alarm will require specific remediation tasks based on the context
of the event, the assets involved, and the relative severity of the activity. That said, we've
provided how-to guidance for every single alarm produced within AlienVault. These
instructions are found within the alarm detail window, as seen in the screenshot below. These
instructions are written by our AlienVault Labs team members, who have decades of CSIRT and
DFIR experience responding to information security incidents and investigations. Updates to
this information are included in our threat intelligence subscription content, along with updates
to our event correlation rules, IDS signatures, vulnerability and asset inventory databases, and
more.

