Information Security Indicators (ISI); Guidelines for security event detection testing and assessment of detection effectiveness

DGS/ISI-005

General Information

Status: Published
Publication Date: 16-Nov-2015
Current Stage: 12 - Completion
Due Date: 20-Nov-2015
Completion Date: 17-Nov-2015
Ref Project:


Standards Content (Sample)

ETSI GS ISI 005 V1.1.1 (2015-11)

GROUP SPECIFICATION
Information Security Indicators (ISI);
Guidelines for security event detection testing and
assessment of detection effectiveness
Disclaimer
This document has been produced and approved by the Information Security Indicators (ISI) ETSI Industry
Specification Group (ISG) and represents the views of those members who participated in this ISG.
It does not necessarily represent the views of the entire ETSI membership.

Reference
DGS/ISI-005
Keywords
ICT, security

ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
The present document can be downloaded from:
http://www.etsi.org/standards-search
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the
print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
https://portal.etsi.org/People/CommiteeSupportStaff.aspx
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying
and microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2015.
All rights reserved.

DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are Trade Marks of ETSI registered for the benefit of its Members.
3GPP™ and LTE™ are Trade Marks of ETSI registered for the benefit of its Members and
of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 6
Foreword . 6
Modal verbs terminology . 7
Introduction . 7
1 Scope . 8
2 References . 8
2.1 Normative references . 8
2.2 Informative references . 8
3 Definitions and abbreviations . 9
3.1 Definitions . 9
3.2 Abbreviations . 9
4 Objectives of security event detection testing . 10
4.1 Assessment of detection effectiveness . 10
4.1.0 Introduction on assessment of detection effectiveness . 10
4.1.1 Examples of quantitative results . 10
4.1.1.1 Detection level . 10
4.1.1.2 Coverage of events specified in ETSI GS ISI 001-1 . 10
4.1.1.3 False-positive rate . 10
4.1.2 Examples of qualitative results . 11
4.2 Conformity evaluation . 11
4.3 Resistance to attacks . 11
5 Test framework . 11
5.0 Introduction . 11
5.1 Active vs. passive testing . 12
5.2 Active testing by stimulation . 12
5.2.1 Objectives . 12
5.2.2 Testing strategy . 12
5.2.3 Stimulation location . 12
5.2.3.0 Introduction on stimulation location . 12
5.2.3.1 Noise generation . 13
5.2.3.2 Generation of events . 14
5.2.3.3 Generation of the event effects . 15
5.2.3.4 Generation of alerts . 16
5.3 Test methodology . 17
5.3.0 Introduction on test methodology . 17
5.3.1 Test planning . 18
5.3.2 Test identification . 18
5.3.3 Test specification . 19
5.3.4 Test generation . 19
5.3.5 Test adaptation . 19
5.3.6 Test execution . 19
5.3.7 Test results analysis . 19
5.4 Tests side-effects . 19
5.4.0 Introduction on tests side-effects . 19
5.4.1 Production disturbance . 19
5.4.2 Access to personal data . 19
5.4.3 Unwanted personal stress . 20
5.5 Summary of the methodology for the generation of test scenarios . 20
6 Instruments for stimulation (tools & techniques) . 20
6.1 Penetration testing . 20
6.2 Actions with internal participation . 20
6.3 Known-vulnerable systems . 21
6.4 Hacking tools . 21
7 Examples of detection tests . 22
7.0 Detection tests specification . 22
7.1 IEX_INT.2: Intrusion on externally accessible servers . 23
7.1.1 Base event . 23
7.1.2 Base event characteristics . 23
7.1.3 Legitimate traffic . 24
7.1.4 T.IEX_INT.2-1 testing . 24
7.1.4.1 Stimulation type selection . 24
7.1.4.2 Test patterns selection . 24
7.1.4.3 Test adaptation . 25
7.1.5 T.IEX_INT.2-2 testing . 25
7.1.5.1 Stimulation type selection . 25
7.1.5.2 Test patterns selection . 25
7.1.5.3 Test adaptation . 25
7.2 IEX_DOS.1: Denial of service attacks on websites . 26
7.2.1 Base event . 26
7.2.2 Base event characteristics . 26
7.2.3 Legitimate traffic . 26
7.2.4 T.IEX_DOS.1-1 testing . 26
7.2.4.1 Stimulation type selection . 26
7.2.4.2 Test patterns selection . 27
7.2.4.3 Test adaptation . 27
7.3 IEX_MLW.3: Malware installed on workstations . 27
7.3.1 Base event . 27
7.3.2 Base event characteristics . 28
7.3.3 Legitimate traffic . 28
7.3.4 T.IEX_MLW.3-1 testing . 28
7.3.4.1 Stimulation type selection . 28
7.3.4.2 Test patterns selection . 28
7.3.4.3 Test adaptation . 29
8 Examples of vulnerability tests . 29
8.0 Introduction . 29
8.1 Abstract vulnerability test patterns . 29
8.2 Use of vulnerability test patterns from existing vulnerability test methods . 29
8.3 Generic vulnerability test patterns . 30
8.3.0 Introduction on vulnerability test patterns . 30
8.3.1 T1 - Test Pattern: Verify audited event's presence . 30
8.3.2 T2 - Test Pattern: Verify audited event's content . 31
8.3.3 T3 - Test Pattern: Verify default-authentication credentials to be disabled on production system . 32
8.3.4 T4 - Test Pattern: Verify presence/efficiency of prevention mechanism against brute force authentication attempts (active, passive) . 33
8.3.5 T5 - Test Pattern: Verify presence/efficiency of encryption of communication channel between authenticating parties (active, passive) . 34
8.3.6 T6 - Test Pattern: Usage of Unusual Behaviour Sequences . 34
8.3.7 T7 - Test Pattern: Detection of Vulnerability to Injection Attacks . 35
8.3.8 T8 - Test Pattern: Detection of Vulnerability to Data Structure Attacks . 36
8.4 Vulnerability test patterns based on MITRE . 36
8.4.0 Introduction on vulnerability test patterns based on MITRE . 36
8.4.1 T9 - Attacking a Session Management . 37
8.4.2 T10 - Attack of the authentication mechanism . 38
8.4.3 T11 - Testing the safe storage of authentication credentials . 38
8.4.4 T12 - Open Redirect . 39
8.4.5 T13 - Uploading a malicious file . 39
8.4.6 T14 - Searching for documented passwords . 39
8.4.7 T15 - Impersonating an external server . 40
8.4.8 T16 - Accessing resources without required credentials . 40
8.4.9 T17 - Ensuring confidentiality of sensitive information . 41
8.5 Mapping of vulnerability test patterns with ETSI GS ISI 001-1 indicators . 41
8.5.0 Introduction . 41
8.5.1 Security Incidents (Ixx) . 41
8.5.2 Indicators with vulnerabilities (Vxx) . 42
8.5.3 Indicators as regards impact measurement (IMP) . 44
Annex A (informative): Authors & contributors . 45
Annex B (informative): Bibliography . 46
History . 47

List of figures
Figure 1: Positioning the 6 GS ISI against the 3 main security measures . 6
Figure 2: Noise generation . 13
Figure 3: Generation of events . 14
Figure 4: Generation of the event effects . 15
Figure 5: Generation of alerts . 16
Figure 6: Test process . 17
Figure 7: Summary of the methodology for the generation of test scenarios . 20


Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://ipr.etsi.org).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by ETSI Industry Specification Group (ISG) Information Security
Indicators (ISI).
The present document is included in a series of 6 ISI specifications.
These 6 specifications are the following (see figure 1 summarizing the various concepts involved in event detection and
interactions between all specifications):
- ETSI GS ISI 001-1 [i.8] addressing (together with its associated guide ETSI GS ISI 001-2 [i.12]) information
security indicators, meant to measure the application and effectiveness of preventative measures;
- ETSI GS ISI 002 [i.9] addressing the underlying event classification model and the associated taxonomy;
- ETSI GS ISI 003 [i.11] addressing the key issue of assessing an organization's maturity level regarding overall
event detection (technology/process/people), in order to evaluate event detection results;
- ETSI GS ISI 004 [i.10] demonstrating, through examples, how to produce indicators and how to detect the related
events with various means and methods (with a classification of the main categories of use cases/symptoms);
- ETSI GS ISI 005 addressing ways to test the effectiveness of the detection means existing within an organization;
this is a more detailed, case-by-case approach than that of ETSI GS ISI 003 [i.11], and the two can therefore be
complementary.
[Figure 1 (diagram not reproduced): GS ISG ISI series summary definition, showing security prevention measures, security event detection measures (real events, fake events from simulation, detected events), event reaction measures, and residual risk (event model-centric vision)]

Figure 1: Positioning the 6 GS ISI against the 3 main security measures
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Introduction
The purpose of the present document is to describe strategies and techniques to test security event detection systems and
to assess the effectiveness of such systems.
The present document also includes a few examples of test scenarios.
1 Scope
The present document provides an introduction and guidelines for the development of tests to check the capabilities of
security event detection systems.
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are necessary for the application of the present document.
Not applicable.
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long term validity.
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ISO 27004:2009: "Information technology - Security techniques - Information security
management - Measurement".
[i.2] ISO/IEC/IEEE 29119-2 (2013): "Software and system engineering - Software Testing - Part 2: Test
process".
[i.3] IEEE 829™-2008: "Standard for Software and System Test Documentation".
[i.4] Recommendation ITU-T X.294: "OSI conformance testing methodology and framework for
protocol Recommendations for ITU-T applications - Requirements on test laboratories and clients
for the conformance assessment process".
[i.5] ISO/IEC 15408: "Information technology - Security techniques - Evaluation criteria for IT
security".
[i.6] Common Weakness Enumeration (CWE).
NOTE: Available at https://cwe.mitre.org.
[i.7] Common Attack Pattern Enumeration and Classification (CAPEC).
NOTE: Available at https://capec.mitre.org.
[i.8] ETSI GS ISI 001-1: "Information Security Indicators (ISI); Indicators (INC); Part 1: A full set of
operational indicators for organizations to use to benchmark their security posture".
[i.9] ETSI GS ISI 002: "Information Security Indicators (ISI); Event Model A security event
classification model and taxonomy".
[i.10] ETSI GS ISI 004: "Information Security Indicators (ISI); Guidelines for event detection
implementation".
[i.11] ETSI GS ISI 003: "Information Security Indicators (ISI); Key Performance Security Indicators
(KPSI) to evaluate the maturity of security event detection".
[i.12] ETSI GS ISI 001-2: "Information Security Indicators (ISI); Indicators (INC); Part 2: Guide to
select operational indicators based on the full set given in part 1".
[i.13] DIAMONDS project deliverables.
NOTE: http://www.itea2-diamonds.org/_docs/D3_WP4_T1_v1_0_FINAL_initial_test_patterns_catalogue.pdf.
[i.14] A. Vouffo Feudjio: "A Methodology For Pattern-Oriented Model-Driven Testing of Reactive
Software Systems", PhD Thesis, February 2011.
NOTE: http://opus.kobv.de/tuberlin/volltexte/2011/3103/pdf/vouffofeudjio_alaingeorges.pdf.
[i.15] OWASP-AT-003: "Testing for Default or Guessable User Account".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the terms and definitions given in ETSI GS ISI 001-1 [i.8] and the following
apply.
stimulation: single or sequence of activities in
...
