When applications are deployed and become part of normal IT operations, APs can aid
the IT Operations team in several areas:
- Provide guidance in system testing
- Assist in identifying possible attacks on the system
- Provide security knowledge and awareness to the operations team
Once applications are deployed, they need to be checked periodically to ensure that
they are not subject to any new or unknown types of attack. Attack Pattern Libraries
(APLs) are living documents that are constantly being updated, which gives an IT
operations team the ability to review the APL and test their systems against new or
existing attacks.
The other benefit that operations teams can realise from APs and APLs is that they can
be applied to a potential attack to identify it, and can guide how applications need
to be hardened against attacks of that type.
New attack patterns are rarely discovered; however, new attacks that use old patterns
are created quite frequently. Understanding the pattern behind an attack therefore
allows operations teams to apply common mitigation strategies to new attacks.
This can result either in the application team developing a patch to handle the
new attack, or in an operations-level mitigation strategy to thwart the attack.
If the application team has implemented mitigation strategies for the attack category,
then the application should be more resistant to other APs in the same category.
For example, if a newly discovered attack is actually just another form of Cross
Site Scripting, which is a type of Injection – Output Corruption attack, and the
application team has implemented a defensive library to handle Injection and Output
Corruption type attacks, then this new variant of the Cross Site Scripting pattern
will most likely be mitigated as well. While you can never assume that a mitigation
strategy will always work against new, unknown attacks, having a mitigation mechanism
in place can prevent knee-jerk reactions that may cause more harm than the initial
attack. Such mechanisms also provide a base which can be adapted to mitigate new
attacks.
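The following is an added illustration of the point above, not code from the paper or any library it cites: a minimal context-aware output-encoding library, i.e. a category-level defence against Injection – Output Corruption, checked against a few constructed Cross Site Scripting variants to show that the page structure stays identical whatever the variant tries. Function names, the sample page and the sample inputs are assumptions made for this example.

```python
# Added example (not from the paper or any system it cites): a minimal
# context-aware output-encoding library as a category-level defence against
# "Injection - Output Corruption". Sample inputs are constructed.
import html
import json
from html.parser import HTMLParser

def encode_html_text(value: str) -> str:
    """Encode untrusted data placed between tags or in a quoted attribute."""
    return html.escape(value, quote=True)

def encode_js_string(value: str) -> str:
    """Encode untrusted data placed in a JS string literal inside <script>.

    json.dumps gives a quoted, backslash-escaped literal; '<' and '>' are
    additionally \\u-escaped so a value can never close the script element.
    """
    return json.dumps(value).replace("<", "\\u003c").replace(">", "\\u003e")

def render_profile(display_name: str, bio: str) -> str:
    """Echo untrusted input into three output contexts via the library."""
    name = encode_html_text(display_name)
    return (
        f'<h1 title="{name}">{name}</h1>\n'
        f"<p>{encode_html_text(bio)}</p>\n"
        f"<script>var who = {encode_js_string(display_name)};</script>"
    )

class _Structure(HTMLParser):
    """Records the element/attribute structure a browser would build."""
    def __init__(self) -> None:
        super().__init__()
        self.tags: list = []

    def handle_starttag(self, tag, attrs) -> None:
        self.tags.append((tag, sorted(k for k, _ in attrs)))

def markup_structure(rendered: str) -> list:
    """Return the (tag, attribute-names) sequence of a rendered page."""
    parser = _Structure()
    parser.feed(rendered)
    return parser.tags

# Constructed XSS variants; each targets a different output context, yet
# all fall under the same pattern and the same category-level mitigation.
VARIANTS = [
    "<script>x()</script>",            # raw tag injection into text
    '" onmouseover="x()',              # attribute break-out
    "</script><script>x()</script>",   # script-element break-out
]
```

Each variant, rendered as both display name and bio, yields the same markup structure as harmless input, so the defence holds without a per-variant rule.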
If a framework is in place to dynamically correct software, such as the one proposed
by Lin, May and Xie in [11], APs can be used as a resource by automated systems
to discover mitigations, patches, and corrective actions. This can greatly reduce
the rapid spread of viruses in connected computer systems.