ABSTRACT
Organizations owning cyber-infrastructure assets face large-scale distributed attacks on a regular basis. In the face of the increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is a need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities, in order to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004, known as Incident 216. Based on our approach, we present the Palantir system, which comprises the conceptual and technological capabilities needed to respond adequately to such attacks. To the best of our knowledge, this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.
Palantir: a framework for collaborative incident response and investigation