Digital Forensics via AEGIS Visualization toolkit 16/10/2018

Presentation transcript:

Enhancing Critical Infrastructure Protection with innovative SECurity framework Digital Forensics via AEGIS Visualization toolkit 16/10/2018 Leonidas Kallipolitis, AEGIS The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.

Introduction - Definitions
Computer forensics: the scientific examination and analysis of data held on, or retrieved from, computer storage media in such a way that the information can be used as evidence in a court of law.
Electronic record: any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or perceived by a person or a computer system or other similar device. It includes a display, printout or other output of that data.
Critical Infrastructure: those "systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters." (USA PATRIOT Act of 2001)

Industrial challenges
The statement [1]: "Europe must create conditions to support European start-ups and emerging/promising cyber-technologies like a European SIEM and Forensics Data Analytics"
- Security data keeps growing: organisations collect, process and analyse more than six terabytes of security data monthly [2].
- Keeping up with the threat landscape is difficult: organisations are overwhelmed by the scaling needs of big-data forensics, which must cover both post-mortem and real-time processing and visualisation of evidence [2].
- Customers need to analyse security event data in real time for internal and external threat management.
- They must collect, store, analyse and report on log data for forensics and regulatory compliance, while maintaining the security and integrity of that data.
[1] European Cybersecurity Industry Leaders. Recommendations on Cybersecurity for Europe. A report to Mr. Gunther H. Oettinger, European Commissioner for Digital Economy and Society.
[2] Enterprise Strategy Group. Cybersecurity Analytics and Operations in Transition. http://esg-global.com/, 2017.

Research challenges (1)
- The growing size of heterogeneous data results in insufficient response time.
- The growing sophistication of malware and attackers highlights the need to develop post-compromise and real-time forensics services.
- Advanced visualisation methods are needed to combine data from heterogeneous sources and to guide forensic investigators to the areas that warrant further review.
- Visualisations must be intuitive, detailed and user-centric, capable of managing, analysing and presenting large amounts of forensic evidence in a user-friendly way.
Drawbacks of existing visualisation frameworks:
- multiple tools have to be used;
- it is difficult to take information seen in one visualisation tool and obtain a different perspective on it in another tool;
- many tools do not allow information to be imported from another tool;
- it takes a significant amount of time to go through all of the tools, collect the data, and then create a coherent report that can potentially be used as evidence in a court of law.

Research challenges (2)
- Better collection of effective data for post-incident security analysis.
- Current cyber-forensic methodologies are not always fully extensible to traditional control-system architectures.
- Correlation of forensic data collected by disparate cyber-centric security procedures and technologies (firewalls [FW], intrusion detection systems [IDS], intrusion prevention systems [IPS], etc.) with device and control-system logging data.
- Post-incident analysis is often dependent on vendor involvement; a proactive understanding of device logging is often neither required of the end user nor incorporated into a defence-in-depth strategy.
- Unforeseen interactions between the forensic tools and the control systems.
- Inclusion of real-time forensic tools for active analysis.
- Growing hard-drive capacity increases both the resources consumed and the time needed to carry out forensic tasks.
Which brings us to visualisation techniques.

Visualisation
Emphasis on visualisation: a silver bullet for "active" (live) forensics?
Pros:
- Provides a good overview (situational awareness)
- Allows data from different sources to be combined
- Accommodates different views
Cons:
- Clutter may confuse the operator
- Creating the views may cause delays
- Worse, it may lead the operator into wrong assumptions

AEGIS Forensics Visualisation Toolkit
- Intuitive, detailed and connected visualisations
- Customised to the Critical Infrastructure via CIPI monitoring
- Innovative forensic services
- Timeline analysis
- Preconfigured views

Critical Infrastructure Performance Indicators
A key requirement is to define the Critical Infrastructure Performance Indicators (CIPIs) appropriate for the application. By monitoring the CIPIs, the forensics system can detect off-nominal behaviour. Examples include:
- CPU load, memory utilisation
- Disk size and disk usage (e.g. free space per partition)
- Number of current processes
- Authentication events
- Software installation (installation of new/fresh packages)
- ssh login attempts (counted over a period of 1 hour)
- concurrent ssh sessions > 0
- concurrent http sessions > 1
Non-CIPI data are also collected, e.g.:
- Layer 2 connections (Ethernet)
- Layer 3 connections (IP)
- Running processes (name, cpu, memory, uid, etc.)
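The slide lists three kinds of indicator without saying how each is evaluated: gauges compared against a limit (CPU load, free space, concurrent sessions), rates counted over a window (ssh login attempts per hour) and one-off events that are always of interest on a controller (a package install). The following is an added example, not code from the AEGIS toolkit; the rule tables, the threshold values and the sample records are constructed for this page, and the limits would be tuned per CI application in practice.

```python
"""Threshold evaluation of Critical Infrastructure Performance Indicators (CIPIs).

Added illustrative example: the rule tables, threshold values and sample
records below are constructed for this page, not the AEGIS toolkit's own.
"""
from collections import deque
from datetime import datetime, timedelta

# Gauge indicators: flagged when the sampled value crosses a fixed limit.
# Limits are assumptions; in practice they are tuned per CI application.
GAUGE_RULES = {
    "cpu_load":       (">", 0.90),
    "mem_util":       (">", 0.90),
    "disk_free_root": ("<", 0.10),  # free space on the root partition
    "ssh_sessions":   (">", 0),     # any concurrent ssh session on a controller
    "http_sessions":  (">", 1),     # more than one concurrent http session
}

# Rate indicators: flagged when more than `limit` events fall inside `window`.
RATE_RULES = {
    "ssh_login_attempt": (timedelta(hours=1), 5),
}

# Event indicators: always flagged (e.g. a fresh package install on a controller).
EVENT_RULES = {"software_install"}

# Constructed samples, chronological: (ISO timestamp, indicator, value).
SAMPLES = [
    ("2018-10-16T09:00:00", "cpu_load", 0.35),
    ("2018-10-16T09:00:00", "mem_util", 0.61),
    ("2018-10-16T09:00:00", "disk_free_root", 0.40),
    ("2018-10-16T09:00:00", "ssh_sessions", 0),
    ("2018-10-16T09:00:00", "http_sessions", 1),
    ("2018-10-16T09:05:00", "ssh_login_attempt", 1),
    ("2018-10-16T09:12:00", "ssh_login_attempt", 1),
    ("2018-10-16T09:20:00", "ssh_login_attempt", 1),
    ("2018-10-16T09:27:00", "ssh_login_attempt", 1),
    ("2018-10-16T09:33:00", "ssh_login_attempt", 1),
    ("2018-10-16T09:40:00", "ssh_login_attempt", 1),   # sixth attempt within the hour
    ("2018-10-16T09:41:00", "ssh_sessions", 1),        # someone got in
    ("2018-10-16T09:45:00", "cpu_load", 0.95),
    ("2018-10-16T09:50:00", "software_install", "pkg:telnetd"),
    ("2018-10-16T10:00:00", "http_sessions", 1),
]


def evaluate(samples, gauge_rules=GAUGE_RULES, rate_rules=RATE_RULES,
             event_rules=EVENT_RULES):
    """Return off-nominal findings for chronologically ordered samples."""
    windows = {name: deque() for name in rate_rules}   # sliding windows per rate CIPI
    alerts = []
    for ts, name, value in samples:
        t = datetime.fromisoformat(ts)
        if name in gauge_rules:
            op, limit = gauge_rules[name]
            if (value > limit) if op == ">" else (value < limit):
                alerts.append({"time": ts, "cipi": name, "value": value,
                               "rule": f"{name} {op} {limit}"})
        elif name in rate_rules:
            window, limit = rate_rules[name]
            q = windows[name]
            q.append(t)
            while q and t - q[0] > window:     # drop events older than the window
                q.popleft()
            if len(q) == limit + 1:            # fire once, when the limit is crossed
                alerts.append({"time": ts, "cipi": name, "value": len(q),
                               "rule": f"more than {limit} {name} in {window}"})
        elif name in event_rules:
            alerts.append({"time": ts, "cipi": name, "value": value,
                           "rule": f"{name} observed"})
    return alerts


if __name__ == "__main__":
    for a in evaluate(SAMPLES):
        print(a["time"], a["cipi"], a["value"], "<-", a["rule"])
```

Run on the constructed samples, the evaluator raises four findings in order: the sixth ssh login attempt at 09:40, the first concurrent ssh session at 09:41, the CPU spike at 09:45 and the package install at 09:50; the memory and disk readings stay nominal. The rate rule fires once when the limit is crossed rather than on every further attempt, which keeps the timeline readable, and attempts spread over more than an hour never accumulate to the limit.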

Timeline Analysis
The Event Analysis View allows the operator to scroll forward or backward in time.
Example: an event occurs at time t0. The operator can use the timeline analysis tool to:
- see the events that led up to the event;
- compare the current event with previous (similar) events; the tool allows direct comparison of the current state with historical states;
- investigate the outcomes as more data comes in.

Timeline of CIPI Visualisations

Preconfigured views
The benefit of the AEGIS forensic toolkit is that "knowledge" gained during an analysis can be reused in future similar incidents. An event is characterised by the CIPIs it affects, and the following are stored in the event file:
- the affected CIPIs
- the operator's response
- the specific views that were brought up
- the events selected and highlighted during the analysis
- etc.
These actions can be collected in a "script" to be run when a similar event is observed.
Benefits:
- Speeds up incident response
- Makes event reporting faster and easier
- Allows the operator to concentrate on the analysis rather than on bringing up the required views
Caveats:
- Should be used only by experienced personnel
- May lead the operator to a wrong analysis (fighting the last battle: the stored script reflects the previous incident, not necessarily the current one)
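The two slides above describe one workflow: slice the timeline around t0, characterise the event by the CIPIs affected in that slice, and look up earlier event files whose affected-CIPI set overlaps, so that the views the operator opened last time can be brought up again. The following is an added example of that lookup, not the toolkit's own code: the event files, view names, live alert stream and the Jaccard similarity threshold are all constructed assumptions. The match score is returned next to the stored views precisely because of the "fight the last battle" caveat: a 75% overlap is a hint, not a diagnosis.

```python
"""Timeline window and preconfigured-view lookup for a live CIPI event.

Added illustrative example: the event files, view names and similarity
threshold are constructed for this page, not the AEGIS toolkit's own.
"""
from datetime import datetime, timedelta

# Constructed event files from earlier incidents: which CIPIs were affected
# and what the operator did (views opened, items highlighted, outcome).
HISTORY = [
    {"id": "EV-2018-0031", "time": "2018-09-02T14:10:00",
     "affected": {"ssh_login_attempt", "ssh_sessions", "software_install"},
     "response": {"views": ["auth_timeline", "process_tree", "package_diff"],
                  "highlighted": ["first_successful_ssh_login"],
                  "outcome": "ssh password guessing, host rebuilt"}},
    {"id": "EV-2018-0044", "time": "2018-09-20T03:45:00",
     "affected": {"cpu_load", "http_sessions"},
     "response": {"views": ["cpu_timeline", "l3_connections"],
                  "highlighted": [],
                  "outcome": "misconfigured monitoring poller"}},
]

# Constructed live stream of CIPI alerts: (ISO timestamp, affected CIPI).
LIVE = [
    ("2018-10-16T09:40:00", "ssh_login_attempt"),
    ("2018-10-16T09:41:00", "ssh_sessions"),
    ("2018-10-16T09:45:00", "cpu_load"),
    ("2018-10-16T09:50:00", "software_install"),
    ("2018-10-16T11:30:00", "http_sessions"),
]


def window(events, t0, before=timedelta(hours=1), after=timedelta(0)):
    """Alerts within [t0 - before, t0 + after]: the slice the operator scrolls through."""
    t0 = datetime.fromisoformat(t0)
    return [(ts, c) for ts, c in events
            if t0 - before <= datetime.fromisoformat(ts) <= t0 + after]


def affected_cipis(events):
    """The set of CIPIs that characterises the event under analysis."""
    return {c for _, c in events}


def jaccard(a, b):
    """Overlap of two CIPI sets, 0.0 (disjoint) to 1.0 (identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def similar_events(history, affected, min_score=0.5):
    """Historical events ranked by overlap of affected CIPIs, best first."""
    scored = [(jaccard(affected, h["affected"]), h) for h in history]
    scored.sort(key=lambda pair: pair[0], reverse=True)
    return [(s, h) for s, h in scored if s >= min_score]


def preconfigured_views(history, affected, min_score=0.5):
    """The stored view 'script' of the closest prior incident, or None.

    The score is returned alongside the views so the operator can see how
    partial the match is before trusting the previous incident's playbook.
    """
    matches = similar_events(history, affected, min_score)
    if not matches:
        return None
    score, h = matches[0]
    return {"from": h["id"], "score": round(score, 2),
            "views": list(h["response"]["views"]),
            "previous_outcome": h["response"]["outcome"]}


if __name__ == "__main__":
    t0 = "2018-10-16T09:50:00"
    current = window(LIVE, t0)
    for ts, cipi in current:
        print(ts, cipi)
    print(preconfigured_views(HISTORY, affected_cipis(current)))
```

With t0 at the package install, the one-hour window holds four alerts; the 11:30 http alert is outside it and does not colour the characterisation. The affected set overlaps EV-2018-0031 on three of four CIPIs (score 0.75) and EV-2018-0044 on one of five (0.2), so only the former passes the threshold and its three views are proposed. A set with no qualifying match returns None, leaving the operator to build the views by hand rather than being handed an irrelevant script.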

Disk Analysis
- Acquire, authenticate and analyse data
- Follow forensic tool guidelines
- Keep the chain of custody
- The FVT securely stores disk images and offers visualisations of the relevant CIPIs
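"Acquire, authenticate, keep the chain of custody" is the part of disk analysis that decides whether the image is admissible, and the slide leaves the mechanics implicit. The following is an added example, not the FVT's own code, of the minimum a tool must do: hash the source bytes as they are copied, re-hash the stored image independently and compare, and append every action to a hash-chained custody log so that a removed or edited entry is detectable. The source "device" is a constructed file in a temporary directory; a real acquisition goes through a write blocker and an established imaging tool, and the analyst names and file names here are assumptions.

```python
"""Acquire, authenticate and record chain of custody for a disk image.

Added illustrative example, not the AEGIS FVT's own code.  The source
device is a constructed file; real acquisitions use a write blocker.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # 'prev' value of the first custody entry


def _sha256_stream(fobj, chunk=1 << 20):
    h = hashlib.sha256()
    for block in iter(lambda: fobj.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def record(custody_log, analyst, action, item, sha256, note=""):
    """Append one custody entry, chained to the hash of the previous line."""
    prev = GENESIS
    if os.path.exists(custody_log):
        with open(custody_log) as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1].encode()).hexdigest()
    entry = {"time": datetime.now(timezone.utc).isoformat(), "analyst": analyst,
             "action": action, "item": os.path.basename(item),
             "sha256": sha256, "note": note, "prev": prev}
    with open(custody_log, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")


def acquire_image(source, image_path, analyst, custody_log):
    """Copy the source to image_path, hashing the bytes as they are read."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(1 << 20), b""):
            h.update(block)
            dst.write(block)
    source_hash = h.hexdigest()
    record(custody_log, analyst, "acquire", image_path, source_hash, f"source={source}")
    return source_hash


def authenticate_image(image_path, expected_hash, analyst, custody_log):
    """Re-hash the stored image independently and compare with the acquisition hash."""
    with open(image_path, "rb") as f:
        actual = _sha256_stream(f)
    ok = actual == expected_hash
    record(custody_log, analyst, "verify", image_path, actual, "match" if ok else "MISMATCH")
    return ok


def custody_chain_intact(custody_log):
    """True if every entry's 'prev' equals the hash of the line before it."""
    with open(custody_log) as f:
        lines = f.read().splitlines()
    prev = GENESIS
    for line in lines:
        if json.loads(line)["prev"] != prev:
            return False
        prev = hashlib.sha256(line.encode()).hexdigest()
    return True


def demo(tamper_image=False, tamper_log=False):
    """Acquire, optionally tamper, verify; returns (image_ok, custody_chain_ok)."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "device.bin")          # constructed 'device'
        img = os.path.join(d, "device.dd")
        log = os.path.join(d, "custody.jsonl")
        with open(src, "wb") as f:
            f.write(b"CONSTRUCTED DISK CONTENT " * 4096)
        acquisition_hash = acquire_image(src, img, "analyst-1", log)
        if tamper_image:                              # flip one byte of the image
            with open(img, "r+b") as f:
                f.seek(100)
                f.write(b"X")
        image_ok = authenticate_image(img, acquisition_hash, "analyst-2", log)
        if tamper_log:                                # rewrite the first custody line
            with open(log) as f:
                lines = f.read().splitlines()
            lines[0] = lines[0].replace("analyst-1", "analyst-9")
            with open(log, "w") as f:
                f.write("\n".join(lines) + "\n")
        return image_ok, custody_chain_intact(log)


if __name__ == "__main__":
    print("clean:", demo())
    print("image tampered:", demo(tamper_image=True))
    print("log tampered:", demo(tamper_log=True))
```

In the clean run both checks pass. Flipping a single byte of the stored image makes authentication fail while the custody log itself stays consistent, which is exactly the record you want: the log shows a successful acquisition followed by a failed verification. Editing an earlier custody entry breaks the chain, because the next entry's "prev" no longer matches the hash of the rewritten line.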

Disk Analysis

Conclusions
- Visualisation is crucial to active (live) digital forensics analysis.
- The AEGIS visualisation toolkit is customised for the needs of forensic analysis for Critical Infrastructures.
Key FVT innovations:
- Critical Infrastructure Performance Indicators
- Timeline analysis
- Preconfigured views
- Disk analysis

Thank you Digital Forensics via AEGIS Visualization toolkit 16/10/2018 Leonidas Kallipolitis, AEGIS http://aegisresearch.eu/ The research leading to these results has received funding from the European Union’s Horizon 2020 Research and Innovation Programme, under Grant Agreement no 700378.