Publication


Featured research published by Clive Blackwell.


International Conference on Digital Forensics | 2011

A Forensic Framework for Incident Analysis Applied to the Insider Threat

Clive Blackwell

We require a holistic forensic framework to analyze incidents within their complete context. Our framework organizes incidents into their main stages of access, use and outcome to aid incident analysis, influenced by Howard and Longstaff’s security incident classification. We also use eight incident questions, extending the six from Zachman’s framework, to pose questions about the entire incident and each individual stage. The incident analysis using stage decomposition is combined with our three-layer incident architecture, comprising the social, logical and physical levels, to analyze incidents in their entirety, including human and physical factors, rather than from a technical viewpoint alone. We demonstrate the conjunction of our multilayered architectural structure and incident classification system with an insider threat case study, demonstrating clearly the questions that must be answered to organize a successful investigation. The process of investigating extant incidents also applies to proactive analysis to avoid damaging incidents.


International Journal of Digital Crime and Forensics | 2013

A Framework for Digital Forensics and Investigations: The Goal-Driven Approach

Shareeful Islam; Benjamin Aziz; Clive Blackwell

Digital forensics investigations are an important task for collecting evidence based on the artifacts left in computer systems for computer related crimes. The requirements of such investigations are often a neglected aspect in most of the existing models of digital investigations. Therefore, a formal and systematic approach is needed to provide a framework for modeling and reasoning about the requirements of digital investigations. In addition, anti-forensics situations make the forensic investigation process challenging by contaminating any stage of the investigation process, its requirements, or by destroying the evidence. Therefore, successful forensic investigations require understanding the possible anti-forensic issues during the investigation. In this paper, the authors present a new method for guiding digital forensics investigations considering the anti-forensics based on goal-driven requirements engineering methodologies, in particular KAOS. Methodologies like KAOS facilitate modeling and reasoning about goals, requirements and obstacles, as well as their operationalization and responsibility assignments. The authors believe that this new method will lead in the future to better management and organization of the various steps of forensics investigations in cyberspace as well as provide more robust grounds for reasoning about forensic evidence.


International Conference on Digital Forensics | 2011

An Investigative Framework for Incident Analysis

Clive Blackwell

A computer incident occurs in a larger context than just a computer network. Because of this, investigators need a holistic forensic framework to analyze incidents in their entire context. This paper presents a framework that organizes incidents into social, logical and physical levels in order to analyze them in their entirety (including the human and physical factors) rather than from a purely technical viewpoint. The framework applies the six investigative questions – who, what, why, when, where and how – to the individual stages of an incident as well as to the entire incident. The utility of the framework is demonstrated using an insider threat case study, which shows where the evidence may be found in order to conduct a successful investigation.


Cyberpatterns | 2014

Towards a Penetration Testing Framework Using Attack Patterns

Clive Blackwell

The problems of system security are well known, but no satisfactory methods to resolve them have ever been discovered. One heuristic method is to use a penetration test with the rationale of finding system flaws before malicious attackers. However, this is a craft-based discipline without an adequate theoretical or empirical basis for justifying its activities and results. We show that both the automated tool and skill-based methods of pen testing are unsatisfactory, because we need to provide understandable evidence to clients about their weaknesses and offer actionable plans to fix the critical ones. We use attack patterns to help develop a pen-testing framework to help avoid the limitations of current approaches.


International Conference on Digital Forensics | 2013

Using a Goal-Driven Approach in the Investigation of a Questioned Contract

Clive Blackwell; Shareeful Islam; Benjamin Aziz

This paper presents a systematic process for describing digital forensic investigations. It focuses on forensic goals and anti-forensic obstacles and their operationalization in terms of human and software actions. The paper also demonstrates how the process can be used to capture the various forensic and anti-forensic aspects of a real-world case involving document forgery.


Service Oriented Software Engineering | 2014

Using Security Patterns for Modelling Security Capabilities in Grid Systems

Benjamin Aziz; Clive Blackwell

We extend previous work on formalising design patterns to start the development of security patterns for Grid systems. We demonstrate the feasibility of our approach with a case study involving a deployed security architecture in a Grid Operating System called XtreemOS. A number of Grid security management capabilities that aid the secure setting-up and running of a Grid are presented. We outline the functionality needed for such cases in a general form, which could be utilised when considering the development of similar large-scale systems in the future. We also specifically describe the use of authentication patterns that model the extension of trust from a secure core, and indicate how these patterns can be composed, specialised and instantiated.


International Conference on Digital Forensics | 2014

Using Fraud Trees to Analyze Internet Credit Card Fraud

Clive Blackwell

Because of the difficulties inherent in accurately identifying individuals on the Internet, online merchants reduce the risk of credit card fraud by increasing restrictions on consumers. The restrictions are often overly burdensome on consumers and may result in lost sales. This paper uses the concept of a fraud tree, an extension of an attack tree, to comprehensively model online fraud techniques and to suggest defensive obstacles for merchants to counter threats. The fraud tree model can advise merchants about the checks to be performed to reduce risk even in the presence of incomplete knowledge of the circumstances of the transactions. Since fraud cannot be completely avoided, the paper also describes auditing that can be performed to assist merchants in identifying the responsible parties and potentially limiting, if not avoiding, liability due to fraud.


Cyberpatterns | 2014

Towards a Conceptual Framework for Security Patterns

Clive Blackwell

We introduce security patterns as the most mature domain within cyberpatterns, and outline a conceptual framework to help understand and develop good security patterns. Security patterns help us move from an improvised craft to engineering discipline because they transfer knowledge about proven solutions in an understandable and reusable format to experienced users and novices alike. Although security patterns are widely known, many questions remain unanswered regarding their conceptual foundation and practical use. We characterise the current pattern schemes using the Zachman Framework for enterprise architecture modelling, which allows us to structure and pose questions about both the problem domain and corresponding solutions provided by security patterns. We propose a parallel security plane overlaying the entire Zachman grid allowing the separate consideration of security within the security plane using the interrogative questions (who, what, where, when, why and how) to evaluate the six aspects. The integration between security and functional concerns is similarly aided by using the correspondence between aspects in the security and functional planes to decompose and examine the relationship between security patterns and problem context. We also briefly discuss security patterns as transformations, and related concepts such as tactics that may usefully be applied to security. We conclude with a set of unsolved challenges for security patterns. This discussion is relevant to other types of cyberpattern such as attack patterns, and may aid the eventual development of a comprehensive framework for cyberpatterns.


Cyberpatterns | 2014

A Strategy for Structuring and Formalising Attack Patterns

Clive Blackwell

We have created a framework for modelling security that divides computer incidents into their stages of access, use and effect. In addition, we have developed a three-layer architectural model to examine incidents with the social, logical and physical levels. Our ontology that combines the architectural and incident models provides the basis for a suitable semantics for attack patterns, where the entities and relationships between them can be precisely defined. The current informality of these patterns means that their utility is limited to manual use, so we plan to adapt existing work on formalising design patterns to attack patterns, to aid the detection of attack patterns leading to the possible creation of effective defensive controls. A specification in logic, which is progressively refined into code, is a common method of developing high integrity and secure software, but there are additional issues in system protection, as the system is a diverse set of components housing different and unrelated functionality rather than a single program. The attack patterns form a logical specification, which can be intersected with the model of the defence to determine the corresponding defensive observations and actions to counter the attacks. This would allow convincing reasoning about possible defensive response measures, and holds out the possibility of proving security against certain types of attacks. We outline a roadmap for formulating attack patterns in our ontology and then translating them in logic.


Cyberpatterns | 2014

Future Directions for Research on Cyberpatterns

Clive Blackwell; Hong Zhu

As patterns in cyberspace, cyberpatterns shed light on research on the development of cyber systems from a new angle. They can help us move from an improvised craft to an engineering discipline because they help to transfer knowledge about proven solutions in an understandable and reusable format. They allow innovative applications in cloud, cyber-physical and mobile systems, and novel methods of use with data patterns for observation and analysis of ‘big data’ problems. The ultimate aim of research on cyberpatterns is an overall framework for cyberpatterns integrating all the cyber domains to help develop a better-understood and effective cyberspace. However, there are many research questions in cyberpatterns that remain unanswered regarding both their conceptual foundation and practical use. This chapter concludes the book by exploring some of the most critical and important problems needing to be addressed.

Collaboration


Clive Blackwell's collaborations.

Top Co-Authors

Benjamin Aziz

University of Portsmouth

Shareeful Islam

University of East London

Hong Zhu

Oxford Brookes University
