Improving Forensic Triage Efficiency through Cyber Threat Intelligence

The growing complexity of information technology and the proliferation of heterogeneous security devices, which produce ever larger volumes of data, together with a constantly changing threat landscape, adversely affect the efficiency of information security controls, digital forensics and incident response approaches. Cyber Threat Intelligence (CTI) and forensic preparedness are two elements of the so-called managed security services that defenders can employ to repel, mitigate or investigate security incidents. Despite their success, no known effort has combined these two approaches to enhance Digital Forensic Readiness (DFR) and thereby decrease the time and cost of incident response and investigation. This paper builds upon and extends a DFR model that utilises actionable CTI to improve the maturity levels of DFR. The effectiveness and applicability of the model are evaluated through a series of experiments that employ malware-related network data simulating real-world attack scenarios. In these experiments the model identifies the root causes of information security incidents with high accuracy (90.73%), precision (96.17%) and recall (93.61%), while significantly decreasing the volume of data that digital forensic investigators need to examine. The contribution of this paper is twofold. First, it indicates that CTI can be employed by digital forensics processes. Second, it demonstrates and evaluates an efficient mechanism that enhances operational DFR.
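The abstract describes CTI-driven triage and reports its accuracy, precision and recall together with the reduction in data left for examiners. The following is an added illustration of that evaluation loop, not the paper's model or code: constructed network flow records are matched against a small constructed CTI indicator set, the flagged subset is what an investigator would examine first, and the ground-truth labels (used only for scoring, never by the triage itself) yield the same metrics the abstract reports. Field names, indicator types and all addresses (reserved documentation ranges) are assumptions for the example.

```python
"""
Added illustration (not the paper's own code): triage of network flow records
against cyber threat intelligence (CTI) indicators, then the metrics the
abstract reports (accuracy, precision, recall) plus the share of data removed
from the examiner's queue.

All indicators, flows and ground-truth labels are constructed; the field names
are assumptions, not the paper's schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable


@dataclass(frozen=True)
class Flow:
    """One flow record plus a ground-truth label used only for evaluation."""
    src: str
    dst: str
    dport: int
    domain: str      # queried or SNI domain, "" when none
    malicious: bool  # ground truth (constructed); never read by the triage


# Constructed CTI feed: a CIDR, two domains and a port. Documentation-only
# address ranges; nothing here refers to real infrastructure.
CTI_NETWORKS = [ip_network("198.51.100.0/24")]
CTI_DOMAINS = {"bad.example", "c2.invalid"}
CTI_PORTS = {4444}


def flow_matches_cti(flow: Flow) -> bool:
    """True when any CTI indicator applies to the flow."""
    dst = ip_address(flow.dst)
    if any(dst in net for net in CTI_NETWORKS):
        return True
    if flow.domain and flow.domain.lower() in CTI_DOMAINS:
        return True
    return flow.dport in CTI_PORTS


def triage(flows: Iterable[Flow]) -> list[Flow]:
    """Keep only the flows an investigator needs to examine first."""
    return [f for f in flows if flow_matches_cti(f)]


def evaluate(flows: list[Flow]) -> dict[str, float]:
    """Accuracy, precision, recall and data reduction of the triage decision."""
    tp = fp = tn = fn = 0
    for f in flows:
        flagged = flow_matches_cti(f)
        if flagged and f.malicious:
            tp += 1
        elif flagged:
            fp += 1
        elif f.malicious:
            fn += 1
        else:
            tn += 1
    total = tp + fp + tn + fn
    flagged_total = tp + fp
    return {
        "accuracy": (tp + tn) / total if total else 0.0,
        "precision": tp / flagged_total if flagged_total else 0.0,
        "recall": tp / (tp + fn) if (tp + fn) else 0.0,
        # fraction of records the examiner no longer has to look at
        "reduction": 1 - flagged_total / total if total else 0.0,
    }


# Constructed sample: 10 flows, 4 of them malicious. One malicious flow uses
# infrastructure absent from the feed (a miss), one benign flow happens to use
# a port on the feed (a false alarm); both are deliberate to show the metrics.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 443, "", True),                 # CIDR hit
    Flow("10.0.0.5", "203.0.113.9", 443, "bad.example", True),      # domain hit
    Flow("10.0.0.6", "203.0.113.10", 4444, "", True),               # port hit
    Flow("10.0.0.7", "203.0.113.11", 443, "update.example", True),  # missed (FN)
    Flow("10.0.0.8", "203.0.113.12", 80, "", False),
    Flow("10.0.0.8", "203.0.113.13", 443, "mail.example", False),
    Flow("10.0.0.9", "203.0.113.14", 53, "", False),
    Flow("10.0.0.9", "203.0.113.15", 4444, "", False),              # flagged (FP)
    Flow("10.0.0.10", "203.0.113.16", 443, "", False),
    Flow("10.0.0.10", "203.0.113.17", 22, "", False),
]


if __name__ == "__main__":
    kept = triage(SAMPLE_FLOWS)
    print(f"{len(kept)} of {len(SAMPLE_FLOWS)} flows kept for examination")
    print(evaluate(SAMPLE_FLOWS))
```

On the constructed sample the triage keeps 4 of 10 flows (a 60% reduction) with accuracy 0.8, precision 0.75 and recall 0.75; the two deliberate errors show why precision and recall are reported alongside the reduction figure, since a feed that flags nothing would score a perfect reduction and zero recall.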
