a network black box with splunk for forensic analysis of
play

A Network Black Box with Splunk for Forensic Analysis of Attack - PowerPoint PPT Presentation

Apr 06, 2024 •408 likes •782 views

A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk Roadmap Three layer architectural security model Influenced by OSI

  1. A Network Black Box with Splunk for Forensic Analysis of Attack Patterns Clive Blackwell Oxford Brookes University Oxford, United Kingdom CBlackwell@brookes.ac.uk

  2. Roadmap • Three layer architectural security model – Influenced by OSI 7-layer network model and Neumann’s 8-layer security model • Formalising attack patterns in predicate logic – Extending existing work on design patterns – Determine corresponding security and forensic patterns • Beyond signatures – Abductive techniques for discovering incident causes • Lab experiments in forensic analysis – Collecting and merging incident data with Splunk • A network black box with Splunk * Skip to slide 22 if not interested in the conceptual model * 8 July 2011 MSN11 2

  3. 7-layer OSI network model Strong influence on my multilayered model Paths are down through the levels and transmission occurs physically Physical medium is out-of-scope My model explicitly includes people and the physical world 8 July 2011 MSN11 3

  4. Neumann ’ s 8-layer model Scope reduces as the External Environment layers are descended Confuses scope and level User External and internal environment are one level Application with differing scopes Network is not a separate Middleware level, but has extended scope at multiple levels Network Middle layers are part of our logical level Operating System Environment is physical User is social level Hardware Has too many levels for Internal analysis Environment Scope is infinite at all levels in my model 8 July 2011 MSN11 4

  5. Digital forensic framework purpose • We consider incidents within a wider context and from multiple perspectives to aid a broader and deeper investigation • The focus is extended from misused computer systems to their wider social, legal, organizational and physical contexts • The system interaction with the external environment and people provides the wider investigative context to – Examine incident progression and effects – Enable the goals of holding the perpetrator accountable, and – Repairing the damaged system and resources • Purpose of the investigation differs depending on the circumstances – In a legal, regulatory or disciplinary process, it is to collect sufficient reliable evidence to discover the perpetrator and hold them accountable – In incident response, the purpose may be to discover the cause and extent of damage to determine effective system repair measures, fix the exploited weaknesses, limit further harm, and remediate external effects on third party victims and the environment 8 July 2011 MSN11 5

  6. The Layered Security Model • We have a simplified three-layer model – Add sub-layers to recover the greater number of layers in the OSI 7-layer network and other models Social • Social layer at the top includes people and Layer organisations along with their goals and intentions – Legal, organisational, economic, philosophical, political, sociological, and psychological aspects • Logical layer in the middle contains computers, networks, software and data Logical – Has multiple sublevels to recapture the layers of Layer other mainly logical models • Physical layer at the bottom represents the physical existence of all entities in world – Contains tangible objects including buildings, equipment, paper documents and computers Physical – Also contains physical phenomena such as Layer electromagnetic radiation, electricity and magnetism 8 July 2011 MSN11 6

  7. Social layer • The social or conceptual layer is the top layer • Active subjects are abstract representations of organisations, systems and people, including their attributes and behaviour • People ’ s characteristics include their goals, knowledge and beliefs • Can analyze using Parker ’ s SKRAM classification (skills, knowledge, resources, authority and motivation) – D Parker, Fighting Computer Crime, a New Framework for Protecting Information , Wiley, 1998. • The passive objects are abstract representations of lower-layer objects inhabiting the real world, and • Concepts that only make sense at this layer such as trust, motivation, knowledge and information – Information is not understood by computers (Searle’s Chinese room) – Evidence is a special type of information and therefore at the social level • Higher layer entities like people and data have a physical existence as well as a higher layer form – Mind-body duality is extended to logical entities 8 July 2011 MSN11 7

  8. Social layer in our framework • Crucial in incident analysis, as people are ultimately responsible for causing and responding to incidents • Conceptualizes the essential characteristics of people – Their skills, motivation, knowledge, weaknesses and other traits • All deliberate incidents are initiated by people at the social layer and are only effective if they meet a social-level goal – Obtaining money, power, prestige or pleasure • Ultimate effects are also on people and organisations at the social layer – Computers and other logical resources such as information are means to an end, and are not valuable in their own right • Incidents are always executed using lower levels – Interaction between social entities at this level is only conceptual – People cannot operate directly at the logical layer, but use agents such as accounts to act for them • All social and logical actions are ultimately executed at the physical level • Therefore, effective investigation should involve complete analysis spanning all three levels 8 July 2011 MSN11 8

  9. Social layer in investigation • Scope of the incident analysis is at the social level – Within an organization for disciplinary action, industrial sector for regulatory breaches, or legal jurisdiction for criminal activities • Evidence is contained within the social level and forms judgments on activities that happen at lower levels – Social level aspects such as intent must be inferred from lower level actions • Evidence must be relevant and reliable, which requires lifting information about events and states at lower levels – Must use dependable and accepted investigatory processes to give a satisfactory argument within the particular domain – Such as rules of evidence for the law – But, evidence may be incomplete, incorrect or inconsistent • Effective investigation must involve comprehensive analysis at all levels and the relationships between levels 8 July 2011 MSN11 9

  10. Logical layer in our framework • People cannot operate directly at the logical layer, but use agents to act on their behalf – User accounts to issue commands, run programs, execute processes and use resources • This leads to the issue of proving responsibility – Agent may be initiated or taken over by others, or – Act outside its authority if faulty or has been modified • Investigator also cannot directly observe logical functions and data – Examines them indirectly using software – Serious issues regarding its adequacy in collecting, interpreting and presenting digital data as evidence • National Research Council, Strengthening Forensic Science in the United States: A Path Forward , National Academies Press (2009). – A compelling account of the failure to justify scientifically the vast majority of the physical forensic sciences – Analogous questions apply to digital forensics in spades 8 July 2011 MSN11 10

  11. Physical layer in our framework • Higher layer social and logical entities, have a physical existence as well as a higher layer representation – Except pure abstract entities like trust (influenced indirectly by real actions) • Logical entities such as accounts and keys have a different physical existence to the people they represent (key distinction) • But, higher layer entities cannot be understood at the physical layer – Information is ultimately stored physically – But understanding involves knowing its meaning and purpose, which can only be fully appreciated at a higher layer • Effective investigation requires raising data about physical incident events into high-level evidence at the social level • Must also link the physical and digital crime scene evidence – B Carrier and E Spafford, “Getting Physical with the Digital Investigation Process”, International Journal of Digital Evidence, Volume 2, Issue 2, 2003. • Divide physical layer into upper object and lower substance sublevels – Contains intangible wave phenomena such as electromagnetic radiation, as well as material objects with differing size and scope 8 July 2011 MSN11 11

  12. The Multilayered Architecture Supervisory Virtual layer Channel Social Layer Our model is Realisation layer more comprehensive Application Service Virtual Channel Also considers Logical Layer OS Hardware processing, Physical storage and control Object layer Real Channel Physical Layer Incorporates physical actions Substance layer 8 July 2011 MSN11 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About

A Network Forensic Analysis Framework Professor Patrick McDaniel Daniel Krych Fall 2015 About An extensible network forensic analysis framework. Enables rapid development of plugins to support the dissection of network packet captures.

379 views • 36 slides
Communication Issues between the Splunk universal forwarder and the Splunk server 1. As a first

Communication Issues between the Splunk universal forwarder and the Splunk server 1. As a first

Communication Issues between the Splunk universal forwarder and the Splunk server 1. As a first step, we will check and see if Splunk can use a traceroute to communicate between instances. 1.1. To do this, we will open up terminal and enter the

594 views • 4 slides
AWS Agility + Splunk Visibility = Cloud Success Splunk App for AWS Demo Laura Ripans, AWS

AWS Agility + Splunk Visibility = Cloud Success Splunk App for AWS Demo Laura Ripans, AWS

AWS Agility + Splunk Visibility = Cloud Success Splunk App for AWS Demo Laura Ripans, AWS Alliance Manager Disruptive innovation and business transformation starts with data I HAVE BEEN GIVEN AN AWS ACCOUNT!!! 3 Why is Splunk Important

686 views • 15 slides
Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic

Forensic Challenge V2.0 UNAM-CERT RedIRIS Topics * Forensic Challenge V1.0 * Forensic Challenge V2.0 * Conclusions Introduction Why this forensic Challenge ? * To promote and impulse the Forensic Analysis in our Region -- Hispanoamerica--

558 views • 19 slides
Splunk the Sky Adam Ind Splunk Answers - rfds @adamlukeind @RoyalFlyingDoc Royal Flying Doctor

Splunk the Sky Adam Ind Splunk Answers - rfds @adamlukeind @RoyalFlyingDoc Royal Flying Doctor

Splunk the Sky Adam Ind Splunk Answers - rfds @adamlukeind @RoyalFlyingDoc Royal Flying Doctor Service Using Splunk: Aircraft Fleet Tracking Embed & Display Reports Monitoring Medicines & Vaccines Aircraft Performance Monitoring

795 views • 36 slides
Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is

Firewall Configuration 1. As a first step, check to see if the Splunk universal forwarder is sending its internal logs to the Splunk indexer. This takes place by default with all Splunk forwarder installations, and will prevent you from going

364 views • 9 slides
Find it with Splunk, Fix it with Resolve: Your Solution for Enterprise-Wide Incident Response and

Find it with Splunk, Fix it with Resolve: Your Solution for Enterprise-Wide Incident Response and

Find it with Splunk, Fix it with Resolve: Your Solution for Enterprise-Wide Incident Response and Resolution Splunk Users Across the Enterprise Are you using Splunk Enterprise? Are you using Splunk Enterprise Security? Are you using Splunk

179 views • 17 slides
EXTENDING SPLUNK WITH GPUS Joshua Patterson @datametrician Keith Kraus @keithjkraus SPLUNK

EXTENDING SPLUNK WITH GPUS Joshua Patterson @datametrician Keith Kraus @keithjkraus SPLUNK

EXTENDING SPLUNK WITH GPUS Joshua Patterson @datametrician Keith Kraus @keithjkraus SPLUNK Industry leading machine data platform Splunk is a software platform to search, analyze, and visualize the machine-generated data gathered from the

705 views • 41 slides
qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University

qPCR in forensic DNA analysis Johannes Hedman Researcher, Applied Microbiology, Lund University Specialist, Swedish National Laboratory of Forensic Science Forensic science Every contact leaves a trace Edmond Locard (1877 1966) Forensic

1.32k views • 78 slides
Troubleshooting AWS App Workshop Splunk Add-on for AWS 4.3+ Kamilo Amir | Splunk Cloud Architect

Troubleshooting AWS App Workshop Splunk Add-on for AWS 4.3+ Kamilo Amir | Splunk Cloud Architect

Troubleshooting AWS App Workshop Splunk Add-on for AWS 4.3+ Kamilo Amir | Splunk Cloud Architect ______________________________________________________________________________ Table of Contents 4 TROUBLESHOOTING SPLUNK APP / ADD-ON FOR AWS 4 P

296 views • 8 slides
Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing

Mathieu Deous Julien Reveret Forensic analysis of a Linux web server 1 www.nbs-system.com Agenda Who are we ? Performing forensic analysis on a compromised web server What to search, where, how ? Logs but also dynamic analysis What

603 views • 28 slides
Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk |

Security Hands-on @ Pavilion Automate Security Operations with Phantom & Splunk Splunk | Security Markets September 26 | Washington, DC The Leader in Security Automation & Orchestration Phantom Community Growing Larger Each Day

450 views • 8 slides
Splunk implementa-on Our experiences throughout the 3 year journey About us Harvard

Splunk implementa-on Our experiences throughout the 3 year journey About us Harvard

Splunk implementa-on Our experiences throughout the 3 year journey About us Harvard University University Network Services Group Serving over 2500 faculty and more than 18,000 students Jim Donn Management Systems Architect

705 views • 22 slides
Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Why This Workshop? In 2009 the Research Council of the National Academy of Sciences issues a

Specialized Topics in Ethical Forensic Practice, Part 3: Bias in Forensic Evaluations November 18, 2015 Ohio MHAS Forensic Conference Columbus, OH Terry Kukor, Ph.D., ABPP Board Certified in Forensic Psychology Director of Forensic Services Netcare

972 views • 23 slides
Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Challenges in Crime Scene Investigation Technical challenges in forensic STR profiling

Epigenetics a New Perspective for Improving Forensic Science p g Hwan Young Lee, Ph.D. Department of Forensic Medicine Yonsei University College of Medicine Current Forensic DNA Typing Forensic cases -- matching suspect with evidence

247 views • 13 slides
Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

Objectives 1. Articulate the rationale for restructuring forensic evaluation reports 2. Identify

11/5/2015 Specialized Topics in Ethical Forensic Practice, Part 1: Restructured Forensic Reports Presented For OhioMHAS Forensic Conference November 18, 2015 Terry Kukor, Ph.D., ABPP (Forensic) Joy Stankowski, M.D. Aracelis (Liz) Rivera, Psy.D.

451 views • 17 slides
Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak

Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak

Context A Forensic Event Ontology Assisting Video Surveillance-based Vandalism Detection Conclusions Towards a Forensic Event Ontology to Assist Video Surveillance-based Vandalism Detection 1 Faranak Sobhani 1 Umberto Straccia 2 1Queen Mary

222 views • 19 slides
DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly.

DFIR FILE SYSTEM FORENSICS DEV DUA (@dev0x01) >> whois Dev.Dua # Star Wars fan, clearly. # M.Eng. Cybersecurity # JOATMON Full Stack Developer, Security Engineer, Scripting/Automation, Researcher # Twitter: dev0x01 # Web:

1.03k views • 43 slides
Applying Case-Based Reasoning to Spatial- temporal Analysis of Residential Burglary Crime

Applying Case-Based Reasoning to Spatial- temporal Analysis of Residential Burglary Crime

Applying Case-Based Reasoning to Spatial- temporal Analysis of Residential Burglary Crime Investigation: A Cloud Service Prototype Sheng-Ming Wang, PhD Graduate Institute of Interactive Media Design, National Taipei University of Technology,

537 views • 18 slides
Executive Forum Where/When Session 1 Introductions 2 Who Are We? Background and Credentials

Executive Forum Where/When Session 1 Introductions 2 Who Are We? Background and Credentials

Executive Forum Where/When Session 1 Introductions 2 Who Are We? Background and Credentials 3 Housekeeping Seeing? Hearing? Beepers & cell phones off or mute Restrooms Emergency exits Workbooks

729 views • 71 slides
Forensic Interviews: Plan to Succeed Charles L. McGimsey, CPA CFE CFF Numbers Dont Lie

Forensic Interviews: Plan to Succeed Charles L. McGimsey, CPA CFE CFF Numbers Dont Lie

Forensic Interviews: Plan to Succeed Charles L. McGimsey, CPA CFE CFF Numbers Dont Lie CAQ Fraud Case Study: Kendallville Bank Dan Davis Court Appointed Accountant How would you determine why customers left? Fraud

305 views • 16 slides
Assessment of Youth at Risk for Violence Shawn S. Sidhu, F.A.P.A. Disclosures I write CME

Assessment of Youth at Risk for Violence Shawn S. Sidhu, F.A.P.A. Disclosures I write CME

Assessment of Youth at Risk for Violence Shawn S. Sidhu, F.A.P.A. Disclosures I write CME questions for the American Psychiatric Associations journal FOCUS All statistics and graphs taken from the FBIs A Study of Active Shooter Incidents

614 views • 42 slides
'Cyber Forensics' "Cyber" is a prefix used to describe a person, thing, or idea as part

'Cyber Forensics' "Cyber" is a prefix used to describe a person, thing, or idea as part

'Cyber Forensics' "Cyber" is a prefix used to describe a person, thing, or idea as part of the computer and information age. Taken from kybernetes , Greek for "steersman" or "governor," it was first used in

1.91k views • 156 slides
About this presentation : Learning : What is Digital Forensics ? Political : Digital

About this presentation : Learning : What is Digital Forensics ? Political : Digital

An introduction to digital forensics About this presentation : Learning : What is Digital Forensics ? Political : Digital Forensics and Open Sources licensing Tool time : Digital Forensics Framework Presented by Solal Jacob core dev.

444 views • 30 slides

More recommend