Abstract
Cloud forensic investigations involve large volumes of diverse devices and data. Investigations of advanced persistent threat attacks require filtering noisy data and applying expert knowledge to identify the missing steps in attacks that typically span long periods of time. Under such circumstances, obtaining timely and credible forensic results is a challenge.
This chapter uses a case study to demonstrate how MITRE's ATT&CK knowledge base and Lockheed Martin's Cyber Kill Chain methodology can be used in conjunction to perform forensic analyses of advanced persistent threat attacks in cloud environments. ATT&CK is a globally accessible knowledge base of adversary tactics and techniques developed from real-world observations of attacks. The Cyber Kill Chain methodology describes a series of steps that trace a cyber attack from its early reconnaissance stage to the later data exfiltration stage. Because advanced persistent threat attacks on cloud systems involve the key Cyber Kill Chain phases of reconnaissance, command and control communications, privilege escalation, lateral movement through a network and exfiltration of confidential information, it is beneficial to combine the ATT&CK knowledge base and Cyber Kill Chain methodology to identify and aggregate evidence, and to automate the construction of the attack steps.
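The following is an added illustration, not code from the chapter, of how evidence tagged with ATT&CK technique IDs can be aggregated under Cyber Kill Chain phases and the unevidenced phases flagged as the "missing steps" an analyst must fill. The technique-to-phase table is an assumed, simplified mapping (the IDs are real ATT&CK IDs, but the chapter does not list them), and the evidence records are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List

# Lockheed Martin Cyber Kill Chain phases, in attack order.
KILL_CHAIN = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command and control", "actions on objectives"]
UNOBSERVABLE = {"weaponization"}  # adversary-side phase; leaves no victim evidence

# Assumed, simplified mapping of real ATT&CK technique IDs onto kill chain phases.
TECHNIQUE_PHASE: Dict[str, str] = {
    "T1595": "reconnaissance",         # Active Scanning
    "T1190": "delivery",               # Exploit Public-Facing Application
    "T1068": "exploitation",           # Exploitation for Privilege Escalation
    "T1078": "installation",           # Valid Accounts (persistence with stolen creds)
    "T1071": "command and control",    # Application Layer Protocol
    "T1021": "actions on objectives",  # Remote Services (lateral movement)
    "T1041": "actions on objectives",  # Exfiltration Over C2 Channel
}

@dataclass(frozen=True)
class Evidence:
    ts: int         # collection timestamp (epoch seconds)
    source: str     # where the artefact came from: VM log, hypervisor, flow record
    technique: str  # ATT&CK technique ID the analyst attributed to the artefact

# Constructed sample evidence from a fictitious cloud tenant; not from the chapter.
SAMPLE_EVIDENCE = [
    Evidence(900, "vpc-flow", "T1041"),
    Evidence(100, "waf-log", "T1595"),
    Evidence(400, "vm-netstat", "T1071"),
    Evidence(200, "waf-log", "T1190"),
]

def build_attack_steps(evidence: List[Evidence]) -> Dict[str, List[Evidence]]:
    """Aggregate evidence under its kill chain phase, time-ordered within each phase."""
    steps: Dict[str, List[Evidence]] = {phase: [] for phase in KILL_CHAIN}
    for item in sorted(evidence, key=lambda e: e.ts):
        phase = TECHNIQUE_PHASE.get(item.technique)
        if phase is None:  # unmapped IDs are noise until the analyst classifies them
            raise ValueError(f"no kill chain phase for technique {item.technique}")
        steps[phase].append(item)
    return steps

def missing_phases(steps: Dict[str, List[Evidence]]) -> List[str]:
    """Observable phases between the first and last evidenced phase with no evidence."""
    seen = [i for i, phase in enumerate(KILL_CHAIN) if steps[phase]]
    if not seen:
        return []
    span = KILL_CHAIN[seen[0]:seen[-1] + 1]
    return [p for p in span if not steps[p] and p not in UNOBSERVABLE]
```

For the constructed sample the chain runs from reconnaissance to exfiltration with no artefacts for exploitation or installation, which is exactly where further collection (for example from the hypervisor or VM memory) would be directed.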
© 2020 IFIP International Federation for Information Processing
About this paper
Cite this paper
Liu, C., Singhal, A., Wijesekera, D. (2020). Forensic Analysis of Advanced Persistent Threat Attacks in Cloud Environments. In: Peterson, G., Shenoi, S. (eds) Advances in Digital Forensics XVI. DigitalForensics 2020. IFIP Advances in Information and Communication Technology, vol 589. Springer, Cham. https://doi.org/10.1007/978-3-030-56223-6_9
DOI: https://doi.org/10.1007/978-3-030-56223-6_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-56222-9
Online ISBN: 978-3-030-56223-6