
Forensic Analysis as Iterative Learning

The Security of Critical Infrastructures

Part of the book series: International Series in Operations Research & Management Science ((ISOR,volume 288))

Abstract

This chapter covers the added value of forensic analysis for the cybersecurity of critical infrastructure. Against the current threat landscape, it details the role of forensic analysis in cybersecurity, concentrating on forensic preparedness, incident scope assessment, forensic intelligence, and an agile cycle for iteratively improving security using insights gathered from scrutinizing prior cyberattacks.




Acknowledgement

Thanks to Christopher Daywalt for his collaboration and talents investigating sophisticated network intrusions and malware.


Correspondence to Eoghan Casey.


Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter


Cite this chapter

Casey, E., Nikkel, B. (2020). Forensic Analysis as Iterative Learning. In: Keupp, M. (eds) The Security of Critical Infrastructures. International Series in Operations Research & Management Science, vol 288. Springer, Cham. https://doi.org/10.1007/978-3-030-41826-7_11
