Abstract
Using forensics techniques, organizations can uncover vital evidence and information regarding intrusion methods and techniques, what actions an intruder took when inside the system or network and what information was taken. However, anti-forensic techniques are being used by cyber-criminals to remove the traces which can be used to successfully investigate their intrusion or cover the fact that an intrusion has taken place. Many of the modern cyber-security programs that are used to defend networks, and the data held within them, are being used by those who would wish to enter these systems without permission—they are a double-edged sword. Cyber-security applications provide important advantages to security professionals. Nevertheless, these advantages are reduced, or lost, when they are used by cyber-criminals in an anti-forensics manner. This chapter explores how common security techniques and methods, such as system logging, vulnerability scanning, and network monitoring, can be misused by cyber-criminals to hide their presence on the network. It then explores some simple security practices and approaches that can be used by network defenders to reduce the effectiveness of these anti-forensic practices.
Notes
1. A Bash shell script is a computer program written in the Bash programming language. A Bash shell script can contain a single command, a very simple list of commands, or functions, loops and conditional constructs.
2. Spoofing refers to the act of tricking or deceiving a computer system or computer user by hiding one's identity or pretending to be another user.
3. MACs are time sensitive, making it difficult to spoof log records from a prior time-period. The MAC is calculated for the first time-period and is then used to calculate the MAC for the next time-period. The first MAC is then permanently deleted (Lantz et al. 2006: 45).
4. A zero-day vulnerability refers to an exploitable bug in software that is unknown to the vendor. The security hole may be exploited before the vendor can fix it (Symantec 2016).
5. A CVE is a dictionary of publicly known information about security vulnerabilities and exposures.
6. The vulnerability dataset came from more than 200 million successful exploitations across more than 500 CVEs from over 20,000 enterprises in more than 150 countries. Security incidents were collected from SIEM logs, then analysed for exploit signatures, and paired with vulnerability scans of the same environments to create an aggregated picture of exploited vulnerabilities over time.
7. Cyber security hygiene is the establishment and maintenance of an individual's online safety and encapsulates the daily routines, occasional checks and general behaviours required to maintain a user's online security. This would typically include the following best practices: updating virus definitions, using a firewall, running security scans, proper password selection, updating software, securing personal data and backing up data (InfoSec Institute 2015).
8. If they have the encryption key.
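The forward-integrity logging scheme sketched in note 3 (the Lantz et al. 2006 and Jiang et al. 2004 references), as an added illustration that is not code from the chapter. It assumes the standard forward-secure construction: the value carried from one time-period to the next is a per-period key derived by one-way hashing, each period's log records are authenticated with an HMAC under that period's key, and the old key is erased, so an intruder who later obtains the host's current key cannot recompute tags for earlier periods. Key names, record contents and the key-derivation label are constructed for the example.

```python
import hashlib
import hmac

def next_key(key):
    """Derive the following period's key by one-way hashing (assumed construction)."""
    return hashlib.sha256(b"forward-integrity-key|" + key).digest()

def mac_period(key, records):
    """HMAC over every record of one time-period; length-prefixed to fix boundaries."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for rec in records:
        h.update(len(rec).to_bytes(4, "big") + rec)
    return h.digest()

def seal_periods(initial_key, periods):
    """Logging host: tag each period, then replace ('permanently delete') its key.
    Returns the per-period tags and the only key the host still holds."""
    key = initial_key
    tags = []
    for records in periods:
        tags.append(mac_period(key, records))
        key = next_key(key)  # previous key overwritten and unrecoverable
    return tags, key

def verify_periods(initial_key, periods, tags):
    """Investigator: from the escrowed initial key, walk the chain and check each period."""
    key = initial_key
    results = []
    for records, tag in zip(periods, tags):
        results.append(hmac.compare_digest(mac_period(key, records), tag))
        key = next_key(key)
    return results

# Constructed sample data (not from the chapter): two periods of syslog-style records.
SAMPLE_INITIAL_KEY = b"escrowed-initial-key-0"
SAMPLE_PERIODS = [
    [b"Jul 10 09:00:01 host sshd[411]: Accepted publickey for alice",
     b"Jul 10 09:05:12 host sudo: alice : COMMAND=/bin/ls"],
    [b"Jul 10 10:00:00 host sshd[520]: Accepted password for bob"],
]

def demo():
    """Seal both periods, then remove one record from period 0 and re-verify."""
    tags, _current_key = seal_periods(SAMPLE_INITIAL_KEY, SAMPLE_PERIODS)
    edited = [[SAMPLE_PERIODS[0][0]], SAMPLE_PERIODS[1]]  # sudo line deleted
    return verify_periods(SAMPLE_INITIAL_KEY, edited, tags)  # [False, True]
```

The edited earlier period fails while the untouched later period still verifies; the escrowed initial key must live off the logging host, since anyone holding it can regenerate the whole chain.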
References
Apple Inc. (2004) Syslogd.8 [Online]. Available at: https://opensource.apple.com/source/syslog/syslog-64/syslogd.tproj/syslogd.8.auto.html. Accessed 10 July 2017
Bartlett G, Heidemann J, Papadopoulos C (2007) Understanding passive and active service discovery [Online]. Available at: http://conferences.sigcomm.org/imc/2007/papers/imc168.pdf. Accessed 10 July 2017
du Toit J (2015) How network architecture can affect the reliability of your reports [Online]. Available at: https://www.irisns.com/how-network-architecture-can-affect-the-reliability-of-your-reports/. Accessed 10 July 2017
Foreman P (2010) Vulnerability management. Taylor & Francis Group, Boca Raton, p 1
F-Secure (2017) WannaCry, the biggest ransomware outbreak ever [Online]. Available at: https://safeandsavvy.f-secure.com/2017/05/12/wannacry-may-be-the-biggest-cyber-outbreak-since-conficker/. Accessed 10 July 2017
InfoSec Institute (2015) The importance of cyber hygiene in cyberspace [Online]. Available at: http://resources.infosecinstitute.com/the-importance-of-cyber-hygiene-in-cyberspace/#gref. Accessed 10 July 2017
Jepson B, Rothman E, Rosen R (2008) Mac OS X for Unix geeks, 4th edn. O’Reilly Media, Inc, Sebastopol
Jiang T, Liu J, Han Z (2004) Secure audit logs with forward integrity message authentication codes. ICSP’04 proceedings, pp 2655–2658
Juuso A-M, Takanen A (2010) Unknown vulnerability management. Codenomicon whitepaper [Online]. Available at: https://whitepapers.em360tech.com/wp-content/files_mf/white_paper/codenomicon-wp-unknown-vulnerability-management-20101019.pdf. Accessed 10 July 2017
Khan S, Gani A, Wahab AWA, Bagiwa MA, Shiraz M, Khan SU, Buyya R, Zomaya AY (2016) Cloud log forensics: foundations, state of the art, and future directions. ACM Comput Surv 49(1):1–42
Lantz B, Hall R, Couraud J (2006) Locking down log files: enhancing network security by protecting log files. Issues Inf Secur 7(2):45
Lavrova D, Pechenkin A (2015) Applying correlation and regression analysis to detect security incidents in the internet of things. Int J Commun Netw Inf Secur Kohat 7(3):131–137
Maintain (2008) Manage log files [Online]. Available at: http://www.maintain.se/cocktail/help/tiger/files/logs.html. Accessed 10 July 2017
Mao HH, Wu JC, Papalexakis EE, Faloutsos C, Lee KC, Kao TC (2014) MalSpot: Multi2 malicious network behavior patterns analysis. In: Advances in knowledge discovery and data mining. Springer, Berlin, pp 1–14
Mertka B (2017) Security and privacy issues in NG112 [Online]. Available at: http://www.eena.org/download.asp?item_id=234. Accessed 11 July 2017
Orrill J (2017) What is the difference between active & passive vulnerability scanners? [Online]. Available at: http://smallbusiness.chron.com/difference-between-active-passive-vulnerability-scanners-34805.html. Accessed 11 July 2017
Prunckun H (2012) Counterintelligence theory and practice. Rowman & Littlefield, Lanham
Scott C (2008) Covering the tracks on the MAC OS X Leopard. SANS Institute InfoSec Reading Room [Online]. Available at: http://docplayer.net/19125537-Covering-the-tracks-on-mac-os-x-leopard.html. Accessed 11 July 2017
Skoudis E (2001) Defending your log files [Online]. Available at: http://www.phptr.com/articles/article.asp?p=234.64&seqNum=1. Accessed 10 July 2017
Skoudis E (2007) Hacker techniques, exploits, & incident handling. The SANS Institute, Bethesda
Symantec (2016) What is a zero-day vulnerability? [Online]. Available at: http://www.pctools.com/security-news/zero-day-vulnerability/. Accessed 10 June 2017
Trend Micro (2017) Exploit kit [Online]. Available at: http://www.trendmicro.com.au/vinfo/au/security/definition/exploit-kit. Accessed 10 July 2017
Van der Aalst WMP, de Medeiros AKA (2005) Process mining and security: detecting anomalous process executions and checking process conformance. Electron Notes Theor Comput Sci 121:3–21
Verizon (2015) 2015 data breach investigations report [Online]. Available at: http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigation-report_2015_en_xg.pdf. Accessed 10 July 2017
Verizon (2017) 2017 data breach investigation report [Online]. Available at: http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/. Accessed 10 July 2017
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
Cite this chapter
Irwin, A.S.M. (2018). Double-Edged Sword: Dual-Purpose Cyber Security Methods. In: Prunckun, H. (eds) Cyber Weaponry. Advanced Sciences and Technologies for Security Applications. Springer, Cham. https://doi.org/10.1007/978-3-319-74107-9_8
DOI: https://doi.org/10.1007/978-3-319-74107-9_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-74106-2
Online ISBN: 978-3-319-74107-9
eBook Packages: Law and Criminology (R0)