Computer Security Incident Handling Guide


02 Nov 2017

Disclaimer:
This essay has been written and submitted by students and is not an example of our work. Any opinions, findings, conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of EssayCompany.


Abstract

Incident handling is the process by which responsible staff respond to an incident that has occurred in the infrastructure. It may involve several phases and several experts, whose job is to obtain the relevant evidence from the affected system while avoiding the analysis of unnecessary information. Cloud computing is a new phenomenon that many organizations are moving into, but the incident handling methodologies and guidelines currently on the market were not written for cloud infrastructure, so some modification is needed. According to Gartner, by 2016 a large share of data will be in the cloud. From that statistic we can predict that, within a few years, investigating the root cause of an incident will be a challenge for the incident handler. The challenge may involve third parties such as the cloud service provider, and the infrastructure itself in terms of asset management. Involving many parties can lengthen the time needed to close a case and identify the root cause, and can affect quality of service. A further issue is ensuring that the data gathered has not been tampered with. In resolving an incident it is important to shorten the investigation and to guarantee that the service is not interrupted or intermittent: if incident handling takes too long, the evidence, and the remediation the incident handler proposes, are no longer relevant.

Hence, incident handlers need a comprehensive framework that keeps their investigation efficient even when they are dealing with large volumes of data from multiple sources. In this paper we propose a comprehensive incident handling framework for the cloud computing environment, limited to the service model called Infrastructure as a Service. The simulation will run on OpenStack and on VMware Workstation with four instances: Windows Server 2008, SUSE, Fedora and Ubuntu. Information such as access log files, intrusion detection log files and firewall logs is transferred over a secure channel so that the evidence received is identical to the evidence of the detected incident. Once the digital evidence reaches the designated server, all of the information is clustered to determine the type of incident, and a defence strategy is then applied to make sure the incident does not spread to other instances or servers in the cloud infrastructure. With this proposed method we hope to reduce the time taken to detect, analyse logs and apply a defence strategy as remediation for the affected system, while the service keeps running as usual without interruption.

Keywords: Cloud Computing, Infrastructure as a Service, Incident handling process

Introduction

In this paper we propose a comprehensive framework for incident handling in a cloud computing environment, built on the NIST (National Institute of Standards and Technology) framework. As far as we are concerned, the phases introduced by NIST can almost all be applied in a cloud computing environment; however, slight modifications are needed to make sure the process remains relevant. Cloud computing is the most in-demand technology attracting organizations today.

We organize this paper into sections. Throughout the paper we review existing frameworks and literature in order to determine which requirements of traditional investigation frameworks need to be improved so that they fit the obstacles of the cloud environment. The draft guidance by the Federal CIO Council (2011, p.12) states that "incident response and computer forensics in a cloud environment require fundamentally different tools, techniques and training." In this light we examine the existing frameworks. We define computer forensics as the scientific discipline concerned with the collection, analysis and interpretation of digital data linked to a computer security incident (Mandia et al.); it is in fact a subset of the incident handling process (Kent, Chevalier, Grance, & Dang, 2006). Throughout this paper we define an incident as a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices (Tim, Ken, & Kin, 2012). Although incident handling is known to be the process of detecting and analysing incidents and limiting their effects, we also use the definition given by the Glossary of Key Information Security Terms (Incident Handling (n.d.), retrieved January 11, 2013, from http://www.expertglossary.com/definition/): the mitigation of violations of security policies and recommended practices.

Section 1 briefly covers incident handling, cloud computing infrastructure, and detection and analysis, and discusses the methods used by previous researchers. Section 2 gives a conclusion and a gap analysis of the literature review.

Incident Handling

MS ISO/IEC 27001:2006, the Information Security Management System standard, lists management of information security incidents among the control objectives and controls in Annex A (A.13.2). This shows that handling security incidents is a must for every organization. From the literature review we found that the first model of the incident investigation process was proposed by Pollitt in 1984; at that time the stages were only acquisition, identification, evaluation and admission. The latest framework in this line is the one proposed by the US National Institute of Standards and Technology (Kent et al., 2012), whose stages are Preparation; Detection and Analysis; Containment, Eradication and Recovery; and Post-Incident Activity. Computer security incident response has become an important component of information technology (IT) programs. Performing incident response effectively is, however, a complex undertaking, and establishing a successful incident response capability requires substantial planning and expert resources (Tim, Ken & Kin 2012).

Two of the most widely used and accepted forensic frameworks, McKemmish (1999) and NIST (Cichonski & Scarfone, 2012), are then reviewed to identify the changes to current forensic practice that are needed to conduct cloud computing investigations successfully. We propose a comprehensive conceptual incident handling framework for cloud computing that builds on the existing NIST framework (Cichonski & Scarfone, 2012) and emphasises the detection and analysis phase. We found that the detection phase needs enhancement to make sure the data collected for analysis is preserved.

Previous researchers [1],[4],[5],[6],[7],[8],[15],[17] agree that preservation involves the search, recognition, documentation and collection of electronic evidence. For the evidence to remain relevant, whether for legal proceedings or for technical purposes, it must be preserved. Failing to preserve evidence in its original state at seizure can jeopardize an entire investigation and permanently lose valuable information about the incident.

Pollitt's 1984 framework for incident investigation has served many researchers as the base for developing new frameworks [1],[6],[7]. He named it the Computer Forensic Investigation Process, and it has four stages: Acquisition, Identification, Evaluation and Admission. The investigator first acquires the data, then identifies why the incident happened; from the identification step the evidence is evaluated, and the findings are approved in the admission step. Starting from these basic stages, the number of stages has grown considerably so that frameworks fit the current environment and ease the investigator's work.

Investigations and incidents are handled in different ways depending on the circumstances and significance of the incident and on the readiness and experience of the investigation team. The "Incident Response Methodology" of [23] proposes the following phases for encountering an incident or performing a digital investigation. Each step in the table is described in enough detail to perform incident handling; however, we find that the detection techniques, i.e. how to detect suspect activity, are not clear enough to cater for specific types of attack. This framework was designed for mobile devices, specifically PDA forensics, in 2004.

1. Pre-incident preparation: through training and education, gain an understanding of how to respond to an incident.
2. Detection of incidents: develop techniques for detecting suspect activity.
3. Initial response: confirm that an incident has occurred and obtain volatile evidence.
4. Response strategy formulation: respond to the incident based on all known facts collected in the initial response phase.
5. Duplication (forensic backups): depending on the scenario, either create a physical forensic image or perform live retrieval of evidence.
6. Investigation: determine what happened, who did it and how the incident can be prevented in the future.
7. Security measure implementation: apply security measures to isolate and contain infected systems.
8. Network monitoring: monitor network traffic in real time for additional attacks.
9. Recovery: restore the affected system to a secure, operational state.
10. Reporting: document all of the details and investigative steps taken throughout the incident.
11. Follow-up: learn from the incident by reviewing how and why it happened and make the necessary adjustments.

Table 1 : Incident Response Methodology (Jansen & Ayers, 2004)

Figure 1 : Computer Security Incident Handling Guide (Tim et al., 2012)

The latest framework for incident handling is the Computer Security Incident Handling Guide from the National Institute of Standards and Technology (Tim et al., 2012). It still has four phases, as Pollitt's 1984 model did, but with improvements, including iteration from one phase back to another. The initial phase involves establishing and training an incident response team and acquiring the necessary tools and resources. During preparation the organization also tries to limit the number of incidents that will occur by selecting and implementing a set of controls based on the results of risk assessments; residual risk will nevertheless persist after the controls are in place, so detection of security breaches is necessary to alert the organization whenever an incident occurs. In keeping with the severity of the incident, the organization mitigates its impact by containing it and ultimately recovering from it. During this phase activity often cycles back to detection and analysis, for example to check whether additional hosts are infected by malware while a malware incident is being eradicated. After the incident has been adequately handled, the organization issues a report detailing the cause and cost of the incident and the steps it should take to prevent future incidents. This section describes the major phases of the incident response process (preparation; detection and analysis; containment, eradication and recovery; and post-incident activity) in detail. Figure 1 illustrates the incident handling life cycle.

Identifying security incidents in cloud environments is not easy, but there are steps companies can take to ease the process and to prevent future incidents. A number of methods have been proposed by researchers since 1984 (Yusoff, Ismail, & Hassan, 2011), and research on the subject continues as times and technology change. Overall, as the table below shows, the models have become more detailed and comprehensive, but they generally share common investigation steps; the differences lie in how each step is described, and different scenarios may need different levels of investigation.

1. Computer Forensic Investigation Process (1984): first proposed by Pollitt in 1984 as a methodology for handling digital evidence investigation. The stages are Acquisition, Identification, Evaluation and Admission.
2. Computer Forensic Analysis Guidelines (1999): Farmer and Venema outline some basic steps in their Computer Forensics Analysis class notes [Farmer99]. Their guidelines include steps such as "secure and isolate, record the scene, conduct a systematic search for evidence, collect and package evidence, and maintain chain of custody" [Farmer99].
3. McKemmish (1999, p.1): identifying, preserving, analysing and presenting digital evidence.
4. Digital Forensic Research Workshop Investigative Model (2001)
5. Abstract Digital Forensic Model (ADFM, 2002)
6. Integrated Digital Investigation Process (2003)
7. Hierarchical Objective-Based Framework (HOBF)
8. Generic Computer Forensic Investigation Model (2011)
9. US National Institute of Standards and Technology, NIST (Kent et al., 2012)

Table 1 : Summary of computer forensic investigation models

Of all the incident handling frameworks, McKemmish (1999, p.1) gives the definition of digital forensics as "the process of identifying, preserving, analysing and presenting digital evidence in a manner that is legally acceptable". McKemmish's digital forensics framework therefore has four key elements: the identification, preservation, analysis and presentation of digital evidence. Each is described below:

Identification of digital evidence

Defines the requirements for evidence management: knowing that the evidence is present, its location, and its type and format. Cloud computing adds new requirements for investigation; for example, identification of the cloud services used on a seized device may become a critical part of the standard incident identification process for seized suspect equipment.

Preservation

Concerned with ensuring that evidential data remains unchanged, or is changed as little as possible.

Analysis

Transforms the bit-level data collected in the earlier two phases into evidence presentable to a court of law. In a cloud computing environment, however, the data stored in the cloud must be analysed, together with network data that can be collected while the client(s) communicate with the cloud and any data stored on the client, such as cache data.

Presentation

Concerned with presenting evidence to the courts, in terms of providing expert testimony on the analysis of the evidence. This element is mostly concerned with legal presentation and is generally unchanged regardless of the computing platform being analysed.

From this analysis we find similarities between the four phases of NIST's forensic process (Kent et al., 2012) and McKemmish's (1999) framework:

1. Collection: identifying relevant data, preserving its integrity and acquiring the data.
2. Examination: using automated and manual tools to extract data of interest while ensuring preservation.
3. Analysis: deriving useful information from the results of the examination.
4. Reporting: preparing and presenting the forensic analysis (Kent et al., 2012, p.ES-1).

Table 1 : The four phases and their definitions in NIST's framework share similarities with McKemmish (1999)

From the methods above we conclude that most of the process focuses on the analysis phase. In the cloud, preservation is the most important concern, since it ensures that the evidence is there and has not been tampered with.

1.2 Cloud Computing

Cloud computing is currently one of the main trends in the information and communications technology (ICT) sector. The 2011 Gartner hype cycle referred to cloud computing as the "most hyped concept in IT" (Smith, 2011, p.3), and "cloud computing" has been a trending search on Google since 2009 with continued interest (Google, 2011). A Gartner report suggested that cloud computing could be a US$149 billion market by 2014 and by 2016 could reach 100% penetration of the Forbes Global 2000 companies (McGee, 2011). From these figures it can reasonably be assumed that many of those top 2000 companies will provide some level of online access via cloud computing to their internal users and customers; Gartner also predicts that by 2016 one third of user data will be in the cloud (http://www.gartner.com/it/page.jsp?id=2060215).

Year by year the government sector is becoming more eager to implement cloud computing in its ICT infrastructure. Servers in the cloud can be physical machines or virtual machines. Cloud computing is a new term used by industry and researchers to describe a computing concept in which software services, and the resources they use, operate as (and on) a virtualised platform across many different host machines connected by the Internet or by an organization's internal network. From a business or system user's point of view, the cloud provides, via virtualisation, a single platform or service collection in which it can operate (Taylor, Haggerty, Gresty, & Lamb, 2011).

The National Institute of Standards and Technology (NIST) categorizes cloud computing into three service models:

Software as a Service (SaaS), in which software applications are provided and managed in the cloud by the Cloud Service Provider; an example is Microsoft Online Services, which hosts versions of Microsoft Exchange and Microsoft SharePoint.

Platform as a Service (PaaS), in which the Cloud Service Provider delivers the underlying infrastructure, including the OS and storage, that allows organizations to build and run applications using languages and tools provided and supported by the Cloud Service Provider; the Microsoft Windows Azure Platform is an example.

Infrastructure as a Service (IaaS), in which the Cloud Service Provider gives an organization access to basic IT infrastructure (network, hardware, core operating system and virtualization software) on which the organization can deploy its own applications and data in a virtualized environment, including applications developed with languages and tools not provided or supported by the Cloud Service Provider. Amazon's EC2 and Rackspace's Cloud Servers are examples.

This cloud model promotes availability and is composed of five essential characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity and measured service. Across all the services offered there are also four deployment models, described in the table below:

1. Private clouds: operated by or for a single organization.
2. Community clouds: operated for groups of organizations with similar service requirements.
3. Public clouds: one general SLA for all; data resides on shared resources.
4. Hybrid clouds: connect public and private clouds, sharing services and data among them.

Table 1 : Deployment Models (Mell & Grance, 2011)

Figure 1 : NIST Visual Model of Cloud Computing Definition adapt from (Mell & Grance, 2011)

Of SaaS, PaaS and IaaS, IaaS is arguably the most established cloud service model, already offering a wide variety of products and advanced capabilities, of which automated scalability, pay-per-use and on-demand provisioning are some of the most relevant.

Virtualization is at the core of any cloud computing initiative, regardless of delivery model or deployment method. Service providers, or the managers of internal enterprise private clouds, use virtualization technology to realize the efficiencies and flexibility that cloud computing offers [15]. This raises the risks and considerations of virtualization security in the cloud: how to manage and ensure secure multi-tenancy of virtual machines on a single host, the risks and threats that web-based attackers pose to the hypervisor, and how to handle data management and data governance. Virtualization also compounds the complexity of evidence preservation, given the layered abstractions on which potential evidence may reside; it demands even greater and more specific skills to ensure that digital evidence in a virtual machine environment is not compromised or altered. It is important to note at this stage that connectivity and a relationship are maintained between each layer and the next, so inter-layer interactions are unavoidable. For example, the host operating system communicates with the hardware and with the virtual machine monitor (the hypervisor), and any interaction between the virtual machine monitor and the physical hardware is mediated by the host operating system. The guest operating system, the virtual machine, remains at a different level of abstraction, and its interaction with the outside domain (hardware and services) is made possible by the virtual machine monitor/hypervisor. In this respect VMware Workstation ensures efficient communication with the host operating system so that its guest platforms can access and use hardware resources.

1.3 Detection And Analysis

Detection is the basic but very important role in successful incident handling, and so is the analysis phase. Analysis is the process of breaking a complex topic or substance into smaller parts to gain a better understanding of it. Cloud computing presents both challenges and opportunities for incident handling. As is well known, cloud systems are also exposed to malicious attacks by cyber criminals, who may be able to hijack them and use them for criminal purposes, adding to the growing volume of digital evidence in each case under investigation. In addition, cloud services can be used as a launching pad for new attacks or as a place to store and distribute.

These factors can hinder the incident handler and potentially prevent law enforcement and national security agencies from acquiring digital evidence and analysing digital content in a timely manner, which can also lead to unintended consequences. Detection and analysis will therefore be the core of handling an incident in the cloud environment. Most researchers agree that in cloud infrastructure the investigator has to involve a third party, and this is the hardest part when the information or data needed for the analysis has to be obtained.

In a cloud computing environment, the detection steps taken from the moment misuse or criminal activity is suspected can have a profound impact on both the amount of digital evidence available and the extent to which it will be acceptable in future legal proceedings. When digital evidence is required from a public cloud service provider there may also be an issue of continuity of service for other users of the cloud services (Mark Taylor, Haggerty, Gresty, & Lamb, 2011). The spreading use of distributed systems is forcing the development of increasingly varied investigative procedures in digital forensics, for both the "target" and the "analysis" platforms: a target platform is one that has been attacked or used to perpetrate some policy or criminal violation, while an analysis platform is the one supporting the forensic workstation (Forte, D., 2005).

The detection phase is crucial and requires preservation. The main objective is to make sure the scene of the crime is left intact so as not to preclude any future investigation or analytical measures. Proper incident detection guidelines allow quick detection of computer security incidents. Detection normally occurs when a person or a security mechanism suspects an unauthorized or unlawful action involving a computer system or network; suspicion of an incident can come from many different sources, e.g. end users, security personnel, intrusion detection systems or system administrators. Log file integrity problems based on RFC 3164, the BSD syslog protocol, fall into three categories: transmission-related problems, message integrity problems and message authenticity problems.
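As an added illustration of the message integrity and authenticity categories (this is example code written for this page, not the paper's implementation), the following Python parses RFC 3164 lines and shows one way a collector can detect a modified, dropped or reordered message: each forwarded record carries a sequence number and an HMAC-SHA256 tag computed over the previous record's tag, the sequence number and the line, so the records form a keyed chain. The shared key, the genesis value and the sample messages are assumptions made for the example; the transmission-related category still needs a protected transport such as TLS, which this code does not provide.

```python
"""RFC 3164 syslog parsing plus a keyed hash chain for tamper-evident log transfer.

Added example, not code from the paper. Assumptions: the collector and every
instance share a secret key (KEY below), and each forwarded record carries a
sequence number and an HMAC-SHA256 tag that also covers the previous tag.
The syslog lines are constructed samples.
"""
import hashlib
import hmac
import re

# Shared secret between instance and collector (assumed; provisioned out of band).
KEY = b"per-tenant-secret-provisioned-out-of-band"

# Constructed sample messages in RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME TAG[PID]: MSG
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 4122 ssh2",
    "<34>Oct 11 22:14:16 web01 sshd[2203]: Failed password for root from 203.0.113.7 port 4123 ssh2",
    "<86>Oct 11 22:14:20 web01 sshd[2210]: Accepted password for root from 203.0.113.7 port 4125 ssh2",
]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^:\[ ]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

GENESIS = b"\x00" * 32  # tag assumed for the record before the first one


def parse_syslog(line):
    """Split one RFC 3164 line; PRI encodes facility * 8 + severity."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not an RFC 3164 message: %r" % line)
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "timestamp": m.group("ts"),
        "host": m.group("host"),
        "tag": m.group("tag"),
        "pid": m.group("pid"),
        "msg": m.group("msg"),
    }


def _tag(key, prev_tag, seq, line):
    data = prev_tag + seq.to_bytes(8, "big") + line.encode("utf-8")
    return hmac.new(key, data, hashlib.sha256).digest()


def chain_records(lines, key=KEY):
    """Instance side: wrap each line as (seq, line, hex_tag), chaining on the previous tag."""
    prev, records = GENESIS, []
    for seq, line in enumerate(lines):
        parse_syslog(line)  # refuse to forward malformed lines
        tag = _tag(key, prev, seq, line)
        records.append((seq, line, tag.hex()))
        prev = tag
    return records


def verify_chain(records, key=KEY):
    """Collector side: (True, None) if intact, else (False, index of the first bad record).

    A gap or reorder shows up as an unexpected sequence number; a modified line
    or a wrong key shows up as a tag mismatch. Records after the first failure
    cannot be trusted because their tags depend on the bad one.
    """
    prev = GENESIS
    for expected, (seq, line, tag_hex) in enumerate(records):
        if seq != expected:
            return False, expected
        tag = _tag(key, prev, seq, line)
        if not hmac.compare_digest(tag.hex(), tag_hex):
            return False, seq
        prev = tag
    return True, None


if __name__ == "__main__":
    recs = chain_records(SAMPLE_LINES)
    print(verify_chain(recs))  # (True, None)
    recs[1] = (1, recs[1][1].replace("Failed", "Accepted"), recs[1][2])
    print(verify_chain(recs))  # (False, 1)
```

The chain only proves what left the instance's forwarder unchanged; a log line altered by an attacker on the instance before it was forwarded carries a valid tag, which is why the paper's concern with preserving evidence at the source still applies.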

Since Infrastructure as a Service in cloud computing uses virtualization, a method that combines VM images and traditional hard disk images into a virtual electronic evidence library system can make it easier for the investigator to obtain digital evidence; the researchers use the VM image as the key data in the cloud (Zhou, G., Cao, Q., & Mai, Y. (2011)). The main concern here is the transmission of the digital evidence, because we note that a secure method of data access is needed. Developing a Cloud Intrusion Detection and Prevention System could also be the best partner for the detection phase (Patel, A., Taghavi, M., Bakhtiyari, K., & Celestino Júnior, J. (2012)): it can reduce the percentage of successful attempts from outsiders, and by using autonomic computing, ontology, risk management and fuzzy theory it can detect incidents with a timely response. Specifying particular attack scenarios can also help servers shield themselves from becoming victims of bots and botnets (Choi, S. S., Chun, M. J., Lee, Y. S., & Lee, H. R. (2010)), for example by centralizing the attack into a sinkhole server that diverts it from the real server. This method can also be integrated with the detection phase of incident handling.
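To make the clustering and defence steps of the proposed framework concrete, the following Python is an added example (not the paper's implementation) that takes access, firewall and IDS lines already forwarded from the four simulated instances, groups them by originating address, labels each cluster with an incident type and proposes containment actions. The log formats (sshd, iptables-style and Snort-style lines), the instance addressing, the thresholds and the action strings are all constructed assumptions for the example; nothing is applied to a real system.

```python
"""Clustering logs forwarded from several IaaS instances into incidents by source address.

Added example, not code from the paper. The sshd, iptables-style and Snort-style
lines are constructed samples, the instance addressing and the thresholds are
assumptions, and the containment actions are returned as text for an operator
to review, not executed.
"""
import re
from collections import defaultdict

# (instance, log source, line) as received at the collector; constructed samples.
COLLECTED = [
    ("win2008", "firewall", "DROP SRC=203.0.113.7 DST=10.0.0.11 PROTO=TCP DPT=3389"),
    ("ubuntu", "access", "sshd[2203]: Failed password for root from 203.0.113.7 port 4122 ssh2"),
    ("ubuntu", "access", "sshd[2203]: Failed password for root from 203.0.113.7 port 4123 ssh2"),
    ("ubuntu", "access", "sshd[2204]: Failed password for admin from 203.0.113.7 port 4124 ssh2"),
    ("ubuntu", "access", "sshd[2210]: Accepted password for root from 203.0.113.7 port 4125 ssh2"),
    ("fedora", "firewall", "DROP SRC=10.0.0.14 DST=10.0.0.12 PROTO=TCP DPT=22"),
    ("suse", "firewall", "DROP SRC=10.0.0.14 DST=10.0.0.13 PROTO=TCP DPT=22"),
    ("suse", "ids", "[1:2001219:20] ET SCAN Potential SSH Scan [**] {TCP} 10.0.0.14:51220 -> 10.0.0.13:22"),
    ("fedora", "access", "sshd[913]: Accepted publickey for deploy from 10.0.0.5 port 51000 ssh2"),
]

# Assumed tenant addressing of the four simulated instances.
INSTANCE_IPS = {"win2008": "10.0.0.11", "fedora": "10.0.0.12", "suse": "10.0.0.13", "ubuntu": "10.0.0.14"}
FAILED_LOGIN_THRESHOLD = 3  # illustrative

PATTERNS = {
    "access": re.compile(r"(?P<result>Failed|Accepted) \w+ for (?P<user>\S+) from (?P<src>[\d.]+)"),
    "firewall": re.compile(r"DROP SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=\w+ DPT=(?P<dport>\d+)"),
    "ids": re.compile(r"\] (?P<sig>.+?) \[\*\*\].*?(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"),
}


def normalise(instance, source, line):
    """Reduce one raw line to a flat event dict that always carries a 'src' address."""
    m = PATTERNS[source].search(line)
    if not m:
        return None
    event = m.groupdict()
    event.update(instance=instance, source=source)
    return event


def cluster_events(collected):
    """Group every parsed event under the address that originated it."""
    clusters = defaultdict(list)
    for instance, source, line in collected:
        event = normalise(instance, source, line)
        if event:
            clusters[event["src"]].append(event)
    return clusters


def classify(src, events):
    """Name the incident type for one cluster, or None if nothing looks suspicious."""
    instances = sorted({e["instance"] for e in events})
    failed = sum(1 for e in events if e.get("result") == "Failed")
    accepted = any(e.get("result") == "Accepted" for e in events)
    drop_targets = {e["dst"] for e in events if e["source"] == "firewall"}
    ids_hits = [e for e in events if e["source"] == "ids"]
    internal = src in INSTANCE_IPS.values()
    if failed >= FAILED_LOGIN_THRESHOLD:
        kind = "brute_force_success" if accepted else "brute_force"
    elif internal and (len(drop_targets) > 1 or ids_hits):
        kind = "lateral_movement"  # one tenant VM probing its neighbours
    elif ids_hits or drop_targets:
        kind = "probe"
    else:
        return None
    return {"src": src, "type": kind, "instances": instances, "events": len(events)}


def containment_plan(incident):
    """Proposed actions to stop spread; returned for review, never applied here."""
    by_ip = {ip: name for name, ip in INSTANCE_IPS.items()}
    actions = []
    if incident["type"].startswith("brute_force"):
        actions.append("perimeter: deny all from %s" % incident["src"])
        if incident["type"] == "brute_force_success":
            actions += ["isolate %s and acquire volatile data" % i for i in incident["instances"]]
    elif incident["type"] == "lateral_movement":
        actions.append("quarantine instance %s (source %s)" % (by_ip.get(incident["src"], "unknown"), incident["src"]))
        actions += ["snapshot %s before eradication" % i for i in incident["instances"]]
    else:
        actions.append("watchlist %s" % incident["src"])
    return actions


def run(collected=COLLECTED):
    """Cluster, classify and attach a containment plan; incidents sorted by source address."""
    incidents = []
    for src, events in cluster_events(collected).items():
        incident = classify(src, events)
        if incident:
            incident["actions"] = containment_plan(incident)
            incidents.append(incident)
    return sorted(incidents, key=lambda i: i["src"])


if __name__ == "__main__":
    for inc in run():
        print(inc["type"], inc["src"], inc["instances"], inc["actions"])
```

On the constructed input this yields two incidents: an external address that brute-forced its way into the Ubuntu instance (with a firewall drop on the Windows instance from the same address), and the Ubuntu instance itself then probing SSH on Fedora and SUSE, which is exactly the spread the paper's defence step is meant to stop. The benign key-based login from 10.0.0.5 produces no incident.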

Conclusions

In a nutshell, existing studies on individual adoption have focused on the intention to use the existing incident handling frameworks in the cloud computing environment, while paying less attention to detecting incidents in real time without tampering by intruders and to the time consumed in obtaining and analysing the evidence (Martini, B., & Choo, K. K. R. (2012); Ruan, K., Carthy, J., Kechadi, T., & Crosbie, M. (2011)). This is evident in the current research context, where most of the studies explored have focused on the challenges of incident handling in the cloud computing environment (Wentao Liu (2012); Poisel, R., & Tjoa, S. (2012); Biggs, S., & Vidalis, S. (2009); Birk, D., & Wegener, C. (2011, May); Ruan, K., Carthy, J., Kechadi, T., & Crosbie, M. (2011)). The existing literature holds that there are a number of challenges in handling an incident in the cloud environment, in the legal, technical and organizational aspects (Grobauer, B., & Schreck, T. (2010, October); Zhou, G., Cao, Q., & Mai, Y. (2011); Ahmed, S., & Raja, M. Y. A. (2010, December); Birk, D., & Wegener, C. (2011, May)). However, not many studies have explored the effectiveness of transferring logs (event logs) from multiple sources, which is the most important part of the detection and analysis process (Marty, R. (2011)). Taylor, M., Haggerty, J., Gresty, D., & Lamb, D. (2011) identified that different sets of evidence have an impact on the amount of digital evidence available and the extent to which it will be acceptable in future legal proceedings. Marty, R. (2011) noted that data obtained from a live system might be subject to subversion by locally active malware or by an attacker. Guo, H., Jin, B., & Shang, T. (2012) observed that incident handling, especially detection and analysis, may be more complex when data is stored or processed in different jurisdictions on Internet-based cloud computing systems.

Thus, this research will address comprehensive incident handling in cloud computing, focusing on the detection and analysis process and in particular on capturing event logs from multiple sources.


