ABSTRACT
In the cybersecurity domain, the level of standardization and interoperability among cybersecurity products from different vendors, including open-source ones, is fairly low. Although understandable from a business perspective, this deficiency makes it difficult and expensive for analysts to put together custom solutions and to have visibility across their entire IT infrastructure. It also hampers the adoption of custom data analytics and AI solutions, and slows down the exchange of threat detection and mitigation solutions.
Recently, the Nugget domain specific language (DSL) has been proposed as a solution to the integration of digital forensics computations. The essential idea is to use a data flow language, somewhat similar to SQL, and an extensible run-time environment to decouple the specification of forensic computations from their implementation.
In this paper, we study the integration of Nugget with security monitoring tools; specifically, we integrate Google's GRR incident response framework and the de facto standard for log aggregation, Splunk. We demonstrate the utility of this type of standardization to both tool developers and end-user analysts/IT administrators. We discuss the potential implications of such a DSL becoming widely adopted across the entire domain of cybersecurity.
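As an added illustration (not code from the paper or from the Nugget project, and not Nugget's actual syntax), the Python sketch below shows the decoupling the abstract describes: a small pipe-separated data-flow query is parsed once, and each source name in it is resolved through a registry of back-end functions, so the analyst's query does not change when a back-end is swapped. The two back-ends, a `logs` source standing in for a Splunk-style search and a `files` source standing in for a GRR-style file listing, and all of their sample records are constructed here; the query grammar, the operator names (`where`, `select`, `count`) and every function name are assumptions of this example.

```python
"""Toy data-flow query language: specification (query text) is decoupled
from implementation (back-end functions registered by name)."""
from typing import Callable, Dict, Iterable, List

Record = Dict[str, object]
SourceFn = Callable[[Dict[str, str]], Iterable[Record]]

# Constructed sample data standing in for two monitoring back-ends.
SAMPLE_LOGS: List[Record] = [
    {"host": "ws01", "event": "login", "user": "alice", "status": "failure"},
    {"host": "ws01", "event": "login", "user": "alice", "status": "failure"},
    {"host": "ws02", "event": "login", "user": "bob", "status": "success"},
    {"host": "ws01", "event": "login", "user": "alice", "status": "success"},
]
SAMPLE_FILES: Dict[str, List[Record]] = {
    "ws01": [{"path": "/etc/passwd", "size": 2048}, {"path": "/tmp/x.sh", "size": 120}],
    "ws02": [{"path": "/etc/passwd", "size": 2049}],
}

# The extensible run-time: sources are looked up by the name used in the query.
SOURCES: Dict[str, SourceFn] = {}


def register_source(name: str):
    """Decorator that adds a back-end under a query-visible name (hypothetical API)."""
    def deco(fn: SourceFn) -> SourceFn:
        SOURCES[name] = fn
        return fn
    return deco


@register_source("logs")
def logs_source(args: Dict[str, str]) -> Iterable[Record]:
    """Stand-in for a Splunk search: key=value args narrow the result set."""
    return [r for r in SAMPLE_LOGS if all(r.get(k) == v for k, v in args.items())]


@register_source("files")
def files_source(args: Dict[str, str]) -> Iterable[Record]:
    """Stand-in for a GRR file listing, optionally limited to one host."""
    host = args.get("host")
    hosts = [host] if host else list(SAMPLE_FILES)
    return [dict(f, host=h) for h in hosts for f in SAMPLE_FILES[h]]


def parse(query: str) -> List[List[str]]:
    """Split 'source k=v | op args | ...' into a list of stages (tokens)."""
    return [stage.split() for stage in query.split("|")]


def _kv(tokens: List[str]) -> Dict[str, str]:
    return dict(t.split("=", 1) for t in tokens)


def run(query: str):
    """Evaluate a query: resolve the source, then apply each operator in order."""
    stages = parse(query)
    src, *src_args = stages[0]
    if src not in SOURCES:
        raise ValueError(f"unknown source {src!r}")
    records: List[Record] = list(SOURCES[src](_kv(src_args)))
    for op, *args in stages[1:]:
        if op == "where":  # keep records matching every key=value condition
            conds = _kv(args)
            records = [r for r in records
                       if all(str(r.get(k)) == v for k, v in conds.items())]
        elif op == "select":  # project onto the named fields
            records = [{k: r.get(k) for k in args} for r in records]
        elif op == "count":  # terminal operator: return a number, not records
            return len(records)
        else:
            raise ValueError(f"unknown operator {op!r}")
    return records


if __name__ == "__main__":
    print(run("logs status=failure | count"))
    print(run("logs | where host=ws01 status=success | select user"))
    print(run("files host=ws01 | where path=/tmp/x.sh | count"))
```

The same query text runs unchanged whichever implementation is registered under `logs` or `files`; replacing the constructed lists with real API calls is a change to the run-time only, which is the point the abstract makes about decoupling specification from implementation.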