Attack Graphs for Proactive Digital Forensics

1. Attack Graphs for Proactive Digital Forensics Tara L. McQueen Delaware State University Research Alliance in Math and Science Computational Sciences and Engineering Division Mentor: Louis P. Wilder http://wiki.ornl.gov/sites/rams09/t_mcqueen/Pages/default.aspx • Purpose • Increase cyber security and protection • Identify possible cyber attacks as they occur • Examine Universal Serial Bus (USB) exploits • Create attack graph of USB exploit • Explore event logs and registry data • Investigate theoretical proactive design • Splunk • Analyzes/monitors IT infrastructure • Records and indexes data • Logs • Configurations • Scripts • Alerts • Messages • Operates in real-time • Search, navigate, graph and report data • Attack Graphs • Communicate information about threats • Display combinations of vulnerabilities • Show vulnerabilities as vertices • Express hierarchical constraints via edges • USB Exploits • Take milliseconds to initiate (in and out) • Collect confidential documents • Send worm through network • Execute applications automatically • Easy to develop, retrieve and unleash • Occur unknowingly • Cyber Security • Maintaining confidentiality, availability and access of information • Identifying legitimate • Users • Requests • Tasks • Preserving information integrity • Mending network vulnerabilities Fig. 3 Splunk • Theoretical Proactive Design • All computers/nodes on network use Splunk • Splunk’s additional behavior configurations stem from • attack graphs • Attack graphs designed for all known exploits • Plug-in device triggered • Real-time alerts sent after trigger • Instant in depth recording of “suspicious” activity USB Exploit Attack Graph • Cyber Protection • Growing need as fraudulent activity increases • Affecting industries dependent on • Networks • Computer Systems • Internet • Hacking • Gaining unauthorized • Access • Control • Data • Using technical knowledge and exposed information • Cleaning tracks • Preventing is difficult and expensive Fig. 4 Proactive Digital Forensic Design • Splunk with Attack Graphs • Targets specific attacks paths • Allows unlimited attack types • Provides systematic and • proactive approach Fig. 1 USB exploit attack graph • Event logs and Registry • Standard on Windows • Monitors events • Application • Security • System • Identifies operations and information • Essential for Attack Graph • Proactive Digital Forensics • Anticipating hacker/exploit path • Detecting hacker/exploit in progress • Collecting proper data immediately for judicial efforts • Enhancing security • Future work • Create plug-in • Implement design on test network • Run trial exploit • Research and prepare other exploits/attacks Fig. 2 Windows XP Event Viewer The Research Alliance in Math and Science program is sponsored by the Office of Advanced Scientific Computing Research, U.S. Department of Energy. The work was performed at the Oak Ridge National Laboratory, which is managed by UT-Battelle, LLC under Contract No. De-AC05-00OR22725. This work has been authored by a contractor of the U.S. Government, accordingly, the U.S. Government retains a nonexclusive, royalty-free license to publish or reproduce the published form of this contribution, or allow others to do so, for U.S. Government purposes. I would like to thank Louis P. Wilder and Dr. Joseph Trienfor the opportunity to work on this projectand for their continued support.