CyberCrime Investigator: Forensic Use of SIEM Tools
Wikipedia states that Network Forensics is “…proven techniques to collect, fuse, identify, examine, correlate, analyze, and document digital evidence from multiple, actively processing and transmitting digital sources for the purpose of uncovering facts related to the planned intent, or measured success of unauthorized activities meant to disrupt, corrupt, and or compromise system components as well as providing information to assist in response to or recovery from these activities…”
This business case requires a number of different tools, the most important of which is an enterprise-class Security Information and Event Management (SIEM) tool, which becomes the epicenter of all investigations and workflow. The SIEM must have some mandatory features which I will cover later in this article. But first, I would like to tell you how it’s done without SIEM.
In a previous job as a Network Security Specialist, I was in charge of tapping the wire for employee investigations and handling the data with chain-of-custody. This served as a daunting task as I would start my data captures with Open-Source software and use the spread-sheet kung-fu method of mapping all of the user activity and log data into digitally-signed archives, pending possible litigation. I established all of the guidelines and processes with support from our Legal and Corporate Fraud teams and built the procedures around the following processes:
Request and Triage of Investigations – HR managers requesting employee investigations filled out an online web form that would email the Security Operations Strategy (SOS) team and CC’d HR VPs, requesting their approval before any investigations were started.
- Classification – The SOS team determined the classification of the investigation and each classification had a protocol of what methods of surveillance would be used during the investigation. The classification of corporate investigations were: Employment Fraud (EF), Resource Misconduct (RM), Policy Violations (PV), Anonymous Electronic Abuse (AEA), Counter-Surveillance (CS), Employee Sabotage (ES), Property Theft (PT), Data Leakage (DL) and Network Behaviour Anomaly (NBA).
- Legal Approval – Law enforcement involvement (especially with AEA and PT), Privacy concerns, possible litigation and SOS procedures were discussed with corporate Legal liaison versed in Canadian Cyber-Law who provided written approval to proceed. If law enforcement was required they were contacted prior to the investigation to manage the intercept and chain-of-custody.
- Preparation – The first step in the SOS surveillance was to understand the employees profile: manager, department, workstation ID, roles and responsibilities, work hours, collaborators, network behaviour, HR record, past employment and whether they have been investigated for any misconduct in the past. This information was used to establish how and when we were going to intercept their network activity. This was usually done with an interview of both their HR representative and their manager.
- Collection of Evidence – Once I had classified the investigation and profiled an employee for surveillance I would determine the control point and demarcation for interception. I had Snort probes that only the SOS team could access spanned of off 6 strategic cores through the global network and I had templates for signatures based on the various classifications. In some cases I visited employees workstations at 2 in the morning to install a wireless hardware-based keylogger plug, especially if we wanted to intercept encrypted communications.
- Analysis – Massive volumes of data would be collected (especially with payload dumps) and I used traditional bash tools (GREP, AWK, SED), MySQL, BASE and spreadsheets to conduct static analysis and I would document every step taken and then establish and maintain a chain-of-custody which included encrypting the data and digitally signing the archives, which would then be placed on a protected network share. All final reports and supporting documentation would be digitally signed as well.
- Reporting – The final report would be emailed with encryption to the investigation team as a digitally-signed PDF and then a final meeting will be conducted to orally report my findings.
- Testimony – In some cases, I was interviewed by law enforcement to provide a statement (never had to go to court) and in most cases I was present during the meeting with the suspected employee to provide testimony on how the investigation was conducted, so as to differ any doubts or attempts to call HR’s bluff.
What SIEM offers:
- Focus on Network Forensic and Digital Surveillance use cases with event sources such as WireShark, Ettercap, Snort, Firewalls, Netflow, Niksun, HoneyNet, Network Flight Recorder, Sourcefire RNA, NetScout, dSniff and tcpdump (to name a few).
- Conventional analysis console tools such as ping, nslookup, whois, etc and the ability to integrate with packet capture, vulnerability scanners and third-party forensic tools for “on-demand” tools that will allow an investigator to easily capture all network traffic and supporting recon for any IP, hostname, username or network service.
- Ability to capture audit data from a wide range of network devices, databases, applications and even physical access devices with the ability to integrate with any unsupported devices using an easy to use API.
- Unified graphical interface features such as Google-like forensic queries of terabytes worth of log data, graphical archive restoration tool, and real-time capture, monitoring and reporting to support Lawful Intercept.
- Integrated case management with optimized storage for case attachments.
- Secure workflow allows annotation, alerts and case routing to supporting technology teams without compromising investigation details.
- Graphical log data extraction, allowing investigators to restore case event and annotation data as well as download and view all case attachments.
- Localization with RBAC associated with a user in a region and automatic enforcement of local privacy laws that are listed in a knowledgebase.
- System supports Role-Based Access Control (RBAC), checksums / hashing / field-based obfuscating / Chain-of-Custody / digital signing / separation of duties.
- Lawful Intercept device is true “blackbox” that can only be managed via SSL certificate and can receive, tap and aggregate payload capture and usually placed in demarcations and “sinkholes”.
Only one solution comes to mind that can do all of these things from within the same analysis console – but I am trying to keep this blog generic and non-biased. Email me if you want to know more about the ultimate SIEM tool – netcerebral(at)gmail(dot)com.