What is it about?
This study (1) surveyed technology trends in cyber incident response technologies such as SIEM [4] and CTI (Cyber Threat Intelligence) [5], (2) examined the data enrichment performed in existing frameworks and technologies, (3) comparatively analysed the data supplementation process applied to the existing SIEM framework, and (4) proposed the use of the improved incident analysis framework prototype in future design and implementation work. The reliability of the digital-forensics-based cyber incident analysis process is expected to improve further when an intelligent cyber attack occurs on a heterogeneous network.
Why is it important?
Security threats spread more rapidly in large-scale networks, and new threats are constantly being discovered. As the number of mobile users, remote locations, and network access devices grows, the number of endpoint network entry points (edge nodes) is also rising rapidly. In particular, the number of security vulnerabilities in a large-scale network increases as new devices such as IoT devices are connected and new applications are interworked, which is the root cause of new types of attacks.
Perspectives
This study analysed the commonalities and singularities of the data reinforcement process performed by TheHive, Splunk, and Elastic security systems, respectively, and comprehensively analysed the data reinforcement properties of each of the eight frameworks. Identification/filtering and extraction were performed on artifacts collected from various endpoints and devices, and the data enrichment process was applied to carry out the improved artifact analysis process. Through this, digital evidence could finally be acquired and digital forensic analysis results generated. After selecting the artifact collection targets, data enrichment was performed on the artifacts (centred on non-volatile artifacts) collected from various devices and endpoints. Pre-processing/normalization was then performed on each data field by applying feature engineering. After extracting the main fields targeted by data enrichment, the data enrichment modelling process was carried out. On this basis, a prototype was designed and implemented so that the extended elements required by the incident management framework can be extracted, created, and accumulated in the form of JSON-based metadata.
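The pipeline described above (collect artifacts, normalize fields, extract the fields that drive enrichment, attach CTI context, emit JSON metadata) as an added Python example; this is not the paper's prototype, and the artifact records, indicator tables and field names are all constructed for illustration.

```python
import json
from datetime import datetime, timezone
# Constructed artifacts (an NTFS file entry plus two proxy-log lines) as they
# might be collected from different endpoints; every value here is made up.
RAW_ARTIFACTS = [
    {"source": "mft", "host": "ws-01", "ts": "2023-02-10 08:15:02",
     "path": "C:\\Users\\a\\Downloads\\inv.exe", "sha256": "AB12CD34"},
    {"source": "proxy", "host": "ws-01", "ts": "2023-02-10T08:16:40Z",
     "dst_ip": "203.0.113.7", "url": "http://203.0.113.7/u"},
    {"source": "proxy", "host": "ws-02", "ts": "2023-02-10T09:00:01Z",
     "dst_ip": "198.51.100.9", "url": "http://198.51.100.9/"},
]
# Constructed stand-ins for a CTI feed (hash and IP indicators with context).
CTI_HASHES = {"ab12cd34": {"family": "example-dropper", "confidence": 80}}
CTI_IPS = {"203.0.113.7": {"tag": "c2", "confidence": 70}}

def normalize_ts(raw):
    """Normalize both timestamp layouts seen above to UTC ISO-8601."""
    for fmt in ("%Y-%m-%d %H:%M:%S", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(raw, fmt).replace(tzinfo=timezone.utc).isoformat()
        except ValueError:
            continue
    raise ValueError(f"unrecognized timestamp: {raw!r}")

def extract_fields(artifact):
    """Pre-process/normalize fields and keep the keys that drive enrichment."""
    fields = {"host": artifact["host"], "source": artifact["source"],
              "ts": normalize_ts(artifact["ts"])}
    if "sha256" in artifact:
        fields["sha256"] = artifact["sha256"].lower()  # case-normalize hashes
    if "dst_ip" in artifact:
        fields["dst_ip"] = artifact["dst_ip"]
    return fields

def enrich(fields):
    """Attach CTI context to the extracted keys; unknown values stay unlabelled."""
    ctx = {}
    if fields.get("sha256") in CTI_HASHES:
        ctx["hash_intel"] = CTI_HASHES[fields["sha256"]]
    if fields.get("dst_ip") in CTI_IPS:
        ctx["ip_intel"] = CTI_IPS[fields["dst_ip"]]
    return {**fields, "enrichment": ctx, "matched": bool(ctx)}

def build_metadata(artifacts=RAW_ARTIFACTS):
    """Run the pipeline and return JSON-serialisable metadata records."""
    return [enrich(extract_fields(a)) for a in artifacts]

if __name__ == "__main__":
    print(json.dumps(build_metadata(), indent=2))
```

The third record shows the failure mode that matters in practice: an artifact with no indicator match is still normalized and kept, with an empty enrichment block, rather than being dropped from the metadata store.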
Hyung-Woo Lee
Hanshin University
This page is a summary of: Analysis of Digital Forensic Artifacts Data Enrichment Mechanism for Cyber Threat Intelligence, February 2023, ACM (Association for Computing Machinery),
DOI: 10.1145/3587828.3587857.