Forensic Analysis of Advanced Persistent Threat Attacks in Cloud Environments
Changwei Liu, Anoop Singhal, Duminda Wijesekera
Because of increasing cyber-activity and the diverse devices offered in cloud environments, post-attack cloud forensic investigations must deal with data of diverse formats and quantities from emerging attackable interfaces. Forensic investigation in a cloud environment involves filtering out noisy data and applying expert knowledge to reconstruct missing attack steps, because the recoverable evidence, in particular that of advanced persistent threat (APT) attacks that span a long time, is often disorganized and incomplete. We show how MITRE's ATT&CK framework and Lockheed Martin's cyber kill chain can be used to identify forensically valuable data and to aggregate and correlate it into attack steps. ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations and commonly used to emulate cyber-attacks, which makes it a good tool for post-attack analysis that identifies evidence. Because most APT attacks on cloud systems consist of successful reconnaissance, command and control communication, privilege escalation, lateral movement through the network and exfiltration of confidential information, which are also the key phases of a cyber kill chain, we investigate using cyber kill chains to organize the evidence and construct the attack steps.
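The following is an added example, not code from the paper, that sketches the workflow the abstract describes: filter noise out of recovered cloud log records, correlate the remaining records into an attack chain by shared assets, order them along the kill-chain phases named above, and report the phases for which no evidence survived (the steps an analyst must fill in with expert knowledge). The ATT&CK technique IDs are real identifiers; the mapping of each technique to a phase, the evidence records and the host and address names are all constructed for this example.

```python
"""Organize recovered cloud evidence into kill-chain ordered attack steps.

Added example, not code from the paper. Each evidence record is assumed to
already carry the ATT&CK technique ID an analyst assigned to it; the phase
list follows the phases the abstract names, and the technique-to-phase
mapping is this example's own assumption.
"""
from datetime import datetime

# Phases the abstract lists as the key stages of an APT on a cloud system,
# in kill-chain order.
PHASES = ["reconnaissance", "command_and_control", "privilege_escalation",
          "lateral_movement", "exfiltration"]

# Real ATT&CK technique IDs; the phase each is assigned to is an assumption.
TECHNIQUE_TO_PHASE = {
    "T1595": "reconnaissance",          # Active Scanning
    "T1071": "command_and_control",     # Application Layer Protocol
    "T1068": "privilege_escalation",    # Exploitation for Privilege Escalation
    "T1021": "lateral_movement",        # Remote Services
    "T1041": "exfiltration",            # Exfiltration Over C2 Channel
}

# Constructed evidence standing in for records pulled from cloud audit and
# flow logs. 'technique' is None where the analyst found nothing attack-related.
EVIDENCE = [
    {"ts": "2020-01-03T02:10:00Z", "src": "203.0.113.7", "dst": "web-01",
     "technique": "T1595", "detail": "port sweep from external address"},
    {"ts": "2020-01-03T02:15:00Z", "src": "10.0.3.4", "dst": "build-07",
     "technique": None, "detail": "scheduled backup job"},
    {"ts": "2020-01-03T02:40:00Z", "src": "web-01", "dst": "198.51.100.9",
     "technique": "T1071", "detail": "HTTPS beacon every 60 s"},
    {"ts": "2020-01-03T02:50:00Z", "src": "10.0.9.1", "dst": "web-01",
     "technique": None, "detail": "load balancer health check"},
    {"ts": "2020-01-03T03:05:00Z", "src": "web-01", "dst": "db-02",
     "technique": "T1021", "detail": "SSH session as svc_backup"},
    {"ts": "2020-01-03T03:30:00Z", "src": "db-02", "dst": "198.51.100.9",
     "technique": "T1041", "detail": "4.2 GB sent over the existing C2 channel"},
    {"ts": "2020-01-03T04:00:00Z", "src": "198.51.100.22", "dst": "mail-03",
     "technique": "T1595", "detail": "SMTP banner grab"},  # unrelated scan
]


def filter_noise(records):
    """Drop records with no attack-relevant technique ID."""
    return [r for r in records if r["technique"] in TECHNIQUE_TO_PHASE]


def correlate(records):
    """Group records into attack chains by shared hosts and addresses.

    Records are walked in time order; a record joins a chain when its source
    or destination is already an asset of that chain, otherwise it starts one.
    """
    chains = []
    ordered = sorted(records, key=lambda r: datetime.fromisoformat(
        r["ts"].replace("Z", "+00:00")))
    for r in ordered:
        for chain in chains:
            if r["src"] in chain["assets"] or r["dst"] in chain["assets"]:
                chain["records"].append(r)
                chain["assets"].update((r["src"], r["dst"]))
                break
        else:
            chains.append({"assets": {r["src"], r["dst"]}, "records": [r]})
    return chains


def attack_steps(chain):
    """The chain's evidence as (phase, technique, ts, detail), in time order."""
    return [(TECHNIQUE_TO_PHASE[r["technique"]], r["technique"], r["ts"], r["detail"])
            for r in chain["records"]]


def missing_phases(chain):
    """Phases with no recovered evidence: the steps expert knowledge must fill in."""
    seen = {TECHNIQUE_TO_PHASE[r["technique"]] for r in chain["records"]}
    return [p for p in PHASES if p not in seen]


def out_of_order(chain):
    """Steps whose phase comes earlier in the kill chain than a preceding step.

    Such records point to timestamp skew across log sources or to a second
    intrusion, both worth a closer look before the timeline is finalized.
    """
    flagged, furthest = [], -1
    for step in attack_steps(chain):
        idx = PHASES.index(step[0])
        if idx < furthest:
            flagged.append(step)
        furthest = max(furthest, idx)
    return flagged


if __name__ == "__main__":
    for n, chain in enumerate(correlate(filter_noise(EVIDENCE)), 1):
        print(f"chain {n}: assets={sorted(chain['assets'])}")
        for phase, tech, ts, detail in attack_steps(chain):
            print(f"  {ts} {phase:<20} {tech} {detail}")
        print("  missing phases:", missing_phases(chain))
        print("  out of order:", out_of_order(chain))
```

On the constructed input the first chain runs reconnaissance, command and control, lateral movement and exfiltration with no privilege escalation evidence, which is exactly the kind of gap the abstract says an investigator has to close from expert knowledge; the lone banner grab against mail-03 shares no asset with that chain and so stays separate rather than being folded into the timeline.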
Advances in Digital Forensics XVI
January 6-8, 2020
New Delhi, India
Sixteenth IFIP 11.9 International Conference on Digital Forensics
Liu, C., Singhal, A. and Wijesekera, D., Forensic Analysis of Advanced Persistent Threat Attacks in Cloud Environments, Advances in Digital Forensics XVI, New Delhi, India, [online], https://doi.org/10.1007/978-3-030-56223-6_9 (Accessed May 14, 2021)