7
Category 4—Deterring Would-Be Attackers and Penalizing Attackers
The goal of requirements in Category 4 (Deterring would-be attackers and penalizing attackers) is to deter would-be attackers from taking actions that could result in the compromise of a system or network and to penalize attackers who do take such actions. This broad category in the committee's illustrative research agenda includes legal and policy measures that could be taken to penalize or impose consequences on cyberattackers, along with technologies that support such measures. In principle, this category could also include technical measures to retaliate against a cyberattacker.
The rationale for this category is that in the absence of legal, technical, economic, or other punitive measures against attackers, would-be attackers have few incentives to refrain from launching attacks. (The same rationale applies, of course, in the physical world, where would-be criminals are deterred from criminal activity by the threat of punishment and consequence.) In a penalty-free world, an attacker pays no penalty for failed attacks and can therefore continue attacking until he or she succeeds or quits.
Research in this category thus serves two important and complementary goals. First, such research seeks to develop more effective methods for imposing some kind of penalty on attackers, whether or not they have been successful in their attacks. Second, the availability of such methods increases the likelihood that an attacker will in fact suffer a penalty for hostile actions, and thus presumably decreases the likelihood that a would-be attacker will initiate such actions. With fewer attackers, the cybersecurity task becomes easier to undertake.
A key requirement of deterrence is that penalties be directed at the proper party. Category 2 (Enabling accountability) research supports this goal by focusing on ways to ensure that actions in cyberspace can be associated with specific actors, but that research does not presume that actors will seek to conceal their actions. Malefactors in cyberspace usually will seek to do so, and thus investigators and other interested parties will need forensic tools that allow them to re-establish any deliberately broken bindings between actions and identity.
The following discussion presents illustrative topics within this category.
7.1
LEGAL ISSUES RELATED TO CYBERSECURITY
As noted above, cybersecurity is not just a technical domain. In cybersecurity, as in other areas of life in which security concerns arise, it is not unreasonable to conclude that the tools available to promote and enhance cybersecurity should include a legal dimension. For example, consider the notion of recourse for victims of cybercrime. In most areas other than those involving cyberspace, individuals who are victims of criminal activity can appeal to law enforcement and the courts to punish the perpetrators. But a victim of cybercrime—whether a private citizen, a business, or an organization—often or even usually has little practical recourse.
In principle, of course, cyberattackers can be held accountable for actions that cause harm in cyberspace through criminal or civil penalties. Such action requires a good characterization of what constitutes behavior that warrants criminal penalties, as well as the ability to identify the party responsible (see Section 5.1) and a legal framework that enables prosecutions to take place across all of the political boundaries that may have been crossed in the course of the punishable misbehavior. Many cybercrime perpetrators are outside of U.S. jurisdiction, and the applicable laws may not criminalize the particulars of the crime perpetrated. Even if they do, logistical difficulties in identifying the perpetrator across national boundaries may render him or her practically immune to prosecution.
Harmonization of national laws (as provided for in the 2001 Council of Europe Convention on Cybercrime) is a good first step toward ensuring the availability of recourse, but there remains substantial legal and policy research to further the cause of harmonization more broadly and to reduce the logistical difficulties entailed in tracking, identifying, and prosecuting cybercriminals across national boundaries. Considerable efforts are underway today at the regional intergovernmental and international governmental level, as discussed in "The International Landscape of Cyber Security."1
A second example involves relationships between law enforcement and technology and service vendors. Internet service providers (ISPs) are used by cybercriminals as conduits for their crimes (and sometimes ISPs are willing accomplices). However, law enforcement authorities often have little leverage to persuade or compel ISPs to cut off access to suspicious users or to supply provenance or trace data for forensic examination. From a law enforcement perspective, the data-retention practices of most ISPs are inadequate to support investigative needs. However, granting law enforcement additional authority to compel various kinds of cooperation from ISPs (e.g., to enforce longer data-retention periods) has implications for civil liberties and is thus controversial. Legal, policy, and technical research is needed to find ways to protect due process and civil liberties without placing undue barriers in the way of legitimate law enforcement activities.
7.2
HONEYPOTS
The term honeypot in computer security jargon refers to a machine, a virtual machine, or other network resource that is intended to act as a decoy or diversion for would-be attackers. A honeynet is a collection of honeypots on a network. Honeypots and honeynets intentionally contain no real or valuable data (and hence receive no legitimate traffic) and are kept separate from an organization's production systems. Indeed, in most cases, systems administrators want attackers to succeed in compromising or breaching the security of honeypots to a certain extent so that they can log all the activity and learn from the techniques and methods used by the attacker. This process allows administrators to be better prepared for attacks on their real production systems. Honeypots are very useful for gathering information about new types of attacks, new techniques, and the ways in which worms and other malicious code propagate through systems, and they are used as much by security researchers as by network security administrators.
Honeypots are usually of two main types: (1) a more basic, "low-interaction" implementation that emulates or gives the appearance of a real system or real machines; or (2) a more complex, "high-interaction" system containing real tools and applications designed to gather as much information about attacker activity as possible.2 Honeypots of the first type can be quite simple to install and manage, although the information they provide on attackers may be limited, and the honeypot itself may be more susceptible to discovery by a skilled attacker. Honeypots of the second type are considerably more complicated, requiring much more skill to set up and manage, but the information they can glean about attackers and their techniques is correspondingly richer, and their true nature may be more difficult for attackers to discover.
There are also other, more focused types of honeypots. For example, spam honeypots—basically, vulnerable mail servers set up to attract the notice of those sending out illegitimate e-mail—have been quite useful in helping administrators generate spam “blacklists” for their own real mail servers. Wireless honeypots have also proven useful in detecting and learning from how attackers exploit wireless resources.
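A low-interaction honeypot of the kind described above can be sketched in a few lines. The sketch below is a minimal illustration, not any particular honeypot product: the decoy SSH banner, the log format, and the single-connection design are all invented for this example.

```python
# Minimal sketch of a "low-interaction" honeypot: a fake network service
# that presents a plausible banner, records whatever the connecting party
# does, and never touches production systems. All specifics here (banner,
# log fields) are illustrative assumptions.
import datetime
import socket

BANNER = b"SSH-2.0-OpenSSH_4.3\r\n"  # decoy banner; version string is illustrative

def serve_once(ready, log, host="127.0.0.1"):
    """Accept one connection on an OS-chosen port; any contact is suspect."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, 0))                  # port 0: let the OS pick a free port
        srv.listen(1)
        ready["port"] = srv.getsockname()[1]
        ready["event"].set()                 # signal that the trap is armed
        conn, addr = srv.accept()
        with conn:
            conn.sendall(BANNER)             # bait: look like a real service
            conn.settimeout(5.0)
            try:
                data = conn.recv(1024)       # capture the visitor's first move
            except socket.timeout:
                data = b""
            log.append({"time": datetime.datetime.utcnow().isoformat(),
                        "src": addr[0],
                        "first_bytes": data})
```

In a real deployment the honeypot would record the full interaction rather than only the first bytes, and would sit on an address that attracts no legitimate traffic, so that every connection is, by construction, suspicious.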
Another useful tool along these lines is the honeytoken. A honeytoken, like a honeypot, has no legitimate purpose other than to uncover illegitimate activity, so any use or access of a honeytoken can be considered suspicious. For example, consider the following scenario:
A bogus medical record called “John F. Kennedy” is created and loaded into the database. This medical record has no true value because there is no real patient with that name. Instead, the record is a honeytoken…. If any employee is looking for interesting patient data, this record will definitely stand out. If the employee attempts to access this record, you most likely have an employee violating patient privacy [policies].3
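The monitoring logic implied by this scenario is simple enough to sketch. The audit-log shape below (user, record-name pairs) is a hypothetical simplification invented for the example; the decoy record name follows the quoted scenario.

```python
# Sketch of honeytoken monitoring: the decoy record has no legitimate use,
# so any access to it is grounds for an alert. The audit-log format is a
# hypothetical simplification.
HONEYTOKENS = {"John F. Kennedy"}  # decoy record names seeded into the database

def flag_honeytoken_access(audit_log):
    """Return the audit entries that touched a honeytoken record.

    audit_log: iterable of (user, record_name) access events.
    """
    return [(user, record) for user, record in audit_log
            if record in HONEYTOKENS]
```

Given the events [("alice", "Jane Doe"), ("mallory", "John F. Kennedy")], only the second would be flagged; the strength of the technique is that no further analysis is needed to justify suspicion.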
In any case, just as systems administrators and researchers learn about attackers from honeypots, attackers themselves can learn how to detect honeypots and honeynets as well, thereby avoiding them and maintaining some secrecy regarding the techniques they use. Indeed, one recent paper on the subject likens the relationship between attackers and honeypot administrators to a continual arms race.4 As one can imagine, as soon as an attacker determines that he or she is actually working with a honeypot, useful interactions are likely to cease. However, even then, researchers and administrators can learn things about how the attacker
discovered the nature of the honeypot and how the attacker might try to hide his or her tracks (e.g., altering log files, attempting to damage or crash the honeypot, and so on).

2. For additional information on the variety of honeypots in use today and related issues, see the Honeynet Project's home page at http://www.honeynet.org/.
3. Lance Spitzner, "Honeytokens: The Other Honeypot," SecurityFocus, July 7, 2003; available at http://www.securityfocus.com/infocus/1713.
4. Thorsten Holz and Frederic Raynal, "Detecting Honeypots and Other Suspicious Environments," Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, N.Y., June 15-17, 2005.
One significant open question with honeypots and honeynets (indeed, this is a broader question within cybersecurity itself) is whether or not one should use honeypot-type resources to strike back at or otherwise affect the resources of an attacker.5 (This point is discussed further in Section 9.4, Cyber-Retaliation.) In many cases, administrators could use information learned through an attacker’s interaction with a honeypot to lessen the danger that the attacker poses to real systems or other machines in the future (e.g., either by “hacking back” at the attacker or even removing or crippling zombie software from the attacking machine).
Another question for some in the computing community involves the ethics of deploying and using honeypots—some consider it a form of entrapment (although U.S. law would seem to argue otherwise).6
7.3
FORENSICS
Cyberforensics involves the science and technology of acquiring, preserving, retrieving, and presenting data that have been processed electronically or have been stored in electronic form.7 Forensic identification is a necessary (though not sufficient) condition for prosecution of, or retaliation against, parties that take harmful actions. (An essential complement to forensic identification is the existence of a legal framework that allows actions to be taken against cyberattackers; both are foundational elements in a strategy of deterrence that complements defense in supporting cybersecurity.)
Forensics is necessary because, among other things, attackers often seek to cover their tracks. For example, mechanisms for providing provenance (see Chapter 5, “Category 2—Enabling Accountability”) are unlikely to work perfectly, suggesting that after-the-fact identification of a perpetrator may be necessary (and may in fact be a somewhat easier task than undertaking real-time identification).
5. For more perspective on passive versus active defense, see National Research Council, Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, Washington, D.C., 1999, p. 143; available at http://newton.nap.edu/html/C4I/.
6. See Michelle Delio, "Honeypots: Bait for the Cracker," Wired News, March 7, 2001; available at http://www.wired.com/news/culture/0,1284,42233,00.html.
7. Michael G. Noblett, Mark M. Pollitt, and Lawrence A. Presley, "Recovering and Examining Computer Forensic Evidence," Forensic Science Communications, October 2000, Vol. 2, No. 4; available at http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm.
Much of the cyberforensics field has developed largely in response to demand from the law enforcement community, which must deal with the reality that criminals, like the rest of society, are making more effective and more extensive use of information technology. Indeed, greater societal use of information technology has expanded the scope of possible opportunities for criminals.
In 1984, the Federal Bureau of Investigation established its Computer Analysis and Response Team to address the needs of investigators and prosecutors to examine computer evidence in a structured and programmatic manner. What was then called computer forensics has evolved to include any evidence in digital form (e.g., audio, video, and data) from digital sources (e.g., computers, faxes, cellular telephones, and so on).8 Digital forensics is now an integral part of legal investigations, with widespread recognition of its growing importance occurring during the 1990s.9
The support for forensic analysis provided by federal agencies such as the Department of Justice and the National Institute of Standards and Technology (NIST) is further recognition of its growing importance. For instance, NIST now maintains the National Software Reference Library, which consists of a collection of digital signatures of known, traceable software applications. By comparing any given file's signature to this collection, investigators can determine whether that file is already known; if so, it need not be collected as evidence.10 NIST's Computer Forensics Tool Testing Program seeks to ensure that computer forensic tools produce consistent, accurate, and objective results.11
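The known-file filtering that the National Software Reference Library supports can be sketched as follows. This is an illustrative reimplementation, not NIST code: a real investigation would compare against the published NSRL reference data sets rather than a locally built hash set, and the choice of SHA-1 here simply mirrors one of the algorithms those sets provide.

```python
# Illustrative sketch of NSRL-style "known file" triage: hash each file and
# set aside those whose digests appear in a reference set of known,
# traceable software, since such files need not be collected as evidence.
import hashlib

def file_digest(path, algo="sha1"):
    """Hash a file in chunks so large evidence files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(8192), b""):
            h.update(chunk)
    return h.hexdigest()

def triage(paths, known_hashes):
    """Split paths into (known, unknown) by reference-set membership."""
    known, unknown = [], []
    for path in paths:
        (known if file_digest(path) in known_hashes else unknown).append(path)
    return known, unknown
```

The payoff is data reduction: on a seized disk, the bulk of the files are unmodified operating-system and application components, and filtering them out lets examiners concentrate on the residue.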
Cyberforensics research has moved beyond the initial focus on law enforcement and digital evidence for use in criminal prosecution to include military and business operations. For instance, business needs include forensics for purposes of the investigation of employee wrongdoing and the protection of intellectual property. Practitioners in these areas have different primary objectives (although they may share prosecution as a secondary objective), which affect their analysis and decision-making processes and also affect their perspectives about requirements
for digital forensic research.12 Meeting statutory standards for evidence creates criteria different from those for producing results in the shortest possible time so that they can be acted on to maintain operations and availability of service, and to protect assets. Moreover, cyberforensics requirements will likely evolve over time, along with the increasingly pervasive use of IT.

8. Carrie Morgan Whitcomb, "An Historical Perspective of Digital Evidence: A Forensic Scientist's View," International Journal of Digital Evidence, Spring 2002, Vol. 1, No. 1.
9. George Mohay, "Technical Challenges and Directions for Digital Forensics," Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE'05), IEEE Computer Society, 2005.
10. A description of the National Software Reference Library is available at the program Web site: http://www.nsrl.nist.gov/.
11. See the Computer Forensics Tool Testing Program Web site for details: http://www.cftt.nist.gov.
One recent example of new forensic requirements is in corporate governance to meet regulatory requirements such as those imposed by the Sarbanes-Oxley Act of 2002.13 Another factor affecting research requirements is the temporal environment required for forensic analysis—whereas law enforcement’s primary focus is on after-the-fact forensics, military and business operations often need real-time or near-real-time forensics. Cyberforensics research must necessarily cover the broad scope of problems that arise from this wide range of requirements.
One working definition of digital forensic science, which reflects this broad scope, was offered by the 2001 Digital Forensic Research Workshop: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”14
Formalization of the field as the scientific discipline of digital forensic science is still in the early stages, with one of the first formal research papers in the field appearing in 1992.15 A recent needs analysis survey that focused on law enforcement requirements notes that the national and international judiciary has begun to question the scientific validity of the ad hoc procedures and methodologies applied to digital forensics and is increasingly demanding proof of theoretical foundation and scientific rigor.16 This foundation is required in order to mandate and interpret the standards applied to digital evidence and to establish the qualifications of digital forensics professionals through a certification process.17 Military and business forensics needs range across a broad spectrum, from traffic analysis tools and instrumentation of embedded systems to handling massive data volume and network monitoring, and they require a similar foundation to deal with increasing complexity and broader application.18
The embedding of computational resources in other devices, for instance, seems likely to increase both the complexity of digital forensics and the extent of its usefulness. Two examples are the recovery and reconstruction of detail from Global Positioning System units built into cars to determine the recent movements of a suspect automobile, and the recovery of phone books, notes, and call information from cellular telephones. Accordingly, a number of research areas within this expansive view of digital forensics have been identified:19
- Building a framework for digital forensic science. This research area includes three elements: definitional work to provide a lexicon with clear terminology, a useful process model for the digital investigation process, and the development of an understanding of the academic and vocational expertise necessary, followed by curriculum development. For example, several models have been developed with increasing levels of abstraction and generalization of the digital investigation process.20 Definitional work has progressed in the form of ontological models for defining layers of specialization across the areas employing forensic analysis, identifying the necessary elements of a certification process, and domain-specific educational requirements.21
- Issues of integrity in digital evidence. This research would address the need to ensure the integrity of digital evidence, which is inherently fragile and almost always suspect. Several important legal issues arise when seeking to submit digital evidence, affecting whether and what is admissible in court.22 These include establishing authenticity, demonstrating the absence of tampering in all of the systems through which the evidence has passed, establishing the reliability of computer-generated records (e.g., ruling out the possibility that the same digital signature could have resulted from different texts), and establishing authorship. Legal distinctions also arise with differences between human-entered data and computer-generated data. Specific research areas include the development of antitampering methods, the creation of baseline standards of correctness in digital transform technology, and procedural standards for proper laboratory protocols. For example, several methods are in use today (checksums, one-way hash algorithms, and digital signatures) to help demonstrate that the integrity of evidence has been preserved.23 Each of these has advantages and drawbacks, ranging from the ease with which they can be applied and maintained to the level of confidence in them and what they prove (i.e., who, when, what). Some work has also been done to understand what requirements cyberforensic analysis tools must meet in order to establish and maintain evidentiary trust: usability by the human investigator (abstracting data to a level that can be analyzed), comprehensiveness (inculpatory and exculpatory evidence), accuracy, determinism, and verifiability.24
- Detection and recovery of hidden data. This research area would focus on creating discovery mechanisms that detect and extract digital evidence in all its forms. Specific research areas include the categorization of places and mechanisms for hiding data, mechanisms for the detection of original material, and methods for extracting and recovering hidden data.25 This line of research would search for ways to identify the who, what, when, where, and how for digital evidence. Merely obtaining data poses a wide variety of technical challenges. For example, the diversity of devices on which potentially relevant information may be stored means that new protocols and tools must be developed for each device. Relevant information may be buried amidst large volumes of other irrelevant information and may be distributed across many different devices or locations. Information may not even be stored on persistent media (for example, it might be stored in dynamic random access memory [DRAM] and disappear when the system on which it is stored is powered down). The recovery of encrypted data has been a particular concern of both practitioners and researchers.26 In addition, systems can be designed to support forensic investigation and thereby increase the quantity and quality of forensic information available.27 Automating the collection process and performing targeted searches using techniques such as data mining could also improve the detection and recovery of useful data.28 These are aspects of what has been termed "forensic readiness," the extent to which activities and data are recorded in a manner sufficient for forensic purposes.29 Another aspect of the detection and recovery of data addresses the science and technology of acquiring, preserving, retrieving, and presenting data that have been processed electronically or have been stored in electronic form but in a nonevidentiary context. Outside of this context, the evidentiary requirements of forensic investigation are relaxed. Thus, for example, statistical likelihood, indirect evidence, and hearsay fall within the scope of nonevidentiary forensics.

22. Orin S. Kerr, "Computer Records and the Federal Rules of Evidence," United States USA Bulletin, Vol. 49, No. 2, U.S. Department of Justice, March 2001.
23. Chet Hosmer, "Proving the Integrity of Digital Evidence with Time," International Journal of Digital Evidence, Vol. 1, No. 1, 2002.
24. Brian Carrier, "Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers," International Journal of Digital Evidence, Vol. 1, No. 4, 2003.
25. One description of the challenges involved in this area can be found in Paul A. Henry, "Anti-Forensics," April 2006; available at http://layerone.info/2006/presentations/Anti-Forensics-LayerOne-Paul_Henry.pdf.
- Digital forensic science in networked environments (network forensics). This research area focuses on the need to expand digital forensics beyond its roots in computer forensics, which focused heavily on stand-alone, media-intensive sources. Specific research areas include understanding the similarities and relationships between computer and network forensics, methods for applying digital forensic analysis in real time, and the development of trusted collection processes and criteria for trusted agents outside of law enforcement (e.g., intelligence, network operators) to collect forensic evidence. For example, network geolocation technology would provide a means for determining the physical location of a logical network address. Tools for monitoring and mapping network traffic would allow real-time network management.30 Related is traffic analysis, which calls for understanding the source and nature of certain kinds of attack and requires techniques, equipment, and legal tools to characterize the huge traffic flows on public and private networks that accompany those kinds of attack. Extracting information about interconnections (e.g., traffic volume, communicating pairs, and network topology as functions of time) can help hunt down enemies and understand interrelationships. Finally, research is needed on the formalization of policies to support network forensics, including systematic application and data retention, logging of system and network information, attack response planning, and network forensic training.31
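The one-way-hash approach to evidence integrity mentioned in the list above can be illustrated briefly. This is a minimal sketch assuming the evidence is available as a byte string; as the text notes, a bare hash demonstrates only what was preserved, not who acquired it or when (digital signatures and trusted timestamps address those gaps).

```python
# Minimal illustration of hash-based evidence integrity: a digest recorded
# at acquisition time lets an examiner later show the evidence is unchanged.
# The dict-based "evidence item" is an invented convenience for the sketch.
import hashlib

def acquire(evidence_bytes):
    """Record a SHA-256 digest alongside the acquired evidence."""
    return {"data": evidence_bytes,
            "sha256": hashlib.sha256(evidence_bytes).hexdigest()}

def verify(item):
    """Re-hash the evidence and compare with the acquisition-time digest."""
    return hashlib.sha256(item["data"]).hexdigest() == item["sha256"]
```

Because cryptographic hashes change unpredictably with any bit flip, even a single-byte modification of an evidence image is detected on re-verification.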
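As a concrete example of a discovery mechanism for the hidden-data problem discussed above, one widely used heuristic (chosen here for illustration; the text does not prescribe any particular method) is byte-entropy measurement: encrypted and compressed regions exhibit near-maximal entropy, so unusually high-entropy files or disk regions merit closer examination.

```python
# Entropy heuristic for spotting possibly encrypted or hidden data: random
# or encrypted bytes approach 8 bits of entropy per byte, while text and
# most structured data score much lower.
import math
from collections import Counter

def shannon_entropy(data):
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((count / n) * math.log2(count / n)
                for count in Counter(data).values())
```

English text typically scores around 4 to 5 bits per byte, while ciphertext sits close to 8; choosing the threshold that separates "interesting" from ordinary content is itself a tuning problem, and high entropy alone does not distinguish encryption from legitimate compression.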
While this and other research marks a clear beginning toward the goal of establishing a discipline of digital forensic science, further progress is possible in all of these areas. Much of the required research is technical in nature, and in many cases the techniques and problems are similar to those of other technical research areas (e.g., software debugging, data provenance, intrusion detection, and malware analysis), although such synergies remain largely unexplored. However, there are also legal, economic, and policy research issues. For instance, there are likely to be economic constraints owing to the lack of incentives for technology vendors and users alike to improve forensic readiness.32
The international aspects of digital forensic investigation in a world of global high-speed networks mean that there are some significant legal issues related to the quality, provenance, analysis, and maintenance of data in different legal jurisdictions that have yet to be fully understood and addressed.
30. See, for instance, "Network Geo-location Technology" and "ATM Mapping and Monitoring Tool" at the National Security Agency's Domestic Technology Transfer Program Web site: http://www.nas.gov/techtrans/index.cfm.
31. Cf. Srinivas Mukkamala and Andrew H. Sung, "Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques," International Journal of Digital Evidence, Vol. 1, No. 4, 2003; Alec Yasinsac and Yanet Manzano, "Policies to Enhance Computer and Network Forensics," presentation at the Workshop on Information Assurance and Security, United States Military Academy, West Point, N.Y., June 2001.
32. Tyler Moore, "The Economics of Digital Forensics," presented at the Fifth Annual Workshop on the Economics of Information Security, Cambridge, England, June 26-28, 2006.
One example of a significant policy issue is that of addressing the tension between forensics and privacy. Concerns about privacy have motivated the development of counter-forensic tools. Some initial work has been done to evaluate the effectiveness of existing commercial counter-forensic tools and the operational implications for digital forensic analysis.33 Yet, policy questions such as understanding and managing the boundary between the legitimate collection and use of digital forensic evidence and the illegitimate monitoring of behavior and activities have barely been asked, let alone answered. Indeed, the question of what is and is not legitimate has still to be answered.34