Web Forensic on Container Services Using Grr Rapid Response Framework

Detecting the latest advanced persistent threats (APTs) using conventional information protection systems is a challenging task. Although various systems have been employed to detect such attacks, they are limited by their respective operating systems. Furthermore, they are developed as closed platforms and cannot be customized to meet user environments. To overcome these limitations, open-source endpoint detection and response (EDR) techniques are needed. In this study, we construct one that integrates opensource security frameworks combining GRR (Google Rapid Response) and osquery. A threat-detecting case study is conducted to validate the feasibility of the proposed open-source EDR system. Additionally, APT coverage for the proposed EDR system is analyzed using MITRE's Adversarial Tactics, Techniques, and Common Knowledge model. The assessment result shows that APT tactics having high levels of threat detection using non-customized osquery configurations comprise 28.5 % of all detections, which is lower than the other response levels. The performance of open-source EDR can be increased by customizing osquery for specific purposes and environments. Open-source EDR combining GRR and osquery has the potential to provide the detection-coverage efficient threat detection system and has the advantage of flexible integration with other applications; it can also be developed for evolving system environments such as cloud and internet of things.INDEX TERMS advanced persistent threat, behavior-based detection, cyber-attack, detection criteria, remote live forensics, open source based EDR.

show abstract

“…References [14]- [17] applied a GRR to several domains to collect data and attempted forensic analysis. Ref.…”

Section: Related Workmentioning

confidence: 99%

“…Refs. [15]- [17] highlighted the need for digital forensics for web servers operating in containers (e.g., Docker and Kubernetes) and used some to respond to distributed denial-ofservice attacks. In these studies, the method of recognizing a DDoS attack by checking the web server log and IP address was used.…”

Section: Related Workmentioning

confidence: 99%

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

et al. 2022

View full text Add to dashboard Cite

show abstract

“…The forensic analysis then carried out using forensic methodology from NIST, which has four stages, namely: Preservation, Acquisition, Examination & Analysis, and Reporting. Preservation conducted by made a logical backup of evidence followed with Acquisition where WA artefact s will be identified and extracted from logical backup files [25]. Examination & analysis then carried out to find proof followed by Reporting.…”

Section: Fig 3 Forensic Analysis Stagesmentioning

confidence: 99%

Mobile Forensic Tools Validation and Evaluation for Instant Messaging

Zamroni¹,

Riadi²

2020

Int. J. Adv. Sci. Eng. Inf. Technol.

Self Cite

View full text Add to dashboard Cite

Mobile technology is experiencing rapid development from year to year. Various types of models and operating systems are available on the market, followed by the development of applications for mobile devices. Behind the development of mobile technology, mobile devices are often used for crime. To handle a case related to a mobile device, an investigator needs to use forensic methodologies. Investigator also needs to know which tools are capable of handling mobile forensics of a specific artefact or mobile devices since each forensic tool has its limitation. The rapid development of mobile technology and the lack of understanding of forensic tools sometimes become an obstacle for an investigator in handling a case. This research conducted a forensic analysis of WhatsApp (WA) application on the Samsung Galaxy S4 and Samsung A3 using the logical acquisition of 3 forensic tools, namely: WA Key/DB Extractor, Oxygen Forensics, and Magnet AXIOM. National Institute of Standards and Technology (NIST) forensic tool parameters and additional parameters related to WA artefact s were used to evaluate forensic tools which will then be calculated to find acquisition capability index for each forensic tool. Acquisition capability index is expected to provide an overview and recommendations regarding forensic tools for conducting WA forensic analysis. Based on the acquisition capability index, Magnet AXIOM has advantages over Oxygen Forensics, and WA Key/DB Extractor in conducting forensic analysis of WA artefact s on Samsung Galaxy S4 and Samsung A3 with 77.77%. Thus it can be concluded that Magnet AXIOM is recommended to be used in handling WA artefacts.

show abstract

“…The information system is an application used in an organization that supports transaction management and makes reporting easier [1,2]. An information system improves usability, maintainability, and security through standardization and development of best practices [3,4]. Authentication is the main gateway in an information system to get authorization to access the account [5].…”

Section: Introductionmentioning

confidence: 99%

“…Information security is an important aspect that needs to be considered in building a system [10]. As the main gate of the system, has gaps and vulnerabilities, including sending and receiving the payload from the server as plain text, because it should be encrypted in sending the payload to maintain the payload's anonymity [11,12,13].…”

Section: Introductionmentioning

confidence: 99%

Block-hash of blockchain framework against man-in-the-middle attacks

Riadi

Umar

Busthomi

et al. 2021

regist. j. ilm. teknol. sist. inf.

Self Cite

View full text Add to dashboard Cite

Payload authentication is vulnerable to Man-in-the-middle (MITM) attack. Blockchain technology offers methods such as peer to peer, block hash, and proof-of-work to secure the payload of authentication process. The implementation uses block hash and proof-of-work methods on blockchain technology and testing is using White-box-testing and security tests distributed to system security practitioners who are competent in MITM attacks. The analyisis results before implementing Blockchain technology show that the authentication payload is still in plain text, so the data confidentiality has not minimize passive voice. After implementing Blockchain technology to the system, white-box testing using the Wireshark gives the result that the authentication payload sent has been well encrypted and safe enough. The percentage of security test results gets 95% which shows that securing the system from MITM attacks is relatively high. Although it has succeeded in securing the system from MITM attacks, it still has a vulnerability from other cyber attacks, so implementation of the Blockchain needs security improvisation.

show abstract

Web Forensic on Container Services Using Grr Rapid Response Framework

Cited by 7 publications

References 10 publications

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

Performance Evaluation of Open-Source Endpoint Detection and Response Combining Google Rapid Response and Osquery for Threat Detection

Mobile Forensic Tools Validation and Evaluation for Instant Messaging

Block-hash of blockchain framework against man-in-the-middle attacks

Contact Info

Product

Resources

About