Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances

Guidance on Digital Forensics

This guidance has been created with input from collaborating agencies and is part of a series of publications highlighting the significance of cyber security for edge devices.

It has been produced by the UK National Cyber Security Centre (NCSC) in cooperation with the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security – part of the Communications Security Establishment (CSE), the US Federal Bureau of Investigation (FBI), and New Zealand’s National Cyber Security Centre (NCSC-NZ).


Context for this guidance

As the number of malicious actors targeting critical infrastructure grows, and their capabilities with it, so does the frequency of breaches involving network devices and appliances. Past incidents have compromised both physical and virtual network devices, including edge perimeter security solutions and storage devices.

Network devices are prevalent targets for malicious actors as they are essential for managing and processing network traffic.

These actors often exploit vulnerabilities and insecure design features to achieve and maintain unauthorized access until detected and expelled from the network.

Devices may be vulnerable due to a lack of security by design, absence of regular firmware updates, weak authentication measures, and limited logging capabilities that hinder the detection of suspicious activities. Improper configurations, inadequate network segmentation, and reliance on outdated or unsupported hardware also heighten their susceptibility to attacks.


Intended Audience for this Guidance

This guidance delineates the minimum requirements for forensic visibility to support network defenders in bolstering organizational security both before and following a security breach. Network defenders should take these features into account when choosing new physical and virtual network devices.

Manufacturers are urged to integrate and enable standard logging and forensic capabilities that are robust and secure by default, enabling easier detection of malicious activities and facilitating investigations post-intrusion.

By adhering to the minimum standards for observability and digital forensic baselines detailed in this guidance, both manufacturers and their customers will improve their ability to identify and respond to malicious activities targeting their solutions. Manufacturers should also leverage this guidance to establish a foundation of essential features to integrate into the architecture of network devices and appliances, enabling effective forensic analysis for network defenders.


Logging Requirements

Whenever feasible, implementing the following features as minimum requirements will enhance threat detection and response for physical and virtual network devices.

Devices and appliances should support the logging/recording of events related to:

  1. Authentication details, including username, method used (e.g., password, SSH key, certificate, multi-factor authentication), source IP address or hostname, and relevant session identifiers for both successful and failed attempts.

  2. Technical support events and interactions requiring vendor-specific tools authenticated with a specialized license key from the network device manufacturer.

  3. Service and application-level activity, e.g., HTTP/HTTPS requests and responses and interactive shell sessions, including client IP addresses, request methods, accessed URIs, protocol versions, user agents, session identifiers, response status codes, and data transfer volumes.

  4. Process creation information, including parent processes, executable paths, usernames, and command arguments.

  5. Process exit codes and termination reasons (e.g., normal exit, crashes, killed by signals).

  6. Dynamic loading and unloading of modules, including module names, versions, file paths, associated process IDs, and user contexts.

  7. File system changes relevant to post-breach investigations, particularly in critical directories like web roots, configuration directories, and system binaries.

  8. DNS queries, including records (A, AAAA, TXT, SOA, NS, MX, PTR), their responses, querying processes, and destination DNS servers.

  9. Firmware or software updates, both successful and failed attempts, including version numbers, update sources, and errors encountered.

  10. Configuration changes, especially for devices connected directly to the internet, logging changed parameters, previous and new values, and the user/process making the change.

  11. Configuration backup and export/download operations.

  12. Attempts to clear, rotate, or manipulate log files.

  13. Diagnostic, recovery, and safety events.

  14. Peripheral insertions, such as USB and SD cards.
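As an added example (not part of the guidance), the following shows one way a device could emit structured events for items 1, 10 and 12 of the list above and check each record against the minimum fields the list names; the event-type names, field names and JSON-lines format are assumptions, and the sample stream is constructed.

```python
import json
from typing import Dict, List

# Minimum fields per event type, taken from items 1, 10 and 12 of the logging
# requirements above. Event-type and field names are our own assumption.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "auth": ["username", "method", "source", "session_id", "outcome"],
    "config_change": ["parameter", "previous_value", "new_value", "actor"],
    "log_tamper": ["action", "target", "actor"],
}

def make_event(event_type: str, timestamp: str, **fields) -> str:
    """Serialise one event as a single JSON line (the structured format assumed here)."""
    record = {"type": event_type, "ts": timestamp, **fields}
    return json.dumps(record, sort_keys=True)

def missing_fields(line: str) -> List[str]:
    """Return the required fields absent or empty in one event line ([] = conformant)."""
    record = json.loads(line)
    required = REQUIRED_FIELDS.get(record.get("type", ""), [])
    return [f for f in required if record.get(f) in ("", None)]

def audit(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> missing fields for every non-conformant line in a stream."""
    gaps: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        m = missing_fields(line)
        if m:
            gaps[i] = m
    return gaps

# Constructed sample stream; the second auth event omits the session identifier.
SAMPLE = [
    make_event("auth", "2024-01-01T00:00:00Z", username="admin", method="password",
               source="192.0.2.10", session_id="s-1", outcome="failure"),
    make_event("auth", "2024-01-01T00:00:05Z", username="admin", method="ssh-key",
               source="192.0.2.10", outcome="success"),
    make_event("config_change", "2024-01-01T00:01:00Z", parameter="syslog.server",
               previous_value="10.0.0.5", new_value="198.51.100.7", actor="admin"),
    make_event("log_tamper", "2024-01-01T00:02:00Z", action="clear",
               target="/var/log/auth.log", actor="admin"),
]

if __name__ == "__main__":
    for idx, gaps in audit(SAMPLE).items():
        print(f"line {idx}: missing {gaps}")
```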


Forensic Data Acquisition Requirements

Volatile Data Collection

Devices and appliances should facilitate the collection of volatile data through a privileged interface, capturing the current running state.

This feature should generate logs to assist in automatic analysis and help investigators detect anomalous events.

However, this capability may equally benefit malicious actors, so it should be designed with security in mind.

When supported, volatile data logging should enable the collection of:

  1. Process information, including relationships and arguments.

  2. Process memory maps.

  3. Dynamically loaded modules, including paths.

  4. Process handles, including files and sockets.

  5. Process environment variables.

  6. Memory, both at kernel and individual process levels.

  7. Firewall and packet processing rules.

  8. Mounted filesystems.

  9. Network connections, detailing source and destination addresses, ports, and protocols.

  10. Current ARP entries mapping IP addresses to MAC addresses.

If vendor information needs redaction for safety or intellectual property reasons, this should be clearly indicated in the documentation.
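As an added example (not from the guidance), a small collector that turns two of the volatile artefacts listed above, network connections (item 9) and ARP entries (item 10), into a structured snapshot record; it assumes a Linux-based appliance whose privileged interface exposes /proc, and both inputs below are constructed samples in the /proc/net/tcp and /proc/net/arp formats.

```python
import socket
import struct
from typing import Dict, List

# Constructed sample in the Linux /proc/net/tcp format (addresses are little-endian hex).
# Assumption: the appliance is Linux-based and exposes /proc to the privileged interface.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 0A00000A:0016 0B00000A:D2F4 01 00000000:00000000 00:00000000 00000000     0        0 1235 1
"""
# Constructed sample in the /proc/net/arp format.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.11        0x1         0x2         02:42:0a:00:00:0b     *        eth0
10.0.0.1         0x1         0x2         02:42:0a:00:00:01     *        eth0
"""
TCP_STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

def _endpoint(field: str):
    """Decode 'AABBCCDD:PPPP' (little-endian IPv4, hex port) to (dotted ip, port)."""
    addr_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16))), int(port_hex, 16)

def parse_tcp(text: str) -> List[Dict]:
    """Item 9: connections with source/destination address, port, protocol and state."""
    conns = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) < 4:
            continue
        src, sport = _endpoint(parts[1])
        dst, dport = _endpoint(parts[2])
        conns.append({"proto": "tcp", "src": src, "sport": sport, "dst": dst,
                      "dport": dport, "state": TCP_STATES.get(parts[3], parts[3])})
    return conns

def parse_arp(text: str) -> Dict[str, str]:
    """Item 10: map IP address -> MAC address from the ARP table."""
    return {p[0]: p[3] for p in (l.split() for l in text.splitlines()[1:]) if len(p) >= 4}

def snapshot(tcp_text: str = SAMPLE_TCP, arp_text: str = SAMPLE_ARP) -> Dict:
    """Volatile snapshot as one structured record suitable for logging and later analysis."""
    return {"connections": parse_tcp(tcp_text), "arp": parse_arp(arp_text)}

if __name__ == "__main__":
    import json
    print(json.dumps(snapshot(), indent=1))
```

On a real device the two sample strings would be replaced by reads of /proc/net/tcp and /proc/net/arp through the privileged interface.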

Non-volatile Data Collection

Devices and appliances should support comprehensive non-volatile storage collection. Owners must be able to decrypt stored data when necessary using standard tools, while managing the associated security risks.

Proper system configurations may be required, with strong authentication and authorization controls to prevent unauthorized data extraction.


Further Resources

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
