Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances


This guidance has been created with input from various partnering agencies and forms part of a broader series of publications that highlight the need for robust cybersecurity measures concerning edge devices.

The document has been produced by the UK National Cyber Security Centre (NCSC) in collaboration with the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security, the US Federal Bureau of Investigation (FBI), and New Zealand’s National Cyber Security Centre (NCSC-NZ).


Introduction to this guidance

As the threat from malicious actors increases, the risks associated with critical infrastructure and network devices also grow. Past incidents have shown that both physical and virtual network components, including perimeter security solutions and routers, are frequent targets for compromise.

Network devices are attractive targets for attackers as they manage and process traffic critical to organizational operations.

These attackers have exploited vulnerabilities and insecure design features to gain a foothold in networks, and have retained that access until they were detected.

Vulnerabilities arise when devices are not secure by design, do not receive regular firmware updates, use weak authentication, or do not log enough for suspicious activity to be detected. Insecure default configurations and reliance on outdated hardware further increase exposure to attack.


Audience and Purpose of this Guidance

This guidance defines minimum forensic visibility requirements that help network defenders secure their systems before a compromise and investigate one afterwards. Network defenders should take these features into account when selecting new network devices.

Manufacturers are urged to incorporate and activate robust logging and forensic capabilities by default, facilitating easier detection of malicious activities for network defenders following an incident.

By adhering to the minimum observability and forensic analysis standards outlined within this guidance, both device manufacturers and their clients will be better positioned to identify and mitigate threats. Manufacturers should also utilize these guidelines to define essential features to facilitate forensic analysis for defenders.


Logging Standards

Implementing the following features as minimum standards will enhance threat detection and response capabilities for network devices.

Devices should log the following event types:

  1. Authentication events, both successful and failed, with username, method (e.g., password, SSH key, multi-factor authentication), source IP address, and session identifier.
  2. Technical support events and any interaction that requires vendor-authenticated licensing.
  3. Service and application-level logs, including HTTP/HTTPS requests and responses with client IP, method, session identifier, and response status.
  4. Process creation, with parent process, executable path, and arguments.
  5. Process exit, with exit code and termination cause (e.g., normal exit, crash).
  6. Dynamic loading of modules and libraries, with the details of the loading process.
  7. File system changes relevant to a post-breach investigation.
  8. DNS queries, with the records returned and associated metadata.
  9. Firmware and software updates, both successful and failed attempts.
  10. Configuration changes, including on devices connected to the internet.
  11. Configuration backup and download (export) operations.
  12. Attempts to modify log files.
  13. Diagnostic and safety events.
  14. Peripheral connections, such as USB devices.
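The following is an added example, not code from the guidance or from any vendor, showing what a defender can do once the fields above are present: a minimum-field conformance check over a device's event log, a failed-login burst detection that depends on the source IP and result fields of authentication events, and a check that ties configuration changes and log-tampering attempts back to an authenticated session through the session identifier. The JSON-lines format, the event type names and the field names are this example's own assumptions; real appliances emit syslog, CEF or vendor-specific JSON and would need a parser in front of `audit_log`.

```python
"""Conformance check of device event logs against a minimum field set, plus
two detections that only work when those fields are present.

Added example, not code from the guidance. Events are assumed to arrive as one
JSON object per line with a "type" field; the type and field names are this
example's own, not a vendor's or the guidance's.
"""
import json
from collections import Counter

# Minimum fields per event type. Fields for auth and http follow the event list
# above; the others are assumed plausible minimums for the remaining types.
REQUIRED_FIELDS = {
    "auth":          {"user", "method", "src_ip", "session_id", "result"},
    "http":          {"client_ip", "method", "path", "session_id", "status"},
    "process_start": {"pid", "ppid", "exe", "args"},
    "process_exit":  {"pid", "exit_code", "reason"},
    "module_load":   {"pid", "exe", "module"},
    "dns":           {"query", "qtype", "answers"},
    "update":        {"component", "version", "result"},
    "config_change": {"user", "session_id", "change"},
    "log_tamper":    {"user", "session_id", "target"},
}


def check_event(event):
    """Return the required fields this event lacks; an empty set means conformant."""
    required = REQUIRED_FIELDS.get(event.get("type"))
    if required is None:
        return {"type"}  # an unknown or absent event type is itself a gap
    return required - set(event)


def audit_log(lines):
    """Parse JSON lines. Return (conformant events, [(line_no, missing_fields), ...])."""
    good, problems = [], []
    for n, line in enumerate(lines, 1):
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            problems.append((n, {"<unparseable>"}))
            continue
        missing = check_event(event)
        if missing:
            problems.append((n, missing))
        else:
            good.append(event)
    return good, problems


def failed_auth_bursts(events, threshold=3):
    """Source IPs with at least `threshold` failed logins; needs result and src_ip."""
    fails = Counter(e["src_ip"] for e in events
                    if e["type"] == "auth" and e["result"] == "fail")
    return {ip: n for ip, n in fails.items() if n >= threshold}


def unauthenticated_changes(events):
    """Config changes or log-tampering attempts whose session_id never appears in a
    successful auth event: the session identifier ties a change back to a login."""
    ok_sessions = {e["session_id"] for e in events
                   if e["type"] == "auth" and e["result"] == "success"}
    return [e for e in events
            if e["type"] in ("config_change", "log_tamper")
            and e["session_id"] not in ok_sessions]


# Constructed sample log lines (not real appliance output).
SAMPLE_LINES = [
    '{"type":"auth","user":"admin","method":"password","src_ip":"203.0.113.7","session_id":"s1","result":"fail"}',
    '{"type":"auth","user":"admin","method":"password","src_ip":"203.0.113.7","session_id":"s2","result":"fail"}',
    '{"type":"auth","user":"admin","method":"password","src_ip":"203.0.113.7","session_id":"s3","result":"fail"}',
    '{"type":"auth","user":"admin","method":"ssh-key","src_ip":"198.51.100.2","session_id":"s4","result":"success"}',
    '{"type":"config_change","user":"admin","session_id":"s4","change":"acl 10 permit 198.51.100.0/24"}',
    '{"type":"config_change","user":"support","session_id":"s9","change":"service remote-mgmt enable"}',
    '{"type":"log_tamper","user":"admin","session_id":"s4","target":"/var/log/messages"}',
    '{"type":"auth","user":"admin","method":"password","session_id":"s5","result":"success"}',
    'Jan  1 00:00:00 fw1 kernel: unstructured syslog line without a schema',
]


def run_audit(lines=SAMPLE_LINES):
    """Return conformance problems and both detections for a log."""
    events, problems = audit_log(lines)
    return {
        "problems": problems,
        "failed_auth_bursts": failed_auth_bursts(events),
        "unauthenticated_changes": unauthenticated_changes(events),
    }


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(key, value)
```

On the sample, line 8 is reported for lacking a source IP, line 9 for having no parseable structure at all, the three password failures from 203.0.113.7 surface as a burst, and the change made in session s9 is flagged because no successful login ever produced that session. The last two findings are impossible if the device omits the result, source IP or session identifier fields, which is the practical argument for the field list above.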


Essential Forensic Data Acquisition

Volatile Data Collection

Devices should allow running-state (volatile) data to be collected through a privileged interface and exported in a documented format, so that it can be analysed both automatically and manually to identify unusual activity.

Because this data is as useful to an attacker as to a defender (process memory, for instance, can contain credentials and session keys), the collection interface must be implemented securely: authenticated, restricted to privileged users, and logged whenever it is used.

When feasible, the volatile data that can be collected should include:

  1. Process information, with parent-child relationships and arguments.
  2. Memory maps of processes.
  3. Dynamically loaded modules.
  4. Process handle data for files and sockets.
  5. Environment variables of processes.
  6. Kernel memory and the memory of individual processes.
  7. Packet-processing rules and firewall settings.
  8. Mounted filesystems.
  9. Network connection data.
  10. Current ARP entries mapping IP addresses to MAC addresses.
  11. Content Addressable Memory (CAM) table entries on switches.
  12. Dynamic Host Configuration Protocol (DHCP) lease data.
  13. Active sessions on both administrative and user interfaces.
  14. Dynamically loaded kernel modules.
  15. Contents of volatile filesystems (for example, tmpfs).
  16. Raw images of volatile filesystems.
  17. Crash and core dumps.
  18. All available system and application logs.
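As an added example (not the guidance's or any vendor's tool) of collecting several of the items above from a Linux-based appliance, the script below reads procfs: process records with parent links, arguments, environment, mapped shared objects and open handles (items 1, 3, 4 and 5), loaded kernel modules (14), the ARP table (10) and TCP sockets (9), which it attributes to the owning process through the socket inode. It assumes a Linux /proc; the `proc_root` parameter and `build_sample_proc()` (a constructed two-process tree, not a real capture) are this example's own, so the parsers can also be run offline against an exported copy of /proc.

```python
"""Collect part of the volatile data listed above from a Linux appliance's /proc.

Added example, not the guidance's or any vendor's tool. Assumes Linux procfs;
every function takes proc_root so the parsers run against the live /proc, a
copy exported from a device, or the constructed tree from build_sample_proc().
"""
import os
import socket
import struct


def _read(path):
    """File text, or "" if missing or unreadable (e.g. another user's environ)."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace")
    except OSError:
        return ""


def process_record(pid, proc_root="/proc"):
    """Parent pid, argv, environment, mapped .so files and fd targets for one pid."""
    base = os.path.join(proc_root, str(pid))
    # /proc/<pid>/stat is "pid (comm) state ppid ..."; comm may contain spaces
    # or parentheses, so split on the last ')' rather than on whitespace.
    head, _, tail = _read(os.path.join(base, "stat")).rpartition(")")
    comm = head.partition("(")[2]
    fields = tail.split()
    ppid = int(fields[1]) if len(fields) > 1 else None
    argv = [a for a in _read(os.path.join(base, "cmdline")).split("\0") if a]
    env = dict(kv.split("=", 1) for kv in _read(os.path.join(base, "environ")).split("\0") if "=" in kv)
    modules = set()
    for line in _read(os.path.join(base, "maps")).splitlines():
        parts = line.split(None, 5)
        if len(parts) == 6 and ".so" in os.path.basename(parts[5]):
            modules.add(parts[5])
    handles, fd_dir = {}, os.path.join(base, "fd")
    try:
        fds = os.listdir(fd_dir)
    except OSError:  # no such process, or not permitted for another user's process
        fds = []
    for fd in fds:
        try:
            handles[int(fd)] = os.readlink(os.path.join(fd_dir, fd))
        except OSError:
            pass  # fd closed between listing and readlink
    return {"pid": int(pid), "ppid": ppid, "comm": comm, "argv": argv,
            "env": env, "modules": sorted(modules), "handles": handles}


def process_tree(proc_root="/proc"):
    """All processes keyed by pid, each with its list of child pids."""
    procs = {int(n): process_record(n, proc_root) for n in os.listdir(proc_root) if n.isdigit()}
    for rec in procs.values():
        rec["children"] = sorted(p for p, r in procs.items() if r["ppid"] == rec["pid"])
    return procs


def kernel_modules(proc_root="/proc"):
    """Name, size and reference count of each loaded kernel module (/proc/modules)."""
    rows = (line.split() for line in _read(os.path.join(proc_root, "modules")).splitlines())
    return [{"name": f[0], "size": int(f[1]), "refcount": int(f[2])} for f in rows if len(f) >= 3]


def arp_table(proc_root="/proc"):
    """IP address -> MAC address from /proc/net/arp (header row skipped)."""
    rows = (line.split() for line in _read(os.path.join(proc_root, "net", "arp")).splitlines()[1:])
    return {f[0]: f[3] for f in rows if len(f) >= 6}


def tcp_connections(proc_root="/proc"):
    """Decode /proc/net/tcp: addresses are little-endian hex, state 0A is LISTEN."""
    def addr(hexpair):
        ip, port = hexpair.split(":")
        return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)
    conns = []
    for line in _read(os.path.join(proc_root, "net", "tcp")).splitlines()[1:]:
        f = line.split()
        if len(f) >= 10:
            conns.append({"local": addr(f[1]), "remote": addr(f[2]), "state": f[3], "inode": f[9]})
    return conns


def socket_owners(procs, conns):
    """Attach the owning pid to each socket via the inode that /proc/<pid>/fd
    ("socket:[N]") shares with the inode column of /proc/net/tcp."""
    by_inode = {t[8:-1]: rec["pid"] for rec in procs.values()
                for t in rec["handles"].values() if t.startswith("socket:[")}
    return [dict(c, pid=by_inode.get(c["inode"])) for c in conns]


def build_sample_proc(root):
    """Write a constructed two-process /proc look-alike (not a real capture)."""
    def put(rel, text):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    put("1/stat", "1 (init) S 0 1 1 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1 0 0\n")
    put("1/cmdline", "/sbin/init\0")
    put("42/stat", "42 (web (cgi)) S 1 42 42 0 -1 4194560 0 0 0 0 0 0 0 0 20 0 1 0 1 0 0\n")
    put("42/cmdline", "/usr/sbin/httpd\0-f\0/etc/httpd.conf\0")
    put("42/environ", "LD_PRELOAD=/tmp/.x.so\0PATH=/bin\0")
    put("42/maps", "7f00-7f01 r-xp 00000000 08:01 2 /lib/libc.so.6\n7f02-7f03 r-xp 00000000 00:00 0 /tmp/.x.so\n")
    os.makedirs(os.path.join(root, "42", "fd"), exist_ok=True)
    os.symlink("socket:[777]", os.path.join(root, "42", "fd", "3"))
    put("modules", "ipt_REJECT 16384 1 - Live 0x0000000000000000\n")
    put("net/arp", "IP address HW type Flags HW address Mask Device\n10.0.0.1 0x1 0x2 00:11:22:33:44:55 * eth0\n")
    put("net/tcp", "  sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
                   "   0: 00000000:01BB 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 777 1 0\n")


if __name__ == "__main__":
    import json, sys
    root = sys.argv[1] if len(sys.argv) > 1 else "/proc"
    procs = process_tree(root)
    print(json.dumps({"processes": procs, "modules": kernel_modules(root), "arp": arp_table(root),
                      "sockets": socket_owners(procs, tcp_connections(root))}, indent=1, default=str))
```

Run it with no argument to collect from the live /proc (as root, or other users' environ and fd entries come back empty), or pass a directory to parse an extracted copy. In the constructed sample, the `LD_PRELOAD` variable and the anonymous mapping of `/tmp/.x.so` in the web process are the kind of anomaly that environment and loaded-module data make visible, and tying the listening socket on port 443 to pid 42 is what the handle data is for.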


Additional Resources

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
