Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances

This guidance was developed with contributions from partner agencies and sets out the logging and forensic capabilities that edge devices should provide so that compromises can be detected and investigated.

Produced by the UK National Cyber Security Centre (NCSC) in collaboration with various international cybersecurity organizations, including the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security, the US Federal Bureau of Investigation (FBI), and New Zealand’s National Cyber Security Centre (NCSC-NZ).


Background of This Guidance

The rise in cyber threats has led to an increase in breaches of network devices and infrastructure. Targeted attacks have compromised both physical and virtual devices, including routers and perimeter security appliances.

Network devices sit in the path of an organisation's traffic and frequently form its perimeter, which makes them attractive targets for attackers.

Malicious actors often exploit security vulnerabilities and flawed design elements to gain and maintain unauthorized access, and frequently remain undetected for long periods.

These weaknesses stem from factors such as insecure design, infrequent firmware updates and weak authentication; the limited logging and forensic visibility offered by many such devices then makes suspicious activity difficult to detect and investigate.


Audience and Purpose of This Guidance

This guidance sets out minimum requirements for forensic visibility, giving network defenders a baseline for improving their security posture both before and after an incident. Network defenders are encouraged to treat these attributes as selection criteria when procuring new physical and virtual network equipment.

Manufacturers are urged to incorporate standard logging and forensic capabilities into their devices to enable easier detection of malicious activity and facilitate investigations post-intrusion.

By adhering to the outlined observability and digital forensics standards, manufacturers and customers will improve their capacity to detect malicious actions against their systems.


Logging Requirements

Implementing the following minimum features will enhance threat detection and response capabilities for both physical and virtual network devices:

  1. Authentication details for every login attempt, successful or not, including username, method used (e.g., password, SSH key), source IP address, and session identifier.

  2. Interactions that require vendor-specific authentication or a licensing key.

  3. Service and application-level logging for HTTP/HTTPS requests, including client IP addresses, request methods, and response status codes.

  4. Process creation information such as parent process, executable path, and arguments.

  5. Process exit and termination details, including exit status and, where available, the terminating signal.

  6. Dynamic loading and unloading of modules, including names, versions, and associated user contexts.

  7. File system actions (creation, modification, deletion and permission changes) that may assist post-breach investigations.

  8. DNS queries and responses.

  9. Details of firmware or software updates, including versions and sources.

  10. Configuration changes, especially on internet-facing devices, including the method by which the change was made (e.g., CLI, web interface, API).

  11. Backup and export operations.

  12. Log manipulation, including attempts to clear, truncate or rotate log files.

  13. Diagnostic and recovery events.

  14. Peripheral device connections, such as USB.
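As an added illustration (not code from the guidance or from any vendor), the script below shows what a defender can do once a device emits events carrying the fields listed above. It assumes a JSON-lines log format with field names chosen for this example (`session_id`, `src_ip`, `method`, `path` and so on are assumptions, not a vendor schema), checks each event against a minimum-field schema, and uses the session identifier from requirement 1 to tie a login from outside the management network to the configuration changes (requirement 10) and log clearing (requirement 12) performed in the same session. The log lines are constructed.

```python
import ipaddress
import json
from collections import defaultdict

# Minimum fields per event class, mirroring the requirements above.
# Field names are this example's assumption, not a vendor schema.
REQUIRED_FIELDS = {
    "auth": {"ts", "event", "user", "method", "src_ip", "session_id", "result"},
    "config_change": {"ts", "event", "user", "session_id", "method", "path", "old", "new"},
    "log_manipulation": {"ts", "event", "user", "session_id", "action", "target"},
}

# Constructed sample log (one JSON event per line); not real device output.
# Line 6 deliberately omits the fields that identify what was changed.
SAMPLE_LOG = """\
{"ts":"2024-05-01T10:00:01Z","event":"auth","user":"admin","method":"password","src_ip":"10.0.0.5","session_id":"s-101","result":"success"}
{"ts":"2024-05-01T10:00:30Z","event":"config_change","user":"admin","session_id":"s-101","method":"cli","path":"system/ntp/server","old":"10.0.0.10","new":"10.0.0.11"}
{"ts":"2024-05-01T11:12:07Z","event":"auth","user":"admin","method":"password","src_ip":"203.0.113.44","session_id":"s-102","result":"success"}
{"ts":"2024-05-01T11:12:40Z","event":"config_change","user":"admin","session_id":"s-102","method":"web","path":"mgmt/ssh/listen","old":"mgmt-only","new":"any"}
{"ts":"2024-05-01T11:13:02Z","event":"log_manipulation","user":"admin","session_id":"s-102","action":"clear","target":"/var/log/audit.log"}
{"ts":"2024-05-01T11:13:05Z","event":"config_change","user":"admin","session_id":"s-102","method":"web"}
"""


def parse_events(text):
    """Parse one JSON event per line. Malformed or under-specified lines are
    reported as (line_number, reason) rather than silently dropped, because a
    device that omits required fields is itself a finding."""
    events, problems = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError as e:
            problems.append((n, f"unparseable line: {e}"))
            continue
        kind = ev.get("event")
        if kind not in REQUIRED_FIELDS:
            problems.append((n, f"unknown event type {kind!r}"))
        else:
            missing = REQUIRED_FIELDS[kind] - set(ev)
            if missing:
                problems.append((n, f"{kind} missing {sorted(missing)}"))
        events.append(ev)
    return events, problems


def sessions_from_untrusted_networks(events, trusted):
    """Session IDs whose successful login came from outside the trusted management ranges."""
    nets = [ipaddress.ip_network(t) for t in trusted]
    flagged = set()
    for ev in events:
        if ev.get("event") == "auth" and ev.get("result") == "success":
            ip = ipaddress.ip_address(ev["src_ip"])
            if not any(ip in n for n in nets):
                flagged.add(ev["session_id"])
    return flagged


def log_clearing_after_change(events):
    """Pair each log-clear event with the configuration paths changed earlier
    in the same session; a change followed by log clearing is a classic
    anti-forensic pattern worth surfacing on its own."""
    changes = defaultdict(list)
    hits = []
    for ev in events:
        sid = ev.get("session_id")
        if ev.get("event") == "config_change" and "path" in ev:
            changes[sid].append(ev["path"])
        elif ev.get("event") == "log_manipulation" and ev.get("action") == "clear":
            hits.append({"session_id": sid, "target": ev.get("target"),
                         "changed": list(changes[sid])})
    return hits


def analyse(text, trusted=("10.0.0.0/8",)):
    """Run all checks over a log text; the trusted range is an assumed management network."""
    events, problems = parse_events(text)
    return {
        "problems": problems,
        "untrusted_sessions": sessions_from_untrusted_networks(events, trusted),
        "clear_after_change": log_clearing_after_change(events),
    }


if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE_LOG), indent=2, default=sorted))
```

Run stand-alone, the script reports the session opened from 203.0.113.44, the SSH listener change made in that session immediately before the audit log was cleared, and the final event that lacks `path`, `old` and `new`. The last finding is the point of the schema check: without those fields a defender can see that something changed but not what, which is exactly the gap the requirements above are meant to close.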


Data Acquisition Requirements

Volatile Data Collection

Devices should allow volatile data to be collected through privileged interfaces so that their current operational state can be established during an investigation.

A supported, documented mechanism for capturing this data aids anomaly detection and lets investigations proceed systematically rather than relying on ad hoc access to the device.

The following data should be collectable:

  1. Process details including parent/child relationships.
  2. Process memory allocations.
  3. Dynamically loaded modules.
  4. Network connections and ARP entries.
  5. System- and application-level logs relevant to the breach.
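The following is an added example, not code from the guidance or from any device vendor, of what a volatile-data collection interface can produce for items 1, 3 and 4 above. It assumes a Linux-based appliance and parses the kernel's own `/proc` text formats: `/proc/<pid>/stat` for the process tree (the command name is in parentheses and may contain spaces, so it is split on the last `)`), `/proc/net/tcp` (addresses are little-endian hex, decoded with `struct`), `/proc/net/arp` and `/proc/modules` (taint flags such as `(OE)` mark out-of-tree or unsigned modules). All inputs are constructed samples in those formats; the snapshot is hashed so the capture can be referenced in the investigation record.

```python
import hashlib
import ipaddress
import json
import socket
import struct

# Constructed samples in the kernel's /proc text formats; not captured from any real device.
SAMPLE_STAT = {  # /proc/<pid>/stat, keyed by pid
    "1":    "1 (init) S 0 1 1 0 -1 4194560 0 0 0 0",
    "612":  "612 (sshd) S 1 612 612 0 -1 4194624 0 0 0 0",
    "2048": "2048 (sshd: admin) S 612 612 612 0 -1 4194560 0 0 0 0",
    "2051": "2051 (sh) S 2048 2051 2051 0 -1 4194560 0 0 0 0",
    "2077": "2077 (nc) S 2051 2051 2051 0 -1 4194560 0 0 0 0",
}
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0 100 0 0 10 0
   1: 0500000A:0016 2C7100CB:D431 01 00000000:00000000 00:00000000 00000000     0        0 5678 1 0 20 4 30 10 -1
   2: 0500000A:B6F2 0A00000A:115C 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0 20 4 30 10 -1
"""
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
10.0.0.1         0x1         0x2         52:54:00:12:34:56     *        eth0
10.0.0.10        0x1         0x2         52:54:00:ab:cd:ef     *        eth0
"""
SAMPLE_MODULES = """\
nf_conntrack 163840 2 nf_nat,xt_conntrack, Live 0xffffffffc0a00000
unknown_mod 16384 0 - Live 0xffffffffc0b00000 (OE)
"""
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}


def decode_addr(hexaddr):
    """/proc/net/tcp stores 'HEXIP:HEXPORT' with the IPv4 address little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)


def parse_tcp(text):
    conns = []
    for line in text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = decode_addr(f[1])
        rip, rport = decode_addr(f[2])
        conns.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return conns


def parse_stat(stat_line):
    """'pid (comm) state ppid ...'; comm may contain spaces or ')', so split on the last ')'."""
    head, _, rest = stat_line.rpartition(")")
    pid, _, comm = head.partition(" (")
    fields = rest.split()
    return {"pid": int(pid), "comm": comm, "state": fields[0], "ppid": int(fields[1])}


def process_tree(stat_by_pid):
    """Map each pid to its ancestry (own command first), which is what item 1 asks for."""
    procs = {p["pid"]: p for p in (parse_stat(s) for s in stat_by_pid.values())}

    def ancestry(pid):
        chain = []
        while pid in procs:
            chain.append(procs[pid]["comm"])
            pid = procs[pid]["ppid"]
        return chain

    return {str(pid): ancestry(pid) for pid in procs}


def parse_arp(text):
    return [{"ip": f[0], "flags": f[2], "mac": f[3], "device": f[5]}
            for f in (l.split() for l in text.splitlines()[1:]) if len(f) >= 6]


def parse_modules(text):
    mods = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 4:
            taint = line[line.rfind("(") + 1:line.rfind(")")] if line.rstrip().endswith(")") else ""
            mods.append({"name": f[0], "size": int(f[1]), "refcount": int(f[2]),
                         "used_by": [d for d in f[3].split(",") if d and d != "-"], "taint": taint})
    return mods


def snapshot(stat=SAMPLE_STAT, tcp=SAMPLE_TCP, arp=SAMPLE_ARP, modules=SAMPLE_MODULES):
    """Build the volatile snapshot and a SHA-256 over its canonical JSON form."""
    data = {"processes": process_tree(stat), "connections": parse_tcp(tcp),
            "arp": parse_arp(arp), "modules": parse_modules(modules)}
    digest = hashlib.sha256(json.dumps(data, sort_keys=True).encode()).hexdigest()
    return data, digest


def findings(data, trusted="10.0.0.0/8"):
    """Triage: established sessions outside the (assumed) management network, tainted modules."""
    net = ipaddress.ip_network(trusted)
    external = [c for c in data["connections"] if c["state"] == "ESTABLISHED"
                and ipaddress.ip_address(c["remote"].rsplit(":", 1)[0]) not in net]
    return {"external_connections": external,
            "tainted_modules": [m["name"] for m in data["modules"] if m["taint"]]}


if __name__ == "__main__":
    data, digest = snapshot()
    print(json.dumps({"sha256": digest, "findings": findings(data), "snapshot": data}, indent=2))
```

On a real appliance the same parsers would be fed from `/proc` by the vendor's privileged collection interface; the point of item 1 is visible in the sample output, where the `nc` process resolves to `nc <- sh <- sshd: admin <- sshd <- init`, a shell spawned from an SSH session rather than from the management daemon. Hashing the canonical JSON before it leaves the device gives the investigator a value to record alongside the capture.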


Additional Resources

The original NCSC publication links to further guidance on logging and protective monitoring for network devices; the source is given in the note below.


Note:

Based on an article from national cybersecurity centre: https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
