Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances

Guidance Overview

This guide has been developed with input from various partnering agencies and is part of a series of publications that highlight the critical need for cybersecurity measures on edge devices.

It is produced by the UK National Cyber Security Centre (NCSC) in collaboration with the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (part of the Communications Security Establishment), the US Federal Bureau of Investigation (FBI), and New Zealand’s National Cyber Security Centre (NCSC-NZ).


Context for this guide

As threats from malicious actors evolve, the number of attacks targeting critical infrastructure continues to rise. Recent incidents have compromised both physical and virtual network devices, including perimeter security solutions and routers, as well as network-attached storage systems.

Network devices are valuable targets for attackers due to their essential role in traffic management and processing.

Attackers typically exploit vulnerabilities and insecure design features to gain prolonged access, often remaining undetected within networks.

Factors that contribute to the vulnerability of these devices include the absence of secure design features, lack of regular firmware updates, weak authentication protocols, limited logging capabilities, incorrect configurations, inadequate network segmentation, and reliance on obsolete hardware.


Purpose and Audience of This Guide

This guide sets forth the minimum standards for forensic visibility designed to assist network defenders in securing their networks both before and after a compromise occurs. Network defenders are urged to consider these standards when choosing new physical and virtual network equipment.

Manufacturers are encouraged to incorporate and enable essential logging and forensic features as a default, ensuring that network defenders can swiftly detect suspicious activities and effectively respond to breaches.

Adhering to the minimum observability and digital forensics standards outlined in this guide will better equip manufacturers and their clients to identify and respond to malicious actions. Manufacturers should leverage this guidance to establish a foundation of essential features to be integrated into network devices to support forensic analysis.


Logging Requirements

Implementing the following features as baseline requirements can enhance threat detection and response capabilities for both physical and virtual network devices.

Devices and appliances should support the logging/recording of the following events:

  1. authentication events, including usernames, methods used (such as password or multi-factor authentication), source IP addresses or hostnames, and relevant session identifiers for both successful and unsuccessful attempts.

  2. technical support access that requires authentication with vendor-specific license keys to use support tools.

  3. service and application-level logging, such as HTTP requests and responses and session control information, including client IP addresses, protocols used, and response statuses.

  4. process creation details, encompassing parent processes, executable paths, usernames, and arguments.

  5. process exit codes and reasons for termination, such as normal closure or unexpected crashes.

  6. dynamic loading and unloading of modules/libraries, including names, file paths, related process IDs, and user context.

  7. file system changes, including creation, modification, or deletion events, particularly in critical directories.

  8. DNS queries for various record types and their associated details to facilitate investigations.

  9. firmware or software update processes, documenting both successful and failed attempts along with relevant metadata.

  10. configuration change logs, especially for devices exposed to the internet, capturing details of what was modified, by whom, and how.

  11. backup or export activity related to device configurations.

  12. any attempts to clear, rotate, or manipulate log files.

  13. records of diagnostic or recovery-related events.

  14. events related to peripheral device insertions such as USB devices.
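The list above names the fields each event type must carry. As an added example (not part of the NCSC guidance or any vendor's code), the checker below encodes the minimum fields for four of those event types and audits a handful of constructed JSON log lines, reporting which required fields are absent; the event-type and field names are assumptions chosen for illustration.

```python
import json
from typing import Dict, List

# Minimum fields per event type, derived from the logging requirements above.
# Event-type and field names are assumptions for this example, not a vendor schema.
REQUIRED_FIELDS: Dict[str, List[str]] = {
    "authentication": ["timestamp", "username", "method", "source", "session_id", "outcome"],
    "process_create": ["timestamp", "parent_pid", "pid", "exe_path", "username", "args"],
    "config_change": ["timestamp", "username", "interface", "changed_keys"],
    "log_tamper": ["timestamp", "username", "action", "target"],
}


def missing_fields(event: dict) -> List[str]:
    """Return required fields that are absent or empty for this event's type.

    An event with no recognised event_type is reported as missing event_type,
    so unlabelled records are never silently accepted."""
    required = REQUIRED_FIELDS.get(event.get("event_type", ""), ["event_type"])
    return [f for f in required if event.get(f) in (None, "")]


def audit_log_lines(lines: List[str]) -> Dict[int, List[str]]:
    """Check each JSON log line; return {line_number: [missing fields]} for failing lines."""
    gaps: Dict[int, List[str]] = {}
    for n, line in enumerate(lines, start=1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            gaps[n] = ["<unparseable>"]
            continue
        missing = missing_fields(event)
        if missing:
            gaps[n] = missing
    return gaps


# Constructed sample log lines (not real device output).
SAMPLE_LINES = [json.dumps(e) for e in [
    {"event_type": "authentication", "timestamp": "2024-01-01T00:00:00Z", "username": "admin",
     "method": "password", "source": "192.0.2.10", "session_id": "s-1", "outcome": "failure"},
    {"event_type": "authentication", "timestamp": "2024-01-01T00:00:05Z", "username": "admin",
     "outcome": "success"},  # fails: no method, source or session identifier
    {"event_type": "log_tamper", "timestamp": "2024-01-01T00:01:00Z", "username": "admin",
     "action": "clear", "target": "/var/log/auth.log"},
]] + ["not json at all"]

if __name__ == "__main__":
    for n, missing in audit_log_lines(SAMPLE_LINES).items():
        print(f"line {n}: missing {', '.join(missing)}")
```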


Forensic Data Acquisition Requirements

Volatile Data Collection

Devices and appliances should facilitate the collection of volatile data through local or remote privileged interfaces. This process must trigger log generation to aid both automatic analysis and human investigators in identifying anomalous events.

While this data benefits defenders, it may also aid attackers, so the feature must be implemented securely.

When feasible, volatile data logging should support the gathering of:

  1. process information including parent/child relationships and arguments.

  2. process memory maps.

  3. process-loaded modules along with their paths.

  4. process handles related to both files and network sockets.

  5. environment variables of processes.

  6. memory utilization at both kernel and process levels.

  7. firewall or packet processing rules.

  8. mounted filesystems.

  9. network connections, consisting of addresses, ports, and protocols.

  10. current ARP table entries.

  11. for network switches – CAM tables that link MAC addresses to specific ports.

  12. DHCP lease tables detailing clients’ MAC addresses and allocated IPs.

  13. active administrative and user sessions regardless of the interface in use.

  14. kernel-loaded modules.

  15. volatile filesystem contents such as temporary files hosted in /tmp.

  16. raw volatile filesystems.

  17. crash/core dumps.

  18. comprehensive logs available from a system and application perspective.

Should redaction be necessary to protect intellectual property or security during volatile data collection, it’s vital to clearly mark any sensitive information as *REDACTED* within the logs and document this appropriately.
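Two requirements from this section, that a collection must itself generate a log event and that any redaction is marked *REDACTED* and documented, are shown together in the added example below. It is illustrative code, not from the NCSC guidance or any vendor; the sensitive key names, record layouts and sample process and connection data are all constructed assumptions.

```python
from datetime import datetime, timezone
from typing import Dict, List, Tuple

REDACTED = "*REDACTED*"
# Environment keys whose values the vendor withholds (assumed for this example).
SENSITIVE_ENV_KEYS = {"API_TOKEN", "LICENSE_KEY"}


def redact_env(env: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Replace sensitive values with the *REDACTED* marker and return which keys
    were redacted, so the redaction itself is documented rather than silent."""
    out, redacted = {}, []
    for key, value in env.items():
        if key in SENSITIVE_ENV_KEYS:
            out[key] = REDACTED
            redacted.append(key)
        else:
            out[key] = value
    return out, sorted(redacted)


def collect_volatile(processes: List[dict], connections: List[dict],
                     operator: str, interface: str, audit_log: List[dict]) -> dict:
    """Assemble a volatile-data snapshot and append an audit event recording
    who collected it, over which interface, and what was redacted."""
    snapshot = {"processes": [], "connections": connections}
    redacted_total: List[str] = []
    for proc in processes:
        env, redacted = redact_env(proc["env"])
        snapshot["processes"].append({**proc, "env": env})
        redacted_total += [f'{proc["pid"]}:{k}' for k in redacted]
    audit_log.append({
        "event_type": "volatile_collection",
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "operator": operator,
        "interface": interface,
        "items": ["processes", "connections"],
        "redacted": redacted_total,
    })
    return snapshot


# Constructed sample data (not captured from a real device).
SAMPLE_PROCESSES = [
    {"pid": 100, "ppid": 1, "exe": "/usr/sbin/httpd", "args": ["-D", "FOREGROUND"],
     "env": {"PATH": "/usr/bin", "API_TOKEN": "secret-value"}},
    {"pid": 101, "ppid": 100, "exe": "/bin/sh", "args": ["-c", "id"], "env": {"PATH": "/usr/bin"}},
]
SAMPLE_CONNECTIONS = [{"proto": "tcp", "local": "192.0.2.1:443",
                       "remote": "198.51.100.7:51000", "state": "ESTABLISHED"}]
```

Calling `collect_volatile(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS, "analyst", "ssh", audit)` with an empty `audit` list returns the snapshot with the token replaced and leaves one audit event naming `100:API_TOKEN` as redacted.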

Non-volatile Data Collection

Devices and appliances should support complete non-volatile storage collection capabilities, ideally through standardized interfaces. System owners must be able to decrypt stored data, which may require support from the vendor, to conduct thorough inspections.

Initial configurations may be necessary to enable this capability, such as ‘bring your own key’. Ensuring key protection and incorporating safeguards in the device’s firmware and hardware against unauthorized data extraction are paramount.

All interfaces used for non-volatile collection must enforce robust authentication and authorization protocols to mitigate the risks of misuse.


Additional Resources

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
