Guidance on digital forensics and protective monitoring specifications for producers of network devices and appliances


This guidance has been developed with contributions from partnering agencies and is part of a series of publications aimed at underscoring the significance of cyber security measures on edge devices.

Authored by the UK National Cyber Security Centre (NCSC) in collaboration with the Australian Signals Directorate (ASD), the US Cybersecurity and Infrastructure Security Agency (CISA), the Canadian Centre for Cyber Security (part of the Communications Security Establishment, CSE), the US Federal Bureau of Investigation (FBI), and New Zealand's National Cyber Security Centre (NCSC-NZ).


Context for this guidance

As the number of threat actors targeting essential and systemically crucial infrastructure expands, there is a corresponding rise in the number of compromises involving network devices and appliances. Prior incidents have impacted both physical and virtual network devices, such as edge perimeter security solutions and routers, along with network-attached storage.

Network devices are primary targets for malicious actors due to their vital role in managing and processing traffic.

Malicious actors have exploited vulnerabilities and insecure design features in these devices to gain and sustain valuable access. Such intrusions can persist within networks until they are detected and access is denied.

These devices often lack secure design principles, do not receive regular firmware updates, or rely on weak authentication methods, while providing inadequate logging capabilities that hinder the detection of suspicious activity. Poor security configurations, the absence of proper network segmentation, and reliance on unsupported or end-of-life (EOL) hardware further increase their exposure to attack.


Who should utilize this guidance?

This guidance outlines the minimum requirements for forensic visibility, assisting network defenders in safeguarding organizational networks both before and following compromises. Network defenders are advised to consider these features when selecting new physical and virtual network devices.

Device manufacturers are encouraged to embed and activate standard logging and forensic features that are robust and secure by default, enhancing the ability of network defenders to detect malicious activity and investigate intrusions.

By adhering to the minimum observability and digital forensic standards outlined in this guidance, device manufacturers and their customers will be better prepared to detect and identify malicious actions against their solutions. Manufacturers should use these standards to establish a baseline of features that the architecture of network devices and appliances must provide for effective forensic analysis.


Logging requirements

Implementing the following features as minimum requirements will enhance threat detection and response capabilities for both physical and virtual network devices:

  1. Authentication logs, including username, method used (password, SSH key, certificate, multi-factor authentication), source IP address or hostname, and relevant session identifiers for both successful and failed attempts.

  2. Technical support interactions requiring authentication through a specialized license key from the network device manufacturer.

  3. Service and application-level logging, such as HTTP/HTTPS requests and responses, interactive shell sessions (CLI), and similar services.

  4. Process creation logs, including parent process, executable path, username, and arguments.

  5. Process exit codes and termination reasons.

  6. Dynamic loading and unloading of modules and libraries, indicating names, versions, file paths, process IDs, and user contexts.

  7. File system creation, modification, and deletion records in critical directories.

  8. DNS query logs with complete record responses.

  9. Firmware or software update logs, including all attempts and error messages encountered.

  10. Configuration change logs with specific user or process identifiers.
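The first requirement above lists the fields an authentication log entry must carry. The following is an added example, not code from the guidance or from any device vendor: it emits authentication events as JSON lines with those fields (username, method, source, session identifier, outcome), checks that a line carries all of them, and runs a simple failed-login count per source over constructed sample records. The field names, the JSON-lines format and the sample data are this example's own assumptions.

```python
"""Authentication log records with the minimum fields, plus a detector.

Added example (not the guidance's or a vendor's code): one JSON line per
authentication event, a checker for the required fields, and a count of
failures per source over constructed sample lines.
"""
import json
from collections import Counter
from datetime import datetime, timezone

# Minimum fields per the guidance; the names are this example's choice.
REQUIRED_FIELDS = {"timestamp", "username", "method", "source", "session_id", "outcome"}
# Method labels covering password, SSH key, certificate and multi-factor.
ALLOWED_METHODS = {"password", "ssh_key", "certificate", "mfa"}


def make_auth_record(username, method, source, session_id, outcome, ts):
    """Serialize one authentication event as a JSON line."""
    if method not in ALLOWED_METHODS:
        raise ValueError(f"unknown authentication method {method!r}")
    if outcome not in ("success", "failure"):
        raise ValueError("outcome must be 'success' or 'failure'")
    record = {
        "timestamp": ts.isoformat(),
        "username": username,
        "method": method,
        "source": source,        # client IP address or hostname
        "session_id": session_id,
        "outcome": outcome,
    }
    return json.dumps(record, sort_keys=True)


def missing_fields(line):
    """Return the required fields absent from one log line (empty set if complete)."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return set(REQUIRED_FIELDS)
    if not isinstance(rec, dict):
        return set(REQUIRED_FIELDS)
    return REQUIRED_FIELDS - set(rec)


def detect_failed_logins(lines, threshold=3):
    """Count failures per source over well-formed lines.

    Returns (flagged, rejected): flagged maps each source with at least
    `threshold` failures to its count; rejected is the number of lines that
    lacked required fields and were skipped (worth alerting on by itself,
    since gaps in the record hinder investigation).
    """
    failures = Counter()
    rejected = 0
    for line in lines:
        if missing_fields(line):
            rejected += 1
            continue
        rec = json.loads(line)
        if rec["outcome"] == "failure":
            failures[rec["source"]] += 1
    flagged = {src: n for src, n in failures.items() if n >= threshold}
    return flagged, rejected


# Constructed sample log lines; the addresses are documentation ranges.
_T0 = datetime(2024, 5, 1, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    make_auth_record("admin", "password", "198.51.100.7", "sess-1", "failure", _T0),
    make_auth_record("admin", "password", "198.51.100.7", "sess-2", "failure", _T0),
    make_auth_record("root", "password", "198.51.100.7", "sess-3", "failure", _T0),
    make_auth_record("netops", "ssh_key", "192.0.2.10", "sess-4", "success", _T0),
    make_auth_record("netops", "mfa", "203.0.113.5", "sess-5", "failure", _T0),
    # A legacy-style record missing most of the required fields.
    json.dumps({"user": "admin", "result": "failed"}),
]

if __name__ == "__main__":
    flagged, rejected = detect_failed_logins(SAMPLE_LINES)
    print("sources over threshold:", flagged)
    print("lines missing required fields:", rejected)
```

The rejected count matters as much as the flagged sources: a device that emits entries without a session identifier or source address leaves an investigator unable to tie a failed attempt to a later successful session, which is exactly the gap the minimum field set is meant to close.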


Forensic data acquisition requirements

Volatile data collection

Devices and appliances should support the collection of volatile data through a privileged interface, with each collection itself logged, to aid in the analysis and detection of anomalous events.

The collection mechanism should take into account both protective measures and secure design elements, so that it cannot be abused to weaken the device it is meant to examine.

  1. Process information, including parent-child relationships and arguments.
  2. Process memory maps.
  3. Dynamically loaded modules.
  4. Process handle information related to files and sockets.
  5. Environment variables of processes.
  6. Kernel and process-level memory.
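On a Linux-based appliance, most of the items in the list above (process ancestry and arguments, memory maps, loaded modules, file and socket handles, environment variables) are exposed through the /proc filesystem. The following is an added example, not code from the guidance or from any vendor's tooling: it reads the standard /proc/<pid> files for one process and parses them into a snapshot. Parsing is separated from file access so the parsers can be checked against constructed input; the sample file contents are this example's own. Reading another user's process requires root, which is the kind of privileged interface the guidance has in mind. Kernel memory (item 6) is not covered here, as it needs a kernel-side facility rather than /proc.

```python
"""Volatile process data from the Linux /proc interface.

Added example (not the guidance's or a vendor's code): gathers one process's
parent relationship, arguments, memory map, loaded modules, handles and
environment by parsing the standard /proc/<pid> files.
"""
import os


def parse_status(text):
    """Pull process name, parent PID and real UID out of /proc/<pid>/status."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return {
        "name": fields.get("Name", ""),
        "ppid": int(fields.get("PPid", "0")),
        "uid": int(fields.get("Uid", "0").split()[0]),  # first column is the real UID
    }


def parse_cmdline(data):
    """Split the NUL-separated /proc/<pid>/cmdline bytes into argv."""
    return [a.decode(errors="replace") for a in data.split(b"\0") if a]


def parse_environ(data):
    """Turn NUL-separated KEY=VALUE bytes from /proc/<pid>/environ into a dict."""
    env = {}
    for item in data.split(b"\0"):
        if b"=" in item:
            key, value = item.decode(errors="replace").split("=", 1)
            env[key] = value
    return env


def parse_maps(text):
    """Parse /proc/<pid>/maps into regions: start, end, permissions, backing path."""
    regions = []
    for line in text.splitlines():
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        start, end = (int(x, 16) for x in parts[0].split("-"))
        path = parts[5] if len(parts) == 6 else ""   # anonymous mappings have none
        regions.append({"start": start, "end": end, "perms": parts[1], "path": path})
    return regions


def loaded_modules(regions):
    """Shared objects mapped into the process, taken from the map's backing files."""
    return sorted({r["path"] for r in regions if ".so" in os.path.basename(r["path"])})


def classify_handle(target):
    """Label a /proc/<pid>/fd symlink target as socket, pipe, anon or file."""
    for prefix, kind in (("socket:", "socket"), ("pipe:", "pipe"), ("anon_inode:", "anon")):
        if target.startswith(prefix):
            return kind
    return "file"


def collect_process(pid, proc="/proc"):
    """Read the volatile data for one PID; raises PermissionError without privilege."""
    base = f"{proc}/{pid}"
    with open(f"{base}/status") as f:
        info = parse_status(f.read())
    with open(f"{base}/cmdline", "rb") as f:
        argv = parse_cmdline(f.read())
    with open(f"{base}/environ", "rb") as f:
        env = parse_environ(f.read())
    with open(f"{base}/maps") as f:
        regions = parse_maps(f.read())
    handles = {}
    for fd in os.listdir(f"{base}/fd"):
        try:
            target = os.readlink(f"{base}/fd/{fd}")
        except OSError:      # descriptor closed between listing and readlink
            continue
        handles[int(fd)] = {"kind": classify_handle(target), "target": target}
    return {"pid": pid, **info, "argv": argv, "environ": env,
            "maps": regions, "modules": loaded_modules(regions), "handles": handles}


# Constructed sample contents standing in for the /proc files of a daemon.
SAMPLE_STATUS = "Name:\tsshd\nState:\tS (sleeping)\nPid:\t1234\nPPid:\t1\nUid:\t0\t0\t0\t0\n"
SAMPLE_CMDLINE = b"/usr/sbin/sshd\0-D\0"
SAMPLE_ENVIRON = b"PATH=/usr/sbin:/usr/bin\0LANG=C.UTF-8\0"
SAMPLE_MAPS = (
    "55d0c0a00000-55d0c0a20000 r--p 00000000 08:01 1234 /usr/sbin/sshd\n"
    "7f3a10000000-7f3a10021000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6\n"
    "7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]\n"
)

if __name__ == "__main__":
    snapshot = collect_process(os.getpid())  # own process: readable without root
    print(snapshot["name"], snapshot["argv"], len(snapshot["maps"]), "regions")
```

Run as root, a loop over the numeric entries of /proc turns collect_process into a whole-system snapshot; the parent PID and executable path from each record give the parent-child relationships the list asks for, and an executable path that no longer exists on disk, or a mapped module outside the firmware's own directories, is the kind of anomaly the collection is meant to surface.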


Further resources

Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/guidance-on-digital-forensics-protective-monitoring
