DOI: 10.1145/1527017.1527023
Research article

Palantir: a framework for collaborative incident response and investigation

Published: 14 April 2009

Abstract

Organizations owning cyber-infrastructure assets face large-scale distributed attacks on a regular basis. In the face of the increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is a need for a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities, so that they can track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experience in dealing with a large-scale distributed attack that took place in 2004 and is known as Incident 216. Based on our approach we present the Palantir system, which comprises conceptual and technological capabilities to respond adequately to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.

Published In

IDtrust '09: Proceedings of the 8th Symposium on Identity and Trust on the Internet
April 2009
131 pages
ISBN: 9781605584744
DOI: 10.1145/1527017

Sponsors

• Internet2
• The National Institute of Standards and Technology
• OASIS IDtrust Member Section
• FPKIPA: Federal Public Key Infrastructure Policy Authority

Publisher

Association for Computing Machinery, New York, NY, United States

Author Tags

1. digital investigation
2. incident response
3. multi-site collaboration

Conference

IDtrust '09: 8th Symposium on Identity and Trust on the Internet
April 14 - 16, 2009
Gaithersburg, Maryland, USA

Cited By

• (2024) ‘We Do Not Have the Capacity to Monitor All Media’: A Design Case Study on Cyber Situational Awareness in Computer Emergency Response Teams. Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems, pp. 1-16. DOI: 10.1145/3613904.3642368. Online publication date: 11 May 2024.
• (2022) Proof-of-Concept for a Granular Incident Management Information Sharing Scheme. 2022 IEEE World AI IoT Congress (AIIoT), pp. 515-520. DOI: 10.1109/AIIoT54504.2022.9817254. Online publication date: 6 June 2022.
• (2021) The Impact of Organizational Structure and Technology Use on Collaborative Practices in Computer Emergency Response Teams: An Empirical Study. Proceedings of the ACM on Human-Computer Interaction, 5(CSCW2), pp. 1-30. DOI: 10.1145/3479865. Online publication date: 18 October 2021.
• (2020) FluentDNA: Nucleotide Visualization of Whole Genomes, Annotations, and Alignments. Frontiers in Genetics, 11. DOI: 10.3389/fgene.2020.00292. Online publication date: 30 April 2020.
• (2020) An emerging threat Fileless malware: a survey and research challenges. Cybersecurity, 3(1). DOI: 10.1186/s42400-019-0043-x. Online publication date: 14 January 2020.
• (2020) Handling of advanced persistent threats and complex incidents in healthcare, transportation and energy ICT infrastructures. Evolving Systems. DOI: 10.1007/s12530-020-09335-4. Online publication date: 4 April 2020.
• (2019) Cyber Security Incident Handling, Warning and Response System for the European Critical Information Infrastructures (CyberSANE). Pädiatrie, pp. 476-487. DOI: 10.1007/978-3-030-20257-6_41. Online publication date: 15 May 2019.
• (2018) Malware Economics and its Implication to Anti-Malware Situational Awareness. 2018 International Conference On Cyber Situational Awareness, Data Analytics And Assessment (Cyber SA), pp. 1-8. DOI: 10.1109/CyberSA.2018.8551388. Online publication date: June 2018.
• (2016) Journaling Interfaces to Support Knowledge Workers in Their Collaborative Tasks and Goals. 2016 International Conference on Collaboration Technologies and Systems (CTS), pp. 310-318. DOI: 10.1109/CTS.2016.0064. Online publication date: October 2016.
• (2013) Applying a Digital forensic readiness framework: Three case studies. 2013 IEEE International Conference on Technologies for Homeland Security (HST), pp. 217-223. DOI: 10.1109/THS.2013.6699003. Online publication date: November 2013.
