An Overview to Forensic Enterprise Architecture Design
By George Khalil
Attackers usually follow an attack framework in order to breach an organization’s computer network infrastructure. In response, forensic analysts are tasked with identifying the files, data and tools accessed during a breach. Attackers follow a systematic approach to compromising their targets that begins with gathering information and intelligence. After identifying technology and personnel, they direct their efforts toward gaining access to the organization’s internal systems by exploiting vulnerabilities or through spear-phishing. Once the shellcode or malware has executed, it downloads additional components that give the attacker the tools needed to move laterally across the organization and escalate privileges. The attacker then extends this foothold by collecting and exfiltrating confidential data. Each time a file is created or transferred across the network, a detectable forensic signature is left behind; even memory-resident malware must exist as a file or traverse the network before it is loaded into memory. Advanced persistent threat (APT) agents typically traverse the enterprise infrastructure during their attack and subsequent exfiltration activities. The design of a forensically sound infrastructure permits the identification of current and past malicious communications, while network intelligence-gathering methods seek to create an enterprise-wide forensic view that identifies the extent of a breach. Early detection of threats requires proper placement of intrusion detection and prevention systems. File analysis, DLP, Syslog, NetFlow logging and behavior analysis provide visibility of enterprise-wide activities from the perspective of multiple systems.
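The overview argues that lateral movement and exfiltration leave signatures in NetFlow and Syslog that, viewed enterprise-wide, reveal the extent of a breach. The following Python script is an added illustration, not code from the paper or its author: it joins constructed NetFlow-style records (source, destination, port, bytes) with constructed syslog authentication lines, flags an internal host that fans out to several peers on remote-administration ports, flags bulk transfer from that host to an external address, and attaches the host-side logon events that corroborate the flows. The internal address ranges, the set of administration ports, the fan-out count and the byte threshold are assumed values chosen for the example, and the log formats are simplified.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Added example (not from the paper): correlate NetFlow-style records with
# syslog authentication events to surface two of the signatures the overview
# names, lateral-movement fan-out and bulk outbound transfer. All addresses,
# hostnames, thresholds and volumes below are constructed for illustration.

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
ADMIN_PORTS = {22, 135, 445, 3389, 5985}  # assumed remote-administration services


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Constructed flow records: (src_ip, dst_ip, dst_port, bytes_sent)
FLOWS = [
    ("10.0.1.15", "10.0.1.20", 445, 12_000),
    ("10.0.1.15", "10.0.1.21", 445, 9_000),
    ("10.0.1.15", "10.0.1.22", 22, 8_000),
    ("10.0.1.15", "10.0.1.23", 3389, 300_000),
    ("10.0.1.15", "203.0.113.7", 443, 850_000_000),  # ~850 MB to an external host
    ("10.0.1.30", "198.51.100.9", 443, 45_000),       # ordinary web traffic
    ("10.0.1.31", "10.0.1.5", 53, 600),               # DNS to the internal resolver
]

# Constructed syslog lines from hosts that received the connections above.
SYSLOG = [
    "Jan 10 02:14:07 srv-22 sshd[1022]: Accepted password for svc-backup from 10.0.1.15 port 51022 ssh2",
    "Jan 10 02:16:41 srv-23 rdp[233]: Accepted logon for svc-backup from 10.0.1.15",
    "Jan 10 08:01:12 srv-05 sshd[2201]: Accepted publickey for alice from 10.0.1.31 port 40210 ssh2",
]

# Simplified "Accepted <method> for <user> from <ip>" pattern used by the sample lines.
LOGON_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) \S+: Accepted \S+ for (?P<user>\S+) from (?P<src>[\d.]+)"
)


def lateral_movement(flows, min_targets=3):
    """Internal hosts that contacted >= min_targets distinct internal hosts on admin ports."""
    targets = defaultdict(set)
    for src, dst, port, _ in flows:
        if port in ADMIN_PORTS and is_internal(src) and is_internal(dst):
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


def bulk_egress(flows, threshold_bytes=100_000_000):
    """Internal -> external pairs whose summed volume reaches the threshold."""
    total = defaultdict(int)
    for src, dst, _, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            total[(src, dst)] += nbytes
    return [(src, dst, n) for (src, dst), n in sorted(total.items()) if n >= threshold_bytes]


def logons_from(syslog_lines, src_ip):
    """Authentication events in syslog that originated from src_ip: (timestamp, host, user)."""
    events = []
    for line in syslog_lines:
        m = LOGON_RE.match(line)
        if m and m.group("src") == src_ip:
            events.append((m.group("ts"), m.group("host"), m.group("user")))
    return events


def build_report(flows, syslog_lines):
    """Join each flow-derived suspect with the host-side evidence that corroborates it."""
    report = {}
    for src, dsts in lateral_movement(flows).items():
        report[src] = {
            "fan_out": dsts,
            "logons": logons_from(syslog_lines, src),
            "egress": [(dst, n) for s, dst, n in bulk_egress(flows) if s == src],
        }
    return report


if __name__ == "__main__":
    for src, details in build_report(FLOWS, SYSLOG).items():
        print(src, details)
```

The point of the join is the one the overview makes: no single sensor sees the whole story. The flow collector sees the fan-out and the outbound volume but not who logged on; the receiving hosts' syslog sees the account used but not the volume leaving the network. Tying both to the same source address gives the analyst the timeline and the scope of the breach in one view, and the thresholds are the knobs an operator tunes against their own baseline.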