An Overview to Forensic Enterprise Architecture Design

By George Khalil

Attackers usually follow an attack framework in order to breach an organization's
computer network infrastructure. In response, forensic analysts are tasked with
identifying the files, data and tools accessed during a breach. Attackers follow a
systematic approach to compromising their targets that begins with gathering
information and intelligence. After identifying the target's technology and personnel,
they direct their efforts to gaining access to the organization's internal systems by
exploiting vulnerabilities or through spear-phishing. Once the shellcode or malware has
executed, it downloads additional components that provide the attacker with the
tools needed to move laterally across the organization and escalate privileges.
The attacker then builds on this foothold by collecting and exfiltrating confidential
data. Each time a file is created or transferred across the network, a detectable
forensic signature is left behind. Even memory-resident malware must exist as a file
or traverse the network before it is loaded into memory. Advanced persistent
threat (APT) agents typically traverse the enterprise infrastructure during their
attack and subsequent exfiltration activities. The design of a forensically sound
infrastructure permits the identification of current and past malicious
communications, while network intelligence-gathering methods seek to create an
enterprise-wide forensic view that identifies the extent of a breach. Early detection of
threats requires proper placement of intrusion detection and prevention systems.
File analysis, DLP, syslog, NetFlow logging and behavior analysis provide visibility
of enterprise-wide activities from the perspective of multiple systems.
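The paragraph above argues that network traversal leaves detectable traces and that NetFlow, syslog and behavior analysis together give an enterprise-wide forensic view. The following script is an added illustration of that idea and is not code from the paper or its author: it reconstructs the lateral-movement-then-exfiltration pattern described above from constructed NetFlow-style records and constructed syslog logon lines. The internal address ranges, the admin-port list, the volume threshold and the syslog line format are all assumptions chosen for the example.

```python
"""Correlate NetFlow-style records with host logon events (constructed data)
to rebuild an attack path: pivot host -> lateral targets -> outbound transfer."""
import re
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan: these ranges are "internal", everything else external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Services commonly used for administration and therefore for lateral movement.
ADMIN_PORTS = {22, 445, 3389, 5985}
# Outbound volume per (internal host, external host) that warrants a closer look.
EXFIL_BYTES = 100 * 1024 * 1024


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds as exported by the flow collector
    src: str
    dst: str
    dport: int
    nbytes: int    # bytes sent from src to dst


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL_NETS)


def lateral_fanout(flows, min_targets=3, window=900):
    """Internal sources that reach >= min_targets distinct internal hosts on
    admin ports within `window` seconds. Returns {src: sorted target list}."""
    per_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src) and is_internal(f.dst) and f.dport in ADMIN_PORTS:
            per_src[f.src].append(f)
    hits = {}
    for src, fl in per_src.items():
        fl.sort(key=lambda f: f.ts)
        for i, first in enumerate(fl):
            targets = {f.dst for f in fl[i:] if f.ts - first.ts <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


def outbound_volume(flows, threshold=EXFIL_BYTES):
    """Sum bytes per (internal src, external dst) and keep pairs over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f.src) and not is_internal(f.dst):
            totals[(f.src, f.dst)] += f.nbytes
    return {pair: n for pair, n in totals.items() if n > threshold}


# Constructed syslog line format (an assumption, not a real daemon's output):
#   "<epoch> <hostname> <host_ip> auth: logon user=<user> from=<src_ip>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>\d+) (?P<hostname>\S+) (?P<host_ip>[\d.]+) auth: "
    r"logon user=(?P<user>\S+) from=(?P<src>[\d.]+)$"
)


def parse_logons(lines):
    """Parse logon lines into (ts, host_ip, user, src_ip); skip malformed lines."""
    out = []
    for line in lines:
        m = SYSLOG_RE.match(line.strip())
        if m:
            out.append((int(m["ts"]), m["host_ip"], m["user"], m["src"]))
    return out


def reconstruct(flows, syslog_lines):
    """Join flow fan-out, host logons and outbound transfers into one report."""
    fanout = lateral_fanout(flows)
    exfil = outbound_volume(flows)
    logons = parse_logons(syslog_lines)
    report = []
    for src, targets in fanout.items():
        # Host-side evidence that the network fan-out became real sessions.
        confirmed = [(host, user) for _, host, user, s in logons
                     if s == src and host in targets]
        # Large outbound transfers from the pivot or any host it reached.
        exfil_from = [(pair, n) for pair, n in exfil.items()
                      if pair[0] == src or pair[0] in targets]
        report.append({"pivot": src, "targets": targets,
                       "logons": confirmed, "exfil": exfil_from})
    return report


# Constructed sample data: one workstation pivots to three servers over SMB,
# then a file server pushes ~120 MiB to an external address.
FLOWS = [
    Flow(900, "10.1.1.7", "10.1.1.20", 445, 2_000),          # single admin session
    Flow(1000, "10.1.1.5", "10.1.1.20", 445, 4_000),
    Flow(1100, "10.1.1.5", "10.1.1.21", 445, 3_500),
    Flow(1200, "10.1.1.5", "10.1.1.22", 445, 3_900),
    Flow(1500, "10.1.1.20", "203.0.113.9", 443, 120 * 1024 * 1024),
    Flow(1510, "10.1.1.7", "203.0.113.50", 443, 12_000),     # ordinary browsing
]
SYSLOG = [
    "1002 fs01 10.1.1.20 auth: logon user=svc_backup from=10.1.1.5",
    "1102 fs02 10.1.1.21 auth: logon user=svc_backup from=10.1.1.5",
    "1400 ws07 10.1.1.7 auth: logon user=alice from=10.1.1.7",
    "this line is deliberately malformed and must be skipped",
]

if __name__ == "__main__":
    for entry in reconstruct(FLOWS, SYSLOG):
        print(entry)
```

The three detectors are deliberately independent so each can be fed from a different sensor (flow collector, host syslog), which is the multi-system perspective the paragraph describes; the join in `reconstruct` is where the enterprise-wide view emerges.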
