Organizational Unit:
School of Computer Science


Publication Search Results

Web-Based Forensics & Attack Investigations
(Georgia Institute of Technology, 2023-07-10) Allen, Joe
When a data breach occurs, forensic investigators work to reconstruct the adversary's activity within the enterprise network: what damage the attack caused, which sensitive resources the adversary accessed, and what defenses would prevent a recurrence. This examination typically hinges on the organization's audit logs, which provide visibility into each stage of the cyber kill chain. To support it, researchers have built auditing systems that record complete system-level data provenance. These systems suffer from a semantic gap, however: because they record provenance at the operating-system level, they cannot attribute activity to the pages, scripts and frames inside the browser that caused it, and so offer limited visibility into web-based attacks. This is a serious limitation given how often such attacks, particularly by nation-state adversaries, serve as the initial point of entry into enterprise networks.

To address this limitation, this thesis presents a framework for postmortem forensic analysis of web-based attacks, both static and dynamic. A web-based auditor passively collects audit logs from users' browsing sessions across the enterprise and stores them on a logging server for later analysis; when a breach occurs, these logs help determine the root cause and the consequences of the attack. For static analysis, the logs are transformed into a causality graph over which causality analysis is performed. To demonstrate this, we propose Mnemosyne, a system that uses the audit logs to reconstruct, investigate, and assess the impact of watering hole attacks. For dynamic analysis, the framework produces replayable causality logs, so that auditors can identify suspicious events and replay the attack site. To achieve this, we developed WebRR, a novel OS- and device-independent record-and-replay forensic auditing system for Chromium-based web browsers, which lets an investigator analyze the attack dynamically by replaying the recorded events postmortem.
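As an added illustration (not code from the thesis, Mnemosyne, or WebRR), the following Python sketch shows the kind of causality analysis the abstract describes for the static case: browser audit events linked by a parent pointer are turned into a causality graph, a backward trace from a suspicious event (a download) recovers the chain back to the site the user actually visited, and a forward trace from a compromised host assesses which sessions it reached. The event schema (id, session, type, url, parent), the sample log, and the hostnames are all constructed for this example; the only deliberate edge case is an event whose parent was never logged, which is reported as an incomplete chain rather than silently treated as a root.

```python
"""Causality analysis over constructed browser audit logs.

Added illustration of backward/forward causality analysis over web audit
logs; not the thesis's own code.  The JSON-lines event schema used here
(id, session, type, url, parent) is hypothetical.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log.  Session u1 visits a news site whose third-party ad
# script injects an iframe that serves an exploit kit and a drive-by download;
# session u2 is unrelated; session u3 has an event whose parent (99) was never
# logged.  'parent' is the id of the event that directly caused this one, and
# null marks user-initiated activity.
SAMPLE_LOG = """\
{"id": 1, "session": "u1", "type": "navigate", "url": "https://news.example/", "parent": null}
{"id": 2, "session": "u1", "type": "script",   "url": "https://cdn-ads.example/ad.js", "parent": 1}
{"id": 3, "session": "u1", "type": "iframe",   "url": "https://exploit.example/landing", "parent": 2}
{"id": 4, "session": "u1", "type": "script",   "url": "https://exploit.example/ek.js", "parent": 3}
{"id": 5, "session": "u1", "type": "download", "url": "https://exploit.example/payload.exe", "parent": 4}
{"id": 6, "session": "u2", "type": "navigate", "url": "https://mail.example/", "parent": null}
{"id": 7, "session": "u2", "type": "script",   "url": "https://mail.example/app.js", "parent": 6}
{"id": 8, "session": "u3", "type": "script",   "url": "https://exploit.example/ek.js", "parent": 99}
"""


def parse_log(text):
    """Parse JSON-lines audit events into a dict keyed by event id."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            events[ev["id"]] = ev
    return events


def build_children(events):
    """Forward edges of the causality graph: parent id -> [child ids]."""
    children = defaultdict(list)
    for ev in events.values():
        if ev["parent"] is not None:
            children[ev["parent"]].append(ev["id"])
    return children


def backward_trace(events, event_id):
    """Walk parent links from a suspicious event back to its root cause.

    Returns (chain, complete).  chain lists the events from root to the given
    event; complete is False when a parent id is missing from the log (or the
    log is malformed and loops), so the investigator sees the gap explicitly.
    """
    chain, seen, cur = [], set(), event_id
    while cur is not None:
        if cur not in events or cur in seen:
            return list(reversed(chain)), False
        seen.add(cur)
        chain.append(events[cur])
        cur = events[cur]["parent"]
    return list(reversed(chain)), True


def root_cause_url(events, event_id):
    """URL of the user-initiated event at the head of a complete chain, else None."""
    chain, complete = backward_trace(events, event_id)
    return chain[0]["url"] if complete else None


def forward_impact(events, children, host):
    """Ids of every event transitively caused by a resource served from `host`,
    e.g. to measure how far a compromised watering-hole site reached."""
    stack = [i for i, ev in events.items() if urlsplit(ev["url"]).hostname == host]
    reached = set()
    while stack:
        i = stack.pop()
        if i not in reached:
            reached.add(i)
            stack.extend(children.get(i, []))
    return reached


def affected_sessions(events, children, host):
    """Sorted list of sessions that touched anything caused by `host`."""
    return sorted({events[i]["session"] for i in forward_impact(events, children, host)})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    ch = build_children(evs)
    chain, complete = backward_trace(evs, 5)
    print(" -> ".join(f'{e["type"]}:{e["url"]}' for e in chain),
          "(complete)" if complete else "(gap in log)")
    print("root cause of download:", root_cause_url(evs, 5))
    print("sessions reached by exploit.example:",
          affected_sessions(evs, ch, "exploit.example"))
```

The backward trace answers the investigator's first question (which legitimate site the user visited that led to the payload); the forward trace from the malicious host answers the second (which other sessions in the enterprise were exposed, including one whose chain cannot be fully reconstructed).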