Managing Information Security
Chapter 11. Network Forensics
Description:... Today’s cyber criminal investigator faces a formidable challenge: tracing network-based cyber criminals. The possibility of becoming a victim of cyber crime is the number-one fear of billions of people. This concern is well founded. The findings in the annual CSI/FBI Computer Crime and Security Surveys confirm that cyber crime is real and continues to be a significant threat. Traceback and attribution are performed during or after cyber violations and attacks, to identify where an attack originated, how it propagated, and what computer(s) and person(s) are responsible and should be held accountable. The goal of network forensics capabilities is to determine the path from a victimized network or system through any intermediate systems and communication pathways, back to the point of attack origination or the person who is accountable. In some cases, the computers launching an attack may themselves be compromised hosts or be controlled remotely. Attribution is the process of determining the identity of the source of a cyber attack. Types of attribution can include both digital identity (computer, user account, IP address, or enabling software) and physical identity (the actual person using the computer from which an attack originated). Cyber crime has become a painful side effect of the innovations of computer and Internet technologies. With the growth of the Internet, cyber attacks and crimes are happening every day and everywhere. It is very important to build the capability to trace and attribute attacks to the real cyber criminals and terrorists, especially in this large-scale human-built networked environment. In this chapter, we discuss the current network forensic techniques in cyber attack traceback. We focus on the current schemes in IP spoofing traceback and stepping-stone attack attribution. Furthermore, we introduce the traceback issues in Voice over IP, Botmaster, and online fraudsters.
Show description