Efficient Reactive Forensic Investigation Model for Large APT Computer Network Events

Abstract

Forensic investigation is an evidential process that occurs after a computer network security event to ascertain causes, vulnerabilities, and remediation actions. The security problem is establishing evidential providence when Advanced persistent threats (APT) are deceptive, learn new behaviors, and erase evidence of activity. Proactive defense mechanisms such as honey pots, fake files and so on filter many APT attacks but network security also relies on reactive forensic investigation after security events to learn tactics and to harden the system. Root cause analysis of APT activity is frustrated by gaps in the data, similarity of normal and malicious network processes, confusion with other network attacks, and the evasive behavior of an APT. In this research the problem of APT evidential providence in reactive APT investigation is addressed by innovating an APT network forensic investigation model (APT-FIM) solution to differentiate reactive APT evidence from other evidence in a computer network investigation. The APT-FIM is structured from the APT definition using Object Oriented (OO) methods and designed for practical use by a security practitioner on secondary data sources. The contribution of the research is to formulate efficient methods and effective big data guidance for reactive APT investigation. Two use cases are used to assess the model and to identify missing requirements. A practitioner flow chart for use results.