PhD Proposal by Joe Allen


Event Details
  • Date/Time:
    • Tuesday December 13, 2022
      1:00 am - 2:30 am
  • Location: Zoom
  • URL: Zoom
  • Fee(s):
    N/A
Summaries

Summary Sentence: Forensics & Auditing for Web-Based Attacks in the Modern Web

Title: Forensics & Auditing for Web-Based Attacks in the Modern Web

Date: Tuesday, December 13, 2022

Time: 1:00 PM -- 2:30 PM EST

Location (remote): Click to join Zoom

Committee:

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology

Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Paul Pearce (School of Cybersecurity and Privacy, Georgia Institute of Technology)

Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)

Abstract:

With the recent rise in enterprise data breaches, it is important that a forensic investigation is carried out to fully understand how an adversary achieved each stage of the cyber-kill chain. In order to improve the quality and efficiency of the forensic analysis, researchers have developed state-of-the-art auditing systems that capture and log whole-system data provenance. These systems typically rely on passively capturing causal relationships between system-level objects (e.g., processes, sockets, and files). Next, when an investigation needs to occur, these causal relationships are used to unravel exactly how an adversary breached a network and what resources they accessed. Unfortunately, a major limitation of all system-level data provenance auditing systems is that they provide extremely limited visibility into web-based attacks. The issue is that a semantic gap exists between system-level abstractions (e.g., processes, sockets, files) and the necessary semantics required to investigate web-based attacks (e.g., HTML & JavaScript semantics). This limited visibility into web-based attacks has recently become increasingly concerning because web-based attacks are commonly employed by nation-state adversaries to penetrate and achieve the initial compromise of an enterprise network.

To address this issue, this thesis proposes “browser-based” auditing that reimagines the provenance graph in terms of web-based semantics (e.g., DOM elements, HTTP requests, and JavaScript execution). First, we propose Mnemosyne, a postmortem forensic analysis engine that relies on browser-based attack provenance to accurately reconstruct, investigate, and assess the ramifications of watering hole attacks (one of the main methods used by adversaries to breach an enterprise network).

Next, we present WebRR, which is an OS- and device-independent web-based auditing framework that allows enterprise organizations to reconstruct web-based attacks using record and replay. While there is a storied history of developing record and replay systems, the majority of prior work is largely focused on developing systems to improve the debugging and testing experience. In contrast, WebRR is an always-on, portable, tamper-proof, and deterministic record and replay system that allows a forensic investigator to replay attacks in a post-mortem fashion.

Additional Information

In Campus Calendar
No
Groups

Graduate Studies

Invited Audience
Faculty/Staff, Public, Undergraduate students
Categories
Other/Miscellaneous
Keywords
Phd proposal
Status
  • Created By: Tatianna Richardson
  • Workflow Status: Review
  • Created On: Dec 5, 2022 - 9:33am
  • Last Updated: Dec 5, 2022 - 9:33am