Title: Forensics & Auditing for Web-Based Attacks
Date: May 17, 2023

Time: 3:00 PM - 5:00 PM

Location (virtual): https://gatech.zoom.us/j/94134931264

Join our Cloud HD Video Meeting

Zoom is the leader in modern enterprise video communications, with an easy, reliable cloud platform for video and audio conferencing, chat, and webinars across mobile, desktop, and room systems. Zoom Rooms is the original software-based conference room solution used around the world in board, conference, huddle, and training rooms, as well as executive offices and classrooms. Founded in 2011, Zoom helps businesses and organizations bring their teams together in a frictionless environment to get more done. Zoom is a publicly traded company headquartered in San Jose, CA.

gatech.zoom.us

Joey Allen

Ph.D. Candidate in Computer Science
School of Cybersecurity and Privacy
Georgia Institute of Technology

Committee:
 

Dr. Wenke Lee (advisor), School of Cybersecurity and Privacy, Georgia Institute of Technology
 

Dr. Brendan Saltaformaggio (School of Cybersecurity and Privacy, Georgia Institute of Technology)
 

Dr. Paul Pearce (School of Cybersecurity and Privacy, Georgia Institute of Technology)
 

Dr. Alessandro Orso (School of Computer Science, Georgia Institute of Technology)
 

Abstract:

With the recent rise in enterprise data breaches, it is important that a forensic investigation is carried out to fully understand how an adversary achieved each stage of the cyber-kill chain. In order to improve the quality and efficiency of the forensic analysis, researchers have developed state-of-the-art auditing systems that capture and log whole-system data provenance. These systems typically rely on passively capturing causal relationships between system-level objects (e.g., processes, sockets, and files). Next, when an investigation needs to occur, these causal relationships are used to unravel exactly how an adversary breached a network and what resources they accessed. Unfortunately, a major limitation of all system-level data provenance auditing systems, is that they provide extremely limited visibility into web-based attacks. The issue is that a semantic-gap exists between system-level abstractions (e.g., processes, sockets, files) and the necessary semantics required to investigate web-based attacks (e.g., HTML & javaScript semantics). This limited visibility into web-based attacks has recently become increasingly concerning because web-based attacks are commonly employed by nation-state adversaries to penetrate and achieve the initial compromise of an enterprise network.

To address this issue, this thesis proposes “browser-based” auditing that reimagines the provenance graph in terms of web-based semantics (e.g. DOM elements, HTTP requests, and javaScript execution). First, we propose Mnemosyne, a postmortem forensic analysis engine that relies on browser-based attack provenance to accurately reconstruct, investigate, and assess the ramifications of watering hole attacks (one of the main methods used by adversaries to breach an enterprise network). 

Next, we present WebRR, which is an OS- and device- independent web-based auditing framework that allows enterprise organizations to reconstruct web-based attacks using record and replay. While there is a storied history of developing record and replay systems, the majority of prior work is largely focused on developing systems to improve the debugging and testing experience. In contrast, WebRR is an always-on, portable, tamper proof, and deterministic record and replay system that allows a forensic investigator to replay attacks in a post-mortem fashion.