
Toward a Safer and More Secure Cyberspace (2007)

Chapter: 7 Category 4 - Deterring Would-Be Attackers and Penalizing Attackers

Suggested Citation:"7 Category 4 - Deterring Would-Be Attackers and Penalizing Attackers." National Research Council and National Academy of Engineering. 2007. Toward a Safer and More Secure Cyberspace. Washington, DC: The National Academies Press. doi: 10.17226/11925.

7
Category 4—Deterring Would-Be Attackers and Penalizing Attackers

The goal of requirements in Category 4 (Deterring would-be attackers and penalizing attackers) is to deter would-be attackers from taking actions that could result in the compromise of a system or network, and to penalize attackers who do take such actions. This broad category in the committee’s illustrative research agenda includes legal and policy measures that could be taken to penalize or impose consequences on cyberattackers, together with the technologies that support such measures. In principle, this category could also include technical measures to retaliate against a cyberattacker.

The rationale for this category is that in the absence of legal, technical, economic, or other punitive measures against attackers, would-be attackers have few incentives to refrain from launching attacks. (The same rationale applies, of course, in the physical world, where would-be criminals are deterred from criminal activity by the threat of punishment and consequence.) In a penalty-free world, an attacker pays no penalty for failed attacks and can therefore continue attacking until he or she succeeds or quits.

Research in this category thus serves two important but complementary goals. First, such research seeks to develop more effective methods for imposing some kind of penalty on attackers, whether or not they have been successful in their attacks. Second, the availability of such methods increases the likelihood that an attacker will in fact suffer a penalty for hostile actions, and thus the availability of these methods presumably decreases the likelihood that a would-be attacker will initiate such actions. With fewer attackers, the cybersecurity task becomes easier to undertake.

A key characteristic of deterrence is that penalties can be directed at the proper party. Category 2 (Enabling accountability) research supports this goal by focusing on ways to ensure that actions in cyberspace can be associated with specific actors, but that research does not presume that actors will seek to conceal their actions. Malefactors in cyberspace will usually seek to do so, and thus investigators and other interested parties will need forensic tools that allow them to re-establish any deliberately broken bindings between actions and identity.

The following discussion presents illustrative topics within this category.

7.1 LEGAL ISSUES RELATED TO CYBERSECURITY

As noted above, cybersecurity is not just a technical domain. In cybersecurity, as in other areas of life in which security concerns arise, it is not unreasonable to conclude that the tools available to promote and enhance cybersecurity should include a legal dimension. For example, consider the notion of recourse for victims of cybercrime. In most areas other than those involving cyberspace, individuals who are victims of criminal activity can appeal to law enforcement and the courts to punish the perpetrators. But a victim of cybercrime—whether a private citizen, a business, or an organization—often or even usually has little practical recourse.

In principle, of course, cyberattackers can be held accountable for actions that cause harm in cyberspace through criminal or civil penalties. Such action requires a good characterization of what constitutes behavior that warrants criminal penalties, as well as the ability to identify the party responsible (see Section 5.1) and a legal framework that enables prosecutions to take place across all of the political boundaries that may have been crossed in the course of the punishable misbehavior. Many cybercrime perpetrators are outside of U.S. jurisdiction, and the applicable laws may not criminalize the particulars of the crime perpetrated. Even if they do, logistical difficulties in identifying the perpetrator across national boundaries may render him or her practically immune to prosecutions.

Harmonization of national laws (as provided for in the 2001 Council of Europe Convention on Cybercrime) is a good first step toward ensuring the availability of recourse, but there remains substantial legal and policy research to further the cause of harmonization more broadly and to reduce the logistical difficulties entailed in tracking, identifying, and prosecuting cybercriminals across national boundaries. Considerable efforts are underway today at the regional intergovernmental and international governmental level, as discussed in “The International Landscape of Cyber Security.”1

A second example involves relationships between law enforcement and technology/service vendors. Internet service providers (ISPs) are used by cybercriminals as conduits of their crimes (and sometimes ISPs are willing accomplices). However, law enforcement authorities often have little leverage to persuade or compel ISPs to cut off access to suspicious users or to supply provenance or to trace data for forensics examination. From a law enforcement perspective, data-retention practices for most ISPs are inadequate to support investigative needs. However, providing additional authorities to law enforcement to compel various kinds of cooperation from ISPs (e.g., to enforce longer data-retention periods) has implications for civil liberties and is thus controversial. Legal, policy, and technical research is needed to find ways to protect due process and civil liberties without placing undue barriers in the way of legitimate law enforcement activities.

7.2 HONEYPOTS

The term honeypot in computer security jargon refers to a machine, a virtual machine, or other network resource that is intended to act as a decoy or diversion for would-be attackers. A honeynet refers to a collection of honeypots on a network. Honeypots or honeynets intentionally contain no real or valuable data (and hence receive no legitimate traffic) and are kept separate from an organization’s production systems. Indeed, in most cases, systems administrators want attackers to succeed in compromising or breaching the security of honeypots to a certain extent so that they can log all the activity and learn from the techniques and methods used by the attacker. This process allows administrators to be better prepared for attacks on their real production systems. Honeypots are very useful for gathering information about new types of attacks, new techniques, and information on how things like worms or malicious code propagate through systems, and they are used as much by security researchers as by network security administrators.

Honeypots are usually of two main types: (1) a more basic, “low-interaction” implementation that emulates or gives the appearance of a real system or real machines in place; or (2) a more complex, “high-interaction” system containing real tools and applications designed to gather as much information about attacker activity as possible.2 Honeypots of the first type can be quite simple to install and manage, although the information they provide on attackers may be limited, and the nature of the honeypot itself may be more susceptible to discovery by a skilled attacker. Honeypots of the second type are considerably more complicated, requiring much more skill to set up and manage, although the richness of information that they are capable of gleaning about attackers and techniques also increases, while the true nature of these honeypots may also be more difficult for attackers to discover.

1

Delphine Nain, Neal Donaghy, and Seymour Goodman, “The International Landscape of Cyber Security,” Chapter 9 in Detmar W. Straub, Seymour Goodman, and Richard Baskerville (eds.), Information Security: Policies, Processes, and Practices, M.E. Sharpe, New York, forthcoming 2008.

There are also other, more focused types of honeypots. For example, spam honeypots—basically, vulnerable mail servers set up to attract the notice of those sending out illegitimate e-mail—have been quite useful in helping administrators generate spam “blacklists” for their own real mail servers. Wireless honeypots have also proven useful in detecting and learning from how attackers exploit wireless resources.

Another useful tool along these lines is the honeytoken. A honeytoken, like a honeypot, has no legitimate purpose other than to uncover illegitimate activity, so any use or access of a honeytoken can be considered suspicious. For example, consider the following scenario:

A bogus medical record called “John F. Kennedy” is created and loaded into the database. This medical record has no true value because there is no real patient with that name. Instead, the record is a honeytoken…. If any employee is looking for interesting patient data, this record will definitely stand out. If the employee attempts to access this record, you most likely have an employee violating patient privacy [policies].3
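The scenario above turns on one property: a honeytoken has no legitimate use, so any access to it is a signal by definition. The following script, added here as an illustration and not taken from the report or from Spitzner’s article, plants two bogus record IDs in a registry and scans a constructed application access log for any read, export, or other action against them. The log format, the record IDs, the user names, and the sample log lines are all assumptions made for this example.

```python
"""Honeytoken access detector (added example; not from the NRC report)."""
import re
from dataclasses import dataclass

# Constructed log format for this example (not the report's):
#   <ISO timestamp> user=<name> action=<verb> record=<id>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) record=(?P<record>\S+)$"
)

# Constructed honeytoken registry. The IDs exist only as bait: no workflow,
# report, or batch job should ever touch them, so every hit is worth a look.
HONEYTOKENS = {
    "MRN-000000042": "bogus patient record 'John F. Kennedy'",
    "MRN-000000099": "bogus patient record 'Jane Q. Decoy'",
}


@dataclass(frozen=True)
class Alert:
    ts: str
    user: str
    action: str
    record: str
    note: str


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines, honeytokens=HONEYTOKENS):
    """Return (alerts, malformed_count).

    Every access to a honeytoken record becomes an Alert regardless of the
    action verb: a read, an export, and an attempted delete are all
    suspicious because the record has no legitimate use. Unparseable lines
    are counted so the analyst knows the scan's coverage was incomplete.
    """
    alerts, malformed = [], 0
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            malformed += 1
            continue
        rec = fields["record"]
        if rec in honeytokens:
            alerts.append(Alert(fields["ts"], fields["user"], fields["action"],
                                rec, honeytokens[rec]))
    return alerts, malformed


def users_to_review(alerts):
    """Distinct users who touched any honeytoken, in first-seen order."""
    seen = []
    for a in alerts:
        if a.user not in seen:
            seen.append(a.user)
    return seen


# Constructed sample log: one ordinary day plus two users touching bait.
SAMPLE_LOG = [
    "2007-03-01T09:02:11Z user=alice action=read record=MRN-000017331",
    "2007-03-01T09:05:47Z user=alice action=update record=MRN-000017331",
    "2007-03-01T11:40:03Z user=bob action=read record=MRN-000000042",
    "2007-03-01T11:40:09Z user=bob action=export record=MRN-000000042",
    "garbage line that the parser cannot read",
    "2007-03-01T14:12:55Z user=carol action=read record=MRN-000020118",
    "2007-03-01T16:58:30Z user=dave action=read record=MRN-000000099",
]

if __name__ == "__main__":
    found, bad = scan(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a.ts} {a.user} {a.action} {a.record} ({a.note})")
    print(f"{len(found)} alert(s), {bad} unparseable line(s); review: {users_to_review(found)}")
```

The design point is that the detector needs no allow-list: the only way to keep false positives at zero is to keep the honeytoken out of every legitimate path (search indexes, full-table exports, test fixtures), which is an operational discipline rather than a filtering rule in the scanner.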

In any case, just as systems administrators and researchers learn about attackers from honeypots, attackers themselves can learn how to detect honeypots and honeynets as well, thereby avoiding them and maintaining some secrecy regarding the techniques they use. Indeed, one recent paper on the subject likens the relationship between attackers and honeypot administrators to a continual arms race.4 As one can imagine, as soon as an attacker determines that he or she is actually working with a honeypot, useful interactions are likely to cease. However, even then, researchers and administrators can learn things about how the attacker discovered the nature of the honeypot and how the attacker might try to hide his or her tracks (e.g., altering log files, attempting to damage or crash the honeypot, and so on).

2

For additional information on the variety of honeypots in use today and related issues, see the Honeynet Project’s home page at http://www.honeynet.org/.

3

Lance Spitzner, “Honeytokens: The Other Honeypot,” SecurityFocus, July 7, 2003; available at http://www.securityfocus.com/infocus/1713.

4

Thorsten Holz and Frederic Raynal, “Detecting Honeypots and Other Suspicious Environments,” Proceedings of the 2005 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, N.Y., June 15-17, 2005.

One significant open question with honeypots and honeynets (indeed, this is a broader question within cybersecurity itself) is whether or not one should use honeypot-type resources to strike back at or otherwise affect the resources of an attacker.5 (This point is discussed further in Section 9.4, Cyber-Retaliation.) In many cases, administrators could use information learned through an attacker’s interaction with a honeypot to lessen the danger that the attacker poses to real systems or other machines in the future (e.g., either by “hacking back” at the attacker or even removing or crippling zombie software from the attacking machine).

Another question for some in the computing community involves the ethics of deploying and using honeypots—some consider it a form of entrapment (although U.S. law would seem to argue otherwise).6

7.3 FORENSICS

Cyberforensics involves the science and technology of acquiring, preserving, retrieving, and presenting data that have been processed electronically or have been stored in electronic form.7 Forensic identification is a necessary (though not sufficient) condition for the prosecution of, or retaliation against, parties that take harmful actions. (An essential complement to forensic identification is the existence of a legal framework that allows actions to be taken against cyberattackers; both are foundational elements in a strategy of deterrence that complements defense in supporting cybersecurity.)

Forensics is necessary because, among other things, attackers often seek to cover their tracks. For example, mechanisms for providing provenance (see Chapter 5, “Category 2—Enabling Accountability”) are unlikely to work perfectly, suggesting that after-the-fact identification of a perpetrator may be necessary (and may in fact be a somewhat easier task than undertaking real-time identification).

5

For more perspective on passive versus active defense, see National Research Council, Realizing the Potential of C4I: Fundamental Challenges, National Academy Press, Washington, D.C., 1999, p. 143; available at http://newton.nap.edu/html/C4I/.

6

See Michelle Delio, “Honeypots: Bait for the Cracker,” Wired News, March 7, 2001; available at http://www.wired.com/news/culture/0,1284,42233,00.html.

7

Michael G. Noblett, Mark M. Pollitt, and Lawrence A. Presley, “Recovering and Examining Computer Forensic Evidence,” Forensic Science Communications, October 2000, Vol. 2, No. 4; available at http://www.fbi.gov/hq/lab/fsc/backissu/oct2000/computer.htm.


Much of the cyberforensics field has developed largely in response to a demand for service from the law enforcement community to help it deal with the reality that criminals are making more effective and more extensive use of information technology just like the rest of society. Indeed, greater societal use of information technology has expanded the scope of possible opportunities for criminals.

In 1984, the Federal Bureau of Investigation established its Computer Analysis and Response Team to address the needs of investigators and prosecutors to examine computer evidence in a structured and programmatic manner. What was then called computer forensics has evolved to include any evidence in digital form (e.g., audio, video, and data) from digital sources (e.g., computers, faxes, cellular telephones, and so on).8 Digital forensics is now an integral part of legal investigations, with widespread recognition of its growing importance occurring during the 1990s.9

The support for forensic analysis provided by federal agencies such as the Department of Justice and the National Institute of Standards and Technology (NIST) is further recognition of its growing importance. For instance, NIST now maintains the National Software Reference Library, which consists of a collection of digital signatures of known, traceable software applications. By comparing any given file’s signature to this collection, investigators can determine if that file is already known—if so, it need not be collected as evidence.10 NIST’s Computer Forensics Tool Testing Program seeks to ensure that computer forensic tools produce consistent, accurate, and objective results.11
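The known-file filtering that the National Software Reference Library supports can be shown in a few dozen lines. The script below is an added example, not NIST’s code and not the NSRL’s actual data format: it builds a small reference set keyed by SHA-256 from constructed “known” file contents, hashes every file under a directory in chunks, and sets aside the files whose content matches, leaving only the unknown ones for the examiner. The choice of SHA-256, the file names and the file contents are assumptions made for the example.

```python
"""Known-file filtering by content hash (added example; not NIST/NSRL code)."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_known_set(known_contents):
    """Build the reference set from the bytes of files regarded as known."""
    return {hashlib.sha256(data).hexdigest() for data in known_contents}


def triage(root, known):
    """Walk `root` and split files into (known, unknown) lists of (path, digest).

    Matching is on content only: a known file that has been renamed still
    matches, and an unknown file that borrows a familiar name does not.
    """
    known_files, unknown_files = [], []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            bucket = known_files if digest in known else unknown_files
            bucket.append((path, digest))
    return known_files, unknown_files


# Constructed stand-ins for "known, traceable software" files.
KNOWN_CONTENTS = [
    b"MZ\x90\x00 constructed bytes of a well-known editor binary",
    b"constructed bytes of a vendor README shipped with that editor",
]


def demo():
    """Write constructed files into a throwaway directory and triage it.

    Returns the base names of the files an examiner would still need to
    look at, i.e. those whose content is not in the reference set.
    """
    known = build_known_set(KNOWN_CONTENTS)
    files = {
        "editor.exe": KNOWN_CONTENTS[0],        # known, original name
        "README.txt": KNOWN_CONTENTS[1],        # known
        "invoice.pdf": KNOWN_CONTENTS[0],       # known content under a new name
        "editor.exe.bak": b"constructed bytes nobody has catalogued",
        "notes.txt": b"constructed user-authored notes",
    }
    with tempfile.TemporaryDirectory(prefix="triage-") as root:
        sub = os.path.join(root, "sub")
        os.mkdir(sub)
        for name, data in files.items():
            target = sub if name == "notes.txt" else root
            with open(os.path.join(target, name), "wb") as f:
                f.write(data)
        _, unknown_files = triage(root, known)
        return sorted(os.path.basename(p) for p, _ in unknown_files)


if __name__ == "__main__":
    print("Files still needing review:", demo())
```

Two points the code makes that the paragraph does not: matching is by content, so the renamed copy of a known binary is filtered out while a file named like a known binary but with different bytes is kept; and the digest of each file is retained alongside its path, since the same digests are what an examiner records to show that the files reviewed are the files acquired.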

Cyberforensics research has moved beyond the initial focus on law enforcement and digital evidence for use in criminal prosecution to include military and business operations. For instance, business needs include forensics for purposes of the investigation of employee wrongdoing and the protection of intellectual property. Practitioners in these areas have different primary objectives (although they may share prosecution as a secondary objective), which affect their analysis and decision-making processes and also affect their perspectives about requirements for digital forensic research.12 Meeting statutory standards for evidence creates criteria different from those for producing results in the shortest possible time so that they can be acted on to maintain operations and availability of service, and to protect assets. Moreover, cyberforensics requirements will likely evolve over time, along with the increasingly pervasive use of IT.

8

Carrie Morgan Whitcomb, “An Historical Perspective of Digital Evidence: A Forensic Scientist’s View,” International Journal of Digital Evidence, Spring 2002, Vol. 1, No. 1.

9

George Mohay, “Technical Challenges and Directions for Digital Forensics,” Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), IEEE Computer Society, 2005.

10

A description of the National Software Reference Library is available at the program Web site: http://www.nsrl.nist.gov/.

11

See the Computer Forensics Tool Testing Program Web site for details: http://www.cftt.nist.gov.

One recent example of new forensic requirements is in corporate governance to meet regulatory requirements such as those imposed by the Sarbanes-Oxley Act of 2002.13 Another factor affecting research requirements is the temporal environment required for forensic analysis—whereas law enforcement’s primary focus is on after-the-fact forensics, military and business operations often need real-time or near-real-time forensics. Cyberforensics research must necessarily cover the broad scope of problems that arise from this wide range of requirements.

One working definition of digital forensic science, which reflects this broad scope, was offered by the 2001 Digital Forensic Research Workshop: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”14

Formalization of the field as the scientific discipline of digital forensic science is still in the early stages, with one of the first formal research papers in the field appearing in 1992.15 A recent needs analysis survey that focused on law enforcement requirements notes that the national and international judiciary has begun to question the scientific validity of the ad hoc procedures and methodologies applied to digital forensics and is increasingly demanding proof of theoretical foundation and scientific rigor.16 This foundation is required in order to mandate and interpret the standards applied to digital evidence and to establish the qualifications of digital forensics professionals through a certification process.17 Military and business forensics needs range across a broad spectrum, from traffic analysis tools and instrumentation of embedded systems to handling massive data volume and network monitoring, and they require a similar foundation to deal with increasing complexity and broader application.18

12

Gary Palmer (ed.), “A Road Map for Digital Forensic Research: Report from the First Digital Forensic Research Workshop (DFRWS),” DTR-T001-01 Final, November 6, 2001, p. 3. Table 1, Suitability Guidelines for Digital Forensic Research, captures differences in these areas.

13

George Mohay, “Technical Challenges and Directions for Digital Forensics,” Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), IEEE Computer Society, 2005.

14

Gary Palmer (ed.), “A Road Map for Digital Forensic Research: Report from the First Digital Forensic Research Workshop (DFRWS),” DTR-T001-01 Final, November 6, 2001, p. 16.

15

Eugene H. Spafford and Stephen A. Weeber, “Software Forensics: Can We Track Code to its Authors?,” 15th National Computer Security Conference, pp. 641-650, October 1992. A more recent paper that outlines some of the scientific issues in the field is Eugene H. Spafford, “Some Challenges in Digital Forensics,” in Research Advances in Digital Forensics—II, M. Olivier and S. Shenoi (eds.), Springer, 2006.

The embedding of computational resources in other devices, for instance, seems likely to increase the complexity of digital forensics and the extent of its usefulness. Two examples are the recovering and reconstructing of detail from Global Positioning System units built into cars to determine recent movements of a suspect auto, and the recovery of phone books, notes, and call information from cellular telephones. Accordingly, a number of research areas within this expansive view of digital forensics have been identified:19

  • Building a framework for digital forensic science. This research area includes three elements: definitional work to provide a lexicon with clear terminology, a useful process model for the digital investigation process, and the development of an understanding of the academic and vocational expertise necessary, followed by curriculum development. For example, several models have been developed with increasing levels of abstraction and generalization of the digital investigation process.20 Definitional work has progressed in the form of ontological models for defining layers of specialization across the areas employing forensic analysis, identifying the necessary elements of a certification process, and domain-specific educational requirements.21

16

Marcus K. Rogers and Kate Seigfried, “The Future of Computer Forensics: A Needs Analysis Survey,” Computers and Security, 23: 12-16, 2004.

17

Matthew Meyers and Marc Rogers, “Computer Forensics: The Need for Standardization and Certification,” International Journal of Digital Evidence, Vol. 3, No. 2, 2004.

18

George Mohay, “Technical Challenges and Directions for Digital Forensics,” Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), IEEE Computer Society, 2005.

19

Gary Palmer (ed.), “A Road Map for Digital Forensic Research: Report from the First Digital Forensic Research Workshop (DFRWS),” DTR-T001-01 Final, November 6, 2001, pp. 33-39. The categories and specific research areas noted are drawn from this paper.

20

Cf. Mark Reith, Clint Carr, and Gregg Gunsch, “An Examination of Digital Forensic Models,” International Journal of Digital Evidence, Vol. 1, No. 3, Fall 2002; Brian Carrier and Eugene H. Spafford, “Getting Physical with the Digital Investigation Process,” International Journal of Digital Evidence, Vol. 2, No. 2, 2003.

21

Cf. Ashley Brinson, Abigail Robinson, and Marcus Rogers, “A Cyber Forensics Ontology: Creating a New Approach to Studying Cyber Forensics,” Digital Investigation, 3S: 37-43, 2006.

  • Issues of integrity in digital evidence. This research would address the need to ensure the integrity of digital evidence, which is inherently fragile and almost always suspect. Several important legal issues arise when seeking to submit digital evidence, affecting whether and what is admissible in court.22 These include establishing the authenticity, lack of tampering in all of the systems through which the evidence has passed, reliability of computer-generated records (e.g., the possibility that the same digital signature could have resulted from different texts), and authorship. Legal distinctions also arise with differences between human-entered data and computer-generated data. Specific research areas include the development of antitampering methods, the creation of baseline standards of correctness in digital transform technology, and procedural standards for proper laboratory protocols. For example, several methods are in use today—checksum, one-way hash algorithms, and digital signatures—to help demonstrate that the integrity of evidence has been preserved.23 Each of these has advantages and drawbacks, ranging from the ease with which they can be applied and maintained to the level of confidence in them and what they prove (i.e., who, when, what). Some work has also been done to understand what requirements cyberforensic analysis tools must meet in order to establish and maintain evidentiary trust: usability by the human investigator (abstracting data to a level that can be analyzed), comprehensiveness (inculpatory and exculpatory evidence), accuracy, determinism, and verifiability.24

  • Detection and recovery of hidden data. This research area would focus on creating discovery mechanisms that detect and extract digital evidence in all its forms. Specific research areas include the categorization of places and mechanisms for hiding data, mechanisms for the detection of original material, and methods for extracting and recovering hidden data.25 This line of research would search for ways to identify the who, what, when, where, and how for digital evidence. Merely obtaining data poses a wide variety of technical challenges. For example, the diversity of devices on which potentially relevant information may be stored means that new protocols and tools must be developed for each device. Relevant information may be buried amidst large volumes of other irrelevant information and may be distributed across many different devices or locations. Information may not even be stored on persistent media (for example, it might be stored in dynamic random access memory [DRAM] and disappear when the system on which it is stored is powered down). The recovery of encrypted data has been a particular concern of both practitioners and researchers.26 In addition, systems can be designed to support forensic investigation and thereby increase the quantity and quality of forensic information available.27 Automating the collection process and performing targeted searches using techniques such as data mining could also improve the detection and recovery of useful data.28 These are aspects of what has been termed “forensic readiness,” the extent to which activities and data are recorded in a manner sufficient for forensic purposes.29 Another aspect of the detection and recovery of data addresses the science and technology of acquiring, preserving, retrieving, and presenting data that have been processed electronically or have been stored in electronic form but in a nonevidentiary context. Outside of this context, the evidentiary requirements of forensic investigation are relaxed. Thus, for example, statistical likelihood, indirect evidence, and hearsay fall within the scope of nonevidentiary forensics.

22

Orin S. Kerr, “Computer Records and the Federal Rules of Evidence,” United States USA Bulletin, Vol. 49, No. 2, U.S. Department of Justice, March 2001.

23

Chet Hosmer, “Proving the Integrity of Digital Evidence with Time,” International Journal of Digital Evidence, Vol. 1, No. 1, 2002.

24

Brian Carrier, “Defining Digital Forensic Examination and Analysis Tools Using Abstraction Layers,” International Journal of Digital Evidence, Vol. 1, No. 4, 2003.

25

One description of the challenges involved in this area can be found in Paul A. Henry, “Anti-Forensics,” April 2006; available at http://layerone.info/2006/presentations/Anti-Forensics-LayerOne-Paul_Henry.pdf.

  • Digital forensic science in networked environments (network forensics). This research area focuses on the need to expand digital forensics beyond its roots in computer forensics, which focused heavily on stand-alone, media-intensive sources. Specific research areas include understanding the similarities and relationships between computer and network forensics, methods for applying digital forensic analysis in real time, and the development of trusted collection processes and criteria for trusted agents outside of law enforcement (e.g., intelligence, network operators) to collect forensic evidence. For example, network geolocation technology would provide a means for determining the physical location of a logical network address. Tools for monitoring and mapping network traffic would allow real-time network management.30 Related is traffic analysis, which calls for understanding the source and nature of certain kinds of attack and requires techniques, equipment, and legal tools to characterize the huge traffic flows on public and private networks that accompany those kinds of attack. Extracting information about interconnections (e.g., traffic volume, communicating pairs, and network topology as functions of time) can help hunt down enemies and understand interrelationships. Finally, research is needed on the formalization of policies to support network forensics, including systematic application and data retention, logging of system and network information, attack response planning, and network forensic training.31

26

Eoghan Casey, “Practical Approaches to Recovering Encrypted Digital Evidence,” International Journal of Digital Evidence, Vol. 1, No. 3, 2002.

27

Florian Buchholz and Eugene Spafford, “On the Role of File System Metadata in Digital Forensics,” Digital Investigation, 1(4): 297-308, December 2004.

28

Brian D. Carrier and Eugene H. Spafford, “Automated Digital Evidence Target Definitions Using Outlier Analysis and Existing Evidence,” 2005 Digital Forensic Research Workshop (DFRWS), New Orleans, La., August 17-19, 2005.

29

George Mohay, “Technical Challenges and Directions for Digital Forensics,” Proceedings of the First International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE’05), IEEE Computer Society, 2005; Eugene H. Spafford, “Some Challenges in Digital Forensics,” in Research Advances in Digital Forensic—II, M. Olivier and S. Shenoi (eds.), Springer, 2006.
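The “integrity of digital evidence” item above lists checksums, one-way hash algorithms, and digital signatures as methods with different strengths and different things they prove. The following added example (it is not from the report or from any of the works it cites) makes that contrast concrete on a constructed evidence image: an additive checksum that a reordering of sectors leaves unchanged, a SHA-256 digest that any change alters but that anyone can recompute, and a keyed tag that only the holder of the custodian’s key can produce. HMAC stands in for a digital signature here because the Python standard library has no asymmetric signing; with a real signature the verifier would need only the public key. The image bytes, the key, and the record layout are assumptions for the example.

```python
"""Evidence integrity checks compared (added example; not from the NRC report)."""
import hashlib
import hmac

# Constructed evidence image: eight 16-byte "sectors" of distinct values.
# The tampered copy swaps the first two sectors, which leaves an additive
# checksum unchanged while altering the content.
EVIDENCE = b"".join(bytes([i]) * 16 for i in range(1, 9))
TAMPERED = EVIDENCE[16:32] + EVIDENCE[:16] + EVIDENCE[32:]

# Constructed custodian key. In practice it stays with the examiner and is
# never stored on the evidence media.
CUSTODY_KEY = b"constructed-custodian-key-for-this-example-only"


def additive_checksum(data):
    """Naive 32-bit byte-sum checksum: catches random corruption, not reordering."""
    return sum(data) & 0xFFFFFFFF


def sha256_hex(data):
    """One-way hash: any change to the bytes changes the digest ("what")."""
    return hashlib.sha256(data).hexdigest()


def custody_tag(data, key):
    """Keyed tag over the evidence: only the key holder can produce it ("who").
    Stand-in for a digital signature; see the lead-in."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def acquisition_record(data, key):
    """What the examiner enters in the chain-of-custody log at acquisition."""
    return {
        "size": len(data),
        "checksum": additive_checksum(data),
        "sha256": sha256_hex(data),
        "tag": custody_tag(data, key),
    }


def verify(data, key, record):
    """Return the names of the checks that fail; an empty list means intact."""
    failures = []
    if len(data) != record["size"]:
        failures.append("size")
    if additive_checksum(data) != record["checksum"]:
        failures.append("checksum")
    if sha256_hex(data) != record["sha256"]:
        failures.append("sha256")
    if not hmac.compare_digest(custody_tag(data, key), record["tag"]):
        failures.append("tag")
    return failures


def record_after_unkeyed_cover_up(record, altered_data):
    """Model the case the report's "who" question is about: someone alters the
    evidence and rewrites the unkeyed checksum and hash in the record to
    match, but has no custodian key and so cannot refresh the tag."""
    covered = dict(record)
    covered["checksum"] = additive_checksum(altered_data)
    covered["sha256"] = sha256_hex(altered_data)
    return covered


if __name__ == "__main__":
    rec = acquisition_record(EVIDENCE, CUSTODY_KEY)
    print("intact image:            ", verify(EVIDENCE, CUSTODY_KEY, rec))
    print("sectors swapped:         ", verify(TAMPERED, CUSTODY_KEY, rec))
    covered = record_after_unkeyed_cover_up(rec, TAMPERED)
    print("swapped, record rewritten:", verify(TAMPERED, CUSTODY_KEY, covered))
```

Read the three results together: the checksum passes on the swapped image, the hash catches the swap but is silently satisfied once the record is rewritten, and only the keyed tag survives both, because producing it requires something the person altering the evidence does not have. That is the “what they prove (who, when, what)” distinction the report draws; binding “when” would additionally require a trusted timestamp over the tag, which this example does not model.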
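The network forensics item above names the quantities traffic analysis extracts: traffic volume, communicating pairs, and network topology as functions of time. The following added example (not from the report, the NSA program it cites, or the Mukkamala and Sung paper) computes exactly those from a small set of constructed flow records, bucketing flows into fixed time windows, summing bytes per (source, destination) pair, building the per-window adjacency, and listing the pairs first seen in each window. The flow tuple layout, the addresses (192.0.2.9 is from a documentation range), and the 60-second window are assumptions for the example.

```python
"""Per-window traffic summaries for network forensics (added example)."""
from collections import defaultdict

# Constructed flow records: (start_seconds, src, dst, bytes).
FLOWS = [
    (0,   "10.0.0.5",  "10.0.0.10", 1200),
    (15,  "10.0.0.5",  "10.0.0.10", 800),
    (30,  "10.0.0.7",  "10.0.0.10", 500),
    (70,  "10.0.0.5",  "10.0.0.10", 2000),
    (95,  "10.0.0.10", "192.0.2.9", 50000),
    (130, "10.0.0.10", "192.0.2.9", 75000),
]


def bucket_of(ts, width):
    """Start of the fixed-width time window that contains `ts`."""
    return ts - (ts % width)


def pair_volumes(flows, width=60):
    """{window_start: {(src, dst): total_bytes}}: traffic volume per pair per window."""
    out = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, nbytes in flows:
        out[bucket_of(ts, width)][(src, dst)] += nbytes
    return {b: dict(pairs) for b, pairs in out.items()}


def topology_over_time(flows, width=60):
    """{window_start: {host: set(neighbours)}}: undirected adjacency per window."""
    out = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, _ in flows:
        b = bucket_of(ts, width)
        out[b][src].add(dst)
        out[b][dst].add(src)
    return {b: {h: set(n) for h, n in adj.items()} for b, adj in out.items()}


def new_pairs_per_window(flows, width=60):
    """Communicating pairs first observed in each window.

    A pair that has never been seen before, particularly one that crosses the
    network edge, is a natural starting point when reconstructing an incident.
    """
    windows = sorted({bucket_of(ts, width) for ts, *_ in flows})
    out = {b: set() for b in windows}
    seen = set()
    for ts, src, dst, _ in sorted(flows):
        pair = (src, dst)
        if pair not in seen:
            seen.add(pair)
            out[bucket_of(ts, width)].add(pair)
    return out


def top_talkers(flows, width=60, n=1):
    """Per window, the n (src, dst) pairs carrying the most bytes."""
    return {b: sorted(pairs.items(), key=lambda kv: -kv[1])[:n]
            for b, pairs in pair_volumes(flows, width).items()}


if __name__ == "__main__":
    for window, pairs in sorted(pair_volumes(FLOWS).items()):
        print(f"t={window:>4}s volumes: {pairs}")
    for window, pairs in sorted(new_pairs_per_window(FLOWS).items()):
        print(f"t={window:>4}s new pairs: {sorted(pairs)}")
    print("top talker per window:", top_talkers(FLOWS))
```

On the constructed data the summaries tell one story: two internal hosts talk to 10.0.0.10 in the first window, and in the second window 10.0.0.10 opens a never-before-seen connection to an external address that immediately dominates the byte counts. The same functions apply unchanged to real flow exports once a record is mapped to the (start, src, dst, bytes) tuple.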

While this and other research marks a clear beginning toward the goal of establishing a discipline of digital forensic science, further progress is possible in all of the areas. Much of the required research is technical in nature, and in many cases the techniques and problems are similar to other technical research areas (e.g., software debugging, data provenance, intrusion detection, and malware analysis), although such synergies remain largely unexplored. However, there are also legal, economic, and policy research issues. For instance, there are likely economic constraints owing to the lack of incentives for both technology vendors and users related to improving forensic readiness.32

The international aspects of digital forensic investigation in a world of global high-speed networks mean that there are some significant legal issues related to the quality, provenance, analysis, and maintenance of data in different legal jurisdictions that have yet to be fully understood and addressed.

30 See, for instance, “Network Geo-location Technology” and “ATM Mapping and Monitoring Tool” at the National Security Agency’s Domestic Technology Transfer Program Web site: http://www.nas.gov/techtrans/index.cfm.

31 Cf. Srinivas Mukkamala and Andrew H. Sung, “Identifying Significant Features for Network Forensic Analysis Using Artificial Intelligent Techniques,” International Journal of Digital Evidence, Vol. 1, No. 4, 2003; Alec Yasinsac and Yanet Manzano, “Policies to Enhance Computer and Network Forensics,” presentation at the Workshop on Information Assurance and Security, United States Military Academy, West Point, N.Y., June 2001.

32 Tyler Moore, “The Economics of Digital Forensics,” presented at the Fifth Annual Workshop on the Economics of Information Security, Cambridge, England, June 26-28, 2006.

One example of a significant policy issue is that of addressing the tension between forensics and privacy. Concerns about privacy have motivated the development of counter-forensic tools. Some initial work has been done to evaluate the effectiveness of existing commercial counter-forensic tools and the operational implications for digital forensic analysis.33 Yet, policy questions such as understanding and managing the boundary between the legitimate collection and use of digital forensic evidence and the illegitimate monitoring of behavior and activities have barely been asked, let alone answered. Indeed, the question of what is and is not legitimate has still to be answered.34

33 Matthew Geiger, “Evaluating Commercial Counter-Forensic Tools,” 2005 Digital Forensic Workshop, New Orleans, La., August 17-19, 2005.

34 Eugene H. Spafford, “Some Challenges in Digital Forensics,” Research Advances in Digital Forensics—II, M. Olivier and S. Shenoi (eds.), Springer, 2006.
