Establishing forensics capabilities in the presence of superuser insider threats

Journal: Digital Investigation

Abstract

Insider threats are making their way into the headlines of security articles and reports across the globe. It is common practice across organizations to designate employees as administrators with complete administrative or superuser capabilities over the IT infrastructure. In this paper, we argue that superusers with all the administrative and access control capabilities may escape the scrutiny of forensic investigation and may also become a major obstacle in the process of evidence collection. Through this work, we open a discussion on the forensic aspects of insider threats with a particular focus on superuser forensics. We identify the anti-forensic administrative privileges of superusers and discuss their forensic repercussions with the help of four generic insider threat cases. As our primary contribution, we identify and define four important requirements for a superuser-immune solution. These requirements include denying logical access to the potential forensic artifacts, timely synchronization and integrity of evidential artifacts, and ensuring the execution of legitimate code/services and notification capabilities. Based on the identified requirements, we propose a forensic-compliant mechanism, the "Log-of-logs server", to counter the inherent anti-forensic capabilities of the superuser. We show that the proposed framework effectively helps in establishing forensic capabilities over superusers. We also present a security analysis of our framework and discuss its forensic feasibility. (c) 2021 Elsevier Ltd. All rights reserved.
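The abstract names "timely synchronization and integrity of evidential artifacts" as one requirement a superuser-immune design must meet. The following added example (not the paper's Log-of-logs design, whose internals are not given on this page, and not code from the authors) illustrates the underlying idea in the simplest form: the monitored host keeps a hash-chained audit log, and after every append it ships only the chain head to a separate server outside the superuser's administrative scope, which authenticates what it stores with a key the host never holds. An investigator can then recompute the chain from the host's copy and compare it against the synced heads. The class and function names, the HMAC-over-heads scheme and the sample events are all constructed for this illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head before the first entry


def entry_hash(prev_hash, record):
    """Hash of one log entry, chained to its predecessor:
    SHA-256 over previous head || canonical JSON of the record."""
    payload = prev_hash.encode() + json.dumps(record, sort_keys=True).encode()
    return hashlib.sha256(payload).hexdigest()


def rebuild_chain(records):
    """Recompute every chain head from the records alone (host-stored hashes are not trusted)."""
    hashes, prev = [], GENESIS
    for rec in records:
        prev = entry_hash(prev, rec)
        hashes.append(prev)
    return hashes


class HostLog:
    """Audit log on the monitored host, where the superuser has full control of the filesystem."""

    def __init__(self):
        self.records = []
        self.head = GENESIS

    def append(self, record):
        self.head = entry_hash(self.head, record)
        self.records.append(record)
        return self.head  # the agent forwards this head immediately


class LogOfLogsServer:
    """Hypothetical server outside the superuser's scope. It stores only (seq, head) pairs,
    each tagged with an HMAC key that the monitored host never possesses."""

    def __init__(self, key):
        self._key = key
        self.heads = []  # list of (seq, head, tag)

    def _tag(self, seq, head):
        return hmac.new(self._key, f"{seq}:{head}".encode(), hashlib.sha256).hexdigest()

    def sync(self, seq, head):
        """Called right after each host append (the 'timely synchronization' requirement)."""
        self.heads.append((seq, head, self._tag(seq, head)))

    def verify(self, host_records):
        """Investigator-side check: does the host's copy still match what was synced?"""
        # 1. Server-side records must carry valid tags; a forged row without the key fails here.
        for seq, head, tag in self.heads:
            if not hmac.compare_digest(tag, self._tag(seq, head)):
                return False, f"server record {seq} has an invalid tag"
        # 2. Deleting or truncating entries on the host shows up as a count mismatch.
        recomputed = rebuild_chain(host_records)
        if len(recomputed) != len(self.heads):
            return False, f"host has {len(recomputed)} entries but {len(self.heads)} were synced"
        # 3. Editing any entry changes its head, even if the host chain was rebuilt to look consistent.
        for (seq, head, _), h in zip(self.heads, recomputed):
            if h != head:
                return False, f"entry {seq} differs from synced head"
        return True, "host log matches synced heads"


def run_scenarios():
    """Constructed sample events; returns the verifier's verdict for four tampering scenarios."""
    key = b"constructed-demo-key-held-only-by-the-log-of-logs-server"
    events = [  # constructed sample audit events
        {"seq": 0, "user": "root", "action": "login", "src": "10.0.0.5"},
        {"seq": 1, "user": "root", "action": "useradd", "target": "svc_backup"},
        {"seq": 2, "user": "root", "action": "chmod", "target": "/var/log/auth.log"},
    ]

    def fresh_pair():
        host, server = HostLog(), LogOfLogsServer(key)
        for ev in events:
            server.sync(ev["seq"], host.append(ev))
        return host, server

    results = {}
    host, server = fresh_pair()
    results["intact"] = server.verify(host.records)

    # Superuser rewrites entry 1 on the host; the chain is recomputed from content, so the host copy is self-consistent.
    host, server = fresh_pair()
    host.records[1] = {"seq": 1, "user": "root", "action": "login", "src": "10.0.0.5"}
    results["edited_and_rechained"] = server.verify(host.records)

    # Superuser deletes the last (incriminating) entry.
    host, server = fresh_pair()
    del host.records[2]
    results["truncated"] = server.verify(host.records)

    # Superuser reaches the server's storage as well, but lacks the MAC key.
    host, server = fresh_pair()
    seq, _, tag = server.heads[2]
    forged_head = rebuild_chain(events[:2] + [{"seq": 2, "user": "root", "action": "noop"}])[2]
    server.heads[2] = (seq, forged_head, tag)
    results["server_record_forged"] = server.verify(host.records)
    return results


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:24} {verdict}")
```

The point of the split is that the superuser's control of the host buys nothing: the host copy is treated as untrusted input and re-hashed, so only agreement with the independently held heads counts as integrity. The scheme detects tampering; it does not prevent it, and it still depends on the server being administered by someone other than the monitored superuser and on the sync happening before the artifact can be altered.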
