IT disaster recovery, cloud computing and information security news

New Refinable Attack Investigation (RAIN) systems enables rapid assessment of cyber attacks

Until now, assessing the extent and impact of network or computer system attacks has been largely a time-consuming manual process. A new software system being developed by cyber security researchers at the Georgia Institute of Technology will largely automate that process allowing investigators to quickly and accurately pinpoint how intruders entered the network, what data they took and which computer systems were compromised.

Known as Refinable Attack INvestigation (RAIN), the system will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. The system provides multiple levels of detail, facilitating automated searches through information at a high level to identify the specific events for which more detailed data is reproduced and analyzed.

"You can go back and find out what has gone wrong in your system, not just at the point where you realized that something is wrong, but far enough back to figure out how the attacker got into the system and what has been done," said Wenke Lee, co-director of Georgia Tech's Institute for Information Security & Privacy.

Existing forensic techniques can provide detailed information about the current status of computers and networks; from that information, investigators can then attempt to infer how attacks unfolded. Digital logs maintained by the systems provide some information about attacks, but because of concerns about data storage issues, usually don't record enough detail. Other programs provide snapshots in time, but those snapshots may miss important details of an attack.

The RAIN system continuously monitors a system and logs events that it recognizes as potentially interesting. That ability to selectively record information likely to be useful later allows a trade-off between realistic overhead - in terms of system performance and data storage - and useful levels of detail. The system "effectively prunes out unrelated processes and determines attack causality with negligible false positive rates," the researchers state.

In addition to its selectivity in recording events, RAIN creates a multi-level review capability that is coarse at first, then more detailed when specific events of interest are identified. Timing of the activities - the inputs, environment and resulting actions - are also synchronized to help investigators understand a complex sequence of activities.



Want news and features emailed to you?

Signup to our free newsletters and never miss a story.

   

A website you can trust

The entire Continuity Central website is scanned daily by Sucuri to ensure that no malware exists within the site. This means that you can browse with complete confidence.

Business continuity?

Business continuity can be defined as 'the processes, procedures, decisions and activities to ensure that an organization can continue to function through an operational interruption'. Read more about the basics of business continuity here.

Get the latest news and information sent to you by email

Continuity Central provides a number of free newsletters which are distributed by email. To subscribe click here.