The National Institute of Standards and Technology (NIST) recently issued its Interagency Report titled 'Forensics Web Services (FWS)'. It describes the idea of a Web service that would monitor the interactions between other Web services and later help third-party investigators in the event of a breach.
Anoop Singhal and his colleagues start by describing how application breaches are investigated today. In short, there is no reliable way of collecting evidence that would hold up in a court of law. Many applications do log various kinds of information, and those logs can help identify an intrusion or other problems, but each party controls its own logs, and "Web services, owned by organizations, have equal rights in the court of law when any dispute arises between parties." This is why Singhal and his co-authors propose an external, neutral service to record the transactions and support the investigation.
An important point about this proposal is that it applies to attacks committed through automated processes, typically spanning multiple layers of Web services and servers. It is not intended as a way to identify the human attacker, but as a means of identifying which company or application is responsible for letting the attack through.
The NIST report uses the example of a (fictitious) Cross-Site Scripting (XSS) attack that targets the users of a weather Web site. Users might blame the Web site for infecting them, but it would not necessarily be its fault. For instance, an attacker could compromise a meteorology Web service that feeds a larger weather Web service, which in turn feeds the Web portal where users got infected. In such a situation, the system proposed by NIST could analyse the Web transactions exchanged between the different services and determine where the malicious content actually entered the chain. Without it, the portal could claim the breach was the weather service's fault, when the underlying meteorology service was the one that introduced it.
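To make the chained-service scenario concrete, here is a small simulation added for this article; it is not code from the NIST report and does not reproduce the FWS design. It assumes three hypothetical services (portal, weather, meteorology) whose calls all pass through a neutral interceptor that appends each request/response pair to a hash-chained log, so that no single party can later alter or drop an entry unnoticed. The attribution rule is a simple one chosen here for illustration: the earliest logged hop whose response carries the payload while its request does not is where the injection began. The XSS payload, service names and city are all constructed.

```python
import hashlib
import json

# Constructed example: three chained services (portal -> weather ->
# meteorology) and a neutral, hash-chained log kept by a hypothetical
# forensic interceptor sitting between them. All names are illustrative.
XSS_PAYLOAD = "<script>alert(document.cookie)</script>"

FORENSIC_LOG = []  # one entry per inter-service call, in completion order
GENESIS = "0" * 64


def digest_of(fields):
    """Hash the canonical JSON form of a log entry (minus its own digest)."""
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def record(caller, callee, request, response):
    """Append a tamper-evident entry: each digest covers the previous one."""
    prev = FORENSIC_LOG[-1]["digest"] if FORENSIC_LOG else GENESIS
    entry = {"seq": len(FORENSIC_LOG), "caller": caller, "callee": callee,
             "request": request, "response": response, "prev": prev}
    entry["digest"] = digest_of(entry)
    FORENSIC_LOG.append(entry)


def invoke(caller, callee, request):
    """Route a call through the interceptor so it is logged as evidence."""
    response = SERVICES[callee](request)
    record(caller, callee, request, response)
    return response


# The three services. Only the meteorology feed is (by construction)
# compromised; the other two faithfully relay what they receive.
def meteorology(request):
    return {"forecast": "Sunny, 25 C " + XSS_PAYLOAD}


def weather(request):
    upstream = invoke("weather", "meteorology", request)
    return {"city": request["city"], "summary": upstream["forecast"]}


def portal(request):
    w = invoke("portal", "weather", request)
    return "<html><body>" + w["city"] + ": " + w["summary"] + "</body></html>"


SERVICES = {"meteorology": meteorology, "weather": weather, "portal": portal}


def contains(obj, needle):
    """Recursively search a JSON-like value for a substring."""
    if isinstance(obj, str):
        return needle in obj
    if isinstance(obj, dict):
        return any(contains(v, needle) for v in obj.values())
    if isinstance(obj, list):
        return any(contains(v, needle) for v in obj)
    return False


def attribute_origin(payload, log=None):
    """Return the callee of the earliest entry whose response carries the
    payload while its request does not, i.e. the hop that introduced it."""
    for entry in (FORENSIC_LOG if log is None else log):
        if contains(entry["response"], payload) and not contains(entry["request"], payload):
            return entry["callee"]
    return None


def verify_chain(log=None):
    """Recompute every digest and link; False if any entry was altered."""
    prev = GENESIS
    for entry in (FORENSIC_LOG if log is None else log):
        fields = {k: v for k, v in entry.items() if k != "digest"}
        if fields["prev"] != prev or digest_of(fields) != entry["digest"]:
            return False
        prev = entry["digest"]
    return True


def simulate(city="Gaithersburg"):
    """Run one end-user request through the chain and return the HTML."""
    FORENSIC_LOG.clear()
    return invoke("browser", "portal", {"city": city})


if __name__ == "__main__":
    html = simulate()
    print("portal served the script:", XSS_PAYLOAD in html)
    print("log chain intact:", verify_chain())
    print("origin of injection:", attribute_origin(XSS_PAYLOAD))
```

Run as-is, the portal is the service the user's browser blames, yet the log attributes the injection to the meteorology feed, and any later edit to an entry (say, the meteorology operator changing the callee field) breaks the hash chain. A real deployment would also need signed, timestamped entries and an independent custodian for the log, which this toy omits.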
In short, NIST's "design shows how collected logs can provide the capability to produce a collection of digital evidence to expose the attack from its logs." For now this is much more a concept than a working tool, but from what we can gather, having such a service would make it considerably easier to pin down the source of problems in chained Web services. Of course, the best way to simplify cyber crime investigation remains preventing this sort of crime from happening in the first place.