A new cybersecurity system developed by researchers at the Georgia Institute of Technology and known as Refinable Attack INvestigation (RAIN) will provide forensic investigators a detailed record of an intrusion, even if the attackers attempted to cover their tracks. Image shows a schematic of how the system prunes information about system operation. (Credit: Georgia Institute of Technology)

If you came home to find that an intruder had broken into your house, your first questions would probably be: How did they get in? What did they take? Did they do any damage?

These are the same questions someone might ask after discovering that an attacker had infiltrated their computer. Answering them is essential to deciding what to do next, but it can be slow and difficult; you might not even know where to start.

A new system under development by a team of researchers at the Georgia Institute of Technology aims to help with forensic investigations of cyber intrusions by monitoring a system continuously, before any attack happens, and making all of that recorded information easy to search once an incident occurs.

“Most of the current logging schemes—they are not complete,” explained Wenke Lee, co-director of Georgia Tech’s Institute for Information Security & Privacy, in an interview with Forensic Magazine. “The best way to analyze the history: you record a complete history. Everything that has happened on a computer is recorded—every single thing. But that would require a huge amount of storage space and also a huge amount of overhead.”

Lee and his team, who presented their work at the 2017 ACM Conference on Computer and Communications Security (CCS) on Oct. 31, set out to solve the problem of incomplete, inefficient logging with a system called Refinable Attack INvestigation (RAIN). RAIN records just enough about system activity to reconstruct its history, keeping storage and runtime overhead manageable, and refines that record on demand during an investigation to answer the important questions: how the attacker got in, what they accessed and what harm they might have caused.

Lee explained that RAIN’s continuous monitoring is both more complete and more efficient than current logging systems, and far more useful than a “snapshot” of an affected system taken after the fact.

“Can you, from this current, detailed snapshot, go back and reconstruct history? That’s not easy. That’s actually very hard,” Lee said. RAIN instead “replays” the recorded activity leading up to an attack, like a surveillance camera that records constantly rather than a single photograph of the aftermath.

RAIN “effectively prunes out unrelated processes and determines attack causality with negligible false positive rates,” the team’s paper states, so its runtime overhead is practical, and by the researchers’ estimate the information it records can be stored for as little as $50 per year.
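To make “pruning unrelated processes” and “attack causality” concrete, here is an added illustration, written for this article and not taken from RAIN or its paper, of time-aware backward and forward tracing over an audit log. The log records, the process, file and socket names, and the alert (a suspected exfiltration at time 11) are all constructed for the example. The rule that does the pruning is simple: an edge only counts as a dependency if it happened at the right time, so later activity of a process that was compromised only afterwards is not blamed, and earlier activity of a process that was touched only later is not blamed either.

```python
"""Time-aware backward/forward causality tracing over a constructed audit log.

Added illustration only: the log below is made up, and the tracing is a toy
version of provenance analysis, not RAIN's implementation or output.
"""
from collections import defaultdict, deque

# Constructed records: (timestamp, subject, operation, object).  Subjects are
# processes; objects are files, sockets or child processes.  Made up for this example.
AUDIT_LOG = [
    (1,  "proc:sshd",      "read",  "file:/etc/shadow"),
    (2,  "proc:cron",      "spawn", "proc:backup"),
    (3,  "proc:backup",    "read",  "file:/home/alice/report.txt"),
    (4,  "proc:backup",    "write", "file:/mnt/backup/report.txt"),
    (5,  "proc:webapp",    "recv",  "sock:203.0.113.5:44321"),   # inbound request
    (6,  "proc:webapp",    "write", "file:/tmp/drop.sh"),
    (7,  "proc:webapp",    "spawn", "proc:sh"),
    (8,  "proc:sh",        "read",  "file:/tmp/drop.sh"),
    (9,  "proc:sh",        "read",  "file:/etc/shadow"),
    (10, "proc:sh",        "write", "file:/etc/cron.d/persist"),
    (11, "proc:sh",        "send",  "sock:203.0.113.5:8080"),    # suspected exfiltration
    (12, "proc:logrotate", "read",  "file:/var/log/syslog"),
    (13, "proc:logrotate", "write", "file:/var/log/syslog.1"),
    (14, "proc:cron",      "read",  "file:/etc/cron.d/persist"),
]

INTO_SUBJECT = {"read", "recv"}              # information flows object -> subject
OUT_OF_SUBJECT = {"write", "send", "spawn"}  # information flows subject -> object


def to_flow_edges(log):
    """Turn audit records into directed, timestamped information-flow edges (ts, src, dst)."""
    edges = []
    for ts, subject, op, obj in log:
        if op in INTO_SUBJECT:
            edges.append((ts, obj, subject))
        elif op in OUT_OF_SUBJECT:
            edges.append((ts, subject, obj))
        else:
            raise ValueError(f"unknown operation {op!r}")
    return edges


def backward_trace(edges, node, at_time):
    """Nodes that could have influenced `node` by `at_time`, with the latest time each mattered.

    An incoming edge is followed only if it occurred no later than the time its
    target was reached; that is what keeps later, unrelated activity out.
    """
    incoming = defaultdict(list)
    for ts, src, dst in edges:
        incoming[dst].append((ts, src))
    bound = {node: at_time}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for ts, src in incoming[cur]:
            if ts <= bound[cur] and ts > bound.get(src, -1):
                bound[src] = ts
                queue.append(src)
    return bound


def forward_trace(edges, node, at_time):
    """Nodes that `node` could have affected from `at_time` on, with the earliest time each was reached."""
    outgoing = defaultdict(list)
    for ts, src, dst in edges:
        outgoing[src].append((ts, dst))
    bound = {node: at_time}
    queue = deque([node])
    while queue:
        cur = queue.popleft()
        for ts, dst in outgoing[cur]:
            if ts >= bound[cur] and ts < bound.get(dst, float("inf")):
                bound[dst] = ts
                queue.append(dst)
    return bound


def investigate(log, alert_node, alert_time):
    """For one alert: which door they came in through, what they touched, and what was unrelated."""
    edges = to_flow_edges(log)
    causes = backward_trace(edges, alert_node, alert_time)
    # Convention for this example: a remote socket on the causal path is the "door".
    entry_points = sorted(n for n in causes if n.startswith("sock:") and n != alert_node)
    impact = {}
    for entry in entry_points:
        for n, t in forward_trace(edges, entry, causes[entry]).items():
            impact[n] = min(t, impact.get(n, t))
    everything = {r[1] for r in log} | {r[3] for r in log}
    unrelated = sorted(everything - set(causes) - set(impact))
    return {"entry_points": entry_points, "causes": causes,
            "impact": impact, "unrelated": unrelated}


if __name__ == "__main__":
    for key, value in investigate(AUDIT_LOG, "sock:203.0.113.5:8080", 11).items():
        print(f"{key}: {value}")
```

Running the example from the exfiltration alert traces back through the shell, the dropped script and the web application to the inbound connection on port 44321, then traces forward to the cron drop-in the shell wrote. Note what the timestamp check does: plain graph reachability would also implicate the backup job, because cron spawned it and cron later read the attacker’s file, but that spawn happened at time 2, long before cron was touched at time 14, so it is correctly left in the “unrelated” set. Real provenance systems still face dependency explosion around long-lived processes that touch many objects; that is the gap RAIN’s on-demand refinement is meant to close, and this toy does not attempt it.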

And even if RAIN itself is compromised by an attack, the information it recorded beforehand can still be used for forensic purposes, including the record of how RAIN itself was taken down. Lee compares it to a surveillance camera whose lens is spray painted.

“From that point on you cannot record anymore, but at least the action of somebody spray painting before that point was captured,” Lee said.

In the future, RAIN could help enterprises and individuals respond to attacks on their systems more quickly, and improve their security in an informed way as intrusion attempts occur. Because it can show which “door” an intruder came through, so to speak, it can reveal exploits and vulnerabilities that the user did not know about.

The Georgia Tech team is in the third year of its four-year project, which is funded by the Defense Advanced Research Projects Agency (DARPA).

“We are really trying to make the system run very efficiently, and so the last three years of work, we try to essentially make it ready for practical deployment,” Lee said. “There’s some enduring work that remains to be done to make our system more efficient, and also, from an architecture point of view, easier to deploy, let’s say in a cloud environment and so on. So that’s the work that we are going to focus on in the remaining year.”