Identification and Triage of Compromised Virtual Machines
Abstract
The increasing volume and sophistication of cyber-attacks, the adoption of virtualization technology, and the slow incorporation of new software on Navy networks have created a unique situation. The status quo has left those responsible for administering and defending Navy networks at a distinct disadvantage: they are unable to leverage current triage tools that assist in the identification, classification, and recovery aspects of incident response on a computer network, while their adversaries face no such limitations. This capstone report explores the use of native operating system tools, together with mirrored domains in a virtualized environment, as a possible strategy for providing these capabilities. For this project, we created a generalized virtual network with mirrored domains. In this environment, we developed a toolkit comprised of software already available to administrators, along with a method for deploying it. We then demonstrated its efficacy in detecting a compromise by inserting malware into a computer in the environment. Finally, we used the mirrored domains within the environment to provide a means for accelerated recovery. Used together, this native toolset and recovery strategy offer a possible solution for the detection of and response to incidents on a network.
Document Details
- Document Type: Technical Report
- Publication Date: Sep 01, 2014
- Accession Number: ADA620480
Entities
People
- Chukwuemeka Agbedo
- John Paulenich
- Kenneth Rea
Organizations
- Naval Postgraduate School