Abstract

When handling a security incident, there is a lot of information that needs to be stored, processed, and analyzed. Because of the volume of information and the need to conduct a security incident investigation promptly, different forensic tools have been developed to provide cyber threat intelligence and security incident response management platforms and solutions. These platforms enable responders to collaborate effectively in identifying and investigating incidents, manage their work on a case from creation until resolution or completion, and automate incident response tasks using external threat information. Since incident response services are a growing priority at organizations, there is a pressing need for a trustworthy and transparent way to maintain the authenticity and integrity of investigative actions that is independently verifiable. Generally, security incident case management allows a security analyst to add related logs. Aside from the possibility of a log being deleted, it is difficult to audit the log for traceability and provenance if a user decides to be malicious. To address this problem, we propose utilizing a blockchain ledger for security investigative actions and associated metadata, extracting requirements for cybersecurity incident response from the models gathered through the analysis of an open-source incident management platform. We demonstrate the applicability of the proposed techniques and methods by investigating a case scenario of evidence actions within TheHive security incident response platform (SIRP).
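The core mechanism behind the tamper-evident ledger the abstract proposes, as an added illustration that is not code from the paper or from TheHive: every investigative action is hashed together with the previous entry's hash, so a silently deleted or edited record breaks the chain at a detectable position. The case identifier, action names and metadata values are constructed assumptions, and this is a single-node hash chain without the distribution and consensus a full blockchain adds.

```python
import hashlib
import json
from collections import namedtuple

GENESIS = "0" * 64  # prev_hash value for the very first entry
# One ledger record: an investigative action plus its metadata and chain hashes
Entry = namedtuple("Entry", "seq case_id actor action metadata prev_hash entry_hash")

def entry_digest(seq, case_id, actor, action, metadata, prev_hash):
    # Canonical JSON so identical content always yields the same hash
    body = {"seq": seq, "case": case_id, "actor": actor, "action": action,
            "meta": metadata, "prev": prev_hash}
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(payload).hexdigest()

class ActionLedger:
    """Append-only, hash-chained record of case actions (a single-node ledger)."""

    def __init__(self):
        self.entries = []

    def append(self, case_id, actor, action, metadata):
        seq = len(self.entries)
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        h = entry_digest(seq, case_id, actor, action, metadata, prev)
        entry = Entry(seq, case_id, actor, action, metadata, prev, h)
        self.entries.append(entry)
        return entry

    def verify(self):
        """Index of the first entry whose link is broken, or -1 if the chain is intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            expected = entry_digest(e.seq, e.case_id, e.actor, e.action, e.metadata, e.prev_hash)
            if e.seq != i or e.prev_hash != prev or e.entry_hash != expected:
                return i
            prev = e.entry_hash
        return -1

def sample_ledger():
    # Constructed sample: three actions on a hypothetical case (not TheHive's real API)
    ledger = ActionLedger()
    ledger.append("CASE-42", "analyst1", "observable.add", {"sha256": "deadbeef", "host": "ws-07"})
    ledger.append("CASE-42", "analyst1", "log.add", {"note": "outbound beacon observed"})
    ledger.append("CASE-42", "analyst2", "task.close", {"task": "triage"})
    return ledger
```

Running `sample_ledger().verify()` on an untouched ledger returns -1; removing or rewriting any stored entry makes `verify()` return the index where the chain first fails.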
