Palantir: A framework for collaborative incident response and investigation

Himanshu Khurana; Jim Basney; Mehedi Bakht; Mike Freemon; Von Welch; Randy Butler

doi:10.1145/1527017.1527023

Palantir: A framework for collaborative incident response and investigation

Himanshu Khurana
, Jim Basney
, Mehedi Bakht
, Mike Freemon
, Von Welch
, Randy Butler

National Center for Supercomputing Applications (NCSA)

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

Organizations owning cyber-infrastructure assets face large scale distributed attacks on a regular basis. In the face of increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004 known as Incident 216. Based on our approach we present the Palantir system that comprises conceptual and technological capabilities to adequately respond to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.

Original language	English (US)
Title of host publication	IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet
Editors	Kent Seamons, Neal McBurnett, Tim Polk
Publisher	Association for Computing Machinery
Pages	38-51
Number of pages	14
ISBN (Electronic)	9781605584744
DOIs	https://doi.org/10.1145/1527017.1527023
State	Published - Apr 14 2009
Event	8th Symposium on Identity and Trust on the Internet, IDtrust 2009 - Gaithersburg, United States Duration: Apr 14 2009 → Apr 16 2009

Publication series

Name	ACM International Conference Proceeding Series
Volume	Part F128834

Other

Other	8th Symposium on Identity and Trust on the Internet, IDtrust 2009
Country/Territory	United States
City	Gaithersburg
Period	4/14/09 → 4/16/09

Keywords

Digital investigation
Incident response
Multi-site collaboration

ASJC Scopus subject areas

Software
Human-Computer Interaction
Computer Vision and Pattern Recognition
Computer Networks and Communications

Online availability

10.1145/1527017.1527023

Library availability

Discover UIUC Full Text

Cite this

Khurana, H., Basney, J., Bakht, M., Freemon, M., Welch, V., & Butler, R. (2009). Palantir: A framework for collaborative incident response and investigation. In K. Seamons, N. McBurnett, & T. Polk (Eds.), IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet (pp. 38-51). (ACM International Conference Proceeding Series; Vol. Part F128834). Association for Computing Machinery. https://doi.org/10.1145/1527017.1527023

Palantir: A framework for collaborative incident response and investigation. / Khurana, Himanshu; Basney, Jim; Bakht, Mehedi et al.
IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet. ed. / Kent Seamons; Neal McBurnett; Tim Polk. Association for Computing Machinery, 2009. p. 38-51 (ACM International Conference Proceeding Series; Vol. Part F128834).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Khurana, H, Basney, J, Bakht, M, Freemon, M, Welch, V & Butler, R 2009, Palantir: A framework for collaborative incident response and investigation. in K Seamons, N McBurnett & T Polk (eds), IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet. ACM International Conference Proceeding Series, vol. Part F128834, Association for Computing Machinery, pp. 38-51, 8th Symposium on Identity and Trust on the Internet, IDtrust 2009, Gaithersburg, United States, 4/14/09. https://doi.org/10.1145/1527017.1527023

Khurana H, Basney J, Bakht M, Freemon M, Welch V, Butler R. Palantir: A framework for collaborative incident response and investigation. In Seamons K, McBurnett N, Polk T, editors, IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet. Association for Computing Machinery. 2009. p. 38-51. (ACM International Conference Proceeding Series). doi: 10.1145/1527017.1527023

Khurana, Himanshu ; Basney, Jim ; Bakht, Mehedi et al. / Palantir : A framework for collaborative incident response and investigation. IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet. editor / Kent Seamons ; Neal McBurnett ; Tim Polk. Association for Computing Machinery, 2009. pp. 38-51 (ACM International Conference Proceeding Series).

@inproceedings{7213fccfd9574eb7871a785a692c6696,

title = "Palantir: A framework for collaborative incident response and investigation",

abstract = "Organizations owning cyber-infrastructure assets face large scale distributed attacks on a regular basis. In the face of increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004 known as Incident 216. Based on our approach we present the Palantir system that comprises conceptual and technological capabilities to adequately respond to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.",

keywords = "Digital investigation, Incident response, Multi-site collaboration",

author = "Himanshu Khurana and Jim Basney and Mehedi Bakht and Mike Freemon and Von Welch and Randy Butler",

note = "This work was funded by the Office of Naval Research under award number N00014-06-1-1108; 8th Symposium on Identity and Trust on the Internet, IDtrust 2009 ; Conference date: 14-04-2009 Through 16-04-2009",

year = "2009",

month = apr,

day = "14",

doi = "10.1145/1527017.1527023",

language = "English (US)",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery",

pages = "38--51",

editor = "Kent Seamons and Neal McBurnett and Tim Polk",

booktitle = "IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet",

address = "United States",

}

TY - GEN

T1 - Palantir

T2 - 8th Symposium on Identity and Trust on the Internet, IDtrust 2009

AU - Khurana, Himanshu

AU - Basney, Jim

AU - Bakht, Mehedi

AU - Freemon, Mike

AU - Welch, Von

AU - Butler, Randy

N1 - This work was funded by the Office of Naval Research under award number N00014-06-1-1108

PY - 2009/4/14

Y1 - 2009/4/14

N2 - Organizations owning cyber-infrastructure assets face large scale distributed attacks on a regular basis. In the face of increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004 known as Incident 216. Based on our approach we present the Palantir system that comprises conceptual and technological capabilities to adequately respond to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.

AB - Organizations owning cyber-infrastructure assets face large scale distributed attacks on a regular basis. In the face of increasing complexity and frequency of such attacks, we argue that it is insufficient to rely on organizational incident response teams or even trusted coordinating response teams. Instead, there is need to develop a framework that enables responders to establish trust and achieve an effective collaborative response and investigation process across multiple organizations and legal entities to track the adversary, eliminate the threat and pursue prosecution of the perpetrators. In this work we develop such a framework for effective collaboration. Our approach is motivated by our experiences in dealing with a large-scale distributed attack that took place in 2004 known as Incident 216. Based on our approach we present the Palantir system that comprises conceptual and technological capabilities to adequately respond to such attacks. To the best of our knowledge this is the first work proposing a system model and implementation for a collaborative multi-site incident response and investigation effort.

KW - Digital investigation

KW - Incident response

KW - Multi-site collaboration

UR - https://www.scopus.com/pages/publications/85016936853

UR - https://www.scopus.com/pages/publications/85016936853#tab=citedBy

U2 - 10.1145/1527017.1527023

DO - 10.1145/1527017.1527023

M3 - Conference contribution

AN - SCOPUS:85016936853

T3 - ACM International Conference Proceeding Series

SP - 38

EP - 51

BT - IDtrust 2009 - Proceedings of the 8th Symposium on Identity and Trust on the Internet

A2 - Seamons, Kent

A2 - McBurnett, Neal

A2 - Polk, Tim

PB - Association for Computing Machinery

Y2 - 14 April 2009 through 16 April 2009

ER -

Palantir: A framework for collaborative incident response and investigation

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Online availability

Library availability

Related links

Fingerprint

Cite this