Howthe difficulty of obtaining intrusion artifacts can influence threat modeling : An experiment that shows how IT forensics can be used preventingly

Abstract: IT system intrusions are a problem today and the belief that all you need is a strong outer defense has faded. Today continuous monitoring of the IT infrastructure is widespread and alerts are continuously investigated. The clarity of what caused the alert will vary from a clear brute-force attempt to something more sophisticated that could be perceived as normal activity. The investigation of these alerts can bring clarity or in the worst case dismiss a legit intrusion as some system event or user action. The risk should vary depending on how easy or hard an intrusion is to detect, investigate, and for how long the artifacts will remain on a system. By investigating if different attacks carry different risks it should be possible to use this in a tool like threat modeling. The detection risk that different attacks carry can affect where a defender should spend their resources and provides awareness of the types of attack that they are especially vulnerable to. An environment is set up where an attacker targets a victim with chosen attacks and each attack step is forensically investigation with open-source tools. In this forensic investigation logs, files, active tasks, and network connections are investigated. In the end, the results indicate that it is possible to conclude that different attacks carry different risks. Three grading parameters are suggested based on this work, and these parameters could be used in a threat modeling implementation.