Saturday, February 17, 2007

Routine Activity Theory

In the 1970s Cohen and Felson developed a theory of environmental criminology. They called it Routine Activity Theory, or RAT. RAT states that crimes occur when three main conditions are present:

1) Motivated offenders
I think this speaks for itself. There is something motivating the offenders, be it money, power, ego, etc.

2) Suitable targets
From a criminological point of view, this would be the single female walking in an unlit area, or a target of opportunity, i.e., a person being in the wrong place at the right time.

3) Lack of proper guardianship (lack of security and safety measures)
Again, this speaks for itself. Tourists walk around unaware and unprotected, people don't carry mace or Tasers, etc.

Let's apply this to incident investigations, shall we? But before we dig right in, we should look at the proposed solution to the three conditions listed above. The solution provided as part of the theory is something called target hardening. The idea is to make the target of the crime so unappealing that the criminal looks elsewhere to commit the crime. Sounds a little like IT security, doesn't it?

This is commonly what IT security folks refer to as "defense in depth". Defense in depth or onion security is the idea that one layer of security will always fail to protect your systems, so you should create several layers of security to protect your critical and sensitive assets.

When it comes to incident response and forensics, RAT may help us analyze our "crime scene". I tend to think we can use RAT to help identify the root cause of incidents.

1) Motivated offenders
What would have motivated someone to compromise your system or network?
Establishing a motive is not only important to a case, it can also help establish the M.O. of the attacker. This could allow an investigator to profile the attacker in an attempt to apprehend them, or to locate other victim systems on a network. Is it an internal threat or an external one? Do they appear to know what they are doing?

2) Suitable targets
What makes a suitable target when it comes to computer systems? This is where threat modeling comes into play. If organizations actually prepared themselves for incidents, our job as investigators wouldn't be as hard as it is. Threat modeling, in my opinion, should be a part of every organizational attempt to prepare for incidents. Know your weak spots; know which dominoes are likely to fall as a result of the first one getting tipped over.

For the incident responder, when establishing likely attack vectors we don't need to conduct a full threat model (unless, of course, you have the time to). Instead, why not do what cops do? Establish relationships between the systems. Which systems communicate with each other? How? Is there a routine to the communications? Is anything predictable?

Establishing relationships between the computers in an organization can help locate suitable targets. It could be that outdated Apache server that's supposed to be protected by a firewall, or the MySQL server that allows remote root access. Regardless of what the root cause is, locating the potential source of an incident is the key to preventing it from happening again.
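As an added illustration (not part of the original post), here is a small Python script that does the "which systems talk to each other, how, and is it routine?" exercise over constructed flow records: it builds a baseline of routine system-to-system relationships from a known-good window and flags connections in the incident window that never appeared in it. The hosts, ports and flows are assumed sample data, not real logs.

```python
"""Map which systems talk to which, and flag connections that break the routine.
All flow records below are constructed sample data, not real logs."""
from collections import Counter, defaultdict

# Constructed flows: (src, dst, dst_port) from a "routine" week of traffic.
BASELINE_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 3306),   # web node -> MySQL, every day
    ("10.0.1.10", "10.0.2.20", 3306),
    ("10.0.1.10", "10.0.2.20", 3306),
    ("10.0.1.11", "10.0.2.20", 3306),   # second web node -> MySQL
    ("10.0.1.11", "10.0.2.20", 3306),
    ("10.0.3.5", "10.0.1.10", 22),      # admin jump host -> web nodes (SSH)
    ("10.0.3.5", "10.0.1.11", 22),
]

# Constructed flows from the incident window under review.
INCIDENT_FLOWS = [
    ("10.0.1.10", "10.0.2.20", 3306),   # routine
    ("10.0.3.5", "10.0.1.10", 22),      # routine
    ("10.0.1.10", "10.0.2.20", 22),     # web node SSHing to the DB: never seen before
    ("10.0.4.77", "10.0.2.20", 3306),   # unknown host reaching MySQL: never seen before
]

def build_baseline(flows):
    """Count each (src, dst, port) relationship seen during routine operation."""
    return Counter(flows)

def peers_of(baseline, host):
    """Answer 'what does this system talk to, and on which ports?'"""
    peers = defaultdict(set)
    for (src, dst, port) in baseline:
        if src == host:
            peers[dst].add(port)
    return {dst: sorted(ports) for dst, ports in peers.items()}

def find_unusual(baseline, flows):
    """Return flows (in order, deduplicated) that never occur in the routine baseline.
    A never-seen edge is a lead for the responder to follow up, not proof of compromise."""
    seen, unusual = set(), []
    for flow in flows:
        if flow not in baseline and flow not in seen:
            seen.add(flow)
            unusual.append(flow)
    return unusual

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    print("10.0.1.10 talks to:", peers_of(base, "10.0.1.10"))
    for flow in find_unusual(base, INCIDENT_FLOWS):
        print("not part of the routine:", flow)
```

Real flow data (firewall logs, NetFlow) would replace the constructed lists; the baseline window should come from a period you have reason to believe predates the incident.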

3) Lack of proper guardianship
This factor in RAT can be used by incident responders to identify the locations in a network with little or no protection, or with completely the wrong type of protection mechanism. Is that firewall actually blocking anything? Are the antivirus clients up to date? Oftentimes, when called in to an incident, we're given very little information about the specific configurations of a network or system. Typically, IT staff either don't know or won't tell because they are trying to protect their jobs. As incident responders we need to ascertain just what level of protection existed for suspected victim systems before they became victims, or before they become victims in the future.

Routine Activity Theory, does it apply to Incident Response or Forensics? Thoughts?