
Exploring DTrace as an Incident Response Tool for Unix Systems

Duin, Joe; Mckeown, Sean; Abubakar, Mwrwan

Abstract

Critical National Infrastructure (CNI) is often the target of sophisticated and sustained cyber attacks perpetrated by advanced threat actors with considerable resources. These attacks can lead to interruptions in core services such as energy and water supplies, transportation, healthcare, and telecommunications. The effective and swift remediation of such attacks is contingent on the respective Digital Forensics and Incident Response (DFIR) professionals possessing the appropriate tooling and resources for the target environments. However, the Unix systems that often run critical infrastructure are poorly accommodated in comparison to their Windows and Linux counterparts. This paper seeks to expand the options available to DFIR analysts on Unix systems by exploring the potential for DTrace to serve as an Incident Response utility. DTrace is included in many Unix operating systems by default, while also having support for Linux, Windows and macOS, making it a useful pre-packaged solution. We explore the utility of DTrace, and the visibility it provides into the OS and kernel, through a variety of proof-of-concept case studies based on tactics and techniques in the MITRE ATT&CK framework. We find that DTrace’s functionality lends itself well to a real-time monitoring and probing solution for Unix systems, which could potentially form the basis of an Endpoint Detection and Response (EDR) solution to revolutionise Incident Response on such platforms.

Citation

Duin, J., Mckeown, S., & Abubakar, M. (2024, June). Exploring DTrace as an Incident Response Tool for Unix Systems. Presented at Cyber Science 2024, Edinburgh, Scotland.

Presentation Conference Type: Conference Paper (published)
Conference Name: Cyber Science 2024
Start Date: Jun 27, 2024
End Date: Jun 28, 2024
Acceptance Date: Apr 30, 2024
Online Publication Date: Apr 23, 2025
Publication Date: 2025
Deposit Date: Jul 12, 2024
Publicly Available Date: Apr 24, 2026
Publisher: Springer
Peer Reviewed: Peer Reviewed
Pages: 169-193
Series Title: Springer Proceedings in Complexity
Series ISSN: 2213-8692
Book Title: Proceedings of the International Conference on Cybersecurity, Situational Awareness and Social Media
ISBN: 978-981-96-0400-5
DOI: https://doi.org/10.1007/978-981-96-0401-2_10
Public URL: http://researchrepository.napier.ac.uk/Output/3709433
Publisher URL: https://link.springer.com/book/9789819604005

Files

This file is under embargo until Apr 24, 2026 due to copyright reasons.

Contact repository@napier.ac.uk to request a copy for personal use.