No Logs Investigation / Incident Response — IPDR to rescue

Rushi Mehta
3 min read, Jun 4, 2023

A fundamental principle of any quality hacking attempt is to not leave any traces in the environment. In such situations, IR or root cause analysis exercises become very difficult.

Counter to that, in many compromise incidents in India, the majority of organizations have not adequately invested in SIEM, firewalls, log preservation etc. Here too, where there is a cyber attack, let's say a ransomware attack, the absence of logs is a challenge.

IPDR is extremely useful in the “No Log” scenario.

1. Directions by Government to maintain IPDR

The Department of Telecommunications has issued directions to Internet Service Providers (all classes) to preserve the Internet Protocol Detail Record (IPDR), or in simple terms IP logs, for pre-defined parameters from 31.01.2023. An IPDR typically contains your network traffic activity information such as which website (IP) was accessed, through which port, and for how long (session). In the case of a broadband connection, it is also termed DSL-DR by telcos.

https://dot.gov.in/sites/default/files/Compliance%20of%20IPDR.pdf (Annexure 3)

Eight major parameters have to be stored and preserved by the Internet Service Provider, as shown in the above direction. This data is a very rich source for investigation and is useful for investigating a wide range of cyber attacks. Let's explore how.

2. Ransomware Attack | Data Exfiltration

Let's take a case where an infrastructure is impacted by ransomware and it now has to be proved whether there were any C2 connections or data exfiltration.

If there is a fully functional SIEM with a next-gen firewall, log servers, anti-APT solutions etc., there won't be an issue. But here we are investigating a "No Log" environment where a firewall is configured but logs are not stored beyond a couple of days, and there is no syslog server, SIEM etc. In this case, an IPDR will help.

IPDR provides the destination IP and port, which are super helpful for identifying C2. Most ISPs also have a total data transferred column against each session of the IPDR. This can be used to prove data exfiltration.

Below is a sample layout of a broadband IPDR from a leading ISP.

Important fields and their use in root cause analysis:

  • Session Time — to establish the chain of events (timeline analysis)
  • Duration — to establish persistence
  • Data Transferred — used to establish exfiltration
  • Destination IP and Port — used to establish C2 connectivity

Thus IPDR can be used for ransomware investigation, IR and root cause analysis.

Similarly, other attacks like bot infection, backdoors, data leaks and unauthorized remote access can also be identified through IPDR analysis.
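To show how the four fields above are actually worked on an IPDR export, here is an added Python example (not from the original post or from any ISP). The column names and the sample rows are constructed assumptions, since the ISP layout shown in the post's image is not reproduced here; thresholds are illustrative defaults to be tuned per case.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample IPDR rows (not real ISP data); column names are assumed.
SAMPLE_IPDR = """\
session_start,duration_sec,src_ip,dst_ip,dst_port,bytes_transferred
2023-05-20 09:01:10,30,10.0.0.5,203.0.113.10,443,1200
2023-05-20 09:31:12,28,10.0.0.5,203.0.113.10,443,1180
2023-05-20 10:01:15,31,10.0.0.5,203.0.113.10,443,1210
2023-05-20 10:31:11,29,10.0.0.5,203.0.113.10,443,1190
2023-05-20 11:05:00,600,10.0.0.5,198.51.100.7,22,1500000000
2023-05-20 11:20:00,5,10.0.0.5,192.0.2.44,80,2000
"""

def load_ipdr(text):
    """Parse IPDR CSV text into typed rows, sorted by session start (timeline)."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.strptime(r["session_start"], "%Y-%m-%d %H:%M:%S"),
            "duration": int(r["duration_sec"]),
            "dst": (r["dst_ip"], int(r["dst_port"])),
            "bytes": int(r["bytes_transferred"]),
        })
    return sorted(rows, key=lambda r: r["start"])

def triage(rows, exfil_bytes=100_000_000, min_beacons=4, jitter_sec=120):
    """Return (exfil, c2) dicts keyed by (dst_ip, dst_port).

    exfil: destinations with one session above exfil_bytes (largest session kept).
    c2: destinations contacted >= min_beacons times at a near-constant interval
    (spread between shortest and longest gap <= jitter_sec), i.e. beaconing.
    """
    by_dst = defaultdict(list)
    for r in rows:
        by_dst[r["dst"]].append(r)
    exfil = {d: max(s["bytes"] for s in ss) for d, ss in by_dst.items()
             if any(s["bytes"] > exfil_bytes for s in ss)}
    c2 = {}
    for d, ss in by_dst.items():
        if len(ss) < min_beacons:
            continue
        gaps = [(b["start"] - a["start"]).total_seconds() for a, b in zip(ss, ss[1:])]
        if max(gaps) - min(gaps) <= jitter_sec:
            c2[d] = {"sessions": len(ss), "interval_sec": round(sum(gaps) / len(gaps))}
    return exfil, c2

def unique_destinations(rows):
    """De-duplicated destination IPs, ready for a bulk lookup (e.g. ipinfo.io)."""
    return sorted({r["dst"][0] for r in rows})
```

On the constructed rows, the 30-minute cadence to 203.0.113.10:443 surfaces as a beaconing candidate and the 1.5 GB session to 198.51.100.7:22 as an exfiltration candidate; both are leads to corroborate, not conclusions.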

3. Where to get IPDR

IPDR is a sensitive record and hence access to it is restricted. The Code of Criminal Procedure gives the judiciary and police (clause 2) the power to seek the IPDR. If there is a breach in any organization, proceed with filing a complaint with any cyber cell / police station and, using that as a reference, the police may seek the IPDR data from the ISP.

Section 91 CrPC

4. Does your ISP preserve IPDR?

Organisations may, in their agreement with the ISP / service provider, check whether it saves logs in compliance with DoT guidelines. Post agreement, a readiness check may also be conducted to ensure logs are being stored in the set format at regular intervals.

5. Tools?

Handling an IPDR is a tricky task. Sometimes it may be a huge file and manual analysis is a bit difficult. To make the work faster, the bulk IP lookup feature of ipinfo.io (available after login) or simply bulk IP lookup websites can be used to analyze the IPDR.

There is always a way out. The only need is unwavering intention.

<Research in Progress>


Rushi Mehta

Cyber Security & Fintech Risk Enthusiast, Trekker, Meditator and Contributor!