Network Forensics Optimization
Network Forensics: How to Optimize Your Digital Investigation
Introduction
Cybersecurity Breach Statistics: In the last twelve months, 90 percent of businesses fell victim to a cyber security breach at least once. The typical cost of cyber attacks is approximately $682,000, which includes:
Lost productivity
Loss of data
Lost revenue
Loss of customer trust
Regulatory fines
Theft of money or goods
Shift of Attack Techniques: Attackers are transitioning from splash attacks to stealth approaches, which may go unnoticed, potentially causing the loss of critical data.
Importance of Network Forensics: Traditionally used for troubleshooting and fine-tuning network performance, network forensics is now crucial for capturing "attack fingerprints" and conducting post-attack analyses for security exploits.
Definition by Marcus Ranum: "Network forensics is the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents."
Need for Rapid Data Sifting: Organizations need the capability to sift through various data using multiple parameters (source/destination IP address, port, time, date, protocol, etc.) for effective analysis and to shorten response times to incidents.
Basic Elements in a Network Forensic Solution
Four Basic Capabilities:
Capturing Data:
Ability to capture and store multiple terabytes of data from high-throughput networks (e.g., 10 Gigabit) without losing packets.
Each network forensic solution has limitations like sustainable throughput, packets per second, data management, and search functions. These should be assessed through practical lab tests.
Recording Data:
Data storage on suitable media to enable access for future analysis.
Discovering Data:
Mechanisms to filter recorded data focusing on specific items of interest (e.g., IP address, application).
Analyzing Data:
Built-in tools for examining patterns and anomalies in the discovered data, aiding in identifying recorded actions within captured packets.
Typical Situations in Network Forensics
Two Primary Situations:
Existing Cases: You may have a lead from a firewall or IPS log necessitating access to captured packets for deeper analysis.
Searching for Abnormalities: If no obvious case exists, network forensics can help identify abnormal or suspicious activity in the traffic.
Methods to Identify Abnormal Activity:
Communication Matrix: Offers a quick overview of communications, helpful in discovering DDoS attacks, worm attacks, and other anomalies.
Top Stations and Protocols: Listings can indicate a network's health. Active servers generally top the list, while protocols reveal ongoing activities.
Suspicious Events Discovery: Utilizing expert modules (e.g., from OmniPeek Distributed Analysis Suite) to detect potential attack activities across the OSI layers.
Phases of Digital Investigation
Data Discovery and Data Analysis: Critical elements, especially with vast amounts of captured traffic.
Common Steps in a Digital Investigation:
Separating network data for focused analysis and ensuring thorough investigations.
Data Discovery: Separate Network Data
Forensic analysts should automatically extract or fetch network data based on suspicious activities using multiple parameters (e.g., source/destination IP address, port, time, etc.).
Comprehensive Features of OmniPeek:
Search expressions (IP, MAC, Protocol, Port, etc.) either individually or in combination using operators (and, or, not, Group).
Applying Filters: Analysts can apply filters to specified data files, especially in cases with multiple data collection points.
Isolating Data by Connection: Techniques to assemble sessions into flows for targeted investigations.
Data Analysis: Perform Packet Drill-Down
After acquiring suspicious packets, analysts must perform the following during data analysis:
Packet Decode:
Analyze packet details like bits, flags, and payload for comprehensive understanding.
Packet Sequence Analysis:
Useful for troubleshooting connections and critical in identifying attacks (e.g., session hijacking).
Multi-segment Analysis:
Understand packet behavior across different network devices.
Extract Stream by IP/Protocol/Application:
Critical for a targeted analysis of specific conversations.
Data Analysis: Enumerate the Data
Needs to extract and reconstruct captured traffic into readable formats (work documents, PDFs, emails, web pages).
Good solutions allow analysts to develop modules for proprietary analyses.
OmniPeek’s feature set includes the assembly of conversations for whole-payload presentations.
Capability to reconstruct emails from captured traffic into user-friendly formats (similar to Outlook).
WildPackets Network Forensics Solutions
Described as a "network time machine," allowing organizations to trace intermittent performance issues, data leaks, HR violations, or security breaches.
Data Collection:
All relevant traffic is centralized rather than distributed, captured in a common format for easier analysis.
Supports real-time analysis at the point of capture without needing extensive data transfers.
Benefits of WildPackets Solutions:
24x7 data availability, enhancing Mean-Time-To-Resolution (MTTR) by enabling immediate problem analysis without duplicating issues.
Ensuring compliance with service-level agreements and policies through comprehensive capture and audit records.
Learning More
Suggested readings include in-depth exploration of network forensics applications and optimization strategies, available on the WildPackets website.
Conclusion
The crucial role of network security in the digital era is emphasized, as data leakage poses severe threats both financially and to national security. Proper forensic solutions are vital for identifying zero-day attacks and preventing reoccurrences.