Network Forensics for Attack Mitigation

Abstract

The network forensics market is set to dramatically expand as increasing numbers of organizations become the victims of malware attacks. Limiting the damage from these incursions, and avoiding potentially crippling losses, are key motivators for businesses of any size. And network forensics offers a powerful set of tools to help companies achieve those goals.

Sample

For many organizations, network traffic has increased to the point where supporting speeds of 10G or more is commonplace. They're finding that traditional Security Information and Event Management (SIEM) network analysis is simply inadequate. As a result, these companies are relying on a combination of vendor-based security solutions or custom algorithms, forensics specialists, and their own approaches to identify and mitigate threats.

Network forensics can best be defined as the monitoring, recording, and analysis of network traffic and events. Technicians perform network forensics to discover the source of security incidents, attacks, or other potential problems.

Choosing the right forensics tool enhances defense capabilities by providing security warnings, detection, and response. It can also be used to collect and retain raw network data for restructuring, playback, and information retrieval. While not foolproof, employing a solution along with the right approach to network forensics can help reassure C-level executives and the entire workforce that an effective defense is in place.

Frequently, network forensics are employed for things other than security. These include low-performance network segment analysis, analyzing VoIP quality, and checking network transactions. In this white paper, we explore the importance of network forensics for system monitoring and attack mitigation. We also examine other possible use cases and the general effectiveness of network forensics in these areas.

Today's Data Center: Faster Networks, More Data, and Advanced Threats

As 40G and 100G deployments soon become the norm, network forensics will play an increasingly critical role for gaining visibility into a range of problems. Some of the factors which contribute to the growing amount of data that networks routinely handle include online communications (video, VOIP, etc.), mobility, and IoE connections.

Since its inception in the 1990s, network forensics has gradually increased in sophistication. In addition to firewalls and intrusion detection systems (IDS), it offers a formidable set of tools to mitigate attacks. Such tools enable companies to be more versatile when responding to intrusions, and to conduct more effective investigations once an attack has occurred.

Choosing not to employ these tools when data theft occurs can be compared to ignoring security camera footage taken at the scene of a crime. In fact, more and more companies are using network forensics to resolve other related issues.

Network forensics can also be used to:

- Verify/troubleshoot questionable transactions

- Analyze overall network performance

- Identify low-performing segments

- Verify VOIP or video traffic problems

- Validate compliance

In general, specific solutions have been developed to collect and retain raw data or to record all transactions for later playback and evaluation. Tools also exist to help identify specific types of security attacks or information leakage. In addition to enhancing preexisting defense capabilities (firewalls, etc.), forensics can provide security warnings and real-time analysis.

Once a network forensics system is in place, an IT professional can work with security experts to analyze traffic and quickly determine the cause of a network event based on hard evidence.

In many cases, simply looking at data logs around the time an attack occurred is unlikely to uncover the source. Knowing what to look for and using the data queries developed by a specialist can help to focus a search. However, it's not just investigating residual data on the storage media from a system or a device, but an ability to analyze transient communications that continue to occur. In the end, successfully mitigating and investigating an attack often depends on a number of components, and having a good forensics solution in place is key.

Network Forensics: Basic Approaches

Post-incident response investigations rely on effective command-and-control and data extraction channels. Whether an administrator or engineer can accomplish a genuine forensic investigation depends on taking certain steps: effectively capturing data, a thorough review across a network for signs of compromise, and performing a forensic post-capture analysis.

After an incident, one approach might consist of retrieving a list of key security datasources, including logs and IDS/IPS systems. These sources contain the forensic evidence that will be important later on when establishing the particular methods used for a network intrusion.