Your worst nightmare just became a reality. It’s 3:00 a.m., and your boss is on the phone telling you your company
just suffered a major data breach. You’re needed in the office to help put things back together again. What’s the first thing you do when you arrive at your desk? Dissect the incident, and that means network forensics. Network forensics is one of the most challenging tasks facing information security professionals. Analysts often find themselves searching for the needle in the digital haystack, hoping intruders left behind some small telltale sign of their presence that will provide forensic evidence of their identity, motivation and/or activities. But where do you start? This tip will provide important information on enterprise network forensic analysis. Network forensic analysis: Live traffic captures are king The most valuable information you can gather in the course of a forensic investigation is captured raw network traffic. If you have even the slightest suspicion that the attack is still in progress, don’t waste any time before firing up a packet-capture tool (such as the open source tool Wireshark) and capturing packets on the wire to disk. Live traffic captures provide you with the detailed contents and header information for every packet that crosses your collection point during the capture period. If you manage to capture traffic related to the intrusion, you will be able to go back and dissect that traffic to assist in reconstructing the attacker’s activity on your network. Network forensic analysis: Go with the flow Unfortunately, it’s not always possible to capture network traffic related to an intrusion. Often, your forensic investigation won’t begin until well after the attack is complete, and it’s simply not possible to continuously capture all of the traffic on your network due to the massive amount of storage it would require. There is, however, a space-conscious alternative: network traffic flow data. Collected using the industry standard IPFIX protocol, network flow data can be captured from routers and provides .connection-level information on traffic that passes through a router. While you won’t be able to reconstruct actual packet contents, you will know source and destination IP addresses, along with the amount of data passed between the two hosts, and other information. Flow data can be quite valuable in reconstructing the activity of an intruder. While you won’t be able to virtually peer over the intruder’s shoulder, as you might be able to do with a raw traffic capture, you will be able to get a sense of what took place. You can use flow data to trace an intruder’s path through your network and also identify the amount of information transferred out of your organization. I’ve seen many cases where companies were able to ease their fear that large, sensitive files were stolen when they found that flow records indicated data transfer rates insufficient to export the files. Network forensic analysis: Comb your logs Don’t forget to comb through the voluminous logs produced by network and security devices. If you’ve configured logging properly, these records can be a treasure trove of information, revealing data about how the attack took place, possibly including the vulnerability exploited to gain access to your network. If you’re not capturing network flow data from your routers, you may find firewall logs contain similar information that can be just as useful. Once you have one or more IP addresses associated with the attack, you can quickly search through your logs for any records associated with that address and begin to assemble the bigger picture of the intruder’s activity. Of course, sorting through logs manually can be quite tedious and time consuming. If you’re not already doing so, you may wish to consider implementing a centralized logging tool, or even a commercial log management or SIEM product, to provide you with consolidated log retention and analysis capabilities. Forensic analysis of network activity can be an exciting treasure hunt as you trace the trail of an intruder’s activity. You can pave the way for successful forensics in the future by enabling network flow monitoring, tuning application and device logging settings, implementing centralized logging and having a standby system ready to perform live packet capture in the event of an attack. Best wishes for a successful investigation!
About the author:
Mike Chapple, CISA, CISSP, is an IT security professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity.com, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.