Network traffic analysis for incident response (IR): What incident responders should know about networking
In this article, we’ll discuss the various things that incident responders must know about the operation of a network and how this can help improve how their security teams respond to incidents.
We’ll look at common attacks that organization networks suffer today and how they can be mitigated. We’ll also discuss some network devices and what they do, the OSI layers and what matters to incident responders, and different ports and protocols. Finally, we’ll explore the structure of a data packet, as well as common tools that IR teams can use to perform incident response.
Overview of incident response
Incident response involves responding to security breaches and handling them in a manner that contains the damage and eradicates the primary cause of the incident. “The demand for cyber security incident responders remains high,” says Debbie Henley, president and co-founder of Redbud, an information security recruitment firm.
The main importance of incident response within your organization is to enable you to:
- Reduce losses
- Restore processes and services
- Mitigate exploited vulnerabilities
Once an incident is contained, the affected organization can prevent catastrophic outcomes resulting from the potential breach. This is usually done through the establishment of best practices, which in turn prevent the same cyberattacks from being executed again.
Incident response and networking
Enterprises should be aware that a successful network attack is most certainly going to take place and is usually a matter of “when” and not “if.” According to Sean Mahoney, a partner at K&L Gates, “The more connected you are, the more risk you have. There’s no way around it.”
What follows are some of the things that incident responders should know in relation to networking and how they influence the organization.
Acceptable risk within the network and crown jewels
Incident responders need to be aware of acceptable risk and the crown jewels of the organization.
Acceptable risk, in this case, defines the amount of loss that can be tolerated by the organization in the event of a security breach. Some organizations may allow the existence of certain software or devices within their network for a while before acquiring more secure ones, feeling that the level of risk in the time until the upgrade is unlikely to cause trouble.
Crown jewels in this case refers to the most treasured assets within the network and organization. Incident responders need to be aware of what assets lie on the network and how sensitive they are, both physically and in terms of the data that resides within them. In addition, incident responders need to know whether it is necessary to monitor these assets.
The following are some protocols and potential risks that incident responders should be familiar with:
- RDP: Malicious hacker groups frequently abuse this protocol to establish persistence within the network. Accounts with RDP enabled should be strictly monitored for suspicious activity
- SMB: This protocol has been widely targeted by malware and attackers. Its related traffic must therefore be monitored. Incident response teams should monitor files accessed as well as permissions granted
- SSH: Incident responders must be aware of allowed remote SSH connections (and accounts). How is SSH traffic allowed into the network? Which user accounts and privileges are allowed? This information should be monitored
- SNMP: This protocol is notorious for revealing too much information about hosts within the network. Incident responders should be able to identify devices that use this protocol and determine whether its traffic is acceptable
- FTP: The File Transfer Protocol is one of the insecure protocols that exist within most organizations; it transmits credentials and data in cleartext. It is typically used to host files that are accessed frequently, and those files should not be sensitive
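As an added example (not code from the original article), the triage below applies the monitoring points above to a few constructed flow records: RDP, SMB or SSH reaching an internal host from outside the network, SSH that does not come from an allowed bastion, any FTP at all, and one host querying SNMP on many others. The flow format, the bastion and poller allowlists and the threshold are all assumptions for this example.

```python
import csv
import ipaddress
from collections import defaultdict

# Constructed flow records (not real traffic): ts,src,sport,dst,dport,proto,bytes
FLOWS = """ts,src,sport,dst,dport,proto,bytes
2024-01-01T09:00:01,203.0.113.7,51000,10.0.1.20,3389,tcp,48000
2024-01-01T09:00:05,10.0.1.15,51001,10.0.2.40,445,tcp,120000
2024-01-01T09:01:10,10.0.9.9,51002,10.0.1.20,22,tcp,9000
2024-01-01T09:01:12,10.0.0.5,51003,10.0.1.20,22,tcp,7000
2024-01-01T09:02:00,10.0.3.3,51004,10.0.1.1,161,udp,300
2024-01-01T09:02:01,10.0.3.3,51005,10.0.1.2,161,udp,300
2024-01-01T09:02:02,10.0.3.3,51006,10.0.1.3,161,udp,300
2024-01-01T09:03:00,10.0.4.4,51007,10.0.5.5,21,tcp,2000
"""
# Assumed site policy (hypothetical): which hosts may originate SSH and SNMP traffic.
SSH_BASTIONS = {"10.0.0.5"}
SNMP_POLLERS = {"10.0.0.50"}
SNMP_SWEEP_THRESHOLD = 3
RISKY_PORTS = {3389: "RDP", 445: "SMB", 22: "SSH", 161: "SNMP", 21: "FTP"}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True for RFC 1918 addresses; anything else is treated as outside the network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def triage(flow_csv):
    """Return (rule, src, dst, dport) findings for the protocols the article lists."""
    findings = []
    snmp_targets = defaultdict(set)
    for row in csv.DictReader(flow_csv.splitlines()):
        dport = int(row["dport"])
        name = RISKY_PORTS.get(dport)
        if name is None:
            continue
        src, dst = row["src"], row["dst"]
        if name in ("RDP", "SMB", "SSH") and not is_internal(src):
            findings.append((f"external {name} access", src, dst, dport))
        if name == "SSH" and src not in SSH_BASTIONS:
            findings.append(("SSH from non-bastion host", src, dst, dport))
        if name == "FTP":
            findings.append(("cleartext FTP in use", src, dst, dport))
        if name == "SNMP" and src not in SNMP_POLLERS:
            snmp_targets[src].add(dst)  # one source asking many hosts looks like enumeration
    for src, targets in snmp_targets.items():
        if len(targets) >= SNMP_SWEEP_THRESHOLD:
            findings.append(("SNMP queries to many hosts", src, f"{len(targets)} hosts", 161))
    return findings
```

Real flow exports (for example from the Nfdump suite mentioned later) would need their own column mapping; only the rule logic carries over.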
According to Christopher Perretta, executive vice president and CIO of State Street Corp, “You’re constantly looking at risk, and you’re constantly accepting residual risk.” U.S. Homeland Security Secretary Michael Chertoff also notes that many organizations get breached repeatedly. As he asked during a keynote at the ACSC conference, “How do you deal with the fact that you are going to be breached?”
An incident response plan recognizes that even if the best measures are put in place, your organization is still likely to get breached. This is not to say that there is no need for proper redundancy. Redundancy — availability of data backups and backup power generators — is important in disaster recovery and compliance and public relations.
Technologies within the network
Incident responders should be able to differentiate between normal and acceptable traffic and unacceptable (abnormal) traffic within the network. This calls for an understanding of the devices and technologies within the network, as network devices will generate different types and amounts of traffic. Incident responders should be able to determine the normal bandwidth of these devices in order to tell whether a breach has been suffered or not.
Incident responders must be familiar with the following devices:
- Hubs: These devices connect multiple network hosts and pass data between them by repeating every received frame out of all connected ports, leaving the destination host to claim it. The disadvantage of these devices is that they are not secure, since every connected host can see all traffic, and repeating every frame to every port also slows traffic within the network
- Switches: Switches are more intelligent than the hubs above in that they are capable of filtering traffic. They contain a forwarding table that maps destination addresses to ports, so a frame is sent only to the port where its destination host is connected
- Routers: These devices are capable of routing traffic to the right network, which can be private, public or even both
- Bridges: These devices connect two different sub-networks. They can be considered mini-routers, since they perform the activities of a router but at a much smaller scale
- Repeaters: These are devices that amplify received signals and retransmit them to cover longer distances. This makes it possible to transmit a signal over a greater distance than was initially possible
- Gateways: These devices connect different autonomous networks, each with different technologies (routing algorithms, protocols, domain name service and so on). They provide translation between networking technologies such as OSI and TCP/IP
The devices above are involved in the building up of a network and may be targeted by malware and/or malicious actors. Incident responders should be aware of normal and abnormal traffic emanating from them and be able to classify the risk.
As Rob Sherman, a security professional at Flowers Foods, says, “I have learned many technologies [since] the beginning of my career, and slowly morphed into what I believe is a ‘coaching leader’ style. When I work with my team I believe it is as important to lead as well as dig in when necessary.”
Analyzing vast amounts of network traffic can be strenuous, so an understanding of automation is also important: it greatly reduces the effort that goes into responding to incidents.
There are a couple of steps that incident responders can take to mitigate against network-based attacks:
- Equipping firewall rules: These rules will enable incident responders to filter out unwanted traffic from the network, allowing only what is acceptable. An understanding of firewall operation and effective configuration is thus very important
- Creating IoCs: Indicators of Compromise help incident response teams to protect their organizations and others through the ability to determine known attack patterns. Incident responders must know how to create IoCs and be on the lookout for new ones
- Unplugging suspicious devices: Attackers can sometimes plug unauthorized or malicious devices into the network in order to act as an attack platform. Incident responders need to be able to discover these as soon as possible and remove them from the network
- Placing honeypots in the network: Incident responders should also ensure that proper defensive measures are installed within the network. A honeypot is a decoy system that no legitimate user should touch, so any interaction with it is a strong signal of an intrusion and helps detect attacks before they spread
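The "Creating IoCs" step above, as an added example that is not part of the original article: a small indicator set for a fictitious incident is checked against constructed passiveDNS-style log lines and an endpoint file inventory. Every domain, IP address, hash, host name and log line here is constructed for the example; the log format is an assumption, not the output of any particular tool.

```python
import hashlib

# Constructed indicators from a fictitious incident; none of these are real IoCs.
IOCS = {
    "domains": {"update-check.example"},   # assumed C2 domain (RFC 2606 reserved TLD)
    "ips": {"198.51.100.23"},              # documentation range, constructed value
    "sha256": {hashlib.sha256(b"constructed sample").hexdigest()},
}

# Constructed passiveDNS-style log lines: timestamp||client||query||type||answer
DNS_LOG = """1704099600||10.0.1.20||www.example.org||A||192.0.2.5
1704099605||10.0.1.20||cdn.update-check.example||A||198.51.100.23
1704099610||10.0.2.40||mail.example.org||A||192.0.2.10
1704099620||10.0.3.3||other.example||A||198.51.100.23
"""

# Constructed file inventory from endpoint collection: (host, path, sha256)
FILES = [
    ("WS-0120", "C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe",
     hashlib.sha256(b"constructed sample").hexdigest()),
    ("WS-0240", "C:\\Windows\\notepad.exe", hashlib.sha256(b"benign").hexdigest()),
]

def domain_matches(query, ioc_domains):
    """Exact match or any subdomain of an indicator (cdn.c2.example matches c2.example)."""
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in ioc_domains)

def scan_dns(log, iocs):
    """Return (client, indicator_type, value) for every log line that touches an IoC."""
    hits = []
    for line in log.splitlines():
        ts, client, query, rtype, answer = line.split("||")
        if domain_matches(query, iocs["domains"]):
            hits.append((client, "domain", query))
        elif answer in iocs["ips"]:
            # the client never asked for the known domain, but resolved to a known bad IP
            hits.append((client, "ip", answer))
    return hits

def scan_files(files, iocs):
    """Return (host, path) for every collected file whose hash is a known indicator."""
    return [(host, path) for host, path, digest in files if digest in iocs["sha256"]]
```

Matching subdomains and resolved addresses, not just the exact domain string, is what catches the second and fourth log lines; an exact-string check would miss both.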
Incident responders should also be aware of common technologies used within organizations such as Active Directory (AD) and how a properly configured AD should look. Most attacks target such commonly used technologies.
Protocol and packet analysis using tools
Incident responders need to be able to make use of packet capture and analysis tools. These tools can help incident responders capture and analyze traffic. The following are some of the tools that incident responders should be familiar with:
- tcpdump: This is a tool for packet capture and analysis
- Tshark: Another tool for packet capture and analysis
- Wireshark: Still another packet capture and analysis tool
- Editcap: This Wireshark command-line utility edits capture files; among other things, it can remove duplicate packets from a capture
- passiveDNS: This can be used for DNS logging
- Nfdump: This is a suite of tools for collecting and analyzing NetFlow data
- Snort: This is a tool that is used for intrusion detection
- Exiftool: This is a tool for extracting metadata from files (images, documents and other artifacts)
- Websense: This tool allows incident responders to search for new threats
The tools above are not the only ones available. However, familiarity with these tools can greatly assist in how one executes incident response. Some of these tools are open-source, while others are commercial.
The biggest challenge with open-source tools is the steep learning curve, even for common tasks. They do not come with quick support, so one must be ready to do some troubleshooting.
Common attacks and methods
Incident responders should be aware of the common attack methods affecting organization networks today and the possible defences that can be put in place to defend against these. Some of the common attacks today include:
- Advanced Persistent Threats (APT): These are attacks where the adversary breaches the network of an organization and dwells within it, collecting intelligence for a later attack. Incident responders need to be aware of and alert to the state of the network
- Ransomware: This is perhaps one of the most notorious attacks that an organization can face today. Incident responders need to be able to identify such attacks and stop them before they can cause havoc and great destruction
- Phishing attacks: Phishing is one method by which attackers breach organizations. Incident responders must be able to identify potentially malicious emails before they can prove harmful within an organization
Incident responders should be able to identify these attacks and prevent them from occurring in future. A lot will rely on automated tools due to the massive amount of data that streams through the network.
In this article, we’ve discussed the various things that incident responders need to be aware of as they manage the security of their networks. We have also listed some tools, discussed common attack methods that are used against networks today and seen the importance of having an incident response function within your organization.
As a fast-changing discipline, incident response requires basic knowledge of many different related technology and security disciplines, as your ability to craft solutions is tied to the number of different ways you can approach a problem.
Sources
- The Three Elements of Incident Response: Plan, Team, and Tools, Exabeam
- What it takes to be a security incident responder, CSO
- Network Security Must Focus On Incident Response, Network Computing
- RedSeal and network incident response, RedSeal
- Basic Network Attacks in Computer Network, GeeksforGeeks
- Different Networking Devices And Hardware Types — Hub, Switch, Router, Modem, Bridge, Repeater, Fossbytes