Digital forensics

The need for Network Forensics

Most medium to large sized organizations use some sort of security monitoring in their enterprise environments. Security monitoring includes several components and network forensics is one of the most important components of it to detect attacks and respond to alerts. This article discusses why Network forensics is an important skill in a forensic investigators arsenal. 

Network Forensics

Network forensic investigations generally includes various steps which include recording and analyzing activities taking places in a network and use analysis tools and techniques to investigate and answer several questions as follows:

When the attack has happened?

Is the attack still on-going? 

What data has been exfiltrated?

Who are all the users who might have been compromised?

What are all the servers that might have been compromised?

What is the root cause of the attack or how the intruder managed to gain foothold?

Note that these are some of the questions among many that network forensic investigators may have to answer. 

The need for Network Forensics

Now, let us see what is the need for Network Forensics. 

Most organizations expanded their networks with high speed ports and more devices. Corporate Networks in older days used to have computers only. With the evolution of smartphones and IoT devices, networks these days accommodate way more devices than what they used to do. With more devices added to the networks, the attack surface increases. In addition to it, modern threats are more subtle and more sophisticated. Modern attacks are heavily targeted and attackers spend a lot of time on evading detection. Data exfiltration in most cases does not trigger alerts as most of the time it happens in low volumes and encrypted fashion. These facts make detection and response much harder for forensics investigators and matured tools and skilled investigators are needed to adequately investigate attacks. 

Network forensics gives great visibility into the traffic being passed within the organization. This provides investigators a way to search the network and dig deeper into specifics. This is usually a two step process. The first step is data collection. Data on the network should be collected and meta data should be extracted and indexed from it so various search tools can be used to search for specific information. The second step is to actually search for the data of our interest. 

Organizations require intelligent monitoring and analysis on an ongoing basis. Be it a targeted attack or a planned red teaming activity, there can be unusual activities within the network that require analysis. Like we mentioned earlier, these activities often happen stealthily and waiting for alerts from automated tools may not always work. Active hunting by monitoring the network traffic for unusual patterns is often required. Assume there is an unusual domain a machine is connecting to everyday for the past few days and there is a spike in the amount of data being sent to this domain. This is a red flag and analysis may be needed. Detecting this type of activities within the network is not easy in practice as the malicious traffic blends into the normal network which can be in large volumes. Discovering malicious traffic in such cases requires intelligent analysis skills, where the investigator is required to use targeted search queries to extract data that can be used to draw some conclusions. This whole process requires network forensics capabilities.

Majority of attacks require investigation of network traffic and logs at various locations in the network. Imagine a situation where attackers gain control on some of the critical systems in the network through a targeted spear phishing attack on some of the employees related to a specific department. While this sounds like a simple attack, it requires investigation at various points in the network to draw conclusions. This may include email gateway, Web proxy, firewalls, IDS/IPS, Active Directory logs, logs from the servers, event logs from the workstations and more.  

Following are some of the key components for organizations planning to have inhouse network forensics capabilities:

Data Capturing capability

Hunting for threats in large enterprise networks is practically not an easy task. This requires a great data capturing solution that captures and stores multiple terabytes of data from high-throughput networks, including 10G and even 40G, without dropping or missing any packets.

Metadata extraction and indexing

Once data is captured and stored on the storage media, the captured data should be used to extract the metadata to  provide a means of filtering particular items of interest, for example, by IP address, application, context, etc. Forensic analysts often rely on discovery tools for searching through terabytes of data to find specific network conversations or individual packets.

Data Analysis

Capturing data, metadata extraction and indexing is only the first step. The real value of this step comes from intelligent analysis. This phase involves both automated and manual analysis to identify malicious traffic patterns in the network. 

Conclusion

Network forensics is one of the key components in a defense team’s arsenal. Network forensics can help draw several conclusions during an investigation. With the modern day complex networks, data volumes and intelligent attackers network monitoring for security attacks can be very hard and network forensics teams surely play a crucial role.

 

Sources

1. https://www.fireeye.com/blog/executive-perspective/2014/07/network-forensics-use-cases-in-the-enterprise.html
2. https://netspeed.co.za/White%20Paper%20-%20network_forensics_ebook.pdf
3. Network Forensics by Sheriff Davidoff, Jonathan Ham - https://www.amazon.com/Network-Forensics-Tracking-Hackers-Cyberspace/dp/0132564718