Web Traffic Analysis
Introduction: Significance and Impact
In 2018 DayTrek Corp, a broadband and data communications company in the UK discovered a cross-site request-exploit on their routers. Attackers would hack into the routers and create faulty DNS entries that reroute traffic to forged sites. In these sorts of events, attackers tend to favor unconfigured routers and other low-security devices used to interface with appliances.
These low-security devices are commonly known as the “Internet of Things” (IoT).
In 2018, Symantec Security Response Team set up an IoT honeypot. With this setup, Symantec recorded, on average, 5,200 attacks per month. However, one does not need an expansive honeypot to detect these intrusions. The detection and mitigation of these attacks are readily available in many modern web browsers.
This article focuses on web traffic analysis as a means to detect intrusions, monitor malicious activity and create a response.
Overview: What is web traffic analysis?
Steel sharpens steel: Analysis versus forensics
Creating a response to cybersecurity events requires both forensics and analysis techniques. Specifically, forensics focuses on gathering information after an incident for investigation, while analysis focuses on using the information to improve a system. Put more plainly, forensics informs analysis to strengthen cybersecurity.
As a real-world example, consider Google Chrome. Google regularly produces a “blacklist” of unsafe sites, culled from various forensics cases after cybersecurity events. This list informs the Google Chrome Browser’s Safe Browsing API and Web Risk API. Further, these APIs are used by developers to inform their cybersecurity solutions. While one informs the other, forensics and analysis are not interchangeable terms. The rest of this article focuses on analysis forensics to improve cybersecurity.
Web traffic analysis forensics: Subdivision of network forensics
Network forensics is “the capture, recording, and analysis of network events in order to discover the source of security attacks or other problem incidents.” Like all network forensics techniques, web traffic analysis allows cybersecurity specialists to:
- Detect intrusions
- Detect and monitor malicious activity (e.g., embezzlement, abuse of resources, fraudulent activity)
The other types of network forensics can be categorized by where they occur on the TCP/IP model. Some examples of network forensics and analysis include:
- Email analysis (transportation layer): This analysis focuses on email headers to detect intrusions
- Ethernet and wireless analysis (internet layer): This approach uses sniffers to analyze live traffic as it occurs on a port
Specifically, web traffic analysis is on the process layer, as it uses aspects of HTTP and HTTPs to analyze web browsing activity. Cybersecurity specialists glean browser activity from analyzing cookies and analyzing browsing history.
Implementation: Web analysis techniques
An HTTP cookie, also referred to just as a “cookie,” is a small piece of data used to track user browser activity. These features help front-end developers with session management, user tracking and implementing site personalization. For example, cookies help front-end user experience developers construct the “logged in/logged out” states that users now expect.
- Have a set time to live: This feature informs forensic investigations
- Have a specific purpose: E.g., session cookies that allow users to remain “logged in” to a site
- Cannot be shared between domains: Analysts use this domain specificity feature to verify where a user was browsing
However, cookies have no way of confirming the identity of the user with the cookie. This feature has been exploited by attackers to compromise networks. These attacks include:
- Man-in-the-middle attack: Attackers obtain session cookies and trick a site into divulging the victim’s private information
- Cross-site scripting attack: Attackers manipulate sites into giving out a victim’s authentication cookie
- Cross-site request forgery: Attackers manipulate the browser into sending victims to a malicious site to get their information
In one specific example of cross-site request forgery, attackers find a reproducible link that executes a specific action on the target page. If the victim logged into the target site, the fraudulent link could trick users into submitting their personal information. These sorts of attacks are difficult to investigate because any logged information would only give the IP address and actions of the victim with little trace of the attacker. To begin a forensic investigation of these attacks requires:
- A snapshot of the affected site
- A snapshot of the browser during the attack
Cybersecurity specialists can obtain these items by using browser analysis.
Web forensics: Browser analysis
Many modern browsers have many admin tools that allow forensics to track users’ activity on the web. The browser stores cookies as well as other session-storing implements like persistent and session web storage. This activity can also serve as snapshots of the browser state through browser history and browser cache.
The browsing history is a list of whom the browser is communicating with through IP addresses and DNS entries. This information is very similar to cookie analysis, providing the “who and where” of incident reports. Similar to cookie analysis, it can be challenging to validate the identity of the user. While many modern browsers have user accounts that could provide some insight, malefactors can easily hijack these accounts.
The browser cache, meanwhile, stores pages in a forward web cache. A forward cache is a cache on the client computer. Some corporate outfits have an established cache on the network just for monitoring user activity. An example of this is a SQUID cache manager. Outside the web browser, SQUID is an open-source cache management software. It can sit on a device to serve stored content locally or as a reverse cache connected to the hosting server.
Unlike the cookie analysis or browsing history analysis, cybersecurity analysts use the cache to recreate snapshots of the website — specifically, the different elements on the website. For example, SQUID has many security features, including a content blacklist and a “squidview” feature. Squidview allows you to review the cache log and view cache content.
However, this information can only produce where and when an attack occurred. Attacks such as man-in-the-middle, cross-site scripting and cross-site request forgery, browsing logs would only have the documented actions of the user. To reveal attackers and the exploits they use, cybersecurity specialists can obtain snapshots of the affected websites the browser cache.
- Security Advisory: CSRF & DNS Attacks, DrayTek
- ISTR 2019: Internet of Things Cyber Attacks Grow More Diverse, Symantec
- Safe Browsing APIs (v4), Google Safe Browsing
- Safe Browsing Lists, Google Safe Browsing
- Emmanuel S. Pilli, R.C. Joshi, Rajdeep Niyogi, “Network forensic frameworks: Survey and research challenges,” Digital Investigation, October 2010
- Window.sessionStorage, MDN web docs
- Jeffrey Erman, Re Gerber, Mohammad T. Hajiaghayi, Dan Pei, Oliver Spatscheck, “WWW 2009 MADRID! Track: Performance, Scalability and Availability / Session: Performance Network-Aware Forward Caching“
- squidview, rillion.net