In the face of sophisticated attacks, which may morph quickly from one attack to another, forensics is rapidly becoming critical both during and after a cyber attack.
Today, organizations are looking at forensics to increase security and ensure compliance. Jay Botelho, director of product management at WildPackets, told IFSEC Global:
Although forensics is an after-event thing, we are seeing that very often attacks move from one to another very quickly. Catching an attack when it is relatively new is the only way to figure out what has transpired on the network.
WildPackets offers products that measure network performance, to let organizations analyze, troubleshoot, optimize, and secure their wired and wireless networks.
Today, network forensics should be part of the arsenal to protect against zero-day attacks. An intrusion prevention system may provide a front line of defense, but if that system doesn’t catch a new piece of malware, forensic tools offer a way to figure out which machines have been infected. Botelho warns:
If an attack happens internally, or is caused by the poor judgment of an employee working behind the firewall, many typical security solutions, which watch the firewall connection, won’t catch them.
Solid forensics can be broken down into three basic steps:
- Create a network baseline. Successful forensics depends on good network practices prior to an attack. Organizations should be aware of the typical baseline performance of the network. This baseline allows the IT department to spot an unusual spike in network traffic or on a node of the network, which may be the sign that an attack has occurred.
- Look for network spikes. When an anomaly is spotted, the IT department can use forensics to isolate a particular time period, event, or user/computer on the network. “With network forensics, you can dial in that period of time with a graphical format and see the statistics for a specific spike,” says Botelho.
- Analyze traffic at the packet level. Once a problem has been isolated to a specific period or set of events, it’s important to do deep packet inspection to examine the IP conversation, the users, the type of traffic, etc. “This is the hardest step because cybercriminals are typically smart and try to obfuscate what they are doing,” Botelho explains. “It may be difficult to discover the source of the breach, but you can tell what kind of damage the attack is doing and react to that.”
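The three steps above, as an added example that is not part of the original article: a per-host baseline of bytes per minute is built from constructed flow records, a spike is flagged when a host exceeds its mean plus three standard deviations, and the flagged host and minute are then broken down by peer to stand in for the packet-level step. The host addresses, volumes and the three-sigma threshold are assumed sample values.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (minute, src_host, dst_host, bytes); sample data, not real traffic.
FLOWS = []
for m in range(10):                                   # quiet baseline period: minutes 0-9
    FLOWS += [(m, "10.0.0.5", "10.0.0.20", 50_000 + 1_000 * (m % 3)),
              (m, "10.0.0.7", "10.0.0.20", 40_000 + 500 * (m % 2))]
FLOWS += [(10, "10.0.0.5", "10.0.0.20", 51_000),      # minute 10: host .5 stays normal,
          (10, "10.0.0.7", "10.0.0.20", 41_000),      # host .7 suddenly sends far more
          (10, "10.0.0.7", "203.0.113.9", 900_000),
          (10, "10.0.0.7", "203.0.113.10", 300_000)]

def bytes_per_host_minute(flows):
    """Aggregate bytes sent by each source host in each minute."""
    totals = defaultdict(lambda: defaultdict(int))
    for minute, src, _dst, nbytes in flows:
        totals[src][minute] += nbytes
    return totals

def build_baseline(flows, baseline_minutes):
    """Step 1: per-host mean and std-dev of bytes per minute over the baseline window."""
    base = {}
    for host, per_min in bytes_per_host_minute(flows).items():
        samples = [per_min.get(m, 0) for m in baseline_minutes]   # missing minute = 0 bytes
        base[host] = (mean(samples), pstdev(samples))
    return base

def find_spikes(flows, base, sigma=3.0, floor=1.0):
    """Step 2: flag (minute, host, bytes) where volume exceeds mean + sigma * std-dev.
    A host absent from the baseline gets a zero baseline, so any traffic is flagged."""
    spikes = []
    for host, per_min in bytes_per_host_minute(flows).items():
        mu, sd = base.get(host, (0.0, 0.0))
        for minute, nbytes in sorted(per_min.items()):
            if nbytes > mu + sigma * max(sd, floor):  # floor avoids a zero-variance threshold
                spikes.append((minute, host, nbytes))
    return spikes

def conversations(flows, minute, host):
    """Step 3: peers of the isolated host in the isolated minute, largest transfer first."""
    peers = defaultdict(int)
    for m, src, dst, nbytes in flows:
        if m == minute and src == host:
            peers[dst] += nbytes
    return sorted(peers.items(), key=lambda kv: -kv[1])

if __name__ == "__main__":
    baseline = build_baseline(FLOWS, range(10))
    for minute, host, nbytes in find_spikes(FLOWS, baseline):
        print(f"minute {minute}: {host} sent {nbytes} bytes; peers: {conversations(FLOWS, minute, host)}")
```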
As the level of sophistication in attacks increases, forensics may be the best way to address the newest threats. Especially as botnets, malware, and other threats work to stay under the radar, organizations need to take a proactive approach to spotting and managing threats.
It is funny to realize that there are 100s of actions being performed on users’ computers every day but only a few can be observed on the UI. Last week, one of our security team members in charge of monitoring malware on users’ computers was able to find malware running on the computer of one of our employees. He quickly was able to contact the person to use the antivirus software on the computer to clean that up. Without such forensics, the user would never know of this until damage is caused. Great article, and it happens every day.
It does happen every day. I didn’t see it mentioned in the article, but another way these types of malware are caught is when they attempt to communicate outside of the network. It is important for an IDS to not only be up to date but to be scanning departing activity as well as incoming. The idea of a network baseline is great; however, I suspect that, like my workplace, many businesses will go through periods where activity is heavier than others, so it may be important to be sure you are comparing the appropriate baseline.
I think our network activity was up this week with people streaming Maggie Thatcher’s funeral. Naughty naughty! Yes, agreed, a baseline would give an organisation a great place to spot malware activity from.
True, Kjoeandy. Today’s malware is designed to live under the radar. It’s kind of like bed bugs. You won’t see it unless you look at it, and when you look, you realize it’s a huge problem. To take it further, you can’t address it until you really understand that small clues may point to a huge problem.
All you say is true, Jonathan. IDS systems can spot anomalies based on what’s being sent out. Regular baselining has a number of advantages. It gets the organization accustomed to thinking about these issues. While there are spikes that are normal, looking at anomalous behavior is a good starting point to spot problems.
Agreed. A lot of malware works this way. In fact, it reminds me of the incident where a guy was caught outsourcing his work to some contractor in China. It’s not malware, but they caught him when they noticed that someone from outside the country was accessing their network.
I like your analogy, Hailey. It’s only when you start to itch that you realize there is a problem after all. Underlying as it may be, it needs to be addressed pronto before things get worse.