
Putting a Face on Forensics

In the face of sophisticated attacks, which may morph quickly from one attack to another, forensics is rapidly becoming critical both during and after a cyber attack.

Today, organizations are looking at forensics to increase security and ensure compliance. Jay Botelho, director of product management at WildPackets, told IFSEC Global:

Although forensics is an after-event thing, we are seeing that very often attacks move from one to another very quickly. Catching an attack when it is relatively new is the only way to figure out what has transpired on the network.

WildPackets offers products that measure network performance, to let organizations analyze, troubleshoot, optimize, and secure their wired and wireless networks.

Today, network forensics should be part of the arsenal to protect against zero-day attacks. An intrusion prevention system may provide a front line of defense, but if that system doesn’t catch a new piece of malware, forensic tools offer a way to figure out which machines have been infected. Botelho warns:

If an attack happens internally, or is caused by the poor judgment of an employee working behind the firewall, many typical security solutions, which watch the firewall connection, won’t catch them.

Solid forensics can be broken down into three basic steps:

  1. Create a network baseline. Successful forensics depends on good network practices prior to an attack. Organizations should be aware of the typical baseline performance of the network. This baseline allows the IT department to spot an unusual spike in network traffic or on a node of the network, which may be the sign that an attack has occurred.
  2. Look for network spikes. When an anomaly is spotted, the IT department can use forensics to isolate a particular time period, event, or user/computer on the network. “With network forensics, you can dial in that period of time with a graphical format and see the statistics for a specific spike,” says Botelho.
  3. Analyze traffic at the packet level. Once a problem has been isolated to a specific period or set of events, it’s important to do deep packet inspection to examine the IP conversation, the users, the type of traffic, etc. “This is the hardest step because cybercriminals are typically smart and try to obfuscate what they are doing,” Botelho explains. “It may be difficult to discover the source of the breach, but you can tell what kind of damage the attack is doing and react to that.”
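The three steps above, worked through in code as an added example (this is not WildPackets' software or code from the article). It runs over a constructed set of flow records rather than captured packets, so step 3 stops at the conversation level (who talked to whom, on which port, how many bytes) instead of full deep packet inspection; the hosts, ports and byte counts are all invented sample data. Step 1 builds a per-minute volume baseline from a known-good window, step 2 flags any minute whose volume exceeds the baseline by more than k standard deviations, and step 3 drills into the flagged minute and ranks its conversations by volume.

```python
"""Network-forensics walk-through: baseline -> spike detection -> conversation drill-down.

Added example on constructed flow records; not code from the article or from WildPackets.
"""
from collections import defaultdict
from statistics import mean, pstdev

INTERVAL = 60  # seconds per time bucket (one minute)

# Constructed sample flow records (not captured data): (t_seconds, src, dst, dst_port, bytes).
FLOWS = []
# Nine quiet minutes: three workstations each talk to an internal web server 10.0.0.2:443.
for minute in range(9):
    for i, src in enumerate(("10.0.0.5", "10.0.0.6", "10.0.0.7")):
        FLOWS.append((minute * 60 + 10 * i, src, "10.0.0.2", 443,
                      3_000 + 500 * i + 100 * (minute % 3)))
# Minute 9: one workstation pushes an unusually large volume to an external host.
FLOWS.append((9 * 60 + 5, "10.0.0.5", "10.0.0.2", 443, 3_000))
FLOWS.append((9 * 60 + 20, "10.0.0.7", "203.0.113.5", 443, 250_000))


def bucket_bytes(flows, interval=INTERVAL):
    """Total bytes per time bucket, i.e. the traffic profile over time."""
    totals = defaultdict(int)
    for t, _src, _dst, _port, nbytes in flows:
        totals[(t // interval) * interval] += nbytes
    return dict(sorted(totals.items()))


def baseline(buckets, training_end):
    """Step 1: mean and population std-dev of per-bucket volume over the known-good window."""
    history = [b for start, b in buckets.items() if start < training_end]
    return mean(history), pstdev(history)


def find_spikes(buckets, mu, sigma, k=3.0):
    """Step 2: buckets whose volume exceeds the baseline by more than k standard deviations."""
    threshold = mu + k * sigma
    return [start for start, b in buckets.items() if b > threshold]


def conversations(flows, start, end):
    """Step 3: bytes per (src, dst, dst_port) conversation inside [start, end), largest first."""
    talk = defaultdict(int)
    for t, src, dst, port, nbytes in flows:
        if start <= t < end:
            talk[(src, dst, port)] += nbytes
    return sorted(talk.items(), key=lambda kv: kv[1], reverse=True)


def investigate(flows, training_end, interval=INTERVAL, k=3.0):
    """Run all three steps; returns (mean, std-dev, {spike_start: ranked conversations})."""
    buckets = bucket_bytes(flows, interval)
    mu, sigma = baseline(buckets, training_end)
    findings = {start: conversations(flows, start, start + interval)
                for start in find_spikes(buckets, mu, sigma, k)}
    return mu, sigma, findings


if __name__ == "__main__":
    mu, sigma, findings = investigate(FLOWS, training_end=9 * INTERVAL)
    print(f"baseline: mean={mu:.0f} bytes/min, stdev={sigma:.1f}")
    for start, convs in findings.items():
        print(f"spike at t={start}s:")
        for (src, dst, port), nbytes in convs:
            print(f"  {src} -> {dst}:{port}  {nbytes} bytes")
```

The baseline here is a single aggregate volume; in practice you would keep one per node and per direction (the text's "spike in network traffic or on a node"), and a time-of-day-aware baseline avoids flagging the morning login rush as an attack. The ranked conversation list is the hand-off point to packet-level analysis: the top entry tells you which capture to open and which IP pair to filter on.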

As the level of sophistication in attacks increases, forensics may be the best way to address the newest threats. Especially as botnets, malware, and other threats work to stay under the radar, organizations need to take a proactive approach to spotting and managing threats.
