While 2009 ended with cyber security dominating the headlines, with the
Wall Street Journal reporting that hackers had stolen tens
of millions from Citigroup, TechCrunch reporting on Twitter getting hacked, and
the New York Times reporting President Obama naming
Howard A. Schmidt as the U.S. Chief of Cybersecurity, 2010
picked up right where 2009 left off. Google has been hit,
likely via an inside job at their office in
There are a lot more malware-related issues brewing under the surface,
as Nemertes senior VP and
Network World columnist Andreas M. Antonopoulos points out:
"While no new major malware outbreaks made huge headlines, the silent spread of
stealthy keyloggers, trojans and botnets continued. As predicted, more
computers fell prey to these silent threats while the lack of headlines is
broadly and incorrectly seen as 'success' against malware."
It's not enough to know you were the victim of a cyber-attack. With
today's network forensic technologies, organizations should be able to answer
the following questions:
1. Who was the intruder?
2. How did the intruder penetrate security?
3. What damage has been done?
4. Did the intruder leave anything behind?
5. Did the organization capture sufficient information to effectively
analyze and reproduce the attack?
In the past, classic forensic
technologies typically provided an incomplete diagnosis because the attack
could only be partially reconstructed. When an attack bypassed the firewall,
the only record of it was whatever the IDS / IPS happened to match and log:
partial data that left most of the key questions unanswered. Methods are
changing. Today, when an attack bypasses the firewall, a network
recorder captures and aggregates the traffic throughout the attack, supplementing
the partial view the IDS provides. With the complete record, post-event
analysis can answer the questions above and expose the attacker, the
method, and the damage; because the entire attack is on record, its fingerprint
can be extracted and turned into detection for the same technique if it is tried again.
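As an added illustration (not code from the original post), the following Python sketch does the post-event analysis described above over a constructed packet record. The record, the addresses, the payloads and the single-packet IDS signature are all hypothetical, made up for the example: one attacker session and one legitimate session against a web server. The script first shows what the signature alone reports, then pivots from that alert through every flow the same client had in the full record to answer the five questions and derive a fingerprint of the session.

```python
"""Post-event analysis over a full-traffic record (added example, stdlib only)."""
from collections import defaultdict
from dataclasses import dataclass
import hashlib
import re
from urllib.parse import unquote, unquote_to_bytes


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


# Hypothetical single-packet IDS signature (not a real ruleset): a classic
# tautology SQL injection. The IDS URL-decodes before matching.
SQLI_SIG = re.compile(rb"'\s*OR\s*'1'\s*=\s*'1", re.IGNORECASE)

# Constructed sample record (not real traffic): an attacker at 203.0.113.7 and a
# legitimate client at 198.51.100.5 both talk to the web server 192.0.2.10.
RECORD = [
    Packet(1.0, "203.0.113.7", 40001, "192.0.2.10", 80,
           b"GET /login.php?user=admin'%20OR%20'1'='1 HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet(1.1, "192.0.2.10", 80, "203.0.113.7", 40001,
           b"HTTP/1.1 200 OK\r\nSet-Cookie: session=abc\r\n\r\nWelcome admin"),
    Packet(2.0, "203.0.113.7", 40002, "192.0.2.10", 80,
           b"GET /export.php?table=customers HTTP/1.1\r\nCookie: session=abc\r\n\r\n"),
    Packet(2.1, "192.0.2.10", 80, "203.0.113.7", 40002,
           b"HTTP/1.1 200 OK\r\nContent-Length: 48213\r\n\r\n..."),
    Packet(3.0, "203.0.113.7", 40003, "192.0.2.10", 80,
           b"POST /upload.php HTTP/1.1\r\nCookie: session=abc\r\n\r\n"
           b"filename=\"cmd.php\"\r\n<?php system($_GET['c']); ?>"),
    Packet(3.1, "192.0.2.10", 80, "203.0.113.7", 40003,
           b"HTTP/1.1 200 OK\r\n\r\nuploaded"),
    Packet(10.0, "198.51.100.5", 50000, "192.0.2.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: shop\r\n\r\n"),
    Packet(10.1, "192.0.2.10", 80, "198.51.100.5", 50000,
           b"HTTP/1.1 200 OK\r\n\r\n<html>"),
]


def ids_alerts(record):
    """All a signature IDS alone yields: the single packets that matched."""
    return [(p.ts, p.src, p.dst) for p in record
            if SQLI_SIG.search(unquote_to_bytes(p.payload))]


def request_line(pkt):
    """(method, decoded path) for an HTTP request packet, else None."""
    m = re.match(rb"([A-Z]+) (\S+) HTTP/1\.[01]", pkt.payload)
    return (m.group(1).decode(), unquote(m.group(2).decode())) if m else None


def client_flows(record, client):
    """Every flow the client took part in, keyed by its ephemeral port and
    ordered by time: request first, then the server's reply if recorded."""
    flows = defaultdict(list)
    for p in record:
        if p.src == client:
            flows[p.sport].append(p)
        elif p.dst == client:
            flows[p.dport].append(p)
    return sorted((sorted(f, key=lambda p: p.ts) for f in flows.values()),
                  key=lambda f: f[0].ts)


def analyze(record):
    """Answer the five questions from the full record, pivoting from the IDS
    alert to everything the same client did before and after it."""
    alerts = ids_alerts(record)
    if not alerts:
        return None
    intruder = alerts[0][1]
    a = {"intruder": intruder, "entry": None, "damage": [], "artifacts": [],
         "complete": True, "steps": []}
    for flow in client_flows(record, intruder):
        req, rl = flow[0], request_line(flow[0])
        if rl is None:
            continue
        a["steps"].append(f"{rl[0]} {rl[1].split('?')[0]}")
        if a["entry"] is None and SQLI_SIG.search(unquote_to_bytes(req.payload)):
            a["entry"] = f"{rl[0]} {rl[1]}"          # how they got in
        if len(flow) < 2:                             # request with no reply on record
            a["complete"] = False                     # cannot say what this step did
            continue
        resp = flow[1]
        size = re.search(rb"Content-Length: (\d+)", resp.payload)
        if size and int(size.group(1)) >= 10_000:     # bulk data left the server
            a["damage"].append((rl[1], int(size.group(1))))
        up = re.search(rb'filename="([^"]+)"', req.payload)
        if up and b" 200 " in resp.payload:           # upload accepted: artefact left behind
            a["artifacts"].append(up.group(1).decode())
    # The ordered request sequence is the attack's fingerprint; hash it so it
    # can be compared against future sessions without keeping the payloads.
    a["fingerprint"] = hashlib.sha256(" -> ".join(a["steps"]).encode()).hexdigest()[:16]
    return a


if __name__ == "__main__":
    print(ids_alerts(RECORD), analyze(RECORD), sep="\n")
```

The contrast is the point: the alert alone names a source address and a timestamp, while the data export, the web shell left on the server and whether the record is even complete (a request with no recorded reply flips `complete` to false) are only visible because every flow of that client was kept. Against a real recorder the same pivot is run over reassembled streams from the capture rather than a list of pre-split packets.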
While data recorders will not prevent a zero-day cyber-attack, and can only
answer questions about traffic they actually retained, the information they
provide can lead to an informed and efficient security posture within the
organization, allowing accurate attack fingerprinting and rapid retooling of
security technology and processes to deter similar attacks.