Warding Off Espionage with Network Forensics

There’s a chance you could have a spy: one watching your every move, just waiting for the perfect time to attack and hijack your precious information.

A recent InfoWorld blog serves as a wake-up call to those companies that have not taken the increasing threat of electronic espionage and network security seriously. According to the blog, a growing number of companies are being spied on electronically by sources in other countries. This isn’t the first we’ve heard of this, though: back in January, hackers from China broke into several companies’ computer networks, including Google’s, to steal information about Chinese dissidents as part of “Operation Aurora,” one of the largest cyber-attacks ever.

These incidents keep occurring because companies believe that their current security software is good enough, or they have simply ignored the issue. The truth is that to have protection from these types of stealthy spies you have to collect packet history within the network, and the only way to obtain this information is by performing forensic analysis.

Network forensics is the capture, recording, and analysis of network events. All pertinent network traffic is collected in a single location, rather than scattered across the network. Data is captured in a common data format and does not need to be transferred or translated in any way for analysis. Using network forensics data mining tools, security teams can reconstruct the sequence of events that occurred at the time of a network breach or cyber attack and get the complete picture. Forensic analysis exposes attackers, methods, and damages. Lucky for us, new and more powerful network forensic products are out there to help defend against electronic spying threats. Even though there is a vast array of network forensic technologies to choose from, organizations should know that there are really only three basic elements to any general-purpose network forensic solution:

1. Data capture and record – This is the ability to capture and store multiple gigabytes of data at high network throughput (for example, 10 Gigabit) without dropping or missing any packets. Every network forensic solution has its limitations, including sustainable throughput, packets per second, data management, search functions, etc. These limitations can and should be determined through practical lab tests, and the results should be repeatable and documented. This includes both wired and wireless networks.

2. Data discovery – Once data are recorded on the storage media, the solution should provide a mechanism to filter particular items of interest, for example, by IP address, application, context, etc.

3. Data analysis – Finally, you want some built-in assistance for examining the patterns and anomalies found during the discovery process to help you determine what actions were recorded in the captured packets.
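The three elements above map naturally onto a small pipeline: read the stored packet record, filter it down to the items of interest, and then look for patterns in what remains. The following is an added illustration, not code from the original post or from any product it alludes to. It works on a constructed capture in a simplified "ts,src,dst,dport,bytes" form (real captures would be PCAP, and the record format, the 10.0.0.0/24 internal range and the byte threshold are all assumptions). It reconstructs per-flow totals from the record and flags any internal host that has sent an unusually large amount of data to an external address, which is the kind of pattern a team investigating suspected data leakage would want the analysis stage to surface.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample capture (not real traffic). Each record is
# "timestamp,source IP,destination IP,destination port,bytes".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
# to stand in for external hosts.
SAMPLE_CAPTURE = """\
# ts,src,dst,dport,bytes
1,10.0.0.5,10.0.0.20,445,1200
2,10.0.0.5,203.0.113.7,443,52000
3,10.0.0.5,203.0.113.7,443,61000
4,10.0.0.9,10.0.0.20,80,800
5,10.0.0.9,198.51.100.4,22,300
6,10.0.0.5,203.0.113.7,443,58000
"""


@dataclass(frozen=True)
class Packet:
    ts: int
    src: str
    dst: str
    dport: int
    size: int


def parse_capture(text):
    """Element 1 (capture and record): load the stored packet record.

    Blank lines and '#' comments are skipped; everything else must be a
    well-formed record, so a corrupt line raises rather than being silently
    dropped, which matters when the record may later be relied on as evidence."""
    packets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, size = line.split(",")
        packets.append(Packet(int(ts), src, dst, int(dport), int(size)))
    return packets


def filter_packets(packets, src=None, dst=None, dport=None):
    """Element 2 (discovery): narrow the record to items of interest,
    e.g. one host, one peer, or one application port. Any criterion left
    as None is not applied."""
    return [
        p for p in packets
        if (src is None or p.src == src)
        and (dst is None or p.dst == dst)
        and (dport is None or p.dport == dport)
    ]


def reconstruct_flows(packets):
    """Group packets into (src, dst, dport) flows in time order, keeping the
    first/last timestamp and the packet and byte totals for each flow."""
    flows = {}
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst, p.dport)
        f = flows.setdefault(key, {"first_ts": p.ts, "last_ts": p.ts, "packets": 0, "bytes": 0})
        f["last_ts"] = p.ts
        f["packets"] += 1
        f["bytes"] += p.size
    return flows


def flag_large_outbound(flows, internal_net, byte_threshold):
    """Element 3 (analysis): report flows from an internal host to an external
    host whose byte total reaches the threshold, largest first. The internal
    range and threshold are assumptions to be tuned to the network in question."""
    net = ipaddress.ip_network(internal_net)
    flagged = []
    for (src, dst, dport), f in flows.items():
        outbound = ipaddress.ip_address(src) in net and ipaddress.ip_address(dst) not in net
        if outbound and f["bytes"] >= byte_threshold:
            flagged.append((src, dst, dport, f["bytes"]))
    return sorted(flagged, key=lambda x: x[3], reverse=True)


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    flows = reconstruct_flows(packets)
    for src, dst, dport, total in flag_large_outbound(flows, "10.0.0.0/24", 100_000):
        span = flows[(src, dst, dport)]
        print(f"{src} -> {dst}:{dport} sent {total} bytes between t={span['first_ts']} and t={span['last_ts']}")
```

On the constructed record this flags only the 10.0.0.5 to 203.0.113.7:443 flow (171000 bytes across three packets); the small SSH flow from 10.0.0.9 stays below the threshold. The point the three-stage split makes is that the analysis is only as good as the record beneath it: if the capture stage dropped packets at high throughput, the byte totals here would be wrong and the flow might never cross the threshold, which is why the post stresses lab-testing sustainable throughput before trusting a solution.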

The information forensic analysis provides can lead to an informed and efficient security posture within an organization to deter similar attacks in the future. As criminals get smarter and savvier, being able to detect and characterize attacks is crucial. Information leakage not only results in monetary losses but also can be a serious threat to national security. Having the right network forensic solution in place can help to discover and eliminate possible threats in your network and to provide lawful interception capabilities when needed.
