With the RSA Conference next week, network forensics will be on the minds of many. Network forensics, or post-incident analysis, is the capture, recording, and analysis of network events. Imagine having a time machine that you can use to go back in time and replay network activity – answering the what, how, and who questions. What happened? How did it happen? Who was responsible? That’s what network forensics makes possible, and the applications in the security area are fairly obvious.
Typically, network forensics solutions employ simple and complex filters to mine stored data to reveal anomalies along with what caused them and what their impacts were, including things like the magnitude of a security breach, the entry points, the impact on network performance, etc.
It’s easy to see why the industry typically associates network forensics with network security. Who doesn’t love a good whodunit? Who can resist a car chase? But to view network forensics as a weapon for combating cyber attacks is to give it short shrift.
Everyone should view network forensics as a friendly companion or aid. Network forensics is your faithful bloodhound, your handy reading glasses, and more. Here’s why: unless you’re capturing, recording, and analyzing your network on an ongoing basis, you’ll be scrambling when an incident arises. And by incident I don’t just mean an attack.
Below are three other incidents where network forensics can be extremely helpful:
1. Pinpointing the source of intermittent performance issues
On a practical level, here’s where network forensics tools really come in handy — capturing and isolating intermittent network problems, especially problems that occurred hours or days ago. Traditional “reactive” ad hoc troubleshooting is completely inadequate for dealing with intermittent issues. If the issue is intermittent, by definition you don’t know when it’s going to occur, and odds are you have little else to go on in attempting to reproduce it. In a reactive mode you just wait around for it to happen again and hope you’re paying attention the next time around. With network forensics, you already have a record of the intermittent event because you’re always capturing all of the traffic on the network segment. Use the built-in user interface to scan back in time, and when there’s an indication of a problem, drill into that time period and begin analyzing. The time saved in not having to reproduce the problem is huge! That’s often where most of the time is spent in troubleshooting problems like intermittent network performance.
2. Business transaction analysis
For transactions that take place in clear text, such as SQL, HTTP requests, FTP, or telnet, network forensics allows the network administrator to create the ultimate audit trail for business transactions: not just server activity, but entire business transactions enacted by clients and servers, including network timing, which can be critical in analyzing financial transactions. Additionally, with network forensics you can troubleshoot transaction problems that server logs miss.
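The two uses above, scanning a continuous capture back in time for an intermittent latency problem and rebuilding one client's transactions with their timing, come down to querying a store of timestamped records. The following is an added example written for this post, not code from the original author or any product it refers to. The capture records, addresses, request strings and the two planted latency spikes are all constructed; a real capture appliance would supply the records from its packet store.

```python
"""Constructed example: mining a continuous capture for intermittent
latency spikes and for a per-client transaction audit trail.
The records below are hand-built stand-ins for what a capture store
would hold; they are not data from the original post."""
from collections import defaultdict
from datetime import datetime

# Constructed capture records: (timestamp, client, server, protocol,
# request summary, server response time in milliseconds).
# Two spikes are planted at 10:04 and 10:17 to stand in for an
# intermittent problem on the database server.
CAPTURE = [
    ("2024-03-01T10:00:05", "10.0.1.15", "10.0.9.2", "SQL", "SELECT balance FROM acct WHERE id=42", 12),
    ("2024-03-01T10:00:30", "10.0.1.22", "10.0.9.4", "HTTP", "GET /orders/1001", 35),
    ("2024-03-01T10:01:10", "10.0.1.15", "10.0.9.4", "HTTP", "POST /orders", 48),
    ("2024-03-01T10:04:02", "10.0.1.15", "10.0.9.2", "SQL", "UPDATE acct SET balance=... WHERE id=42", 2400),
    ("2024-03-01T10:04:20", "10.0.1.22", "10.0.9.2", "SQL", "SELECT * FROM orders WHERE id=1001", 1950),
    ("2024-03-01T10:08:45", "10.0.1.15", "10.0.9.4", "HTTP", "GET /orders/1002", 40),
    ("2024-03-01T10:12:00", "10.0.1.30", "10.0.9.5", "FTP", "RETR report.csv", 300),
    ("2024-03-01T10:17:33", "10.0.1.22", "10.0.9.2", "SQL", "SELECT balance FROM acct WHERE id=7", 3100),
    ("2024-03-01T10:21:00", "10.0.1.15", "10.0.9.4", "HTTP", "GET /orders/1003", 38),
]


def parse_records(raw):
    """Turn the constructed tuples into dicts with a real datetime."""
    return [
        {"ts": datetime.fromisoformat(ts), "client": c, "server": s,
         "proto": p, "request": r, "ms": ms}
        for ts, c, s, p, r, ms in raw
    ]


def find_slow_windows(records, window_minutes=5, threshold_ms=1000):
    """'Scan back in time': bucket the capture into fixed windows and
    return those whose worst response time crosses the threshold.
    Each hit names the window start, the peak latency and the server,
    which is where an analyst would drill in."""
    buckets = defaultdict(list)
    for rec in records:
        minute = rec["ts"].minute - rec["ts"].minute % window_minutes
        start = rec["ts"].replace(minute=minute, second=0, microsecond=0)
        buckets[start].append(rec)
    hits = []
    for start in sorted(buckets):
        worst = max(buckets[start], key=lambda r: r["ms"])
        if worst["ms"] >= threshold_ms:
            hits.append({"window_start": start, "peak_ms": worst["ms"],
                         "server": worst["server"], "proto": worst["proto"]})
    return hits


def transaction_audit_trail(records, client):
    """Rebuild one client's transactions in order, each with its response
    time and the seconds elapsed since the client's previous request,
    timing that a server log on its own does not give you."""
    trail = []
    prev = None
    mine = sorted((r for r in records if r["client"] == client), key=lambda r: r["ts"])
    for rec in mine:
        gap = (rec["ts"] - prev).total_seconds() if prev else 0.0
        trail.append((rec["ts"].isoformat(), rec["proto"], rec["request"], rec["ms"], gap))
        prev = rec["ts"]
    return trail


if __name__ == "__main__":
    recs = parse_records(CAPTURE)
    for hit in find_slow_windows(recs):
        print(f"{hit['window_start']:%H:%M} peak {hit['peak_ms']} ms on {hit['server']} ({hit['proto']})")
    for row in transaction_audit_trail(recs, "10.0.1.15"):
        print(row)
```

Running it flags the 10:00 and 10:15 windows, both peaking on the constructed database server, and lists the five transactions of client 10.0.1.15 with the gap between each; the window size and threshold are the knobs you would tune to the segment's normal behaviour.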
3. Monitoring User Activity
Social networking sites like Facebook and Twitter have been shown to zap productivity in the workplace. As a result, many organizations have user policies that prohibit, or at least curtail, such activities. Additionally, policies prohibiting non-work-related “bandwidth sucking” download activities (music, videos, games, etc.) are common. Lastly, to skirt corporate usage policies, users may attempt to use a proxy server, opening up the network to various malware. Network forensics allows all these “rogue” activities to be monitored, revealing details as to who broke policy, what policy infraction was committed, and at what time it occurred.
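The who, what and when report described above is a matter of matching captured connection records against the acceptable-use policy. Here is an added example, written for this post rather than taken from it or from any product; the policy categories, the hostnames under them and the capture lines are all constructed, and a real deployment would take the host categorisation from a maintained feed and the records from the capture store.

```python
"""Constructed example: checking captured connections against an
acceptable-use policy and reporting who, what and when.
Policy categories, hostnames and capture lines are all made up for
this example; they are not from the original post."""
from datetime import datetime

# Constructed policy: category -> hostnames that fall under it.
POLICY = {
    "social networking": {"facebook.example", "twitter.example"},
    "bandwidth-heavy downloads": {"torrents.example", "video-cdn.example"},
    "anonymising proxy": {"freeproxy.example", "hideme.example"},
}

# Constructed capture, one observed connection per line:
# "<ISO time> <user> <destination host> <bytes transferred>".
# The last line is deliberately malformed to show it being skipped.
CAPTURE_LINES = """\
2024-03-01T09:02:11 alice intranet.corp.example 4120
2024-03-01T09:15:40 bob facebook.example 88213
2024-03-01T09:16:05 bob facebook.example 120551
2024-03-01T10:03:59 carol video-cdn.example 734003211
2024-03-01T10:45:12 dave hideme.example 2301
2024-03-01T11:10:00 alice mail.corp.example 9100
2024-03-01T11:30:00 eve
"""


def host_category(host):
    """Return the policy category a host falls under, or None."""
    for category, hosts in POLICY.items():
        if host in hosts:
            return category
    return None


def parse_capture(text):
    """Parse the constructed capture lines into dicts; malformed lines
    are skipped so one bad record does not abort the report."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, host, nbytes = parts
        try:
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "host": host, "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def policy_infractions(records):
    """One finding per (user, category): who, what, first and last time
    seen, how many connections and how much data moved."""
    findings = {}
    for rec in records:
        category = host_category(rec["host"])
        if category is None:
            continue
        key = (rec["user"], category)
        f = findings.setdefault(key, {
            "user": rec["user"], "infraction": category,
            "first": rec["ts"], "last": rec["ts"],
            "connections": 0, "bytes": 0, "hosts": set()})
        f["first"] = min(f["first"], rec["ts"])
        f["last"] = max(f["last"], rec["ts"])
        f["connections"] += 1
        f["bytes"] += rec["bytes"]
        f["hosts"].add(rec["host"])
    return sorted(findings.values(), key=lambda f: f["first"])


if __name__ == "__main__":
    for f in policy_infractions(parse_capture(CAPTURE_LINES)):
        print(f"{f['user']}: {f['infraction']} via {', '.join(sorted(f['hosts']))} "
              f"{f['first']:%H:%M}-{f['last']:%H:%M}, "
              f"{f['connections']} connection(s), {f['bytes']} bytes")
```

The report collapses repeated connections into one finding per user and category, keeping the first and last timestamps so the "when" is a span rather than a single hit, and the byte count separates a stray click from sustained download activity.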
Isn’t it time we expand our view of network forensics? To learn more about network forensics, check out our Network Forensics 101: Finding the Needle in the Haystack white paper.