Advanced persistent threats (APT) have been the method of attack used in some of the most highly publicized security breaches this year: RSA, Google and Sony. Yet there are many simple defense strategies that both large and small companies can adopt to avoid these situations, as detailed in a recent article from ComputerWeekly. One major staple it mentions is network forensics.
Historically, network forensics has been used for post-incident troubleshooting and for fine-tuning network performance. For example, it can show why the network is performing badly: an overloaded router, a slow DNS server, and so on. However, network forensics can also capture, record and analyze network events to discover the source of security attacks.
There are two common situations where network forensics is used for security purposes:
- First, you already have a case to work on, for example a lead from your firewall or IPS log that requires you to go back to the captured packets for further analysis.
- Second, you are trying to look for something abnormal or suspicious in all the traffic that you have recorded.
In the second case, network forensics can quickly point you in the right direction.
A key feature of network forensics is the ability to see important statistics in real time while continuing to record abnormal or suspicious traffic on the network. Seeing statistics in real time provides assurance that you are on the right track.
Real-time statistics provide assurance, but the crux of network forensics is drilling into the recorded data for the detail needed to discover DDoS attacks, worm outbreaks or other abnormal activity.
Suspicious Events Discovery:
Expert modules, such as those embedded in the OmniPeek Distributed Analysis Suite, can detect potential attack activity or problems at any of the seven OSI layers.
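The workflow described above (real-time statistics, then flagging DDoS- and worm-like patterns and pulling the matching packets out of the recording) is illustrated by the following added Python example. It is not OmniPeek's code nor anything from the ComputerWeekly article; the packet records, addresses, ports and detection thresholds are constructed for illustration, and the rules are deliberately simple so the logic is visible.

```python
"""Added example (not OmniPeek's or ComputerWeekly's code): rule-based
suspicious-event discovery over recorded packet metadata.

Each packet record is a tuple:
    (timestamp_seconds, src_ip, dst_ip, dst_port, proto, tcp_flags)
tcp_flags is "S" for a bare SYN, "SA" for SYN-ACK, "A" for ACK, "" for non-TCP.
All addresses, ports and thresholds below are constructed for illustration.
"""
from collections import defaultdict

FIELDS = ("ts", "src", "dst", "port", "proto", "flags")


def _build_sample():
    """Constructed capture: one normal session, a SYN flood, and a worm-like scan."""
    pkts = [
        # normal client completing a handshake, then a DNS lookup
        (0.00, "10.0.0.10", "10.0.0.5", 80, "tcp", "S"),
        (0.01, "10.0.0.5", "10.0.0.10", 51000, "tcp", "SA"),
        (0.02, "10.0.0.10", "10.0.0.5", 80, "tcp", "A"),
        (0.05, "10.0.0.10", "10.0.0.53", 53, "udp", ""),
    ]
    # SYN flood: 12 distinct (constructed) sources hit 10.0.0.5:80 within 0.3 s
    for i in range(12):
        pkts.append((1.0 + i * 0.025, f"203.0.113.{i + 1}", "10.0.0.5", 80, "tcp", "S"))
    # worm-like fan-out: one internal host probes SMB on eight neighbours
    for i in range(8):
        pkts.append((2.0 + i * 0.1, "10.0.0.23", f"10.0.1.{i + 1}", 445, "tcp", "S"))
    return sorted(pkts)


SAMPLE_PACKETS = _build_sample()


def packets_per_second(packets):
    """Real-time style statistic: packet count per one-second bucket."""
    buckets = defaultdict(int)
    for ts, *_ in packets:
        buckets[int(ts)] += 1
    return dict(buckets)


def syn_flood_candidates(packets, window=1.0, min_syns=10, min_sources=5):
    """Flag (dst_ip, dst_port) pairs that receive many SYNs from many distinct
    sources inside one time window: the signature of a SYN-flood style DDoS."""
    syns = defaultdict(list)  # (dst, port) -> [(ts, src), ...]
    for ts, src, dst, port, proto, flags in packets:
        if proto == "tcp" and flags == "S":
            syns[(dst, port)].append((ts, src))
    hits = {}
    for key, events in syns.items():
        events.sort()
        for i, (t0, _) in enumerate(events):  # slide the window over each SYN
            in_window = [s for t, s in events[i:] if t - t0 <= window]
            if len(in_window) >= min_syns and len(set(in_window)) >= min_sources:
                hits[key] = {"syns": len(in_window), "sources": len(set(in_window))}
                break
    return hits


def scan_candidates(packets, min_targets=5):
    """Flag sources that send SYNs to many distinct hosts on the same port:
    the fan-out pattern of a scanning worm."""
    fanout = defaultdict(set)  # (src, port) -> {dst_ip, ...}
    for _, src, dst, port, proto, flags in packets:
        if proto == "tcp" and flags == "S":
            fanout[(src, port)].add(dst)
    return {k: len(v) for k, v in fanout.items() if len(v) >= min_targets}


def drill_down(packets, **criteria):
    """Fetch the recorded packets matching one or more field values, e.g.
    drill_down(pkts, src="10.0.0.23") or drill_down(pkts, dst="10.0.0.5", flags="S")."""
    return [p for p in packets
            if all(dict(zip(FIELDS, p))[k] == v for k, v in criteria.items())]


if __name__ == "__main__":
    print("packets/sec:", packets_per_second(SAMPLE_PACKETS))
    print("SYN-flood candidates:", syn_flood_candidates(SAMPLE_PACKETS))
    print("scan candidates:", scan_candidates(SAMPLE_PACKETS))
    print("packets from 10.0.0.23:", len(drill_down(SAMPLE_PACKETS, src="10.0.0.23")))
```

The per-second bucket stands in for the real-time statistics view: the spike in bucket 1 is what prompts a closer look. The two rule functions then name a destination under SYN pressure and a source fanning out across neighbours, and `drill_down` performs the "fetch by one or more parameters" step so the analyst can read the actual packets behind each flag rather than just the counts.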
It is important to have a network forensics solution that continuously captures and records your data, can isolate the relevant network data (i.e., it must be able to automatically extract or fetch traffic using one or more parameters), and supports packet-level drill-down so the problem can be fully resolved. Having this in place, along with the suggestions in the ComputerWeekly article, will help keep you safe against APT and other attacks.