How to Clean Up After a Security Breach with WildPackets

As a network administrator there is no greater nightmare than a security breach. Your network has just been under siege, and you have an extremely limited amount of time to discover the attack, report the incident, find the holes in your system, and understand what damage has been done or might continue to occur on your network. This task needs to be done quickly as solving these problems fast will reduce the overall impact and cost.

Here at WildPackets, we recognize that no amount of security can protect all of your data all of the time. New vulnerabilities are discovered daily, and exploits are quickly available in security test tools such as Metasploit. Joshua Corman, Director of Security Intelligence at Akamai, humorously calls this HD Moore’s Law (after Metasploit’s creator, HD Moore). If your security doesn’t protect against a casual attacker using the latest common attack tools, it’s not really secure. Yesterday’s security isn’t enough to stop today’s attack.

Fortunately, there are actions you can take to minimize the damage of attacks. Think of how companies secure their buildings, using multiple layers of physical security to protect their assets. The locked doors are designed to prevent intrusion. Those doors also have sensors to detect that they’ve been opened. Companies that are serious about their security also have cameras to watch and record what intruders are doing. As a final layer, security guards are there to listen for alarms, watch the cameras, and catch what the automated systems don’t.

WildPackets software and appliances use a practice known as Network Forensics to act like security cameras for your network. Continuous capture makes sure that security events are recorded as they occur. Additionally, live statistical views and Expert analysis provide real-time visibility, so the NOC can monitor the network like security guards. The NOC can even single-click to download the packets, escalating the event to the security team for in-depth Network Forensic analysis.

The basic elements that a Network Forensics solution should include are:

  • Data Capture and Recording: This is the ability to capture and store multiple terabytes of data from high-throughput networks (for example, 10 Gigabit) without dropping or missing any packets.
  • Detailed Inspection Capabilities: Once data is recorded on the storage media, the solution should provide a mechanism to filter particular items of interest, for example, by IP address, application, timeframe, context, etc.
  • In-Depth Data Analysis: Finally, you want some built-in assistance for examining the patterns and anomalies found during the discovery process to help you track the attacker’s actions in the captured packets.

Network Forensics depends on catching events as they occur, so you need a network recorder and analyzer. WildPackets makes a variety of recorders, from single-server OmniEngine Desktop software probes to multi-gigabit Omnipliances, all the way up to the 10G wire-speed TimeLine network recorder. All of these distributed capture solutions report in real time back to OmniPeek Enterprise, which acts as a central console for complete network visibility.

The TimeLine network recorder has been especially popular with WildPackets customers looking for a Network Forensics preventative solution. Its ability to capture traffic at high speeds from multiple locations, such as transit VLANs on core switches or links between the Internet and the internal network, makes it a technically and financially compelling solution for converged packet capture. With its live IP packet data capture and deep packet inspection technology, every single packet and conversation is recorded, visualized for real-time NOC monitoring, and stored in a central location for on-demand analysis. Using TimeLine’s Network Forensics data mining capabilities, security teams can reconstruct the sequence of events that occurred at the time of a network breach or cyber attack and get the complete picture.

Timeline view

TimeLine is designed so you can take the necessary steps to extract information from the network data, and solve the problem.

When was the breach detected?
One of the most difficult aspects of a breach is simply discovering it. WildPackets complements traditional security detection systems, such as IDS and log monitoring. Additionally, the OmniPeek console can generate alerts about traffic captured on any connected network recorder, based on Expert analysis or arbitrarily complex filters, then send traps, send emails, or export its log messages to a SIEM. The additional analysis and visibility improve the chances of detecting breaches as they happen.

If the breach is discovered right away, the Timeline view feature in OmniPeek provides zoomable visualization and statistics for remote packet capture. The NOC can use the Timeline view to perform an initial investigation of anomalies by zooming into the suspect timeframe and examining the mix of protocols and top talkers at that point in time. OmniPeek then supports NOC escalation procedures with the single-click “Download Packets” button, which produces a high-resolution snapshot of the network during that timeframe. The packet capture file can then be attached to a ticket for dispatch to the security team.

If the breach isn’t discovered right away, or if a larger investigation is needed, the security team can use the Forensic Search feature to find packets from that timeframe using arbitrarily complex filters. Given that high speed networks transmit a lot of data, all WildPackets network recorders support complex capture filters to extend how long recorded traffic can be retained.

Who was the intruder?
Once a breach has been detected, the first step is to identify the source. Depending on how the breach was detected, you may already have the remote IP address. If you don’t have this information, WildPackets network recorders allow you to drill down into the network traffic. Which server was affected? What were the connections to that server during the time frame? OmniPeek’s Expert views will display all flows and connections in the capture, with a straightforward organization by protocol, server, and client. If the breach happened via a web server, as is most common, the Web views will organize the information in multiple different ways, including by page request. Viewing by web page request has the benefit that common client requests will all be grouped together, making uncommon requests – such as inline SQL injection – much easier to identify.

How far did they get into my system?
With the location on the network determined, the next step is to find out how far the intruder breached your network defences. What you’re looking for initially are connections from the attack IP to other systems in your network. OmniPeek makes this easy with the “Peer Map” feature, which visually displays connections between IP addresses. From there, it’s a good idea to filter on those connections. Filtering is simple with the “Select Packets” feature: right-click just about anywhere in the program, click “Select Packets” by the attacker IP, and OmniPeek will open a new tab pre-filtered on just that traffic. In that new tab, all of the Expert analysis, statistics, etc., are also filtered to look just at that traffic.

While some breaches are smash-and-grab connections to a single server, others are multi-hop attacks, where an intruder compromises a DMZ server, and from there attacks an internal server. Full investigation of the extent of the attack may take some time and effort, especially if the packet analyser only supports a single filter at a time. OmniPeek reduces the complexity of breach-tracing with its multi-tab architecture. Applying a filter optionally creates a new tab, allowing the kind of in-depth analysis that simply isn’t possible when limited to a single view of packets. Tracing activity among multiple servers is a manageable task with OmniPeek.
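The two investigation steps above, as an added example that is not WildPackets’ or OmniPeek’s code: the request-path grouping that makes a one-off request stand out, and a peer-map walk from the attacker IP that follows a multi-hop (DMZ, then internal) path. The request log and flow records are constructed sample data, and the hosts, timestamps and ports are assumptions; the walk only follows flows a host sends after it was first contacted, so the DMZ server’s pre-breach connections are not counted as lateral movement.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the page): web requests as
# (client_ip, request_path) and flows as (timestamp, src_ip, dst_ip, dst_port).
REQUESTS = [
    ("10.0.0.30", "/index.html"),
    ("10.0.0.31", "/index.html"),
    ("10.0.0.30", "/login"),
    ("10.0.0.32", "/login"),
    ("203.0.113.7", "/login?user=admin'--"),  # the one-off request
    ("10.0.0.31", "/index.html"),
]
FLOWS = [
    (30, "10.0.0.20", "10.0.0.5", 3306),      # pre-breach, unrelated
    (50, "192.0.2.10", "10.0.0.5", 3306),     # DMZ web -> DB, before the breach
    (100, "203.0.113.7", "192.0.2.10", 443),  # attacker -> DMZ web server
    (120, "10.0.0.30", "192.0.2.10", 443),    # normal client, inbound to DMZ
    (160, "192.0.2.10", "10.0.0.5", 3306),    # DMZ -> DB after compromise
    (170, "192.0.2.10", "10.0.0.9", 445),     # DMZ -> file server
    (180, "10.0.0.9", "10.0.0.20", 22),       # file server -> internal host
]

def rare_requests(requests, max_count=1):
    """Step 1 (who was the intruder?): group requests by path, as the Web
    page-request view does, and return the paths seen at most max_count
    times together with the clients that sent them."""
    counts = Counter(path for _, path in requests)
    clients = defaultdict(set)
    for ip, path in requests:
        clients[path].add(ip)
    return {p: sorted(clients[p]) for p, c in counts.items() if c <= max_count}

def trace_reach(flows, attacker_ip):
    """Step 2 (how far did they get?): walk the peer map forward in time.
    A host becomes suspect when an already-suspect host connects to it, and
    only flows it sends from that moment on are followed, so the DMZ server's
    pre-breach traffic (t=50) is not mistaken for lateral movement.
    Returns {host: (first_contact_ts, hops_from_attacker)}."""
    suspect = {attacker_ip: (float("-inf"), 0)}
    for ts, src, dst, _port in sorted(flows):
        if src in suspect and dst not in suspect:
            suspect[dst] = (ts, suspect[src][1] + 1)
    return suspect

if __name__ == "__main__":
    print("uncommon requests:", rare_requests(REQUESTS))
    for host, (ts, hops) in sorted(trace_reach(FLOWS, "203.0.113.7").items(),
                                   key=lambda kv: kv[1]):
        print(f"{host:<14} first contact t={ts}  hops={hops}")
```

With real captures, the same time-ordered walk should be bounded to the investigation window, since an unbounded walk over a busy network eventually marks every host that a suspect host ever talks to.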

What can I do to prevent this next time?
The final step in incident response is applying what you’ve learned. The forensic investigation will likely uncover forgotten firewall rules, unpatched servers, and maybe even bugs in your internally-developed code.

While OmniEngine can’t adjust your firewall rules and TimeLine can’t fix your bugs, your WildPackets network recorder infrastructure can still help you prepare for the next attack. During the forensic investigation, tracking the scope of the breach likely required you to create several new, fine-tuned advanced filters. Those filters can be saved and re-used for triggers and alerts on your live network monitoring. What you learned during this attack can improve your reaction time to the next one.

Network Forensics is an essential, but often overlooked, part of any comprehensive security strategy. With WildPackets Network Forensics solutions, data is always available for reconstruction and easy analysis of performance issues, cyber attacks, or data breaches. Our network forensics data mining tools can be powerful weapons in the fight against cybercrime and policy violations, but the key is to have a solution in place now, before you have a need for post-incident analysis.

To learn more about the benefits of employing a Network Forensics solution, check out our webinar, “Cyber Security – IDS/IPS Is Not Enough” and White Paper, “Network Forensics: How to Optimize Your Digital Investigation.”
