Real World: Network Forensics

Network attacks are increasing in frequency, sophistication and cost: the 2013 Cost of Cyber Crime Study by HP and the Ponemon Institute found that cybercrime cost large enterprises $11.56 million on average, up 78 percent from 2009. Yet the time it takes IT organizations to resolve attacks rose even faster over the same period, increasing 130 percent. Why is this?

Over the last several years, network speeds have increased by a factor of 10. Networks are now too fast for legacy network analysis tools, which can no longer achieve detailed packet-level analysis, the type of analysis that is essential for characterizing new, stealthy attacks. The result: IT is doing more, but seeing less.

The solution: Network Forensics.
Today, traffic flies by much too quickly for IT engineers to accurately monitor and analyze in detail using real-time dashboards alone. Network forensics provides IT engineers with the ability to analyze captured traffic – the only way to fully understand what has taken place on a high-speed network, which problems, if any, are occurring, and how they might be solved.

Following are three real-world examples of the results that detailed, packet-based network forensics can provide:

From Vague Alert to Containment and Remediation
Network forensics can be used to identify compromised systems when attacked. Here’s one such example:

One of our customers received an alert about unusual activity on a server. IT then discovered that the server on their enterprise network had been compromised. Unfortunately, the security tool that raised the alert provided no further information about the attack, such as who the culprit was and which other systems, if any, had also been compromised. To answer these questions, the team turned to their network forensics system. Using network forensics, the team was able to see that the compromised system had initiated a spike in Common Internet File System (CIFS) traffic shortly after the attack had begun.

Because the network forensics appliance had recorded all network traffic around the time of the spike, the team was able to examine network activity in detail to explore this burst of traffic and its consequences.

Next, the team filtered traffic to show communications only from the compromised server. This made it easy to identify the three other systems that the compromised server had communicated with after the attack. Now the IT team had the information they needed to contain the attack and reverse its effects.
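The triage described above, as an added example that is not part of the original post: the flow records, the host addresses and the thresholds below are constructed, standing in for the per-packet record a forensics appliance would replay. The script finds the first window in which the suspect host's CIFS (TCP/445) volume jumps far above its own earlier baseline, then lists every peer the host contacted from that point on, which is the filtering step the team performed by hand.

```python
"""Triage a compromised host from recorded traffic: find the CIFS (TCP/445)
spike it generated, then list every peer it talked to from that moment on."""
from collections import Counter, defaultdict

# Constructed flow summaries: (timestamp in seconds, src, dst, dst port, bytes).
# 10.0.0.5 is the host the alert fired on; the addresses are illustrative.
FLOWS = [
    (0,   "10.0.0.5", "10.0.0.20",    445, 4_000),
    (30,  "10.0.0.5", "10.0.0.20",    445, 3_000),
    (90,  "10.0.0.5", "10.0.0.20",    445, 5_000),
    (150, "10.0.0.5", "203.0.113.9",  443, 20_000),     # outbound contact just before the spike
    (200, "10.0.0.5", "10.0.0.21",    445, 900_000),    # CIFS spike begins
    (210, "10.0.0.5", "10.0.0.22",    445, 1_200_000),
    (230, "10.0.0.5", "10.0.0.23",    445, 800_000),
    (260, "10.0.0.5", "10.0.0.23",    445, 950_000),
    (400, "10.0.0.7", "10.0.0.20",    445, 2_000),      # unrelated host, normal activity
]

CIFS_PORT = 445


def bytes_per_window(flows, host, window=60, port=CIFS_PORT):
    """Sum the bytes `host` sent to `port` in each `window`-second bucket."""
    buckets = Counter()
    for ts, src, _dst, dport, nbytes in flows:
        if src == host and dport == port:
            buckets[ts // window * window] += nbytes
    return dict(sorted(buckets.items()))


def find_spike(flows, host, window=60, factor=10.0):
    """Start of the first bucket whose CIFS volume exceeds `factor` times the
    median of the buckets before it, or None if the host never spikes."""
    history = []
    for start, total in bytes_per_window(flows, host, window).items():
        if history:
            baseline = sorted(history)[len(history) // 2]
            if total > factor * baseline:
                return start
        history.append(total)
    return None


def peers_after(flows, host, since, lookback=0):
    """Every destination `host` initiated traffic to at or after `since`
    (minus `lookback` seconds), with the destination ports seen."""
    peers = defaultdict(set)
    for ts, src, dst, dport, _nbytes in flows:
        if src == host and ts >= since - lookback:
            peers[dst].add(dport)
    return {dst: sorted(ports) for dst, ports in peers.items()}


if __name__ == "__main__":
    suspect = "10.0.0.5"
    spike = find_spike(FLOWS, suspect)
    print(f"CIFS spike from {suspect} starts at t={spike}s")
    for dst, ports in peers_after(FLOWS, suspect, spike, lookback=60).items():
        print(f"  contacted {dst} on ports {ports}")
```

Two points worth carrying over to a real capture: the spike is reported at a bucket boundary, so widen the search backwards (the `lookback` argument) or the initial contact that preceded the lateral movement, here the TCP/443 flow to 203.0.113.9, is missed; and the baseline is the host's own history, so a file server that always moves a lot of CIFS traffic is compared against itself rather than against a network-wide average.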

Compliance and Leaked Data
Today, IT teams often use network forensics to ensure that traffic complies with regulations and to demonstrate that compliance to auditors.

Using tools like the Peer Map below, IT engineers can monitor and record traffic patterns, demonstrating to auditors which users have access to which resources, and which devices are talking to which other devices.

Using filters, network forensics can quickly identify any network traffic that contains strings that look like a Social Security number, a phone number, a credit card number, etc., sent in clear text. Since these filters match only packets carrying such personal data, the hope is that they never match at all. If they do find matches, the network forensics solution alerts the IT team immediately so that engineers can review the data and prevent further loss.
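The kind of cleartext filter described above, as an added example that is not code from the original post or from any vendor's product. The payloads are constructed HTTP request bodies; the patterns cover the three data types the text names. Card candidates are Luhn-checked before they are reported, because a 16-digit order or tracking number otherwise pages the team as often as a real card does.

```python
"""Flag cleartext payloads that carry personal data: a US Social Security
number, a phone number or a payment card number (Luhn-validated)."""
import re

# SSN: area not 000/666/9xx, group not 00, serial not 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# North American phone number with a separator, optional parentheses on the area code.
PHONE_RE = re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b")
# 13 to 19 digits, optionally separated by single spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits):
    """True if the digit string passes the Luhn check used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 else d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(payload):
    """Return (kind, matched_text) for every personal-data string in `payload`."""
    hits = []
    for m in SSN_RE.finditer(payload):
        hits.append(("ssn", m.group()))
    for m in PHONE_RE.finditer(payload):
        hits.append(("phone", m.group()))
    for m in CARD_RE.finditer(payload):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(("card", m.group()))
    return hits


# Constructed request bodies standing in for reassembled cleartext payloads.
PAYLOADS = [
    "POST /checkout card=4111 1111 1111 1111&exp=12/26",      # test card number, Luhn-valid
    "POST /enroll name=Hilda&ssn=078-05-1120",                 # well-known sample SSN
    "GET /status?order=1234567890123456&total=19.99",          # 16 digits, fails Luhn: no alert
    "Contact: (555) 867-5309, ref 1234567890123456",           # phone only
]


def scan(payloads):
    """Index every payload and return (payload index, kind, match) tuples."""
    return [(i, kind, text) for i, p in enumerate(payloads) for kind, text in find_pii(p)]


if __name__ == "__main__":
    for idx, kind, text in scan(PAYLOADS):
        print(f"payload {idx}: {kind} -> {text}")
```

Run the filter over reassembled stream payloads rather than individual packets: a number that straddles a TCP segment boundary matches neither half. And since the patterns only see clear text, a clean result says nothing about what leaves inside TLS; that is a limit of the approach, not a finding.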

Transaction Verification for Troubleshooting and Customer Service
Because network forensics captures all aspects of network traffic, including the IP addresses of senders and receivers and all data transmitted between them, companies can use it to verify transactions, especially those of a financial nature, when they are called into question.

This proves to be a valuable capability for one of the world's leading online gambling groups, with more than 10 million customers, when specific online gaming sessions are called into question by customers. You can imagine the reasons: it wasn't me, my credit card was stolen, and so on.

In response, the online gambling company uses network forensics to verify that the IP address and other characteristics of the traffic for the sessions in question match the user's previous activity with the company. This provides all the data they need to refute the claims and collect the funds that are due.

Network analysis for the future
The network analysis tools that organizations have invested in over the past decade are simply not able to keep up with today's high-speed networks. New tools and IT practices are necessary to keep new networks running as smoothly and securely as old ones. Network forensics enables organizations to realize the full benefits of 10G and 40G networks: high performance with the control and security that IT organizations take for granted on 1G networks.