In the aftermath of the eBay breach, there have been numerous articles in the media examining what eBay could have done to prevent the breach, better ways that they could have reacted to the breach, and recommendations for eBay users who think they may have been affected by the breach. But as we learn more about the fallout from the eBay attack, one thing is clear – network forensics could have played a crucial role in answering some of the still unanswered questions about the breach.
One of the more interesting pieces of information to come out of the eBay breach was that it occurred in late February or early March, but wasn’t detected by the company until earlier this month. For a large Internet corporation sitting on an abundance of customer data, that is a long time for an intrusion to go unnoticed. How could eBay have figured out the details of the breach sooner? One tactic would have been deploying network forensics.
Network forensics allows for the capture, storage, and analysis of all network events – including any and all activity on the network, from initial access to data transfers to application usage. With network forensics, eBay – or any victim of a security breach or vulnerability – could monitor packet-level data. Packet-level forensics provides a complete recording of all network activity, down to each and every bit that gets transmitted and communicated on a network. With packet-based analysis, you can quickly verify security alerts, determining whether they are false positives or real. If real, you can take action immediately, reducing your response time to minutes or hours vs. weeks or months. If the alert is merely a false positive, you’ll have definitive analysis to validate your assumptions, and detailed data to use in tuning your security systems to reduce the number of false positives and increase the validity of future security alerts.
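The alert-verification workflow described above can be shown concretely. The following is an added example, not code from the original article or from any vendor product: it reconstructs bidirectional TCP flows from packet-level capture records, then checks an alert ("large outbound transfer from host X to server Y") against what the capture actually shows. All packet records, hosts and alerts are constructed for illustration; the flow reconstruction is a simplified stand-in for what a full packet-capture system keeps, and the 5000-byte threshold and the one-second time slack are assumed tuning values.

```python
"""Verify IDS alerts against packet-level capture records (constructed data)."""
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float          # capture timestamp, epoch seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: str         # TCP flags as letters: S, A, P, F (e.g. "SA")
    payload_len: int   # bytes of application payload in this segment


@dataclass
class Flow:
    client: str
    client_port: int
    server: str
    server_port: int
    first_ts: float
    last_ts: float
    packets: int = 0
    bytes_to_server: int = 0    # client -> server payload bytes
    bytes_to_client: int = 0    # server -> client payload bytes
    saw_syn: bool = False
    saw_synack: bool = False
    handshake_done: bool = False


def build_flows(packets):
    """Group packets into bidirectional TCP flows keyed on the 4-tuple.
    The endpoint that sends the first packet is treated as the client."""
    flows = {}
    for p in sorted(packets, key=lambda x: x.ts):
        key = frozenset({(p.src, p.sport), (p.dst, p.dport)})
        f = flows.get(key)
        if f is None:
            f = Flow(p.src, p.sport, p.dst, p.dport, p.ts, p.ts)
            flows[key] = f
        f.last_ts = p.ts
        f.packets += 1
        if (p.src, p.sport) == (f.client, f.client_port):
            f.bytes_to_server += p.payload_len
            if p.flags == "S":
                f.saw_syn = True
            elif "A" in p.flags and f.saw_synack:
                f.handshake_done = True      # client ACKed the SYN-ACK
        else:
            f.bytes_to_client += p.payload_len
            if p.flags == "SA" and f.saw_syn:
                f.saw_synack = True
    return list(flows.values())


def verify_alert(alert, flows, threshold_bytes=5000, slack=1.0):
    """Check an alert claiming a large outbound transfer from alert['src'] to
    alert['dst']:alert['dport'] around alert['ts'] against the captured flows.
    Returns a verdict together with the packet-level evidence behind it."""
    matches = [f for f in flows
               if f.client == alert["src"] and f.server == alert["dst"]
               and f.server_port == alert["dport"]
               and f.first_ts - slack <= alert["ts"] <= f.last_ts + slack]
    if not matches:
        return {"verdict": "no_evidence", "flows": 0}
    f = max(matches, key=lambda x: x.bytes_to_server)
    evidence = {"flows": len(matches), "handshake_done": f.handshake_done,
                "bytes_to_server": f.bytes_to_server,
                "bytes_to_client": f.bytes_to_client,
                "duration_s": round(f.last_ts - f.first_ts, 3)}
    if not f.handshake_done:
        evidence["verdict"] = "false_positive"   # connection never established
    elif f.bytes_to_server >= threshold_bytes:
        evidence["verdict"] = "corroborated"     # data really left the host
    else:
        evidence["verdict"] = "false_positive"   # established, but little moved
    return evidence


# Constructed capture: flow A completes a handshake and pushes ~7 KB out;
# flow B is a SYN (plus retransmit) that the server never answered.
CAPTURE = [
    Packet(1000.000, "10.0.5.23", 51000, "203.0.113.9", 443, "S", 0),
    Packet(1000.010, "203.0.113.9", 443, "10.0.5.23", 51000, "SA", 0),
    Packet(1000.020, "10.0.5.23", 51000, "203.0.113.9", 443, "A", 0),
] + [
    Packet(1000.1 + i * 0.05, "10.0.5.23", 51000, "203.0.113.9", 443, "PA", 1400)
    for i in range(5)
] + [
    Packet(1000.400, "203.0.113.9", 443, "10.0.5.23", 51000, "PA", 200),
    Packet(1000.500, "10.0.5.23", 51000, "203.0.113.9", 443, "FA", 0),
    Packet(2000.000, "10.0.5.44", 52000, "198.51.100.7", 22, "S", 0),
    Packet(2003.000, "10.0.5.44", 52000, "198.51.100.7", 22, "S", 0),
]

# Constructed alerts: A-1 is real, A-2 is an unanswered SYN, A-3 has no flow.
ALERTS = [
    {"id": "A-1", "src": "10.0.5.23", "dst": "203.0.113.9", "dport": 443, "ts": 1000.2},
    {"id": "A-2", "src": "10.0.5.44", "dst": "198.51.100.7", "dport": 22, "ts": 2000.5},
    {"id": "A-3", "src": "10.0.5.99", "dst": "192.0.2.1", "dport": 443, "ts": 3000.0},
]


def triage(alerts, packets):
    """Map each alert id to its verdict and evidence."""
    flows = build_flows(packets)
    return {a["id"]: verify_alert(a, flows) for a in alerts}


if __name__ == "__main__":
    for alert_id, result in triage(ALERTS, CAPTURE).items():
        print(alert_id, result)
```

The point of the evidence dictionary is the one the article makes: a verdict of "corroborated" comes with the byte counts and timing an analyst can act on in minutes, and a "false_positive" verdict carries the reason (no completed handshake, or too little data) that can be fed back into tuning the alerting rule.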
We don’t know for certain what kind of forensics solution eBay is using, but one thing we do know is that a comprehensive, high performance packet capture forensics solution could have played a large role in answering some of the questions that remain following the eBay attack.