Most organizations, from small to large, run some kind of security monitoring in their enterprise environments. Security monitoring has several components, and network forensics is one of the essential ones for recognizing attacks and responding to alerts.
Network Forensics
A network forensic investigation generally includes several steps: recording and analyzing the activity taking place in a network, then using analysis tools and techniques to investigate and answer questions such as the following:
When did the attack happen?
Is the attack still ongoing?
What data has been exfiltrated?
Which users might have been compromised?
Which servers might have been compromised?
What is the root cause of the attack, and how did the intruder gain a foothold?
The Requirement for Network Forensics in an Organization:
Network forensics gives excellent visibility into the traffic that passes through the organization's network. Through this approach, investigators have a way to search the network and dig deeper into specifics. It is usually a two-step process. The first step is data collection: traffic on the network is captured, and metadata is extracted and indexed so that search tools can be used to locate specific information. The second step is to search that indexed data for the records of interest.
Organizations require intelligent monitoring and analysis on an ongoing basis. Whether it is a targeted attack or a planned red-teaming exercise, unusual activity within the network requires analysis. As mentioned earlier, such activity often takes place stealthily, and waiting for alerts from automated tools does not always work. Active hunting, by monitoring network traffic for unusual patterns, is therefore often required. For example, suppose a machine has been connecting to an unusual domain every day for the past few days, and there is a spike in the amount of data sent to that domain. That is a red flag, and analysis may be needed. Detecting this type of activity is not easy in practice, because the malicious traffic blends into large volumes of regular network traffic. Discovering it requires analysis skill: the investigator has to use targeted search queries to extract the data from which conclusions can be drawn. This whole process depends on network forensics capabilities.
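The two-step process (collect and index, then search) and the daily-beacon-with-a-data-spike hunt described above, as an added example that is not part of the original article. The flow records, their `timestamp host domain bytes_sent` format, the host and domain names, and the spike threshold are all constructed assumptions for illustration; a real deployment would read Zeek/NetFlow-style exports instead of an inline string.

```python
"""Beacon and exfiltration hunting over constructed flow records (added example).

Step 1 (collection/indexing): parse flow records into an index keyed by
(source host, destination domain) holding per-day outbound byte totals.
Step 2 (search): query that index for destinations a host contacts on
consecutive days whose outbound volume on the latest day spikes relative
to the preceding days, which is the red flag described in the text.
"""
from collections import defaultdict
from datetime import date

# Constructed sample records (not real traffic): "ts src_host dst_domain bytes_sent".
# ws-042 talks to two domains every day; on the last day one of them receives
# ~60 MB instead of ~5 KB. The other hosts/domains are noise.
SAMPLE_LOG = """\
2024-03-01T09:12:03Z ws-042 updates.vendor.example 48213
2024-03-01T09:40:11Z ws-042 files.cdn-mirror.example 5120
2024-03-02T09:11:58Z ws-042 updates.vendor.example 47990
2024-03-02T09:41:02Z ws-042 files.cdn-mirror.example 5310
2024-03-03T09:12:10Z ws-042 updates.vendor.example 48100
2024-03-03T09:39:47Z ws-042 files.cdn-mirror.example 4988
2024-03-04T09:12:01Z ws-042 updates.vendor.example 48050
2024-03-04T09:40:30Z ws-042 files.cdn-mirror.example 61440000
2024-03-04T14:02:17Z ws-042 intranet.corp.example 2048
2024-03-04T02:13:55Z ws-117 intranet.corp.example 1200
"""


def parse_records(text):
    """Parse 'ts src dst bytes' lines into (day, src, dst, bytes) tuples.

    Malformed lines are skipped rather than aborting the hunt: collection
    pipelines routinely emit partial or truncated records."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, nbytes = parts
        try:
            records.append((date.fromisoformat(ts[:10]), src, dst, int(nbytes)))
        except ValueError:
            continue
    return records


def build_index(records):
    """Step 1: index (src, dst) -> {day: total bytes sent that day}."""
    index = defaultdict(lambda: defaultdict(int))
    for day, src, dst, nbytes in records:
        index[(src, dst)][day] += nbytes
    return index


def find_suspicious_destinations(index, min_days=3, spike_ratio=10.0):
    """Step 2: return (src, dst, baseline_bytes_per_day, latest_bytes) for every
    pair seen on at least min_days consecutive calendar days ending on its most
    recent day, where the most recent day's volume exceeds spike_ratio times
    the mean of the earlier days in that window."""
    hits = []
    for (src, dst), per_day in index.items():
        days = sorted(per_day)
        if len(days) < min_days:
            continue
        recent = days[-min_days:]
        # Require consecutive days: a daily beacon, not sporadic contact.
        if any((recent[i + 1] - recent[i]).days != 1 for i in range(len(recent) - 1)):
            continue
        latest = per_day[recent[-1]]
        baseline = sum(per_day[d] for d in recent[:-1]) / (len(recent) - 1)
        if baseline > 0 and latest > spike_ratio * baseline:
            hits.append((src, dst, baseline, latest))
    return hits


def hunt(text, **kwargs):
    """Run both steps over raw record text and return the flagged pairs."""
    return find_suspicious_destinations(build_index(parse_records(text)), **kwargs)


if __name__ == "__main__":
    for src, dst, baseline, latest in hunt(SAMPLE_LOG):
        print(f"{src} -> {dst}: baseline {baseline:.0f} B/day, latest day {latest} B")
```

On the sample data only `ws-042 -> files.cdn-mirror.example` is flagged: the vendor update domain is contacted daily but with a flat volume, and the intranet contacts are one-offs. The consecutive-days requirement and the ratio threshold are the two knobs an investigator tunes; raising `min_days` above the number of days of data available returns nothing, which is the expected behaviour rather than a false positive.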
Most attacks require investigation of network traffic and logs at various locations in the network. Imagine, for example, that attackers gain control of some critical systems through a targeted spear-phishing campaign against employees of a specific department. While this sounds like a simple attack, reaching a conclusion requires investigation at several points in the network.
The network forensics process includes:
- Identifying incident
- Preserving the evidence
- Recording the evidence
- Systematic research of evidence
- Analysis and reporting of evidence
Advantages of Network Forensics
- Network Performance Benchmarking
- Network Troubleshooting
- Transactional analysis
- Security Analysis
Tools that can be used for intrusion detection:
Several tools can help detect abnormal behaviour in network traffic, and with it attackers and their activities. Intrusion-detection tools and techniques include:
- Honeypot
- Wireshark (a packet analyzer, used for manual inspection of captured traffic rather than automated detection)
- Snort (a signature-based network intrusion detection system)
- A log-based intrusion detection system (LIDS)
- HoneyNetCloud investigation model