Network Forensics. Concepts and fundamentals behind the new paradigm in network analysis

Size: px

Start display at page:

Download "Network Forensics. Concepts and fundamentals behind the new paradigm in network analysis"

Scot Henderson
7 years ago
Views:

1 Network Forensics Concepts and fundamentals behind the new paradigm in network analysis ELEXO 20 Rue de Billancourt Boulogne-Billancourt Téléphone : 33 (0) Télécopie : 33 (0) Courriel : info@elexo.fr TVA : FR

2 Summary Understanding network forensics Network forensics implications Resolution methods Example Security Example Compliancy Example Troubleshooting

3 What is network forensics? Network forensics is the idea of being able to resolve network problems through captured network traffic Previous methods focused on recreating the problem New technologies eliminate the time-consuming task of having to recreate the issue Allows IT professionals to go immediately to problem resolution mode

4 Why Network Forensics? Internal and governmentally mandated compliancy Provides enforcement of acceptable use policies Helps fight industrial espionage Assists with Sarbanes Oxley compliance Security Provides pre-intrusion tracking and identification Helps deliver a post-intrusion paper-trail Network Troubleshooting Performs root-cause analysis Allows for historical problem identification

5 Compliancy - Internal With internal compliancy, some of the most common issues are Acceptable Use Internal organizational policy that applies to use of all company systems, including and Internet access Challenge organizations cannot adequately enforce these policies Industrial espionage In today s competitive world, espionage is a continuous threat Challenge With the advent of and IM, perpetrating acts of espionage has become far easier than ever before.

6 Compliancy - Governmental IT administrators can assist SOX (Sarbanes-Oxley) compliancy in a number of ways SOX requires documentation of information flowing to and from devices which store company information Network forensics can be used to track all communication to and from any device or segment of interest (SOX ACT, section 302) SOX references the COSO (Committee of Sponsoring Organizations of the Treadway Commission), and their framework which helps businesses to assess and align their IT governance policies with SOX One frameworks focuses on network monitoring Network forensics can ensure real-time and continued network monitoring

7 Compliancy - Governmental Health Insurance Portability and Accountability Act HIPAA (Healthcare industry) Requires that patient data be protected from unauthorized access This means ensuring that the data is secure as it traverses the network Should a security breach happen, regulations provide for large fines of the organization UNLESS they can prove that no data was transferred Network forensics can record all transactions occurring over the wire and thus prove if data transfer took place

8 Compliancy Example The Situation: At a large financial organization, an employee is being reviewed for possible termination by HR. Among the offenses the employee is accused of is browsing inappropriate websites on company equipment. IT has been tasked with researching these possible offenses. However, providing only domain names or URLs is not acceptable according to the HR policy. The offense has to have been documented in some way that will reflect the activity the employee perpetrated.

9 Compliancy - Example The Challenge Traditional methods of tracking web user activity can provide domain names and URL but cannot show what exact content was being displayed at the time If those sites suddenly cease to exist or update their content, providing adequate documentation is impossible The Solution To record the traffic, in its entirety, and offer the ability to not only view the transactions, but also to reconstruct the original stream of data.

10 Compliancy - Example Using the Network Instruments GigaStor control panel, the timeframe of suspected activity is selected, and statistics about the timeframe are displayed Time slice of suspected activity Statistics

11 Compliancy - Example Next, users of interest are selected, and their traffic patterns graphed to display periods of excessive activity from the systems in question Selecting the right station

12 Compliancy - Example Recreating captured Internet traffic using stream reconstruction Selecting the HTML file Displays the stored HTML page

13 Security - Example With so many security solutions, where does forensics fit in? Why is there a need? Perimeter defenses can be penetrated Internal attacks can negate the sophisticated external security systems Many security deployments look for existing or known vulnerabilities, missing new threats. Even more advanced technology with the intent of detecting malicious behavior which doesn t conform to known lists can be inaccurate.

14 Security - Example User s home wireless network has been attacked, VPN profile has been pulled off the the user s corporate laptop User was unaware of attack for some period of time Since the user had widespread access across the network, the loss of their VPN profile has made the entire network suspect Existing security systems did not detect any security breaches

15 Identify abnormal traffic patterns based on network trends gathered prior to the breach. Security - Example

16 Watch for deviation in normal usage times for key systems Security - Example

17 Security - Example Identify every file touched and every command initiated by the intruder on the network Intruder accessing the directory structure of a Window File Server

18 With proper analysis tools, you track the entire path the intruder took across the network, identifying all infrastructure systems which were potentially compromised Security - Example

19 Daily Troubleshooting - Example Helpdesk received notice of poor call quality from a specific user s VoIP phone. All other phones are not experiencing issues, and aggregate statistics show that overall VoIP quality is high. The user reported that the issue is sporadic. A quick check of network stats shows that while some links have been periodically high, overall network usage appears within the norm. Timeline: 8:45 Helpdesk receives call of poor voice quality 9:10 After troubleshooting, Helpdesk escalates the call to Tier-3 support 9:50 Tier-3 investigates the issue, only to find that the problem has disappeared

20 Troubleshooting - Example Traditional Troubleshooting Methodology: Ignore it, hope the problem goes away Check a few network statistics, and then pull cables until it seems like the issue has been resolved Reallocate analyzer resources to monitor the problem, and hope that it happens again so that you will have the information needed to troubleshoot. (If the problem does not reappear, see option a)

21 Troubleshooting The Network Forensics way: Step 1) Isolate the timeframe of the issue Step 2) Select the User of Interest Step 3) Let the expert do the work

22 Troubleshooting - Example Isolate the time the problem took place Drill down to the correct user who reported the problem Time slice User Info

23 The short period of time representing the user s attempt to make a VoIP call is selected Troubleshooting - Example

24 Troubleshooting - Example Expert Analysis Info

25 In Summary To perform network forensics you need a method of capturing everything that traverses your network links This ability speeds troubleshooting in a number of ways Assist internal compliancy efforts Document acceptable use policies Maintain internal security Let an Expert system with time slice navigation do the heavy lifting

Network Security Forensics

Network Security Forensics As hacking and security threats grow in complexity and organizations face stringent requirements to document access to private data on the network, organizations require a new