Upload
others
View
11
Download
0
Embed Size (px)
Citation preview
ELEXO20 Rue de Billancourt
92100 Boulogne-BillancourtTéléphone : 33 (0) 1 41 22 10 00Télécopie : 33 (0) 1 41 22 10 01
Courriel : [email protected] : FR00722063534
Network ForensicsConcepts and fundamentals behind the new
paradigm in network analysis
Summary
Understanding network forensics
Network forensics implications
Resolution methodsExample – SecurityExample – Compliancy Example – Troubleshooting
What is network forensics?
Network forensics is the idea of being able to resolve network problems through captured network traffic
Previous methods focused on recreating the problem
New technologies eliminate the time-consuming task of having to recreate the issue
Allows IT professionals to go immediately to problem resolution mode
Why Network Forensics?
Internal and governmentally mandated compliancyProvides enforcement of acceptable use policiesHelps fight industrial espionageAssists with Sarbanes Oxley compliance
SecurityProvides pre-intrusion tracking and identificationHelps deliver a post-intrusion “paper-trail”
Network TroubleshootingPerforms root-cause analysisAllows for historical problem identification
Compliancy - Internal
With internal compliancy, some of the most common issues are…
Acceptable Use Internal organizational policy that applies to use of all company systems, including e-mail and Internet accessChallenge – organizations cannot adequately enforce these policies
Industrial espionageIn today’s competitive world, espionage is a continuous threatChallenge – With the advent of e-mail and IM, perpetrating acts of espionage has become far easier than ever before.
Compliancy - Governmental
IT administrators can assist SOX (Sarbanes-Oxley) compliancy in a number of ways…
SOX requires documentation of information flowing to and from devices which store company information
Network forensics can be used to track all communication to and from any device or segment of interest (SOX ACT, section 302)
SOX references the COSO (Committee of Sponsoring Organizations of the Treadway Commission), and their framework which helps businesses to assess and align their IT governance policies with SOX
One frameworks focuses on network monitoringNetwork forensics can ensure real-time and continued network monitoring
Compliancy - Governmental
Health Insurance Portability and Accountability Act HIPAA (Healthcare industry)
Requires that patient data be protected from unauthorized accessThis means ensuring that the data is secure as it traverses the networkShould a security breach happen, regulations provide for large fines of the organization UNLESS they can prove that no data was transferredNetwork forensics can record all transactions occurring over the wire and thus prove if data transfer took place
Compliancy – Example
The Situation:
At a large financial organization, an employee is being reviewedfor possible termination by HR. Among the offenses the employee is accused of is browsing inappropriate websites on company equipment.
IT has been tasked with researching these possible offenses. However, providing only domain names or URLs is not acceptable according to the HR policy. The offense has to have been documented in some way that will reflect the activity the employee perpetrated.
Compliancy - Example
The Challenge
Traditional methods of tracking web user activity can provide domain names and URL but cannot show what exact content was being displayed at the timeIf those sites suddenly cease to exist or update their content, providing adequate documentation is impossible
The Solution
To record the traffic, in its entirety, and offer the ability to not only view the transactions, but also to reconstruct the original stream of data.
Compliancy - Example
Using the Network Instruments GigaStor control panel, the timeframe of suspected activity is selected, and statistics about the timeframe are displayed
Statistics
Time slice of suspected activity
Compliancy - Example
Next, users of interest are selected, and their traffic patterns graphed to display periods of excessive activity from the systems in question
Selecting the right station
Compliancy - Example
Selecting the HTML file
Recreating captured Internet traffic using stream reconstruction
Displays the stored HTML page
Security - Example
With so many security solutions, where does forensics fit in? Why is there a need?
Perimeter defenses can be penetratedInternal attacks can negate the sophisticated external security systemsMany security deployments look for existing or known vulnerabilities, missing new threats. Even more advanced technology with the intent of detecting malicious behavior which doesn’t conform to known lists can be inaccurate.
Security - Example
User’s home wireless network has been attacked, VPN profile has been pulled off the the user’s corporate laptopUser was unaware of attack for some period of timeSince the user had widespread access across the network, the loss of their VPN profile has made the entire network suspectExisting security systems did not detect any security breaches
Security - Example
Identify abnormal traffic patterns based on network trends gathered prior to the breach.
Security - Example
Watch for deviation in
normal usage times for key
systems
Security - Example
Identify every file touched and every command
initiated by the intruder on the network
Intruder accessing the directory structure of a Window File Server
Security - Example
With proper analysis tools, you track the entire path the intruder took across the network, identifying all infrastructure systems which were potentially compromised
Daily Troubleshooting - Example
Helpdesk received notice of poor call quality from a specific user’s VoIP phone. All other phones are not experiencing issues, and aggregate statistics show that overall VoIP quality is high. The user reported that the issue is sporadic.
A quick check of network stats shows that while some links have been periodically high, overall network usage appears within the norm.
Timeline:8:45 – Helpdesk receives call of poor voice quality9:10 – After troubleshooting, Helpdesk escalates the call to Tier-3 support9:50 – Tier-3 investigates the issue, only to find that the problem has disappeared
Troubleshooting - Example
Traditional Troubleshooting Methodology:
Ignore it, hope the problem goes away
Check a few network statistics, and then “pull cables” until it seems like the issue has been resolved
Reallocate analyzer resources to monitor the problem, and hope that it happens again so that you will have the information needed to troubleshoot. (If the problem does not reappear, see option a)
Troubleshooting
The Network Forensics way:
Step 1) Isolate the timeframe of the issueStep 2) Select the User of InterestStep 3) Let the expert do the work…
Troubleshooting - Example
Isolate the time the problem took place
Drill down to the correct user who reported the problem
Time slice
User Info
Troubleshooting - Example
The short period of time representing the user’s attempt to make a VoIP call is selected
Troubleshooting - Example
Expert Analysis Info
In Summary
To perform network forensics you need a method of capturing everything that traverses your network links
This ability speeds troubleshooting in a number of ways
Assist internal compliancy effortsDocument acceptable use policiesMaintain internal security
Let an Expert system with time slice navigation do the heavy lifting