ELEXO20 Rue de Billancourt

92100 Boulogne-BillancourtTéléphone : 33 (0) 1 41 22 10 00Télécopie : 33 (0) 1 41 22 10 01

Courriel : info@elexo.frTVA : FR00722063534

Network ForensicsConcepts and fundamentals behind the new

paradigm in network analysis

Summary

Understanding network forensics

Network forensics implications

Resolution methodsExample – SecurityExample – Compliancy Example – Troubleshooting

What is network forensics?

Network forensics is the idea of being able to resolve network problems through captured network traffic

Previous methods focused on recreating the problem

New technologies eliminate the time-consuming task of having to recreate the issue

Allows IT professionals to go immediately to problem resolution mode

Why Network Forensics?

Internal and governmentally mandated compliancyProvides enforcement of acceptable use policiesHelps fight industrial espionageAssists with Sarbanes Oxley compliance

SecurityProvides pre-intrusion tracking and identificationHelps deliver a post-intrusion “paper-trail”

Network TroubleshootingPerforms root-cause analysisAllows for historical problem identification

Compliancy - Internal

With internal compliancy, some of the most common issues are…

Acceptable Use Internal organizational policy that applies to use of all company systems, including e-mail and Internet accessChallenge – organizations cannot adequately enforce these policies

Industrial espionageIn today’s competitive world, espionage is a continuous threatChallenge – With the advent of e-mail and IM, perpetrating acts of espionage has become far easier than ever before.

Compliancy - Governmental

IT administrators can assist SOX (Sarbanes-Oxley) compliancy in a number of ways…

SOX requires documentation of information flowing to and from devices which store company information

Network forensics can be used to track all communication to and from any device or segment of interest (SOX ACT, section 302)

SOX references the COSO (Committee of Sponsoring Organizations of the Treadway Commission), and their framework which helps businesses to assess and align their IT governance policies with SOX

One frameworks focuses on network monitoringNetwork forensics can ensure real-time and continued network monitoring

Compliancy - Governmental

Health Insurance Portability and Accountability Act HIPAA (Healthcare industry)

Requires that patient data be protected from unauthorized accessThis means ensuring that the data is secure as it traverses the networkShould a security breach happen, regulations provide for large fines of the organization UNLESS they can prove that no data was transferredNetwork forensics can record all transactions occurring over the wire and thus prove if data transfer took place

Compliancy – Example

The Situation:

At a large financial organization, an employee is being reviewedfor possible termination by HR. Among the offenses the employee is accused of is browsing inappropriate websites on company equipment.

IT has been tasked with researching these possible offenses. However, providing only domain names or URLs is not acceptable according to the HR policy. The offense has to have been documented in some way that will reflect the activity the employee perpetrated.

Compliancy - Example

The Challenge

Traditional methods of tracking web user activity can provide domain names and URL but cannot show what exact content was being displayed at the timeIf those sites suddenly cease to exist or update their content, providing adequate documentation is impossible

The Solution

To record the traffic, in its entirety, and offer the ability to not only view the transactions, but also to reconstruct the original stream of data.

Compliancy - Example

Using the Network Instruments GigaStor control panel, the timeframe of suspected activity is selected, and statistics about the timeframe are displayed

Statistics

Time slice of suspected activity

Compliancy - Example

Next, users of interest are selected, and their traffic patterns graphed to display periods of excessive activity from the systems in question

Selecting the right station

Compliancy - Example

Selecting the HTML file

Recreating captured Internet traffic using stream reconstruction

Displays the stored HTML page

Security - Example

With so many security solutions, where does forensics fit in? Why is there a need?

Perimeter defenses can be penetratedInternal attacks can negate the sophisticated external security systemsMany security deployments look for existing or known vulnerabilities, missing new threats. Even more advanced technology with the intent of detecting malicious behavior which doesn’t conform to known lists can be inaccurate.

Security - Example

User’s home wireless network has been attacked, VPN profile has been pulled off the the user’s corporate laptopUser was unaware of attack for some period of timeSince the user had widespread access across the network, the loss of their VPN profile has made the entire network suspectExisting security systems did not detect any security breaches

Security - Example

Identify abnormal traffic patterns based on network trends gathered prior to the breach.

Security - Example

Watch for deviation in

normal usage times for key

systems

Security - Example

Identify every file touched and every command

initiated by the intruder on the network

Intruder accessing the directory structure of a Window File Server

Security - Example

With proper analysis tools, you track the entire path the intruder took across the network, identifying all infrastructure systems which were potentially compromised

Daily Troubleshooting - Example

Helpdesk received notice of poor call quality from a specific user’s VoIP phone. All other phones are not experiencing issues, and aggregate statistics show that overall VoIP quality is high. The user reported that the issue is sporadic.

A quick check of network stats shows that while some links have been periodically high, overall network usage appears within the norm.

Timeline:8:45 – Helpdesk receives call of poor voice quality9:10 – After troubleshooting, Helpdesk escalates the call to Tier-3 support9:50 – Tier-3 investigates the issue, only to find that the problem has disappeared

Troubleshooting - Example

Traditional Troubleshooting Methodology:

Ignore it, hope the problem goes away

Check a few network statistics, and then “pull cables” until it seems like the issue has been resolved

Reallocate analyzer resources to monitor the problem, and hope that it happens again so that you will have the information needed to troubleshoot. (If the problem does not reappear, see option a)

Troubleshooting

The Network Forensics way:

Step 1) Isolate the timeframe of the issueStep 2) Select the User of InterestStep 3) Let the expert do the work…

Troubleshooting - Example

Isolate the time the problem took place

Drill down to the correct user who reported the problem

Time slice

User Info

Troubleshooting - Example

The short period of time representing the user’s attempt to make a VoIP call is selected

Troubleshooting - Example

Expert Analysis Info

In Summary

To perform network forensics you need a method of capturing everything that traverses your network links

This ability speeds troubleshooting in a number of ways

Assist internal compliancy effortsDocument acceptable use policiesMaintain internal security

Let an Expert system with time slice navigation do the heavy lifting