Comment: Network Forensics – Beyond Activity Monitoring

Network forensics can be a powerful tool in your security strategy, says Botelho
Network forensics can be a powerful tool in your security strategy, says Botelho

Network forensics is an essential, but often overlooked, part of any comprehensive security strategy. Most strategies are focused on keeping threats outside the network from coming in, but what about threats from inside the network?

With the increase in breaches from within the network, analysis and prevention can only be achieved if you have a complete view of your own network activity. This requires the ability to capture, record, and analyze complete network conversations both in real-time and post-incident, which can then be used to investigate breaches and fine-tune security policies to prevent a future event.

Network forensics goes beyond simple network activity monitoring. An activity monitoring solution may flag a suspicious incident, but it requires sorting through possibly thousands of packets of data – which can include IP address, source/destination port, time, date, protocol, string and more – to find that one incident again. This is a “needle in the haystack” problem. Network forensics solves this problem by continuously capturing, recording and analyzing network events, and then storing this data in a single location so that the incident can be easily pinpointed, rather than scattered across the network.

Additionally, data is captured in a common format that does not need to be translated for analysis. With all of the data in a central location and in a format that can be easily analyzed, security teams can quickly locate the source of a virus or monitor for specific virus ‘fingerprints’ to avoid a major infection. They can also use this captured data to reconstruct a particular sequence of events in a network breach to get the complete picture, whether the event occurred days or hours ago.

This level of insight is even more essential with the growing number of on-the-go users within a company. A breached mobile device or infected personal laptop brings outside threats inside the network, undetected by most IDS/IPS. The ability to recognize a breach and pinpoint the source prevents a compromise of the entire network. In addition, network forensics can be used to identify rogue or unauthorized devices trying to access the network, preventing a potential hack.

Typically, a company faces two situations – retracing and reviewing network activity after a breach to determine the source, and trying to detect abnormal or suspicious traffic in recorded data to avoid a potential breach. In the second case, network forensics can be leveraged to detect this suspicious activity in three ways:

Real-time Statistics: A key feature in a good network forensics solution is the ability to see important statistics in real-time, while continuing to record abnormal or suspicious traffic on the network. Seeing statistics in real-time provides assurance that you truly are on the right track.

Detailed Analysis: Real-time statistics provide assurance, but the crux of network forensics is drilling into the data, providing detailed information for discovering DDoS attacks, worm attacks, or other abnormal activities.

Suspicious Events Discovery: Expert modules can detect potential attack activities or problems in any of the OSI 7 layers. Additionally, network forensics can reduce time by filtering particular items of interest; for example, by IP address, application, context, etc.

Network forensics can be a powerful tool in your security strategy, but the key to network forensics is to have a solution in place now – before you have a need for incident analysis or data for an attack investigation.


Jay Botelho is the director of product management at WildPackets, a provider of network analysis solutions. Botelho holds an MSEE, and is an industry veteran with over 25 years of experience in product management, product marketing, program management and complex analysis. From the first mobile computers developed by GRiD Systems to modern-day network infrastructure systems, he has been instrumental in setting corporate direction, specifying requirements for industry-leading hardware and software products, and growing product sales through targeted product marketing.

What’s Hot on Infosecurity Magazine?