How Can Data Forensics Help The Fight Against Malware?

According to Gartner, enterprises spend just over $10 billion on prevention and detection methods such as anti-virus software, firewalls and intrusion detection systems. Yet enterprises are fighting a losing battle. IT teams need enhanced weapons, in the form of better intelligence, for the battle ahead. That insight can come from remediation in the form of network forensics.

Similar to a crime scene investigation, forensics provides network security teams with the "DNA" clues of an attack. Network forensics is about inspecting the malware and understanding how it works: its key characteristics, exploits and attack vectors. Forensics and remediation provide the intelligence needed to prevent new attacks.

Malware exhibits particular patterns of application behaviour, and network forensics would have spotted SMB traffic on the network and the version being used. WannaCry, for example, exploited SMB v1.

Capturing the right data
Forensics allows enterprise security teams to observe evasive adversaries by looking directly at the wire, i.e. at packet data. Packets contain a wealth of information that even a cyber-criminal cannot alter. Analysing the packets traversing the network is akin to scrutinising malware with a CCTV camera. Packets never lie, and that is why they are even admissible in court as evidence.

CM logs may provide information, but that data is limited in scope and intelligence. Network forensics from packets can reveal intricate detail about malware and allows enterprises to answer the who, what, where and when of an attack. Organizations not only get a high-level view of the threat; forensics also allows security teams to troubleshoot, isolate and identify problems affecting the network. It can reveal propagation mechanisms, attack vectors and the type of breach, while pinpointing the exfiltration path of stolen data even when that data is encrypted.

According to a SANS Institute study on security spending and IT budgets, 72% of respondents spend on protection and prevention, compared to 31% for discovery and forensics. Typically, larger companies with advanced monitoring systems deploy network forensics. These companies are mainly in the financial services sector (banking, trading, insurance) and in manufacturing.

The need is driven by three factors: highly valued intellectual property (customer data, product secrets); compliance (laws and regulations that protect customers and/or mandate disclosure in case of a breach); and the PR disaster that would follow a serious compromise.

How can enterprises use the forensics gleaned from packets?

1. Get to ground zero: Packet analysis allows enterprises to identify the first computer attacked. By studying how and why it was compromised, security teams can gather intelligence to track the malware and fine-tune firewalls and endpoint security.

2. Set security parameters: Packets allow security teams to set alerts for SMB and for protocols that carry commands requesting the deletion of large quantities of files. Packet analysis would have detected Petya/NotPetya's elusive manoeuvres.

3. Know your 'normal' network conditions: Some enterprises are not aware of what "normal" traffic patterns on their network look like. Abnormal traffic behaviour should set off alarm bells and raise concerns of a breach. For example, a company could spot a threat by seeing whether there is any SMB traffic (and which version) on the network.

4. Flush out the enemy: The 2017 Mandiant M-Trends report highlighted that the median time attackers stayed undetected, from breach to discovery, was 99 days. With packet analysis, security teams can retrospectively analyse the data from the time of an incident to track the breach, and then search out and destroy the malware faster.

5. Manage the data deluge: Some security teams at enterprises and data centres find it close to impossible to pinpoint malware, owing to the astronomically high volumes of data travelling on their networks. With the help of capture appliances, security teams can capture and store up to a petabyte of data for forensics and identify the exact moment a problem occurred in order to troubleshoot network issues.
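Items 2 and 3 above describe two checks a security team can run over packet-derived SMB records: flag any SMBv1 dialect negotiation, and alert when one host issues a burst of file deletions. The following is an added example written for this article, not code from the original; the record layout (Zeek-like `ts`/`src`/`dst`/`event`/`action` fields) and the sample records are constructed, and the thresholds are assumptions to tune per network.

```python
"""Detection logic for two packet-derived SMB checks: SMBv1 negotiation and
mass file deletion. Record layout and sample data are constructed for this example."""
import json
from collections import defaultdict, deque

# Dialect strings an SMBv1 Negotiate Protocol exchange can settle on.
SMB1_DIALECTS = {"NT LM 0.12", "LANMAN2.1", "LM1.2X002", "PC NETWORK PROGRAM 1.0"}

DELETE_THRESHOLD = 20   # deletes from one source host ...
WINDOW_SECONDS = 60.0   # ... within this many seconds raises an alert (assumed values)

def smb1_hosts(records):
    """Return the set of (src, dst) pairs that negotiated an SMBv1 dialect."""
    return {(r["src"], r["dst"]) for r in records
            if r.get("event") == "negotiate" and r.get("dialect") in SMB1_DIALECTS}

def mass_delete_alerts(records, threshold=DELETE_THRESHOLD, window=WINDOW_SECONDS):
    """Sliding-window count of SMB delete actions per source host.
    Returns one alert per source, raised the first time it crosses the threshold."""
    recent = defaultdict(deque)   # src -> timestamps of deletes inside the window
    alerts = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        if r.get("event") != "file" or r.get("action") != "delete":
            continue
        q = recent[r["src"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop deletes older than the window
            q.popleft()
        if len(q) >= threshold and r["src"] not in alerts:
            alerts[r["src"]] = {"first_ts": q[0], "last_ts": r["ts"], "count": len(q)}
    return alerts

# Constructed sample: one SMBv1 negotiation, one SMB3 negotiation, a burst of
# 25 deletes from 10.0.0.5 and a single benign delete from 10.0.0.7.
SAMPLE = [json.dumps(r) for r in (
    [{"ts": 100.0, "src": "10.0.0.5", "dst": "10.0.0.9", "event": "negotiate", "dialect": "NT LM 0.12"},
     {"ts": 101.0, "src": "10.0.0.7", "dst": "10.0.0.9", "event": "negotiate", "dialect": "SMB 3.1.1"}]
    + [{"ts": 110.0 + i, "src": "10.0.0.5", "dst": "10.0.0.9", "event": "file",
        "action": "delete", "name": f"share/doc{i}.docx"} for i in range(25)]
    + [{"ts": 300.0, "src": "10.0.0.7", "dst": "10.0.0.9", "event": "file",
        "action": "delete", "name": "share/tmp.txt"}]
)]

def analyse(lines):
    """Parse JSON lines and run both checks; returns a dict of findings."""
    records = [json.loads(line) for line in lines]
    return {"smb1": sorted(smb1_hosts(records)), "mass_delete": mass_delete_alerts(records)}

if __name__ == "__main__":
    print(json.dumps(analyse(SAMPLE), indent=2))
```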

According to industry analysts, companies spent $200 million on remediation and network forensics. That might sound like a lot, but it is 50 times less than what companies spend on anti-virus software, firewalls and intrusion detection systems. The current approach, focused almost entirely on prevention and detection, is inadequate for the fight ahead.

The focus is on stopping threats, but no one wants to admit that a certain percentage of threats will circumvent even the best prevention or detection toolsets and methodologies. No one wants to admit defeat. 

With the majority of organisations relying on signature-based prevention and detection methods, circumvention is a reality whenever a new attack or exploit is introduced. Companies therefore need to put increased effort into incident response. Security teams need to measure how long it takes to identify and remediate new threats, and establish processes for identifying, investigating and neutralising them.

That is where collaboration between IT teams, such as the network and security teams, to automate threat identification and post-event investigation is critical. There is a pressing need for forensics on the cyber battlefield.
