Book Image

Learning Network Forensics

By : Samir Datt
Book Image

Learning Network Forensics

By: Samir Datt

Overview of this book

We live in a highly networked world. Every digital device—phone, tablet, or computer is connected to each other, in one way or another. In this new age of connected networks, there is network crime. Network forensics is the brave new frontier of digital investigation and information security professionals to extend their abilities to catch miscreants on the network. The book starts with an introduction to the world of network forensics and investigations. You will begin by getting an understanding of how to gather both physical and virtual evidence, intercepting and analyzing network data, wireless data packets, investigating intrusions, and so on. You will further explore the technology, tools, and investigating methods using malware forensics, network tunneling, and behaviors. By the end of the book, you will gain a complete understanding of how to successfully close a case.
Table of Contents (17 chapters)
Learning Network Forensics
About the Author
About the Reviewers

Understanding network security

We live in a wired world (could be wireless too), which is increasingly interconnected. These interconnected networks are privy to most of the world's data, which is at great risk.

Today, the more interconnected we are, the more at risk we are. With attacks of increasing sophistication becoming automated, easily available, and usable by most low-grade criminals, the threat to our resources is at an all-time high. Evolved and sophisticated detection-evasion techniques help in making things even more complicated. Criminals too have learned to follow the money. Attacks are more focused and targeted with a preponderance of effort being directed towards the targets that could result in a monetary payoff.

Let's take a look at the type of threats that exist.

Types of threats

When we connect our network to the outside world (I know, I know, we have to!), we introduce the possibility of outsiders attempting to exploit our network, stealing our data, infecting our systems with viruses and Trojans, or overloading our servers, thus impacting and impeding our performance.

However, if our network were disconnected from the outside world, threats would still exist. In fact, most surveys and studies (as mentioned earlier) point to the indisputable fact that most of the threats (over 50%) are caused by intentional or unintentional activities performed by insiders.

While it is rarely possible to isolate or air gap a business network from the outside world, even if we were to do so, there is no guarantee that it would ensure network security.

Based on this understanding, we must consider both internal and external threats.

Internal threats

Looking back at the history, we will see many notable examples of entire kingdoms being lost due to the actions of the insiders. Valuable information such as hidden routes to reach behind an army (backdoors), type, strengths & weaknesses of the defenses (scans & vulnerabilities), and access codes and passwords (open sesame) when leaked to the enemy can cause irreparable loss. Kingdoms and corporations can fall. Sun Tzu, the ancient Chinese strategist and general, in his martial treatise, The Art of War, strongly recommends the use of insiders to win battles. His opinion on the best way to win a battle is without firing a single shot.

Threats that originate from within the network tend to be way more serious than those that originate outside.

Just like an unknown enemy within the walls of a citadel can be lethal; similarly, the insider within your network can be very damaging unless identified and contained very quickly.

Insiders usually have plenty of knowledge about the network, its available resources, and structure. They already have been granted a certain level of access in order to be able to do their job. Network security tools such as firewalls, intrusion prevention systems (IPS), intrusion detection system (IDS), and so on are deployed at the periphery of the network and are usually outward facing and such insiders are under the radar in this context.

An insider can steal information in many low-tech ways. Simply inserting a USB drive and copying data off the network is a very common way of stealing data. Burning a DVD with the organization's intellectual property and walking off the premises with this stuck inside a laptop's DVD drive happens quite often. Some smart guys copy the data onto a USB stick and then delete it so that when checked, they can demonstrate that the USB device is empty and once they get home, they can then recover the data using free recovery tools.

A single insider can be quite dangerous; however, when there are multiple insiders working in tandem, the situation can be quite grave. These threats need to be addressed and mitigated quickly in order to prevent substantial damage.

External threats

Usually, external attackers do not have in-depth knowledge of your network. When they start out, they do not have login or access credentials to get into the network.

Once a potential target is identified, the first step is to carry out a reconnaissance on the network. To do this, they perform a ping sweep. This helps in identifying the IP addresses that respond to the pings and are accessible from the outside. Once these IP addresses are identified, a port scan is performed. The objective is to identify open services on these IP addresses. The operating system (OS) is fingerprinted to understand the make, model, and build deployed. This helps the attacker in identifying the possible unpatched vulnerabilities. An outsider will identify and exploit a known vulnerability to compromise any one of the earlier discovered services on the host. Once the attacker has gained access to the host, the attacker will work at escalating the privileges, covering tracks, and creating backdoors for future unmonitored access. They will then use this system as a platform to attack and compromise other systems in this network and the world at large.