Network Forensics and Cybersecurity Insights

Uploaded by

averylayneoneill
Basic Cyber Forensics
Vinny Lima
Oct 24

Module 10 – Network Forensics
Network Forensics Overview (1 of 2)
• Network forensics is the process of collecting and analyzing raw network data and tracking network traffic
• The purpose is to ascertain how an attack was carried out or how an event occurred on a network
• Intruders leave a trail behind
• Knowing your network’s typical traffic patterns is important in spotting variations in network traffic
• It can also help you determine whether a network is truly under attack
Network Forensics Overview (2 of 2)
• Vulnerabilities can come from a variety of issues, including the following:
• Misconfigured servers
• Open ports – particularly port 23, the default port for Telnet
• Settings and validation options used when installing additional servers, such as a database server
• Auditing network logs is the key to network forensics
• Tools that can digest large volumes of data are needed
Network Forensics Standard Procedures
• Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion
• It is essential to ensure that all compromised systems have been found, brought offline, and restored as quickly as possible
• Procedures must be based on an organization’s needs and complement the network infrastructure
• NIST created the “Guide to Integrating Forensic Techniques into Incident Response” to address these needs
Securing a Network (1 of 2)
• A layered network defense strategy sets up layers of protection to hide the most valuable data at the innermost part of the network
• Defense in depth (DiD) is a similar approach developed by the NSA
• DiD has three modes of protection:
• People (e.g., highly qualified professionals)
• Technology (e.g., a strong network architecture, with IDS)
• Operations (e.g., keeping patches, software, and the OS up to date)
“Cyber-security firm CrowdStrike has admitted that the problem was caused by an
update to its antivirus software, which is designed to protect Microsoft Windows
devices from malicious attacks.”
Securing a Network (2 of 2)
• Testing networks is as important as testing servers
• Digital forensics investigators need to be up to date on the latest methods intruders use to infiltrate networks
• As well as methods internal employees use to sabotage networks
• Small companies of fewer than 10 employees often don’t consider security precautions against internal threats necessary
• They can be more susceptible to problems caused by employees revealing proprietary information to competitors
Developing Procedures and Models for Network Forensics (1 of 2)
• Network forensics can be a long, tedious process
• A standard procedure often used in network forensics is as follows:
• Always use a standard installation image for systems on a network
• Fix any vulnerability as quickly as possible after an attack
• Attempt to retrieve all volatile data
• Acquire all compromised drives and make a forensic image of each one
Developing Procedures and Models for Network Forensics (2 of 2)
• In digital forensics
• You can work from the image to find most of the deleted or hidden files and partitions
• In network forensics
• You have to restore the drive to see how malware that attackers have installed on the system works
Effectively Reading Network Logs
• Network logs record traffic in and out of a network
• Network servers, routers, and firewalls record activity and events that move through them
• The tcpdump command and Wireshark are good tools for examining network traffic
• Wireshark can generate top 10 lists of websites visited as well as the top 10 internal users
• Network logs can identify patterns, such as an employee transmitting data to or from a particular IP address frequently

Figures: tcpdump; Wireshark
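An added example (not from the slides) of the log-reading step described above: it parses constructed tcpdump-style lines, builds the "top destinations" and "top internal users" lists, and flags an internal host that keeps connecting to the same external IP. The internal range 10.0.0.0/8, the threshold, and the sample lines are assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed tcpdump-style lines (not real capture data); "Flags [S]" marks a client SYN.
SAMPLE_LOG = """\
10:01:02.100 IP 10.0.0.5.51234 > 203.0.113.7.443: Flags [S], seq 1, win 64240, length 0
10:01:02.300 IP 10.0.0.8.49152 > 198.51.100.20.80: Flags [S], seq 2, win 64240, length 0
10:01:03.150 IP 10.0.0.5.51235 > 203.0.113.7.443: Flags [S], seq 3, win 64240, length 0
10:01:04.900 IP 10.0.0.5.51236 > 203.0.113.7.443: Flags [S], seq 4, win 64240, length 0
10:01:05.010 IP 203.0.113.7.443 > 10.0.0.5.51236: Flags [S.], seq 9, ack 5, win 65535, length 0
10:01:06.700 IP 10.0.0.8.49153 > 192.0.2.15.443: Flags [S], seq 5, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]"
)
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address range

def parse_connections(log_text):
    """Return (internal_src, external_dst, dport) for each outbound new connection (pure SYN)."""
    conns = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["flags"] != "S":      # skip unparsable lines and SYN-ACK/other replies
            continue
        src, dst = ip_address(m["src"]), ip_address(m["dst"])
        if src in INTERNAL and dst not in INTERNAL:
            conns.append((str(src), str(dst), int(m["dport"])))
    return conns

def top_destinations(conns, n=10):
    """Top-N external destinations by new-connection count (the 'top 10 sites' view)."""
    return Counter(dst for _, dst, _ in conns).most_common(n)

def top_internal_users(conns, n=10):
    """Top-N internal hosts by number of outbound connections opened."""
    return Counter(src for src, _, _ in conns).most_common(n)

def frequent_pairs(conns, threshold=3):
    """Flag internal hosts that repeatedly open connections to one external IP."""
    pairs = Counter((src, dst) for src, dst, _ in conns)
    return [(src, dst, c) for (src, dst), c in pairs.items() if c >= threshold]
```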
Exploring Common Network Forensics Tools
• A variety of tools are available for network administrators to perform remote shutdown, monitor device use, and more
• Examples of network forensics tools include the following:
• Splunk
• Spiceworks
• Nagios
• Cacti
Packet Analyzers
• A packet analyzer is a device or software that monitors network traffic
• Most work at layer 2 or 3 of the OSI model
• Most tools follow the pcap (packet capture) format
• Some packets can be identified by examining the flags in their TCP headers
• To take advantage of the strengths of different tools, many investigators do a capture with tcpdump and then analyze the capture in Wireshark

Figures: TCP header; 2018 GitHub DDoS attack
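An added example (not from the slides) of the two points above, the pcap format and identifying packets by their TCP header flags: a minimal pcap reader that walks the global header and each record, decodes Ethernet/IPv4/TCP, and names the flags set. The capture it reads is constructed in the block by a small helper so the example runs offline; real files from tcpdump may use other link types or the pcapng format, which this reader does not handle.

```python
import struct

TCP_FLAGS = [("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04), ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20)]

def build_pcap(frames):
    """Constructed helper: wrap raw Ethernet frames in a little-endian pcap file (magic 0xa1b2c3d4)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f for i, f in enumerate(frames))
    return hdr + recs

def build_tcp_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with the given TCP flag byte (no payload, zero checksums)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # zero MACs, EtherType IPv4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + tcp

def decode_flags(flag_byte):
    """Byte 13 of the TCP header holds the control bits; return the names that are set."""
    return [name for name, bit in TCP_FLAGS if flag_byte & bit]

def parse_pcap(data):
    """Return (src, dst, sport, dport, flag names) for every TCP packet in a pcap byte string."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = "<" if magic == 0xA1B2C3D4 else ">"   # the magic number reveals the writer's byte order
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    assert linktype == 1, "only the Ethernet link type is handled here"
    off, out = 24, []                              # records start right after the 24-byte header
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if frame[12:14] != b"\x08\x00":           # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4               # IPv4 header length in bytes
        if frame[14 + 9] != 6:                     # protocol 6 = TCP
            continue
        ip_src = ".".join(map(str, frame[26:30]))
        ip_dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        out.append((ip_src, ip_dst, sport, dport, decode_flags(tcp[13])))
    return out
```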
Packet Analyzers
• Other network forensics tools include the following:
• Tcpslice
• Tcpreplay
• Etherape
• Netdude
• Argus
• Wireshark: rebuilds sessions.
Packet Analyzers

Figure 10-2 Wireshark opening screen

Packet Analyzers

Following a UDP stream in Wireshark

Packet Analyzers

Sample capture file in Wireshark

Packet Analyzers

Exploring in Wireshark
Intrusion Detection and Intrusion Prevention Tools
• Snort is one of the more powerful network tools
• It is an intrusion detection and intrusion prevention tool that can also be used for network forensics
• It is Linux based and open source
• Snort looks at incoming packets and compares them against a set of rules
• It also looks for malware, does network analysis, and inspects for port scans
• Snort has three modes: sniffer, packet logger, and intrusion detection
Investigating Virtual Networks
• A virtual switch is a little different from a physical switch
• There’s no spanning tree between virtual switches
• Additional complications include the following:
• Hypervisors can assign MAC addresses to virtual devices
• Devices can have the same MAC address on different virtual networks
• Cloud service providers host networks for several to hundreds of companies
• Tools that can analyze virtual networks include Wireshark and NetworkMiner
Researching and Investigating Types of Attacks (1 of 2)
• The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers
• Provides information about attack methods and how to protect against them
• Objectives are awareness, information, and tools
• A distributed denial-of-service (DDoS) attack is a type of attack in which online machines are used, without their owners’ knowledge, to flood a target
• Hundreds or even thousands of machines (zombies) can be used in a DDoS attack
Researching and Investigating Types of Attacks (2 of 2)
• Zero-day attacks are another major threat
• Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
• A honeypot is a computer, set up to look like any other machine on a network, that lures attackers to it
• A honeywall is a computer set up to monitor what is happening to honeypots on your network and record what attackers are doing
• A honeynet is a network (usually virtual) of honeypots set up to attract cyber attackers
• Honeypots and honeywalls are used to attract intruders and see what they are attempting to do on a network
Questions?
https://forms.gle/psXXdFUvdpRMeja58