Welcome to the world of spies, glamor, high technology, and fast...
Wait a minute!
Are you sure you are reading the right book? Wasn't this book supposed to be about network forensics?
Yes, you are reading the right book!
Let me put you at ease. This is about network forensics. That said it also is a glamorous world full of high-tech spies and fast data (no cars, unfortunately). This is a world where the villains want to own the world (or at the very least, your digital world) and if they can't own it, they would like to destroy it.
This world needs a hero. A person who can track down spies, identify stolen secrets, beat the villains at their own game, and save the world in the bargain.
A tech-savvy, cool, and sophisticated hero! A digital 007! Come on, admit it, who doesn't fancy themselves as James Bond? Here's your chance, an opportunity to become a network 007.
Interested? Read on…
In this chapter, we will build an understanding of what we need to know in order to venture in the area of network forensics. We will cover the following topics here:
007 characteristics in the network world
Identifying threats to the enterprise
Data breach surveys
Defining network forensics
Differentiating between computer forensics and network forensics
Strengthening our technical fundamentals
Understanding network security
Network security goals
This could be reactive or proactive.
As part of its defense-in-depth defense strategy, an organization's network is protected by a number of preventive and detective (monitoring) controls. A trigger could be considered reactive in the case of an organization realizing that their competitors seem to be getting inside information, which is limited in circulation and extremely confidential in nature.
Similarly, a proactive trigger could be the result of an organization's authorized penetration testing and vulnerability assessment exercise.
Subsequent to a trigger event, a preliminary information-gathering exercise is initiated, which culminates in a briefing to the 007 (the investigator), outlining all the currently-known details of the breach/incident. Certain hypotheses are floated based on the information gathered so far. Possible cause and effect scenarios are explored. Likely internal and external suspects may be shortlisted for further investigation.
The investigator initiates a full-fledged information/evidence collection exercise using every sort of high-end technology available. The evidence collection may be done from network traffic, endpoint device memory, and hard drives of compromised computers or devices. Specialized tools are required to achieve this. This is done with the view of proving or disproving the hypotheses that were floated earlier. Just like a closed-circuit television (CCTV) camera or a spy cam that is used to collect information in real life, on a network, network traffic is collected using tools such as Wireshark, volatile memory data is collected by tools such as Forensic Toolkit (FTK) Imager, and media images are collected by tools such as EnCase.
The information collected is carefully and painstakingly analyzed with a view to extract evidence relating to the incident to help answer questions, as shown in the following diagram:
An attempt is made to answer the following critical questions:
Who is behind the incident?
What actually happened?
When did it happen?
Where was the impact felt? Or which resources were compromised?
Why was it done?
How was it done?
Based on the analysis result, a conclusion is drawn and certain recommendations are made. These recommendations result in an action. The action may include remediation, strengthening of defenses, employee/insider termination, prosecution of suspects, and so on based on the objectives of the investigation. The following flow diagram neatly sums up the complete process:
Network forensic investigations can be very time consuming and complex. These investigations are usually very sensitive in nature and can be extremely time critical as well. To be an effective network forensics Bond, we need to develop the following characteristics:
Preparation: The preparation stage is essential to ultimately arrive at a satisfactory conclusion of a case. A calm thought-out response with a proper evidence-collection process comes from extensive training and the knowledge of what to do in the event of the occurrence of most likely scenarios that are happening in the real world. Practice leads to experience, which leads to the ability to innovate and arrive at out-of-the-box investigative insights for solving the case. A situation where the investigator is unable to identify a compromised system could lead to years of data theft, resulting in bleeding of the organization and its ultimate and untimely demise. A scenario where an investigator is able to identify the problem but is unable to decide what action to take is equally bad. This is where preparation comes in. The key is knowing what to do in most situations.
A clear-cut incident response plan needs to be in place. Trained personnel with the necessary tools and processes should be available to tackle any contingency. Just as organizations carry out fire drills on a regular basis, incident response drills should be institutionalized as part of the organization policy.
Information gathering/evidence gathering: A comprehensive system to monitor network events & activity, store logs, and back them up is essential. Different inputs are generated by different event logging tools, firewalls, intrusion prevention & detection systems, and so on. These need to be stored and/or backed up at a secure location in order to prevent incidental or intentional tampering.
Understanding of human nature: An understanding of human nature is critical. This helps the investigator to identify the modus operandi, attribute a motive to the attack, and anticipate and preempt the enemy's next move.
Instant action: Just as Bond explodes into action at the slightest hint of danger, so must an investigator. Based on the preparations done and the incident response planned, immediate action must be taken when a network compromise is suspected. Questions such as should the system be taken off the network? or should we isolate it from the network and see what is going on? should be already decided upon at the planning stage. At this stage, time is of essence and immediate action is required.
Use of technology: An investigator should have Bond's love of high technology. However, a thorough knowledge of the tools is a must. A number of hi-tech surveillance tools play an important role in network-based investigations. Specialized tools monitor network traffic, identify and retrieve hidden and cloaked data, analyze and visualize network logs and activities, and zero in on in-memory programs and malicious software and tools used by the bad guys.
Deductive reasoning: A logical thought process, the ability to reason through all the steps involved, and the desire to see the case to its rightful conclusion are the skills that need to be a part of a network 007's arsenal. Questioning all the assumptions, questioning the unquestionable, understanding cause and effect, examining the likelihood of an event occurring, and so on are the hallmarks of an evolved investigator.
There is a considerable overlap between incident response and network forensics in the corporate world, with information security professionals being tasked with both the roles. To help simplify the understanding of the process, we have come up with the easy-to-remember TAARA framework:
Acquire: This is the process that is set in motion by the trigger—this is predefined as a part of the incident response plan—and it involves identifying, acquiring, and collecting information and evidence relating to the incident. This includes getting information related to the triggers, reasons for suspecting an incident, and identifying and acquiring sources of evidence for subsequent analysis.
Analysis: All the evidence that is collected so far is collated, correlated, and analyzed. The sequence of events is identified. Pertinent questions such as whether the incident actually occurred or not; if it did, what exactly happened; how it happened; who was involved; what is the extent of the compromise; and so on are answered. Based on the information that is gathered during this stage, it may be necessary to go back to the acquire stage in order to gather additional evidence. Analysis is then initiated on the newly acquired evidence.
This is pictorially represented in the following image:
Typically, such threats involve an insider with a mala fide intention, insider knowledge and/or access. This insider is looking to steal, misuse, modify, corrupt, or destroy enterprise resources. Quite naturally, the insider has no intention of getting caught and hence, makes every attempt to cover their tracks. However, as we will see later in this chapter, every interaction with the crime scene leaves a trace as per Locard's exchange principle.
Weak and ill-defined rules, network policies, security systems, and so on aid and abet such insiders. Unlimited and unmonitored access of network resources and data by the users are a sure recipe for disaster. Improperly implemented controls, random permissions, unsecured physical access to server rooms, and poor password hygiene contribute to serious threats to the network resources.
External threats are those that originate from outside the perimeter of the network. This could be from individuals, groups, or even governments. A spate of network attacks world-wide have been traced to state actors such as China, North Korea, and even the USA. Revelations by Snowden have opened everyone's eyes to the real threat of state-sponsored surveillance.
External threats come in all shapes and sizes. Just like internal threats, these can be intentional or unintentional. There are all sorts of people out there who want to get into your network. Some want to do it to get the information you store, some do it to shut down your network, some do it as they did not like the statement your company's CEO gave out last Wednesday, and some want to do it just because they can. Let's leave motivations aside for the moment. I say for the moment as a part of our network forensics investigations requires answering the Why part of the equation at a later date.
Any outsider wanting access to your network has to carry out a number of concrete steps before they can gain access of any sort. It's best to be disabused of the notion that, like in the movies, a hacker sits before his computer, starts typing, and has Administrator-level access within a couple of minutes. That is unadulterated fiction.
The first step any attacker has to take is to reconnoiter the target. Just as any good or accomplished thief will case the neighborhood to identify the potential targets, locate their weak spots, plan the right time to break in, and figure out a way to get in; any criminal with the intent to get into the network has to undergo a similar process. This process is called footprinting. This consists of a number of steps followed by scanning for open UDP & TCP ports, which can be exploited. An attempt is then made to try and get the password via multiple means such as social engineering, password lists, brute forcing, or rainbow tables. This mode of password discovery is the most difficult method of getting into the network. Another example would be to exploit the weakness such as unpatched OS and run programs that exploit a vulnerable software leading to open access, followed by privilege escalation to administrator level.
Once in, the accomplished spy will not do anything to give away the fact that they have administrator-level access. It is only script kiddies or publicity-hungry hackers that go ahead to deface websites to earn their two minutes of fame or notoriety.
The next objective is to create a backdoor for uninterrupted access and take every precaution to cover their tracks.
It can be months and, in some cases, years before an intrusion of such sort can be discovered or detected. That is the holy grail of the attacker. Spying undetected! Forever!
However, that is exactly where you come in, Mr. 007. You have to figure out what's going on in the network. At times, this needs to be done extremely covertly. Once the data breach is detected, you need to go into your licensed to kill mode to identify such intrusions and gather all the evidence of the related processes!
Insider data theft
Assistance to outsiders
Sexual harassment within the enterprise
Tampering with sensitive data
Accidental assistance to outsiders
Inadvertently letting malicious software loose on the network
Unintentional use of compromised software on bring your own device (BYOD)
Insiders social engineered to give away information such as passwords and so on
Targeted phishing or spear phishing to extract confidential information
Denial of Service attacks
An outsider accidentally stumbling onto sensitive data because of a flaw/vulnerability in the network
Accidental power outage
An unsuspecting user's system can be taken over and used as part of a bot herd
Network threat examples
From a reference perspective, you may want to visit a few references on the net, listed as follows:
The Verizon Data Breach Investigations Report: http://www.verizonenterprise.com/DBIR/
PwC UK— INFORMATION SECURITY BREACHES SURVEY 2014: http://www.pwc.co.uk/assets/pdf/cyber-security-2014-exec-summary.pdf
The Ponemon Institute's Cost of Data Breach Survey: http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis
KPMG Cybercrime survey report: https://www.kpmg.com/IN/en/IssuesAndInsights/ArticlesPublications/Documents/KPMG_Cyber_Crime_survey_report_2014.pdf
The InfoWatch Global Data Leakage Report, 2014: http://infowatch.com/sites/default/files/report/InfoWatch_Global_data_leak_report_2014_ENG.pdf
All of them point to a single unassailable fact—data breaches are becoming increasingly expensive and will continue to be so.
Some of the points brought up by most of them are:
The cost of a data breach is on the rise.
Post a breach—customers loose confidence and tend to change service providers. This is particularly common in the financial services industry.
For many countries, malicious or criminal attacks are at the top spot as the root cause of the data breaches.
In over 50% of the cases, insiders were involved in one way or the other.
What does this mean for us? It just means that we are in the right place at the right time. There will always be a very strong demand for the Sherlocks of the net. Professionals who can detect, collect, collate, analyze, and investigate will find themselves on the must hire list of most large-scale corporates.
Let's get started with the underlying principle of forensics of any sort.
No study of digital investigations can be considered well begun without an understanding of the underpinning of the science. Locard's exchange principle is the foundation on which scientific investigation methodologies are built.
Dr Edmond Locard (1877-1966) was a French scientist who worked with the French Secret Service in the First World War. He was a pioneer in forensic science and criminology. He developed a methodology to identify the nature and cause of death of French soldiers and prisoners by examining the wounds, damage stains, and other marks on the body.
He was known as the Sherlock Holmes of France.
He is often credited with saying every contact leaves a trace!
He speculated that anybody or anything that enters or leaves the crime scene (interaction with the crime scene) either leaves something behind or leaves with something from it (inadvertently or intentionally) and this can be used as forensic evidence. Let's consider a murder. Anybody that walks into a murder spot may leave the evidence of their presence in the form of footprints, fingerprints, and so on. Similarly, when someone leaves the crime scene, they may take specks of blood with them, local dust may adhere to their shoes, and so on.
How does this translate into the network world?
Essentially, every attempt to communicate with a device on the network leaves a trace somewhere; this could be at firewalls, intrusion detection systems, routers, event logs, and so on. Similarly, any attempt by an internal miscreant to access unauthorized resources will also leave a trace. This is depicted in the following image:
Let's take the example of a phishing attack. As we are all aware, it begins with an innocuous mail with a massively appealing subject. The phishing mail may carry a payload in the form of an attachment (for example, a Trojan) or have a link that leads to a similar result. In this case, according to Locard's exchange principle, the two entities interacting would be the affected computer and the computer sending out the phish. Some of the evidence in this case would be the e-mail itself, Trojan horse/malware/keylogger, stolen passwords, changed passwords, attempts to cover tracks, and so on. The backdoor, once discovered, could reveal a lot of details and the IP addresses of devices that control it or receive the stolen data would also count as evidence. The command and control center for the phishing operation (if identified) would also be a goldmine of evidence.
As a network 007, it is our job to figure out what is going on and draw our conclusions accordingly.
As per National Institute of Standards and Technology (NIST), Digital forensics, also known as computer and network forensics, has many definitions. Generally, it is considered the application of science to the identification, collection, examination, and analysis of data while preserving the integrity of the information and maintaining a strict chain of custody for the data.
Refer to http://csrc.nist.gov/publications/nistpubs/800-86/SP800-86.pdf for more information.
Capture (capture packets)
Identify (identify packets based on certain filtering criterion, such as date and time)
Analyze (both known and unknown packets to understand what's going on)
The following image illustrates this:
Broadly speaking, network forensics is the subset of digital forensics that deals with the investigation of events and activities related to digital networks. This involves monitoring and capturing network traffic and its related data from devices on the network with the objective of gathering evidence in a manner that is acceptable in the court of law.
Network forensics is a branch of digital forensics. That said; it is significantly different from conventional forensic investigations. It is necessary to highlight the differences so that things are a lot clearer in the network investigator's mind.
Unlike other areas of digital forensics, network forensic investigations deal with volatile and dynamic information. Disk or computer forensics primarily deals with data at rest. The simplified normal process is to identify the media that to be investigated, create and authenticate a forensic image, identify the different artifacts to be investigated, carry out an in-depth analysis, and follow it up with a report highlighting the findings. Usually, these can include deleted, misnamed, and hidden files and artifacts; registry entries; password-protected files; e-mail communications; carved data; and so on. However, all these represent the state of the system at the time of the collection and imaging. This is what we call a post-mortem investigation (this does not include live-memory forensics, which, as the name suggests, is very much alive).
Network forensics by its very nature is dynamic. In fact, it would not be possible to conduct a network forensic investigation if prior arrangements were not made to capture and store network traffic. It is not possible to analyze what transpired with the network flow without having a copy of it. This is similar to having a CCTV footage for a particular incident. In its absence, one can only surmise what happened based on other circumstantial evidence. When the actual footage is available, as long as the investigator knows what to look for, the complete incident can be reconstructed and it becomes a lot easier to identify the perpetrator.
Additionally, network forensics involves the analysis of logs. This can be a bit of art as well as science.
Usually various network devices, applications, operating systems in use, and other programmable and intelligent devices on the network generate logs. Logs are time-sequenced. They can be quite cryptic in nature and different devices will address the same event in different ways. Some operating systems will call a login action as a login; whereas, another device may call it a log on and a third may call it a user authentication event. The message content and syntax of logs are vendor-specific. It may also vary from application to application.
Disk forensics does not have these sorts of intricacies. While logs exist and do vary across applications and operating systems, the level of dependency on logs in the case of disk forensics is not as high as that of network forensics.
That said, all disk, network, and memory forensics go hand in hand. Most investigations may involve at least a few, if not all, of the disciplines of digital forensics in any case of a reasonable magnitude.
In fact, a case where disk forensics is not used in an investigation could be considered equivalent to a conventional case where CCTV evidence has been overlooked.
A network, in general parlance, is a group of computers/devices that are connected to each other. The connection could be wired or wireless. Every device on the network has a unique network address. This can be temporary (session specific) or permanent. Addresses are numeric quantities that are easy for computers to work with; however, they are not for humans to remember. These are known as IP addresses. For example
18.104.22.168. Consider the following diagram:
To make these numeric addresses easy for humans to remember, they are stored as textual addresses as Domain Name Server (DNS) records. DNS servers are responsible for translating textual Internet addresses into numeric Internet addresses.
While numeric IP addresses identify a specific host machine working on a network, a numeric port number is used to identify specific processes that are running on a host machine. The number of ports is not functionally limited. Some of the common ports are as follows:
When devices are connected to each other; they can communicate. The mode of communication between devices is via exchange of data. Data is transferred using packet switching. Messages are broken into packets and transmitted over the network. Each of these packets have a specified maximum size, and are split in to a header and data area. As each packet is being sent from a source computer to a destination computer or device, their addresses and the information that is necessary to properly sequence the packets at the reconstruction stage is included in the header.
Protocols define the following:
Addressing of messages
Routing of messages
This is also known as the seven-layer model.
Layer 1: This is called the physical layer. This is the actual physical infrastructure over which the data travels. This consists of the cables, hubs, and so on. This is the electronics that ensures the physical transmission and reception of raw and unstructured bits and bytes.
Layer 2: This is called the data link layer. This layer is responsible for the data encapsulation in the form of packets and their interpretation at the physical layer. This will initiate and terminate a logical link between two nodes on a network. Layer 2 is responsible for error-free transfer of data over the physical layer.
Layer 3: This is called the network layer. This layer is in charge of a packet's transmission from a source to its destination. This layer decides the route, mapping of the logical and physical addresses, and data traffic control.
Layer 4: This is called the transport layer. The transport layer is in charge of the delivery of the packets from a source to a destination. This ensures that the message is delivered in a sequence without duplication or loss and is error-free.
Layer 5: This is called the session layer. The session layer manages the network access. It establishes sessions among the processes running on different nodes via different logical ports. Layer 5 also handles session establishment, maintenance, and termination.
Layer 6: This is called the presentation layer. The role of the presentation layer is to format the data transmitted to applications, data conversion, compressing/decompressing, encrypting, and so on. This allows access to end user for various Windows services such as resource sharing, remote printing, and so on.
As the data travels between layers, each layer adds or removes its header to the data unit. At the destination, each added header is removed one-by-one until the receiving application gets the data that is intended for it.
This is responsible for applications and processes running on the network
This provides end-to-end data delivery
This makes datagrams and handles data routing
This allows access to the physical network
Network layer: The network (or network interface layer, as it is also known) is the bedrock of the TCP/IP model. This drives the signals across the network. It transmits and receives bits over the network hardware such as co-axial or twisted pair copper cable. This exists over the physical layer and includes the following protocols:
Internet layer: The Internet layer is at the heart of the TCP/IP model. This packages the data into IP datagrams and performs routing for these datagrams based on the source and destination information in the header. The protocols used at this layer include the following:
Internet Protocol (IP)
Internet Control Message Protocol (ICMP)
Address Resolution Protocol (ARP)
Reverse Address Resolution Protocol (RARP)
Transport layer: This layer manages the communication session between the host computers. During the data transportation process, this defines the level of service and the connection status. The transport layer uses the following protocols:
Transmission Control Protocol (TCP)
User Datagram Protocol (UDP)
Real-time Transport Protocol (RTP)
Application layer: The application layer combines the functions of the OSI application, presentation, and session layers. This layer defines how the host programs interface with transport layer services as well as their related application protocols. Some of the protocols in this layer are as follows:
Simple Mail Transfer Protocol (SMTP)
Simple Network Management Protocol (SNMP)
Trivial File Transfer Protocol (TFTP)
This threw up a unique problem of having to define a common interconnection protocol on top of the local protocols. The Internet Protocol (IP) plays this role by defining unique addresses for a network device and host machines. The following diagram depicts this interconnection of devices using IP routing:
Whenever we see a stranger that we want to speak to, it always helps if we speak the same language. In computer world, the language of communication is called a protocol. IP is one of the languages that multiple computers use to communicate with each other as a part of the layered architecture model.
On top of the IP, there are TCP, UDP, and some others.
There are two versions of the IP being used, as follows:
Splitting the data stream into standard size packets at the source and then putting them together again in the correct order at the destination.
Guiding or routing a packet through a number of intermediary networks, starting from the source device IP address to the destination device IP address.
How does it work?
It splits or breaks up the initial data (that is to be sent) into datagrams. Each datagram will have a header, including the IP address and the port number of the destination. Datagrams are then sent to selected gateways, that is, IP routers. These routers are connected to the local network and to an IP service provider network at the same time. These routers start the relay process, wherein datagrams are transferred from gateway to gateway until they arrive at their final destination.
Whenever two hosts communicate with each other using the Internet Protocol, there is no need for a continuous connection. One host sends the data to another via a data packet. Each packet header contains the source destination addresses as well as the sequence number and is treated as an independent unit of data. The TCP is responsible for reading the packet headers and putting the packets in the correct sequence so that the message is readable.
Today, the most widely used version of IP is the IPv4. However, IPv6 is also beginning to be supported. IPv6 was introduced when it was realized that IPv4 addresses were running out. The exponential increase in the number of devices connected to the Internet resulted in the anticipation of IPv4 address exhaustion. IPv6 provides for much longer addresses and also the possibility of many more Internet users. IPv6 includes the capabilities of IPv4 and any server that can support IPv6 packets can also support IPv4 packets.
The IP's functionality and limitations are defined by the fields at the beginning of the packet. This is called the frame header.
The source and destination address fields have 32 bits allocated to encode their data.
Various additional information, such as the total packet length in bytes, is encoded in 16 bytes in the remainder of the header.
Normally, the application layer sends the data that is to be transmitted to the transport layer. The transport layer adds a header and sends it to the Internet layer. The Internet layer adds its own header to this and sends it to the network layer for physical transmission in the form of an IP datagram. The network layer adds its own frame header and footer and then physically transmits it over the network.
At the other end, when the datagram is received, this process is reversed and the different headers are stripped as the data moves from layer to layer. The following diagram represents how headers are added and removed as we move from layer to layer:
Safe data transmission
Assurance that data is received in the correct order
Before sending the data, TCP requires the computers that are communicating to establish a connection with each other:
Whereas IP is limited to sending 64-kb data streams, large data streams can be sent as one big stream of data using TCP. TCP does this by breaking up the data stream into separate data packets. Each packet is numbered and its sequence number is stored in the header. On arrival, these disparate packets are reassembled using sequence and sequence acknowledgement numbers. TCP specifies the port numbers. This improves the capabilities over IP. Every TCP/IP machine can communicate using 65,536 different ports or sockets.
All data in a TCP packet is accompanied by a header. The header contains information related to the source port, destination port, sequence number, sequence acknowledgement number, and some miscellaneous header data.
Similar to the TCP, the UDP is also built on top of the IP. It has the same packet-size limit (64 kb) as IP; however, it allows specifying port numbers. This provides 65,536 different ports, which is the same as TCP. Therefore, every machine has two sets of 65,536 ports: one for TCP and the other for UDP.
The difference between the two is that UDP is a connection-less protocol, without any error detection facility. It only provides support for data transmission from one end to other without any verification. As it does not do any further verification, UDP is very fast. This is its main feature and it is extremely useful in sending small and repetitive data at a very high speed. Some examples of this are audio and video streaming, games, time information that is continuously streamed, and so on.
On top of the TCP/IP layers is the application layer. The Internet Engineering Task Force (IETF) definition document for the application layer in the Internet protocol suite is RFC 1123. The application layer's role is to support network applications by the means of application protocols.
Some of the application protocols include the following:
Telnet: This is a text input-based protocol that allows the user to perform a remote login on another computer
SMTP: This is for the transportation of electronic mail
DNS: This is for the networking support
SNMP: This is for the remote host management
Newer applications can also spawn additional application protocols such as BitTorrent, Bitcoin, eDonkey, and so on.
Today, the more interconnected we are, the more at risk we are. With attacks of increasing sophistication becoming automated, easily available, and usable by most low-grade criminals, the threat to our resources is at an all-time high. Evolved and sophisticated detection-evasion techniques help in making things even more complicated. Criminals too have learned to follow the money. Attacks are more focused and targeted with a preponderance of effort being directed towards the targets that could result in a monetary payoff.
Let's take a look at the type of threats that exist.
When we connect our network to the outside world (I know, I know, we have to!), we introduce the possibility of outsiders attempting to exploit our network, stealing our data, infecting our systems with viruses and Trojans, or overloading our servers, thus impacting and impeding our performance.
However, if our network were disconnected from the outside world, threats would still exist. In fact, most surveys and studies (as mentioned earlier) point to the indisputable fact that most of the threats (over 50%) are caused by intentional or unintentional activities performed by insiders.
While it is rarely possible to isolate or air gap a business network from the outside world, even if we were to do so, there is no guarantee that it would ensure network security.
Based on this understanding, we must consider both internal and external threats.
Looking back at the history, we will see many notable examples of entire kingdoms being lost due to the actions of the insiders. Valuable information such as hidden routes to reach behind an army (backdoors), type, strengths & weaknesses of the defenses (scans & vulnerabilities), and access codes and passwords (open sesame) when leaked to the enemy can cause irreparable loss. Kingdoms and corporations can fall. Sun Tzu, the ancient Chinese strategist and general, in his martial treatise, The Art of War, strongly recommends the use of insiders to win battles. His opinion on the best way to win a battle is without firing a single shot.
Threats that originate from within the network tend to be way more serious than those that originate outside.
Just like an unknown enemy within the walls of a citadel can be lethal; similarly, the insider within your network can be very damaging unless identified and contained very quickly.
Insiders usually have plenty of knowledge about the network, its available resources, and structure. They already have been granted a certain level of access in order to be able to do their job. Network security tools such as firewalls, intrusion prevention systems (IPS), intrusion detection system (IDS), and so on are deployed at the periphery of the network and are usually outward facing and such insiders are under the radar in this context.
An insider can steal information in many low-tech ways. Simply inserting a USB drive and copying data off the network is a very common way of stealing data. Burning a DVD with the organization's intellectual property and walking off the premises with this stuck inside a laptop's DVD drive happens quite often. Some smart guys copy the data onto a USB stick and then delete it so that when checked, they can demonstrate that the USB device is empty and once they get home, they can then recover the data using free recovery tools.
A single insider can be quite dangerous; however, when there are multiple insiders working in tandem, the situation can be quite grave. These threats need to be addressed and mitigated quickly in order to prevent substantial damage.
Usually, external attackers do not have in-depth knowledge of your network. When they start out, they do not have login or access credentials to get into the network.
Once a potential target is identified, the first step is to carry out a reconnaissance on the network. To do this, they perform a ping sweep. This helps in identifying the IP addresses that respond to the pings and are accessible from the outside. Once these IP addresses are identified, a port scan is performed. The objective is to identify open services on these IP addresses. The operating system (OS) is fingerprinted to understand the make, model, and build deployed. This helps the attacker in identifying the possible unpatched vulnerabilities. An outsider will identify and exploit a known vulnerability to compromise any one of the earlier discovered services on the host. Once the attacker has gained access to the host, the attacker will work at escalating the privileges, covering tracks, and creating backdoors for future unmonitored access. They will then use this system as a platform to attack and compromise other systems in this network and the world at large.
In today's high-speed, always-on-the-go world, no man is an island. The same is the case with corporate networks. Constant communications and contact with the outside world, cloud-based applications, cloud and offsite storage of data, and BYOD lead to an increasingly connected network environment. A global economy that thrives on information, advanced technology that enables seamless transactions, and the constant human need to access information that is online are the factors leading to higher security risks.
Today, one can safely assume that most corporate networks are interconnected with other networks.
These networks run standards-based protocols.
These networks will also have a number of applications, which may have proprietary protocols. As such applications are bespoke, the focus of the developers is more on functionality and less on security. Further, there is no regular system of patching vulnerabilities in these applications.
The multitude of connected devices and diverse applications in corporate networks are quite complex and their volume is constantly increasing.
This entails restricting physical access to the networked devices and components as well as logical access to the node data and network traffic.
To do this, network administrators set up firewalls and intrusion detection & prevention systems. Access control lists (ACL) prevent unauthorized access to the network resources. Encrypted network traffic prevents any data leakage caused by traffic interception by an attacker. Specific credentials, such as usernames and passwords, are required to access the network resources.
Networks have data in motion. Should an attacker gain access to a network, they would have the ability to silently modify/tamper with the traffic that would cause, at the very least, a misunderstanding between the people communicating and at the other end of the spectrum, it could cause irreparable harm to the people and organizations.
The examples of network security violations that affect the integrity goal include the following:
Interception of communications related to electronic payments, modifying them to reflect different bank details, and diverting the payment from the unsuspecting remitter. This is a common problem that is being observed these days, especially between small-scale exporters and their buyers.
A government taxation entity had their website compromised. The attacker very carefully only modified the section relating to tax rates. These were substantially reduced. As a result, the government lost substantial revenues as most of the remittances were made as per the rates posted on the website.
A number of organizations deploy a data integrity solution to perform origin authentication and verify that the traffic is originating from the source that should be sending it.
Data at rest and in transit is actually performing a task for the organization. As long as this data or information is accessible to authorized and authenticated users, the task can be performed. The moment an incident interrupts the access, preventing the users from performing their tasks, the availability goal of network security is breached.
There have been a number of high-profile examples of availability compromise in the past, as shown in the following:
On April 26, 2007, Estonia, a small Baltic state experienced a wave of denial-of-service (DoS) attacks. These cyber attacks were launched as a protest against the Estonian government's removal of the Bronze Soldier monument in Tallinn. This was erected in 1947 as a Soviet World War II war monument. The effect was felt on a number of institutions, including banks, government, and universities, taking the network resources offline. This attack lasted for three weeks and shook the whole country. In fact, one of the repercussions of this attack was the formation of the US government's policy on cyber war.
A very popular example was demonstrated in the movie Die Hard 4—Live Free or Die Hard—where super cop, John McClane took on an Internet-based terrorist, who worked at systematically attacking and shutting down the United States government, transport, and economy. This movie is widely credited for adding the word Fire Sale to the vocabulary of the common man in a cyber context.
Today, some of the most common attacks compromising the availability goal are flood attacks, logic/software attacks, mail bombing, DoS attacks, accidental DoS attacks, and distributed denial-of-service (DDoS) attacks.
Just as all humans have weaknesses, networks too have weaknesses. These are known as vulnerabilities. Vulnerability, in an information system, is a weakness that an attacker leverages to gain unauthorized access to the system or its data.
The usual modus operandi to take advantage of a network vulnerability is to write a program that does this. These kind of programs are called exploits. Most exploits are malicious in nature. As the name suggests, an exploit is meant to exploit the system's weakness.
Vulnerabilities can be of many types. Some examples are shown as follows:
Physical vulnerabilities or natural disasters (such as, the tsunami in Southeast Asia)
Network design vulnerabilities
Network configuration vulnerabilities
Targeted vulnerabilities such as malicious software
Standard operating procedure/controls vulnerabilities
Physical security vulnerabilities
As we are all aware, a chain is only as strong as its weakest link. In the case of network security, the weakest link is usually human. Statistics show that an insider usually launches the most amount of attacks against information assets. Thus, most organizations set up controls to prevent insider abuse.
For a moment, let's flashback to the Locard's exchange principle section. To reiterate, it basically expounds that every contact leaves a trace. What this means, in the digital context, is that all interactions with the digital system/network will leave some sort of an artifact/data behind as evidence of this event. These artifacts are known as digital footprints. They are of the following two types:
Passive digital footprints are created by the system without the knowledge of the user, such as in the case of pasting passwords from a file to an application evidence or copies can be found in the volatile memory. Cookies are another example of this.
The user creates active digital footprints deliberately, such as in the case of a Facebook post, sending an e-mail, or storing and transmitting pictures.
These will usually exist and can be recovered from the following:
Disk space including logs
Network traffic capture
Our journey into the realm of network forensics has begun. We started out by identifying the characteristics that would make us 007 in the network forensics world. This was followed by learning about the TAARA methodology for investigations. We also learned about the various threats to an enterprise while strengthening our technical fundamentals. By the end of the chapter, we deepened our understanding of network security as well as network forensics.
In the next chapter, we will learn how to identify the different sources of evidence that are essential for a network forensic investigation. We will also learn how to collect and safely handle the evidence. So...let's get started!!!