Using Network Forensics To Track A Security Breach; Using Network Forensics To Track Acceptable Use Or Compliance - Network Instruments GigaStor User Manual


Using network forensics to track a security breach

Your firewall and other perimeter defenses ward off most intruders, but a novel attack from outside can defeat them, and they do nothing against attacks that originate inside the network. Signature-based deployments look for known threats and vulnerabilities and can miss new, unknown ones. The Forensic Analysis tab lets you run current rules over traffic that has already been captured, so you can find these attacks after the fact and research the source of a zero-day attack.
Imagine the following scenario. Over the weekend, seemingly random attacks began against your DMZ. Your intrusion prevention system (IPS) detected and repelled them. During the same time frame, and unseen by the IPS/IDS, a brute-force attack against the default "Admin" account on your VPN concentrator succeeded. Once past your perimeter, which they achieved using a newly created VPN account, the intruders installed Trojan applications carrying remote control utilities and keystroke loggers, and then used those utilities against other internal systems.
How do you identify what happened and when it happened? How do you identify who was affected?
1. Isolate the time frame over the weekend when you noticed the attacks against your DMZ, and collect all internal activity over the following days. In the Detail Chart of the GigaStor Control Panel, select the period from the first attack through the next few days; change the time resolution, if necessary, to zoom out (or in) until the whole period is highlighted. See Selecting a time frame to analyze.
2. With current Snort rules loaded, click the Analyze button. See Importing Snort rules.
3. Search the decoded packets for possible exploits, internal denial-of-service attacks, and keystroke logging.
4. If you find anything suspicious, drill into the individual frames to isolate the data that was transferred under false pretenses.
5. Use Connection Dynamics in Observer to track the path the intruder took across your network, and identify every infrastructure system that was touched and potentially compromised.
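The five steps above, carried through on a constructed capture as an added example. This is not code from the GigaStor manual or from Network Instruments; it stands in for the GUI actions (the time-window selection, the threshold rule a Snort pass would apply to the VPN logins, the frame inspection, and the Connection Dynamics walk). The addresses, ports, timestamps, the `tunnel=` token in the decoded login frame and the list of remote-control ports are all assumptions.

```python
"""Retroactive breach tracking over a captured-traffic store.

Added example: not code from the GigaStor manual or from Network Instruments.
It carries the five steps through on a constructed set of decoded events:
(1) isolate a time window, (2-3) run a brute-force threshold rule over the VPN
logins, (4) read the tunnel address out of the offending frame, (5) follow the
intruder's connections hop by hop. Every address, port, timestamp and event
name below is invented.
"""
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    dport: int
    kind: str          # "auth_fail", "auth_ok" or "flow"
    user: str = ""     # account name on auth events
    detail: str = ""   # decoded payload summary

def T(s):
    return datetime.fromisoformat(s)

VPN = "203.0.113.10"   # the VPN concentrator (constructed)
CAPTURE = [            # constructed weekend capture, deliberately not in time order
    Event(T("2014-04-12T02:12:00"), "10.8.0.5", "10.1.2.21", 3389, "flow", detail="RDP"),
    Event(T("2014-04-12T02:00:01"), "198.51.100.7", VPN, 443, "auth_fail", "Admin"),
    Event(T("2014-04-12T02:00:20"), "198.51.100.7", VPN, 443, "auth_fail", "Admin"),
    Event(T("2014-04-12T02:00:45"), "198.51.100.7", VPN, 443, "auth_fail", "Admin"),
    Event(T("2014-04-12T02:01:10"), "198.51.100.7", VPN, 443, "auth_fail", "Admin"),
    Event(T("2014-04-12T02:01:50"), "198.51.100.7", VPN, 443, "auth_fail", "Admin"),
    Event(T("2014-04-12T02:03:40"), "198.51.100.7", VPN, 443, "auth_ok", "Admin", "tunnel=10.8.0.5"),
    Event(T("2014-04-12T01:00:00"), "10.1.2.21", "10.1.4.40", 445, "flow", detail="SMB"),  # pre-compromise
    Event(T("2014-04-12T02:10:00"), "10.8.0.5", "10.1.2.20", 445, "flow", detail="SMB write"),
    Event(T("2014-04-13T11:00:00"), "10.1.2.20", "10.1.3.30", 5900, "flow", detail="VNC"),
    Event(T("2014-04-13T11:05:00"), "10.1.2.20", "10.1.2.99", 80, "flow", detail="HTTP GET"),
]

def select_window(events, start, end):
    """Step 1: keep only events inside [start, end], ordered by time."""
    return sorted((e for e in events if start <= e.ts <= end), key=lambda e: e.ts)

def detect_bruteforce(events, target, user, max_fail=5, within=timedelta(minutes=10)):
    """Steps 2-3: a Snort-style threshold rule. Flag a source that fails at least
    max_fail logins for `user` on `target` inside `within`, then succeeds.
    Returns [(source_ip, success_event), ...]."""
    hits, fails = [], {}            # fails: source -> recent failure timestamps
    for e in events:
        if e.dst != target or e.user != user or e.kind not in ("auth_fail", "auth_ok"):
            continue
        q = fails.setdefault(e.src, deque())
        while q and e.ts - q[0] > within:   # slide the window forward
            q.popleft()
        if e.kind == "auth_fail":
            q.append(e.ts)
        elif len(q) >= max_fail:
            hits.append((e.src, e))
            q.clear()
    return hits

def tunnel_address(ok_event):
    """Step 4: pull the tunnel address the concentrator assigned out of the
    successful login frame (constructed 'tunnel=<ip>' token in the detail)."""
    for tok in ok_event.detail.split():
        if tok.startswith("tunnel="):
            return tok.split("=", 1)[1]
    return None

LATERAL_PORTS = {22, 445, 3389, 5900, 5985}   # remote-control channels (assumption)

def trace_path(events, origin, since, ports=LATERAL_PORTS):
    """Step 5: connection dynamics. Breadth-first walk over flows that leave each
    compromised host after the moment it was compromised, on remote-control ports.
    Returns {host: (hop_count, first_seen)} including the origin at hop 0."""
    reached, queue = {origin: (0, since)}, deque([origin])
    while queue:
        host = queue.popleft()
        hops, t0 = reached[host]
        for e in events:
            if (e.kind == "flow" and e.src == host and e.dport in ports
                    and e.ts >= t0 and e.dst not in reached):
                reached[e.dst] = (hops + 1, e.ts)
                queue.append(e.dst)
    return reached

def investigate(capture, start, end, vpn, user="Admin"):
    """Run the whole procedure; one report entry per successful brute force."""
    window = select_window(capture, start, end)
    report = []
    for src, ok in detect_bruteforce(window, vpn, user):
        tunnel = tunnel_address(ok)
        hosts = trace_path(window, tunnel, ok.ts)
        report.append({"attacker": src, "login_at": ok.ts, "tunnel": tunnel,
                       "affected": sorted(h for h in hosts if h != tunnel)})
    return report
```

Calling `investigate(CAPTURE, T("2014-04-12T00:00:00"), T("2014-04-15T00:00:00"), VPN)` on the constructed capture reports one attacker, the tunnel address it was handed, and the three internal hosts reached through remote-control ports after the login; the SMB flow from 10.1.2.21 at 01:00 is not counted because it predates that host's compromise, and the HTTP flow is not counted because port 80 is not in the remote-control list. Narrowing the window so that the failed logins fall outside it makes the rule miss the success entirely, which is why step 1 starts the selection before the first DMZ anomaly rather than at the time of the successful login.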

Using network forensics to track acceptable use or compliance

Note:
Stream reconstruction (including VoIP) is illegal in some jurisdictions and may be disabled by Network Instruments to comply with those laws.
Your company likely has an "acceptable use" policy for its network. As a network administrator, you may be
asked to track a specific person's internet use. The challenge of tracking web user activity is that it can provide
50 | GigaStor™ (pub. 25.Apr.2014)
addresses and ports. You can edit a variable definition by double-clicking the variable you want to edit.
The VRT Rule Set variable settings (and those of most publicly distributed rule sets) work on any network without modification, but you can dramatically improve performance by customizing these variables to match the network being monitored. For example, the VRT rules define HTTP servers as any, so every host is treated as a possible web server and much unnecessary processing happens at runtime.
Address variables can reference another variable, or specify an IP address or network, or a list of either; Observer accepts IPv6 addresses in these variables. Port variables can reference another variable, or specify a port or a range of ports.
To change a variable, double-click its entry. The Edit Forensic Variable dialog shows a number of examples of each type of variable that you can use as a template when changing address and port values.
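As an added example (not the manual's or Network Instruments' code), a small resolver for the variable syntax described above: it follows references between variables, accepts addresses and CIDR blocks in IPv4 and IPv6, ports and port ranges, nested lists and negation, and shows concretely why the stock any for HTTP servers makes every host a candidate for inspection. The variable names other than the stock ones, the networks and the host list are constructed.

```python
"""Resolving Snort-style address and port variables.

Added example: not code from the GigaStor manual or from Network Instruments.
It parses the variable syntax the text describes (references to other
variables, addresses or CIDR blocks including IPv6, ports and port ranges,
lists of any of these, and negation) and shows why an HTTP_SERVERS of "any"
makes every host a candidate while a definition fitted to the network does
not. The definitions, networks and host addresses below are constructed.
"""
import ipaddress

def split_list(text):
    """'[a, [b, c], d]' -> ['a', '[b, c]', 'd']; a bare 'a' -> ['a']."""
    text = text.strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    items, depth, cur = [], 0, ""
    for ch in text:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            items.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        items.append(cur.strip())
    return items

def parse_ports(spec):
    """'80' -> range(80, 81); '8000:8080', ':1023' and '1024:' -> inclusive ranges."""
    if ":" in spec:
        lo, hi = spec.split(":", 1)
        return range(int(lo or 0), int(hi or 65535) + 1)
    return range(int(spec), int(spec) + 1)

class VarSet:
    """Union of terms (match_all, includes, excludes): a value matches a term when it
    is in some include (or match_all is set) and in no exclude. Includes and excludes
    are anything supporting `in`: ip_network objects for addresses, ranges for ports."""
    def __init__(self, terms=()):
        self.terms = list(terms)

    def contains(self, value):
        return any((m or any(value in c for c in inc)) and not any(value in c for c in exc)
                   for m, inc, exc in self.terms)

    def negated(self):
        # "!X" means everything except X's members; only plain lists are negatable.
        if any(m or exc for m, _, exc in self.terms):
            raise ValueError("only plain address/port lists can be negated")
        return VarSet([(True, [], [c for _, inc, _ in self.terms for c in inc])])

class Variables:
    """ipvar/portvar definitions, resolved on demand by following references."""
    def __init__(self, lines=()):
        self.defs = {}
        for line in lines:
            kind, name, value = line.split(None, 2)   # "ipvar HOME_NET [10.0.0.0/8]"
            if kind not in ("ipvar", "portvar"):
                raise ValueError("unsupported definition: " + line)
            self.defs[name] = (kind, value.strip())

    def resolve(self, name, _seen=()):
        if name in _seen:
            raise ValueError("circular reference: " + " -> ".join(_seen + (name,)))
        kind, value = self.defs[name]
        return self._parse(kind, value, _seen + (name,))

    def _parse(self, kind, text, seen):
        out = VarSet()
        for item in split_list(text):
            neg = item.startswith("!")
            item = item[1:].strip() if neg else item
            if item == "any":
                sub = VarSet([(True, [], [])])
            elif item.startswith("$"):                 # reference to another variable
                if self.defs[item[1:]][0] != kind:
                    raise ValueError(item + " is not a " + kind)
                sub = self.resolve(item[1:], seen)
            elif item.startswith("["):                 # nested list
                sub = self._parse(kind, item, seen)
            elif kind == "ipvar":
                sub = VarSet([(False, [ipaddress.ip_network(item, strict=False)], [])])
            else:
                sub = VarSet([(False, [parse_ports(item)], [])])
            out.terms += (sub.negated() if neg else sub).terms
        return out

# Constructed definitions: the stock "any" next to a definition fitted to this network.
DEFS = ["ipvar HOME_NET [10.0.0.0/8, 2001:db8:1::/48]",
        "ipvar EXTERNAL_NET !$HOME_NET",
        "ipvar HTTP_SERVERS_STOCK any",
        "ipvar HTTP_SERVERS [10.0.1.0/24, 2001:db8:1:80::/64]",
        "portvar HTTP_PORTS [80, 8000:8080, 8443]",
        "portvar SHELLCODE_PORTS !80"]
HOSTS = ["10.0.1.7", "10.0.9.9", "2001:db8:1:80::5", "192.0.2.3"]   # constructed

def candidate_servers(variables, name, hosts):
    """Hosts whose traffic a rule using $name as its destination must be run against."""
    addrs = variables.resolve(name)
    return [h for h in hosts if addrs.contains(ipaddress.ip_address(h))]

def port_matches(variables, name, port):
    return variables.resolve(name).contains(port)
```

With these definitions, `candidate_servers(Variables(DEFS), "HTTP_SERVERS_STOCK", HOSTS)` returns every host in HOSTS, while `"HTTP_SERVERS"` returns only the two inside the defined server ranges; that difference is the work saved on every HTTP rule at runtime. Negation is deliberately limited to plain lists (`!$HOME_NET`, `!80`): negating a variable that itself contains `any` or a negation has no single obvious meaning, and the resolver refuses rather than guess. A reference from a portvar to an ipvar, or a cycle of references, is rejected at resolution time.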
