Using network forensics to track a security breach
It goes without saying that you have a firewall and other perimeter defenses in place to ward off intruders. But those defenses can sometimes be defeated by novel attacks from the outside, and they do nothing to fend off attacks that originate inside the network. Existing security deployments look for known threats or vulnerabilities and miss new, unknown threats. Use the Forensic Analysis tab to find all of these and to research and identify the sources of “zero-day” attacks.
Imagine the following scenario. Over the weekend, seemingly random security anomalies began to target your DMZ. Your intrusion protection system (IPS) detected and repelled these attacks. During the same time frame, and unnoticed by the IPS/IDS, a brute force attack against the default “Admin” account on your VPN concentrator succeeded. Once the intruder was beyond your perimeter, which was accomplished using a newly created VPN account, Trojan applications installed remote control utilities and keystroke loggers. Subsequent malicious activity using these utilities was carried out against other internal systems.
How do you identify what happened and when it happened? How do you identify who was affected?
1. Isolate the time frame over the weekend when you noticed the attacks against your DMZ, and collect all of the internal activity over the next few days. In the Detail Chart of the GigaStor Control Panel, select the period from when you noticed the attacks through the next few days. Change the time resolution, if necessary, to zoom out (or in) so that the relevant data is highlighted. See Selecting a time frame to analyze.
2. Using current Snort rules, click the Analyze button. See Importing Snort rules.
3. Search the decoded packets for possible exploits, internal denial-of-service attacks, and key logging.
4. If you find anything suspicious, navigate into the individual frames to isolate data that was transferred under false pretenses.
5. Use Connection Dynamics in Observer to track the path that the intruder took across your network. Identify all infrastructure systems that were affected and potentially compromised.
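As an added illustration that is not part of the Observer/GigaStor documentation, the following Python script applies the same two ideas, isolating the window in which the “Admin” account was brute-forced and then following the intruder's connections forward in time to list the internal systems reached, to a constructed set of records; the record layout, event names, account name and addresses are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (not Observer/GigaStor output): (timestamp, event, src,
# dst, detail), where detail is the account for VPN events or the port for connections.
RECORDS = [
    ("2023-06-03 02:14:01", "vpn_auth_fail", "203.0.113.7", "10.0.0.1", "Admin"),
    ("2023-06-03 02:14:06", "vpn_auth_fail", "203.0.113.7", "10.0.0.1", "Admin"),
    ("2023-06-03 02:14:12", "vpn_auth_fail", "203.0.113.7", "10.0.0.1", "Admin"),
    ("2023-06-03 02:14:20", "vpn_auth_ok",   "203.0.113.7", "10.0.0.1", "Admin"),
    ("2023-06-03 02:14:21", "vpn_session",   "203.0.113.7", "10.8.0.5", "Admin"),
    ("2023-06-03 02:16:05", "conn", "10.8.0.5",  "10.0.1.20", "445"),
    ("2023-06-03 02:30:11", "conn", "10.0.1.20", "10.0.1.21", "3389"),
    ("2023-06-03 02:31:40", "conn", "10.0.1.21", "10.0.1.22", "22"),
    ("2023-06-01 18:00:00", "conn", "10.0.1.20", "10.0.1.30", "80"),  # before the breach
]
def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
def find_brute_force(records, account, threshold=3, window=timedelta(minutes=5)):
    """(time, source_ip) of the first login on `account` that follows at least
    `threshold` failures from the same source within `window`, else None."""
    recent = {}  # source_ip -> failure timestamps still inside the window
    for t, event, src, _dst, acct in sorted(records, key=lambda r: r[0]):
        if acct != account or not event.startswith("vpn_auth"):
            continue
        when, fails = ts(t), recent.setdefault(src, deque())
        while fails and when - fails[0] > window:
            fails.popleft()
        if event == "vpn_auth_fail":
            fails.append(when)
        elif len(fails) >= threshold:
            return when, src
    return None
def trace_path(records, start_host, start_time):
    """Walk connections forward in time from start_host (Connection Dynamics style)."""
    conns = sorted((ts(t), s, d) for t, e, s, d, _ in records if e == "conn")
    reached, frontier = {start_host: start_time}, deque([start_host])
    while frontier:
        host = frontier.popleft()
        for when, src, dst in conns:  # only connections made after the host was reached
            if src == host and when >= reached[host] and dst not in reached:
                reached[dst] = when
                frontier.append(dst)
    return [h for h in reached if h != start_host]
def affected_hosts(records, account="Admin"):
    hit = find_brute_force(records, account)
    tunnel = [d for t, e, s, d, a in records if hit and e == "vpn_session"  # tunnel IP
              and s == hit[1] and a == account and ts(t) >= hit[0]]
    return trace_path(records, tunnel[0], hit[0]) if tunnel else []
```

The earlier connection from 10.0.1.20 is excluded because it predates the breach window, which is the same reason step 1 fixes the time frame before analysis.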