We've all been there: a problem in the network that calls for a network forensics analysis. But where do you start? More precisely, what hardware do you need to capture the traffic on a network link, and what do you look for once you are analyzing that data? Without answers to these questions, security breaches and other anomalies can go unnoticed in the network.
Performing a forensic analysis is a type of specialized work that requires years of expertise. You can compare it with a physician who diagnoses an illness by quickly reading the symptoms.
As a security analyst, you need to be able to quickly detect anomalies in the network by looking for the right symptoms. This, of course, comes with years of practice and the right network forensics tools.
For a correct assessment of the situation, it is important to see ALL the information that you can get. Because even the best physician, or, for that matter, a highly-skilled network engineer, cannot correctly assess the situation without 100% visibility of what is happening over the network. However, that is a topic for another article, and, if you are reading this, you probably already know which tools are needed for complete visibility into your network.
After choosing the right tools, the next step is monitoring and analyzing. Here are a few important indicators of malicious activity (event timing, DNS traffic, ARP anomalies, and SYN floods) that you should look for when performing a network forensics analysis.
Check Event Timing
Event timing, meaning the time between related events, is critical to identifying whether there is malicious activity going on in your network. Events arriving in very short intervals, say a few hundred milliseconds or even a few seconds apart, indicate that they are generated by software (bots, malware, scripts) and not by a human typing at a keyboard.
What counts as "too fast" depends on the nature of the activity, and a network administrator should have a baseline for it. Legitimate automation (monitoring probes, software updaters, browser prefetching) also produces machine-paced traffic, so the question is whether the pace and the pattern fit something that is supposed to be running on that host.
For example, dozens of DNS queries for a single name from the same source IP within a few milliseconds, or several DNS queries for a single name from many different source IPs within a few milliseconds, are patterns that point to automated scripts driven by bots or malware rather than to users.
Check DNS Traffic
Since almost every outbound connection to the internet begins with a DNS lookup, the traffic to and from your DNS server is a natural place to look. If a rogue system or a network worm in your network wants to reach hosts on the internet, its lookups will show up at the DNS server before its connections show up anywhere else.
In Wireshark, for example, filter on your DNS server's IP address (e.g. `dns && ip.dst == <resolver IP>`, or `dns.flags.response == 0` to see only queries) and look at the queries the server receives in specific time windows. An unusually high number of queries in a short time span, say a few hundred milliseconds, from the same source IP is suspicious: note the source, the names being queried, and whether the same name is asked for over and over, then dig into the packet details (query type, response codes such as NXDOMAIN, TTLs) to investigate further. A host that hammers the resolver is more often an infected client than an attacker targeting the resolver itself.
If the DNS server itself is being bombarded with a high number of requests from many sources, chances are that it is the target of a DoS attack (more details ahead).
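The two timing patterns described above (one source repeating a query at machine speed, and many sources asking for the same name in the same instant) can be checked with a sliding window over the DNS query log or the capture. The following is an added example, not code from the original article or from Profitap; the query records are constructed sample data, and the window sizes and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict, deque, Counter

# Constructed sample data (not a real capture): (timestamp in seconds, source IP, queried name).
SAMPLE_QUERIES = [
    (0.00, "10.0.0.20", "intranet.example"),   # human-paced client
    (4.10, "10.0.0.20", "mail.example"),
    (9.75, "10.0.0.20", "cdn.example"),
]
# One host repeating the same query 12 times, 5 ms apart (bot/malware pattern).
SAMPLE_QUERIES += [(20.0 + 0.005 * i, "10.0.0.77", "c2.example") for i in range(12)]
# Eight different hosts asking for one name within ~30 ms (coordinated pattern).
SAMPLE_QUERIES += [(30.0 + 0.004 * i, "10.0.1.%d" % i, "drop.example") for i in range(8)]
SAMPLE_QUERIES.sort()


def max_burst(timestamps, window):
    """Largest number of events that fall inside any `window`-second span."""
    recent = deque()
    best = 0
    for t in sorted(timestamps):
        recent.append(t)
        while t - recent[0] > window:      # drop events that fell out of the window
            recent.popleft()
        best = max(best, len(recent))
    return best


def burst_per_source(queries, window=0.5, threshold=10):
    """(source, name) pairs where one source repeats a name >= threshold times within `window`."""
    by_key = defaultdict(list)
    for ts, src, name in queries:
        by_key[(src, name)].append(ts)
    flagged = {}
    for key, ts_list in by_key.items():
        n = max_burst(ts_list, window)
        if n >= threshold:
            flagged[key] = n
    return flagged


def coordinated_sources(queries, window=0.5, min_sources=5):
    """Names asked for by >= min_sources distinct sources within any `window`-second span."""
    by_name = defaultdict(list)
    for ts, src, name in queries:
        by_name[name].append((ts, src))
    flagged = {}
    for name, events in by_name.items():
        events.sort()
        recent = deque()
        live = Counter()        # distinct sources currently inside the window
        best = 0
        for ts, src in events:
            recent.append((ts, src))
            live[src] += 1
            while ts - recent[0][0] > window:
                old_ts, old_src = recent.popleft()
                live[old_src] -= 1
                if live[old_src] == 0:
                    del live[old_src]
            best = max(best, len(live))
        if best >= min_sources:
            flagged[name] = best
    return flagged


if __name__ == "__main__":
    print("repeating sources :", burst_per_source(SAMPLE_QUERIES))
    print("coordinated names :", coordinated_sources(SAMPLE_QUERIES))
```

The human-paced client never trips either check, the single host repeating `c2.example` is reported by `burst_per_source`, and `drop.example` is reported by `coordinated_sources`. In practice you would feed the function the output of `tshark -T fields -e frame.time_epoch -e ip.src -e dns.qry.name` rather than the constructed list.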
Check for Man-in-the-Middle Attacks
This is one of the most common attacks executed inside an enterprise network. In a Man-in-the-Middle (MitM) attack, a rogue system inserts itself between two trusted systems and hijacks their conversation so that all traffic between them passes through the rogue system. The two trusted systems believe they are communicating directly with each other, whereas, in reality, they are communicating via the attacker.
This allows the rogue system not only to read the entire conversation, but also to modify it. The most common way to execute a MitM attack on a LAN is ARP spoofing, also known as ARP cache poisoning. The attacker sends forged ARP replies (often unsolicited, and repeated so that caches stay poisoned) that associate the attacker's MAC address with the IP address of a trusted system, e.g. the default gateway, the DNS server, or the DHCP server, depending on the attack plan.
Using the filter option of your monitoring software, show only ARP packets (in Wireshark, `arp`, or `arp.opcode == 2` for replies only). A large quantity of ARP traffic, in particular replies that nobody asked for, is suspicious: in a running network where the trusted systems already have the IP-to-MAC mappings in their caches, you should not see a long stream of ARP messages. The telltale sign is one IP address being claimed by two different MAC addresses; Wireshark flags this itself with the expert info filter `arp.duplicate-address-detected`. Check the sender MAC and sender IP fields of those replies and compare them with the known MAC of the gateway or server. Keep in mind that a legitimate NIC replacement or a redundancy protocol such as VRRP/HSRP also changes the MAC behind an IP, so confirm against the inventory before calling it an attack.
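To show what the duplicate-mapping check actually does at the byte level, here is an added example (not code from the original article or from Profitap) that parses raw Ethernet/ARP frames with the standard library and reports every IP address claimed by more than one MAC, plus how many replies each MAC sent. The frames are constructed inline; the addresses are made up.

```python
import struct
from collections import defaultdict, Counter

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def _mac(s):
    return bytes.fromhex(s.replace(":", ""))


def _ip(s):
    return bytes(int(o) for o in s.split("."))


def build_arp(src_mac, sender_mac, sender_ip, target_mac, target_ip, op,
              dst_mac="ff:ff:ff:ff:ff:ff"):
    """Construct a raw Ethernet + ARP frame. Used here only to fabricate sample traffic."""
    eth = _mac(dst_mac) + _mac(src_mac) + struct.pack("!H", ETHERTYPE_ARP)
    # htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of an Ethernet frame, or None if it is not a well-formed IPv4 ARP."""
    if len(frame) < 42:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    fmt_mac = lambda b: ":".join("%02x" % x for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": op,
        "sender_mac": fmt_mac(frame[22:28]),
        "sender_ip": fmt_ip(frame[28:32]),
        "target_mac": fmt_mac(frame[32:38]),
        "target_ip": fmt_ip(frame[38:42]),
    }


def find_conflicts(frames):
    """IP addresses that appear as ARP sender IP with more than one sender MAC."""
    claims = defaultdict(set)
    for frame in frames:
        p = parse_arp(frame)
        if p is not None:
            claims[p["sender_ip"]].add(p["sender_mac"])
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def reply_counts(frames):
    """Number of ARP replies sent per sender MAC; a poisoner repeats replies to keep caches poisoned."""
    counts = Counter()
    for frame in frames:
        p = parse_arp(frame)
        if p is not None and p["op"] == ARP_REPLY:
            counts[p["sender_mac"]] += 1
    return counts


# Constructed sample (assumed addresses): gateway 10.0.0.1 is really aa:aa:aa:aa:aa:01,
# the attacker cc:cc:cc:cc:cc:66 keeps telling the victim 10.0.0.42 that it is the gateway.
GATEWAY_MAC, VICTIM_MAC, ATTACKER_MAC = "aa:aa:aa:aa:aa:01", "bb:bb:bb:bb:bb:42", "cc:cc:cc:cc:cc:66"
SAMPLE_FRAMES = [
    build_arp(VICTIM_MAC, VICTIM_MAC, "10.0.0.42", "00:00:00:00:00:00", "10.0.0.1", ARP_REQUEST),
    build_arp(GATEWAY_MAC, GATEWAY_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.42", ARP_REPLY, dst_mac=VICTIM_MAC),
] + [
    build_arp(ATTACKER_MAC, ATTACKER_MAC, "10.0.0.1", VICTIM_MAC, "10.0.0.42", ARP_REPLY, dst_mac=VICTIM_MAC)
    for _ in range(5)
]

if __name__ == "__main__":
    print("conflicting claims:", find_conflicts(SAMPLE_FRAMES))
    print("replies per MAC   :", reply_counts(SAMPLE_FRAMES))
```

With a real capture, read the frames from a pcap (e.g. with the `dpkt` or `scapy` packages) and feed them to `find_conflicts`; a known-good IP-to-MAC inventory lets you go one step further and name the MAC that is lying.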
Check for DoS (DDoS) Attacks
This is also one of the most common attacks today, launched either from inside the network or from the internet. The aim of a DoS (Denial of Service) attack is to consume the resources of a machine or network until they are unavailable to legitimate users. Internet-facing web servers are the usual targets, because taking them down suspends the service everyone can see.
In the classic SYN flood, the rogue system bombards the target with TCP SYN segments requesting new connections, with a forged (spoofed) source address in each one. The server answers every SYN with a SYN-ACK and allocates a half-open connection entry while it waits for the final ACK of the three-way handshake.
That ACK never comes, because the host at the spoofed address never sent the SYN. If the spoofed address is unused or unreachable, the SYN-ACK is simply lost and the entry stays half-open until it times out. If a live host receives the unexpected SYN-ACK, it replies with a RST, which frees the entry, so attackers prefer addresses that will not answer.
Either way the server's connection backlog fills with incomplete connections, and once it is saturated, new SYNs from real clients are dropped. (A server using SYN cookies does not keep half-open state and survives the backlog exhaustion, but the flood still consumes bandwidth and CPU, so the pattern on the wire is the same.)
To quickly identify whether a SYN flood is happening, filter on TCP in your analysis tool; in Wireshark, `tcp.flags.syn == 1 && tcp.flags.ack == 0` shows only the initial SYNs. Then open the flow graph (Statistics > Flow Graph), which draws the TCP exchanges as arrows between source and destination. A large number of SYNs toward the server with either no reply from it, or only SYN-ACKs and never the completing ACK from the client, is the signature of a SYN flood. Statistics > Conversations tells you how many sources are involved.
If the stream of SYNs comes from a single source IP, you are looking at a DoS attack. If it comes from many source IPs, it is a DDoS (Distributed Denial of Service) attack, in which many rogue systems attack one target at the same time; this is harder to block than a single-source attack, because there is no one address to filter. Note that with spoofed sources a single attacker also looks like many, so the source count tells you how to filter, not how many attackers there are. More about how monitoring tools can help you prevent DDoS attacks here.
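The half-open count that the flow graph lets you eyeball can also be computed: track each TCP four-tuple through the handshake and report, per listening port, how many connections completed, how many are stuck half-open, and how many distinct sources the half-open ones come from. This is an added example, not code from the original article or from Profitap; the packet records are constructed sample data and the threshold is an assumption to tune against your server's normal backlog.

```python
from collections import defaultdict

# Constructed sample records (not a real capture):
# (timestamp, src_ip, src_port, dst_ip, dst_port, flags)  flags: S=SYN, A=ACK, R=RST
SERVER = "192.0.2.10"
SAMPLE_RECORDS = []
# Three legitimate, completed handshakes to port 22.
for i, client in enumerate(["10.0.0.20", "10.0.0.21", "10.0.0.22"]):
    port = 50000 + i
    SAMPLE_RECORDS += [
        (1.0 + i, client, port, SERVER, 22, "S"),
        (1.01 + i, SERVER, 22, client, port, "SA"),
        (1.02 + i, client, port, SERVER, 22, "A"),
    ]
# Single source firing 60 SYNs at port 80; the server answers SYN-ACK, nobody completes.
for i in range(60):
    SAMPLE_RECORDS.append((10.0 + 0.001 * i, "203.0.113.9", 40000 + i, SERVER, 80, "S"))
    SAMPLE_RECORDS.append((10.0005 + 0.001 * i, SERVER, 80, "203.0.113.9", 40000 + i, "SA"))
# 40 spoofed sources each sending one SYN at port 443 that is never completed.
for i in range(40):
    SAMPLE_RECORDS.append((20.0 + 0.001 * i, "198.51.100.%d" % (i + 1), 1024 + i, SERVER, 443, "S"))
# One live spoofed host answers the unexpected SYN-ACK with a RST, which clears that entry.
SAMPLE_RECORDS.append((20.05, "198.51.100.1", 1024, SERVER, 443, "R"))
SAMPLE_RECORDS.sort(key=lambda r: r[0])


def track_handshakes(records):
    """Follow the three-way handshake per (src, sport, dst, dport); return the final state of each."""
    state = {}   # client four-tuple -> "syn" | "synack" | "established"
    for ts, src, sport, dst, dport, flags in records:
        key = (src, sport, dst, dport)          # as sent by the client
        rev = (dst, dport, src, sport)          # the client-side tuple, when the server sends
        if "R" in flags:                         # RST from either side tears the entry down
            state.pop(key, None)
            state.pop(rev, None)
        elif "S" in flags and "A" not in flags:  # client SYN opens a half-open entry
            state[key] = "syn"
        elif "S" in flags and "A" in flags:      # server SYN-ACK: still half-open, waiting for ACK
            if state.get(rev) == "syn":
                state[rev] = "synack"
        elif "A" in flags:                       # client ACK completes the handshake
            if state.get(key) == "synack":
                state[key] = "established"
    return state


def syn_flood_report(records, half_open_threshold=20):
    """Per (server IP, port): established count, half-open count, distinct half-open sources, verdict."""
    per_port = defaultdict(lambda: {"established": 0, "half_open": 0, "sources": set()})
    for (src, sport, dst, dport), st in track_handshakes(records).items():
        entry = per_port[(dst, dport)]
        if st == "established":
            entry["established"] += 1
        else:
            entry["half_open"] += 1
            entry["sources"].add(src)
    report = {}
    for key, entry in per_port.items():
        if entry["half_open"] < half_open_threshold:
            verdict = "normal"
        elif len(entry["sources"]) == 1:
            verdict = "dos"        # one address to block
        else:
            verdict = "ddos"       # many addresses; may still be one attacker spoofing
        report[key] = {"established": entry["established"], "half_open": entry["half_open"],
                       "sources": len(entry["sources"]), "verdict": verdict}
    return report


if __name__ == "__main__":
    for key, r in sorted(syn_flood_report(SAMPLE_RECORDS).items()):
        print(key, r)
```

Port 22 shows three established connections and no backlog, port 80 shows 60 half-open entries from one source, and port 443 shows 39 half-open entries from 39 sources (the fortieth was cleared by the RST from the live host, exactly the case described above). Feeding it a real capture is a matter of exporting `frame.time_epoch`, `ip.src`, `tcp.srcport`, `ip.dst`, `tcp.dstport` and `tcp.flags.str` from `tshark`.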
In any case, as we mentioned in the beginning of this article, your cybersecurity team needs...
... the right network forensics tool to have full access to the network in order to properly assess the situation and act accordingly. An industry favorite is our range of ProfiShark portable network TAPs. Loved for its compact design, ease of use, and high performance, a ProfiShark is an asset for anyone performing network analyses.
Interested in finding why cybersecurity is such a challenge these days? Then read this article.