Data Forensics: A New Frontier in Malware Prevention and Detection

Companies devote around 90 percent of their cybersecurity resources to prevention and detection. Through regular patching and other basic prevention measures, network and security teams are keeping the world’s malware at bay and detecting ransomware before it wreaks serious havoc. Good job, team.


That’s not the case, is it? If only it were so! Organizations are spending the lion’s share of their time and resources on prevention and detection, but there has not been a commensurate decrease in cyber attacks. Network teams now spend 80 percent more time on security than ever before. However, in 2016, the Microsoft Security Intelligence Report found that within a year, high-complexity vulnerabilities had more than doubled. That’s before any mention of WannaCry and Petya/NotPetya, arguably the most notable global attacks in 2017. It is no wonder enterprises feel as though they are fighting a losing battle.

The other 10 percent of security spending goes to what is referred to as remediation. It includes network forensics that provide information about the “DNA” of an attack and addresses any impact that attack may have had on the network. By looking directly at the wire or packet data, enterprises can learn a surprising amount about the state of their network, but it is an often-overlooked area. Packets contain a wealth of information that even a cybercriminal cannot alter. Packets never lie, which is why packet data is even admissible in court as evidence.

In practice, data forensics can sound an early warning that something is amiss. It gives network teams the insight and ammunition to seek and destroy attacks at the source. Of course, all network security approaches need to work in tandem with basic cybersecurity measures including updating patches and exercising caution with suspicious looking emails, websites and attachments. With the recent Equifax breach, we learned the company had two months to patch the critical Apache Struts bug that ended up costing 143 million U.S. consumers their personal data. Hackers began targeting the vulnerability within 72 hours of disclosure.

The advantage of data forensics over the more traditional prevention and detection measures is that it can help detect previously unknown attack vectors and signatures. When cybercriminals concoct the latest piece of malware packed with new exploits, they effectively bypass the systems enterprises put in place to trip them up.

Network forensics from packets can reveal incredible detail about malware and allows enterprises to answer the who, what, where, and when of an attack. Organizations not only get a high-level view of the threat, but packets allow security teams to troubleshoot, isolate and identify problems affecting the network. Information that packets reveal includes propagation mechanisms, attack vectors and type of breach, while pinpointing the exfiltration path of stolen data even when it is encrypted.

Data forensics offers a next-generation approach to catching out the cybercriminals. What can enterprises learn from packets?

  1. Trace back to source: Packet analysis allows enterprises to identify the first computer attacked. By studying how and why it was compromised, security teams can gather intelligence to track the malware and fine tune firewalls and endpoint security.
  2. Set rules: Did you know that packet analysis would have detected Petya/NotPetya’s elusive maneuvers? Packets allow security teams to set alerts on SMB and other protocols that carry commands requesting the deletion of large quantities of files, which is exactly how WannaCry and Petya managed to infect so many machines without detection.
  3. Know your ‘normal’: Abnormal traffic behavior should set off alarm bells and raise concerns of a breach. The more you know about the network, the more you can be protected, proactive and prepared.
  4. Nowhere to hide: The 2017 Mandiant M-Trends report highlighted that the median time for attackers to stay undetected from breach to discovery was 99 days. The good news is that the year before it was 146 days. With packet analysis, security teams can retrospectively analyze the data from the time of an incident to track the breach—and then search and destroy the malware faster.
  5. Manage the data deluge: Some security teams at enterprises and data centers find it close to impossible to pinpoint malware, owing to the astronomically high volumes of data traveling on their networks. With the help of appliances, security teams can capture and store up to a petabyte of data and identify the exact moment a problem occurred to troubleshoot network issues.
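Items 1 through 3 above describe a packet-derived rule (a burst of file-deletion commands over SMB from one host against many peers), a baseline of what is normal, and tracing the first compromised machine. The following is an added example, not code from the article or from Viavi: it runs a sliding-window rule over constructed SMB2 operation summaries of the kind a capture decoder would emit, flags hosts whose destructive-operation rate exceeds an assumed threshold, and names the earliest alerting host as the candidate first victim. The command names, record layout, thresholds and addresses are all assumptions made for the example.

```python
from collections import defaultdict, deque
from typing import NamedTuple

# SMB2 command/detail pairs treated as destructive (assumed labels a decoder
# might assign; a delete disposition or an overwrite/delete-on-close create).
DESTRUCTIVE = {
    ("SET_INFO", "FILE_DISPOSITION_INFO:delete"),
    ("CREATE", "FILE_DELETE_ON_CLOSE"),
    ("CREATE", "FILE_OVERWRITE_IF"),
}


class SmbOp(NamedTuple):
    ts: float      # seconds since capture start
    src: str       # client address
    dst: str       # file server address
    command: str   # SMB2 command name
    detail: str    # decoded disposition/flags, "" when irrelevant


class Alert(NamedTuple):
    ts: float
    src: str
    count: int
    targets: tuple


def destructive_burst_alerts(ops, window_s=60.0, threshold=20, min_targets=2):
    """Alert once per source that issues >= threshold destructive SMB operations
    against >= min_targets distinct hosts inside a window_s-second window.
    A single host deleting files on one server stays below the rule, so the
    'normal' administrative baseline does not fire it. Thresholds are assumed."""
    recent = defaultdict(deque)   # src -> deque of (ts, dst) inside the window
    alerted = set()
    alerts = []
    for op in sorted(ops, key=lambda o: o.ts):
        if (op.command, op.detail) not in DESTRUCTIVE:
            continue
        q = recent[op.src]
        q.append((op.ts, op.dst))
        while q and op.ts - q[0][0] > window_s:   # drop ops outside the window
            q.popleft()
        targets = {d for _, d in q}
        if len(q) >= threshold and len(targets) >= min_targets and op.src not in alerted:
            alerted.add(op.src)
            alerts.append(Alert(op.ts, op.src, len(q), tuple(sorted(targets))))
    return alerts


def probable_first_host(alerts):
    """Trace back: the earliest source to trip the rule is the first candidate
    for the initially compromised machine (item 1 above)."""
    return min(alerts, key=lambda a: a.ts).src if alerts else None


def sample_ops():
    """Constructed capture summary: benign admin deletes, benign reads, and two
    hosts that start deleting or overwriting files on many peers in quick succession."""
    ops = []
    for i in range(5):    # admin on .10 removes a few files on one server: normal
        ops.append(SmbOp(100 + i, "10.0.0.10", "10.0.0.50", "SET_INFO", "FILE_DISPOSITION_INFO:delete"))
    for i in range(40):   # ordinary reads from .77
        ops.append(SmbOp(150 + i, "10.0.0.77", "10.0.0.50", "READ", ""))
    for i in range(30):   # .23 overwrites files on six peers within 15 seconds
        ops.append(SmbOp(200 + i * 0.5, "10.0.0.23", f"10.0.0.{100 + i % 6}", "CREATE", "FILE_OVERWRITE_IF"))
    for i in range(25):   # .101 (one of the peers' subnet) repeats the pattern later
        ops.append(SmbOp(300 + i * 0.4, "10.0.0.101", f"10.0.0.{120 + i % 4}", "SET_INFO", "FILE_DISPOSITION_INFO:delete"))
    return ops


if __name__ == "__main__":
    found = destructive_burst_alerts(sample_ops())
    for a in found:
        print(f"t={a.ts:7.1f}s src={a.src} destructive_ops={a.count} targets={a.targets}")
    print("probable first host:", probable_first_host(found))
```

The rule keys on the operation semantics carried in the packets rather than on a malware signature, which is the point the article makes: a new sample that uses the same propagation mechanism trips it even though no blacklist entry exists yet. In a real deployment the window and thresholds would be tuned against a recorded baseline of the network's own SMB activity.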

There’s one other option being seriously considered, and that is whitelisting, which only allows traffic, based on packet profiles, from known sources. Unidentified traffic would need to go through a checkpoint of sorts to sandbox it and obtain permission before it would be allowed to enter the network. This high-level security approach is complex and could be deployed with the help of packet analysis.

Currently, most prevention and detection tools adopt a blacklist strategy to block known threats. However, with malware evolving faster than enterprises can keep up, a whitelist strategy could prove much more effective.
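To make the contrast between the two strategies concrete, here is an added example that is not code from the article or from Viavi. It learns a set of packet profiles (source subnet, destination port, protocol, client fingerprint) from constructed baseline traffic, then evaluates the same new flows under a blacklist policy and under a whitelist policy. The subnets, port numbers and fingerprint strings are assumptions; the "sandbox" verdict stands in for the checkpoint the article describes, where unknown traffic is held for inspection and approval.

```python
import ipaddress
from typing import NamedTuple

# Assumed internal subnets used to reduce a source address to a profile key.
SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.2.0/24")]

# Blacklist input: fingerprints of already-known threats (constructed value).
KNOWN_BAD = {"fp-bad-0001"}


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str        # "tcp" or "udp"
    fingerprint: str  # constructed client fingerprint (e.g. a hash of the client hello), "" if none


def profile(flow):
    """Packet profile the whitelist is keyed on. Anything outside the known
    subnets collapses to 'unknown' so it can never match a learned profile."""
    addr = ipaddress.ip_address(flow.src)
    subnet = next((str(n) for n in SUBNETS if addr in n), "unknown")
    return (subnet, flow.dport, flow.proto, flow.fingerprint)


def build_allow_list(baseline_flows):
    """Learn profiles from traffic captured while the network was known to be clean."""
    return {profile(f) for f in baseline_flows}


def blacklist_decision(flow):
    """Traditional policy: block only what is already known to be bad."""
    return "block" if flow.fingerprint in KNOWN_BAD else "allow"


def whitelist_decision(flow, allow_list):
    """Allow known profiles, block known-bad, and send everything else to the
    sandbox checkpoint instead of letting it onto the network."""
    if profile(flow) in allow_list:
        return "allow"
    if flow.fingerprint in KNOWN_BAD:
        return "block"
    return "sandbox"


def compare_policies(flows, allow_list):
    """Return (src, dport, blacklist verdict, whitelist verdict) per flow."""
    return [(f.src, f.dport, blacklist_decision(f), whitelist_decision(f, allow_list))
            for f in flows]


# Constructed baseline: workstations browsing the web and reaching a file server.
BASELINE = [
    Flow("10.0.1.15", "203.0.113.9", 443, "tcp", "fp-browser-01"),
    Flow("10.0.1.22", "203.0.113.9", 443, "tcp", "fp-browser-01"),
    Flow("10.0.1.15", "10.0.2.5", 445, "tcp", "fp-smbclient-01"),
]

# Constructed new traffic: one known-good flow, one known-bad, one never seen.
NEW_TRAFFIC = [
    Flow("10.0.1.30", "203.0.113.9", 443, "tcp", "fp-browser-01"),    # matches baseline
    Flow("10.0.1.30", "198.51.100.7", 8443, "tcp", "fp-bad-0001"),     # on the blacklist
    Flow("10.0.1.30", "10.0.1.31", 445, "tcp", "fp-new-7777"),         # novel: workstation to workstation
]


if __name__ == "__main__":
    learned = build_allow_list(BASELINE)
    for row in compare_policies(NEW_TRAFFIC, learned):
        print("src=%s dport=%d blacklist=%s whitelist=%s" % row)
```

The third flow is the interesting one: a workstation talking to another workstation on port 445 with a client fingerprint nobody has seen. The blacklist has no entry for it and lets it through; the whitelist has no matching profile and diverts it to the sandbox, which is exactly the difference the article is pointing at for malware that evolves faster than signatures do. The cost, also noted above, is that every legitimate new profile must be baselined or approved before it is allowed.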

One thing is clear: The current strategy needs to change. The focus on prevention and detection has left enterprises in a vicious circle trying to keep up with known attacks while new ones are constantly unleashed. What’s more—and perhaps as a result of team resources being diverted in this way—basic housekeeping measures are not being carried out, further compromising networks. Isn’t it time organizations examined how data forensics could help them in the fight against malware?

Doug Roberts

Doug Roberts is the Vice President and General Manager for the Enterprise and Cloud Business Unit at Viavi Solutions, instrumental in developing the next generation of network and application performance products for the company. He brings more than 23 years of IT experience to Viavi’s leadership team, having served in various technical management, business transformation, and product innovation roles. Prior to joining Viavi, Roberts was Associate Vice President, Enterprise Products, at Netscout. Roberts concluded his undergraduate work in both Computer Engineering and Business Management at The Georgia Institute of Technology and Mercer University. He also holds an MBA from Mercer University, and is completing his PhD work through the University of Liverpool.
