Network traffic analysis for incident response

Introduction

Sophisticated cybercriminals understand the techniques and tools that they need to employ to move undetected throughout a victim network until they are able to find their intended targets. From their initial point of entry through to their privilege escalation and finally to exfiltrating their bounty, attackers know how to blend their activity in with legitimate traffic. 

In their wake, organizations are left performing incident response and forensic investigations to understand how the attack unfolded, and today any such investigation involves a network traffic analysis component. Skipping it is like the police failing to review security camera footage when tracking down a criminal. In other words, if one knows where and how to search, network traffic often provides a unique view into the incident: it supplies evidence, uncovers the footprint of the attackers and reveals the extent of the damage that was caused.

Network traffic analysis and incident response

Previously, when networks spanned only a few physical locations and connected dozens, if not hundreds, of hosts, enterprises could examine and analyze the data travelling between them without much of a challenge. Today, networks have grown to such a scale that identifying which endpoints are vulnerable, which connections are questionable and which activity is threatening has become so complex that an entire discipline was born: network traffic analysis.

As attacks have evolved, so too has network traffic analysis, forming its own key role among incident response and investigative activities and bringing with it a suite of commercial and open source tools. An enterprise’s ability to use the data from all kinds of network devices and these tools — to identify attacks, piece together evidence of a breach, and identify the vector and possibly even the criminal — is key to being able to address the threats of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Patrick Mallory. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/X2djmKigFa8/