10 - Network Forensics
Class: CYBR-405
Notes:
Module Objectives
By the end of this module, you should be able to:
- Describe network forensics
- Explain the process of a network investigation
- Use network forensics tools
- Describe virtual network forensics
- Describe how to research and investigate types of attacks
Network Forensics Overview
- Network forensics is the process of collecting and analyzing raw network data and tracking network traffic
- The purpose is to ascertain how an attack was carried out or how an event occurred on a network
- Intruders leave a trail behind
- Knowing your network's typical traffic patterns is important in spotting variations in network traffic
- Locard's Exchange Principle (Dr. Edmond Locard (1877-1966) was a pioneer in forensic science who became known as the Sherlock Holmes of Lyon, France.)
- It can also help you determine whether a network is truly under attack
- Vulnerabilities can come from a variety of issues, including the following:
- Misconfigured servers
- Open ports - particularly port 23, the default port for Telnet
- Settings and validation options used when installing additional servers, such as a database server
- Auditing network logs is the key to network forensics
- Tools that can digest large volumes of data are needed
Notes:
- Port: entry/exit point for information
- Most programs run on certain ports by default
- How many ports are there? around 65000
- 0 - 1024 are restricted ports, after that we can start picking and choosing ports
Network Forensics Standard Procedures
- Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion
- It is essential to ensure that all compromised systems have been found, brought offline, and restored as quickly as possible
- Procedures must be based on an organization's needs and complement the network infrastructure
- NIST created the "Guide to Integrating Forensic Techniques into Incident Response" (NIST SP800-86) to address these needs
Securing a Network
- A layered network defense strategy sets up layers of protection to hide the most valuable data at the innermost part of the network
- Defense in depth (DiD) is a similar approach developed by the NSA
- DiD has three modes of protection:
- People
- Technology
- Operations
Developing Procedures and Models for Network Forensics
- Network forensics can be a long, tedious process
- A standard procedure often used in network forensics is as follows:
- Attempt to retrieve all volatile data (e.g. memory)
- Acquire all compromised drives and make a forensic image of each
- Fix any vulnerability as quickly as possible after an attack
- Compare files on the forensic image to the original installation image and exclude any that are unchanged.
- Also: start looking at log files
- In digital forensics
- You can work from the image to find most of the deleted or hidden files and partitions
- In network forensics
- You have to restore the drive to see how malware on the system works
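The step "compare files on the forensic image to the original installation image and exclude any that are unchanged" in working form, as an added example that is not from the course or textbook: it hashes both trees and reports only modified, added and removed files. The two directory trees are constructed samples written to temporary directories.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file (path relative to root, '/' separated) to its SHA-256 digest."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_images(baseline_root, image_root):
    """Files on the acquired image that differ from the clean install; unchanged files are excluded."""
    base, img = hash_tree(baseline_root), hash_tree(image_root)
    return {
        "modified": sorted(p for p in img if p in base and img[p] != base[p]),
        "added": sorted(p for p in img if p not in base),
        "removed": sorted(p for p in base if p not in img),
    }

def write_tree(root, files):
    """Materialize a {relative_path: bytes} dict under root (used to build the samples)."""
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

def demo():
    """Constructed sample: a clean install image and a compromised image of the same host."""
    clean = {"bin/ls": b"ls v1", "etc/passwd": b"root:x:0:0", "etc/hosts": b"127.0.0.1 localhost"}
    compromised = {"bin/ls": b"modified ls", "etc/passwd": b"root:x:0:0", "tmp/.cache/unknown.bin": b"\x7fELF"}
    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as img:
        write_tree(base, clean)
        write_tree(img, compromised)
        return diff_images(base, img)
```

The unchanged etc/passwd does not appear in the result, which is what shrinks the review set on a real image.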
Effectively Reading Network Logs
- Network logs record traffic in and out of a network
- Network servers, routers, and firewalls record activity and events that move through them
- The tcpdump command and Wireshark are good tools for examining network traffic
- Wireshark can generate top 10 lists of websites visited as well as the top 10 internal users
- Network logs can identify patterns, such as an employee transmitting data to or from a particular IP address frequently
Exploring Common Network Forensics Tools
- A variety of tools are available for network administrators to perform remote shutdown, monitor device use, and more
- Examples of network forensics tools include the following:
- Splunk
- Spiceworks
- Nagios
- Cacti
Packet Analyzers
- A packet analyzer is a device or software that monitors network traffic
- Most tools follow the pcap (packet capture) format
- Some packets can be identified by examining the flags in their TCP headers
- To take advantage of the strengths of different tools, many investigators do a capture with tcpdump and then analyze the capture in Wireshark
- Other network forensics tools include the following:
- Tcpslice
- Tcpreplay
- Etherape
- Netdude
- Argus
Notes:
- Unit42 is Palo Alto's Hacking community: https://unit42.paloaltonetworks.com/using-wireshark-display-filter-expressions/
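An added example (not from the course material) of what "examining the flags in their TCP headers" looks like on a pcap file: a minimal parser for the pcap global and record headers plus Ethernet/IPv4/TCP, and a check that reports sources sending SYN-only segments to many distinct ports, the trace a port scan leaves. The capture is constructed in the block itself; the builder functions exist only to produce that sample.

```python
import struct

# Flag bits in the TCP header flags byte (offset 13 of the TCP header)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK"}

def build_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame with no payload (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    """Wrap frames in a little-endian pcap file: 24-byte global header, 16-byte record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src, dst, sport, dport, flag_names) for every TCP packet in a pcap byte string."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        frame = data[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:  # IPv4 + TCP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield src, dst, sport, dport, {n for bit, n in TCP_FLAGS.items() if tcp[13] & bit}

def syn_scan_sources(data, min_ports=5):
    """Sources that sent SYN-only segments to at least min_ports distinct ports."""
    ports = {}
    for src, _, _, dport, flags in parse_pcap(data):
        if flags == {"SYN"}:
            ports.setdefault(src, set()).add(dport)
    return {s: len(p) for s, p in ports.items() if len(p) >= min_ports}

# Constructed sample capture: one host probing ten ports, plus one normal SYN/ACK reply
SAMPLE = build_pcap(
    [build_frame("10.0.0.5", "10.0.0.9", 40000 + p, p, 0x02) for p in range(20, 30)]
    + [build_frame("10.0.0.9", "10.0.0.7", 443, 51000, 0x12)])
```

The same parse_pcap() output can be fed into a per-IP counter to spot the "employee transmitting data to a particular IP address frequently" pattern from the network-logs section.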
Intrusion Detection and Intrusion Prevention Tools
- Snort is one of the more powerful network tools
- It is an intrusion detection and intrusion prevention tool that can also be used for network forensics
- It is Linux based and open source
- Snort looks at incoming packets and compares them against set rules
- It also looks for malware, does network analysis, and inspects for port scanners
- Snort has three modes: sniffer, packet logger, and intrusion detection
Researching and Investigating Types of Attacks
- The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network attackers
- Provides information about attack methods and how to protect against them
- Objectives are awareness, information, and tools
- A distributed denial-of-service (DDoS) attack is one in which online machines are used without their owners' knowledge
- Hundreds or even thousands of machines (zombies) can be used in a DDoS attack
- Zero-day attacks are another major threat
- Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
- A honeypot is a computer, set up to look like any other machine on a network, that lures attackers to it
- A honeywall is a computer set up to monitor what is happening to honeypots on your network and record what attackers are doing
- Honeypots and honeywalls are used to attract intruders and see what they are attempting to do on a network
Notes:
- A honeypot is sweet and juicy for attackers
- It is a very good tool to see what people are doing and how they are trying to attack your network
- Zero-day attack: A vulnerability that has not been disclosed yet (the owner does not know about it)
Common Vulnerabilities
- SQL Injection
- Username: johndoe'; DROP TABLE users; --
- Buffer Overflow
- Usually when you use C or C++ on the backend
- Rust is a little bit safer
- Source Code Vulnerabilities
- Outdated or Unpatched Software
- Security Misconfigurations
- Broken/Weak Authentication
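The SQL injection item above, shown as the vulnerable query beside its fix, as an added example that is not part of the notes: with string concatenation the username from the notes becomes SQL and the users table is dropped; with parameter binding it is just a value that matches no row. sqlite3's executescript() stands in for a driver that accepts stacked statements (an assumption made for the demonstration).

```python
import sqlite3

# The injected username from the notes (constructed input, not captured data)
INJECTED_USERNAME = "johndoe'; DROP TABLE users; --"

def setup_db():
    """In-memory database with one users table and one legitimate row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT)")
    db.execute("INSERT INTO users VALUES ('johndoe')")
    return db

def lookup_vulnerable(db, username):
    """String-built query: the input becomes part of the SQL text.
    executescript() stands in for a driver that runs stacked statements (assumption)."""
    sql = f"SELECT name FROM users WHERE name = '{username}'"
    db.executescript(sql)   # closing quote ends the literal, DROP TABLE runs, -- comments out the rest
    return sql

def lookup_safe(db, username):
    """Parameterized query: the input is bound as a value and never parsed as SQL."""
    return db.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()

def users_table_exists(db):
    """True while the users table still exists in the schema."""
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='users'").fetchone()
    return row[0] == 1
```

Input validation on the username is a second layer, but parameter binding is the control that removes the injection itself.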