Chapter 11: Networks




OVERVIEW

As information systems become cheaper and cheaper, companies are rapidly automating not only their overhead processes, such as purchasing, payables, hiring, and payroll, but also their value-adding processes, such as marketing and sales. The result of this rush to automate and, with the explosion of the Internet, a rush to publish, is the highest level of dependency on information systems that corporate America has ever seen. With this dependency comes a vulnerability: The ability of corporations to conduct their business now depends on technology that was designed to be as open as possible and that only a minority of engineers and scientists understand.

Netted out, what managers need to do is put barriers in place that deter external and internal perpetrators from attacking their systems. The first step is to analyze corporate resources for known vulnerabilities: systems need to be checked to confirm that they are correctly configured and have the most up-to-date security patches in place. This is what security scanners do. Next, one needs to learn the perpetrators’ methods of operation and raise an alert when those methods are sensed. This is what intrusion detection systems do. Next, one needs a mechanism to filter out suspected malicious activity once it has been identified. This is what firewalls do. However, even with all of these systems in place, there remains a vulnerability to attacks that use new or previously unknown methods.

What current Intrusion Detection Systems (IDS) do is monitor the network and watch for specific patterns. Once a pattern is recognized, the IDS can alert the systems administrator, close the connection via the firewall, or record the activity for further analysis. However, if an attacker uses a method not previously known to the IDS, the attack passes unnoticed: the corporate Web site is defaced, employee records are retrieved, or client lists are extracted. When the malicious act is finally discovered, the questions that immediately come to mind are: How did they do this? And sometimes: What did they do?

This chapter introduces a solution to this dilemma: network forensics. Network forensics is the practice of reconstructing the activities leading up to an event and determining the answers to “What did they do?” and “How did they do it?” Instead of matching observed activity on a LAN against a database of known patterns of malicious intent, a network forensics system records all activity on the LAN and provides centralized tools to analyze it both in real time, for surveillance, and historically, for damage assessment and prosecution. Because the recording is done on the network rather than on the target host, an attacker who compromises a host cannot disable or tamper with it: if a resource is reachable via the LAN for exploitation, the traffic to it is observable by a network forensics agent (provided the agent is positioned where it actually sees that traffic and can interpret it, which encryption may prevent).
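The contrast drawn above between pattern matching and full recording is easy to see in code. The following is an added example, not code from the book or from any product it describes: a toy signature IDS and a toy full-capture forensic store run over the same constructed set of flow records. The addresses, payloads, signature names and helper functions (`ids_alerts`, `reconstruct`, `investigate`, and the rest) are all assumptions made for illustration. The IDS fires once, on a probe whose pattern it knows, and stays silent on the upload that actually compromises the host; the recorded traffic still lets an analyst answer who, how, and what afterwards.

```python
# Added example (not from the book): a toy signature IDS beside a toy
# full-capture forensic store, both run over constructed flow records.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class FlowRecord:
    ts: int        # seconds since capture start (constructed)
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed sample traffic. Addresses and payloads are illustrative only.
WEB, DB, ATTACKER = "10.0.0.5", "10.0.0.9", "203.0.113.7"
CAPTURE: List[FlowRecord] = [
    FlowRecord(100, "10.0.0.23", WEB, 80, b"GET /index.html HTTP/1.1"),
    # Matches a signature the IDS already knows:
    FlowRecord(105, ATTACKER, WEB, 80, b"GET /cgi-bin/../../etc/passwd HTTP/1.1"),
    # Novel method: a web-shell upload for which no signature exists:
    FlowRecord(110, ATTACKER, WEB, 80,
               b"POST /upload.php HTTP/1.1\r\n\r\n<?php system($_GET['c']); ?>"),
    FlowRecord(112, ATTACKER, WEB, 80, b"GET /uploads/x.php?c=id HTTP/1.1"),
    # The victim reaches into the database right after the shell is exercised:
    FlowRecord(115, WEB, DB, 3306, b"SELECT name, email FROM clients"),
    FlowRecord(118, ATTACKER, WEB, 80, b"GET /uploads/x.php?c=cat%20clients.csv HTTP/1.1"),
    FlowRecord(130, "10.0.0.44", WEB, 80, b"GET /about.html HTTP/1.1"),
]

# The IDS knows only what someone has already written a pattern for.
SIGNATURES: Dict[str, bytes] = {
    "dir-traversal": b"../..",
    "windows-shell-probe": b"cmd.exe",
}


def ids_alerts(records: Iterable[FlowRecord]) -> List[Tuple[int, str, str]]:
    """Signature matching: (ts, src, signature) for each record hitting a known
    pattern. Anything not in SIGNATURES passes silently; that is the blind spot."""
    return [(r.ts, r.src, name)
            for r in records
            for name, pat in SIGNATURES.items()
            if pat in r.payload]


def reconstruct(records: Iterable[FlowRecord], victim: str,
                event_ts: int, window: int) -> List[FlowRecord]:
    """Forensic replay: every recorded flow touching `victim` in the `window`
    seconds up to `event_ts` (when the compromise was noticed), in time order."""
    return sorted((r for r in records
                   if victim in (r.src, r.dst) and event_ts - window <= r.ts <= event_ts),
                  key=lambda r: r.ts)


def external_sources(timeline: Iterable[FlowRecord],
                     internal_prefix: str = "10.0.0.") -> List[str]:
    """'Who?': distinct sources in the timeline that are not on the internal network."""
    return sorted({r.src for r in timeline if not r.src.startswith(internal_prefix)})


def activity_of(records: Iterable[FlowRecord], host: str) -> List[FlowRecord]:
    """'What did they do?': everything `host` sent, in order."""
    return sorted((r for r in records if r.src == host), key=lambda r: r.ts)


def outbound_after(records: Iterable[FlowRecord], victim: str, since_ts: int) -> List[FlowRecord]:
    """'What did they reach?': flows the victim itself initiated after `since_ts`,
    which exposes second-hop access such as a database read."""
    return sorted((r for r in records if r.src == victim and r.ts >= since_ts),
                  key=lambda r: r.ts)


def investigate(records: List[FlowRecord], victim: str,
                event_ts: int, window: int) -> Dict[str, object]:
    """Tie the pieces together into the answers an analyst wants after the fact."""
    timeline = reconstruct(records, victim, event_ts, window)
    suspects = external_sources(timeline)
    first_contact = min((r.ts for r in timeline if r.src in suspects), default=None)
    return {
        "ids_alerts": ids_alerts(records),
        "suspects": suspects,
        "first_contact_ts": first_contact,
        "attacker_requests": [r.payload.split(b"\r\n")[0].decode()
                              for s in suspects for r in activity_of(timeline, s)],
        "victim_outbound": [(r.dst, r.dport, r.payload.decode())
                            for r in outbound_after(timeline, victim, first_contact or event_ts)],
    }


if __name__ == "__main__":
    from pprint import pprint
    # Compromise noticed at t=120; replay the 20 seconds leading up to it.
    pprint(investigate(CAPTURE, WEB, event_ts=120, window=20))
```

Running it shows the IDS produced a single alert, for the traversal probe at t=105, and nothing for the upload at t=110 that planted the shell. The replay from the capture store nonetheless names the external source, dates its first contact, lists the four requests it made (including the upload and the commands run through the shell), and shows the victim's own query to the database that followed, which is the evidence needed for both damage assessment and prosecution.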

Now, let’s take a look at a network forensics scenario: What do you do when a high-profile computer system has been compromised?






Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
