What is network forensics?
Taking a closer look at how cyber threats are investigated at a network level
With the frequency and severity of cyber incidents on the rise, organisations need to step up both their day-to-day security efforts and their wider strategies. While responding to hacking threats when they do occur is essential, in today's age it's not good enough to rely on a purely reactive approach.
One of the key routes to infiltrating organisations and compromising sensitive data is through breaching a network. Given that cyber attacks are likely, if not inevitable, safeguarding the infrastructure that makes up the network is vital to protecting your business from attack. Specifically, at some stage your systems are more likely than not to face repeated attempts at data theft, or to be flooded with traffic intended to take your web services offline.
Adopting a strategy that's fool-proof and considered, and routinely reviewing and updating security practices, will go a long way towards ensuring your defences are up to scratch, and that a network is as safeguarded as possible. This first layer of defence is essential, as overcoming this barrier could lead to an attacker spreading through the network, to individual endpoints or localised storage systems.
In the event an attack against your organisation lands successfully, it's important to conduct an assessment as to how it happened, the potential culprits, why the defences and protections were breached, as well as the scale of damage caused. It's also important to understand what lessons your organisation can take from the incident, and how to successfully prevent such an attack next time.
It is here that network forensics comes into play, helping IT teams and cyber security experts discover vulnerabilities in their organisation's network and, ultimately, in the IT infrastructure as a whole.
What is network forensics?
Essentially, network forensics is a sub-branch of digital forensics - itself a branch of forensic science - whereby experts and law enforcement examine technology or data that may contain evidence of a crime, attribute evidence to suspects, cross-reference statements or check alibis.
Network forensics, unsurprisingly, refers to the investigation and analysis of the traffic crossing a network suspected of being used in cyber crime, such as the spread of data-stealing malware, or of being the target of a cyber attack.
Law enforcement will use network forensics to analyse traffic data harvested from a network suspected of being used in criminal activity or a cyber attack. Analysts will search for data that points towards human communication, manipulation of files, and the use of certain keywords, for example.
With network forensics, law enforcement and cyber crime investigators can track communications and establish timelines based on network events logged by network control systems.
Outside of criminal investigations, network forensics is commonly used to analyse network events in order to track down the source of hacking attacks and other security-related incidents.
This can involve looking at suspect areas of the network, collecting information on anomalies and network artefacts, and uncovering incidents of unauthorised network access.
There are two overarching methods of network forensics. The first is the "catch it as you can" method, which involves capturing all network traffic for later analysis; this can be a long process and requires a lot of storage.
The second is the "stop, look and listen" method, which involves analysing each data packet as it flows across the network and only capturing what is deemed suspicious and worthy of extra analysis; this approach can require a lot of processing power but does not need as much storage space.
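The following added example (not from the original article) contrasts the two methods above, and also shows the keyword search and timeline reconstruction mentioned earlier: it runs a small set of constructed packets through a full capture and through a selective "stop, look and listen" capture that stores only packets it can give a reason for, then orders the flagged packets by time. The internal address range, the keyword list, the set of expected ports and the outbound size limit are all assumptions for the demonstration.

```python
from dataclasses import dataclass
# Constructed sample packets (not a real capture): timestamp, source, destination, port, payload
@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes

SAMPLE = [
    Packet(1.0, "10.0.0.5", "10.0.0.20", 443, b"GET /index.html"),
    Packet(2.0, "10.0.0.5", "198.51.100.7", 4444, b"beacon id=7"),
    Packet(3.0, "10.0.0.9", "10.0.0.20", 445, b"password=hunter2"),
    Packet(4.0, "10.0.0.5", "198.51.100.7", 443, b"x" * 5000),
    Packet(5.0, "10.0.0.9", "10.0.0.20", 443, b"GET /style.css"),
]

INTERNAL_PREFIX = "10.0.0."            # assumed address range of the monitored network
KEYWORDS = (b"password", b"passwd")    # assumed keywords an analyst is searching for
EXPECTED_PORTS = {53, 80, 443, 445}    # assumed set of ports normally seen on this network
OUTBOUND_LIMIT = 4000                  # assumed payload size above which an outbound packet is unusual

def catch_it_as_you_can(packets):
    """Full capture: keep every packet. Trivial to decide, but storage grows with all traffic."""
    kept = list(packets)
    return kept, sum(len(p.payload) for p in kept)

def suspicious(p):
    """Inspect one packet; return a reason string if it merits capture, otherwise None."""
    if p.dport not in EXPECTED_PORTS:
        return f"unexpected destination port {p.dport}"
    if any(k in p.payload.lower() for k in KEYWORDS):
        return "credential keyword in payload"
    outbound = p.src.startswith(INTERNAL_PREFIX) and not p.dst.startswith(INTERNAL_PREFIX)
    if outbound and len(p.payload) > OUTBOUND_LIMIT:
        return f"large outbound transfer ({len(p.payload)} bytes)"
    return None

def stop_look_listen(packets):
    """Selective capture: inspect every packet but store only flagged ones, with the reason."""
    kept = []
    for p in packets:
        reason = suspicious(p)
        if reason:
            kept.append((p, reason))
    return kept, sum(len(p.payload) for p, _ in kept)

def timeline(flagged):
    """Order flagged packets by time so the sequence of events can be reconstructed."""
    return [(p.ts, p.src, p.dst, r) for p, r in sorted(flagged, key=lambda e: e[0].ts)]
```

Full capture keeps all five packets; selective capture keeps the three it can justify, each tagged with the reason an analyst would want recorded.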
Network forensics is harder to carry out than computer forensics: network data is often transmitted across the network and then lost, whereas in computer forensics the data is more often kept on disk or solid-state storage, making it easier to obtain.
It is worth noting that privacy and data protection laws restrict some active tracking and analysis of network traffic without explicit permission, so if you are planning to apply network forensics tools, be aware that you must comply with privacy laws.
Network forensics can also be used in a proactive fashion to dig out flaws in networks and IT infrastructure, thereby giving IT administrators and information security officers the scope to shore up their defences against future cyber attacks.