Network Forensics - by Markus Winkler

Last updated: July 26, 2022

A white paper for IT executives and managers

Corporate networks are changing. They’re becoming faster than ever and are central to every business. However, they’re also more vulnerable to attacks. IT managers need to make strategic decisions about which network and security technologies to focus on to ensure comfortable and secure business operations.

This white paper introduces the technologies and practices used by network forensics and explains why they’re now indispensable, especially for companies moving to networks of 10G or faster.

Summary

In recent years, three major changes have taken place in corporate networks. They’re faster than ever before and have many more connected devices, which is partly because many employees carry multiple mobile devices with them.


Most of all there’s more network traffic than ever due to rich media such as VoIP and video, which are extremely sensitive to network delays.

In addition to the higher speed and number of connections and voice and video requirements, protecting networks and troubleshooting network problems has become more difficult. This is partly because today’s networks are 10G¹ or faster, which means they can easily carry too much data. Therefore, traditional tools for network monitoring and troubleshooting can’t collect and analyse reliable data.

To overcome this, analysis tools often rely on traffic samples and generalised statistics. Unfortunately these samples and statistics lack essential details and don’t have the corroboratory information that’s critical for IT professionals to quickly resolve IT problems and evaluate attacks.

Network outages are costly. Approximately half of all organisations report that troubleshooting performance problems takes on average an hour. Taking into account all the financial aspects, all these 1 hour periods cost a company about 4,320,000 US Dollars.²

Expensive downtime is not the only problem. An “opaque” network weakens an organisation’s protective IT mechanisms, especially when attacks penetrate internal networks and steal confidential data. Privacy violations encourage fraud and damage reputation, leading to a company losing millions in fines and losing their competitive advantage.

The only way for companies to make their vulnerable networks fast and transparent again is by using network forensics. Network forensics records, stores and analyses network traffic, providing a complete record of network communications. It also provides powerful search and analysis tools to evaluate traffic and obtain critical information that’s been stored.

Network forensics provides companies with the following important benefits:

  • Faster problem solving, reducing downtime and increasing employee productivity
  • Faster identification and resolution of security incidents
  • Better use of network resources through better reports and planning
  • Thorough search for traces of evidence on the network
  • Carries out a system analysis after a hack or cyber attack

Leadership teams must understand that network forensics has become an indispensable IT skill, which must be in place for each network. It ensures complete, around the clock transparency for business operations and network performance at each point.


1 10G is 10 gigabits per second, which corresponds to approximately 1.25 GB/s or ten times the amount of data that “fast” networks were carrying about 10 years ago.
2 TRAC Research

Introduction

We created this whitepaper to provide business and IT decision-makers with a clear and precise insight into some important aspects of today’s business networks. It’s also intended to support the role of network forensics in understanding how to deal with network security and availability problems.

First, let’s look at corporate networks.

Modern Corporate Networks

To what extent do today’s networks differ from those that were around just a few years ago? There are three main differences, as today’s networks are:

  • Faster than ever
    For several years now, companies have been expanding their networks by purchasing network ports, routers and other devices to support an exponentially growing, larger bandwidth. Just a few years ago, 1G networks were the norm. Now, most companies are investing in 10G networks: a total of 75% of all high-speed port (10G+) purchases are 10G. The rest is split between 40G, 100G, 200G and 400G ports.
  • More devices and devices of different types are connected
    Ten years ago, mostly desktop PCs and servers were connected to corporate networks. In the current era of BYOD (Bring Your Own Device), almost all employees carry mobile devices. And these are not just one or two. In 2012, the average number of these devices per user was already 2.9.³
    Traffic to and from the desktop PC has now become traffic to and from a smartphone, a tablet and a notebook using different operating systems (usually a combination of Windows, OS X, iOS and Android). Normally, all these devices also access public networks such as WiFi hotspots.
    At the end of 2021, the share of mobile devices in internet traffic was already 54% and has risen to 59% by Q2 2022. PCs are thus now in the minority.⁴
  • Rich media transfer
    Video content now accounts for more than 75% of total internet traffic and various forecasts predict a further increase in the coming years. YouTube is the second largest search engine worldwide and young people are increasingly using TikTok to search for information.⁵

3   http://nakedsecurity.sophos.com/2013/03/14/devices-wozniak-infographic/
4   https://www.statista.com/statistics/277125/share-of-website-traffic-coming-from-mobile-devices…
5   https://petapixel.com/2022/07/13/google-says-young-people-using-instagram-and-tiktok-to-search/

The 3 Major Problems

The company’s IT is more impressive and more powerful than ever. 1G, 10G and faster networks transmit rich media, web services and more, allowing us to connect to the company data and with colleagues using smartphones, tablets and notebooks. 

However, managers including IT managers have to deal with three major problems associated with these fast, hyper-connected networks.

The Cost of IT Failure

Network problems and failures can be extremely expensive for businesses using networks. Increasing the network speed makes it harder to monitor traffic and also increases the amount of traffic that can be affected by a failure.

Consider the MTTR (Mean Time to Resolution or average time to solve problems) that is specified by most IT organisations according to a TRAC research survey:

  • 48% of all companies need more than 60 minutes per case to diagnose network problems.
  • Companies suffering a network outage lose on average 72,000 dollars per minute.
  • When a network problem causes a failure, this along with finding a solution takes up an hour and the company concerned loses an average of 4,320,000 US dollars. Even if it only costs half this amount, considering the productivity lost and other effects, this is a good reason why many IT organisations look for better ways to solve network problems.

Companies lose an average of 72,000 dollars per minute when they experience a network failure, according to TRAC Research.

Increasing security threats

About a decade ago, the most common security threats to networks were masses of spam and malware in the form of worms and ransomware, which overloaded networks or brought IT operations to a complete standstill.

Today the threats are much more subtle, more sophisticated and more dangerous by far. Instead of simply interrupting services or sending advertisements for dodgy pharmaceuticals, attacks now focus on an undetected intrusion into networks, spending days or weeks picking up data such as product plans or customer data. This data is then exfiltrated slowly and steadily in small doses to an external data centre, which can be anywhere abroad. Modern attackers won’t settle for mere “cyber vandalism”. Instead they try to steal intellectual property that can be sold on the black market and confidential information that’s useful for identity theft and financial fraud.

Recent statistics⁶ paint a gloomy picture of IT security:

  • Cybercrime rose 600% due to the COVID-19 pandemic.
  • It is estimated that, worldwide, cyber crimes will cost $10.5 trillion annually by 2025.
  • On average, a malware attack costs a company over $2.5 million (including the time needed to resolve the attack).
  • Ransomware was 57x more destructive in 2021 than it was in 2015.
  • Over 66% of all SMBs in the US had at least 1 incident between 2018 and 2020.
  • The average cost of a data breach to a small business can range from $120,000 to $1.24 million.
  • Over 50% of all cyber attacks are aimed at SMBs.

How can IT organisations obtain the detailed information that improves network analysis and problem solving, so that problems can be quickly detected and eliminated and vulnerabilities closed? If summary statistics are unable to provide the information needed for detailed analysis, what type of solution can do this? The answer is network forensics.

According to Verizon’s Data Breach Investigations Report, in 66% of cases it took months or even longer to discover an intrusion.
IT organisations seem to be missing the tools needed to adequately investigate and suppress these types of threats and to limit their cost to the company, including the risk of losing competitive advantage.

6   https://purplesec.us/resources/cyber-security-statistics/…

Poor Visibility

Ironically, just when companies are investing more than ever in their networks, most IT organisations don’t have a complete insight into their network activity. They can still use overview statistics based on general trends and application flows. However, they can’t delve into the details needed to deal with problems or to detect security breaches.

The problem can be traced back to the data rate. Most traditional network traffic monitoring tools that IT technicians have used so far for detailed IP packet analysis can’t keep up with traffic on high bandwidth networks of 10G and faster. This applies even when these networks are working at only half their theoretical capacity. Because they can’t keep up, they drop data packets, which distorts their reporting results.

Many IT departments are aware of these issues. In a recent study by TRAC Research, 59% of IT technicians who took part in a survey expressed concern that their network monitoring tools dropped packets instead of reliably recording high-speed traffic for analysis. 51% of all respondents also questioned the accuracy of the data provided by their network monitoring tool.

In conclusion, networks cost a lot more but the quality of IT is lacking

Poor visibility can have costly consequences for businesses. Limitations in network performance cause declining employee productivity. It can be difficult for IT technicians to optimise application services without sufficient network transparency.

Network Forensics: Transparency at Every Single Point in the Network at Any Time and at Any Speed

Network Forensics: A Definition

Network forensics is used to monitor high-speed networks, reducing network shortcomings and failures and providing evidence of attacks.

Companies need to drastically improve the transparency of their networks to:

  • Monitor and troubleshoot those networks that are 10G, 40G, 100G, 200G and 400G and are too fast for traditional monitoring tools.
  • Minimise costly performance limitations and network failures
  • Uncover covert attacks so that they can be understood and prevented.

To achieve this level of transparency, companies need to invest in network forensics.

Network forensics deals with network traffic recording, storage and analysis. A network forensics solution captures network traffic and stores it in a searchable repository. IT technicians use filters to browse through stored data, analyse it and identify anomalies. With the help of network forensics, IT security specialists can discover the cause of anomalies as well as their impact on IT services and equipment such as servers and databases.

You can compare network forensics to a time machine that can reproduce traffic so you can check and analyse it in detail, identify performance problems and discover the origins of attacks.

How far back can the time machine go? It depends on how much space you provide and how much bandwidth your network traffic has used. Best practice is to record data over several days so that an attack that began Friday night can still be identified on Monday morning and analysed in detail.

"Data packet monitoring provides definitive, comprehensive data performance results for network management and troubleshooting." 

– Jim Frey 
Managing Research Director 
Enterprise Management Associates, Inc.

The importance of data analysis at packet level

Network forensics provides you with more than just a simple summary overview of network events. It provides you with the actual traffic including each data packet that’s crossed the network. This is achieved using a variety of tools and filters so that you can explore data using different methods and accurately identify important data packets.

Application scenarios for network forensics

Using LiveAction (formerly Savvius/Wildpackets) network forensics you can perform various types of forensic examinations:

  • Network Performance Benchmarking for detailed reports on network performance, business activities, resource allocation and other purposes.
  • Network Troubleshooting for solving various network problems, particularly those that occur sporadically.
  • Transactional analysis to provide the “ultimate audit trail” across all types of connections, including Web and database. When server logs and other server-based evidence provide insufficient data to classify a transaction, network forensics helps an IT technician to find and study the precise content and time of a suspicious connection.
  • Security analysis allows security officers and IT security staff to detect and limit any damage if an attack overcomes a network’s security. Network forensics allows the person in charge of the investigation to find evidence of an attack and determine its impact on IT resources.

Performance analysis and troubleshooting

  • Recording and analysing sporadic network problems
  • Correcting previous problems that have occurred hours or days earlier
  • Finding patterns that are overlooked during ad hoc or reactive troubleshooting

Transactional Analysis

  • Creates the ultimate audit trail for transactions – not only server activity but all client and server business transactions
  • Resolves the transaction problems that can’t be found in the server log

Attack Analysis

  • Flags up attacks whether they’ve just started or took place days ago so your IT technicians and privacy teams can understand them and stop them.
  • Puts filters in place to isolate malicious behaviour
  • Provides your IT network team with a powerful incident response tool

Case Study: The use of network forensics to reveal an attack

This is a true story about network forensics and how it helped a company’s IT team to determine the scope and modus operandi of an attack.

A network security tool showed some unusual activity on a server, triggering an alarm. The IT team investigated and found the server had been compromised by an attack. Unfortunately the security tool wasn’t able to provide any further information about the attack, such as the perpetrator and what other systems could still be affected. This superficial type of alarm is quite common. The security tool did detect an anomaly, but to fully understand what kind of attack it was and what its goal had been, the IT technicians needed to investigate the incident in more detail.

The team used its network forensics system to carry out research using the traffic recordings before, during and after the attack. Using a dashboard (in this case LiveAction Compass), the team noticed that shortly after the attack began, the compromised system showed a peak in CIFS traffic. (CIFS, the Common Internet File System, is a network protocol used by Windows-based computers to manage access to files and printers.) To learn more about the systems involved in the CIFS peak, the team opened a peer map, which is a graphical representation of all recorded network communication that took place during the period in question.

The peer map confirmed that the compromised server had communicated with various other systems.

Figure 1. A peer map represents all network communications over a specified time frame.

Next, the team filtered traffic to only show communications coming from the compromised server. This allowed them to identify three further systems that the compromised server had communicated with after the attack.

Figure 2. The filters within the peer map made it easy to determine the addresses of the systems with which the compromised server had communicated. Network forensics provided critical information that had been overlooked by the security tools.

The IT team now knew which server to concentrate on to effectively curb the attack and find a remedy for its effects. In addition to quarantining and repairing the server that was attacked at the start, the team also quarantined three more infected servers.

Starting with a rather vague security alarm, the team were able to use network forensics to identify the systems that needed to be quarantined and where to concentrate to resolve the damage caused by the attack. Network forensics allowed the team to secure evidence from the attack and reproduce its impact.
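The two steps of the case study, finding the CIFS peak and filtering for traffic coming from the compromised server, can be reproduced on any flow export. The following is an added example, not part of the original white paper or of the LiveAction product; the flow records, addresses and alarm time are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

CIFS_PORT = 445  # SMB/CIFS over TCP

# Constructed flow records (time, source, destination, destination port, bytes).
# Addresses and times are invented for this example.
FLOWS = [
    ("2022-07-22 22:41:05", "10.0.5.20", "10.0.1.10", 443, 3_100),   # routine HTTPS
    ("2022-07-22 22:58:40", "10.0.7.77", "10.0.5.20", 445, 900),     # inbound CIFS
    ("2022-07-22 23:02:11", "10.0.5.20", "10.0.5.31", 445, 48_000),
    ("2022-07-22 23:02:37", "10.0.5.20", "10.0.5.32", 445, 51_500),
    ("2022-07-22 23:02:55", "10.0.5.20", "10.0.6.14", 445, 47_250),
    ("2022-07-22 23:03:20", "10.0.5.20", "10.0.5.31", 445, 12_000),
    ("2022-07-22 23:04:02", "10.0.9.9", "10.0.1.10", 445, 7_000),    # unrelated hosts
]
COMPROMISED = "10.0.5.20"                      # hypothetical server under investigation
ALERT_TIME = datetime(2022, 7, 22, 23, 0, 0)   # hypothetical time of the alarm


def parse_time(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def cifs_bytes_per_minute(flows, host):
    """Total CIFS bytes per minute sent or received by `host`."""
    buckets = defaultdict(int)
    for ts, src, dst, port, size in flows:
        if port == CIFS_PORT and host in (src, dst):
            buckets[parse_time(ts).replace(second=0)] += size
    return dict(buckets)


def peak_minute(buckets):
    """Return (minute, bytes) for the busiest minute, or None if there is no traffic."""
    if not buckets:
        return None
    minute = max(buckets, key=buckets.get)
    return minute, buckets[minute]


def peers_contacted(flows, host, since):
    """Peer-map filter: systems `host` sent traffic to at or after `since`."""
    peers = {}
    for ts, src, dst, port, size in flows:
        when = parse_time(ts)
        if src != host or when < since:
            continue
        entry = peers.setdefault(dst, {"bytes": 0, "ports": set(), "first_seen": when})
        entry["bytes"] += size
        entry["ports"].add(port)
        entry["first_seen"] = min(entry["first_seen"], when)
    return peers


if __name__ == "__main__":
    minute, volume = peak_minute(cifs_bytes_per_minute(FLOWS, COMPROMISED))
    print(f"CIFS peak: {minute:%H:%M} with {volume} bytes")
    for peer, info in sorted(peers_contacted(FLOWS, COMPROMISED, ALERT_TIME).items()):
        print(f"{peer}: {info['bytes']} bytes, ports {sorted(info['ports'])}, "
              f"first seen {info['first_seen']:%H:%M:%S}")
```

The peers returned by the filter are the candidates for quarantine and closer inspection; traffic recorded before the alarm time is deliberately excluded so that routine connections do not hide them.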

A checklist for network forensics solutions

Solution components

A network forensics solution normally consists of:

  • A Network TAP, where data is mirrored without disturbing the active network. A network TAP copies the data and is invisible to attackers on the network because it operates on OSI Layer 1. What’s more, using a TAP ensures data integrity.
  • A network capture appliance, a capture application to accurately record network data, ideally equipped with an FPGA network card and a timestamping function with an accuracy of more than 10 ns.
  • A network analyser, a powerful software application that provides search, filter and analysis tools for recorded traffic. Ideally, a network analyser should be able to export the data for reporting purposes and help various IT experts to liaise in network performance or security problem solving.

Many manufacturers offer a combination of a network capture appliance and network analyser in a single piece of hardware. A network TAP should be added to these to ensure the data for analysis is intact.

Network Forensics and Data Capturing
Use Case: Network TAP, Network Packet Broker and Network Forensics Appliance

The functionality of a network forensics solution

A network forensics solution must deliver powerful, accurate and cost-effective features for all aspects of network forensics:

  • Data recording: The solution should be able to record traffic (all data packets from all flows and all network protocols, not just summary statistics) in a reliable way for speeds up to 20G, the equivalent of a 10G full-duplex connection. Above all data packets must not be lost and statistics must always be accurate, even if individual network segments are under high load. The solution should support multiple, parallel, individual data recordings that are triggered by policies, so that traffic is automatically recorded under certain conditions.
  • Data Storage: The solution must record traffic speeds up to 20G, the equivalent of a 10G full-duplex connection without any losses. As the data is written to the storage media no data packets can be dropped, even if individual network segments are working to capacity. The system should be easily scalable, supporting hundreds of terabytes of stored traffic. It should also support the ad hoc use of external storage systems, such as SANs or JBODs.
  • Fast data analysis: Easy-to-use and intuitive search and filter tools are indispensable. Capturing and storing data is meaningless if the IT technician can’t browse through this data (which is likely to be hundreds of terabytes) quickly and efficiently in order to identify the causes of problems, uncover attacks and perform other forensic investigations.

Best practices

Network forensics provides your IT team, your HR department and your legal and compliance departments with extensive evidence to investigate anomalies and manage crises. When you adhere to the best practices below you can ensure your organisation gets the maximum benefit from network forensics.

Best Practice Tip # 1: Use a network recorder that can record your network traffic reliably over several days

It’s a good idea to benchmark a network recorder before you use it. Some manufacturers promise high-speed performance but fail when it comes to reliably recording traffic at bandwidths of 10G or higher.

Best Practice Tip # 2: Record traffic across all locations

IT technicians should record traffic at all points, not only the network core, to help with network problem solving and improve network security and compliance. 
Consider a large company that fell victim to an attack at one of its branches. The attack spread from the branch office to headquarters. Without a detailed analysis of the traffic at the branch, the IT department wouldn’t be able to identify the source of the attack and take appropriate action to prevent further spread.

Best Practice Tip # 3: Record traffic around the clock

In addition to recording your traffic at all points, IT departments need to ensure that this is recorded without interruption around the clock, so that anomalies that have occurred outside of business hours can be examined.

Best Practice Tip # 4: Take baseline network performance measurements

To get a feel for the “normal state” of a network, an IT technician should take baseline measurements across the whole network for different types of network traffic, such as HTTP, VoIP and critical business applications. This should be done over typical periods of an hour, a day and a week.

Best Practice Tip # 5: Set filters to detect abnormal behaviour

In addition to continuous daily or weekly recording of entire network traffic, it may be helpful to set up secondary recordings to cover certain anomalies that may indicate a security breach. If there are none, there won’t be any alerts to trigger the secondary recording. However, if anomalies do occur, it’s useful for IT engineers and security experts to have evidence in a small capture file, containing precise and relevant data.
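Tips 4 and 5 fit together: the baseline defines “normal”, and the filter starts a secondary recording when traffic leaves it. The following is an added example, not part of the original white paper; the traffic figures are constructed, and the mean-plus-k-sigma limit with a floor is one simple choice of threshold, assumed here for illustration.

```python
from statistics import mean, pstdev

# Constructed baseline: megabytes seen in the same hour of the day on seven
# consecutive days, per traffic type. Values are invented for this example.
HISTORY_MB = {
    "HTTP": [820, 790, 845, 810, 805, 830, 800],
    "VoIP": [120, 118, 125, 122, 119, 121, 123],
    "CIFS": [60, 55, 58, 62, 57, 61, 59],
}


def build_baseline(history, k=3.0, min_sigma_fraction=0.05):
    """Return {traffic_type: (mean, upper_limit)}.

    upper_limit = mean + k * sigma. sigma is floored at a fraction of the mean
    so that a very flat baseline does not alert on trivial variation.
    k and the floor are tuning assumptions, not values from the white paper.
    """
    baseline = {}
    for traffic_type, samples in history.items():
        if len(samples) < 2:
            continue  # too little history to call anything "normal"
        avg = mean(samples)
        sigma = max(pstdev(samples), min_sigma_fraction * avg)
        baseline[traffic_type] = (avg, avg + k * sigma)
    return baseline


def secondary_capture_triggers(current, baseline):
    """Return [(traffic_type, reason)] for traffic that should start a secondary capture."""
    triggers = []
    for traffic_type, observed in sorted(current.items()):
        if traffic_type not in baseline:
            # Traffic of a type never seen during baselining is itself an anomaly.
            triggers.append((traffic_type, "no baseline for this traffic type"))
            continue
        avg, limit = baseline[traffic_type]
        if observed > limit:
            reason = f"{observed} MB exceeds limit {limit:.0f} MB (mean {avg:.0f} MB)"
            triggers.append((traffic_type, reason))
    return triggers


# Constructed measurement for the current hour.
CURRENT_MB = {"HTTP": 850, "VoIP": 124, "CIFS": 410, "RDP": 35}

if __name__ == "__main__":
    baseline = build_baseline(HISTORY_MB)
    for traffic_type, reason in secondary_capture_triggers(CURRENT_MB, baseline):
        print(f"start secondary capture for {traffic_type}: {reason}")
```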

Summary and Outlook

Network forensics provides nonstop network traffic recording with secure solutions to ensure that companies are ready at any time to test and analyse performance problems, security threats and other network anomalies, even in high-speed state of the art networks.

Faster problem solving and attack resolution allows your organisation to:

  • Reduce network outages and increase employee productivity
  • Reduce the risk of attacks and avoid fines for data breaches
  • Gain a better understanding of network use and network resources

The critical issues

How can network forensics support your business?

It may help to consider the following questions when assessing your organisation’s strengths, weaknesses, strategies and potential investments:

  • What precautions have we taken to solve network performance problems and to investigate attacks?
  • Are we recording traffic at all points to ensure that we can solve problems and detect security breaches as quickly as possible?
  • Following an attack on one of our servers, are we able to identify all the devices the server is communicating with? If so, how long does this take?
  • What would the consequences be if our company’s most classified data were to be disclosed? Are we satisfied with our current security arrangements and are we investigating options for protecting ourselves against this type of vulnerability?
  • If we plan to increase our network speed and bandwidth, do we need to improve our IT network monitoring and analysis? Have we carried out an audit of our current network monitoring and analysis tools to find out if these are superfluous? This could be due to trends like high-speed networks and rich media (for example, VoIP and Video) communication with a higher number of endpoints as well as security risks from using a private mobile office.

Answering these questions will allow you and your company to make important decisions about network forensics, security, application provision and employee productivity.

We will be happy to advise you and look forward to hearing from you!