Network forensics is the process of analyzing your network traffic in order to find out vulnerabilities and attempts to exploit them in you network. Before you start performing network forensics, there are a few skills you must have in your bag:
- Knowledge about network protocol on all layers, and their vulnerabilities or problem that they may introduce when configuring them incorrectly.
- Malware analysis is going to be required when getting to the payload analysis step.
Another thing you must do, is prepare a network pre-analysis report that will contain the following information:
- Protocols used on the network – This information will be used to find problematic protocols that might be used in the network (FTP,SNMPv1/2, etc.) and to find protocols that are used in the network illegitimately.
- The type of content type traveling in the network. For example a network that is used for VOIP should not have user transferring documents across it.
- Network “Service Providers” – The main services in the network and the servers that provide them. For example the IP addresses of the DNS servers and the DHCP server. This information will be used to find out computers impersonating to service providers in the network, for example a rogue DHCP server, used as part of a DHCP starvation attack. The services you are looking for, are usually DHCP,LDAP,SMB,NFS,NTP,HTTP and DNS.
- Network architecture – The structure of the network is important for the decision from where i want to capture the network traffic.
First step: Capturing the traffic
The most common way is connecting a laptop to a mirror port on the switch you want to capture traffic from, and firing up tcpdump or wireshark.
Warning: The network capture (not surprisingly) captures all traffic, and while investigating the network capture you might be exposed to private information (Personal mails, media files, pages opened by the user, credentials, etc.) It is very important to minimum the quantity of people possible will be part of the team inspecting the network capture.
The investigation process is divided into 4 parts:
- Frequency analysis – Inspect the reoccurence of incidents over time. Packet peaks, session peaks and massive file transfers reoccuring at fixed or non-fixed intervals. (Fixed interval peaks are not necesarily suspicious, they might be part of a IT process like backups.)
- Statistical and quantitive analysis – It`s all about looking for one to many, and many to one relations. One to many might be an indication for someone scanning the network, looking for lateral movement while many to one, might indicate that your network has computer infected with some kind of malware. Do not hurry and conclude that. Check that the destination is not a legitimate service provider of the network (DNS,DHCP,etc. ).
- Protocol analysis – Analyze the network traffic in order to find protocols that do not match the network architecture, or protocols that match but expose some kind of weakness. Like using SNMPv2. The indications you will look for are mostly sources/destinations that should not be using certain protocol, for example DHCP offers not sent by the network`s DHCP inftrastructure. Another example might be FTP traffic not heading the organization`s FTP servers, but a server on the internet instead.
- Payload analysis – The most complicated (and interesting) analysis type one can get into. This analysis type is about examining the content of the packets we found suspicious on previous analysis types and examining them in an malware analysis environment in order to find out the nature of the payload (Destructive/Disruptive/non-destructive). The most common way to find suspicious traffic is looking for file/data types that should not exist in the network (IRC,XML,Binaries), inspecting their source and destination and deciding wether or not they are legitimate. The payload then should be analyzed using malware analysis methods. Since payload analysis is the most complicated analysis method to explain, I will give a few examples
- An excel document with an embedded executable was found, we took it and ran it in a sandboxed environment to find out what that executable did.
- A shellcode that was part of an exploitation attempt was found in traffic from the Internet to a server in the organization. That capture was replayed using tcpreplay and replayed against a similarly configured server in the lab environment.
I recommend working in the order stated above, because that way you can find suspicious traffic, flag it and then dive inside the packets the deepest a malware analyst can get.