Pretty much everything a person does on a computer leaves a trail on the network -- and that includes nefarious actions. In their new book Network Forensics: Tracking Hackers through Cyberspace, authors Sherri Davidoff and Jonathan Ham describe how companies can take advantage of this trail to protect their information.
The book examines how organizations can uncover their own network-based evidence using Web-based crime-fighting techniques, such as packet captures, flow records and Web proxies that can reconstruct a suspect's Web-surfing history. There's a huge amount of information on networks, and organizations can and should leverage that valuable data to operate more securely and efficiently, said Davidoff, founder of LMG Security.
Read the excerpt
This is an excerpt from the book Network Forensics: Tracking Hackers through Cyberspace, authored by Sherri Davidoff and Jonathan Ham and published by Prentice Hall in June, 2012.
"When a computer crime happens, it leaves a trail on the network that you can follow," Davidoff said. "Hard drive forensics is like doing an autopsy of a body, whereas network forensics is an examination of the whole crime scene -- the footprints, the fingerprints, the bullet in the wall."
And, like a crime scene, the criminals do their best to hide their tracks. One of the biggest challenges in network forensics is the rise in encrypted network traffic, Davidoff said, adding that encryption is a "double-edged sword."
Hard drive forensics is like doing an autopsy of a body, whereas network forensics is an examination of the whole crime scene.
Encryption is great for security and privacy but makes it difficult for organizations to detect data leakage or recognize malware by content-based analysis, she said.
"We can overcome this, in part, by building better tools and techniques for statistical-flow record analysis -- identifying malicious software, for example, on the basis of patterns in packet sources and destinations, timing, and volume," Davidoff said.
Network forensics can also be used for malware detection and prevention -- a growing concern in many companies. The network-based malware detection and prevention mechanisms have several advantages over host-based counterparts, Davidoff said.
Using forensics, for example, network-based malware detection signatures can be developed and deployed throughout the organization.
"Using Web proxy and mail server logs, you can track the spread of phishing emails throughout an organization and tell exactly which workstations were infected," Davidoff said. "Using event logs, you can figure out who was logged in when the infection occurred, so you know which employees to train. Network forensics is a key component in scalable malware defense."
In this excerpt from Network Forensics: Tracking Hackers through Cyberspace, read real-world examples of network forensics use, the technical fundamentals needed to get your strategy started, and the advantages of forensics in malware prevention.
Download the excerpt from Network Forensics: Tracking Hackers through Cyberspace.
This was first published in July 2012