What is network forensics explain the 3 modes of protection in Did strategy?


1. NETWORK FORENSICS

2. Network Forensics Overview
   - Network forensics
     - Process of collecting and analyzing raw network data and tracking network traffic
     - To ascertain how an attack was carried out or how an event occurred on a network
   - Intruders leave a trail behind
   - Knowing your network's typical traffic patterns is important in spotting variations in network traffic

3. The Need for Established Procedures
   - Network forensics examiners must establish standard procedures for how to acquire data after an attack or intrusion
   - Essential to ensure that all compromised systems have been found
   - Procedures must be based on an organization's needs and complement network infrastructure
   - NIST created "Guide to Integrating Forensic Techniques into Incident Response" to address these needs

4. Securing a Network
   - Layered network defense strategy
     - Sets up layers of protection to hide the most valuable data at the innermost part of the network
   - Defense in depth (DiD)
     - Similar approach developed by the NSA
   - Modes of protection
     - People
     - Technology
     - Operations

5. Securing a Network
   - Testing networks is as important as testing servers
   - You need to be up to date on the latest methods intruders use to infiltrate networks
     - As well as methods internal employees use to sabotage networks
   - Small companies of fewer than 10 employees often don't consider security precautions against internal threats necessary
     - Can be more susceptible to problems caused by employees revealing proprietary information

6. Developing Procedures for Network Forensics
   - Network forensics can be a long, tedious process
   - Standard procedure that is often used:
     - Always use a standard installation image for systems on a network
     - Fix any vulnerability after an attack
     - Attempt to retrieve all volatile data
     - Acquire all compromised drives
     - Compare files on the forensic image to the original installation image

7. Developing Standard Procedures for Network Forensics
   - In digital forensics
     - You can work from the image to find most of the deleted or hidden files and partitions
   - In network forensics
     - You have to restore drives to understand the attack
     - Work on an isolated system
       - Prevents malware from affecting other systems

8. Reviewing Network Logs
   - Network logs record ingoing and outgoing traffic
     - Network servers
     - Routers
     - Firewalls
   - Tcpdump and Wireshark: tools for examining network traffic
     - Can generate top 10 lists
     - Can identify patterns

9. Using Network Tools
   - Sysinternals
     - A collection of free tools for examining Windows products
   - Examples of the Sysinternals tools:
     - RegMon shows Registry data in real time
     - Process Explorer shows what is loaded
     - Handle shows open files and processes using them
     - Filemon shows file system activity

10. Using Network Tools
   - Tools from the PsTools suite created by Sysinternals
     - PsExec runs processes remotely
     - PsGetSid displays security identifier (SID)
     - PsKill kills process by name or ID
     - PsList lists details about a process
     - PsLoggedOn shows who's logged on locally
     - PsPasswd changes account passwords
     - PsService controls and views services
     - PsShutdown shuts down and restarts PCs
     - PsSuspend suspends processes

11. Using Packet Analyzers
   - Packet analyzers
     - Devices or software that monitor network traffic
     - Most work at layer 2 or 3 of the OSI model
     - Most tools follow the Pcap (packet capture) format
   - Some packets can be identified by examining the flags in their TCP headers
   - Tools
     - Tcpdump
     - Tshark
     - Netflow
     - Wireshark

12. Examining the Honeynet Project
   - The Honeynet Project was developed to make information widely available in an attempt to thwart Internet and network hackers
     - Objectives are awareness, information, and tools
   - Distributed denial-of-service (DDoS) attacks
     - Hundreds or even thousands of machines (zombies) can be used
   - Zero day attacks
     - Another major threat
     - Attackers look for holes in networks and OSs and exploit these weaknesses before patches are available
   - Honeypot
     - Normal looking computer that lures attackers to it
   - Honeywalls
     - Monitor what's happening to honeypots on your network and record what attackers are doing

13. Summary
   - Network forensics is the process of collecting and analyzing raw network data and systematically tracking network traffic to ascertain how an attack took place
   - Steps must be taken to harden networks before a security breach happens
   - Being able to spot variations in network traffic can help you track intrusions
   - Several tools are available for monitoring network traffic, such as packet analyzers and honeypots
   - The Honeynet Project is designed to help people learn the latest intrusion techniques that attackers are using
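Added example, not part of the slide deck: a minimal Python decoder for Ethernet II / IPv4 / TCP frames (the layers a pcap-format tool hands you), run over constructed frames rather than captured traffic. It reads the TCP header flags that slide 11 says identify packets, and builds the "top talkers" list and a simple pattern check that slides 2 and 8 describe, so that a burst of bare SYNs to many ports stands out from the typical traffic baseline. Names such as `build_frame` and the 10.0.0.x addresses are invented for the demo.

```python
import struct
from collections import Counter

# TCP flag bits, in the order they will be reported (from the TCP header layout)
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_frame(frame: bytes):
    """Decode Ethernet II / IPv4 / TCP headers from one raw frame; None if not IPv4+TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ihl = (frame[14] & 0x0F) * 4            # IPv4 header length in bytes
    if frame[23] != 6 or len(frame) < 14 + ihl + 14:
        return None                          # protocol 6 = TCP; need at least 14 TCP bytes
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    tcp = frame[14 + ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    flags = [name for bit, name in TCP_FLAGS.items() if tcp[13] & bit]
    return {"src": src, "dst": dst, "sport": sport, "dport": dport, "flags": flags}

def build_frame(src, dst, sport, dport, flag_bits):
    """Construct a synthetic frame for the demo (no checksums; not captured traffic)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flag_bits, 1024, 0, 0)
    return eth + ip + tcp

def top_talkers(frames, n=10):
    """Frames per source address: the 'top 10' style list used when reviewing traffic."""
    counts = Counter(p["src"] for p in map(parse_frame, frames) if p)
    return counts.most_common(n)

def syn_only_sources(frames, min_ports=5):
    """Sources sending bare SYNs to many distinct ports: a deviation from normal traffic."""
    ports = {}
    for p in filter(None, map(parse_frame, frames)):
        if p["flags"] == ["SYN"]:
            ports.setdefault(p["src"], set()).add(p["dport"])
    return sorted(src for src, seen in ports.items() if len(seen) >= min_ports)

# Constructed sample: six bare SYNs to six ports from 10.0.0.5, plus a normal HTTPS exchange
SAMPLE = [build_frame("10.0.0.5", "10.0.0.1", 40000 + i, 20 + i, 0x02) for i in range(6)]
SAMPLE += [build_frame("10.0.0.7", "10.0.0.1", 51000, 443, 0x18) for _ in range(3)]
SAMPLE.append(build_frame("10.0.0.1", "10.0.0.7", 443, 51000, 0x10))

if __name__ == "__main__":
    print(top_talkers(SAMPLE), syn_only_sources(SAMPLE))
```

On real data, feed `parse_frame` the packet bytes from each pcap record instead of `SAMPLE`; the thresholds are what you tune against your own network's baseline.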

What are the three modes of protection in the DiD strategy?

The DiD strategy focuses on three modes of protection: people, technology, and operations.

What is meant by network forensics?

Network forensics can be generally defined as a science of discovering and retrieving evidential information in a networked environment about a crime in such a way as to make it admissible in court.

What are the three main steps in the network forensic process and why?

Acquisition (without altering or damaging), Authentication (that recovered evidence is the exact copy of the original data), and Analysis (without modifying) are the three main steps of computer forensic investigations.
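Added example, not from the slides or the answer above: a small Python routine covering the authentication step listed here (the acquired copy must hash identically to the original) and the "compare files on the forensic image to the original installation image" step from slide 6. Files are hashed in chunks and never written to, and the two directory trees are constructed in a temporary directory to stand in for the two images; the file names and contents are invented.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so a large drive image need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_copy(original: Path, acquired: Path) -> bool:
    """Authentication step: the acquired copy must hash identically to the original."""
    return sha256_file(original) == sha256_file(acquired)

def manifest(root: Path) -> dict:
    """Relative path -> SHA-256 for every file under root (read-only; nothing is modified)."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def diff_images(install: dict, forensic: dict) -> dict:
    """Compare the forensic image's files against the standard installation image."""
    return {
        "added": sorted(set(forensic) - set(install)),
        "removed": sorted(set(install) - set(forensic)),
        "modified": sorted(k for k in install.keys() & forensic.keys() if install[k] != forensic[k]),
    }

def demo() -> dict:
    """Build two constructed directory trees standing in for the two images, then compare."""
    with tempfile.TemporaryDirectory() as tmp:
        install, forensic = Path(tmp, "install_image"), Path(tmp, "forensic_image")
        for root in (install, forensic):
            (root / "etc").mkdir(parents=True)
            (root / "etc" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
            (root / "bin").mkdir()
            (root / "bin" / "ls").write_bytes(b"original binary\n")
        (forensic / "bin" / "ls").write_bytes(b"replaced binary\n")  # modified on the evidence
        (forensic / "tmp").mkdir()
        (forensic / "tmp" / "dropper").write_bytes(b"unexpected\n")  # added on the evidence
        return {
            "hosts_authentic": verify_copy(install / "etc" / "hosts", forensic / "etc" / "hosts"),
            "diff": diff_images(manifest(install), manifest(forensic)),
        }

if __name__ == "__main__":
    print(demo())
```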

What are the methods of network forensics?

There are two methods of network forensics:
- "Catch it as you can" method: All network traffic is captured. ...
- "Stop, look and listen" method: Administrators watch each data packet that flows across the network, but they capture only what is considered suspicious and deserving of an in-depth analysis.