When you have a sophisticated, targeted attacker who has compromised and taken over computers in your network, you may need to ask some questions about what was happening in your network on top of simply cleaning the malware up and getting the infected computers back online.
Before you can feel confident that you’ve really removed the malware from the network, you need to:
The process of analyzing an attacker's activity in your environment and trying to create a complete picture of everything that they have attempted to do is a process we call forensics.
As we have dealt with more and more sophisticated attackers, this process has become increasingly important. It's important, first of all, because these attackers often have multiple infection points in our network. They are using multiple different kinds of malware with different command-and-control protocols. If you find one and you clean it up, you can rest assured that there are others that you haven't found. Without doing in-depth analysis, it's really difficult to piece together a comprehensive picture of the compromise and to feel confident that you’ve completely rooted it out of your environment.
Additionally, what we've learned through handling these attacks over time is that, when you analyze them and you understand how they occurred, there are pieces of information that fall out of that analysis that might help you detect future attacks by the same adversary. For example, with the Advanced Persistent Threat, determined attackers are not going to be deterred because you found some of their malware and cleaned it up. They're going to continue to target you.
The ability to learn from their techniques, and to apply what you have learned to look for continued attacks by them, is a critical part of how you actually protect your network against future attacks.
There are three data sources that are of critical importance for network forensics:
Moreover, it’s not likely that a packet capture solution will be able to monitor pervasively throughout your network. You're likely to be doing it at an access point that exists between your network and the outside world. Maybe you’ve got a little bit of packet capture scattered around within your internal environment, but it's very difficult to capture every single packet that happens everywhere.
NetFlow is compressed – it's just header information regarding the transactions that happened, so it's easy to store much more NetFlow for a much longer period of time than packet capture, for the same investment in disk space.
It really boils down to how much history you want to store. With NetFlow, you can potentially store months, whereas, with the same amount of disk space, you might have only gotten days of packet capture.
Additionally, it's really easy to get NetFlow pervasively from your environment. You can get NetFlow from down in the access and distribution layers of your switching fabric.
If you look at this network map, for example, if an end-user’s computer gets infected, a system up at the firewall level might be able to identify transactions that came from that computer and went out to the Internet. What you won’t see is the record of transactions that happened between those endpoint nodes down at the access level; and those transactions may be critically important when you're putting together what happened during a security incident, to understand how the attacker pivoted from his initial point of infection to other machines within your environment.
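To make the perimeter-versus-access-layer difference concrete, here is an added example (not Lancope's code) that walks a small set of constructed NetFlow-style records: it shows what a firewall-level sensor would report for an infected host, and then follows internal-to-internal flows from that host to rebuild the pivot chain that only access-layer NetFlow can reveal. The addresses, ports and byte counts are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed internal address space and sample flow records
# (5-tuple plus byte count, the kind of header data NetFlow carries).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int

SAMPLE_FLOWS = [
    Flow("10.1.20.15", "203.0.113.7", 443, "tcp", 48210),   # infected host -> Internet
    Flow("10.1.20.15", "10.1.20.22", 445, "tcp", 912000),   # infected host -> peer (SMB)
    Flow("10.1.20.15", "10.1.30.5", 3389, "tcp", 15600),    # infected host -> peer (RDP)
    Flow("10.1.20.22", "10.2.0.10", 445, "tcp", 2400000),   # peer -> file server
    Flow("10.1.30.8", "198.51.100.4", 80, "tcp", 1200),     # unrelated outbound browsing
]

def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def visible_at_perimeter(flow: Flow) -> bool:
    """A firewall-level sensor only sees flows that cross the network edge."""
    return is_internal(flow.src) != is_internal(flow.dst)

def perimeter_only_view(flows, seed: str) -> list:
    """Everything an analyst with only edge data would see for the seed host."""
    return [f for f in flows if f.src == seed and visible_at_perimeter(f)]

def pivot_chain(flows, seed: str) -> set:
    """Starting from a known-infected host, follow internal-to-internal flows
    transitively and return every internal host reached. This needs NetFlow
    from the access/distribution layers; the perimeter never sees these flows."""
    reached, frontier = set(), [seed]
    while frontier:
        host = frontier.pop()
        for f in flows:
            if f.src == host and is_internal(f.dst) and f.dst not in reached and f.dst != seed:
                reached.add(f.dst)
                frontier.append(f.dst)
    return reached
```

For the constructed data, the perimeter view of the infected host is a single HTTPS flow to the Internet, while the access-layer view exposes three further internal hosts touched directly or through a peer.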
NetFlow is a critical ingredient in the recipe of how you defend your network against attacks. It has a lot of unique value alongside Syslog and packet capture.
Learn more about how Lancope leverages NetFlow for security intelligence and forensic investigations by watching this video and this webinar.