In the world of infosec, we know that gathering evidence is critical to identifying the attack vector, understanding how to stop the attack quickly, and moving ongoing investigations further. One of the best ways to gather forensic evidence is through network monitoring.
Whether in cybersecurity or public safety, the time to respond to an incident is driven by three overlapping phases of action:
- Contain the damage
- Understand the incident
- Mitigate the effects
Contain the Damage
Imagine a ransomware attack. The first task for response is to isolate the target system as fast as you can to prevent the spread of infection or encryption of network resources (i.e., contain the damage).
Understand the Incident
The next task is to figure out how the compromise occurred (i.e., understand the incident). Was it a targeted phishing attack with a bad attachment? Was it a strategic web compromise launching an attack through an unpatched browser via an exploit kit? How do you know the difference?
You’ll need to know this information before you can move to phase 3. If you don’t know the original attack vector, you risk making incorrect assumptions and not mitigating the attack at all.
In this case, you do not know if the correct approach is to evaluate your email filters, talk to IT about your patching strategy for browsers, or both.
In terms of understanding the incident, network traffic is one of the best sources of evidence available to you. If you have detailed network traffic for the targeted computer, you can easily choose a time window and an affected system. From there you can:
- Extract and forensically analyze email attachments received by the user
- Reconstruct browser behavior without depending on the user’s memory
- Determine the source of the ransomware
Mitigate the Effects
Once you have evidence of how the attack occurred, you can start mitigation efforts from facts, rather than conjecture. Either you have the malware attachment, and you can analyze it through mail filters, or you have the network session to the compromised site and you can determine if you have browser vulnerability or need to refine your firewall blocking rules.
Creating Evidence with Network Monitor
The evidence that lets you make a correct decision is most easily identified and captured through network monitoring.
Without Network Monitor to create the evidence you need, you’re unlikely to be able to identify an exact root cause of the breach or determine which mitigation steps are going to be effective.
If you’re not already monitoring your network, you can use NetMon Freemium to get started.