Do you feel prepared for a cyber-related attack? Although most IDS/IPS systems do a very good job with the “D” (detection) and “P” (prevention), hackers still make their way in. High profile cases are all over the news, and those are just the ones we hear about.
Once an intrusion does occur, IDS/IPS and other security solutions fail to provide network engineers with the details they need to determine the magnitude of the intrusion and assess its impact. Those details are key to reassuring yourself, management, and customers that you know exactly what happened, what was compromised, and how it will be prevented in the future. In addition to perimeter-based network security, like IDS/IPS and firewall solutions, network recorders with network forensics capabilities are required. Without them, you are potentially exposing your network, and your company’s reputation, to a great deal of damage.
This year Bit9’s “Year of Attack” revealed that Advanced Persistent Threats (APTs), or long-term patterns of sophisticated hacking attacks, were the hacks of most concern to IT security experts. APTs don’t always have to breach a perimeter firewall or trigger IDS/IPS warnings, as many take advantage of risky, yet allowed, behavior by internal users. And in this age of mobile users, with laptops and handheld devices on wireless networks, network vulnerabilities are further exposed. Threats can sometimes be carried in on laptops that were recently connected to other, less secure networks, finding yet another way past existing perimeter-based network security. Unraveling such an attack is often like peeling an onion, so understanding what has happened on your network over a period of time by performing ongoing, detailed network forensics is one of the key ways to identify and remedy the damage caused by APTs.
To ensure that you have a complete security solution in place, here are five questions you should be able to answer after an attack, based on the network security solutions you already have deployed. If you cannot honestly answer all of these questions, then additional network security, like network recorders with network forensics, is probably required.
- Who was the intruder?
- How did the intruder penetrate security?
- What damage has been done?
- Did anything get left behind?
- How can we prevent this attack from reoccurring?
While no system, including network recorders and network forensics, can prevent a zero-day cyber attack, the information provided by network forensics can lead to an informed and efficient security posture within an organization, as well as a timely and detailed response should such an attack take place. If you are interested in hearing more about how you can use network forensics directly to answer these questions, check out our cyber security webinar.
Author Profile - Jay Botelho is the Director of Product Management at WildPackets, Inc., a leading network analysis solutions provider for networks of all sizes and topologies. Jay holds an MSEE, and is an industry veteran with over 25 years of experience in product management, product marketing, program management and complex analysis. From the first mobile computers developed by GRiD Systems to modern day network infrastructure systems, Jay has been instrumental in setting corporate direction, specifying requirements for industry-leading hardware and software products, and growing product sales through targeted product marketing.