What are the top sources for collecting network data?
With network-based attacks such as DDoS and other DNS attacks a well-established staple of threat actors’ arsenals, companies need not only to prevent them but also to understand them: to develop new ways of combating them, to deal with them when they occur, and to attribute blame properly where they can.
This is why network forensics is so important in cybersecurity. It requires analysts to use network traffic data to reconstruct and analyse:
- Network-based attacks.
- Inappropriate network usage.
- Operational issues of various kinds, in order to troubleshoot them.
Like all types of forensics, network forensics is a rigorous, complex process. Capturing data on a network may sound simple, but with volatile data on live systems and threat actors spoofing multiple IP addresses of innocent victims before disappearing into the wind, time is of the essence and you need to know where to look immediately.
How do networks and data work?
Network traffic is the communication carried over computer networks between hosts. To exchange data, networks use a process called encapsulation to transmit data packets under the Transmission Control Protocol over Internet Protocol (TCP/IP).
Packets can be broken down into multiple layers of data, each layer providing the information needed to overcome one hurdle in getting data from A to B.
These layers can be broken down into four categories:
- Application Layer, which enables an application to transfer data between an application server and a client. Common protocols are HTTP, DNS, FTP and SMTP.
- Transport Layer, which is responsible for packaging the data to be transmitted between hosts, with each packet carrying a source and a destination port number. The most common protocols are TCP, the Transmission Control Protocol, and UDP, the User Datagram Protocol.
- Network Layer (aka IP Layer), which routes packets across networks. IP, the Internet Protocol, is the fundamental network layer protocol of TCP/IP. Other commonly used network layer protocols are ICMP, the Internet Control Message Protocol, and IGMP, the Internet Group Management Protocol.
- Hardware Layer, aka Data Link Layer, which handles communications on the physical network components. The best-known Data Link Layer protocol is Ethernet.
Analysts can use these layers in the forensic process to do a multitude of things, including:
- Mapping network events to IP addresses, and those IP addresses to the Media Access Control (MAC) address of a particular Network Interface Controller (NIC), a physical identifier, in order to home in on a suspect host.
- Using DHCP server logs: DHCP servers can often be configured to log each IP address assignment together with the associated MAC address and a timestamp.
- Using a combination of the IP protocol number in the network layer and the port numbers and other fields in the transport layer to determine which application was most likely being leveraged or targeted.
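The layer-by-layer decoding described above, worked through in code. This is an added example and not from the original post: it decodes one constructed Ethernet/IPv4/TCP frame (addresses from the documentation ranges, chosen here) from the Data Link header up to the transport ports, and maps the IP protocol number plus the server-side port to a likely application, as a protocol analyser would.

```python
# Added example (not from the original post): decode each TCP/IP layer of one
# constructed frame and use protocol number + port to name the application.
import struct

# Constructed sample frame: Ethernet + IPv4 + TCP (SYN to port 443), no payload.
SAMPLE = (
    bytes.fromhex("001122334455")            # destination MAC (Data Link layer)
    + bytes.fromhex("66778899aabb")          # source MAC
    + b"\x08\x00"                            # EtherType 0x0800 = IPv4
    # IPv4: ver/IHL, DSCP, total length, id, flags/frag, TTL, protocol 6 (TCP), checksum, src, dst
    + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                  bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags SYN, window, checksum, urgent
    + struct.pack("!HHIIBBHHH", 51234, 443, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)
)

IP_PROTO = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}
# (protocol number, well-known port) -> application-layer protocol; assumption: IANA defaults.
APP_PORTS = {(6, 80): "HTTP", (6, 443): "HTTPS", (6, 21): "FTP", (6, 25): "SMTP",
             (6, 53): "DNS", (17, 53): "DNS"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def decode(frame):
    """Return a dict describing each layer of an Ethernet/IPv4/TCP-or-UDP frame."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        raise ValueError(f"not IPv4: ethertype 0x{ethertype:04x}")
    ip = frame[14:]
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4          # IPv4 header length in bytes (options may follow)
    result = {
        "link": {"src_mac": mac(src_mac), "dst_mac": mac(dst_mac)},
        "network": {"src_ip": ".".join(map(str, src)), "dst_ip": ".".join(map(str, dst)),
                    "ttl": ttl, "protocol": IP_PROTO.get(proto, str(proto))},
    }
    if proto in (6, 17):                # TCP and UDP headers both begin with src/dst ports
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        result["transport"] = {"src_port": sport, "dst_port": dport}
        # The lower-numbered port is usually the server side and identifies the application.
        result["application"] = APP_PORTS.get((proto, min(sport, dport)), "unknown")
    return result
```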
What are great sources of network data?
Analysts can collect network data for a forensic investigation from a multitude of sources, using a variety of tools and techniques.
These sources can include:
Packet sniffers
Packet sniffers monitor network traffic by capturing packets from a network. Normally, a Network Interface Controller (NIC) accepts only incoming packets that are specifically intended for it. But when the NIC is put into promiscuous mode, it accepts all incoming packets it sees, regardless of their intended destination.
Most packet sniffers are also protocol analysers, meaning they can reassemble streams from individual packets and decode communications that use any of the hundreds or thousands of different protocols.
Packet sniffers collect the most information on network activity; however, this can be difficult to sort through because of the huge volume of irrelevant data. An organisation can typically send out millions or billions of packets, and a packet sniffer often gives no immediate indication of which of them are related to threat actors’ malicious activity.
Intrusion Detection Systems (IDS)
A network-based IDS typically performs packet sniffing and analyses network traffic in order to identify suspicious activity on a network. IDSs identify malicious network traffic at all the TCP/IP packet layers and log data fields, and even raw packets, that can be useful in validating events and correlating them with other data sources.
Once it identifies something suspicious, it records the relevant information. IDS data is often a great starting point for analysts examining suspicious activity.
Security Event Management software (SEM)
Security Event Management (SEM) software can import security event information about network traffic from sources such as IDS and firewall logs and correlate it with other data sources. Typically, SEM receives copies of logs from every data source, puts them into a standard format and identifies related events by matching IP addresses, timestamps and other characteristics.
SEM software is often very useful because it automatically correlates events among the various data sources, extracts the relevant information and presents it to the user.
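A miniature version of the SEM correlation just described, combined with the DHCP lease lookup mentioned earlier under the forensic uses of the layers. This is an added example, not code from the original post or any SEM product: the firewall, IDS and DHCP log lines and their formats are constructed for illustration, and the 60-second correlation window is an assumption.

```python
# Added example (not from the original post): normalise log lines from several
# sources into one record format, group events that share a source IP within a
# time window, and resolve that IP to the MAC it was leased to at the time.
from datetime import datetime, timedelta
import re

# Constructed firewall denies, IDS alerts and DHCP lease acknowledgements.
FIREWALL = ["2024-05-01T10:00:05 DENY src=10.0.0.7 dst=203.0.113.5 dport=445",
            "2024-05-01T10:00:09 DENY src=10.0.0.7 dst=203.0.113.6 dport=445",
            "2024-05-01T11:30:00 DENY src=10.0.0.9 dst=203.0.113.5 dport=22"]
IDS = ["2024-05-01T10:00:07 ALERT sig=SMB-scan src=10.0.0.7"]
DHCP = ["2024-05-01T08:00:00 DHCPACK ip=10.0.0.7 mac=aa:bb:cc:00:00:01",
        "2024-05-01T09:55:00 DHCPACK ip=10.0.0.7 mac=aa:bb:cc:00:00:02",  # address reassigned
        "2024-05-01T09:00:00 DHCPACK ip=10.0.0.9 mac=aa:bb:cc:00:00:03"]

KV = re.compile(r"(\w+)=(\S+)")

def normalise(line, source):
    """Put a log line from any source into one standard record."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    return {"time": datetime.fromisoformat(ts), "source": source,
            "src_ip": fields.get("src"), "fields": fields}

def mac_for(ip, when):
    """MAC holding `ip` at `when`: the latest DHCPACK for that ip not after `when`."""
    best = None
    for rec in (normalise(l, "dhcp") for l in DHCP):
        f = rec["fields"]
        if f["ip"] == ip and rec["time"] <= when and (best is None or rec["time"] > best[0]):
            best = (rec["time"], f["mac"])
    return best[1] if best else None

def correlate(window=timedelta(seconds=60)):
    """Group firewall and IDS records that share a source IP within `window` of each other."""
    events = [normalise(l, "firewall") for l in FIREWALL] + [normalise(l, "ids") for l in IDS]
    events.sort(key=lambda e: e["time"])
    groups = []
    for e in events:
        for g in groups:
            if g["src_ip"] == e["src_ip"] and e["time"] - g["last"] <= window:
                g["events"].append(e)
                g["last"] = e["time"]
                break
        else:
            groups.append({"src_ip": e["src_ip"], "first": e["time"], "last": e["time"], "events": [e]})
    for g in groups:                      # which sources agree, and who held the address then
        g["sources"] = sorted({e["source"] for e in g["events"]})
        g["mac"] = mac_for(g["src_ip"], g["first"])
    return groups
```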
Network Forensic Analyst Tools (NFAT)
NFAT combines packet sniffers, protocol analysers and SEM software into one. NFAT software primarily collects, examines and analyses all network traffic, while also providing additional features such as:
- Reconstructing cyber events on a network.
- Visualising traffic flows and mapping IPs geographically.
- Searching content of applications for keywords.
- Constructing profiles for typical activity and singling out deviations.
Firewalls and routers
Network-based devices such as firewalls and routers, as well as host-based devices such as personal firewalls, examine network traffic and permit or reject it based on a set of criteria. They are normally configured to log basic information for rejected connection attempts and connectionless packets.
Network-based firewalls and routers may have additional data on network traffic you can collect if:
- They perform Network Address Translation (NAT).
- They provide intrusion detection or VPN functions.
- The firewalls act as proxies.
However, firewalls, routers and proxy servers by themselves often hold little data, normally giving only limited insight into a cyber event. Analysing that data over a long period, though, can reveal trends such as an increase in blocked connection attempts.
Remote Access Servers (RAS)
Remote access servers are devices that facilitate connections between networks, such as modem servers and VPN gateways.
This can involve:
- External systems connecting to internal systems.
- Internal systems connecting to external systems.
- Internal systems connecting to other internal systems.
Most remote-access-related logging occurs on the remote access server or the application server, although the client may also log that information.
In addition to remote access servers, organisations typically use multiple applications specifically designed to provide Read Only Memory (ROM) access to a particular host's operating system. ROM is a type of non-volatile data that can’t be altered by a user or an application.
Like firewalls, routers and proxy servers, remote access servers by themselves usually hold little useful data, although analysing it over a long period can identify trends over time.
Additional sources of network data
You can also get network data from your Internet Service Provider (ISP) records, which can be valuable in tracing a cyber attack back to its original source when the attack has used spoofed IP addresses. This is mainly done when a legal investigation is being launched.
Another highly effective way to get relevant network data is to use network monitoring software to identify strange port activity and significant deviations from normal traffic flows, which can be an indicator of an incoming distributed denial of service (DDoS) attack, in which botnets of thousands of infected systems launch attacks against a host or network at the same time.
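The kind of monitoring described in this paragraph, and the NFAT feature of profiling typical activity and singling out deviations, as an added example that is not from the original post or any monitoring product. It builds a per-port baseline of distinct source addresses per minute from constructed flow summaries and flags later minutes that fall far outside it or use a port never seen before; the sigma multiplier and minimum source count are assumptions chosen for illustration.

```python
# Added example (not from the original post): baseline distinct sources per
# destination port per minute, then flag windows that deviate from it.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow summaries: (minute index, source IP, destination port).
FLOWS = []
for minute in range(10):                          # baseline: a quiet period
    for i in range(3 + minute % 2):               # 3-4 distinct sources on port 443
        FLOWS.append((minute, f"198.51.100.{i}", 443))
    FLOWS.append((minute, "198.51.100.50", 53))   # one resolver querying DNS
for i in range(120):                              # minute 10: many sources hit 443 at once
    FLOWS.append((10, f"203.0.113.{i}", 443))
FLOWS.append((10, "203.0.113.200", 3389))         # minute 10: a port absent from the baseline

def sources_per_port(flows):
    """minute -> port -> set of distinct source IPs."""
    table = defaultdict(lambda: defaultdict(set))
    for minute, src, port in flows:
        table[minute][port].add(src)
    return table

def find_deviations(flows, baseline_minutes, sigma=3.0, min_sources=10):
    """Return (minute, port, distinct_sources, reason) for windows outside the baseline."""
    table = sources_per_port(flows)
    ports = {p for row in table.values() for p in row}
    history = defaultdict(list)                   # port -> distinct-source counts per baseline minute
    for m in baseline_minutes:
        for port in ports:
            history[port].append(len(table[m].get(port, ())))
    findings = []
    for minute, row in table.items():
        if minute in baseline_minutes:
            continue
        for port, srcs in row.items():
            n, hist = len(srcs), history[port]
            if not any(hist):
                findings.append((minute, port, n, "port not seen in baseline"))
            elif n >= min_sources and n > mean(hist) + sigma * pstdev(hist):
                findings.append((minute, port, n, "distinct sources far above baseline"))
    return sorted(findings)
```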
Securiwiser is a security monitoring tool which evaluates your company’s cybersecurity posture and flags up vulnerabilities in real-time, checking things like the security of your network and cloud, suspicious port activity, if you have malware on your network, and much, much more, presenting them all in an easy-to-read dashboard.