Use Cases for Network Forensics Tools
by Anton Chuvakin | February 5, 2013 | 3 Comments
Most of the network forensics tool discussion focuses on two types of use cases. These are, on a high level:
- incident response and investigations of captured traffic, either related to a specific incident or based on suspicions, such as about a user or an activity.
- ongoing monitoring such as by fusing decoded traffic captures with blacklist/reputation data or by NIDS-style pattern matching.
However, in this "age of APT" there is another sneaky use case for these tools that few security people understand (on the other hand, some of the pcap literati, who were brought up playing with packets since kindergarten, actually understand it pretty well).
This "mystery use case" is data exploration, which is neither clue-driven like investigations, nor constant and ongoing like monitoring. This use case is about getting a big pot of good coffee, a network forensics tool and a few terabytes (yes, terabytes – but, beginners, please start from mere gigabytes 
) of freshly gathered packets. And then just letting the magic happen. Some organizations call it “hunting”, others call it “assuming a compromise – then looking for it”, while others (and myself in this post) prefer “data exploration” as a label for this exciting activity.
This process will sometimes reveal indicators to investigate, and sometimes new monitoring practices to initiate. In almost all cases, it will yield useful knowledge, such as that about your network, your systems, and about your threats and vulnerabilities. Or, occasionally, about the fact that you were owned by the Chinese non-stop since 2010 As I said, useful knowledge it would be!
Related posts:
Additional Resources
View Free, Relevant Gartner Research
Gartner's research helps you cut through the complexity and deliver the knowledge you need to make the right decisions quickly, and with confidence.
Read Free Gartner Research
Category: monitoring network-forensics security
Anton Chuvakin
Research VP and Distinguished Analyst
8 years with Gartner
19 years IT industry
Thoughts on Use Cases for Network Forensics Tools
Comments are closed
Who's Blogging
- Debbie Wilson
- Augusto Barros
- Hank Barnes
- Mark Mcdonald
- Scot Kim
- Andrew White
- Avivah Litan
- Daniel Sanchezreina
- Eric Schmitt
- Jason Wong
- Dave Egloff
- Chris Ross
- Rene Buest
- Frank Buytendijk
- Augie Ray
- Jitendra Subramanyam
- Jim Hare
- Michael Mccune
- Tim Barlow
- Manjunath Bhat
- Marko Sillanpaa
- Mike Mcguire
- Mark Raskino
- Claire Tassin
- Lane Severson
- Bill Ray
- Andrew Frank
- Sean Holbert
- John Wheeler
- Marty Resnick
- Anna Maria
- Charles Golvin
- Benjamin Bloom
- Vivek Swaminathan
- Michael Woodbridge
- Annette Zimmermann
- Deacon Wan
- Mike Wonham
- Don Scheibenreif
- Steve Rietberg
- Alex Gash
- Lizzy Foo
- Camden Jones
- Aparajita Mazumdar
- Jane Anne
- Sally Witzky
- David Furlonger
- Christophe Uzureau
- Mark Atwood
- Clare Dietz
About
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.
The SIEMs solutions are playing here?
Sort of (e.g. see recent announcements), but most of this is done via dedicated tools
[…] data exploration process aimed at understanding what is going on, was going on, which may be based on a threat hypothesis or other suspicions (see additional details on this here) […]