Processes for Network Forensics

By Anton Chuvakin | February 15, 2013 | 3 Comments

Tags: security, network forensics, monitoring

Just as I did with SIEM and DLP, I wanted to explore the process (practice, procedure, workflow) side of network forensics tooling. So, my question is the same: what processes and practices are absolutely essential for effective use of a network forensics tool?

I can think of a few off the top of my head:

  1. incident response process (and, yes, I cringe as I am writing this, as it is so painfully obvious)
  2. indicator analysis process, which essentially means investigating a clue reported by a third party, logs, NIPS alerts, etc.
  3. process for defining and refining capture policies
  4. process for defining and refining detection alerts (if the tool is used for monitoring)
  5. data exploration process aimed at understanding what is going on or was going on, which may be based on a threat hypothesis or other suspicions (see additional details on this here)

Other ideas!? Do you think #5 is the same as #2 perhaps?

P.S. BTW, check out this great piece called “The Security Processes You Must Get Right.”

P.P.S. While we are on the subject of network forensics, check out this excellent piece by a true network forensics literati.

3 Comments

  • Steve says:

    Probably part of #5, but look at the outliers. What is an outlier in your company? The 1%?

  • Nrupak says:

    Hi,

    I believe this would also come along with other processes, or may be included in some of the above mentioned processes.

    a. Process/Policies for retention

    – retention of data captured (logs/packets)
    – retention of evidence

    b. Process/Policies for retrieval

    I also think the below-mentioned points would be required; possibly these are included in the above-mentioned processes.

    – Defining/Applying context to the captured data (i.e. either business context, technical context, or anything useful) – Possibly this is covered in #5

    – Process for defining a baseline for security alerts (#4, #2)

    With Regards,
    Nrupak D Shah

  • @steve That’s a good point – whatever outliers you define (rare, first-time-seen, occurring in unique combinations, etc.) are likely to be reviewed in #2, but what counts as an outlier is defined in #5, based on explorations.

    @nrupak Thanks for a great comment. I like a separate process for *evidence* retention. Will check whether any NTF users have that separated as such.
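As an added illustration (not code from the post or its commenters) of the outlier classes named in the reply above, the following Python flags first-time-seen and rare host/port pairs against a retained baseline; all hosts, ports and counts are constructed sample data.

```python
"""Outlier review for the data exploration process (#5): flag destination
ports a host has never used before ("first-time-seen") and (host, port)
pairs whose share of the baseline is below a chosen fraction ("rare", the
commenter's 1%). Flow records below are constructed sample data, not
real captures."""
from collections import Counter

# Constructed baseline: (src_host, dst_port) pairs seen over the retention window.
BASELINE = [
    ("10.0.0.5", 443), ("10.0.0.5", 443), ("10.0.0.5", 53),
    ("10.0.0.7", 443), ("10.0.0.7", 80), ("10.0.0.7", 53),
    ("10.0.0.9", 443), ("10.0.0.9", 53),
] * 25 + [("10.0.0.9", 22)]          # one lone SSH flow: rare but previously seen

# Constructed flows from the period under review.
TODAY = [
    ("10.0.0.5", 443), ("10.0.0.5", 53),
    ("10.0.0.7", 443), ("10.0.0.7", 4444),   # this host has never used 4444
    ("10.0.0.9", 22),                         # seen before, but well under 1%
]

def first_time_seen(baseline, flows):
    """Pairs in `flows` absent from the baseline (outlier class: first-time-seen)."""
    known = set(baseline)
    return sorted({f for f in flows if f not in known})

def rare_pairs(baseline, flows, fraction=0.01):
    """Pairs in `flows` whose share of the baseline is below `fraction`.
    Pairs with zero baseline count are left to first_time_seen()."""
    counts = Counter(baseline)
    total = sum(counts.values())
    return sorted({f for f in flows if 0 < counts[f] / total < fraction})

def review_queue(baseline, flows, fraction=0.01):
    """Both outlier classes as one list handed to the indicator review in #2."""
    return [("first-time-seen", p) for p in first_time_seen(baseline, flows)] + \
           [("rare", p) for p in rare_pairs(baseline, flows, fraction)]

if __name__ == "__main__":
    for kind, (host, port) in review_queue(BASELINE, TODAY):
        print(f"{kind:16} {host} -> port {port}")
```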