Our paper on network forensics tools and practices (“Network Forensics Tools and Operational Practices” by Anton Chuvakin and Eric Maiwald) has just been published.
“Network forensics tools are valuable to some organizations with cutting-edge security needs, but using them to detect and identify advanced attacks is definitely challenging and requires high security operations maturity.”
Here are some fun quotes:
- “NFTs are a technology that allows for the capture, storage, indexing, processing, search and analysis of all network traffic — with security intent — at a specific point (or specific points) in a network.”
- “An NFT is not just about packet headers and packet storage. Binary extraction, image preview and document searches all play a major role in NFT use cases. Also, an NFT “thinks” sessions, not packets, which is different from traditional network capture and analysis tools.”
- “Effective use of these complex tools requires a high degree of maturity in an organization’s security program as well as the presence of skilled personnel and a strong commitment on behalf of the organization.”
- “Among many other security monitoring tools, SIEM, DLP and the subject of this document — NFTs — require extensive processes and practices to deliver value. An NFT that is deployed in a data center and then never touched by analysts only serves to capture network data and retain it (some tools will also retain extracted metadata for a longer period of time). If nobody ever looks at it, all this effort is likely in vain.”
- “The operational reality of network forensics also determines how an NFT will fit into your organization. Will members of senior management expect the tool to just work without any human involvement? Do they perceive the tool as a “better IDS”? Perhaps only as an add-on for an SIEM device?”
- “One of the critical factors that determine whether a particular use case can deliver value is enterprise security maturity. Maturity determines whether a particular problem can in fact be solved with the help of a purchased and deployed tool. For example, using the tool for proactively exploring all network traffic in order to hunt for subtle clues of attacker activity requires not just owning the tool, but also retaining adept and dedicated personnel with the right mindset and skills and who are organized around effective and efficient processes and workflows.”
P.S. Gartner GTP subscription required for access.
Posts related to network forensics research: