007 characteristics in the network world
In 007's world, everything begins with a trigger. The trigger is an event or incident that alerts the organization to unsavory activities by persons known or unknown. It can be reactive or proactive.
As part of its defense-in-depth strategy, an organization's network is protected by a number of preventive and detective (monitoring) controls. A trigger is reactive when, for example, an organization realizes that its competitors seem to be getting hold of inside information that is limited in circulation and extremely confidential in nature.
A proactive trigger, by contrast, could be the result of an organization's own authorized penetration testing and vulnerability assessment exercise.
Following a trigger event, a preliminary information-gathering exercise is initiated, culminating in a briefing to the 007 (the investigator) that outlines all the currently known details of the breach or incident. Hypotheses are floated based on the information gathered so far, possible cause-and-effect scenarios are explored, and likely internal and external suspects may be shortlisted for further investigation.
The investigator then initiates a full-fledged information and evidence collection exercise using every kind of high-end technology available. Evidence may be collected from network traffic, from the memory of endpoint devices, and from the hard drives of compromised computers or devices; specialized tools are required for each. This is done with a view to proving or disproving the hypotheses floated earlier. Just as a closed-circuit television (CCTV) camera or a spy cam collects information in real life, on a network, traffic is captured using tools such as Wireshark, volatile memory is collected with tools such as Forensic Toolkit (FTK) Imager, and media images are acquired with tools such as EnCase.
The information collected is carefully and painstakingly analyzed with a view to extracting evidence relating to the incident and answering a set of questions, as shown in the following diagram:
An attempt is made to answer the following critical questions:
- Who is behind the incident?
- What actually happened?
- When did it happen?
- Where was the impact felt, or which resources were compromised?
- Why was it done?
- How was it done?
Based on the results of the analysis, a conclusion is drawn and recommendations are made. These recommendations result in an action, which may include remediation, strengthening of defenses, termination of an employee or insider, prosecution of suspects, and so on, depending on the objectives of the investigation. The following flow diagram neatly sums up the complete process:
Bond characteristics for getting to satisfactory completion of the case
Network forensic investigations can be very time-consuming and complex. They are usually very sensitive in nature and can be extremely time-critical as well. To be an effective network forensics Bond, we need to develop the following characteristics:
- Preparation: The preparation stage is essential to ultimately arrive at a satisfactory conclusion of a case. A calm, thought-out response with a proper evidence-collection process comes from extensive training and from knowing what to do when the most likely real-world scenarios occur. Practice leads to experience, which leads to the ability to innovate and arrive at out-of-the-box investigative insights for solving the case. A situation where the investigator is unable to identify a compromised system could lead to years of data theft, bleeding the organization dry and hastening its untimely demise. A scenario where an investigator is able to identify the problem but is unable to decide what action to take is equally bad. This is where preparation comes in. The key is knowing what to do in most situations.
A clear-cut incident response plan needs to be in place. Trained personnel with the necessary tools and processes should be available to tackle any contingency. Just as organizations carry out fire drills on a regular basis, incident response drills should be institutionalized as part of organizational policy.
- Information gathering/evidence gathering: A comprehensive system to monitor network events and activity, store logs, and back them up is essential. Different inputs are generated by different event-logging tools, firewalls, intrusion prevention and detection systems, and so on. These need to be stored and/or backed up at a secure location in order to prevent accidental or intentional tampering.
- Understanding of human nature: An understanding of human nature is critical. This helps the investigator to identify the modus operandi, attribute a motive to the attack, and anticipate and preempt the enemy's next move.
- Instant action: Just as Bond explodes into action at the slightest hint of danger, so must an investigator. Based on the preparations done and the incident response planned, immediate action must be taken when a network compromise is suspected. Questions such as "Should the system be taken off the network?" or "Should we isolate it from the network and observe what is going on?" should already have been decided at the planning stage. At this stage, time is of the essence and immediate action is required.
- Use of technology: An investigator should have Bond's love of high technology; however, a thorough knowledge of the tools is a must. A number of high-tech surveillance tools play an important role in network-based investigations. Specialized tools monitor network traffic, identify and retrieve hidden and cloaked data, analyze and visualize network logs and activities, and zero in on in-memory programs and the malicious software and tools used by the bad guys.
- Deductive reasoning: A logical thought process, the ability to reason through all the steps involved, and the desire to see the case to its rightful conclusion are the skills that need to be a part of a network 007's arsenal. Questioning all the assumptions, questioning the unquestionable, understanding cause and effect, examining the likelihood of an event occurring, and so on are the hallmarks of an evolved investigator.
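One way to make the stored logs called for under information gathering tamper-evident is to chain each record to the one before it with a hash, so that altering, removing or reordering a record breaks every later link. The following is an added illustration written for this section, not code from the book; its event records, field names and the two tampering scenarios are constructed for the example.

```python
import copy
import hashlib
import json

# Constructed sample events, of the kind a firewall, an authentication
# service and a web proxy might log. Illustrative data only.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:12:03Z", "src": "fw01",
     "msg": "DENY tcp 10.0.5.7 -> 203.0.113.9:445"},
    {"ts": "2024-03-01T09:12:05Z", "src": "auth",
     "msg": "login ok user=jdoe from=10.0.5.7"},
    {"ts": "2024-03-01T09:14:41Z", "src": "proxy",
     "msg": "GET http://203.0.113.9/up.bin 200 1.2MB"},
]
SEED = "0" * 64  # well-known starting value for the first link

def _digest(prev_hash, event):
    """SHA-256 over the previous link's hash plus this event in canonical JSON."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def build_chain(events, seed=SEED):
    """Store events as links {event, prev, hash}; each hash covers the previous
    one, so altering, removing or reordering a record breaks every later link."""
    chain, prev = [], seed
    for ev in events:
        h = _digest(prev, ev)
        chain.append({"event": ev, "prev": prev, "hash": h})
        prev = h
    return chain

def verify_chain(chain, seed=SEED):
    """Return (True, None) if intact, else (False, index of the first bad link)."""
    prev = seed
    for i, link in enumerate(chain):
        if link["prev"] != prev or _digest(prev, link["event"]) != link["hash"]:
            return False, i
        prev = link["hash"]
    return True, None

def tampered_copy(chain):
    """Constructed scenario: the proxy record is rewritten to hide a download."""
    bad = copy.deepcopy(chain)
    bad[2]["event"]["msg"] = "GET http://intranet.example/index.html 200 4KB"
    return bad

def deleted_copy(chain):
    """Constructed scenario: the authentication record is removed outright."""
    bad = copy.deepcopy(chain)
    del bad[1]
    return bad
```

The chain, or at least its latest hash, should be written to a separate write-once location, since a copy kept beside the logs can be rewritten along with them.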
The TAARA methodology for network forensics
There is considerable overlap between incident response and network forensics in the corporate world, with information security professionals being tasked with both roles. To help simplify the understanding of the process, we have come up with the easy-to-remember TAARA framework:
- Trigger: This is the incident that leads to the investigation.
- Acquire: This is the process set in motion by the trigger, predefined as part of the incident response plan; it involves identifying, acquiring, and collecting information and evidence relating to the incident. This includes gathering information about the trigger and the reasons for suspecting an incident, and identifying and acquiring sources of evidence for subsequent analysis.
- Analysis: All the evidence collected so far is collated, correlated, and analyzed, and the sequence of events is identified. Pertinent questions are answered: whether the incident actually occurred; if it did, what exactly happened; how it happened; who was involved; what the extent of the compromise is; and so on. Based on the information gathered during this stage, it may be necessary to go back to the acquire stage to gather additional evidence, which is then analyzed in turn.
- Report: Based on the preceding analysis, a report is presented to the stakeholders in order to determine the next course of action.
- Action: The action recommended in the report is usually implemented during this stage.
This is pictorially represented in the following image: