Many organizations believe that they are doing everything they need to when it comes to advanced network security and forensics.
They have this warm and fuzzy feeling because they have one analyst, maybe a whole team, to do investigations on known incidents.
The problem is that most of these organizations have their analysts around only for a check-in-the-box.
But forensic analysts need to be looking and investigating (near) real-time data. What should networking forensics be then?
People typically follow what they see in the media, though they know how untrue that information is. To better clarify what I mean, television shows and news stories are always showing forensics as an after-the-fact methodology. How rarely, if ever, do they show the way forensics should be portrayed?
The most effective is a continuous active practice that is vital to an organizations' overall security posture.
The best inference that comes to my mind is Sherlock Holmes. He was always on an adventure. He was not assigned a mission from the beginning. He found it himself. If we allow our network forensic analysts to work in this method, we would see ourselves finding the most useful data.
The analysts may be difficult to find, but it goes beyond that. We need to enable them with the right tools and resources. They need specific tools to clone hard drives without taking down a machine. They need tools that let them parse data for hashes or certain bit patterns, and they need to be able to do deep-packet inspection to see, step by step, how an incident occurred.
Some training is required to get the analysts up to speed, but the proper thing to search for, rather than skill or expertise, is passion.
Analysts can get burnt out rather quickly if they are doing routine investigations and are not let loose to find that adventure. It is a time-intensive job, but they will not see it that way. With the proper tools and enabling the analysts to actively seek incidents real-time on their own, we will see an increase in actual misuse and malicious cases.
Since “bad guys” (a term I use loosely) are always trying to break into networks, we need people to follow their tracks.
Whether it is at 2 a.m. on Christmas morning or right after lunch on the Friday you decided to go home early, the bad guys do not sleep because they have motivation and are all over the world.
They know how to bypass even our most advanced security tools. They know ways around our firewalls, ways to circumvent our intrusion detection system (IDS) signatures and methods to make anti-virus programs not detect malicious tools.
Network forensic analysts can latch on to the bad guys' tracks and stop them before things reach their worst if they are constantly searching for the network.
I am not saying that the advanced security tools are ineffective or that they should they be removed. What I am saying is that advanced persistent threats arise from individuals with a purpose and determination.
The network analyst should be actively looking for patterns in the network to figure out what is happening, what is going on, and a way to stop it from being worse than it already may be.
Though it may not seem exciting to most people, I enjoy hunting these bad guys, regardless the day or time. It becomes its own Christmas present when I can take one guy down that could have crippled an organization. I look at it like this: It is not whether today's network forensic analysts up to par, but rather are we setting them up for success by enabling them with the right tools and objectives?
