Network Forensics Analysis Tools continuation

Flow and IP address analysis tools help collect and analyze network traffic data to provide insights into network performance, security, and events.

Flow Analysis

Flow analysis focuses on analyzing metadata and statistics about network traffic, rather than capturing full packets. While full packet capture (FPC) offers detailed data, it requires significant storage and resources, making it difficult for many companies to maintain continuously. Instead, flow collectors record information from network devices like switches, routers, and firewalls. Flow analysis tools use this data to detect trends, unusual traffic patterns, or security issues, and generate reports and visual maps of network connections. These tools can alert you to suspicious behavior, malware activity, or applications exceeding bandwidth limits, helping to identify potential threats efficiently.

NetFlow

NetFlow is a tool developed by Cisco to track and report information about network traffic. It has evolved into the IP Flow Information Export (IPFIX) standard. NetFlow groups packets into “flows” based on shared characteristics like source and destination IP addresses and protocol type. These flows are stored in a database for analysis. NetFlow provides important details such as the IP addresses, ports, protocol versions, and the type of service (ToS) used by network traffic. This data can be used to analyze network performance and security issues. There are several tools available for analyzing NetFlow data, including both commercial products and open-source tools like SiLK, nfdump/nfsen, and Argus.
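The flow model described in the two sections above (packets grouped by shared header fields, then summarised instead of stored) is small enough to show end to end. The following is an added example written for this page, not code from Cisco, NetFlow or any flow collector: it keys constructed per-packet metadata records on the classic NetFlow 5-tuple, accumulates packet and byte counters per flow, and then answers the two questions a flow analysis tool is usually asked, which hosts send the most data and which flows exceed a bandwidth policy. The packet records and the IP addresses in them are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-packet metadata, the view a flow exporter has of the wire:
# (timestamp, src_ip, dst_ip, src_port, dst_port, protocol, bytes)
PACKETS = [
    (1000.0, "10.0.0.5", "93.184.216.34", 51000, 443, "TCP", 500),
    (1000.2, "93.184.216.34", "10.0.0.5", 443, 51000, "TCP", 1400),
    (1000.3, "10.0.0.5", "93.184.216.34", 51000, 443, "TCP", 120),
    (1001.0, "10.0.0.7", "10.0.0.53", 40000, 53, "UDP", 70),
    (1001.1, "10.0.0.53", "10.0.0.7", 53, 40000, "UDP", 150),
    (1002.0, "10.0.0.9", "203.0.113.8", 52222, 4444, "TCP", 60000),
    (1002.5, "10.0.0.9", "203.0.113.8", 52222, 4444, "TCP", 60000),
]


@dataclass
class Flow:
    """Per-flow counters: what a NetFlow record keeps instead of the packets."""
    first_seen: float
    last_seen: float
    pkt_count: int = 0
    byte_count: int = 0


def build_flows(packets):
    """Group packets into unidirectional flows keyed by the 5-tuple
    (src_ip, dst_ip, src_port, dst_port, protocol)."""
    flows = {}
    for ts, src, dst, sport, dport, proto, size in packets:
        key = (src, dst, sport, dport, proto)
        flow = flows.get(key)
        if flow is None:
            flow = flows[key] = Flow(first_seen=ts, last_seen=ts)
        flow.last_seen = max(flow.last_seen, ts)
        flow.pkt_count += 1
        flow.byte_count += size
    return flows


def bytes_per_source(flows):
    """Total bytes sent per source address; the basis of a top-talkers report."""
    totals = defaultdict(int)
    for (src, _dst, _sport, _dport, _proto), flow in flows.items():
        totals[src] += flow.byte_count
    return dict(totals)


def flows_over_threshold(flows, max_bytes):
    """Keys of flows whose byte count exceeds a policy limit."""
    return [key for key, flow in flows.items() if flow.byte_count > max_bytes]


if __name__ == "__main__":
    flows = build_flows(PACKETS)
    for key, flow in flows.items():
        print(key, flow)
    print("bytes per source:", bytes_per_source(flows))
    print("over 100 KB:", flows_over_threshold(flows, 100_000))
```

Because the key is directional, each TCP session appears as two flows (client to server and server to client); collectors that export bidirectional records pair them up, but the counters above are what either style is built from.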

Zeek (Bro)

Zeek (formerly Bro) is a network monitoring tool that works between full packet capture and NetFlow. While NetFlow only collects metadata, Zeek provides a more detailed analysis without capturing unnecessary data. It operates passively by reading traffic from a network tap or mirror port, like a sniffer, but only logs relevant data to reduce storage needs. Zeek also processes the captured data, converting it into easy-to-read formats like tab-delimited or JSON files. It can be customized using a scripting language, allowing users to adjust what data is collected and how alerts are triggered based on network behavior.
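Zeek's default tab-delimited output is self-describing: a `#fields` header names the columns, a `#types` header gives their Zeek types, and `#unset_field` says which token (normally `-`) marks a missing value. The parser below is an added example written for this page, not part of Zeek itself; it reads those headers, converts values by type, and then runs two typical checks over the resulting connection records. The `conn.log` excerpt is constructed (the `uid` values are placeholders, not real Zeek identifiers), and only a subset of the real `conn.log` columns is included.

```python
from collections import defaultdict

# Constructed conn.log excerpt in Zeek's TSV layout. The backslash in the
# "#separator" line is literal, exactly as Zeek writes it.
ZEEK_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#open\t2024-01-01-00-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1704067200.123456\tCabc1\t10.0.0.5\t51000\t93.184.216.34\t443\ttcp\tssl\t2.5\t620\t1400\tSF
1704067201.000000\tCabc2\t10.0.0.7\t40000\t10.0.0.53\t53\tudp\tdns\t0.01\t70\t150\tSF
1704067202.000000\tCabc3\t10.0.0.9\t52222\t203.0.113.8\t4444\ttcp\t-\t-\t-\t-\tS0
#close\t2024-01-01-00-05-00
"""


def _convert(zeek_type, raw, unset):
    """Map a raw column to a Python value using the #types header."""
    if raw == unset:
        return None
    if zeek_type in ("time", "interval", "double"):
        return float(raw)
    if zeek_type in ("count", "int", "port"):
        return int(raw)
    return raw  # addr, enum, string and anything else stay as text


def parse_zeek_tsv(text):
    """Parse one Zeek TSV log into a list of dicts keyed by field name."""
    fields, types, unset = None, None, "-"
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#types":
                types = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            continue  # #separator, #path, #open, #close carry no row data
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("data row before #fields header or column count mismatch")
        row = {}
        for i, (name, raw) in enumerate(zip(fields, values)):
            zeek_type = types[i] if types and i < len(types) else "string"
            row[name] = _convert(zeek_type, raw, unset)
        rows.append(row)
    return rows


def bytes_sent_by_host(rows):
    """Bytes each originator sent; unset counters count as zero."""
    totals = defaultdict(int)
    for row in rows:
        totals[row["id.orig_h"]] += row["orig_bytes"] or 0
    return dict(totals)


def failed_connections(rows):
    """uids of attempts that got no reply (Zeek conn_state S0)."""
    return [row["uid"] for row in rows if row["conn_state"] == "S0"]


if __name__ == "__main__":
    records = parse_zeek_tsv(ZEEK_CONN_LOG)
    print(bytes_sent_by_host(records))
    print(failed_connections(records))
```

Reading the headers instead of hard-coding column positions matters in practice: a site script that adds a field to `conn.log` shifts every later column, and a parser that trusts `#fields` keeps working while one with fixed indices silently reads the wrong column.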

Multi Router Traffic Grapher (MRTG)

MRTG (Multi Router Traffic Grapher) is a tool that creates graphs to show the amount of traffic flowing through network devices like routers and switches. It works by polling these devices using the Simple Network Management Protocol (SNMP), which helps visualize whether any network link is experiencing higher than normal traffic. MRTG is open-source software that needs to be compiled for UNIX or Linux systems from the source code, but it can also run on Windows with a Perl interpreter. After installation, users need to configure which SNMP-enabled IP or Ethernet interfaces they want to monitor.
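An SNMP interface counter such as `ifInOctets` is a running total, so a grapher like MRTG turns two polls into a rate by subtracting them and dividing by the interval; the catch is that a 32-bit counter wraps to zero, and on a fast link it can do so between polls. The functions below are an added example written for this page, not MRTG's own code: they compute bits per second from consecutive (timestamp, counter) samples, correct a single wrap, and show how long a poll interval a given link speed can tolerate before a 32-bit counter may wrap more than once. The sample values are constructed.

```python
def counter_delta(prev, curr, width=32):
    """Octets counted between two polls, correcting one wrap of a
    `width`-bit counter. A second wrap inside the interval is undetectable."""
    if curr >= prev:
        return curr - prev
    return (2 ** width - prev) + curr


def bits_per_second(prev_sample, curr_sample, width=32):
    """Rate between two (timestamp_seconds, counter_value) samples."""
    (t0, c0), (t1, c1) = prev_sample, curr_sample
    if t1 <= t0:
        raise ValueError("samples must be in increasing time order")
    return counter_delta(c0, c1, width) * 8 / (t1 - t0)


def poll_series(samples, width=32):
    """Turn a list of samples into (timestamp, bps) points for graphing."""
    return [
        (samples[i][0], bits_per_second(samples[i - 1], samples[i], width))
        for i in range(1, len(samples))
    ]


def max_safe_interval(link_bps, width=32):
    """Longest poll interval (seconds) before a counter at full line rate
    can wrap more than once and the delta becomes wrong."""
    return (2 ** width) * 8 / link_bps


if __name__ == "__main__":
    # Constructed 5-minute polls of a 32-bit counter that wraps between the
    # second and third sample.
    samples = [(0, 4294960000), (300, 4294967000), (600, 100)]
    for ts, bps in poll_series(samples):
        print(f"t={ts}s  {bps:.2f} bps")
    print("gigabit link, 32-bit counter: max interval",
          round(max_safe_interval(1_000_000_000), 1), "s")
```

The last figure is the practical caveat: a gigabit interface can roll a 32-bit counter over in about 34 seconds, well inside MRTG's default 5-minute poll, which is why fast links should be polled through the 64-bit `ifHCInOctets`/`ifHCOutOctets` counters instead.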

IP Address and DNS Analysis

IP Address and DNS Analysis focuses on examining network traffic to look for suspicious access requests to external hosts. Many cyberattacks use a Command and Control (C&C) server to download malicious tools or steal data. Analyzing these requests is important because you can use threat intelligence to match IP addresses, domain names, and URLs found in your network traffic against known lists of safe (whitelists) and harmful (blacklists) addresses. This helps in identifying potential threats and improving security by using a Security Information and Event Management (SIEM) system to monitor and analyze the data.

IP Address and Domain Name System (DNS) Analysis

IP Address and DNS Analysis looks at how malware often contacts a Command and Control (C&C) server using a fixed IP address or domain name coded into the malware. This method, known as beaconing, is not very effective because security systems can easily identify and block these malicious addresses, making it possible to find and remove the malware. When this type of attack occurs, it can be detected by comparing the destination addresses from packet traces with lists of known harmful IP addresses and domains from threat intelligence sources. There are several providers that offer reputation risk intelligence and blacklists for IPs and URLs, such as BrightCloud, MX Toolbox, urlvoid.com, and ipvoid.com.
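The comparison described in the two IP and DNS analysis sections above, destination addresses from a trace checked against allowlists and blocklists, has two details worth getting right: blocklist entries are often CIDR ranges rather than single hosts, and a domain entry must match its subdomains without matching unrelated names that merely end in the same characters. The following is an added example written for this page, not the code of any of the providers named above or of a SIEM: the indicator lists, connection records and addresses are constructed placeholders, not real threat intelligence.

```python
import ipaddress

# Constructed indicator lists (placeholders, not a real feed).
BLOCKED_IPS = ["203.0.113.8", "198.51.100.0/24"]
BLOCKED_DOMAINS = ["bad-example.test", "c2.example.invalid"]
ALLOWED_DOMAINS = ["example.com"]

# Constructed connection records: (source, destination IP, destination name or None).
CONNECTIONS = [
    ("10.0.0.5", "93.184.216.34", "www.example.com"),
    ("10.0.0.9", "203.0.113.8", None),
    ("10.0.0.7", "198.51.100.77", "cdn.bad-example.test"),
    ("10.0.0.7", "192.0.2.10", "notbad-example.test"),
]


def compile_networks(entries):
    """Accept both single addresses and CIDR blocks as network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def ip_matches(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def domain_matches(name, domains):
    """True for the listed domain itself or any subdomain of it.
    The leading dot in the suffix test stops 'notbad-example.test' from
    matching a 'bad-example.test' entry."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def triage(connections, blocked_nets, blocked_domains, allowed_domains):
    """Label each connection allow / block / unknown. The allowlist is
    consulted first so a known-good destination is not re-examined."""
    verdicts = []
    for src, dst_ip, dst_name in connections:
        if dst_name and domain_matches(dst_name, allowed_domains):
            verdict = "allow"
        elif ip_matches(dst_ip, blocked_nets) or (
            dst_name and domain_matches(dst_name, blocked_domains)
        ):
            verdict = "block"
        else:
            verdict = "unknown"
        verdicts.append((src, dst_ip, dst_name, verdict))
    return verdicts


if __name__ == "__main__":
    nets = compile_networks(BLOCKED_IPS)
    for row in triage(CONNECTIONS, nets, BLOCKED_DOMAINS, ALLOWED_DOMAINS):
        print(row)
```

The "unknown" bucket is where most of the analyst's work lands: an address absent from both lists is not evidence of anything, and feeding those destinations into the frequency or DGA checks described in the next section is the usual follow-up.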

Domain Generation Algorithm Analysis

Domain Generation Algorithms (DGAs) are techniques used by malware to avoid relying on fixed IP addresses or domain names. Instead, they generate domains dynamically through a set of rules. Here is how a DGA works:

  1. Setup: The attacker creates one or more dynamic DNS (DDNS) services using fake credentials or by using a provider that ignores illegal activities. This allows them to change the domain names frequently.

  2. Generation: The malware uses a DGA to create new domain names based on a seed value combined with a time or counter element. This could be the current date or another value to make it harder for security systems to block. The generated domains can look random or may include real words to avoid suspicion.

  3. Record Creation: A parallel DGA is used to create corresponding records on the DDNS service, ensuring some generated domains match those the malware creates.

  4. Connection Attempts: When the malware needs to connect to the command and control (C&C) server, it tries different domain names from its list.
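Two observable side effects of the procedure above give defenders something to look for: the names produced in step 2 tend to have character statistics unlike human-chosen domains, and step 4 means an infected host asks for many names that do not resolve because only some of them were registered in step 3. The code below is an added example written for this page, not taken from any DGA detection product: it scores a name's registrable label on length, entropy, vowel ratio and digit ratio, measures each client's NXDOMAIN ratio in a constructed DNS log, and flags clients that score high on both. The domains, clients and thresholds are constructed, and `registrable_label` assumes a single-label top-level domain (a real deployment would consult the public suffix list so that names under `co.uk` are handled).

```python
import math
from collections import Counter, defaultdict

# Constructed DNS log: (client, queried name, response code).
DNS_LOG = [
    ("10.0.0.5", "www.example.com", "NOERROR"),
    ("10.0.0.5", "mail.example.com", "NOERROR"),
    ("10.0.0.9", "xk3q9vz7tplm2.test", "NXDOMAIN"),
    ("10.0.0.9", "b8rwq1zkd0fn.test", "NXDOMAIN"),
    ("10.0.0.9", "example.com", "NOERROR"),
    ("10.0.0.9", "pz4mvl0wqk7yt.test", "NXDOMAIN"),
]


def shannon_entropy(text):
    """Bits of entropy per character of the string."""
    n = len(text)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def registrable_label(fqdn):
    # Assumption: the label left of the last dot is the registered name.
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_features(domain):
    label = registrable_label(domain)
    n = len(label) or 1
    letters = sum(ch.isalpha() for ch in label)
    vowels = sum(ch in "aeiou" for ch in label)
    digits = sum(ch.isdigit() for ch in label)
    return {
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowels / letters if letters else 0.0,
        "digit_ratio": digits / n,
    }


def dga_score(domain):
    """0 (looks human-chosen) to 4 (looks generated). Thresholds are
    constructed for the example, not tuned on real data."""
    f = dga_features(domain)
    score = 0
    score += f["length"] >= 12
    score += f["entropy"] >= 3.5
    score += f["vowel_ratio"] < 0.25
    score += f["digit_ratio"] > 0.2
    return int(score)


def nxdomain_ratio(dns_log):
    """Fraction of each client's queries that returned NXDOMAIN."""
    totals, failed = Counter(), Counter()
    for client, _name, rcode in dns_log:
        totals[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
    return {client: failed[client] / totals[client] for client in totals}


def flag_clients(dns_log, min_queries=3, min_ratio=0.5, min_score=3):
    """Clients with a high NXDOMAIN ratio whose failed names also look generated."""
    totals = Counter(client for client, _, _ in dns_log)
    failed_scores = defaultdict(list)
    for client, name, rcode in dns_log:
        if rcode == "NXDOMAIN":
            failed_scores[client].append(dga_score(name))
    flagged = []
    for client, ratio in nxdomain_ratio(dns_log).items():
        scores = failed_scores[client]
        avg = sum(scores) / len(scores) if scores else 0
        if totals[client] >= min_queries and ratio >= min_ratio and avg >= min_score:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    for _, name, _ in DNS_LOG:
        print(name, dga_score(name), dga_features(name))
    print(nxdomain_ratio(DNS_LOG))
    print("flagged:", flag_clients(DNS_LOG))
```

The character statistics alone are weak evidence: the word-based generators mentioned in step 2 produce low-entropy, vowel-rich labels that score like ordinary domains, which is why the NXDOMAIN ratio per client is combined with the per-name score rather than used on its own.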
