- [W]ho did it?
- [W]hat happened?
- [W]here (in the virtual realm) did this occur?
- [W]hen did this occur?
- [W]hy did this occur?
The Challenge: Plan of AttackEvery year at DefCon, the world’s largest hacker conference, LMG Security holds their Network Forensics Puzzle Contest (NFPC). The event has evolved from an analysis and tool creation challenge to an all-out network forensics fest, requiring skill and dedication in spades. The best part about the challenge is that even if your team comes in dead last, you will learn a great deal. When engaging in such a challenge, a team should approach the task as they would an actual incident. An incident coordinator (IC) should work with the team to derive tasks that need to be accomplished. The IC should then assign tasks to team members. A scribe can be assigned to document the team’s progress. Keep in mind that successes and failures should both be taken into account. (Let’s be honest: We often learn more from our failures than we do from our successes.) Of course, to perform the tasks required to participate in such a challenge, a team must use the right tools for the job.
Tools of the TradeA veritable cornucopia of tools exists that will help security analysts with analyzing network traffic. Major tools include Wireshark, tcpdump, Network Miner, and others. Meanwhile, general-purpose tools such as bash, Python, perl, and others can be quite useful in these endeavors. The following is a breakdown of various tools and their applicable uses when it comes to network forensics. Please keep in mind that this list is just the “tip of the iceberg,” so to say. This list is by no means meant to be comprehensive. In fact, this list of more of a “some basic things to check out” kind of deal.
tsharktshark is often thought of as the engine behind Wireshark. Technically, the two tools do not share a codebase, but rather take from one another in major ways. In fact, you can think of tshark as the command line interface (CLI) equivalent of Wireshark (I know some diehard and/or OCD network guys and gals are going to lose it over this comment, but it is a fair comparison).
tcpdumptcpdump is a command line-driven packet analyzer. This puppy is one of the most reliable when it comes to packet capture, as the low overhead afforded by a CLI-based interface decreases the chances of dropped packets, which are more common with tools, such as Wireshark, and requires far more processing power to operate. In addition to capturing traffic, tcpdump can be used to analyze packet captures.
BashThe Bourne Again Shell, or bash, is a fantastic tool for… well, everything. In terms of network forensic analysis, bash can facilitate piping one tool’s output to another; counting; sorting; deduping; and other tasks. Our team uses Bash extensively, which is highlighted in my network forensics workshop. I will digress on the multitude of tools one can call from within bash but we use other tools, such as perl, sed, and awk, for text processing, including running things such as regular expressions against data.
NFPC TakeawaysAlthough utilizing tools, such as those mentioned above, is a reward in and of itself, some of the major takeaways from participating in this type of challenge are the identification of strengths and weaknesses along with the evolution of one’s skillset. As an example, challenge participation provides insight into a team’s (or individual’s) strengths and weaknesses. This type of understanding is unique, as teams often are not able to ascertain this information without going through a real incident. However, when it comes to a learning environment, it doesn’t take long to decide between learning from a contest (a form of pseudo incident, if you will) and an active incident. Forget tabletop exercises, get your hands dirty! What was done well? What could have been done differently? Did the IC and the team communicate well? Did the task assignment work well? Were any individuals not able to perform required tasks? Was task progress tracked properly? Did the scribe and IC work well with one another? Was the final documentation or report thorough, and did the report tell the story from start to finish? Was the team aware of the challenge status at all times? Did everyone participate? How can any inadequacies be addressed? Which tactics used were new to the team? Which of those tactics would work well within the teams official methods and procedures list? These are just some of the myriad questions that can be answered through review of notes taken during this type of challenge. Of course, the team also learns how to solve problems that they would otherwise not be able to solve. This type of training can be priceless.
Want to Learn More?