Getting Started with Network Forensics Tools

by Rocky DeStefano

I’ve heard the following question more than a few times recently:  “I’ve invested significantly in my NetWitness/Solera/Other Network Forensics platform and it is installed and being fed information, now what do I do?”

Please allow me to consider the real value of these tools so that I may answer that question more effectively for a broader audience.  In my opinion, the single most important reason to have these tools is to discover the things that aren’t, can’t or won’t be logged or alerted on.  With these tools we can ask questions directly of the data and are no longer limited to pre-defined questions based on an inference drawn from a subset of the data.  The blinders are off.  To us, the tools themselves aren’t the value proposition; the data itself and the innovation in analytical techniques are the real benefit to the organization.  When used properly, network forensic tools can fundamentally change your security organization from the broken alert-driven model into a more effective data-driven analytic model.

With that in mind here are some beneficial starting points to extract the most value from your network forensics investment(s):

Understand Risks and Visibility:  You know your risks better than anyone else.  Figure out what data you can’t live without and start there.  What is the most important problem to solve today?

  • Many start with Perimeter traffic to detect data exfiltration or C&C traffic or other suspicious activity coming in or departing the network via the front door.
  • Maybe monitoring the “Core” of the network to look for lateral movement of adversarial activity is more appropriate for your organization because of specific threats you face?
  • Perhaps you require specific views into Key Business Units / Plants / Financial enclaves / Administrator (but not backup) Segments?

Typically the answer is “yes” to all of the above, at least eventually.  Understanding why you are monitoring those networks goes a long way toward creating an environment that favors defensibility.  I would encourage you to understand very clearly why you are monitoring each segment.

For each deployed capture device, do you know what you are actually monitoring on the network?

  • Does all traffic appear to be sourced from the proxy?  If so, you’re going to dislike life nearly immediately.
  • Are you seeing both sides of the session?
  • Do you audit changes to taps/SPANs or to packet brokers like Gigamon/VSS/Anue?  Note:  This last point hurts way more often than it should.

From a Visibility and Risk Perspective perhaps the most important question to answer is as follows:

 “What data am I missing?”

You should be asking that specific question on a daily basis and finding solutions to solve any inconsistencies or omissions in data available to the analyst.
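One way to ask “what data am I missing?” every day is to run a simple health check over each sensor’s session summaries. The script below is an added example, not code from the original post or from any of the named products; it assumes session records carry forward and reverse packet counts, that the proxy’s address is 10.0.0.5, and the sample flows are constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample session records, one per session as a sensor would summarise it.
# pkts_rev == 0 means the sensor never saw the return direction (asymmetric routing,
# a half-configured SPAN, or a tap that only feeds one fibre).
FLOWS = [
    {"sensor": "dmz-tap",   "src": "10.0.0.5",   "dst": "203.0.113.10", "pkts_fwd": 12, "pkts_rev": 9},
    {"sensor": "dmz-tap",   "src": "10.0.0.5",   "dst": "198.51.100.7", "pkts_fwd": 40, "pkts_rev": 35},
    {"sensor": "dmz-tap",   "src": "10.0.0.5",   "dst": "203.0.113.22", "pkts_fwd": 7,  "pkts_rev": 6},
    {"sensor": "dmz-tap",   "src": "192.0.2.44", "dst": "10.1.2.3",     "pkts_fwd": 3,  "pkts_rev": 2},
    {"sensor": "core-span", "src": "10.1.2.3",   "dst": "10.1.9.9",     "pkts_fwd": 20, "pkts_rev": 0},
    {"sensor": "core-span", "src": "10.1.2.8",   "dst": "10.1.9.9",     "pkts_fwd": 15, "pkts_rev": 0},
    {"sensor": "core-span", "src": "10.1.9.9",   "dst": "10.1.2.10",    "pkts_fwd": 5,  "pkts_rev": 4},
]

PROXIES = {ipaddress.ip_address("10.0.0.5")}  # assumed address of the outbound web proxy

def visibility_report(flows, proxies=PROXIES, one_sided_max=0.25, proxy_max=0.5):
    """Per sensor: share of one-sided sessions and share of sessions sourced from a proxy."""
    totals, one_sided, proxied = defaultdict(int), defaultdict(int), defaultdict(int)
    for f in flows:
        s = f["sensor"]
        totals[s] += 1
        if f["pkts_rev"] == 0:                    # only one side of the conversation captured
            one_sided[s] += 1
        if ipaddress.ip_address(f["src"]) in proxies:  # true client address already lost
            proxied[s] += 1
    report = {}
    for s, n in totals.items():
        one_frac, proxy_frac = one_sided[s] / n, proxied[s] / n
        issues = []
        if one_frac > one_sided_max:
            issues.append("one-sided sessions")
        if proxy_frac > proxy_max:
            issues.append("proxy-sourced traffic")
        report[s] = {"sessions": n, "one_sided": round(one_frac, 2),
                     "proxy_sourced": round(proxy_frac, 2), "issues": issues}
    return report

if __name__ == "__main__":
    for sensor, r in visibility_report(FLOWS).items():
        print(sensor, r)
```

A sensor that reports issues on consecutive days is the cue to audit its tap, SPAN or packet-broker configuration rather than to trust the analyst’s view of that segment.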


System Tuning:  OK, now that you have placed the sensors strategically and tactically throughout your network, it’s time to maximize the effectiveness of your investment by using processing and storage efficiently.  Simple tasks go a long way towards reducing unnecessary data and making what’s left much more useful to your analysts.

  • Screen/filter out backup traffic.  Otherwise these tools become a very high-priced backup tool.  At the same time, you probably don’t want to exclude all administrative networks.

  • System content can be “pruned” as well.  For example, if a piece of content is “triggering” an alert 250K times a day, perhaps it is up for “tuning”.  Fix it, refine it or trash it.  Find a more effective way.


Add contextual information:  This can be as simple as providing the tool a list of subnets and descriptors, so that when an analyst wants to know more about an IP that information is automatically available as “meta” or “context” and doesn’t have to be looked up individually.

This becomes more powerful as you learn to use that data to better direct analysis activities.  All the same ideas that were promised with SIEM can be brought into these tools to enable similar analytic techniques but with more fidelity and focus.
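The subnet-and-descriptor list described above, and the way such meta can direct analysis, as an added example (not code from the original post or from any vendor); the subnet table, zone names and criticality labels are constructed, and the lookup uses longest-prefix match so a specific enclave overrides a site-wide label.

```python
import ipaddress

# Constructed subnet table: the "context" a tool would be fed. More specific prefixes win,
# so the /24 HMI enclave inside the plant /16 gets its own label.
SUBNETS = [
    ("10.0.0.0/8",   {"site": "corp",    "zone": "user-lan",   "crit": "low"}),
    ("10.20.0.0/16", {"site": "plant-2", "zone": "ot",         "crit": "high"}),
    ("10.20.5.0/24", {"site": "plant-2", "zone": "ot-hmi",     "crit": "high"}),
    ("10.50.1.0/24", {"site": "corp",    "zone": "finance",    "crit": "high"}),
    ("10.99.0.0/24", {"site": "corp",    "zone": "admin-jump", "crit": "high"}),
    ("10.98.0.0/24", {"site": "corp",    "zone": "backup",     "crit": "low"}),
]
# Sort longest prefix first so the first hit is the most specific match.
_TABLE = sorted(((ipaddress.ip_network(n), meta) for n, meta in SUBNETS),
                key=lambda t: t[0].prefixlen, reverse=True)

def context_for(ip):
    """Longest-prefix match; unknown addresses get an explicit 'unknown' zone, never nothing."""
    addr = ipaddress.ip_address(ip)
    for net, meta in _TABLE:
        if addr in net:
            return dict(meta, subnet=str(net))
    return {"site": "unknown", "zone": "unknown", "crit": "unknown", "subnet": None}

def enrich(session):
    """Attach src/dst context to a session record so the analyst never looks it up by hand."""
    return dict(session, src_ctx=context_for(session["src"]), dst_ctx=context_for(session["dst"]))

def needs_review(session):
    """Use the meta to direct analysis: anything not already high-criticality talking into a
    high-criticality zone (finance, OT, admin jump hosts) is worth an analyst's look first."""
    s = enrich(session)
    return s["src_ctx"]["crit"] != "high" and s["dst_ctx"]["crit"] == "high"

if __name__ == "__main__":
    sample = {"src": "10.3.4.5", "dst": "10.20.5.17"}
    print(enrich(sample)["dst_ctx"]["zone"], needs_review(sample))
```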

Integration efforts:  Some common use cases naturally drive integration efforts, simply and quite effectively:

  • “Enable the Analyst” by providing workflow from the SIEM to the Network Forensics tool.  “I want to research the data relevant from this SIEM correlation event by right clicking in my SIEM and pulling back the full session for reconstruction and analysis.”

  • “Automate the known bad” by sending Network Forensics data to the SIEM.   “I want to send a highly vetted “alert” to SIEM for operational workflow efficiencies.”

  • “User Context”: I want to associate user information with network traffic.  Active Directory integration is available with most of these tools, at least to some degree; otherwise, look to integration with identity tools.


Training: Some of the basic usage of these tools is intuitive and easy.  Extracting the highest value from these tools is not so easy.  Things like authoring your own signatures, or gathering different types of data and looking at it differently, aren’t easily picked up without training or advanced assistance.  Certainly, you can and should use the vendors’ user communities to help along the way, but don’t rely solely on that.  Enable your team to fish for themselves.

Summary:  Network forensics tools are helpful because they add full context to investigations and to monitoring activities, and if used correctly they are supremely valuable in maturing your security program.  These tools can help you constantly evolve your incident detection program.  Having visibility into your data and being able to interrogate it to answer specific questions is a powerful capability in the hands of seasoned security teams.  Analysts can now carve through data in more effective ways to help keep pace with the increasingly advanced threats we all face.  Instrumented properly, these tools can also help you keep pace with all the environmental changes across your networks.

Advanced, Fast, Flexible - Choose all three or keep fighting the same losing battle as you did over the last decade.