So you think that there has been a cyber attack that took place in your network. How do you find out? Where do you start looking? The fact of the matter is that there is so much information to go through that it is easy to miss indicators of compromise or in other words, signs that your network is under a cyber attack. Fortunately, there are several tools and devices at our disposal that we can use to detect and even prevent future attacks. We can start out by checking the alerts setup on our firewalls and more specifically the Intrusion Detection System (IDS) and Intrusion Prevention System (IPS). Also logs both on the firewall and Servers can help us determine whether our network has been compromised.
Forensic Analysis can provide us insight into various types of attacks, if any, on our networks. The statistics and GeoIP Location Resolution generated by forensic analysis can give us valuable information regarding the root cause of various types of cyber attacks. Furthermore, we can use various network troubleshooting tools and use features such as name resolution to ports to help us troubleshoot various cyber attacks.
We also should look into extracting files and objects from network troubleshooting tools that have this feature. In addition, it is quite hard to extract files that are encrypted. First we have to decrypt those files and then extract them. So why do we want to extract files from network troubleshooting tools? The files that we think are suspicious can be uploaded to sites like VirusTotal to determine whether these files have been compromised or not.
We can also use tools such as WireShark to spot unusual DNS activity. For example, if a company laptop gets accidentally infected with malware due to user opening up an attachment, as a result these malware survey the network to find out the location of victims machines. They can do this by connecting to sites such as Whatismyip.com either via the local DNS server or an external DNS server. By identifying such strange DNS behavior, we can determine whether our network has been infected with malware.
There are several types of attacks related to Domain Name System (DNS). Let’s just look at DNS protocol for a moment. The Domain Name System (DNS) is regarded as the one of the most vital protocols on the Internet. In a nutshell, DNS translates Fully Qualified Domain Name (FQDN) such as www.apple.com into Internet Protocol (IP) addresses and vice-versa. A cyber attack such as DNS tunneling uses DNS to create covert channel for bypassing the firewall and performing command and control functions from inside an infected network or to transfer data back and forth from the network.
By playing a proactive role and having prior knowledge of Indicators of Compromise and Forensic Analysis can greatly minimize a cyber attack. Some of the techniques and features highlighted in this article such as IDS, IPS, GeoIP location, file decrypt analysis and troubleshooting unusual DNS activity can all give us clues into identify and stopping cyber attack hence saving the company potentially millions of dollars in lost revenue.