Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Imagine this. It's three in the morning and a red
light starts flashing on your...
Speaker 2 (00:04):
Network monitor. The worst time.
Speaker 1 (00:06):
Always. Maybe it's a huge weird spike in outbound traffic
or a server log that just, you know, screams, I'm an intruder.
So once they're inside your system, right there,
the mission flips. It's not about prevention anymore. It's about triage.
It's about investigation.
Speaker 2 (00:26):
It's pure detective work.
Speaker 1 (00:27):
So how do you find them? What did they take?
And I think most importantly, how do you make absolutely
sure they can never ever get back in?
Speaker 2 (00:36):
That's the moment where yeah, all the theory goes out
the window and it becomes this high stakes digital investigation.
Speaker 1 (00:42):
And that's what we're digging into today.
Speaker 2 (00:43):
Yep, we're doing a deep dive into that detective process,
network forensics, and then we'll look at, you know, the
digital fortresses we build, the tools and the architectures that
are designed to protect our most critical assets.
Speaker 1 (00:55):
So we're not just, say, pulling the hard drive from
a compromised computer. We're looking at the movement itself.
Speaker 2 (01:00):
Exactly.
Speaker 1 (01:00):
How is network forensics really different from standard computer forensics?
Speaker 2 (01:05):
Well, network forensics is a really specific type of investigation.
It's focused entirely on analyzing network traffic. So we're talking
traffic logs, full packet captures, device records, anything that can
help us trace an attacker's path, figure out their techniques,
and you know, gather real evidence.
Speaker 1 (01:23):
And I think we can both agree the absolute, non-negotiable
starting point for any of this is understanding what's
not a threat.
Speaker 2 (01:29):
Oh one hundred percent. You absolutely cannot spot malicious or
abnormal activity if you don't have a solid, documented baseline
of what's normal for your network.
Speaker 1 (01:40):
Without that, it's all...
Speaker 2 (01:41):
Just noise. It is. If you don't know the normal
flow of data, every little spike, every unfamiliar port connection,
it means nothing. You have to know normal to find
the abnormal.
Speaker 1 (01:51):
Okay, so let's say we found that anomaly. Let's talk
about the evidence. People often say that even a really
skilled intruder who's great at covering their tracks on a machine,
they have a much harder time hiding in the network
traffic logs. Why is the network so much less forgiving?
Speaker 2 (02:06):
It's really a matter of volume and redundancy. See, when
an attacker is on a single machine, they can use
tools to erase local log files. But the second they
start moving around laterally or pulling data out, they
have to cross multiple points of infrastructure. We're talking firewalls, routers,
(02:26):
proxy servers, intrusion detection systems.
Speaker 1 (02:29):
And all of those are logging everything.
Speaker 2 (02:31):
Every single one, and they're generating their own, often non-editable,
time-stamped logs. The attacker would have to sanitize every
log on every single device they touched, and doing that
quietly is almost impossible.
Speaker 1 (02:44):
So the network leaves this trail of breadcrumbs across, like,
everyone's yard.
Speaker 2 (02:49):
That's a great way to put it.
Speaker 1 (02:50):
So those routers and firewalls, they're like mandatory recording devices.
So when we're gathering evidence, it's not really an either/or
between network forensics and looking at the compromised PC.
Speaker 2 (03:00):
No, not at all. They're completely complementary. They're constantly feeding
each other information.
Speaker 1 (03:04):
Well.
Speaker 2 (03:05):
For example, a great piece of network analysis might show
you a connection was established to a specific internal IP address.
That immediately tells the investigator, Okay, that's the machine I
need to focus on. Go pull a forensic image from
that exact computer.
Speaker 1 (03:22):
So does it I mean, does it work the other
way around too?
Speaker 2 (03:25):
Oh, absolutely. It happens all the...
Speaker 1 (03:27):
Time, right, from the machine back to the network log.
Speaker 2 (03:29):
Exactly. You might pull a memory image, maybe a hard
drive image, from an infected computer, and by reverse engineering
the malware you find on it, you discover the specific
command and control IP addresses it was talking...
Speaker 1 (03:42):
To, and that sends you right back to your network log.
Speaker 2 (03:44):
It tells you precisely which packets you need to go find, decrypt,
and analyze.
Speaker 1 (03:48):
Which brings up the challenge of just getting the data
in the first place. When an incident happens, what's the
first thing an investigator does to preserve that digital crime scene?
Speaker 2 (03:59):
The guiding principle is pretty simple, actually. In those first stages,
you don't know what's valuable yet, right? So you have
to acquire everything relevant. That means making what we call
bitstream copies.
Speaker 1 (04:10):
What does that mean, exactly?
Speaker 2 (04:11):
It's a sector-by-sector, perfect duplicate of the storage, not
just the files, the empty space, the deleted space, everything.
It's a perfect forensic copy.
Speaker 1 (04:22):
You're grabbing the entire digital haystack before you even start
looking for the needle.
Speaker 2 (04:25):
That's it. You store that copy securely and then you
begin the analysis. We sometimes call it carving through it.
You're applying logic. You're filtering through billions of data points
to piece together what happened.
Speaker 1 (04:36):
Okay, let's talk about the difficulty of tracing someone with
just an IP address. It sounds simple, but I know
in reality it's a huge task.
Speaker 2 (04:45):
It's extremely tedious, and it almost always requires legal help.
Speaker 1 (04:49):
Why is that?
Speaker 2 (04:50):
Okay, let's say you have the attacker's IP address. That
address is dynamic, right? It changes. To link it back to
a real device, you have to subpoena the entity that
assigned it. That's usually an Internet service provider, or more...
Speaker 1 (05:02):
Like a coffee shop if it was a public hotspot.
Speaker 2 (05:04):
A coffee shop, a library exactly.
Speaker 1 (05:07):
And what are you asking them for?
Speaker 2 (05:08):
You are asking for their DHCP logs. That's the Dynamic
Host Configuration Protocol. Those logs are the key. They link
that specific IP address at that precise date and time
to a unique identifier called a MAC address.
Speaker 1 (05:22):
Which is the physical address of the network card in
the device.
Speaker 2 (05:26):
Right, and only once you have the MAC address can
you maybe trace the vendor, and if you're really lucky
and everyone kept good logs, trace it all the way
back to a system owner. It's a long, long process.
Speaker 1 (05:37):
Wow, that really puts it in perspective. So what are
the foundational tools investigators are using when they're actually carving
through all that traffic data?
Speaker 2 (05:45):
The main tool for capturing and analyzing traffic is hands
down Wireshark, or its command line version, tshark.
Speaker 1 (05:52):
That's the modern standard.
Speaker 2 (05:53):
It is, though historically a lot of investigators started with
the classic tcpdump. It's still used all the time
for quick captures. These tools let you see everything right
down to the individual packet.
Speaker 1 (06:05):
Okay, let's shift gears from the detective work to the
architecture, to building the fortress. We can use the OSI
model to kind of frame where security focus should be.
Speaker 2 (06:16):
The OSI model is a perfect framework for this. If
you look at attacks today, you know, layers three, four
and five, that's network, transport, session. They're actually pretty robustly
secured by modern protocols.
Speaker 1 (06:28):
So where are the weak spots?
Speaker 2 (06:30):
The weaknesses are almost always at the edges. So
the lowest layers, layer one and two, physical and data
link, and then critically the highest layers, layer six and
seven, presentation and application.
Speaker 1 (06:41):
And why are those top application layers so much harder
to secure?
Speaker 2 (06:45):
It's just that the traffic is so complex. Securing layer seven
means you need tools like deep packet inspection firewalls. They
have to understand the language of the application itself, HTTP, FTP,
whatever it is, not just the IP addresses and...
Speaker 1 (06:57):
Ports, and getting those rules right is...
Speaker 2 (06:59):
Tough. Incredibly difficult. You have to block malicious commands without
</gra_replace>
<gr_replace lines="215-216" cat="clarify" orig="Let's walk through">
Let's walk through the evolution of the firewall, then, starting
with the basic idea.
disrupting legitimate business traffic. It's a constant balancing act.
Speaker 1 (07:06):
Let's walk through the evolution of the firewall then, starting
with the basic idea.
Speaker 2 (07:10):
At its core, a firewall is just an access control system.
It allows or denies packets based on a set of
rules about the source IP, destination IP, the protocol, the port.
Pretty simple stuff.
Speaker 1 (07:21):
But the first generation, the packet filtering firewall, it had
a huge flaw, a...
Speaker 2 (07:27):
Major Achilles heel, yeah. Its critical weakness was its lack
of session state.
Speaker 1 (07:32):
It couldn't track a conversation. Exactly.
Speaker 2 (07:34):
It just looked at each packet in isolation. So an
attacker could exploit this by sending a TCP SYN-ACK packet,
basically acknowledging a connection that was never requested, and the
firewall might just blindly let it through because the IP
and port matched a...
Speaker 1 (07:51):
Rule. And that's what led to the stateful firewall.
Speaker 2 (07:53):
Which completely revolutionized things. The stateful firewall solved that session
state problem. It keeps a dynamic table, a record of
every single initiated TCP...
Speaker 1 (08:03):
Session, so it has context.
Speaker 2 (08:05):
It has context. If an incoming SYN-ACK packet shows up,
the stateful firewall checks its table. If there's no record
of an outbound SYN from inside, it knows the connection
is fake and just drops it on the floor.
Speaker 1 (08:16):
Then we push the technology even higher up to the
application layer.
Speaker 2 (08:20):
Right, with deep packet inspection. That's when the firewall starts,
you know, reading the mail.
Speaker 1 (08:24):
So to speak, not just looking at the envelope.
Speaker 2 (08:26):
Perfect analogy. It looks inside the packet's payload. This lets
you do incredibly specific things. For instance, you could set
up a rule to allow an FTP get command for
downloading files, but completely block the FTP put command so no
one can upload malicious code to your server.
Speaker 1 (08:44):
Now, in terms of network design, especially for things facing
the Internet, we have to talk about the DMZ.
Speaker 2 (08:50):
The DMZ, the demilitarized zone, is fundamental. It's a segregated
network segment. It usually sits between two firewalls, one facing
the untrusted Internet and one facing your trusted internal network, and...
Speaker 1 (09:02):
That's where you put all your public services.
Speaker 2 (09:04):
Everything. Your web servers, your email servers, anything that the
public needs...
Speaker 1 (09:07):
To touch. And sitting inside that DMZ is what we
call a bastion host.
Speaker 2 (09:11):
Correct. A bastion host is just any machine that lives
in that untrusted DMZ segment, and because it's the most
exposed target, you have to harden it like crazy. It's
a dedicated system built to take continuous fire from the
outside world.
Speaker 1 (09:24):
Let's clarify the difference between two really critical tools, IDS
and IPS, detection versus prevention. An IDS?
Speaker 2 (09:32):
An intrusion detection system is passive. Think of it like
a really sophisticated burglar alarm. Snort is a great open
source example.
Speaker 1 (09:40):
So it sees something bad and yells. Exactly.
Speaker 2 (09:43):
It analyzes traffic, matches it against known bad signatures, and
if it spots something, it generates an alert for an administrator.
It tells you something bad happened, but it doesn't stop it.
Speaker 1 (09:54):
And the IPS is the one that steps in.
Speaker 2 (09:57):
The intrusion prevention system is active. It doesn't just alert.
It actively intervenes. It can modify packets, it can drop connections,
it can even shut down a vulnerable port or an
entire network segment.
Speaker 1 (10:08):
And this is where we need to be really, really...
Speaker 2 (10:10):
Careful. Massively careful, because with an IDS, if you get
a false positive, say fake traffic that just looks malicious,
the worst thing that happens is you get a pointless alert.
Speaker 1 (10:20):
Annoying but not catastrophic. Right.
Speaker 2 (10:22):
But if an IPS gets that same flood of fake
traffic and it's configured too aggressively, it might start shutting
down your own network. You can cause a devastating self
inflicted denial of service attack.
Speaker 1 (10:33):
Wow, so you have to tune an IPS with surgical precision.
You do.
Speaker 2 (10:36):
You have to remember its power to prevent is also
a power to destroy your own operations.
Speaker 1 (10:42):
That is a great cautionary tale. Okay, let's move on
to securing trust and privacy. We have to break down Kerberos.
It's named after the three-headed dog from mythology because
it enforces a three-way trust.
Speaker 2 (10:55):
It's a brilliant system. Kerberos is designed to stop a
man-in-the-middle attack by making sure that both
the user and the resource they want to access have
been independently validated by a central server.
Speaker 1 (11:07):
Okay, let's use an example. Say I'm a client and
I want to print to a network printer.
Speaker 2 (11:12):
All right, so you, the client, want to print. The
printer immediately says, prove you are who you say you are,
give me your Kerberos ticket.
Speaker 1 (11:19):
Okay, So I give it my ticket.
Speaker 2 (11:20):
But here's the key part. The printer doesn't trust you,
and it doesn't trust your ticket directly. It takes that
ticket you gave it and goes back to the Kerberos server,
the central authority, and asks for validation. The server says, yep,
he's legit.
Speaker 1 (11:32):
Okay, So that's two heads of the dog. Where's the third?
Speaker 2 (11:36):
The third is the reciprocal trust. You, the client, haven't
validated the printer yet, so you then ask the printer
for its ticket, and you take that ticket back to
the Kerberos server and ask the server to validate the
printer's identity.
Speaker 1 (11:48):
So only when we have both validated each other through
that central server can we talk?
Speaker 2 (11:53):
That's it. It's a double-checked, three-way trust. Incredibly robust.
It really is.
Speaker 1 (11:58):
Okay, moving to privacy, let's bust the biggest myth about VPNs.
Everyone seems to think they create some kind of magic
highway that bypasses the public Internet.
Speaker 2 (12:09):
That is just, it's completely wrong. A VPN, a virtual
private network, does not create a magic tunnel that avoids
the underlying infrastructure. When you use a VPN, your traffic
travels along the exact same physical path through the same
routers as any other traffic.
Speaker 1 (12:24):
So what's the difference?
Speaker 2 (12:25):
The difference is that the traffic is fully encrypted. It's
scrambled on your end and unscrambled at the destination, using
protocols like IPsec. The path is the same; the content
is just unreadable to anyone in between.
Speaker 1 (12:37):
And for building secure channels, especially for admins, we often
use SSH tunneling.
Speaker 2 (12:42):
Secure Shell, yeah, usually on port twenty-two. It's essential
for creating secure, encrypted command shells. We use it for
file transfers, remote admin, and creating secure tunnels, like...
Speaker 1 (12:53):
Wrapping a less secure protocol in a secure one.
Speaker 2 (12:55):
Exactly. If you have to run something sensitive like remote desktop,
you can establish an SSH tunnel first and then run
the RDP session inside that encrypted tunnel.
Speaker 1 (13:05):
Finally, let's clarify the SSL/TLS handshake. This is what secures
basically all modern web traffic, but there's always confusion about
who generates the secret key.
Speaker 2 (13:15):
It's this beautiful hybrid process. The communication starts with the
slow but very secure asymmetric public key infrastructure, or PKI,
then it quickly switches to fast symmetric shared key encryption.
Speaker 1 (13:27):
Could you walk us through that exchange?
Speaker 2 (13:28):
Sure. Your browser requests a secure connection. The web server
responds with its public key. Okay, now here's the critical step.
Your browser then generates the unique, high-speed secret session
key right then and there on your machine.
Speaker 1 (13:42):
Ah, so the browser makes a key.
Speaker 2 (13:43):
The browser makes it. It then encrypts that new secret
key using the server's public key, and sends that little
encrypted package across the network.
Speaker 1 (13:52):
And only the web server, which has the matching private key,
can open that package.
Speaker 2 (13:56):
Correct. The server uses its private key to decrypt and
extract the secret session key. And now, because the browser
created it and the server successfully decrypted it, both parties
have the same secret, and...
Speaker 1 (14:09):
They use that shared key for the rest of the conversation.
Speaker 2 (14:12):
For the whole session. It makes the communication both secure
at the start and very efficient for the duration.
Speaker 1 (14:17):
That really locks down how digital trust gets established. Okay,
before we wrap, let's touch on the tools that help
us monitor the health of our fortress day to day.
Speaker 2 (14:25):
A big one is file integrity check tools, or FIC,
something like Tripwire. Their whole job is to constantly monitor
critical system files by tracking their cryptographic hashes, their digital fingerprints.
Speaker 1 (14:38):
So if a file changes, if an...
Speaker 2 (14:40):
Intruder modifies a key system file, the hash changes instantly,
and the FIC tool shoots off an alert to the administrator.
It's an early warning system.
Speaker 1 (14:49):
And when you have hundreds of devices all spitting out
thousands of logs every second, you need a way to
manage that flood of data.
Speaker 2 (14:57):
That's where SIEM comes in, security information and event
management tools like Splunk or LogRhythm. They ingest just massive
amounts of security data from everything...
Speaker 1 (15:07):
On the network, and they find the patterns.
Speaker 2 (15:09):
They aggregate it, normalize it, and analyze it, looking for
correlations that a human could never ever spot manually. A
SIEM is how you get that comprehensive oversight.
Speaker 1 (15:21):
So we've really covered the whole life cycle today, from
the painstaking detective work of forensics to the layered defense
of firewalls and DMZs, and then the complex protocols like
Kerberos and SSL that build and maintain digital trust.
Speaker 2 (15:34):
That ability to switch from slow PKI to fast symmetric
encryption in the SSL handshake, that really underpins the trust
of almost every secure thing you do online. But it's
just as important to remember that all the analysis in
the world is useless if you haven't been logging the
data properly in the first place.
Speaker 1 (15:50):
Detection and prevention have to work hand in hand. Ah,
that's a perfect way to put it. Now, something for
you to think about: if you are designing security for
a high-speed trading network, a place where downtime
is absolutely not an option, what is the most significant
operational risk you'd face by choosing an active intrusion prevention
system, an IPS, over a passive intrusion detection system, especially
(16:11):
if you're worried about malicious network flooding.