If you were unfamiliar with the term “data breach” six months ago, chances are you’re all too familiar with it by now. Unfortunately for businesses, banks and consumers alike, some of the biggest brand names in the world — Target, Michaels and Neiman Marcus, to name just a few — have been featured in the news in recent months as victims of major information theft. And equally, if not more disturbing, we now have the “Heartbleed” vulnerability in OpenSSL, the backbone of e-commerce security, to deal with.
For Target, the victim of the largest and most public data breach, the situation has been nothing short of a total nightmare. The third-largest retailer in the U.S. had 40 million credit and debit card records stolen from its system, along with 70 million other records, including personal information like addresses and telephone numbers. Target was forced to send senior executives to a Senate hearing on the matter, and could face up to $1.1 billion in fines, to say nothing of the enormous hit the company’s brand has taken. In the time since the attack, shares of Target hit a 52-week low, and the company was forced to reduce its 2013 Q4 earnings forecast.
The 1.1 million cards stolen from Neiman Marcus’s network seem like small potatoes compared to Target’s predicament. Still, the company has been forced to make public apologies and offer free credit monitoring to customers who shopped at the store between January 2013 and January 2014.
At least in the cases of Target and Neiman Marcus we know that a breach happened, and what the consequences were. What if there were a vulnerability that allowed hackers to gain access to users’ most sensitive information — passwords, stored files, bank details, even Social Security numbers — and to do so entirely unnoticed? The extent of such a bug would never be known, because there is no way to detect if the vulnerability was ever exploited. This is no longer just a nightmare. The Heartbleed vulnerability in OpenSSL, used by just about every website on the planet to secure information and transactions, was recently disclosed by Finnish security researchers working for Codenomicon, and security researchers at Google. Websites large and small are now scrambling to update their software to ensure this vulnerability is eliminated. The impact on the general public is still being assessed.
The common theme throughout these and most other data breaches is that, despite the very best efforts of companies, computer networks will continue to be vulnerable to hackers — and the potential financial gains for the hackers are enormous.
Businesses may not be able to thwart every attack, but they must be able to dissect intrusions quickly, and have the ability to analyze and protect against similar invasions in the future. So, in the case of Target, how were they able to use the data gathered about the breach to determine the scope of the problem and identify the fingerprint of the attack?
As with any crime, investigators comb the crime scene and look for clues — forensics. And in this case, since the clues are primarily computer-related, they use network forensics. And as with any criminal investigation, the better and more prevalent the clues, the quicker the crime is solved.
Network forensics is the capture, storage and analysis of network events. Network events include any and all activity on the network, from initial access to data transfers to application usage. These events can be captured and stored in various ways, but the three most common sources of historical network data are logs, flow-based reporting, and packet capture and recording. Each data source offers a different level of detail, with log data being the lightest on detail and packet data being the most complete. The ability to store this data for long periods of time is, of course, inversely proportional to the level of detail of the data.
We don’t know what type of data Target had available for its forensic analysis, but they are sure to have had at least some log information, since just about every asset on the network generates logs, and most enterprises have solutions in place to store and subsequently mine log data over relatively long periods of time. However, log data only provides reports of relatively high-level events, and cannot tell you how something happened, only that it did. And in the case of a bug like Heartbleed, there may not even be any log information from security systems, since the vulnerability can be exploited without triggering any alarms at all.
With a true network forensics solution, Target — or any victim of a security breach or vulnerability — can monitor packet-level data. Packet-level forensics provides a complete recording of all network activity, down to each and every bit that gets transmitted and communicated on a network. This includes payload information, as well, so you can see exactly what is leaving your network and where it is going.
With packet-based analysis, you can set up monitors and alerts to always be looking for suspicious behavior. In the case of the Target breach, having a packet-capture network forensics solution could have alerted the company earlier in the timeline that its networks had been compromised. And even when specific suspicious behavior is not identified, as in the case of Heartbleed, once the vulnerability is recognized, a network forensics solution can provide a recording of many days or even weeks of network activity, making it much easier to determine the fingerprint of the attack, the depth of the penetration and the data that was compromised.
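How a stored packet recording can be searched for the Heartbleed fingerprint once the bug is known, as an added example that is not part of the original article: it walks the TLS records of a reassembled TCP stream and flags cleartext heartbeat requests that declare more payload than the record carries. The function names and sample byte strings are constructed for illustration; heartbeats sent after the handshake are encrypted, so for those only the per-direction size comparison in `heartbeat_bytes` applies.

```python
import struct

HEARTBEAT = 24      # TLS record content type for heartbeat messages (RFC 6520)
HB_REQUEST = 1      # heartbeat message type: request
MIN_PADDING = 16    # minimum padding a well-formed heartbeat message carries

def tls_records(stream):
    """Yield (offset, content_type, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, off)
        if off + 5 + length > len(stream):
            break                       # recording ends mid-record
        yield off, ctype, stream[off + 5:off + 5 + length]
        off += 5 + length

def malformed_heartbeat_requests(client_stream):
    """Cleartext requests that claim more payload than the record carries."""
    hits = []
    for off, ctype, body in tls_records(client_stream):
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack_from("!BH", body)
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
            hits.append((off, claimed, len(body)))
    return hits

def heartbeat_bytes(stream):
    """Total heartbeat record bytes in one direction (usable when encrypted)."""
    return sum(len(b) for _, c, b in tls_records(stream) if c == HEARTBEAT)

def record(ctype, body):
    """Build one TLS 1.1 record; used only for the constructed samples."""
    return struct.pack("!BHH", ctype, 0x0302, len(body)) + body

# Constructed sample streams, not taken from a real capture.
HELLO = record(22, b"\x01" + bytes(40))                        # handshake filler
GOOD = HELLO + record(HEARTBEAT, b"\x01\x00\x04ping" + bytes(16))
BAD = HELLO + record(HEARTBEAT, b"\x01\x10\x00")               # claims 4096, sends 0
BAD_REPLY = record(HEARTBEAT, b"\x02\x10\x00" + bytes(4096 + 16))

if __name__ == "__main__":
    for name, stream in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, malformed_heartbeat_requests(stream))
    print("reply/request heartbeat bytes:",
          heartbeat_bytes(BAD_REPLY), "/", heartbeat_bytes(BAD))
```

A server-to-client heartbeat volume far larger than the client-to-server volume on the same connection is the signal to look for when the records are encrypted and the length field cannot be read.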