Monday, September 10, 2007

Comment on NetWitness Article

About a year ago I wrote Network Forensics with NetWitness. Today NetWitness is an independent company (again, congratulations) and is launching a new product suite. I was already a fan of their product last year but I will be taking another look at it in the coming weeks. If you want to know why please see last year's post.

I'm writing this post in reaction to Startup Led by Ex-DHS Cyberchief Rolls Out Forensics Tool. Specifically, I take issue with this excerpt:

[A] security and risk management analyst... says NetWitness's technology is basically immune from anti-forensic tools that attackers increasingly are using to deter investigations of breaches, for instance. "NetWitness allows organizations to investigate user activities at a level that neither attackers nor most users will be able to tamper with."

When I read that comment I immediately remembered The Eavesdropper's Dilemma, first mentioned in Latest Plane Reading from May 2007.

Network forensics can be attacked just as host forensics can. (If someone can point me to the original citations for these terms, I would be grateful. I remember the terms but I can't remember who originally demonstrated the differences.)

  • Anti-forensics means attacking the evidence. Encrypting network traffic is a simple network-based anti-forensic technique. Matt Blaze's paper is entirely about anti-forensics. Chapter 18 of my first book describes ways to attack NSM as well.

  • Counter-forensics means attacking the tools. All of the Wireshark security advisories describing remotely exploitable or denial of service conditions are examples of counter-forensics (e.g., Ethereal 10.x AFP Protocol Dissector Remote Format String Exploit).

I am sure NetWitness suffers both types of problems just by the nature of its operation, like any other network forensics application.

Perhaps the comment was inspired by thoughts like Hardware-Assisted Virtual Machine Rootkit or TaoSecurity Enterprise Trust Pyramid, where I defend the notion that the network doesn't lie the way a compromised host does. However, as I mentioned in Marcus Ranum Highlights from USENIX:

At a certain point the complexity [of the firewall/filter] makes you just as likely to be insecure as the original application.

This is true for protocol-aware analysis tools as well as firewalls/filters.

Update: If you check the Dark Reading article again you'll see the word "resistant" replacing "immune". Please check the comments to see a post by the person whom Dark Reading "quoted" to learn what can happen when you speak to reporters!

8 comments:

Ralph Logan said...

http://www.snort.org/docs/idspaper/

http://www.isecpartners.com/files/iSEC-Breaking_Forensics_Software-Paper.v1_1.BH2007.pdf

Two looks at the problem you suggest.

Both include Tim Newsham, coincidence?

Mike Montecillo said...

To respond to the quote noted here I will first say that this excerpt does not accurately express my or my company's beliefs on the matter. Furthermore, I am happy to report that Dark Reading, being ever concerned with the accuracy of their article, has changed the quote to more accurately reflect EMA's and my beliefs. The direct quote as it stands is "NetWitness allows organizations to investigate user activities at a level that many will not be able to tamper with." Thus, at this point reacting or taking issue with the excerpt from the article is no longer relevant.

However, to address the post I will note I was addressing the validity of having a network-level forensic solution in terms of "system-level" anti-forensics. I was speaking about system level anti-forensics tools such as slacker, time stomp, and wipe utilities such as DBAN or eraser. I certainly agree that network forensics can be attacked and/or circumvented. Actually, one possibility that you did not mention in your post was dynamic port forwarding or proxying traffic through another system and forwarding malicious or inappropriate traffic through that system. From a network perspective the traffic could be associated with the wrong system.

Here is a more complete response to the relevant question from DarkReading. I hope it helps clarify my perception. Please note that I point out that NetWitness is helpful in capturing data a user cannot "easily" alter.

"The technology that drives NetWitness' flagship product is applicable in multiple arenas. As a forensic solution it is an extremely helpful tool in terms of capturing data that a user cannot easily alter. Attackers have new anti-forensic tools at their disposal that make system level forensics more and more difficult. Further complicating these matters are disk erasing utilities that can totally destroy any useful evidence in an investigation."

"From a security management standpoint NetWitness is bridging the gaps of current layered security architectures. More and more organizations are becoming aware of their need for higher levels of network visibility in detecting and responding to threats. Between anomaly detection, IDS/IPS, and firewalls, organizations can only determine so much about what has occurred in an incident. NetWitness solutions are helping to bridge those gaps with more in-depth data captures that can be researched quickly to determine the details of an event."

If there are any questions or issues with my clarified beliefs feel free to post them here and I will happily address them. Thank you.
