For many years I've advocated Network Security Monitoring (NSM) as a powerful way to improve digital situational awareness in an independent, self-reliant, and cost-effective manner. NSM relies on watching network traffic to identify suspicious and malicious activity, which prompts incident response and remediation activities. An underlying assumption is that the asset of interest is using a network you own and have adequately instrumented.
What do you do if you do not own the network?
Consider the following situation. First, a company laptop is connected via wired Ethernet to the company LAN. Here, traffic from the laptop out to the Internet can be assumed to traverse a link monitored by a NSM sensor. No problem.
Second, the user moves the laptop outdoors, and the link switches to using a company WLAN. Here, the traffic from the laptop out to the Internet eventually reaches the same wired link used in the first scenario, and hence is monitored by the same NSM sensor. Again, no problem.
In the third case, the user moves outside the reach of the company WLAN. Her laptop transitions to using an EVDO card or other metropolitan wireless network not operated by the company. Suddenly the network traffic generated by the laptop is invisible to the NSM sensor.
In a fourth case, the user goes home and uses her home network connection to access the Internet. This is the same problem as case number 3. If you think using a VPN client that prevents split tunnels will solve this problem, what do you do when the laptop is connected to the home LAN but not yet connected to the company via VPN?
Clearly a large and definitely growing amount of network time is outside the reach of network-based sensors. I would personally still find network traffic generated by a compromised host to be extremely useful, regardless of how that host connects to any network. One option I pitched to NetWitness yesterday was to deploy a software agent to a suspected compromised system for purposes of collecting and storing network traffic to the victim hard drive.
In this model, once an asset has been identified as requiring additional monitoring, an agent is either pushed or activated that begins collection and retention. Periodically the agent reports summaries (probably session data) to a central server, and an analyst can decide what traffic should be fully retrieved for analysis. This approach has the benefit (some would say drawback, but whatever) of intercepting encrypted traffic as well. Remember, this is for an intrusion investigation. I am not a fraud/waste/abuse (FWA) investigator or privacy violator!
Of course you cannot really trust anything an endpoint does or reports once it has been compromised, but I am looking for an improvement over the current situation. The current situation is complete blindness in cases where instrumentation is lacking.
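As an added illustration of the agent model sketched in the two preceding paragraphs (this is example code written for this page, not code from the post, from NetWitness, or from any product), the following Python shows the analyst-facing half of the design: parsing a packet store retained on the endpoint, reducing it to per-flow session summaries of the kind the agent would report, pulling full content for one flow on request, and checking that what was pulled matches what was summarized. The pcap is constructed inline from documentation addresses; the hash-in-summary field and every function name are assumptions made for this example. The hash check only proves that the agent's two reports agree with each other, which speaks to the caveat above: it detects a lost or altered capture, not an agent on a compromised host that was lying from the start.

```python
import hashlib
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def tcp_frame(src, dst, sport, dport, payload, flags=0x18):
    """Build an Ethernet/IPv4/TCP frame. Checksums are left zero; fine for offline parsing."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 6 + b"\x00" * 5 + b"\x01" + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + tcp


def pcap_bytes(records):
    """Serialize (timestamp, frame) pairs as a classic little-endian libpcap file."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec, usec = int(ts), int((ts - int(ts)) * 1_000_000)
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def parse_pcap(data):
    """Read the local packet store the agent retained on the victim's disk."""
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("only little-endian classic pcap is handled here")
    pos, records = 24, []
    while pos + 16 <= len(data):
        sec, usec, incl_len, _ = struct.unpack("<IIII", data[pos:pos + 16])
        pos += 16
        records.append((sec + usec / 1_000_000, data[pos:pos + incl_len]))
        pos += incl_len
    return records


def flow_key(frame):
    """Direction-independent TCP flow key, or None for anything that is not IPv4/TCP."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_TCP:
        return None
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def summarize_sessions(records):
    """Session data the agent would report: per-flow counts plus a hash of the stored frames."""
    sessions = {}
    for ts, frame in records:
        key = flow_key(frame)
        if key is None:
            continue
        s = sessions.setdefault(key, {"packets": 0, "bytes": 0, "first": ts,
                                      "last": ts, "sha256": hashlib.sha256()})
        s["packets"] += 1
        s["bytes"] += len(frame)
        s["first"] = min(s["first"], ts)
        s["last"] = max(s["last"], ts)
        s["sha256"].update(frame)  # assumption: summary carries a hash of the retained packets
    return {k: dict(v, sha256=v["sha256"].hexdigest()) for k, v in sessions.items()}


def retrieve_session(records, key):
    """Full-content pull for one flow the analyst picked from the summaries."""
    return pcap_bytes([(ts, f) for ts, f in records if flow_key(f) == key])


def verify_retrieval(summary, key, pcap):
    """Analyst-side consistency check: does the pulled pcap match the earlier summary?"""
    h = hashlib.sha256()
    for _, frame in parse_pcap(pcap):
        h.update(frame)
    return h.hexdigest() == summary[key]["sha256"]


# Constructed sample: a laptop on 10.0.0.5 talking TLS to 203.0.113.10 and HTTP to 198.51.100.7.
LAPTOP = "10.0.0.5"
SAMPLE_RECORDS = [
    (1000.0, tcp_frame(LAPTOP, "203.0.113.10", 51000, 443, b"\x16\x03\x01" + b"\x00" * 40)),
    (1000.2, tcp_frame("203.0.113.10", LAPTOP, 443, 51000, b"\x16\x03\x03" + b"\x00" * 60)),
    (1001.5, tcp_frame(LAPTOP, "203.0.113.10", 51000, 443, b"\x17\x03\x03" + b"\x00" * 20)),
    (1002.0, tcp_frame(LAPTOP, "198.51.100.7", 51001, 80, b"GET / HTTP/1.1\r\n\r\n")),
]
SAMPLE_PCAP = pcap_bytes(SAMPLE_RECORDS)

if __name__ == "__main__":
    recs = parse_pcap(SAMPLE_PCAP)
    summary = summarize_sessions(recs)
    for key, s in summary.items():
        print(key, s["packets"], "pkts", s["bytes"], "bytes", f"{s['last'] - s['first']:.1f}s")
    tls = (("10.0.0.5", 51000), ("203.0.113.10", 443))
    pulled = retrieve_session(recs, tls)
    print("pulled", len(parse_pcap(pulled)), "frames; matches summary:", verify_retrieval(summary, tls, pulled))
```

Note that the summary is what crosses the network periodically and is small; the full pcap stays on the endpoint until an analyst asks for one flow. Because the agent captures on the host rather than on a wire, the TLS flow above is the one that would also be readable in plaintext if the agent hooked the socket layer instead of the NIC.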
I believe at some point we will see malware that detects the various network access technologies available to a victim, and makes a choice as directed by the intruder. In other words, if the corporate LAN is too difficult for extrusion purposes, switch to a lesser controlled network -- like an EVDO connection.
If anyone knows of a product which offers the capability to remotely capture network traffic via pushing an agent, please let me know via comment. Incidentally, I am aware of Rpcap and similar technologies. Thank you.