BelchSpeak


Metal Storm for Your Network

I’ve been working for a while on a new gig, and I still get to use NetWitness on client networks, so that’s awesome, but I generated a new philosophical discussion over my refusal to encrypt email updates to the client.

My teammates on the project suggested to me that, “Best practices dictate that any communications to the customer take place over secured channels.”

“Why?” I countered. “My communications to my home server are encrypted. My home server sends out email via TLS. If the customer somehow downloads the email unencrypted, then I’ll just list that as a finding for the final report.”

“But what if the adversary is somehow reading the email?” they asked. For years, incident response teams working in unfamiliar territory on a network have had to presume that the adversaries on the network might be listening and intercepting communications.

I replied, “I don’t think the adversary is interested in what we have to say, and besides, I don’t care if he knows we are on the network and are shutting him out.”

The teammates seemed shocked. “Look,” I continued, “I’m tired of keeping the red carpet out for these A-holes. They aren’t welcome on this network. You think they might be peeking at application data? I have the biggest packet sniffer ever on this network. I have the advantage from now on. He might see one thing we do, but we see everything he does. Let him know we are here; we have the bigger guns. I hope he’s scared and will delete everything and never come back. The game has changed. We are in charge now.”

And I saw some shrugs and nods and could tell they were considering my words. Back in the day, when an incident responder had to crawl from system to system with a limited set of disk-based forensics tools, that forensics examiner was always playing defense, attempting to reconstruct network movement based on snippets of data files or incomplete logs. Now, with a network-wide sniffer like NetWitness, a forensics investigator can quickly locate adversaries and work to alter control systems to block the intruders. It’s only defense for the first moments, and then the power shifts away from the adversary and back to where it belongs: the owner of the network.

One person mentioned it was like creating an “area denial weapon” for a network, and then he showed me the Metal Storm video. That’s the kind of power you feel you have when you are matching NetWitness against intruders on a network.

No more welcome mats.

Dr. Jones

Do not talk about fight club. Oops.
