Attacker End Point Anti-Forensics Can't Hide from the Network


By Thomas Bienkowski, Director Product Marketing

Upon logging into your SIEM dashboard, you scan through the high-priority alerts and notice one generated by your EDR highlighting the presence of known malware on an internal host. On the host, you investigate file systems, the registry, logins, running processes, etc., but find no further signs of compromise. Why? Because the attacker has successfully executed anti-forensics techniques to hide their presence on the endpoint.

But you persist. From within your SIEM, you pivot to your source of network-derived metadata and packets for further investigation.

Using only the metadata, you quickly filter on network traffic from the compromised internal host. You notice this host is communicating with one of your SQL database servers hosted in a public cloud environment. Hmm... that's odd.

Still using only metadata, you quickly pivot to the SQL database server and discover that it has been communicating not only with the internal host but also, unexpectedly, with a host in China.

Next, you view the packets involved in these conversations to clearly see all Layer 3-7 details of the communication. You discover someone using proper credentials from the compromised internal host to successfully gain access to the SQL database server. You also see failed attempts to log in to the SQL database. And fortunately, you see no signs of successful data exfiltration.

In a matter of minutes, you have used your source of metadata and packets to conduct a highly contextual investigation that determines the true risk to your organization and guides further remediation efforts.
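The two-hop pivot described above can be sketched over flow metadata. This is an added example, not NETSCOUT code or anything from the original article; the record layout, the addresses (documentation ranges), the asset inventory and the client baseline are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow metadata: (src, dst, dst_port, bytes src->dst, bytes dst->src)
FLOWS = [
    ("10.0.5.23", "10.0.1.5", 443, 1200, 48000),         # routine internal web traffic
    ("10.0.5.23", "198.51.100.10", 1433, 5400, 9100),    # flagged host -> cloud SQL server
    ("203.0.113.77", "198.51.100.10", 1433, 2600, 900),  # unknown external -> SQL server
    ("10.0.8.40", "198.51.100.10", 1433, 800, 15000),    # application server -> SQL server
]
# Assumed asset inventory: address space and cloud hosts the organization owns.
KNOWN = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("198.51.100.10/32")]
# Assumed baseline: the clients that normally talk to each server.
EXPECTED_CLIENTS = {"198.51.100.10": {"10.0.8.40"}}

def is_known(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN)

def peers(host):
    """Return {peer: [bytes sent by host, bytes received by host]} for one host."""
    out = defaultdict(lambda: [0, 0])
    for src, dst, _port, fwd, rev in FLOWS:
        if src == host:
            out[dst][0] += fwd
            out[dst][1] += rev
        elif dst == host:
            out[src][0] += rev
            out[src][1] += fwd
    return dict(out)

def investigate(flagged_host):
    """Pivot from the flagged host to each peer, then to that peer's other peers.

    Each finding is (peer, server, reason, bytes the server sent to that peer).
    """
    findings = []
    for server, (_sent, recv) in peers(flagged_host).items():
        baseline = EXPECTED_CLIENTS.get(server)
        if baseline is not None and flagged_host not in baseline:
            findings.append((flagged_host, server, "unexpected client", recv))
        for peer, (srv_sent, _srv_recv) in peers(server).items():
            if peer != flagged_host and not is_known(peer):
                findings.append((peer, server, "unknown external peer", srv_sent))
    return findings

if __name__ == "__main__":
    for finding in investigate("10.0.5.23"):
        print(finding)
```

The byte count in each finding only tells you which conversations to open first; confirming logins and ruling out exfiltration still takes the packet view described above.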

This is the value of using network-derived metadata and packets. It complements other cybersecurity technologies such as SIEM, EDR, SOAR, etc. This is especially true when you can't deploy an endpoint agent or when attackers employ anti-forensics and AI-driven malware tactics.

The bottom line is that the attacker can't avoid the network, and you need a source of network metadata and packets to ultimately expose them and the truth.

NETSCOUT offers such a solution. NETSCOUT Omnis Security is a platform that provides comprehensive network monitoring, threat detection, highly contextual investigation, and threat prevention.

Underpinning the NETSCOUT Omnis Security platform is the InfiniStreamNG (ISNG) and vSTREAM network instrumentation. Using patented analysis, indexing, and compression technologies, this highly scalable instrumentation converts network packets into robust metadata – what we call Smart Data – to deliver comprehensive and consistent visibility across your entire, disparate digital infrastructure (e.g. internal or hybrid cloud environments). This Smart Data is used by Omnis Cyber Investigator for threat detection and highly contextualized threat investigation. The results of this investigation give a security analyst the confidence to block inbound/outbound threats at the network perimeter using a firewall or, even better, the Omnis Arbor Edge Defense system.

NETSCOUT Omnis Security provides Security Without Borders that will ultimately expose the attacker on the network.

You can learn more about NETSCOUT Omnis Security here at Black Hat USA 2021 or you can visit:
