Network Forensics

In the case of a computer breach, malware infection or other suspicious network event, the basic Incident Response chain (SANS Handbook) has four steps:

  1. Identification: confirmation that we have a computer breach, malware infection, etc.
  2. Containment: prevent any further infections or damage from happening
  3. Eradication: removal and restoration of affected systems
  4. Recovery: bring systems back to normal and ensure the root cause of the breach is corrected.

Network forensics is the monitoring of incoming and outgoing traffic on a network. The captured traffic is stored, indexed and analyzed in real time. This is a very useful tool to ensure all four steps are working well and nothing is being missed during an incident. The usual questions answered via network forensics are:

  • Are all the devices on your network accounted for? Does the list match your known inventory?
  • Do you have device types (mobile devices, laptops) in parts of the network those devices are not allowed or supposed to access?
  • Do you have devices talking to known malware Command & Control (C2C) servers?
  • Are your intrusion detection or intrusion protection systems effective?
  • Is encrypted traffic monitored?
  • Can you narrow your firewall rules to decrease your attack surface without affecting normal operations?
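The first three questions above can be answered mechanically once captured traffic has been reduced to flow records. The following is an added example written for this page, not code from the original or from the toolkit it describes; it assumes a constructed comma-separated flow-log format (source MAC, source IP, destination IP, destination port, passively fingerprinted device type), a placeholder inventory, a placeholder segment policy, and a placeholder C2 indicator list using documentation-range addresses. It reconciles observed devices against the inventory, flags device types in segments where policy does not allow them, and lists any host that contacted a known C2 address.

```python
"""Added example: answering inventory, placement and C2 questions from flow records.
All inventory entries, policy rules, indicators and log lines below are constructed
for illustration; the log format is an assumption, not any particular tool's output."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: MAC address -> (hostname, device type)
KNOWN_INVENTORY = {
    "aa:bb:cc:00:00:01": ("file-srv-01", "server"),
    "aa:bb:cc:00:00:02": ("ws-alice", "laptop"),
    "aa:bb:cc:00:00:03": ("ws-bob", "laptop"),
}

# Constructed placement policy: segment -> device types that must not appear there
SEGMENT_POLICY = {
    ip_network("10.0.10.0/24"): {"mobile", "laptop"},  # server VLAN: no end-user devices
}

# Constructed C2 indicator list (RFC 5737 documentation addresses, not real indicators)
C2_INDICATORS = {"203.0.113.10", "198.51.100.77"}


@dataclass(frozen=True)
class Flow:
    src_mac: str
    src_ip: str
    dst_ip: str
    dst_port: int
    device_type: str  # as reported by passive device fingerprinting (assumed field)


def parse_flow_log(text):
    """Parse constructed lines of the form: src_mac,src_ip,dst_ip,dst_port,device_type."""
    flows = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, sip, dip, port, dtype = [field.strip() for field in line.split(",")]
        flows.append(Flow(mac.lower(), sip, dip, int(port), dtype))
    return flows


def unknown_devices(flows, inventory):
    """MACs seen on the wire that are absent from the known inventory."""
    return sorted({f.src_mac for f in flows} - set(inventory))


def disallowed_placements(flows, policy):
    """(src_mac, segment) pairs where the device type is banned in that segment."""
    hits = set()
    for f in flows:
        for segment, banned_types in policy.items():
            if ip_address(f.src_ip) in segment and f.device_type in banned_types:
                hits.add((f.src_mac, str(segment)))
    return sorted(hits)


def c2_contacts(flows, indicators):
    """(src_mac, dst_ip, dst_port) triples for flows whose destination is a known C2 address."""
    return sorted({(f.src_mac, f.dst_ip, f.dst_port) for f in flows if f.dst_ip in indicators})


# Constructed sample log: one unknown mobile device reaching a C2 address,
# and one inventoried laptop sitting in the server VLAN.
SAMPLE_LOG = """
# src_mac,src_ip,dst_ip,dst_port,device_type
aa:bb:cc:00:00:01,10.0.10.5,10.0.10.9,445,server
aa:bb:cc:00:00:02,10.0.20.15,192.0.2.50,443,laptop
aa:bb:cc:00:00:03,10.0.10.40,10.0.10.9,445,laptop
aa:bb:cc:00:00:99,10.0.20.77,203.0.113.10,8443,mobile
"""


def build_report(log_text=SAMPLE_LOG):
    """Run all three checks over a flow log and return the findings as a dict."""
    flows = parse_flow_log(log_text)
    return {
        "unknown_devices": unknown_devices(flows, KNOWN_INVENTORY),
        "disallowed_placements": disallowed_placements(flows, SEGMENT_POLICY),
        "c2_contacts": c2_contacts(flows, C2_INDICATORS),
    }


if __name__ == "__main__":
    for check, findings in build_report().items():
        print(f"{check}: {findings}")
```

In practice the inventory would come from an asset database, the flows from the capture platform's export, and the indicator set from a threat-intelligence feed; the reconciliation logic stays the same, and an empty result for each check is the expected steady state during the Recovery step.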

Our network forensics toolkit consists of a set of network taps and portable servers (running vmware ESX) with a set of forensic VMs running network forensics (moloch) and IDS software. Our equipment supports both ethernet and fibre connections, and we can reliably capture at rates of up to 1Gbps.