RSA NetWitness: An Anatomy Of An Attack

Here is a post from my friend Aamir Lakhani’s blog about RSA NetWitness. The original can be found at Cloud Centrics ( Really good post on NetWitness.

RSA NetWitness

RSA NetWitness is a unique solution that captures, store and analyze network data traffic. This gives you the able to see exactly what comes in and goes out of the network in real time . In simple terms, RSA offers to you a Network CCTV. Not only that, NetWitness also allows you to see the traffic in action as it reconstructs the data that flows through the network into its original format according to its own type or application. This helps you strengthen your security measures by taking appropriate action. On top of that, since all traffic is captured and stored, you will be able to go back to a particular period of time and conduct historical data analysis. Nothing escapes undetected.

RSA NetWitness delivers an innovative fusion of hundreds of log data sources with external threat intelligence to enterprises; enabling extraordinary broad and high-speed visibility into the critical information needed to help detect targeted, dynamic and stealthy attack techniques.

Why is it important?

NetWitness records all network activity. The benefits of this forensic analysis cannot be matched by any other product. NetWitness will truly allow you to investigate what happened on the network.

More importantly, since NetWitness sees and records everything on the network, it is very easy for the product to detect threats as they are occurring. This gives administrators an opportunity to stop attacks before they cause damage on the network.

Recording all network activity with forensic accuracy and analyzing current threats in real time provides situational awareness and insight for threats on existing infrastructure devices. Typically, when systems are discovered to be compromised, the systems are imaged, and software is reinstalled. However, many people don’t actually figure out the root cause of the problem. How did the system originally get compromised and what measures should be used to prevent it from happening again? In addition, if one machine is compromised, chances are high that others will be as well.

Why are these attacks difficult to detect? The answer is that these threats originate from the inside, or trusted areas of the network. The most common network threats involve a failure in internal security. This includes APTs, Botnets, Phishing attacks, social network information leakage, and product patches.

Security fails and systems get breached because many people do not take the threat seriously or make an effort to learn about it. It takes a proactive approach to be secure and protected against threats.

Furthermore, many organizations have processes in place that actually do more harm than good. These procedures that are supposed to help an organization’s security posture degrade it instead. This is partly to do with people and attitude, but also partly to do with outdated ways of thinking about security mixed with inadequate technologies.

Anatomy of an attack

Here is an example: Zeus was a popular attack last year that stole and spread through internal networks. Zeus is a Trojan horse that steals banking information by Man-in-the-browser, keystroke logging and Form Grabbing. Zeus spread mainly through drive-by downloads and phishing schemes.

Zeus was successful because it was a well-crafted phishing attack. Victims received an email that looked interesting to them. They were instructed to download a report from what appeared to be a legitimate website. In reality, the report was a Trojan horse that allowed attackers to control the victim’s system. The hosting website was in China.

A capture (report) from NetWitness showed that the originating server of Zeus went to a command and control server in China. The program that the user downloaded allowed attackers from the Chinese server to have control of the users’ system. From that point on, it was trivial for them to exploit other systems on the users’ network.

Most anti-virus agents did not detect Zeus. Later, Zeus disabled anti-virus agents using a variety of schemes – mostly by redireiting anti-virus updates to a IP address.

Since NetWitness recorded all network traffic, it recorded what systems were compromised, communications with systems in China, and what was being transferring. When internal systems initiate a connection and transfer files, NetWitness captures that traffic.

NetWitness is the only security tool that provides complete visibility on a network. It shows when attacks are occurring in real-time and gives an organization the ability to detect and stop those attacks.

3 thoughts on “RSA NetWitness: An Anatomy Of An Attack”

  1. wow, that is an awesome post about netwitness. Looks like a fantastic product to get a overview of whats going on. I don’t think I’ve seen any other tool that can trace an attack in such detail.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.