Tuesday, December 16, 2025

The Call for Network Forensics Specialists


Enterprises are realizing they might need more ammunition in their never-ending battle against ransomware.

Enter network forensics, a branch of digital forensics. Network forensics practitioners are the detectives of network security, focused on monitoring and evaluating all the digital traffic on a network. Their goal is to uncover information about intrusions, such as malware, and to gather legal evidence in the event of a court case.

The value of digital forensics is underscored by a report from Malaysian security firm AKATI. The company highlighted the case of a healthcare institution that in early 2025 suffered a massive ransomware attack that crippled multiple systems, IT infrastructure and business operations. Ransom notes were deposited everywhere across the network. System backups and shadow copies of data were deleted, which impaired data recovery. Network security activity logs were wiped out, and the remaining data was encrypted in a way the company could not decipher.

Understanding the Attack

This organization needed two things following this ransomware attack:

  • To get its network, systems and data up and running again.

  • To understand the full extent of the attack — how it happened, how it worked and why it was as successful as it was.


Learning why the attack happened and how to prevent similar ransomware incidents in the future required more than reviewing standard security activities and logs, which had largely been wiped out. Yet, investigating such a sophisticated intrusion surpassed the knowledge base and skills of the healthcare organization’s internal network personnel. The company decided to bring in network forensics specialists.

The subsequent investigation revealed a multi-phased, carefully planned and executed malware attack that began with the execution of an unauthorized file by an unsuspecting user. From there, the attackers gained control over multiple systems and established remote connections that enabled them to move undetected between servers. They were able to do all this because they had easily cracked weak network administrator credentials. By the time the company became aware of the intrusion, the attackers had all the data and the network itself under control.

Do Companies Need Network Forensics Skills?

Ransomware attacks are on the rise. According to a 2024 report issued by Ransomware.org, more than half of the companies surveyed reported they had experienced a ransomware attack. The largest single payout: an eye-popping $75 million, according to a separate ransomware study by Zscaler.


Companies of all sizes need some type of ransomware plan that goes beyond what standard network security monitoring can do. That capability is something that cyber insurance companies are increasingly demanding as well.

The catch is that skills like forensics are uncommon among most network staffs. When companies try to hire someone with sophisticated network malware-fighting skills, it costs them money, with salaries commanding six figures, according to ZipRecruiter.

Banks, brokerage houses, large healthcare systems, life science companies, defense companies, governments, insurance companies and pharmaceutical companies are among the most likely enterprises to hire internal network forensics specialists. For other organizations, finding network forensics expertise will involve either hiring an outside firm to do the work, or cross-training someone who is already on staff with forensics skills.

What Do Network Forensic Specialists Do?

Network forensic specialists oversee many of the areas regular network professionals cover, such as monitoring the network, studying the data traveling through the network and digging down into different layers of the OSI network communications framework when needed. These pros also study IP addresses, security, user traffic and authentications — but from this point, it gets deeper and more specialized.


Network forensic specialists train their focus on monitoring and investigating network threats and suspicious incidents. Other times, probes might be related to legal discovery and criminal investigations. Following a security compromise, a company might call in a network forensics specialist to research it. How did it happen? When did it happen? Who were the perpetrators? What data and network assets were affected?

To accomplish tasks like these, network forensics specialists usually have at least three years of network experience. They have completed or are pursuing advanced training, earning certifications such as the following:

  • Certified Network Forensics Examiner.

  • Certified Cyber Forensics Professional.

  • Certified Network Defender.

  • Certified Ethical Hacker.

  • Certified Forensic Computer Examiner.

Specialized training equips them with the skills they need for detailed forensics work, as well as the knowledge required to deploy specialized tools that regular network professionals don’t typically use. Network forensics specialists are also called upon to cross-train network staff members, potentially mentoring others who could assume a future role.

Equally important, forensics professionals must be excellent problem solvers and communicators. They must possess the soft skills needed to communicate with security and network teams, auditors and regulators — but also with management, the legal community and potentially with law enforcement.

Should Companies Invest in Network Forensics Skills?

The short answer is yes, companies should invest. Cybercrime is becoming increasingly sophisticated, and network skills must become more sophisticated as well.

The trick for network managers, especially at smaller companies, is how to bring forensics skills onboard. Most organizations can’t afford to hire a full-time forensics staff person, nor can they retain forensics consultants for long periods. One option: Equip an existing network staffer with the training, courses and mentoring from an outside expert.

Meanwhile, here are several everyday practices designed to reduce the risk of not having access to a full-time network forensics expert.

Focus on prevention. You’ve bullet-proofed your network from many malware attacks by bolting down your network boundaries and segments and performing regular security audits. Your company diligently monitors network traffic and user credentials and activities. But there’s more you should do. Train users on the importance of using strong user IDs and passwords. Use multi-factor authentication and consider rolling out passkeys. Ensure users secure their departments’ IT and devices when they’re not using them.

Don’t skimp on documentation. Network staffs struggle to keep documentation updated, but with legal forensics, it’s critical to ensure the chain of data custody is uninterrupted. Maintain tracking and tracing documentation, as well as certified procedures and operating practices, to keep evidence data safe and secure.
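As an added illustration of what an uninterrupted chain of custody looks like in practice (this is example code written for this page, not something from the AKATI report or the article's author), the script below hashes a piece of evidence at acquisition, records every hand-off with a timestamp and handler, and links each log entry to the previous one so that both the evidence and the log itself become tamper-evident. The evidence bytes, handler names and descriptions are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a captured pcap file (pcap magic bytes plus filler).
SAMPLE_EVIDENCE = b"\xd4\xc3\xb2\xa1" + b"constructed-capture-bytes"


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the evidence bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash over every field of a log entry except its own hash, in a canonical order."""
    fields = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(fields, sort_keys=True).encode()).hexdigest()


def _make_entry(seq: int, handler: str, action: str, description: str,
                evidence: bytes, prev_hash: str) -> dict:
    entry = {
        "seq": seq,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "action": action,
        "description": description,
        "evidence_sha256": sha256_hex(evidence),   # proves the bytes were unchanged at this step
        "prev_entry_sha256": prev_hash,            # links this entry to the one before it
    }
    entry["entry_sha256"] = _entry_hash(entry)
    return entry


def new_custody_log(evidence: bytes, collector: str, description: str) -> list:
    """Open a chain-of-custody log with the acquisition entry for a piece of evidence."""
    return [_make_entry(0, collector, "acquired", description, evidence, "0" * 64)]


def record_transfer(log: list, evidence: bytes, handler: str, action: str,
                    description: str) -> dict:
    """Append a hand-off (transfer, analysis, storage) to an existing log."""
    prev = log[-1]
    entry = _make_entry(prev["seq"] + 1, handler, action, description,
                        evidence, prev["entry_sha256"])
    log.append(entry)
    return entry


def verify_custody(log: list, evidence: bytes) -> list:
    """Check the log against the evidence as it exists now.

    Returns a list of problems; an empty list means the chain is intact:
    no gaps, every entry links to its predecessor, no entry was edited
    after the fact, and the evidence hash never changed."""
    problems = []
    expected_prev = "0" * 64
    current_hash = sha256_hex(evidence)
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            problems.append(f"entry {i}: sequence gap")
        if entry["prev_entry_sha256"] != expected_prev:
            problems.append(f"entry {i}: broken link to previous entry")
        if _entry_hash(entry) != entry["entry_sha256"]:
            problems.append(f"entry {i}: entry record altered")
        if entry["evidence_sha256"] != current_hash:
            problems.append(f"entry {i}: evidence hash does not match current evidence")
        expected_prev = entry["entry_sha256"]
    return problems


if __name__ == "__main__":
    log = new_custody_log(SAMPLE_EVIDENCE, "analyst-a", "capture from core switch SPAN port")
    record_transfer(log, SAMPLE_EVIDENCE, "analyst-b", "transferred",
                    "handed to external forensics firm")
    print(json.dumps(log, indent=2))
    print("problems:", verify_custody(log, SAMPLE_EVIDENCE))
```

The point a reviewer, auditor or court will care about is that any edit to a past entry, any missing hand-off, or any change to the evidence bytes shows up in `verify_custody` rather than going unnoticed; in a real deployment the log would also be stored separately from the evidence and signed by each handler.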

Start with a micro examination of network activity and then move upward. Network forensics specialists proceed from the most microscopic layers of the OSI model through sessions, applications and content analysis. This tactic should also be encouraged for network staff. This embeds the idea of detailed examination and troubleshooting from the ground up. Everyone is looking for every conceivable malware entry point — with the goal of locking down network vulnerabilities before any breach occurs.
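To make the bottom-up examination concrete, here is an added example (not code from the article) that walks a single captured frame from the link layer through IP and TCP up to the application payload, the same direction the paragraph above describes. The frame is constructed inside the script with `struct`; the MAC and IP addresses, ports and the HTTP request it carries are all made up for the example.

```python
import struct


def build_sample_frame() -> bytes:
    """Construct an Ethernet/IPv4/TCP frame carrying an HTTP request (all values made up)."""
    payload = b"GET / HTTP/1.1\r\nHost: intranet.example.test\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 40512, 80, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/frag (DF), TTL, protocol 6 (TCP), csum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 1, 20]))
    # Ethernet: dst MAC, src MAC, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    return eth + ip + tcp + payload


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_payload(payload: bytes) -> str:
    """Very small layer-7 classifier: enough to label plaintext HTTP, nothing more."""
    methods = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ")
    if payload.startswith(methods) and b" HTTP/" in payload.split(b"\r\n", 1)[0]:
        return "http-request"
    if payload.startswith(b"HTTP/"):
        return "http-response"
    return "unknown"


def decode_frame(frame: bytes) -> dict:
    """Decode one frame layer by layer; stop at the first layer we do not understand."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    layers = {}

    # Layer 2: Ethernet
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": _mac(dst), "src": _mac(src), "ethertype": ethertype}
    if ethertype != 0x0800:
        return layers

    # Layer 3: IPv4 (header length comes from IHL, so options would be handled)
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    layers["ipv4"] = {
        "src": ".".join(map(str, src_ip)), "dst": ".".join(map(str, dst_ip)),
        "ttl": ttl, "protocol": proto, "id": ident, "total_length": total_len,
    }
    if proto != 6:
        return layers

    # Layer 4: TCP (data offset tells us where the payload begins)
    l4 = 14 + ihl
    sport, dport, seq, ack, off_res, flags, window, _csum2, _urg = struct.unpack(
        "!HHIIBBHHH", frame[l4:l4 + 20])
    data_off = (off_res >> 4) * 4
    layers["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
                     "flags": flags, "window": window}

    # Layer 7: application payload, bounded by the IP total length, not the frame length
    payload = frame[l4 + data_off:14 + total_len]
    layers["payload"] = payload
    layers["application"] = classify_payload(payload)
    return layers


if __name__ == "__main__":
    for name, value in decode_frame(build_sample_frame()).items():
        print(f"{name:12} {value}")
```

Reading the frame this way, each layer hands the next one its offset (EtherType selects IPv4, IHL selects where TCP starts, the TCP data offset selects where the payload starts), which is exactly the habit the paragraph recommends for network staff: establish what is happening at each layer before drawing conclusions about the session or the content.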
