Page 160 - Cyber Defense eMagazine Special RSA Conference Annual Edition for 2022
Access the actual content of a network conversation - easily
The forensic evidence gained from packet capture is a vital resource for incident response teams, helping
to accurately reconstruct cyberattacks so analysts can understand exactly what happened and what the
full impact is. Forensic evidence can provide a detailed breakdown of how far an attacker penetrated,
how they managed to get around existing defenses, and what data and systems were attacked and
potentially compromised. Without this knowledge, SecOps teams can have a hard time understanding
how to respond to and resolve incidents.
Some security teams rely on piecing together evidence from log files -- system logs, application logs,
authentication logs etc. -- combined with network metadata, threat intelligence and alerts from their
security monitoring tools. The problem with this is that it doesn’t provide the actual payload information
that enables teams to accurately reconstruct what took place to see exactly what files were transferred,
what data was extracted, and what systems were impacted. Log files and metadata provide a snapshot
summary of events which is useful for building a picture of activity. But relying solely on these sources
and not having access to packet data means teams can risk missing critical evidence when it really
matters.
The alternative is to record full packet data, which lets analysts inspect historical traffic to investigate
threats more closely. This provides access to the actual content such as files, malware, ransomware,
executables, zip archives, exfiltrated documents, code downloads and more – anything attackers can
use to compromise user and network security and steal data.
Analysts can also re-analyze recorded packet data to generate detailed logs on-demand - including DNS,
HTTPS, TLS, SMTP, database transactions, and more - or analyze recorded traffic using new rules to
detect network threats that might have been missed the first time and provide deeper contextual insight
into attack activity.
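As an added illustration (not code from the magazine article), the following Python re-analyzes recorded frames to produce the kind of on-demand DNS log described above; the frame builder, IP addresses and hostname are constructed sample data, and the point it makes is that a flow or metadata record of the same traffic would show only the UDP 5-tuple, while the packet payload yields the queried name itself.

```python
import struct
from ipaddress import IPv4Address

def read_name(dns, off):
    """Decode the length-prefixed labels of a DNS name; returns (name, offset after the name)."""
    labels = []
    while dns[off] != 0:
        n = dns[off]
        if n & 0xC0:  # compression pointers do not occur in a plain query name
            raise ValueError("compressed name in question section")
        labels.append(dns[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def dns_log_record(ts, frame):
    """Turn one recorded Ethernet frame into a DNS query log entry, or None if it is not one."""
    if len(frame) < 54 or frame[12:14] != b"\x08\x00":      # too short, or not IPv4
        return None
    udp = 14 + (frame[14] & 0x0F) * 4                        # IHL gives the UDP header offset
    if frame[23] != 17:                                      # not UDP
        return None
    sport, dport = struct.unpack("!HH", frame[udp:udp + 4])
    if dport != 53:
        return None
    dns = frame[udp + 8:]
    txid, flags, qdcount = struct.unpack("!HHH", dns[:6])
    if flags & 0x8000 or qdcount == 0:                       # a response, or nothing asked
        return None
    qname, off = read_name(dns, 12)
    qtype = struct.unpack("!H", dns[off:off + 2])[0]
    return {"ts": ts, "src": str(IPv4Address(frame[26:30])), "sport": sport, "dst": str(IPv4Address(frame[30:34])),
            "dport": dport, "txid": txid, "qname": qname, "qtype": qtype}

def build_query_frame(src, dst, sport, qname, txid=0x1234):
    """Constructed sample frame (Ethernet/IPv4/UDP/DNS A query); checksums are left at zero."""
    q = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    dns = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + q + struct.pack("!HH", 1, 1)
    udp = struct.pack("!HHHH", sport, 53, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed) + udp
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip

def dns_log(capture):
    """Re-analyze a list of (timestamp, frame) records into DNS log entries, skipping everything else."""
    return [r for r in (dns_log_record(ts, f) for ts, f in capture) if r]

if __name__ == "__main__":
    sample = [(1.0, build_query_frame("10.0.0.5", "10.0.0.53", 40000, "updates.example.test")), (1.5, b"\x00" * 60)]
    print(dns_log(sample))  # the second record is constructed non-IP noise and is skipped
```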
Accelerating investigation and response
The experience many teams have had with packet capture in the past is that it can be challenging to
accurately record and manage large volumes of data at high speed, and time-consuming to locate the
specific data needed for an investigation. Packet analysis has also traditionally required deep
expertise.
Modern packet capture solutions are designed to be modular and scalable. They can cost-effectively
record weeks to months of history at today's fastest network speeds (10 Gbps up to 100 Gbps or more),
giving security teams plenty of time to go back and investigate historical events.
Analysts can search and data-mine recorded data to find and analyze the relevant packets quickly from within
what may be petabytes of data. Integration with a wide variety of cybersecurity solutions makes it possible
to "pivot" in context from an alert in a security or performance monitoring tool directly to the relevant
packets. This speeds up and streamlines the investigation process and also enables common
evidence collection and analysis tasks to be automated (e.g. using SOAR tools).