By Cary Wright, VP of Product Management, Endace
In a threat landscape that is now changing more rapidly than ever before, why aren’t more companies capitalizing on the benefits of packet capture? Well, historically, packet analysis has been a manual function with very real accessibility issues. It’s not unheard of for security teams to struggle to pull several weeks’ worth of packets, running searches for hours or days across massive files to find the evidence they are looking for. Unsurprisingly, this type of packet handling has also been costly.
Packet capture has also mainly been used by senior security analysts with deep experience in packet forensics — a specific skill that’s in short-supply, and not something more junior analysts know how to do, despite its necessity in today’s threat landscape.
How do you do packet capture well, so that everyone (not just experienced, senior packet analysts) can quickly find the data they need, get to relevant packets from alerts in their relevant tools, and extract value from that full packet data?
As renowned SANS Institute course instructor Jake Williams likes to say, “today’s packet capture is not your Grandma’s packet capture.” Indeed, packet capture has truly moved to the next level, and security-savvy companies are deploying distributed, centrally managed recording appliances that are designed to be modular and highly scalable to deliver the storage capacity, performance and rapid search that is needed while accelerating investigation and response time.
Access the actual content of a network conversation – easily
The forensic evidence gained from packet capture is a vital resource for incident response teams, helping to accurately reconstruct cyberattacks so analysts can understand exactly what happened and what the full impact is. Forensic evidence can provide a detailed breakdown of how far an attacker penetrated, how they managed to get around existing defenses, and what data and systems were attacked and potentially compromised. Without this knowledge, SecOps teams can have a hard time understanding how to respond to and resolve incidents.
Some security teams rely on piecing together evidence from log files — system logs, application logs, authentication logs etc. — combined with network metadata, threat intelligence and alerts from their security monitoring tools. The problem with this is that it doesn’t provide the actual payload information that enables teams to accurately reconstruct what took place to see exactly what files were transferred, what data was extracted, and what systems were impacted. Log files and metadata provide a snapshot summary of events which is useful for building a picture of activity. But relying solely on these sources and not having access to packet data means teams can risk missing critical evidence when it really matters.
The alternative is to record full packet data, which lets analysts inspect historical traffic to investigate threats more closely. This provides access to the actual content such as files, malware, ransomware, executables, zip archives, exfiltrated documents, code downloads and more – anything attackers can use to compromise user and network security and steal data.
Analysts can also re-analyze recorded packet data to generate detailed logs on-demand – including DNS, HTTPS, TLS, SMTP, database transactions, and more – or analyze recorded traffic using new rules to detect network threats that might have been missed the first time and provide deeper contextual insight into attack activity.
Accelerating investigation and response
The experience that many teams had in the past with packet capture is that it can be challenging to accurately record and manage large volumes of data at high-speed — and time-consuming to locate the specific data that is needed for an investigation. Packet analysis has traditionally required deep expertise too.
Modern packet capture solutions are designed to be modular and scalable. They can cost-effectively record weeks to months of history at today’s fastest network speeds (10 Gbps up to 100 Gbps or more), giving security teams plenty of time to go back and investigate historical events.
Analysts can search/data-mine recorded data to find and analyze relevant packets quickly from within what may be petabytes of data. Integration with a wide variety of cybersecurity solutions makes it possible to “pivot” in-context from an alert in a security or performance monitoring tool directly to the relevant packets. This speeds up and streamlines the investigation process and can also enable common evidence collection and analysis tasks to be automated (e.g. using SOAR tools.)
This also makes it easy to extract useful information from packet data — such as reassembled files or detailed analysis logs — without having to be an experienced senior analyst with deep packet analysis expertise. And enabling this to be done on historical data – so you can go back-in-time to analyze past events.
Analysts can review days, weeks or months of recorded packet history easily and quickly for incident response, threat-hunting or troubleshooting network or application performance issues. Networks can also be set up as a fabric of multiple capture points, capable of being searched from a single pane of glass.
With these improvements and more, the next generation of packet capture is set to become the gold standard for understanding the threats traversing networks, and troubleshooting IT operational or performance issues.
About the Author
Cary Wright, VP Product Management at Endace, has more than 25 years’ experience in creating market-defining networking, cybersecurity and application delivery products at companies including Agilent, HP, Ixia and NEC. www.endace.com