CS Nov-Dec 2022

More documents

Recommendations

Info

packet data BUILDING A CAPTIVE AUDIENCE PACKET CAPTURE IS BECOMING INCREASINGLY IMPORTANT, AS MARK EVANS, VP OF MARKETING, ENDACE, EXPLAINS Mark Evans, VP of marketing, Endace. There's an adage amongst experienced SecOps and NetOps analysts - 'PCAP or it didn't happen' - highlighting why network packet capture data (the file extension .PCAP is a common file format) is so crucial. Packets provide the only truly definitive evidence of performance and security issues that happen on a network. If you can't see the packets, you may never know for certain exactly what happened. Recent widespread security vulnerabilities - such as Solarflare and Log4J 2 - have illustrated just why access to packet data on-demand is so important, igniting demand for full packet capture solutions to fill the visibility hole. Governments are also becoming aware of the importance of packet capture. The US White House has mandated, by February 2023, all Federal agencies must be able to provide access - when requested by CISA or the FBI - to a minimum of 72 hours of full packet capture data for investigating cybersecurity events. However, there's still confusion and misinformation about why packet data is important and what the term 'packet capture' means. Some organisations believe they can do packet capture by relying on network flow data and endpoint monitoring. Others only record a handful of packets relating to specific events or use 'triggered' packet capture, because they believe it saves on storage costs. This article seeks to clarify the confusion around packet capture, so organisations can make informed decisions. WHY IS PACKET DATA IMPORTANT? Packet payloads are often the only way to identify specifics: did a phishing attack compromise credentials? What data was stolen or modified in a breach? Or what malware was dropped on compromised hosts? While log files and flow data can indicate an issue has occurred, oftentimes they can't show the exact root cause of that problem. They don't provide crucial detail, such as the 32 computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk
packet data actual 'payload' of data an attacker may have staged and exfiltrated. This leaves SecOps and NetOps teams blind to exactly what's happening on their network. With access to packet data, analysts can resolve problems faster and be certain about their conclusions. Packet data can also reduce analyst alert fatigue by providing the evidence necessary to tune detection systems to reduce false positive alerts and increase accuracy. It also enables analysts to prioritise, investigate and respond to events far more efficiently. THREE TYPES OF PACKET CAPTURE There are three types of packet capture used for security and network performance. The first, originally called 'packet sniffing', involves connecting a device to the network when a specific problem occurs so engineers can record ('sniff') small amounts of packet data to troubleshoot the problem. It's often referred to as 'ad-hoc' packet capture. The second type of packet capture is called 'triggered packet capture' and happens when packet recording is only enabled in response to specific events - such as security alerts. Packet data relating to that event is then recorded to provide evidence for analysts for future investigation. The third and last type of packet recording is where all packets traversing the network are recorded and stored for as long as available storage allows. This is referred to as 'continuous' packet capture. PROS AND CONS OF AD-HOC, TRIGGERED AND CONTINUOUS PACKET CAPTURE Each type of packet capture can be useful. However, for enterprise cybersecurity purposes, both ad-hoc and triggered packet capture are problematic. Ad-hoc packet capture is insufficient for most security uses, because it relies on packet recording being implemented and enabled post-event - by which point evidence of crucial parts of an attack has typically already been missed. It's like turning on a surveillance camera after you've been burgled. Similarly, triggered packet capture is problematic because it assumes you can predict what traffic you might need to record ahead of time. Who could have foreseen the Solarflare attack, and how it would play out ahead of it happening? Continuous packet capture is the only reliable way to ensure record all the critical evidence of cybersecurity events. However, deploying continuous packet capture requires careful planning. STORAGE Accurately recording traffic continuously across an entire network requires dedicated recording infrastructure with significant capacity - often petabytes- to record days, weeks, or months of traffic. In the past, the cost of this infrastructure limited the widespread adoption of full packet capture to all but the largest enterprises. Or to specific industries - such as Banking, Telecommunications, Government and Military - where access to recorded packet data was considered essential regardless of cost. Thankfully, increased compute capacity, reduced storage costs, and new technologies like hardware compression mean continuous packet capture is now affordable for most organisations. How much storage do you need? The answer is how much 'lookback' time do you need/want? Typically, you'll want at least a week, and ideally a month or more. This gives SecOps and NetOps teams time to identify what packet data is important for investigating a specific issue and to archive evidence if necessary. RAPID SEARCH AND INTEGRATION WITH OTHER TOOLS Recorded packet data needs to be thoroughly indexed as it is captured - so analysts can quickly find traffic related to a particular host and protocol - or application - for a specific time period. This lets analysts quickly find what they need to complete investigations in a single, uninterrupted workflow, without requiring lengthy searches. Ideally, access to packets should be integrated into the tools analysts use already - eg, SIEM and SOAR, IDS/IPS and AI/ML solutions, and performance monitoring tools, so analysts can drilldown from alerts to related packets quickly. THE NEED FOR FORENSICS SKILLS For packet data to be useful, analysts need to understand what it is showing them. Traditionally, this expertise has been limited to senior analysts - which are increasingly scarce resources. This is another reason why integrating packet forensics into existing tools is important. With the ability to go directly from an alert to relevant packet data, even junior analysts can find quickly what they need, making them that more productive and effective. For those looking to start with packet forensics, there's a wealth of useful information available. The Wireshark community (Wireshark is an open-source application that is the tool of choice for analysing packet data) and Youtube are both fantastic resources. Organisations like SANS also run many courses covering network forensics. A FINAL WORD Organisations need to ask themselves: 'are we properly equipped to respond confidently when a serious security breach happens?' If they lack packet data, they must accept the risks associated with the lack of visibility and agility that results. If there's one thing that today's volatile cybersecurity landscape has taught us, it's that realising the gaps after the event is too late. www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2022 computing security 33
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment WHY DATA ETHICS MATTER Data
Page 5 and 6: We focus on your cybersecurity thre
Page 8: news Bogdan Botezatu, Bitdefender.
Page 11 and 12: 2023 predictions Meanwhile, EU Digi
Page 13 and 14: 2023 predictions zero-day exploit.
Page 15 and 16: ook review YOU AND YOUR DATA ARE TH
Page 17 and 18: 2022 CS Awards THE 2022 WINNERS: Em
Page 20 and 21: deepfakes THE DYSTOPIAN WORLD OF DE
Page 22 and 23: data management YOU AND YOUR DATA A
Page 24 and 25: ansomware RANSOMWARE ON THE RAMPAGE
Page 26 and 27: ansomware Dan Turner, Forcepoint: c
Page 28 and 29: ansomware Steve Forbes, Nominet: pa
Page 30 and 31: legislation EU CYBER RESILIENCE ACT
Page 34 and 35: data threats WHY RANSOMWARE IS 'MOV
Page 36 and 37: eaches MAJOR BREACH, HARSH LESSONS
Page 38 and 39: GDPR REGULATORS MEAN BUSINESS! THE
Page 40 and 41: GDPR Dan Middleton, Veeam: Business
Page 42: Strengthen your data resilience wit

CS Nov-Dec 2022

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?