CS Nov-Dec 2022
You also want an ePaper? Increase the reach of your titles
YUMPU automatically turns print PDFs into web optimized ePapers that Google loves.
packet data<br />
actual 'payload' of data an attacker may<br />
have staged and exfiltrated. This leaves<br />
SecOps and NetOps teams blind to exactly<br />
what's happening on their network.<br />
With access to packet data, analysts can<br />
resolve problems faster and be certain<br />
about their conclusions. Packet data can<br />
also reduce analyst alert fatigue by providing<br />
the evidence necessary to tune detection<br />
systems to reduce false positive alerts and<br />
increase accuracy. It also enables analysts to<br />
prioritise, investigate and respond to events<br />
far more efficiently.<br />
THREE TYPES OF PACKET CAPTURE<br />
There are three types of packet capture used<br />
for security and network performance.<br />
The first, originally called 'packet sniffing',<br />
involves connecting a device to the network<br />
when a specific problem occurs so engineers<br />
can record ('sniff') small amounts of packet<br />
data to troubleshoot the problem. It's often<br />
referred to as 'ad-hoc' packet capture.<br />
The second type of packet capture is called<br />
'triggered packet capture' and happens<br />
when packet recording is only enabled in<br />
response to specific events - such as security<br />
alerts. Packet data relating to that event is<br />
then recorded to provide evidence for<br />
analysts for future investigation.<br />
The third and last type of packet recording<br />
is where all packets traversing the network<br />
are recorded and stored for as long as<br />
available storage allows. This is referred to<br />
as 'continuous' packet capture.<br />
PROS AND CONS OF AD-HOC,<br />
TRIGGERED AND CONTINUOUS<br />
PACKET CAPTURE<br />
Each type of packet capture can be useful.<br />
However, for enterprise cybersecurity<br />
purposes, both ad-hoc and triggered packet<br />
capture are problematic.<br />
Ad-hoc packet capture is insufficient for<br />
most security uses, because it relies on<br />
packet recording being implemented and<br />
enabled post-event - by which point<br />
evidence of crucial parts of an attack has<br />
typically already been missed. It's like turning<br />
on a surveillance camera after you've been<br />
burgled. Similarly, triggered packet capture<br />
is problematic because it assumes you can<br />
predict what traffic you might need to<br />
record ahead of time. Who could have<br />
foreseen the Solarflare attack, and how it<br />
would play out ahead of it happening?<br />
Continuous packet capture is the only<br />
reliable way to ensure record all the critical<br />
evidence of cybersecurity events. However,<br />
deploying continuous packet capture<br />
requires careful planning.<br />
STORAGE<br />
Accurately recording traffic continuously<br />
across an entire network requires dedicated<br />
recording infrastructure with significant<br />
capacity - often petabytes- to record days,<br />
weeks, or months of traffic. In the past,<br />
the cost of this infrastructure limited the<br />
widespread adoption of full packet capture<br />
to all but the largest enterprises. Or to<br />
specific industries - such as Banking,<br />
Telecommunications, Government and<br />
Military - where access to recorded packet<br />
data was considered essential regardless<br />
of cost. Thankfully, increased compute<br />
capacity, reduced storage costs, and new<br />
technologies like hardware compression<br />
mean continuous packet capture is now<br />
affordable for most organisations.<br />
How much storage do you need? The<br />
answer is how much 'lookback' time do<br />
you need/want? Typically, you'll want at least<br />
a week, and ideally a month or more. This<br />
gives SecOps and NetOps teams time to<br />
identify what packet data is important for<br />
investigating a specific issue and to archive<br />
evidence if necessary.<br />
RAPID SEARCH AND INTEGRATION<br />
WITH OTHER TOOLS<br />
Recorded packet data needs to be<br />
thoroughly indexed as it is captured - so<br />
analysts can quickly find traffic related<br />
to a particular host and protocol - or<br />
application - for a specific time period.<br />
This lets analysts quickly find what they<br />
need to complete investigations in a single,<br />
uninterrupted workflow, without requiring<br />
lengthy searches.<br />
Ideally, access to packets should be<br />
integrated into the tools analysts use<br />
already - eg, SIEM and SOAR, IDS/IPS<br />
and AI/ML solutions, and performance<br />
monitoring tools, so analysts can drilldown<br />
from alerts to related packets<br />
quickly.<br />
THE NEED FOR FORENSI<strong>CS</strong> SKILLS<br />
For packet data to be useful, analysts need<br />
to understand what it is showing them.<br />
Traditionally, this expertise has been limited<br />
to senior analysts - which are increasingly<br />
scarce resources. This is another reason<br />
why integrating packet forensics into<br />
existing tools is important. With the ability<br />
to go directly from an alert to relevant<br />
packet data, even junior analysts can find<br />
quickly what they need, making them that<br />
more productive and effective.<br />
For those looking to start with packet<br />
forensics, there's a wealth of useful<br />
information available. The Wireshark<br />
community (Wireshark is an open-source<br />
application that is the tool of choice for<br />
analysing packet data) and Youtube are<br />
both fantastic resources. Organisations<br />
like SANS also run many courses covering<br />
network forensics.<br />
A FINAL WORD<br />
Organisations need to ask themselves:<br />
'are we properly equipped to respond<br />
confidently when a serious security breach<br />
happens?' If they lack packet data, they<br />
must accept the risks associated with the<br />
lack of visibility and agility that results.<br />
If there's one thing that today's volatile<br />
cybersecurity landscape has taught us, it's<br />
that realising the gaps after the event is<br />
too late.<br />
www.computingsecurity.co.uk @<strong>CS</strong>MagAndAwards <strong>Nov</strong>/<strong>Dec</strong> <strong>2022</strong> computing security<br />
33