CS Nov-Dec 2022

packet data
actual 'payload' of data an attacker may
have staged and exfiltrated. This leaves
SecOps and NetOps teams blind to exactly
what's happening on their network.
With access to packet data, analysts can
resolve problems faster and be certain
about their conclusions. Packet data can
also reduce analyst alert fatigue by providing
the evidence necessary to tune detection
systems to reduce false positive alerts and
increase accuracy. It also enables analysts to
prioritise, investigate and respond to events
far more efficiently.
THREE TYPES OF PACKET CAPTURE
There are three types of packet capture used
for security and network performance.
The first, originally called 'packet sniffing',
involves connecting a device to the network
when a specific problem occurs so engineers
can record ('sniff') small amounts of packet
data to troubleshoot the problem. It's often
referred to as 'ad-hoc' packet capture.
The second type of packet capture is called
'triggered packet capture' and happens
when packet recording is only enabled in
response to specific events - such as security
alerts. Packet data relating to that event is
then recorded to provide evidence for
analysts for future investigation.
The third and last type of packet recording
is where all packets traversing the network
are recorded and stored for as long as
available storage allows. This is referred to
as 'continuous' packet capture.
PROS AND CONS OF AD-HOC,
TRIGGERED AND CONTINUOUS
PACKET CAPTURE
Each type of packet capture can be useful.
However, for enterprise cybersecurity
purposes, both ad-hoc and triggered packet
capture are problematic.
Ad-hoc packet capture is insufficient for
most security uses, because it relies on
packet recording being implemented and
enabled post-event - by which point
evidence of crucial parts of an attack has
typically already been missed. It's like turning
on a surveillance camera after you've been
burgled. Similarly, triggered packet capture
is problematic because it assumes you can
predict what traffic you might need to
record ahead of time. Who could have
foreseen the Solarflare attack, and how it
would play out ahead of it happening?
Continuous packet capture is the only
reliable way to ensure record all the critical
evidence of cybersecurity events. However,
deploying continuous packet capture
requires careful planning.
STORAGE
Accurately recording traffic continuously
across an entire network requires dedicated
recording infrastructure with significant
capacity - often petabytes- to record days,
weeks, or months of traffic. In the past,
the cost of this infrastructure limited the
widespread adoption of full packet capture
to all but the largest enterprises. Or to
specific industries - such as Banking,
Telecommunications, Government and
Military - where access to recorded packet
data was considered essential regardless
of cost. Thankfully, increased compute
capacity, reduced storage costs, and new
technologies like hardware compression
mean continuous packet capture is now
affordable for most organisations.
How much storage do you need? The
answer is how much 'lookback' time do
you need/want? Typically, you'll want at least
a week, and ideally a month or more. This
gives SecOps and NetOps teams time to
identify what packet data is important for
investigating a specific issue and to archive
evidence if necessary.
RAPID SEARCH AND INTEGRATION
WITH OTHER TOOLS
Recorded packet data needs to be
thoroughly indexed as it is captured - so
analysts can quickly find traffic related
to a particular host and protocol - or
application - for a specific time period.
This lets analysts quickly find what they
need to complete investigations in a single,
uninterrupted workflow, without requiring
lengthy searches.
Ideally, access to packets should be
integrated into the tools analysts use
already - eg, SIEM and SOAR, IDS/IPS
and AI/ML solutions, and performance
monitoring tools, so analysts can drilldown
from alerts to related packets
quickly.
THE NEED FOR FORENSICS SKILLS
For packet data to be useful, analysts need
to understand what it is showing them.
Traditionally, this expertise has been limited
to senior analysts - which are increasingly
scarce resources. This is another reason
why integrating packet forensics into
existing tools is important. With the ability
to go directly from an alert to relevant
packet data, even junior analysts can find
quickly what they need, making them that
more productive and effective.
For those looking to start with packet
forensics, there's a wealth of useful
information available. The Wireshark
community (Wireshark is an open-source
application that is the tool of choice for
analysing packet data) and Youtube are
both fantastic resources. Organisations
like SANS also run many courses covering
network forensics.
A FINAL WORD
Organisations need to ask themselves:
'are we properly equipped to respond
confidently when a serious security breach
happens?' If they lack packet data, they
must accept the risks associated with the
lack of visibility and agility that results.
If there's one thing that today's volatile
cybersecurity landscape has taught us, it's
that realising the gaps after the event is
too late.
www.computingsecurity.co.uk @CSMagAndAwards Nov/Dec 2022 computing security
33