Packet Capture is Back - The Force Multiplier for Cybersecurity
By Scott Welles
May 3, 2022
Scott Welles will be speaking about new and updated security uses of packet capture at HammerCon 2022 on May 19, 2022 - be sure to get your tickets here to hear him and our other exciting speakers before tickets run out!
Despite countless news stories about enormous network breaches, most organizations' networks are not sufficiently secure, and still lack visibility into the full breadth of their infrastructure. This lack of visibility has caused numerous security issues as is evident through the increasing frequency and sophistication of advanced threats through Zero-Day exploits and ransomware attacks.
Threats are getting more sophisticated – is your security approach keeping up?
Today's advanced threat actors – such as nation-states and global cyber-criminal organizations – easily circumvent traditional perimeter and endpoint protection, making the present security strategy of perimeter defense ineffective. As FireEye CEO Kevin Mandia said during a March 2021 US Senate Intelligence Committee hearing on the SolarWinds attack, on the question of whether properly configured firewalls are effective in thwarting threat actors: “We do over 600 red teams a year. Firewalls never stopped one of them.”
A few years ago, hackers would get in and out in a matter of minutes to accomplish their goals. However, today’s approach is a long-term investigation with dwell times of many months to acquire information, prepare material for exfiltration, and plant additional malware mechanisms. This significantly increases the risk of internal threats in your environment especially when threat actors are now much more aware of your infrastructure and the defenses you have put in place.
What’s needed – visibility inside and out
In order to identify and handle the dangers lurking in the infrastructure, security teams must be able to get better visibility into their networks. However, as today’s security monitoring solutions are already complex, costly, and difficult to manage, many organizations limit their traffic monitoring to the ingress and egress of their infrastructure. To protect the internal network, many organizations rely on metadata-based monitoring, including device logs and events from any infrastructure device, and traffic flow data generated by routers and switches. This creates a massive amount of data that is difficult for security personnel to correlate and assess, as shown in Figure 1.
Security information and event management (SIEM) systems and, more recently, machine learning (ML)-based algorithms have been promising to do a better job of correlating these millions of data points and to detect unusual behavior in the infrastructure. However, dwell times continue to go up while the number and sophistication of attacks increase simultaneously – turning the question of whether an attack will impact your environment from an ‘if’ to a ‘when’.
Despite the massive amount of data and the many expensive systems that security operations teams have invested in, the fundamental questions of security operations are still going unanswered in many cases:
What was compromised and/or exposed?
Who was responsible for the vulnerability?
Who was responsible for the attack?
Has the breach been resolved?
Can the resolution be validated?
Packet Capture – the Forgotten Art
One effective approach to get better visibility into your environment is to complement the vast amount of metadata with analysis of the traffic behavior in your network. Network Detection and Response solutions are an effective tool for this analysis. However, just like the rest of the security monitoring infrastructure, they are focused on threat detection. This means traffic that was analyzed is quickly discarded, and only the event-relevant information is maintained to minimize the amount of data that needs to be stored. This, however, creates issues for incident analysis and forensics. Most metadata lacks the detail needed to prioritize the severity of an event and to determine what led up to the event and what happened afterwards. Even lengthy analysis correlating disparate information from different sources often does not provide the complete picture to determine the scale and impact of an intrusion.
For that, the actual traffic surrounding the event is essential. Network and security engineers have been using packet capture, also called PCAP, for this purpose for decades. However, with the ever-increasing amount of traffic, packet capture has taken a back seat, as the increasing traffic rates and complexity have made these solutions complex and costly. These days it is mostly employed reactively after an event has been detected, or the devices only capture the conversation of interest, which is insufficient for a more detailed analysis.
Why packet capture
Network packets captured and analyzed during the attack are extremely hard for attackers to remove or manipulate, making them irrefutable proof. Attackers must still properly encode packets in order for them to travel across the network and ensure that they include the necessary information for the activity they want to do.
As shown in Figure 2, Test Access Points (TAPs) connecting directly into the wire or Switched Port Analyzer (SPAN) ports on switches or routers are used to create copies of the traffic to feed into the monitoring infrastructure:
Once this data is collected, it may be evaluated both before and after the occurrence to establish how attackers accessed the network, what activities they did, and which devices they interacted with:
Packets can reliably recreate all communication relationships to assess how far a threat has spread
Allows for analysis of not just the header information but payload embedded in the packets (if not encrypted)
Provides reliable timing information on all packets traversing the network
Provides broader attack patterns across multiple devices
Packets provide a rich set of unalterable information and the solid foundation needed for quick threat response.
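To make the first and third points in the list above concrete, the following is an added example, not code from the author or any product mentioned here. It parses a classic pcap file, rebuilds the communication relationships with first-seen and last-seen times, and lists the hosts a suspect machine could have reached in time order. The addresses, ports, timestamps and function names are constructed for illustration.

```python
import struct

def build_pcap(rows):
    """Constructed sample data: little-endian classic pcap of Ethernet/IPv4/TCP frames."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, src, dst, dport in rows:
        addrs = bytes(int(o) for o in (src + "." + dst).split("."))
        ip = struct.pack("!BBHHHBBH", 0x45, 0, 40, 0, 0, 64, 6, 0) + addrs
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 0x50, 0x02, 1024, 0, 0)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + tcp
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def packets(pcap):
    """Yield (ts, src, dst, proto, dport) for every IPv4 frame in a classic pcap."""
    e = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if e is None or struct.unpack_from(e + "I", pcap, 20)[0] != 1:
        raise ValueError("need a classic microsecond pcap with Ethernet linktype")
    off = 24
    while off + 16 <= len(pcap):
        sec, usec, caplen, _ = struct.unpack_from(e + "IIII", pcap, off)
        frame, off = pcap[off + 16: off + 16 + caplen], off + 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # truncated record or not IPv4 (VLAN tags and IPv6 are skipped)
        l4, proto = 14 + (frame[14] & 0x0F) * 4, frame[23]
        has_port = proto in (6, 17) and len(frame) >= l4 + 4
        dport = struct.unpack_from("!H", frame, l4 + 2)[0] if has_port else 0
        yield (sec + usec / 1e6, ".".join(map(str, frame[26:30])),
               ".".join(map(str, frame[30:34])), proto, dport)

def conversations(pcap):
    """Map (src, dst, proto, dport) -> [first_seen, last_seen, packet_count]."""
    convs = {}
    for ts, *key in packets(pcap):
        rec = convs.setdefault(tuple(key), [ts, ts, 0])
        rec[0], rec[1], rec[2] = min(rec[0], ts), max(rec[1], ts), rec[2] + 1
    return convs

def spread(pcap, host, since):
    """Candidate hosts reached from `host` via time-ordered packets at/after `since`."""
    reached = {host: since}
    for ts, src, dst, _, _ in sorted(packets(pcap)):
        if src in reached and ts >= reached[src] and dst not in reached:
            reached[dst] = ts  # any packet direction counts, so this is an upper bound
    return {h: t for h, t in reached.items() if h != host}

SAMPLE = build_pcap([  # constructed traffic, not from a real capture
    (100, "10.0.0.5", "10.0.0.9", 445), (200, "10.0.0.7", "10.0.0.8", 22),
    (300, "10.0.0.5", "10.0.0.7", 445), (400, "10.0.0.7", "10.0.0.20", 3389),
    (450, "10.0.0.7", "10.0.0.20", 3389), (500, "10.0.0.30", "10.0.0.31", 80)])
```

With 10.0.0.5 treated as suspect from t=250, `spread` returns 10.0.0.7 and 10.0.0.20 but not 10.0.0.8, because 10.0.0.7 contacted that host before it was itself reached. That ordering is only recoverable because the capture timestamps every packet.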
Early Versions of PCAP: Not What They Are Today
It's important to understand the history of PCAP and why it didn't capture the attention of security professionals in the past. Traditional packet capture systems are specialized proprietary hardware devices that have typically been too sophisticated and costly for mainstream usage and implementation, and as a result, were seldom used in a corporate context. Placed at important network aggregation points, these systems intercept packets and store them on disk, mostly traditional hard disk drives. Unfortunately, this results in considerable performance issues.
Given the vast amount of traffic being stored, less expensive SATA (Serial Advanced Technology Attachment) drives are used. However, as those drives cannot simultaneously read and write, priority is given to the capture and indexing of the incoming data to avoid data loss, slowing down data extraction and analysis (see Figure 3). If too much data is extracted too quickly, packets on the intake side may be lost, resulting in gaps in the network data gathered, and significantly affecting any ability to assess the traffic accurately. This is particularly difficult to scale to today's network load levels of 100 Gbps or even higher data rates. Racks of equipment are required to spread out the traffic volume in order to keep up with high traffic rates. This has limited the use of packet capture to a mostly reactive approach in select areas of the network and has limited the amount of traffic being captured, which in turn has limited its usefulness for incident response.
Today's Full Packet Capture: Newer Technologies Dramatically Improve Security
The advancement of high-speed storage solutions built on NVMe Solid State Drives (SSDs), which store information in flash and non-volatile memory rather than on traditional mechanical HDDs, is game-changing. By combining high-speed SSD storage with switched PCIe fabrics and a simplified file platform, read and write performance may be up to 20 times quicker than traditional HDD-based systems while significantly reducing the footprint. Figure 4 depicts this new approach:
This allows for simultaneous read and write access, providing complete PCAP access from different servers for storage and access — removing the possibility of gaps in the network packets gathered. This enables more cost-effective and widespread implementation of PCAP systems, by accessing data on all network transactions. This includes full visibility before and after each event for alarms or events recorded, as well as detailed historical assessments.
Because all traffic is saved, mitigating measures may be undertaken by replaying it. This sequence of events provides the ability to detect malware infections and Advanced Persistent Threats (APTs), as well as maliciously modified traffic. Additionally, these new packet capture solutions are built to handle high network traffic loads and can be deployed across the enterprise.
Next-generation PCAP offers unprecedented network and application visibility that is critical to security operations. It allows security professionals to monitor network traffic and detect intrusions, provide additional intelligence for incident response, gather event data for forensics investigations, and track intrusions across the enterprise.
PCAP in US Government and Defense
PCAP is gaining interest within the military and the federal government. The US Army's Defensive Cyber Operations recently announced the implementation of this new PCAP solution approach for its Garrison Defensive Cyberspace Operations Platform (GDP). The Department of Homeland Security, The Department of State, Aberdeen Proving Grounds, the US Marine Corps, and the Missile Defense Agency are among those agencies that have issued RFPs and RFIs looking for PCAP solutions to improve their incident and forensic approach.
This full packet capture approach has become much more affordable, allowing for unparalleled visibility into network breaches and malware infections, which is necessary for improved attack prevention. It not only ensures that threat identification and notification are successful, but it is also effective in providing an additional layer of defense against cyberattacks.
About the Author
Scott Welles is the Vice President for Federal Business Development and Sales at Axellio. He joined Axellio in 2021 to drive sales of Axellio’s products and services in the government sector, including the Department of Defense (DoD). Welles previously worked for management and technology consulting firm Booz Allen Hamilton Inc. leading diverse business portfolios across numerous agencies, including the Department of Defense, Justice/FBI, Homeland Security, and the Department of Transportation, among others.