Packets Matter is an op-ed series advocating the use of PCAP (Packet CAPture, or network traffic) as the primary source of intelligence in enterprise network security.
In my first post, “Why Logs Fail to Secure Networks,” I concluded that:
Ultimately, logs are diagnostic tools for systems and applications. They are not security tools, and they will not facilitate an effective response to a breach. IT leaders must recognize that an effective security operations center will demand the costs of a network security solution that empowers the team to focus on incident response.
In the next post, “Scaling Packet Capture,” I discussed exactly how to go about architecting a solution that can handle the massive volume of data traveling across a typical enterprise network. In this post, my last of this series, I’ll discuss the benefits of using a packet capture solution, especially one that focuses on empowering analysts with the information they need, when they need it, and why and how it creates a far more effective network security solution.
So, an analyst receives an alert, then what? In most shops, understanding if something is truly wrong requires actually logging on to the host machine where the alert was generated and grabbing raw files. Or perhaps prior to this, they’ll check other systems to see if the alert is corroborated. Even in a really advanced SOC, with an alert that includes raw files with it, and assuming the alert is truly problematic, the analyst has no easy way to understand the extent of the problem. Hours later, he or she will still be logging on to multiple systems attempting to track down exactly what’s happening. Usually, they’ll give up before truly understanding the extent, making a risk-based decision, “We think we’ve covered everything.” While these decisions make sense in a resource-constrained environment, it’s this exact decision that sophisticated attackers count on to remain hidden.
Wouldn’t it be nice if the analyst had almost instant access to all of the information needed to both triage an alert and fully understand the extent of a true positive? This is exactly what a network-traffic packet capture solution can provide — if it’s architected correctly (more on that a bit later). Let’s take a look at a simple example: applications will often report their current version and other information back to their vendor, say, Microsoft. This same behavior is seen in malware that has installed itself on a host, letting its command and control servers know it’s available and what type of system it has been installed on; this is known as beaconing. Many cyber security systems can detect this type of behavior and issue an alert, but in a shop with only a log aggregator that doesn’t include raw files with an alert, then what? The receiving analyst is, as above, left with logging in to the suspected host to understand if it’s a Microsoft update or malicious beaconing behavior, and let’s say that process takes five minutes to determine that the software is talking to Microsoft, a false positive. Now let’s say that he or she could, with one click, access the exact beaconing message taken off the wire. In this scenario the analyst could instantly and confidently (because it’s the ground truth) see if it’s just a Microsoft application talking to Microsoft, and let’s say that process takes ten seconds. Now divide five minutes by ten seconds. We’ve just made our Tier 1 Alert Triage Analyst 30 times (!) more efficient.
For our next example, let’s explore a shop that has actually deployed a leading network-traffic based Security Analytics solution. These solutions were originally architected for forensics work and have since “grown up” to handle real-time deep packet inspection. Because they unravel almost everything, their databases are very large and distributed. So, let’s say an analyst gets an alert from one of these systems, and let’s say it’s something that looks pretty serious (and they can tell this because the associated packet capture is actually included with the alert). In this case the next question the analyst will ask is, “Uh oh, was anything else infected?” So he or she starts querying the system’s very large and distributed databases to see what other machines the affected host has talked to recently. Unfortunately, because of the database’s architecture, these queries will often take minutes to hours to never to return an answer. So once again the analyst is forced to turn to many other systems to manually piece together answers to the puzzle, which is debilitating in a real-time attack environment where time is of the essence.
What’s needed is a system that enables an analyst to interactively and iteratively receive truthful answers to questions such as, “Show me all traffic that went out of this IP address,” then “Has it been communicating via HTTP?” or perhaps “Has this host been communicating with China?” With a system that can answer these types of questions almost immediately, an analyst can rapidly and confidently determine the extent of a potential problem. Then, as they continue to narrow from a haystack to a needle, with access to the actual files running across the network, they can export those files into something like Wireshark or Xplico for even deeper analysis, to answer questions such as, “Should we shut down this infected server? That malware might have root access. If two machines have the same malware they might be beaconing each other, and if we shut one down it might wipe all data on the other.” There are a lot of tripwires in cyber security incident response, and with a system that captures network traffic, enables queries to be answered almost immediately, then provides instant access to the packet capture — the actual raw files — an entire incident response procedure can be drastically accelerated, all encapsulated within one system.
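To make the two scenarios above concrete, here is an added example (my own illustration, not code from the post or from Novetta Cyber Analytics) of the kind of per-connection index a packet capture system builds from parsed headers, and the pivot queries an analyst runs against it: all outbound traffic from a host, whether it used HTTP, whether it reached a given country, and which peers it contacts at a steady interval (the beaconing check), with the captured Host value used to separate a vendor update check-in from something that needs investigation. The flow records, the prefix-to-country table standing in for a GeoIP database, and the vendor allowlist are all constructed for the example; the addresses are documentation ranges.

```python
"""Toy packet-metadata index for analyst pivot queries (added illustration)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Constructed flow records: (ts_seconds, src, dst, dport, proto, http_host).
# http_host is the parsed Host header or TLS SNI, None if neither was seen.
# 10.1.1.5 contacts 203.0.113.9:80 every 60 s, checks in once with a vendor
# update server, and touches an internal peer over SMB. 10.1.1.7 browses at
# irregular times. All addresses come from documentation ranges.
FLOWS = [
    (0,    "10.1.1.5", "203.0.113.9",   80,  "tcp", "updates.example-bad.test"),
    (60,   "10.1.1.5", "203.0.113.9",   80,  "tcp", "updates.example-bad.test"),
    (120,  "10.1.1.5", "203.0.113.9",   80,  "tcp", "updates.example-bad.test"),
    (180,  "10.1.1.5", "203.0.113.9",   80,  "tcp", "updates.example-bad.test"),
    (240,  "10.1.1.5", "203.0.113.9",   80,  "tcp", "updates.example-bad.test"),
    (90,   "10.1.1.5", "192.0.2.10",    443, "tcp", "update.vendor.example"),
    (300,  "10.1.1.5", "10.1.1.7",      445, "tcp", None),
    (10,   "10.1.1.7", "198.51.100.20", 443, "tcp", "www.example.com"),
    (400,  "10.1.1.7", "198.51.100.20", 443, "tcp", "www.example.com"),
    (405,  "10.1.1.7", "198.51.100.20", 443, "tcp", "www.example.com"),
    (2000, "10.1.1.7", "198.51.100.20", 443, "tcp", "www.example.com"),
]

# Constructed stand-in for a GeoIP database: prefix -> country code.
GEO = {"203.0.113.0/24": "CN", "198.51.100.0/24": "US", "192.0.2.0/24": "US"}

# Constructed allowlist of vendor update hosts the analyst recognises.
KNOWN_VENDOR_HOSTS = {"update.vendor.example"}


def outbound(src):
    """'Show me all traffic that went out of this IP address.'"""
    return [f for f in FLOWS if f[1] == src]


def peers(src):
    """Distinct destinations src talked to: the 'was anything else infected?' pivot."""
    return sorted({f[2] for f in outbound(src)})


def http_flows(src):
    """'Has it been communicating via HTTP?' (port 80 or a parsed Host/SNI value)."""
    return [f for f in outbound(src) if f[3] == 80 or f[5] is not None]


def country(ip):
    """Map an address to a country code via the constructed prefix table."""
    for net, cc in GEO.items():
        if ip_address(ip) in ip_network(net):
            return cc
    return "??"


def flows_to_country(src, cc):
    """'Has this host been communicating with <country>?'"""
    return [f for f in outbound(src) if country(f[2]) == cc]


def triage(http_host):
    """The ten-second ground-truth check made from the captured message itself."""
    return "known vendor update" if http_host in KNOWN_VENDOR_HOSTS else "investigate"


def beacon_candidates(src, min_hits=4, max_cv=0.2):
    """Flag (dst, dport) pairs that src contacts at a steady interval.

    A low coefficient of variation of the gaps between connections is the
    classic beaconing signal. Returns (dst, dport, hits, mean_gap_s, verdict).
    """
    by_peer, host_of = defaultdict(list), {}
    for ts, _, dst, dport, _, host in outbound(src):
        by_peer[(dst, dport)].append(ts)
        host_of.setdefault((dst, dport), host)
    found = []
    for (dst, dport), times in by_peer.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            found.append((dst, dport, len(times), avg, triage(host_of[(dst, dport)])))
    return found


if __name__ == "__main__":
    host = "10.1.1.5"
    print("peers:", peers(host))
    print("HTTP flows:", len(http_flows(host)))
    print("flows to CN:", len(flows_to_country(host, "CN")))
    print("beacon candidates:", beacon_candidates(host))
```

Each query is a filter over an already-parsed index rather than a scan of raw packets, which is what makes the iterative narrowing the post describes practical; the `triage` step shows why having the captured Host value attached to the alert collapses the five-minute host login into a lookup.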
Imagine if an entire security team had such a solution. Everyone from an entry-level Tier 1 analyst to the best Network Hunter in the world would be dramatically more efficient and effective.
Everything I’ve described above is illustrative of the capabilities of Novetta Cyber Analytics, which has demonstrated its effectiveness on some of the largest and most sensitive networks on the planet. You can learn more about its architecture here. You might also like to browse some of our favorite analytics made possible by this architecture, found in the “Top 10 Analytics” doc at the bottom of the Novetta Cyber Analytics product page. Hopefully I have given you some concepts and keywords to help guide your research on achieving a far more effective cyber security network architecture.