Layered Defense – The Benefits of Full Packet Capture

By Frank Urbanski. Published February 9, 2016; updated May 14, 2021. Category: Cybersecurity.

Continuing our series on layered defense, we are going to take a look at full packet capture.

Full packet capture (FPC) is still fairly misunderstood in the IT community. For many, FPC is synonymous with NetFlow, or simply source/destination and metadata information on packets. Others think of it as a beast that is used in conjunction with Wireshark to show a ton of indecipherable data. On the contrary, FPC is one of the most powerful practices that we can employ to give us a full, deep understanding of everything that is coming and going on a network, with the ability to look back in time. It’s like a DVR for your network!

Getting Excited about FPC

Forgive me if my excitement about this topic shines through. As a cyber security professional, when I am investigating an incident and I have access to full packet captures of network traffic during the time of the incident… game over. I have the ability to understand EXACTLY what happened.

Here are some high level scenarios on how FPC can help an investigation of an incident.

  • End-to-End Traffic Description. No matter how an adversary sets up a malicious website, their lies will be exposed by packets. Having a capture device sitting at the correct location on your network will be able to tell you whose traffic went where, what ports were used for connecting, and what files were requested and/or sent.
  • Data Reassembly. One of the little-known facts about FPC is that you can actually reassemble entire files from packets. A good adversary will clean up after themselves, which makes it harder to discover their goals and what they took. With the power of FPC we can take a packet stream from the infected machine’s web traffic and recreate the malware that was downloaded and installed. This allows a professional to analyze the malware to help determine its intent and whether the attacker likely took other actions within the network. Data reassembly also has the added benefit of allowing you to reconstruct data that has left your network. You can use this as a postmortem DLP of sorts: re-create the data that was siphoned from your network to determine the impact of what was taken.
  • Man in the Middle. Sometimes connections to malicious locations, for infiltration or exfiltration, are encrypted. Under normal circumstances, it would be essentially impossible to see what is going on inside the packets. But if you have access to the encryption keys, you can set up a dummy server and decrypt the traffic being sent from the malware. Yet another way to put the kibosh on the enemy’s advanced tactics. (Note: custom encryption algorithms, used very infrequently and only by the most advanced of attackers, could evade this method. There’s no such thing as a perfect solution!)
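To make the data reassembly point concrete, here is an added example (not code from the original post) that rebuilds an HTTP download from out-of-order, partly retransmitted TCP segments and carves the transferred file out of it. The segments, the server response and the 768-byte "file" are all constructed inline; the stream is assumed to have been extracted from the capture already.

```python
import hashlib

# Constructed sample (not from a real capture): the bytes a web server sends
# when a host fetches a small binary, split into TCP segments that arrive out
# of order, with the first segment retransmitted once, as captures often show.
FILE_BYTES = bytes(range(256)) * 3                       # a 768-byte "download"
RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
            b"Content-Length: %d\r\n\r\n" % len(FILE_BYTES)) + FILE_BYTES
ISN = 1000                                               # server's initial seq
SEGMENTS = [
    (ISN + 400, RESPONSE[400:]),   # tail of the response arrives first
    (ISN, RESPONSE[:200]),
    (ISN, RESPONSE[:200]),         # retransmission: exact duplicate
    (ISN + 200, RESPONSE[200:400]),
]
EXPECTED_SHA256 = hashlib.sha256(FILE_BYTES).hexdigest()

def reassemble_tcp(segments):
    """Rebuild one direction of a TCP stream from (seq, payload) pairs.
    Segments are replayed in sequence order; duplicated or overlapping bytes
    are dropped so a retransmission cannot corrupt the stream. 32-bit sequence
    wraparound is not handled; a hole in the capture raises an error."""
    stream = bytearray()
    expected = min(seq for seq, _ in segments)
    for seq, payload in sorted(segments, key=lambda s: s[0]):
        end = seq + len(payload)
        if end <= expected:
            continue                            # nothing new in this segment
        if seq < expected:
            payload = payload[expected - seq:]  # partial overlap: keep new bytes
        elif seq > expected:
            raise ValueError(f"capture is missing bytes from seq {expected}")
        stream += payload
        expected = end
    return bytes(stream)

def carve_http_body(stream):
    """Split the reassembled stream into headers and the transferred file,
    cutting at Content-Length so unrelated trailing bytes are not included."""
    head, _, rest = stream.partition(b"\r\n\r\n")
    headers = dict(line.split(b": ", 1) for line in head.split(b"\r\n")[1:])
    return headers, rest[:int(headers[b"Content-Length"])]

def recovered_file_sha256(segments=SEGMENTS):
    """Hash of the carved file, ready to compare against threat intelligence."""
    _, body = carve_http_body(reassemble_tcp(segments))
    return hashlib.sha256(body).hexdigest()

if __name__ == "__main__":
    print("recovered file matches:", recovered_file_sha256() == EXPECTED_SHA256)
```

The same two steps apply to outbound traffic: reassemble the client-to-server direction and carve the request body to see what left the network.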

Obviously full packet capture is a super powerful tool that can be deployed to help your network security posture, but why isn’t everyone using it? Here are some downsides that are worth noting.

  • Cost. This is probably the biggest issue for most organizations. The biggest component when it comes to the cost of an FPC solution is storage. Remember that FPC captures everything that is coming and going on your network. That’s a lot of data! That 4GB Linux distribution you downloaded – it’s in there. Bob from Accounting’s Pandora streaming – it’s in there. That viral video that’s making it around the IT department – it’s in there. They all take up space in your FPC system. And just like with your DVR, you have to decide what you want to keep, or have it roll off into oblivion. If you want to keep more time, you have to pay for more storage. But don’t let that deter you! Even a week of data is invaluable.
  • Experience. Packet flow analysis is more art than science. The people who are experts at surfing the stream are specialized, talented, and somewhat hard to come by. To take advantage of the benefits we listed above, you need to find analysts who know how to use it, or who at least have the aptitude to get in there and make it dance.
  • Exposure. For some reason, FPC hasn’t made a big splash as a technology in the market like other security technologies. A lot of people still think of security as firewalls and anti-virus. Then there are those who understand that those are woefully inadequate, but swear by IDS/IPS as the solution. And then there’s the Advanced Threat Management crowd. But there hasn’t yet been a groundswell of big press and hullabaloo.

As with many network security services and tools, there are a lot of reasons to get excited. And as with every countermeasure, you need to weigh the value your organization gains from FPC against how much risk you are willing to accept.

Full Packet Capture is an invaluable layer of a proper defense-in-depth strategy. Let’s start a revolution! Embrace your packets! Know your flows! With deeper knowledge of the past, you can effectively guard against the future.

Frank Urbanski

Frank worked for 8+ years as a Software and Cyber Security Engineer within the defense industry. At Alpine Cyber Solutions Frank oversees the Security Services line of business. He has his passions set on Incident Response, Automation, and Threat Management.
