14 Nov 2022

The evidence teams need for cyber defence (Guest blog from Endace)

Guest blog from Mark Evans, VP Marketing, Endace

If recent, widespread vulnerabilities like Log4J 2, OpenSSL, and SolarWinds/SolarFlare have taught us anything, it’s that cyberattacks can come from directions you least expect them to. It’s therefore unsurprising that concepts like Zero Trust and network-wide security monitoring have gained such momentum as organisations scramble to reduce the risk of security breaches that can potentially emerge from anywhere. 

All this is good, of course. And not particularly new either. We’ve known for a long time that adopting the principle of least privilege, segmenting networks, building defence-in-depth and assuming that attackers are already in your network is best practice. These vulnerabilities serve as a very strong reminder of how important those principles are.

However, the missing part of the equation is that organisations are routinely failing to collect the critical evidence security teams need to properly investigate network security issues. The gold standard for network security forensics is packet data – because it contains the actual payload of network transactions: as the saying goes, “the truth is in the packets”. But organisations have traditionally shied away from recording packet data in the mistaken belief that it’s “too hard”, “too expensive”, or they can make do with log files and network flow data. If they record any packet data at all, it’s typically just the few packets that firewalls record to document why a particular rule was triggered.

That’s simply not sufficient when it comes to definitively identifying the cause of a breach or an attack and establishing how it happened and what was affected. Log files can be manipulated by attackers or may simply fail to have recorded specific activity. And network flow data is only a summary of network activity – not dissimilar to the way that the list of calls you see on your phone account can’t tell you the content of the actual calls themselves. Moreover, network flow data is often “sampled” – further reducing its reliability. 

The prevailing view of packet capture is outdated. In fact it’s no longer too hard or too expensive. Technology advances such as hardware compression and inexpensive storage have brought packet capture well within the reach of most organisations. Likewise, mature traffic decryption solutions allow encrypted traffic to be decrypted for analysis. So now the choice is less about whether or not you should deploy a packet capture solution and more about what sort of solution to deploy. And what else you need to make packet data useful.

Some vendors push “triggered” or “smart” packet capture as a way to reduce cost. This is where packet capture is dynamically turned on when a specific rule or condition is triggered. However that assumes that you determine ahead of time what traffic is going to be relevant for investigating a particular threat or issue. As we know from Zero Day Threats such as those listed at the beginning of this article, that’s an impossible task.

The only reliable way to be certain of recording the evidence you need is to implement “always-on” packet capture with sufficient storage capacity to give your security and network operations teams the time they need to go back and reconstruct threats or events and archive evidence if needed. Necessary storage capacity can range from a few days to weeks or months depending on the organisation’s specific requirements. 

Having decided on what packet capture solution to deploy, the next question is how to make that data useful. Ideally, the solution should integrate with the tools you are already using – firewalls, IDS tools, SIEMs, performance monitoring tools, etc. – so analysts can go directly from alerts in those tools to the related packets for forensic analysis. The ability to quickly search and mine packets is also crucial for threat hunting, validating Zero Trust policies and checking security configuration (e.g. testing new detection rules or investigating behavioural anomalies). 
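The three points made above (a flow record is only a summary of a conversation, sampling can drop the one packet that matters, and an analyst needs to pivot from an alert straight to the related packets) are easy to see with a small script. The following is an added example written for this page, not Endace's code or any product's API: it builds a handful of constructed packets, produces a NetFlow-style summary of them, applies 1-in-4 sampling, and then runs the two queries only full packet capture can answer. The addresses, ports, payloads and the "EXAMPLE-IOC-STRING" marker are all made up; the marker stands in for an indicator the team only learns to search for after an incident, which is exactly the case triggered capture cannot anticipate.

```python
# Added example (not Endace's code): constructed sample traffic showing what a
# flow summary keeps, what sampling discards, and what full packet capture
# lets an analyst retrieve after an alert. All addresses, ports, payloads and
# the "EXAMPLE-IOC-STRING" marker are constructed for this example.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """One captured packet, reduced to the fields this example needs."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    payload: bytes


# Constructed traffic: a web fetch, an upload whose body carries a marker the
# team only learns to look for later, and a DNS lookup. Seven packets in all.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", 51000, 80, "tcp",
           b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Packet("10.0.0.80", "10.0.0.5", 80, 51000, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n<html>ok</html>"),
    Packet("10.0.0.7", "10.0.0.80", 51001, 80, "tcp",
           b"POST /upload HTTP/1.1\r\nHost: intranet\r\n\r\nEXAMPLE-IOC-STRING"),
    Packet("10.0.0.7", "10.0.0.80", 51001, 80, "tcp",
           b"...remainder of upload body..."),
    Packet("10.0.0.80", "10.0.0.7", 80, 51001, "tcp",
           b"HTTP/1.1 200 OK\r\n\r\n"),
    Packet("10.0.0.9", "10.0.0.53", 40000, 53, "udp",
           b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x08intranet\x00\x00\x01\x00\x01"),
    Packet("10.0.0.53", "10.0.0.9", 53, 40000, "udp",
           b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"),
]


def flow_key(p: Packet) -> tuple:
    """Bidirectional flow key: protocol plus the two endpoints in sorted order,
    so request and reply packets land in the same flow record."""
    lo, hi = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, lo, hi)


def flow_summary(packets) -> dict:
    """What a flow record (NetFlow/IPFIX style) keeps: counts per flow.
    Payload bytes are counted, never stored, so no content can be searched."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        rec = flows[flow_key(p)]
        rec["packets"] += 1
        rec["bytes"] += len(p.payload)
    return dict(flows)


def sample_one_in_n(packets, n: int) -> list:
    """Deterministic 1-in-n sampling, as many flow exporters do on busy links."""
    return packets[::n]


def search_payloads(packets, needle: bytes) -> list:
    """Full-capture search: find every packet whose payload contains `needle`.
    This is the query a team can only run if the packets were recorded."""
    return [p for p in packets if needle in p.payload]


def packets_for_alert(packets, client: str, server: str, server_port: int) -> list:
    """Pivot from an alert's client/server/port to both directions of that
    conversation: the 'alert to packets' step the text describes."""
    return [
        p for p in packets
        if (p.src == client and p.dst == server and p.dport == server_port)
        or (p.src == server and p.dst == client and p.sport == server_port)
    ]


if __name__ == "__main__":
    full = flow_summary(SAMPLE_TRAFFIC)
    print(f"{len(full)} flows summarised; fields kept: {list(next(iter(full.values())))}")
    hits = search_payloads(SAMPLE_TRAFFIC, b"EXAMPLE-IOC-STRING")
    print(f"full capture: marker found in {len(hits)} packet(s)")
    sampled = sample_one_in_n(SAMPLE_TRAFFIC, 4)
    print(f"1-in-4 sampled: marker found in "
          f"{len(search_payloads(sampled, b'EXAMPLE-IOC-STRING'))} packet(s)")
    for p in packets_for_alert(SAMPLE_TRAFFIC, "10.0.0.7", "10.0.0.80", 80):
        print(p.src, "->", p.dst, p.payload[:24])
```

Run as-is, the flow summary reduces the upload conversation to a packet and byte count with no content to search, the 1-in-4 sample keeps only two of the seven packets and loses the one carrying the marker, and the alert pivot returns all three packets of the upload conversation from the full capture. Real flow exporters and capture appliances carry many more fields (timestamps, TCP flags, interface indices), but the asymmetry shown here is the same.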

If they don’t already have packet forensics expertise, your teams will also need to upskill. There is a wealth of information available from sources like the Wireshark and Sharkfest communities (Wireshark is the tool of choice for packet forensics) and organisations like SANS that provide network forensics courses. YouTube is also full of great training material. 

As organisations consider their security infrastructure, it’s critical that they don’t overlook the importance of collecting the data their teams require for visibility into what’s actually happening on the network. Sooner or later an attacker is going to find the one vulnerability they need to get past defences, and that’s when lacking visibility is really going to be costly.


Endace are the Networking Sponsor for the upcoming techUK Defence Winter Dinner.

For more than two decades, Endace has provided high-speed network recording and visibility solutions to monitor and protect some of the world’s largest, most complex networks. Our customers include defence and federal agencies around the globe, including NATO partners, who require dynamic cyber capabilities that enable rapid response to new and emerging threats.

Endace has grown to become a world leader in packet capture technology for cybersecurity, network and application performance, continuously recording network activity at thousands of deployed locations.

The open EndaceProbe Analytics Platform can host third party network analytics applications while simultaneously recording 100% accurate network history, providing definitive evidence for investigating cybersecurity threats, quantifying data breaches and analyzing network or application performance problems. 

Endace’s partners include the world’s leading cybersecurity and network technology companies such as Cisco, Darktrace, Fortinet, Gigamon, IBM, Keysight Technologies, Micro Focus, Palo Alto Networks, Plixer, Splunk and many others. Customers can also host open-source tools or their own custom traffic analysis solutions on the EndaceProbe platform.


techUK Defence Winter Dinner, 8 December (Sold Out)

The techUK Defence Winter Dinner will take place on Thursday, 8 December 2022. The techUK defence dinners are a prime place to engage with the techUK defence community - individuals, businesses and serving personnel brought together through common interests and goals. Our defence dinners are always very popular with members, civil servants, and members of the armed forces alike. Our Defence Spring Dinner in May brought together over 220 delegates and we anticipate similar numbers at the winter event.

We are delighted to announce that this year's keynote speaker is Lieutenant General Tom Copinger-Symes CBE, Deputy Commander, UK Strategic Command.