Packet capture has long been used by network operators, but a variety of challenges have limited its effectiveness in security and threat detection. In large networks, packet capture can collect terabytes of packet data, and sifting through that data for evidence of an intrusion can take a long time.
Traditionally, investigators used broad packet capture to support their investigations. They would capture everything at various points in the network. When investigating potential incidents analysts would search these captured packets looking for key IP addresses. When they had a reduced subset of the packet data they would use scripts that used the data to recreate a timeline that shows what a device and an IP address communicated with over time. From this timeline analysis the analyst could locate specific suspect exchanges and extract just those packets. This extract often returned a large number of packets, forcing investigators to spend hours searching the packets and their payloads for data relevant to the security incident. This slowed down investigations, incident response, and ultimately, the time to resolve an incident.
To address this problem, we explored using different technologies to accelerate incident response. We started by looking at incident response workflows using NetFlow and packet capture in concert. We quickly realized that IT professionals could begin their investigations using NetFlow, which is a more lightweight form of network telemetry, to identify the exact flows associated with suspicious activity. Then, using the exact time, sender, receiver, and port involved in the flow, they can create a highly targeted packet capture query that returns fewer, but higher value packets.
Together, NetFlow and packet analysis allows investigators to be quicker, more agile, and more responsive to threat activity.
There are key differences between NetFlow and packet analysis. NetFlow contains network traffic metadata, which includes aspects such as time, date, IP addresses, port number, etc. Packet capture retains the packet payload, including user and application information.
For example, an employee attempts to look up their time card through a web application hosted on a company server. That application might make a query to a database of employee information on another server. If the employee wants to look at their pay stub, that may involve a query to the payroll provider’s data center across a virtual private network (VPN).
Reconstructing these events through packet analysis requires a lengthy query that may return thousands of packet files that the investigator must then sift through.
With NetFlow, this is a speedy query that provides you with the “who” and “when” of all of the network transactions involving the target machine. But sometimes more granular insight – the “what” – is needed.
This is where packet capture shines. While NetFlow can help specify the time frame or who was involved, packet capture provides the details of a conversation. And with the added information provided from NetFlow analysis, we can craft a more precise packet capture query to reduce investigation times.
Instead of a broad query – such as retrieving every packet a specific machine sent or received on a given day – we can narrow down the time frame and port number. This returns fewer packets that are more relevant to the investigation, which can reduce an hours-long investigation to a few minutes.
Intelligent packet capture with the Cisco Security Packet Analyzer
Unrefined, large-scale packet capture is the quintessential Big Data problem. It has all of the data, but it takes time and resources to find the right information. By narrowing the scope of packet capture by performing timeline analysis with NetFlow and Stealthwatch, many of the challenges of packet capture can be reduced or removed entirely.
The integration of Cisco Stealthwatch and the Cisco Security Packet Analyzer brings together the best aspects of both NetFlow and packet analysis. Using NetFlow and packet analysis together allows organizations to:
- Accelerate incident investigations by quickly locating and analyzing the data around a specific security event
- Obtain deeper visibility into packet data to obtain greater context around an incident
- Investigate incidents based on device, user, and application instead of reconstruction based on all the packets that traverse the network
- Retain pertinent data to examine the exact sequence of events in an investigation
Like other packet solutions, the Security Packet Analyzer collects a rolling buffer of full packet capture, but where it stands out is how it works with NetFlow solutions. When an investigator uncovers a suspicious flow with Cisco Stealthwatch, an enterprise-proven visibility and threat detection solution, using NetFlow, they can click a button to run a targeted query in the Security Packet Analyzer. This query contains all of the parameters of the NetFlow record, ensuring the quickest and most specific query is used. In addition, this query is run simultaneously on all Security Packet Analyzer deployments, and once the packets in question are found, the remaining queries are terminated.
By combining NetFlow’s broad scope and quick investigation capabilities with the in-depth information provided by packet capture, the Security Packet Analyzer shortens investigation times from hours or days to just minutes. Furthermore, the accurate and timely alerts provided by Stealthwatch’s NetFlow analysis allows for the targeted storage of relevant packet capture data, preventing the loss of important information.
For more information on the Security Packet Analyzer, visit www.cisco.com/go/packet-analyzer.
A good percentage of traffic within an organization is encrypted these days. So unless you are expending resources to decrypt the traffic, then full pcap is really limited these days. But since NetFlow does not rely on decrypting traffic, it is often the best place to start an investigation.
Loved it !
Comments are closed.