How to Quickly Differentiate Between Malicious and Harmless Traffic Using the Cisco Security Packet Analyzer
With the constant news headlines about data theft, it is mandatory that organizations understand what data is entering, traversing, and leaving their networks, and that they have the ability to examine that data when conducting network forensic investigations. Two popular styles of attack that are constantly in the news are data hoarding (Edward Snowden) and data exfiltration (large media companies). In all of these incidents, organizations were blindsided to find out that massive amounts of data had been hoarded and then exfiltrated on physical media or via the internet.
To help with quickly investigating and differentiating data hoarding and data exfiltration attacks, Cisco is releasing software version 6.3.1 for the Cisco Security Packet Analyzer solution. This release adds new tools for viewing and analyzing the data packets traversing networks. Along with capturing traffic and allowing pcap analysis via a web-based, Wireshark-style interface, the Packet Analyzer tracks every file contained in the traffic it captures and makes this list available for file carving (extracting files from captured network packets). That is, you can view a list of all files that were contained in the network traffic captured by the Packet Analyzer. Continuing along this line of investigation, you can search this list for specific files, for source and/or destination IP addresses, and by port, protocol, and other network-related filters. If the file names do not give you enough information about the file contents, the next step is to select any files of interest and extract them. The Packet Analyzer lets you download the files and open them in their native application on your desktop. That is, you could view any document, spreadsheet, diagram, or image file traversing the network, or examine a piece of malware. You could also view any images, including vacation photos, captured in the network traffic. With the Security Packet Analyzer you can quickly differentiate between malicious data hoarding of critical files and harmless data hoarding of internal manuals, or between data exfiltration of sensitive company data and the transfer of an employee's vacation photos to a family member's FTP server.
This file extraction capability is amplified by the Security Packet Analyzer's native integration with Cisco's Stealthwatch security solution. Stealthwatch uses network analytics to detect data exfiltration and data hoarding activities and alert an analyst. From the Stealthwatch console, with one button click, a packet query can be auto-populated from the alert parameters and then executed against multiple Packet Analyzers throughout the network to analyze a specific conversation. Once the query executes, the analysis interface loads with the queried conversation available for packet analysis. From the interface, a list of all files in the conversation is available, along with the option to download them, so you can very quickly understand which files were involved in the alert.
In addition to the file extraction capabilities of the new Packet Analyzer software release, Cisco has added support for packet decryption across a wide range of cipher suites for which the private key is available. This means that if you are running an internal application whose conversations are encrypted using a known corporate key or private key, Packet Analyzer can use that key and other session details to decrypt a conversation. Once a conversation is decrypted, deep packet analysis is available, along with the ability to extract any file contained within the decrypted capture.
As of October 2, 2017, the new software is available to download for installation on your existing Packet Analyzers. All new Packet Analyzer appliances will ship with version 6.3.1 of the software.
To learn more about Stealthwatch and Security Packet Analyzer integration read Brian Ford’s great post here.
Stay tuned for updates: the next release of Security Packet Analyzer will include a new virtualized version for lower-capture-rate branch deployments and integration with Cisco's Firepower NGFW. Be sure to check out the Security Packet Analyzer site for product details and announcements.