It is hard to move around the world today without being tracked, and while many may consider such persistent tracking to be a privacy concern, it also provides an added layer of security that can be quite necessary at times. In the world of cybersecurity, data can also be tracked. This is accomplished with a packet analyzer or packet sniffer: a computer program, or a piece of hardware such as a dedicated packet capture appliance. Whether software- or hardware-based, the technology is used to intercept and log traffic that passes over a computer network or part of a network. Packet capture is the subsequent process of intercepting and logging that traffic. It is akin to a video camera that can help determine how a crime took place.
Full Packet Capture and Analysis (PCAP)
A number of U.S. government agencies are already shifting to full packet capture and analysis (PCAP) as a way of significantly improving their cybersecurity. The Department of Homeland Security (DHS), the Department of State, Aberdeen Proving Ground, the United States Marine Corps (USMC), and the Missile Defense Agency (MDA) are among the agencies that have recently issued requests for proposals (RFPs) and requests for information (RFIs) for PCAP solutions.
This year has seen a number of requests for PCAP solutions, and 2020 has signaled a big shift in the way cybersecurity is addressed across the federal government. While this may not completely stop hackers, it essentially allows organizations and agencies to “go back in time” to see how a breach or other security failure occurred, and then use that information to ensure that the issues are addressed.
“It provides an immutable history of the conversations that happened within an organization’s network that, when combined with logs and other forensic data, provides a complete picture of any network intrusions,” explained Mark Zeller, chief revenue officer at Axellio, a provider of PCAP applications.
Introducing Dwell Time
PCAP solutions can help security teams determine how a breach occurred – and this can be hours instead of the days or weeks it has usually taken. This can also allow issues to be resolved before serious damage is done.
“Because of ‘dwell time’ – the amount of time between when an intrusion has happened versus when it is discovered – it is helpful to have the traffic history to A) determine how the intrusion happened, B) determine what devices were impacted, and C) determine what data was exfiltrated or what damage was done,” Zeller told ClearanceJobs. “In other words, if a threat already made it into your environment and has already spread through lateral movement, your priorities shift from blocking to visibility.”
An example of this is an active threat that blends in with normal traffic and is therefore free to compromise accounts, reach sensitive content, and extract it.
“Therefore, to avoid damaging the business you need the visibility into the prediction of problems, detection of active threats, and support of remediation efforts in a race to reduce dwell times and limit impact,” added Zeller.
Use of AI and Machine Learning
Increasingly, artificial intelligence (AI) and machine learning (ML) are being employed in these applications. They allow pattern matching against similar threat signatures, as well as assessing when the behavior of a system falls outside the baseline established for it.
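The two technical ideas in this article, a capture that lets analysts “go back in time” and a baseline against which out-of-norm behavior is flagged, are illustrated below with a small Python example. It is added here and is not code from the article or from Axellio's products. It builds a constructed libpcap byte stream (zeroed MACs, zero IP checksums, zero-filled payloads), parses it into an index of timestamp, IPv4 source and destination, and wire length, retrieves the packets from a chosen time window, and flags any source whose byte volume in that window exceeds a mean-plus-k-standard-deviations threshold computed from an earlier baseline period. The host addresses, time periods and the k=3 threshold are all assumptions chosen for the demonstration.

```python
import socket
import statistics
import struct
from collections import defaultdict

# libpcap file format constants (microsecond-resolution magic as read little-endian).
PCAP_MAGIC_LE = 0xA1B2C3D4        # file written little-endian
PCAP_MAGIC_BE_AS_LE = 0xD4C3B2A1  # file written big-endian, seen through a "<I" read
LINKTYPE_ETHERNET = 1


def ipv4_frame(src, dst, payload_len):
    """Build a minimal Ethernet + IPv4 frame (constructed sample data: zero MACs,
    IP header checksum left at 0, zero-filled payload; enough to be parsed)."""
    eth = b"\x00" * 6 + b"\x00" * 6 + b"\x08\x00"  # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + b"\x00" * payload_len


def build_pcap(packets):
    """Serialise (ts_sec, ts_usec, frame) tuples into a little-endian libpcap byte stream."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts_sec, ts_usec, frame in packets:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


def parse_pcap(blob):
    """Parse a libpcap byte stream into an index of timestamp, IPv4 src/dst and wire length."""
    magic = struct.unpack_from("<I", blob, 0)[0]
    if magic == PCAP_MAGIC_LE:
        end = "<"
    elif magic == PCAP_MAGIC_BE_AS_LE:
        end = ">"
    else:
        raise ValueError("unsupported pcap magic 0x%08x" % magic)
    linktype = struct.unpack_from(end + "IHHiIII", blob, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only LINKTYPE_ETHERNET is handled here")
    off, records = 24, []
    while off + 16 <= len(blob):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack_from(end + "IIII", blob, off)
        off += 16
        frame = blob[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated capture record at offset %d" % off)
        off += incl_len
        src = dst = None
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # EtherType 0x0800 = IPv4
            src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        records.append({"ts": ts_sec + ts_usec / 1e6, "src": src, "dst": dst, "len": orig_len})
    return records


def packets_between(records, t0, t1):
    """'Go back in time': every indexed packet whose timestamp falls in [t0, t1]."""
    return [r for r in records if t0 <= r["ts"] <= t1]


def bytes_per_source(records):
    totals = defaultdict(int)
    for r in records:
        if r["src"]:
            totals[r["src"]] += r["len"]
    return dict(totals)


def sources_outside_baseline(baseline_records, window_records, k=3.0):
    """Flag sources whose bytes in the window exceed baseline mean + k * population stdev."""
    base = bytes_per_source(baseline_records)
    if len(base) < 2:
        raise ValueError("baseline needs at least two sources to estimate spread")
    threshold = statistics.mean(base.values()) + k * statistics.pstdev(base.values())
    flagged = {s: n for s, n in bytes_per_source(window_records).items() if n > threshold}
    return flagged, threshold


def sample_packets():
    """Constructed traffic: a quiet baseline period, then a window in which one host
    (10.0.0.3, an assumed address) starts pushing large payloads to an outside address."""
    hosts = (("10.0.0.1", 100), ("10.0.0.2", 120), ("10.0.0.3", 140))
    pkts = [(1000 + i, 0, ipv4_frame(h, "10.0.0.100", n)) for i in range(5) for h, n in hosts]
    for i in range(5):
        pkts += [(2000 + i, 0, ipv4_frame(h, "10.0.0.100", n)) for h, n in hosts]
        pkts.append((2000 + i, 500000, ipv4_frame("10.0.0.3", "203.0.113.9", 1400)))
    pkts.append((2005, 0, ipv4_frame("10.0.0.2", "10.0.0.100", 120)))  # slight, normal jitter
    return pkts


CAPTURE = build_pcap(sample_packets())


def analyse(blob):
    """Replay the stored capture: learn the baseline from one period, then check a later window."""
    records = parse_pcap(blob)
    baseline = packets_between(records, 1000, 1100)
    window = packets_between(records, 2000, 2100)
    return sources_outside_baseline(baseline, window)


if __name__ == "__main__":
    flagged, threshold = analyse(CAPTURE)
    print("threshold %.1f bytes; sources outside baseline: %s" % (threshold, flagged))
```

The baseline here is deliberately crude (bytes per source over one period); a real deployment would learn per-flow, per-protocol and time-of-day baselines, and the point of keeping the full capture rather than only a verdict is that a later, better model can be replayed over the same packets.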
“This will help identify threats faster, and eliminate many false positives that are presented to the SOC, thus reducing the amount of highly skilled threat hunters needed in an organization,” explained Zeller. “Also, the use of ML might be able to reduce the amount of PCAP organizations will have to store for the long term by only storing packet flows that are behaving outside of the norm.”
However, AI and ML could also be used against a PCAP solution.
“One caveat that I learned from an industry leader is that the bad guys also can use ML to learn the baseline and establish a pattern that is undetectable,” warned Zeller. “I think we are just at the beginning phase of using AI and ML for threat hunting and forensic analysis.”
When employed as part of a broader cybersecurity strategy – which can include training employees and others who have access to the network to follow best practices – PCAP can be an added level of protection to help deter, and recover from, a breach.
“This will provide a combination of both but with bias toward addressing breaches faster as the bad guys are always figuring out new techniques, but having that data readily available and having the capability to replay flows at high speeds to run them through further analytic tools can definitely lessen the dwell time and catch them faster,” said Zeller.
“As network speeds increase, and aggregate traffic rates increase for both North-South and East-West traffic, the volume of data storage needed increases,” he noted. “This leads to the need for racks of equipment in order to capture, index, store, and then retrieve the packets of interest. A package like this drives down the cost and will lead to more organizations demanding full packet capture as they mature their security posture.”