Hunting Hackers with Deep Packet Analysis: Sponsored Content
As cybersecurity threats become more sophisticated, organizations need a way to quickly detect and stop an attack or track and analyze its after-effects for clues. One important tool available to cybersecurity analysts is deep packet analysis.
Deep packet analysis, or packet sniffing, is a data processing technique that allows organizations to monitor network traffic for signs of intrusion, and to block or reroute it if an attack is detected. But its most important feature is the ability to record data traffic, allowing analysts to conduct detailed investigations into the nature of a cyber incident.
Having packet data available significantly accelerates investigations and improves security teams’ productivity, says Cary Wright, vice president of product management at Endace in Auckland, New Zealand. While some organizations have built their security operations center (SOC) teams around the use of deep packet inspection as a tool to fight cyber attacks, he adds that many companies and government agencies still don’t have this capability, putting them at a disadvantage because they’re devoting time to manually sifting through data to find evidence of an intrusion.
Another challenge is that attackers with network access can edit, delete or modify system log files to cover their tracks. But network traffic data can’t be so easily altered and deep packet analysis tools can greatly accelerate SOC teams’ response times, which can be critical in stopping an attack while it’s under way instead of sifting for clues after the fact, he says.
Advantages of deep packet analysis
One of the hurdles that prevented many organizations from getting deep packet analysis tools in the past was the difficulty scaling such analysis for a national or global-scale network. It was also difficult to capture and store that data in a way that permitted analysts to quickly search back over weeks or months to discover what happened during a particular incident. Doing that quickly is very difficult, given the data volumes involved, Wright says.
“We’re talking about hundreds of petabytes of packet data in some cases. These analysts don’t want to have to context-switch their minds around multiple different tasks—they’d like to investigate one incident from start to finish in one thought process. That means when they search for packets, they don’t want to be waiting 45 minutes or an hour, or even overnight in some cases. They need the answers within seconds or minutes so that they can complete their investigation,” says Wright.
Because deep packet storage and inspection was difficult and expensive, until recently it was mainly used by large government agencies, military and intelligence agencies, and large corporations with deep pockets. Many of those entities also operate critical infrastructure that they cannot afford to have shut down by a cyber attack or network outage because lives may literally be at stake, says Mark Evans, Endace’s vice president of marketing.
Deep packet capture and analysis systems are now within the price and operational capability range of medium or small organizations. This is important because network traffic speeds and loads continue to increase for entities of all sizes, and the ability to keep on top of that information is becoming more important, Evans explains.
Modern deep packet analysis capabilities, such as the one provided by Endace, let organizations greatly increase their productivity in terms of identifying and resolving network threats or performance problems. It is now affordable to have the ability to capture and store months of network traffic at scale, allowing SOC analysts to investigate incidents in detail, Evans says.
Changing market environment
Several factors are leading organizations to realize they need packet analysis systems. The first is regulatory as more data breach and data protection laws go into effect around the world, most notably the European Union’s General Data Protection Regulation. The increased need for compliance with these rules and the obligations to report data breaches is forcing entities to reassess their cybersecurity postures, Evans says.
But even with a suite of cybersecurity tools, fully analyzing a cyber attack isn’t easy without access to data packets. “Metadata will tell you that someone got in and that they managed to download X amount of data, but it won’t tell you what’s in the data. To know that, you’ve got to have the packets,” Evans says.
Another factor is the growing sophistication of cyber attackers. Evans notes that dark web criminal marketplaces sell a variety of increasingly powerful hacking tools and capabilities as services, which permits more advanced and subtle attack frameworks. This makes it harder for SOC teams to trace the sources of an attack without being able to get the full context of the incident.
“Your security tool might tell you that a particular host has been compromised, but it’s not got enough smarts necessarily to be able to tell you that not only that host was compromised, but it spread laterally to other hosts, and there’s some command and control traffic that could indicate backdoors being created. To get that information you need that ability to go back in time and have a deeper look at the deep packet data on your network ,” Evans says.
The emergence of artificial intelligence-based tools is another factor behind the increasing use of packet analysis. These tools, when used for security analysis and searching networks for intruders, extend the capability of security operations teams to look for statistical anomalies and lets them detect things other tools might not find.
Once a threat is detected, analysts must verify the source of a threat or attack. This is where packet analysis is emerging as a critical tool to validate that an AI-based security tool made the correct decision to trigger an alert, as opposed to it being a false positive, Evans says.
What Endace can do
With this rapidly changing threat environment, a capability like Endace’s offers advantages to organizations of all sizes. Endace’s hardware/software platform captures, records and stores all daily network traffic. It interoperates with a range of security tools and applications, allowing it to contribute to troubleshooting or diagnosing network or application performance problems.
“Think of us as the black box flight recorder for the network. When a security breach or incident occurs, you can go back and see exactly what happened. No guessing, no logs that might have been scrubbed by the hacker. There’s nowhere to hide, your network traffic shows exactly what happened,” Wright explains.
The value of Endace’s platform is its complete focus on packet capture. It is also designed to interoperate with a range of other security and analysis tools such next-generation firewalls, security information and event management systems (SIEMs), security orchestration and response (SOAR) tools, and network cyber defense tools with artificial intelligence capabilities such as Darktrace and BluVector.
Because a cyber incident can be just the tip of an iceberg once an investigation starts, the ability to record and store months of data is important because it allows analysts to look at a data breach and trace its after-effects, notes Evans. Unlike many other systems on the market, which only record data specific to an incident, Endace’s equipment and software captures all the information, allowing for more in-depth analysis.
One of the advantages of Endace’s platform is its flexibility, which means customers aren’t locked into a specific product or vendor, says Wright. This lets users operate a range of tools and systems to meet changing network or operational needs, such a quickly deploying a security tool or scaling monitoring operations up or down.
The Endace platform has a high memory and processing capacity, permitting customers to run software in virtual machines on EndaceProbe hardware while also capturing packets. Wright notes that this doesn’t affect the system’s packet capture capability because EndaceProbes specifically reserve resources for hosted applications separate from the resources required for capturing and recording traffic.
Customers buy the packet capture hardware and install it on their networks, permitting them to manage it from their data centers and record ingoing and outgoing traffic. Evans says many of Endace’s customers are government sector, usually military or intelligence agencies that require on-premises, physical infrastructure to house sensitive, mission-critical information.
Changes on the horizon
Once the purview of well-funded government agencies and large companies, packet capture and forensics capabilities are becoming more affordable and accessible. “You don’t need to be a packet junkie anymore to get a lot of value out of this,” Wright says.
Automation is another trend benefitting current packet monitoring systems that will continue to improve and become more ubiquitous over the next year, Wright says. He notes that it’s now possible to use SOAR tools to record an incident, mine for packets in the recorded data stream, extract the information and begin responding to an incident without human assistance.
Before an analyst even touches a keyboard, automated protocols can have the necessary data waiting. This kind of deep analysis couldn’t be done without the captured packets used to mine the data, he explains. A big breakthrough is the ability to do this work in an automated, seamless way within the SOAR—something that will make packet recording financially viable to many more organizations than before, Wright adds.
Another major advantage of using packet monitoring within SOAR is that junior analysts can work on solving security problems without having to learn or use specialized security tools. “They’ll be able to use the SOAR tools and the automation to get their job done, and get it done a lot quicker than trying to dig around in the circumstantial evidence such as system logs can provide,” Wright says.
For more information, visit endace.com
