
PCAP or It Didn’t Happen

How many times have you talked to your security leadership about getting broader network visibility by collecting packet data across the network just to be told it would be too expensive and there is too much traffic to monitor?

The phrase "PCAP or it didn't happen" is widely used by security experts: you prove that an attack or compromise occurred by capturing and analyzing the packets surrounding the event. However, many CIOs, and even some CISOs, dismiss this concept as too complex and costly to implement, even though they may see its benefits. The perception is that IDS and IPS systems block everything bad coming in, and that logfiles and network flow information are sufficient to analyze intrusions.

This thinking leads many organizations to take a highly reactive security operations approach. They operate in a constant firefighting mode, relying on IDS/IPS vendors to keep their signatures updated. If an intrusion is detected, massive amounts of logfiles and traffic flow information are analyzed to determine how to eradicate the threat. Organizations are then left vulnerable to insider and persistent threats, and potentially to stolen Intellectual Property (IP) or even ransomware attacks. LogRhythm describes this scenario well in their “Security Operations Maturity Model.”

With security operations becoming more crucial than ever and the rising risk of high-impact security threats, security operations teams need to improve their effectiveness and maturity. PCAP is an essential part of this, particularly from a maturation standpoint.

Using PCAP and Packet Analysis to Fight Cyber Threats

PCAP, meaning “Packet Capture,” is an API (Application Programming Interface) for accessing packet data captured live off the network. PCAP provides all packet information from the Ethernet header all the way to the application payload, giving you full visibility of the application and network interaction, pre- and post-event.

Packet capture in many organizations, if considered at all, is mostly used reactively, deploying a packet capture tool after an event has happened. This creates a complicated situation, as:

  1. You have to determine which link or links to monitor.
  2. You need to decide what traffic to capture to avoid capturing too much data.
  3. The event has to happen again for you to capture it.

A permanently deployed packet capture system readily provides this packet data for each event. But it needs to be well architected to make it affordable, minimize storage requirements, and avoid overcomplicating the network. Focusing on the ingress/egress traffic on your network is a great first step, as it limits capture to the traffic that enters and leaves your network. Cisco’s “Global Cloud Index 2019” quantifies this as about 15% of your entire network traffic. Still a lot, but packet capture solutions have become more economical over the last few years. That is because they use high-density computing, FPGA-accelerated NIC cards, and NVMe-based storage to keep up with high-speed network traffic, improving the footprint and economics of packet capture solutions. Packet capture solutions can provide visibility into any external network intrusion and information about the exfiltration of critical data and IP.

To detect insider and persistent threats already in your network, monitoring your internal traffic becomes important. However, with 85% of your total traffic being internal, according to Cisco’s “Global Cloud Index 2019,” this appears to be a daunting task, especially with many virtualized applications. A careful analysis of your infrastructure and critical applications is needed to determine high-value targets and a prioritized defended asset list. With that information, critical links and virtual environments can be identified, and a combination of physical and virtual taps used to collect the relevant data. Aggregating those feeds and applying intelligent traffic filtering minimizes the amount of information that needs to be stored.
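To make the two filtering ideas above concrete (ingress/egress first, then internal traffic scoped to a defended asset list), here is a small added example, not code from the original post or from any vendor's product. It builds a constructed PCAP in memory using only the Python standard library, parses the Ethernet/IPv4 records back out, and applies each filter as a predicate over source and destination addresses, reporting how much of the capture volume survives. The assumptions are that internal address space is exactly the three RFC 1918 blocks, that the capture is little-endian microsecond pcap with Ethernet link type, and that the sample addresses and packet sizes are made up.

```python
"""Added example (not from the original post): build a constructed pcap in memory,
parse it with the standard library only, and apply the "ingress/egress first" and
"defended asset list" filters the post describes as predicates over (src, dst)."""
import ipaddress
import struct

# Assumption: the organization's internal address plan is the three RFC 1918 blocks.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# pcap global header (little-endian): magic, v2.4, thiszone, sigfigs, snaplen, linktype 1 = Ethernet
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def build_frame(src_ip, dst_ip, payload_len):
    """Construct a minimal Ethernet/IPv4 frame (constructed sample data, not real traffic)."""
    eth = bytes(12) + b"\x08\x00"                          # zeroed MACs, EtherType IPv4
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + payload_len,         # version/IHL, DSCP, total length
                         0, 0, 64, 6, 0,                    # id, flags/frag, TTL, proto TCP, checksum
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + ip_hdr + bytes(payload_len)


def build_pcap(records):
    """Wrap (ts_sec, frame) pairs in pcap record headers: ts_sec, ts_usec, incl_len, orig_len."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for ts_sec, frame in records:
        out += struct.pack("<IIII", ts_sec, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_records(pcap_bytes):
    """Yield (ts_sec, frame) from a little-endian pcap byte string."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("unsupported pcap magic (only little-endian microsecond pcap handled)")
    offset = 24
    while offset + 16 <= len(pcap_bytes):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap_bytes, offset)
        offset += 16
        frame = pcap_bytes[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated pcap record")
        offset += incl_len
        yield ts_sec, frame


def parse_ipv4(frame):
    """Return (src, dst) strings for an Ethernet/IPv4 frame, or None for other EtherTypes."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    return str(ipaddress.ip_address(frame[26:30])), str(ipaddress.ip_address(frame[30:34]))


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def is_perimeter_traffic(src, dst):
    """Ingress/egress filter: exactly one endpoint is internal."""
    return is_internal(src) != is_internal(dst)


def touches_defended_assets(assets):
    """Internal-monitoring filter: keep packets where either endpoint is a defended asset."""
    wanted = set(assets)
    return lambda src, dst: src in wanted or dst in wanted


def filter_capture(pcap_bytes, keep=is_perimeter_traffic):
    """Apply `keep(src, dst)` to every IPv4 record; return volume stats and the filtered pcap."""
    kept, stats = [], {"total_records": 0, "total_bytes": 0, "kept_records": 0, "kept_bytes": 0}
    for ts_sec, frame in iter_records(pcap_bytes):
        stats["total_records"] += 1
        stats["total_bytes"] += len(frame)
        addrs = parse_ipv4(frame)
        if addrs is not None and keep(*addrs):
            kept.append((ts_sec, frame))
            stats["kept_records"] += 1
            stats["kept_bytes"] += len(frame)
    return stats, build_pcap(kept)


# Constructed sample capture: one internal flow (two large frames), one egress, one ingress.
SAMPLE_PCAP = build_pcap([
    (1_700_000_000, build_frame("10.1.1.5", "10.1.2.9", 1400)),      # internal file-share traffic
    (1_700_000_001, build_frame("10.1.2.9", "10.1.1.5", 1400)),
    (1_700_000_002, build_frame("10.1.1.5", "198.51.100.7", 200)),   # egress to an external host
    (1_700_000_003, build_frame("203.0.113.20", "10.1.1.5", 60)),    # ingress from an external host
])

if __name__ == "__main__":
    print("perimeter only:", filter_capture(SAMPLE_PCAP)[0])
    print("defended assets:", filter_capture(SAMPLE_PCAP, touches_defended_assets({"10.1.2.9"}))[0])
```

On the constructed sample the perimeter filter keeps two of four records but only about a tenth of the bytes, which is the point of capturing ingress/egress first; the asset-list predicate shows how the same pipeline scopes internal capture once high-value targets are known. A production capture appliance applies the equivalent predicates as a BPF capture filter on the tap or aggregation layer rather than post-hoc in Python, but the filtering logic is the same.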

Security cannot be a castle-defense approach; you need to think about defending the wire, both internal and external. Traditional moat-and-wall protection, i.e., firewalls, IDS/IPS, and endpoint protection, works for some threats but is insufficient to address internal and persistent threats lingering in your network, which can result in expensive IP exfiltration or, worse, ransomware attacks.

Over the next few blog posts, we will explore why PCAP data collection is essential, how to implement it, and the benefits it provides the organization.