Is Packet Capture Critical? Heck Yes...

Tuesday, September 04, 2012

Richard Stiennon


It has been 16 months since the world of cyber defense changed forever.

2011 has already been dubbed the Year of the Breach and in a year that included the Sony breach and DDoS, Anonymous and Lulzsec attacks, and the Comodo Hacker, the successful breach of RSA, the security division of EMC, stands out as the most significant.

The RSA breach got the attention of every major enterprise around the world because 60,000 of them were contacted directly by RSA to warn them that the SecurID tokens they used had to be replaced. RSA’s strong two-factor authentication solution had been targeted by foreign hackers (General Keith Alexander implied China in Congressional testimony), and the attack was successful. Subsequent attacks against primary members of the vaunted Defense Industrial Base (DIB), using compromised tokens, were evidently thwarted.

The biggest impact on the security industry was the realization, once again, that a determined hacker with the right resources can get into even the most secure environments. Firewalls, IDS, AV, VM, SIEM, NAC, and a cornucopia of other acronyms will do nothing to stop them.

What other “keys to the kingdom” are at risk? The system the Federal Reserve uses for adjusting the money supply? The deal books on major M&A plans? The hallowed crop report from the Department of Agriculture?

The realization that attackers have the advantage and will stop at nothing to achieve their aims has led to the new security mantra “if you can’t stop them from getting in, at least detect them in the process and shut them down before they abscond with the goods.”

How do you do this? Through packet capture and real-time monitoring. Of course, just recording network traffic is not enough. You have to monitor the traffic for anomalies and threat indicators. One of the most glaring threat indicators is an internal IP address communicating with an IP address that has been identified as a Command and Control server for a botnet or that belongs to an adversary. I call this beaconing detection.
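As an added illustration of the beaconing-detection rule just described (this is example code, not anything from the post or from a vendor product): connection records extracted from packet capture are matched against a list of known C2 addresses, and, going one step beyond the post, internal hosts that call out to the same external destination at suspiciously regular intervals are flagged even before that destination appears on any list. The indicator addresses and connection records are constructed placeholders, and the internal ranges assumed are the RFC 1918 private networks.

```python
import ipaddress
import statistics
from collections import defaultdict

# Assumed definition of "internal": the RFC 1918 private ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed threat-intel list (documentation addresses, not real indicators).
C2_INDICATORS = {"203.0.113.7", "198.51.100.25"}

# Constructed connection records from a capture: (epoch seconds, src, dst, dst_port).
CONNECTIONS = [
    (1000, "10.0.0.5", "203.0.113.7", 443), (1030, "10.0.0.5", "203.0.113.7", 443),
    (1060, "10.0.0.5", "203.0.113.7", 443),
    (1005, "10.0.0.9", "192.0.2.44", 443), (1065, "10.0.0.9", "192.0.2.44", 443),
    (1125, "10.0.0.9", "192.0.2.44", 443), (1185, "10.0.0.9", "192.0.2.44", 443),
    (1010, "10.0.0.12", "192.0.2.80", 80), (1500, "10.0.0.12", "192.0.2.80", 80),
    (1520, "10.0.0.12", "192.0.2.80", 80), (1700, "10.0.0.12", "192.0.2.80", 80),
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def internal_to_indicator(conns, indicators):
    """The post's rule: an internal address talking to a known C2 address."""
    hits = {(src, dst) for _, src, dst, _ in conns if is_internal(src) and dst in indicators}
    return sorted(hits)

def periodic_callbacks(conns, min_count=4, max_jitter=0.2):
    """Generalisation: flag internal->external pairs whose connection intervals are
    near-constant (a beacon heartbeat), regardless of any indicator list."""
    times = defaultdict(list)
    for ts, src, dst, port in conns:
        if is_internal(src) and not is_internal(dst):
            times[(src, dst, port)].append(ts)
    flagged = []
    for key, ts_list in times.items():
        ts_list.sort()
        if len(ts_list) < min_count:
            continue
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        mean = statistics.mean(gaps)
        # Coefficient of variation: a low value means machine-driven, regular timing.
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if cv <= max_jitter:
            flagged.append((*key, round(mean, 1)))
    return flagged
```

Real deployments would feed this from flow or capture data continuously and tune the interval thresholds against the environment's baseline, since ordinary software updaters also poll on fixed schedules.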

It was through packet capture (from NetWitness) that EMC was able to quickly determine the severity of the RSA breach. The attackers had encrypted the exfiltrated data, but EMC had a copy of the code used, which included the encryption keys. They were able to decrypt the network traffic they had recorded, giving them certain knowledge of the severity of the breach.

Beaconing detection is a feature in the fastest growing security solutions in the market. I am tracking most of these vendors at 100% annual growth rates, a sure sign of a trend. Intelligent packet capture is a must-have technology in every cyber defense armament.

If you don’t have it you may well be a victim of a breach today and not even be aware.

Ian Tibble: "Beaconing detection" - is that the best marketing term they could come up with? Anyway it's IDS. IDS can be configured to detect encrypted traffic initiated outbound to CnC boxes, but it's not so reliable. In most cases it just looks like the device fired up an SSL'd HTTP connection...nothing unusual about that. These bad guys eh...they're clever.

SIEM can be triggered to detect potential outbound CnC communications based on long-term analysis of IDS/firewall logs, but I haven't seen any successes in this area yet - especially as most businesses don't want to record all web traffic.

Agree on the whole detection thing, and generally one cannot argue against detection - it's a good thing, better than not detecting.

Even if the products are great, when we try to get too smart with any detection technology, we get further away from where we want to be - which is efficient risk management. There's a ceiling on potential with any detection, and it's not a very high ceiling.

VM was mentioned. This area is the weakest. Products are really poor at the moment, but with authenticated scanning, there is at least the potential to change the game completely.