Internal Visibility – the Importance of Network Packet Captures and Deception
Written by: Joseph Salazar, Technical Marketing Engineer

If there is one thing an attacker relies on, it is getting inside an organization and avoiding discovery. Finding malicious activity inside the network is akin to finding a particular needle in a stack of needles. Organizations struggle to gain visibility into internal "east-west" traffic for threat detection. Some start by deploying IDS inside the network to detect malicious traffic, while others use internal firewalls to block it. UEBA solutions attempt to analyze collected data and identify suspicious or malicious activity, while EDR solutions lock down the endpoint to gain visibility and deny attackers a foothold. All of these approaches produce false-positive alerts, and no amount of tuning will eliminate them. They also abstract the actual network traffic away from direct analysis, using their internal mechanisms to output a verdict. If the goal is internal visibility, why not look at the network traffic directly, by conducting packet captures and analyzing them?
Several security solutions capture and analyze network traffic for detection, analysis, and playback. Not only does this give visibility into what is traversing the network, but it also provides tremendous forensic value, such as complete header information and encapsulated payloads. Given enough packet capture (pcap) files, a skilled forensic examiner can extract binaries, commands, and other data. Many of these solutions can read and tag pcaps on the fly, alerting when they detect potentially malicious traffic by matching preloaded or custom signatures. Although they also have issues with false-positive alerts, they provide capabilities that allow analysts to search the packet capture datastore and pattern-match for specific IoCs, or to replay traffic and examine what transpired. For example, an analyst can replay session data and watch what the attacker did on a compromised system accessed via RDP. I used such a tool as part of my forensic duties and found it extremely useful. However, it required experience and well-developed analytical skills to find and interpret the pcap data and extract relevant information for an investigation.
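To make the "search the datastore and pattern-match for IoCs" step concrete, here is an added Python example (it is not code from the original post, nor from any product the post mentions). It walks a classic pcap file, decodes Ethernet/IPv4/TCP, pulls the HTTP Host and User-Agent headers out of each payload, and checks them against a small IoC list. The sample capture is constructed inline with placeholder MAC and IP addresses, and the hostnames and IoC names are invented for illustration; the parser deliberately rejects pcapng, which real tooling would also need to handle.

```python
"""Walk a classic pcap, decode Ethernet/IPv4/TCP, and match IoCs in the payload (example code)."""
import socket
import struct
from dataclasses import dataclass


def _frame(src_ip, dst_ip, sport, dport, payload):
    """Build one Ethernet/IPv4/TCP frame. Checksums are left at 0 (the reader never checks them)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00"  # placeholder MACs
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)  # PSH|ACK, 20-byte hdr
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + tcp + payload


def _pcap(frames, ts=1_700_000_000):
    """Wrap frames in a little-endian classic pcap (magic 0xA1B2C3D4, LINKTYPE_ETHERNET)."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", ts + i, 0, len(f), len(f)) + f
    return out


# Constructed sample capture: a benign download, a beacon-looking request, and an SMBv1 negotiate.
SAMPLE_PCAP = _pcap([
    _frame("10.0.5.23", "10.0.5.40", 49211, 80,
           b"GET /update.bin HTTP/1.1\r\nHost: cdn.example.net\r\nUser-Agent: Mozilla/5.0\r\n\r\n"),
    _frame("10.0.5.23", "10.0.5.41", 49212, 80,
           b"GET /a HTTP/1.1\r\nHost: beacon.example.org\r\nUser-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n"),
    _frame("10.0.5.23", "10.0.5.42", 49213, 445, b"\xffSMB" + b"\x00" * 8),
])

# Invented IoC list; a real one would come from threat intel or the incident at hand.
IOCS = [
    {"name": "known-c2-domain", "kind": "host", "value": "beacon.example.org"},
    {"name": "suspicious-user-agent", "kind": "user-agent", "value": "MSIE 6.0"},
    {"name": "smbv1-traffic", "kind": "bytes", "value": b"\xffSMB"},
]


@dataclass
class Packet:
    ts: int
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def decode_ethernet(ts, frame):
    """Return a Packet for an IPv4/TCP frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None                                    # not IPv4
    ihl = (frame[14] & 0x0F) * 4
    total_len = struct.unpack_from("!H", frame, 16)[0]
    if frame[23] != 6:
        return None                                    # not TCP
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    tcp = 14 + ihl
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    data_off = (frame[tcp + 12] >> 4) * 4
    return Packet(ts, src, dst, sport, dport, frame[tcp + data_off:14 + total_len])


def read_pcap(data):
    """Yield Packets from a classic pcap in either byte order; pcapng is rejected explicitly."""
    magic = struct.unpack_from("<I", data)[0]
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack_from(end + "IHHiIII", data)[6] != 1:
        raise ValueError("only LINKTYPE_ETHERNET captures are decoded")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, off)
        off += 16
        pkt = decode_ethernet(ts_sec, data[off:off + incl_len])
        off += incl_len
        if pkt is not None:
            yield pkt


def http_headers(payload):
    """Return (request_line, {lowercased header: value}) for an HTTP request payload, else None."""
    lines = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    if not lines[0].startswith(("GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ")):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def find_iocs(packets, iocs):
    """Return one hit record per (packet, IoC) match, in capture order."""
    hits = []
    for pkt in packets:
        http = http_headers(pkt.payload)
        for ioc in iocs:
            kind, value = ioc["kind"], ioc["value"]
            if kind == "host":
                matched = http is not None and http[1].get("host", "").lower() == value.lower()
            elif kind == "user-agent":
                matched = http is not None and value.lower() in http[1].get("user-agent", "").lower()
            elif kind == "bytes":
                matched = value in pkt.payload
            else:
                raise ValueError(f"unknown IoC kind {kind!r}")
            if matched:
                hits.append({"ts": pkt.ts, "src": pkt.src, "dst": pkt.dst, "dport": pkt.dport, "ioc": ioc["name"]})
    return hits


if __name__ == "__main__":
    for hit in find_iocs(read_pcap(SAMPLE_PCAP), IOCS):
        print(hit)
```

Running the sample produces two hits on the beacon request (domain and user agent) and one on the SMBv1 packet, while the benign download matches nothing. Against a real datastore the same loop would run over many files and much larger payloads, which is exactly where the storage and skill costs discussed below come from: the code is simple, but an analyst still has to know which IoCs to look for and to have the right days of capture on disk.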
Additionally, much like Big Data Analytics, these solutions require massive storage capacity to hold enough pcap files to cover a long enough investigation period. If one considers how much traffic traverses the network at any given moment, and that these solutions must retain enough pcaps to cover an investigation effectively, one soon realizes that storage is the limiting factor. An analyst who wants to replay two-week-old traffic must hope that the solution still has those packet captures available. While the SOC can architect the solution to drop irrelevant data, every filter it adds reduces the fidelity available to the analysts. For example, filtering out traffic on OT network segments may save storage space, but the SOC loses visibility into those segments, where a savvy attacker can hide for an extended period. One can always spend more on storage capacity or offload it to the cloud, but there are diminishing returns to adding SAN capacity just for pcap storage, and pushing gigabytes of captures into the cloud means pulling them back down again for analysis. The visibility it gives the SOC is exceptional, since one is looking at actual in-network traffic to find suspicious activity, but the skill set and storage requirements make it extremely resource-intensive.
Enter deception technology and the Attivo Networks ThreatDefend® deception platform. Where full network traffic capture and analysis rely on analysts actively threat hunting to find bad actors, the deception platform instead sets traps for them. Imagine creating a "twilight zone" network of decoys and other deceptive assets that match production endpoints, servers, devices, applications, services, or data. The value of the decoy environment lies in the fact that it has no production value and is invisible to regular operations, so no one should be interacting with it. Any interaction with a decoy is the result of a misconfiguration, a policy violation, or unauthorized discovery activity, so every alert points at something that warrants investigation and the false-positive problem largely disappears. If the decoys are authentic enough, attackers cannot distinguish the deception environment from the real one, and so cannot avoid engaging with the decoys, which triggers an alert.
Once the attacker engages with a decoy system, service, application, or piece of data, the deception platform alerts on their presence and records their activity. The decoys capture all attacker activity on the decoy's disk, memory space, and network interface: they preserve dropped files, identify ephemeral network connections and in-memory processes, and generate pcaps. The platform makes these available for offline analysis, meaning that the analyst can use the same analysis tools the SOC already relies on to examine the forensic artifacts and packet captures from the deception platform. What is more, there is no need to comb through irrelevant pcaps, since the ones the deception platform provides are positive recordings of malicious activity. Deception technology efficiently provides internal visibility and detection for in-network malicious traffic, and it can add value even if the organization already has a full network traffic capture solution.
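The detection logic behind the two paragraphs above ("nothing should touch a decoy, so any connection is an alert") can be shown in a few dozen lines. The following Python is an added example written for this page; it is not the ThreatDefend® platform's code and makes no claim about how that product is built. It runs a throwaway TCP decoy on localhost that records every connection (source, port, and the first bytes sent), then collapses those records into one alert per source host, escalating severity when a single host touches more than one decoy, which is the footprint of discovery or lateral movement. The decoy names, banners, and the `simulate_intruder` client are constructed for the demonstration; a production decoy would additionally capture packets on the interface and snapshot disk and memory, which this example does not attempt.

```python
"""Minimal TCP decoy plus alert aggregation (example code, not the ThreatDefend platform)."""
import json
import socket
import threading
import time
from collections import defaultdict


class DecoyService:
    """A listener with no production function: every connection it receives is suspect."""

    def __init__(self, name, banner, host="127.0.0.1", port=0):
        self.name, self.banner = name, banner
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))          # port 0 lets the OS pick a free port
        self.sock.listen(5)
        self.sock.settimeout(0.2)             # lets the accept loop notice stop()
        self.port = self.sock.getsockname()[1]
        self.events = []                      # one record per interaction
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (src_ip, src_port) = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.settimeout(1.0)
                conn.sendall(self.banner)     # look like a real service so the attacker keeps talking
                received = b""
                try:
                    while len(received) < 4096:
                        chunk = conn.recv(1024)
                        if not chunk:
                            break
                        received += chunk
                except socket.timeout:
                    pass
                self.events.append({
                    "ts": time.time(), "decoy": self.name, "decoy_port": self.port,
                    "src_ip": src_ip, "src_port": src_port,
                    "payload": received.decode("latin-1"),
                })


def build_alerts(events, scan_threshold=2):
    """Collapse per-connection events into one alert per source host.

    Touching several distinct decoys is the signature of discovery or lateral movement,
    so that escalates severity from medium to high.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src_ip"]].append(ev)
    alerts = []
    for src_ip, evs in by_src.items():
        decoys = sorted({ev["decoy"] for ev in evs})
        alerts.append({
            "src_ip": src_ip,
            "decoys_touched": decoys,
            "connections": len(evs),
            "severity": "high" if len(decoys) >= scan_threshold else "medium",
            "first_seen": min(ev["ts"] for ev in evs),
            "last_seen": max(ev["ts"] for ev in evs),
            "samples": [ev["payload"][:64] for ev in evs],
        })
    return alerts


def simulate_intruder(ports, probe=b"USER admin\r\n"):
    """Constructed attacker: connects to each decoy, reads the banner, sends one probe."""
    for port in ports:
        with socket.create_connection(("127.0.0.1", port), timeout=2) as c:
            c.recv(256)
            c.sendall(probe)


if __name__ == "__main__":
    decoys = [DecoyService("ftp-decoy", b"220 files01 FTP server ready\r\n").start(),
              DecoyService("telnet-decoy", b"\xff\xfb\x01login: ").start()]
    simulate_intruder([d.port for d in decoys])
    for d in decoys:
        d.stop()
    print(json.dumps(build_alerts([e for d in decoys for e in d.events]), indent=2))
```

Note what the alert record carries: the offending source, which decoys it touched, and the bytes it sent. There is no signature to tune, because the rule is "any connection at all". The practical caveats are the ones the text hints at: vulnerability scanners, monitoring agents, and misconfigured clients will also hit decoys, so they need to be documented or excluded up front, and the decoy must answer convincingly (the banner above is the crudest form of that) or an attacker who fingerprints it will simply move on.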