Making use of Packet Capture Analysis Programs
In an ever-changing threat landscape, cybersecurity is constantly evolving to meet the next challenge. The typical mixture of security tools employed on a network include anti-virus software and Endpoint, Detection and Response (EDR) solutions (e.g. Sentinel One, Carbon Black). As an extra layer of defense, network traffic can be inspected to provide an extremely valuable addition to overall network security.
Why Network Security?
Network security allows for deeper visibility and insight into your network that you can’t achieve through traditional monitoring methods. Many companies today are still only using host-level detection, which can create a huge gap in overall security. Anti-virus and EDR solutions are a great way to monitor for malicious behavior at the host level, but they can be stealthily defeated to allow an Advanced Persistent Threat (APT) to continue to operate. By looking at every packet leaving and entering the network, Network Security Monitoring (NSM) allows for a holistic approach to digital forensics and a more consistent method of detecting malicious behavior.
Network Detection Methods
Packet capture (PCAP) analysis is the standard for analyzing network traffic because it contains the information necessary to hunt for malicious behavior. PCAP is the act of capturing Internet Protocol (IP) packets from networking devices and is a common troubleshooting method for network administrators. From a router or a switch, packets can be duplicated via port monitoring, port mirroring or a switched port analyzer (SPAN), and sent to a specific port on the device for ingestion into a monitoring solution. PCAP presents a certain challenge, however, because of its massive storage requirements when captured and stored over several days. To combat this challenge, open-source tools such as Zeek provide a solution for the storage requirements by stripping all the protocol data from the packets with protocol analyzers and storing them in text logs by the type of protocol detected (DNS, HTTP, HTTPS, etc.), while not sacrificing important data.
A great Intrusion Detection System (IDS) such as Suricata can provide additional insights into your network by ingesting and inspecting massive amounts of packets to get you the alerts you need. The most common use case for an IDS is utilization of its signature-based detection mode. A list of open-source signatures can be manually compiled from several different sources to make a nice detection cocktail, or a license can be purchased to keep signatures automatically up-to-date. Typically installed on a server, Zeek and Suricata can be run on any Linux operating system to be used as a network sensor; all that's needed is PCAP and a decent number of resources.
While NSM tools produce many valuable logs, efficiently sorting through them is key to responding to potential threats on your network. Logs can be ingested into any Security, Information and Event Management (SIEM) solution for analysis, but the most commonly used today are The Elastic Stack or Splunk. The Elastic Stack - utilizing Elasticsearch, Logstash and Kibana - is the most common open-source solution largely because it is free, however it requires a significant amount of expertise and configuration to be properly utilized. Splunk, while quite expensive, essentially works out-of-the-box with little configuration. Either Splunk or Elastic can create an immediate impact when it comes to NSM.
When considering the security of an entire network, a holistic approach is crucial to preventing cyber threats. Having a great NSM solution allows all the network traffic leaving and entering a network to be captured, observed and analyzed for threats. When combined with a great EDR solution, the two work hand-in-hand to provide a defense-in-depth solution that allows for a quick response to security threats.