In the ever-evolving landscape of cyber security, network packet capture remains a critical tool for Security Operations Center (SOC) teams, despite the growing prevalence of encrypted traffic.
While encryption has undoubtedly made traditional packet analysis more challenging, it has not rendered network packet capture obsolete. Instead, it has transformed this practice into a more nuanced and sophisticated defensive strategy.
The fundamentals of network packet capture
Network packet capture is the process of intercepting and logging traffic that passes through a network interface. Historically, this technique allowed security professionals to examine every detail of network communications, from source and destination addresses to the actual payload of network conversations. It’s like having a wiretap that provides granular insights into network behavior, helping detect anomalies, potential breaches, and malicious activities.
The encryption challenge
The widespread adoption of encryption protocols like TLS (Transport Layer Security) has indeed complicated traditional packet inspection methods. When network traffic is encrypted, the payload becomes unreadable, seemingly blocking the effectiveness of packet capture. However, this perspective overlooks the wealth of metadata and behavioral insights still available through packet analysis.
What metadata can reveal
Even with encrypted traffic, packet capture can still provide crucial intelligence:
- Connection metadata: Source and destination IP addresses, port numbers, protocol types, and connection durations remain visible and can indicate suspicious patterns.
- Timing and frequency: Unusual connection frequencies, unexpected communication times, or abnormal data transfer volumes can signal potential security incidents.
- Traffic patterns: The volume, direction, and characteristics of network communications can reveal potential command and control (C2) infrastructure, data exfiltration attempts, or reconnaissance activities.
Advanced network packet capture strategies
Modern SOC teams have developed sophisticated approaches to extract value from encrypted traffic:
SSL/TLS inspection
By implementing SSL/TLS inspection at network boundaries, organizations can decrypt traffic using man-in-the-middle techniques. This allows deep packet inspection while maintaining a comprehensive view of network communications. However, this approach requires careful implementation to balance security needs with privacy considerations.
Behavioral analysis
Threat Intelligence correlation
Network packet capture data can be cross-referenced with threat intelligence feeds. IP reputation, known malicious infrastructure, and emerging threat indicators can be matched against network communication metadata, providing proactive threat detection capabilities.
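As an added example (not code from the original post), here is a small Python script that applies both the metadata signals listed under "What metadata can reveal" and the threat-intelligence correlation described above to flow records derived from captured traffic, without ever looking at an encrypted payload. It flags suspiciously regular connection intervals (beaconing), outbound byte volumes far above the norm, and destinations that match an indicator list. The flow records, the 60-second beacon interval, the 100x volume factor and the indicator IPs are all constructed for illustration; in practice the records would come from your capture sensor's flow output and the indicators from your threat-intelligence feed.

```python
"""Metadata-only analysis of flow records from an encrypted-traffic capture.

Added example, not code from the original article. Every record and
indicator below is constructed; field names follow a generic flow-record
shape (start time, endpoints, port, protocol, duration, bytes sent).
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, median, pstdev


@dataclass(frozen=True)
class Flow:
    ts: float          # flow start, seconds since epoch (constructed values)
    src: str           # internal source IP
    dst: str           # external destination IP
    dport: int         # destination port
    proto: str         # transport protocol
    duration: float    # seconds the flow stayed open
    bytes_out: int     # bytes sent by src


# Constructed sample: one host checking in to 203.0.113.7:443 roughly every
# 60 s with a second of jitter, one very large outbound transfer, and a few
# ordinary-looking connections for background noise.
SAMPLE_FLOWS = [
    Flow(1_700_000_000 + 60 * i + (i % 2), "10.0.0.5", "203.0.113.7", 443, "tcp", 0.8, 900)
    for i in range(10)
] + [
    Flow(1_700_000_050, "10.0.0.8", "198.51.100.20", 443, "tcp", 900.0, 750_000_000),
    Flow(1_700_000_010, "10.0.0.5", "192.0.2.10", 443, "tcp", 2.5, 4_000),
    Flow(1_700_000_300, "10.0.0.9", "192.0.2.11", 443, "tcp", 1.2, 2_200),
    Flow(1_700_000_400, "10.0.0.9", "203.0.113.99", 8443, "tcp", 0.3, 120),
]

# Constructed indicator set standing in for a threat-intelligence feed.
IOC_IPS = {"203.0.113.99"}


def find_beacons(flows, min_count=6, max_cv=0.15):
    """Return (src, dst, dport) -> mean interval for suspiciously regular check-ins.

    Regularity is measured as the coefficient of variation (stdev / mean) of
    the gaps between flow start times. Human-driven browsing is bursty; a
    scheduled C2 check-in keeps a near-constant interval even under TLS.
    """
    starts = defaultdict(list)
    for f in flows:
        starts[(f.src, f.dst, f.dport)].append(f.ts)
    beacons = {}
    for key, times in starts.items():
        if len(times) < min_count:
            continue                      # too few samples to call it periodic
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def find_volume_outliers(flows, factor=100):
    """Return flows whose outbound bytes exceed `factor` times the median flow."""
    baseline = median(f.bytes_out for f in flows)
    return [f for f in flows if f.bytes_out > factor * baseline]


def match_threat_intel(flows, ioc_ips):
    """Return flows whose destination appears in the indicator set."""
    return [f for f in flows if f.dst in ioc_ips]


def analyze(flows, ioc_ips=IOC_IPS):
    """Run all three metadata checks and return their findings as plain tuples."""
    return {
        "beacons": find_beacons(flows),
        "volume_outliers": [(f.src, f.dst, f.bytes_out) for f in find_volume_outliers(flows)],
        "ioc_matches": [(f.src, f.dst, f.dport) for f in match_threat_intel(flows, ioc_ips)],
    }


if __name__ == "__main__":
    for name, findings in analyze(SAMPLE_FLOWS).items():
        print(f"{name}: {findings}")
```

The thresholds are the tunable part: `max_cv` controls how much jitter a beacon may have before it looks like normal traffic, and `factor` sets how far above the median a transfer must be before it is worth an analyst's time. Both are deliberately conservative here so that the constructed noise flows produce no findings.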
Practical use cases
Despite encryption challenges, network packet capture remains invaluable in several scenarios:
- Detecting potential lateral movement within networks
- Identifying communication with known malicious infrastructure
- Understanding attacker reconnaissance techniques
- Providing forensic evidence during incident investigations
- Monitoring compliance and policy enforcement
The future of network packet capture
As network technologies continue to evolve, packet capture techniques are becoming more sophisticated. Emerging technologies like encrypted DNS, quantum-resistant encryption, and advanced network segmentation will require continual adaptation of packet analysis methodologies.
If it’s so valuable, why don’t a lot of the big players in the SIEM world offer it?
There are two main issues when it comes to network packet capture, the first of which is storing the data.
Imagine you have a 40GBps fibre backbone in your network. Multiply the bandwidth usage by 60 to convert to GB per minute, multiply by 60 again for an hourly figure, then by 24 to get a daily storage requirement. If you are using even half of that bandwidth, the storage you need when this is written to disk will be huge. Multiply that number by your required retention period, say 30 days, and you can see how this begins to get very expensive indeed. If you’re running a SIEM in the cloud, or worse from a cloud SIEM provider, you are going to start seeing some huge bills.
The second issue with capturing network packet data in relation to a SIEM is that there’s often a need to install an appliance (server) and to reconfigure a mirrored network port. These days, a lot of IT engineering is just configuring software in the cloud. Setting up packet capture is often an old-school, physical sort of process. You may need to outsource some networking assistance or buy some equipment to make this work.
My feeling is that a lot of the cloud SIEM providers don’t want to get involved with this sort of data. It can be difficult to set up and involves more engineering time than a SaaS supplier might want to devote to their customers. They’d far rather their customers ingested SaaS logs and Endpoint Agent logs. But then they’d be missing a trick.
Imagine that you have a user who clicks a malicious link in a phishing email and installs some malware. Your SaaS email logs will tell you which user received that email, and your endpoint logs might tell you which machine they accidentally installed the malware on. However, you won’t know what that piece of malware is doing until it triggers another endpoint alert when it pops up on another machine. The network packet data will tell you exactly where it has traversed your network, over what ports, and what the payload was.
The best thing you can do in terms of quality security visibility is to combine SaaS, Endpoint and Network Logs together to build the full picture of what’s occurring on your estate.
Want to chat further about network packet capture? Want to tell me I’m wrong? Get in touch for a complimentary chat.