Security Magazine

Packet capture and analysis: The force multiplier in the cybersecurity battle

By Jeremy Leasher
November 25, 2020

For organizations that experience a data breach, the consequences are considerable, especially for security operations. IBM reports that over 25,000 data records are stolen in the average data breach, costing the targeted company as much as $8.64M per breach in the United States. And it takes on average a staggering 280 days between identifying and containing a data breach (known as the breach cycle).

As bad as this problem is today, the trajectory is even more dismal. FireEye, in its M-Trends 2020 report, indicated that of all the malware families it observed, 41 percent were previously unknown. This means that malware creators continually innovate beyond existing malware, making these threats even more difficult to detect.

The Digital War Challenges

So why is it so hard to fight this digital war, and why is the breach cycle so long?

The longest-lasting, most damaging, and hardest to detect are Advanced Persistent Threats (APTs). In the case of an APT, a threat actor gains unauthorized access to a network, often initially through a Business Email Compromise (BEC), the “trojan horse” that serves as the malware’s entry point. This access allows the threat actor to build a foothold on one or more machines and then remain undetected for an extended period of time, preparing for the malicious behavior. Using a combination of targeting methods, tools, and techniques, threat actors gain access to a network, often by exploiting year-old security issues that have gone unpatched or have been ignored for too long. Staying hidden for extended periods, threat actors collect additional information, implant malware to detonate later, or steal intellectual property slowly, a few bytes at a time, exfiltrating it through less monitored protocols such as DNS or outbound HTTP. And today's prevailing technology does not give security professionals the network visibility necessary for threat detection, nor to identify the combatant or even what was stolen.

This is similar to a physical break-in on your property. To determine who the intruder is, you need to know what happened before someone entered the premises, what they did while they were on your property, and how they exited. Home video surveillance systems document all of those activities and are available for review to identify the burglar. IT security teams have lacked this level of detail on organizational cyberattacks, leaving investigators ill-equipped to resolve threats.

Today’s Approach: Efficient but Ineffective

Over the last decade, IT operations have optimized the real-time analysis of network traffic and device information. To ensure security, service, and application delivery, they have predominantly relied on this real-time analysis as the most economical approach. Collecting statistical information such as NetFlow, events, or aggregated data allows for efficient storage and analysis for event detection, alarming, performance analysis, and planning.

However, it is often insufficient when it comes to detecting threats, leaving organizations vulnerable in the process.
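As an added example (not the article's or Axellio's code), the following Python collapses a constructed packet list into NetFlow-style flow records the way the statistical approach described above does, and then shows what the same packets still reveal when they are kept in full. The exporter timeout, hosts, addresses and HTTP requests are constructed for illustration.

```python
"""
Added example (not from the article or Axellio): NetFlow-style aggregation of
packets into 5-tuple flow records, next to what a full packet capture retains
from the same traffic. All packets are constructed sample data, not a real trace.
"""
from dataclasses import dataclass

# Hypothetical exporter setting: silence longer than this closes a flow record.
INACTIVE_TIMEOUT = 15.0


@dataclass(frozen=True)
class Packet:
    ts: float
    src: str
    dst: str
    proto: str
    sport: int
    dport: int
    payload: bytes


@dataclass
class FlowRecord:
    key: tuple          # (src, dst, proto, sport, dport)
    first_seen: float
    last_seen: float
    packets: int
    octets: int


def aggregate_flows(packets, inactive_timeout=INACTIVE_TIMEOUT):
    """Collapse packets into unidirectional flow records keyed by the 5-tuple.

    Like a NetFlow exporter, the record keeps only counters and timestamps: the
    payload length is added to the octet counter and the bytes themselves are
    dropped. A gap longer than inactive_timeout closes the record and a new
    one starts for the same 5-tuple.
    """
    open_flows = {}
    finished = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        key = (p.src, p.dst, p.proto, p.sport, p.dport)
        rec = open_flows.get(key)
        if rec is not None and p.ts - rec.last_seen > inactive_timeout:
            finished.append(open_flows.pop(key))
            rec = None
        if rec is None:
            rec = FlowRecord(key, p.ts, p.ts, 0, 0)
            open_flows[key] = rec
        rec.last_seen = p.ts
        rec.packets += 1
        rec.octets += len(p.payload)
    finished.extend(open_flows.values())
    return finished


def http_request_lines(packets):
    """What the packet capture still holds: the request line and Host header of
    every outbound HTTP request, in order. A flow record cannot answer this."""
    found = []
    for p in sorted(packets, key=lambda pkt: pkt.ts):
        if p.dport != 80 or not p.payload.startswith((b"GET ", b"POST ")):
            continue
        head = p.payload.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
        lines = head.split("\r\n")
        host = next((ln.split(":", 1)[1].strip() for ln in lines[1:]
                     if ln.lower().startswith("host:")), "")
        found.append((p.ts, lines[0], host))
    return found


def sample_packets():
    """Constructed trace: a workstation pushes a 40-byte POST to an outside host
    every 10 s over one keep-alive connection, goes quiet for 50 s, sends one
    more, and later fetches an intranet page."""
    drop = b"POST /u HTTP/1.1\r\nHost: drop.example\r\nContent-Length: 40\r\n\r\n" + b"x" * 40
    pkts = [Packet(1000.0 + 10 * i, "10.0.0.7", "203.0.113.5", "tcp", 51000, 80, drop)
            for i in range(6)]
    pkts.append(Packet(1100.0, "10.0.0.7", "203.0.113.5", "tcp", 51000, 80, drop))
    pkts.append(Packet(1400.0, "10.0.0.7", "198.51.100.9", "tcp", 52000, 80,
                       b"GET / HTTP/1.1\r\nHost: intranet.example\r\n\r\n"))
    return pkts


if __name__ == "__main__":
    pkts = sample_packets()
    for f in aggregate_flows(pkts):
        print(f"flow {f.key}: {f.packets} packets, {f.octets} octets, "
              f"{f.first_seen:.0f}-{f.last_seen:.0f}")   # counters only
    for ts, line, host in http_request_lines(pkts):
        print(f"{ts:.0f} {line} host={host}")             # payload detail survives
```

Running it prints three flow records (the six-packet burst to 203.0.113.5, the single packet after the quiet period, and the intranet fetch) with nothing but counters, whereas the packet list still yields every request line and Host header. That difference is the whole argument for retaining packets: the flow record shows that 600 octets went somewhere, the capture shows what they were.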

Just a Snapshot Available

Unlike ordinary home video security systems, most organizations’ security systems offer only a snapshot of a network intrusion, with no context of the breach. The details necessary to get to the root cause and mitigate the threat quickly are lacking. When security professionals are notified of a data breach, they cannot see what happened before the intrusion, during the intrusion, or after. Without this insight, they cannot effectively analyze the intrusion. They are left to take a highly reactive security operations approach, reviewing log files from all the endpoints connected to their network, which may offer proof that an event happened or that an intrusion took place, but are insufficient to determine what actually happened. Security teams operate in a constant firefighting mode and are vulnerable to insider and persistent threats, and potentially to stolen Intellectual Property (IP) or even ransomware attacks.

Packet Capture and Analysis Provides Full Network Visibility

Even though log analysis and correlation from various sources is somewhat successful in detecting more general intrusions, it is often futile in detecting APT activities. While APT activities are stealthy and hard to detect, the command-and-control network traffic associated with an APT can be detected at the network layer with packet capture methods.

PCAP, or packet capture, is an Application Programming Interface (API) that captures all live network traffic at the most basic level of detail. PCAP provides all packet information from the Ethernet header all the way to the application payload, giving full visibility of the application and network interaction, pre- and post-event, and back-in-time analysis.
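The claim that PCAP carries everything from the Ethernet header to the application payload, and the earlier point about data leaving a few bytes at a time over DNS, can both be shown on a small capture. The code below is an added example, not the article's or any vendor's code: it builds a classic libpcap file in memory from constructed packets, parses each record down to the DNS question name, and applies a simple entropy-and-count heuristic of the kind a defender runs over a retained capture. The addresses, domain names, chunk encoding and thresholds are constructed assumptions.

```python
"""Added example (not from the article or Axellio): a minimal reader for the
classic libpcap format that walks each frame from the Ethernet header to the
DNS question name, then applies a heuristic for slow DNS-based exfiltration.
The capture is built in memory from constructed packets, not a real trace."""
import math
import struct
from collections import Counter, defaultdict

PCAP_MAGIC, ETH_P_IP, IPPROTO_UDP = 0xA1B2C3D4, 0x0800, 17


def dns_query(qname, txid=0x1234):
    """DNS wire-format query: 12-byte header, length-prefixed labels, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def udp_frame(src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + IPv4 + UDP around payload (checksums left zero; fine for offline parsing)."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETH_P_IP)
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, IPPROTO_UDP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + struct.pack("!HHHH", sport, dport, udp_len, 0) + payload


def pcap_bytes(frames):
    """Wrap (timestamp, frame) pairs in a pcap global header plus per-record headers."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)]  # linktype 1 = Ethernet
    for ts, frame in frames:
        sec = int(ts)
        out.append(struct.pack("<IIII", sec, round((ts - sec) * 1_000_000), len(frame), len(frame)) + frame)
    return b"".join(out)


def sample_capture():
    """Constructed traffic from one workstation to its resolver: three normal lookups plus
    eight queries whose subdomain stands in for a hex-encoded chunk (rotated hex digits)."""
    hexd, frames = "0123456789abcdef", []
    for i in range(8):
        chunk = hexd[i:] + hexd[:i]
        frames.append((1000.0 + 30 * i, udp_frame("10.0.0.7", "10.0.0.53", 40000 + i, 53,
                                                   dns_query(f"{chunk}.exfil.example"))))
    for i, name in enumerate(["www.example.com", "mail.example.com", "cdn-assets.example.net"]):
        frames.append((1005.0 + 30 * i, udp_frame("10.0.0.7", "10.0.0.53", 41000 + i, 53,
                                                   dns_query(name))))
    return pcap_bytes(sorted(frames, key=lambda f: f[0]))


def read_pcap(data):
    """Yield (timestamp, frame bytes) for each record of a little-endian classic pcap."""
    if struct.unpack_from("<I", data, 0)[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack_from("<IIII", data, off)
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def dns_question(frame):
    """Walk Ethernet -> IPv4 -> UDP -> DNS; return (src_ip, dst_ip, qname) for a query to port 53."""
    if len(frame) < 42 or struct.unpack_from("!H", frame, 12)[0] != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[14 + 9] != IPPROTO_UDP:
        return None
    src, dst = ".".join(map(str, frame[26:30])), ".".join(map(str, frame[30:34]))
    udp = 14 + ihl
    if struct.unpack_from("!HH", frame, udp)[1] != 53:
        return None
    p, labels = udp + 8 + 12, []          # skip the UDP header and the DNS header
    while p < len(frame) and frame[p] != 0:
        n = frame[p]
        if n & 0xC0:                      # compression pointer: not valid in a question name
            return None
        labels.append(frame[p + 1:p + 1 + n].decode("ascii", "replace"))
        p += 1 + n
    return src, dst, ".".join(labels)


def shannon_entropy(s):
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values()) if s else 0.0


def flag_dns_exfil(data, min_queries=5, min_entropy=3.5):
    """Group queries by (source, last two labels) and report pairs carrying at least
    min_queries distinct high-entropy subdomains. Returns {(src, suffix): count}."""
    seen = defaultdict(set)
    for _ts, frame in read_pcap(data):
        q = dns_question(frame)
        if q is None:
            continue
        src, _dst, qname = q
        parts = qname.split(".")
        if len(parts) < 3:
            continue
        suffix, sub = ".".join(parts[-2:]), ".".join(parts[:-2])
        if shannon_entropy(sub) >= min_entropy:
            seen[(src, suffix)].add(sub)
    return {k: len(v) for k, v in seen.items() if len(v) >= min_queries}
```

Calling `flag_dns_exfil(sample_capture())` returns `{('10.0.0.7', 'exfil.example'): 8}`: the three ordinary lookups have low-entropy subdomains and drop out, while the eight chunk-carrying queries are grouped under their shared suffix. The same queries summarized as a flow record would be one UDP/53 conversation of eleven packets, which is exactly the detail that a capture keeps and a summary loses. The thresholds are deliberately simple; in production they would be tuned against the organization's own DNS baseline.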

PCAP capture and analysis tools have not previously been widely implemented, primarily because of high storage costs and the inability to analyze large amounts of data in real time. But now, with solid-state storage costs drastically reduced, NVMe-based storage able to keep up with high-speed network traffic, and advances in capture and analytics capabilities, the footprint and economics of packet capture solutions have significantly improved, rendering them market-ready.

Let’s go back to the home video security analogy. Five years ago, when people wanted a full home security system, it was too expensive, cumbersome, and hard to install, and it required wires, so people went without. But now you can go online, purchase an inexpensive wireless home security system with numerous cameras and door lock notifications, and set it up in fifteen minutes. We are now at that point with PCAP and analysis tools. They have the unique ability to provide packet-level insight, which in turn reduces the time to identify root cause, the cost of downtime, and the overall impact of a data breach.

The most advanced PCAP capture systems also buffer the security monitoring infrastructure from traffic spikes and traffic growth to ensure reliable results, avoiding overload situations that lead to data loss and unnoticed intrusions.

Cyberattacks Getting More Sophisticated, Tools Need to Keep Up

APTs and BECs are getting more sophisticated every day. It is difficult for intrusion detection systems to keep up with cybercriminals’ evolving techniques. It is not enough for security teams to focus on just preventing the intrusion. It is critical for them to quickly detect an intrusion, mitigate the situation, and prevent similar attacks from happening again.

Furthermore, with a BEC, the initial email is just one component of the threat. The hacker can then use the target's email and name to send spear-phishing attacks, and the number of people affected can grow exponentially. Often threats are not overt but subtle and camouflaged, and these threats can be just as perilous. Packet capture solutions can tell the entire story of the attack: how and when the hacker entered the system, what was stolen, and who else was targeted. You then have the digital fingerprints and footprints of the interactions to pass on to the authorities for investigation.

With a growing number of devices on the network, more business conducted online, and the escalation of remote work and learning, traffic is skyrocketing. Remote work specifically exposes endpoints to infrastructure outside the IT security perimeter, increasing the opportunities for threat actors to gain access to the enterprise environment undetected. PCAP capture and analysis systems allow an organization to take its existing security ecosystem to the next level. They can be an organization’s force multiplier, in both technology and staff, in the digital war.

Jeremy Leasher, Security Solutions Architect, Axellio, is a security professional with wide-ranging experience within the DoD and Commercial sectors. He is currently a CW3 in the National Guard and highly seasoned in areas of threat hunting, digital forensics and incident response.