Network packet captures (pcaps) are widely accepted as one of the most fundamental resources cybersecurity professionals use to perform digital forensics and incident response (DFIR). It is extremely valuable for NetSecOps teams to look at packets directly, to pivot into capture data from summary and logging tools like Zeek, and to run capture data through intrusion detection (IDS) software like Suricata.
What makes pcaps so valuable is that they contain a complete record of events on the network. That same completeness makes them a sensitive asset that must itself be protected. When planning the NetSecOps workflow around pcaps, teams should also plan how the pcaps themselves will be organized and secured. Here are a few things to consider when working with highly sensitive network data.
A great deal of confidential data crosses enterprise networks every day. This data includes customer records, financial transaction data, sales forecasts, HR and personnel information, login credentials, product plans, patent and trademark documents, research materials, bug reports, emails, chats, calls... and that’s not even an exhaustive list.
Any of this data can end up in capture files. A spreadsheet emailed by the CFO? Yes. A VoIP phone call between the company president and the company’s legal counsel? Yes. Confidential design plans for a daring new product? Yes, again.
Even when the network traffic itself is encrypted, that does not address every risk of a capture file falling into the wrong hands. Fields that are never encrypted in a capture (network addresses, port numbers, and some low-level OS and protocol metadata) still give an attacker a valuable map of the network infrastructure.
It’s important to realize that network captures can and will contain sensitive information, and they should be treated as confidentially as the information itself. However, their value in network troubleshooting and digital forensics outweighs the risk, provided that risk is properly mitigated.
As powerful as pcaps are, they are (unfortunately) often regarded as something only experts deal with. Because of this, and because of the proliferation of specialized and esoteric tools, capture files end up on the workstations of operations center personnel and field technicians who generate them for their own work. Those files then get passed around as email attachments, through file-sharing services, or even over plain FTP. We’ve even seen one organization sending all of its captures over FTP to an IT employee’s private server in their house!
Commonly known as “shadow IT,” this behavior occurs when workflows that are not well known or well documented by an organization run up against personnel who are just trying to get their job done.
Many government regulations require that sensitive information about a company and its customers be secured. Perhaps the most well-known in the United States is the Health Insurance Portability and Accountability Act of 1996 (HIPAA), which requires medical information about patients to be protected at all times. Similar requirements exist for financial information (e.g., Sarbanes-Oxley) and, in Europe, under the General Data Protection Regulation (GDPR), which also treats identifying information such as a customer’s IP address as data that must be kept confidential.
Securing network capture files can be done by following some simple guidelines.
The first step is to get control of your packet capture assets by putting them in a centralized, secure location that is protected by your organization’s digital security policies. Many companies use cloud services for data storage, and that is fine for pcaps too, as long as the service meets your organization’s security requirements.
Make sure that it is part of your company policy to remove pcap files from local sources. The ideal case, of course, is to have packet captures sent automatically from the capture source to your central pcap storage without ever needing to store them locally.
Network packet captures should never be transferred via email or any other insecure channel. Every system that holds an additional copy of the file is another chance to lose control of it, which is also why most organizations have done away with USB flash drives and other “sneakernet” practices.
This has the immediate benefit of reducing the proliferation of sensitive pcap data to systems where it doesn’t belong. In addition, it makes it significantly easier for your team to use pcap data in their investigations.
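One concrete way to act on the "remove pcap files from local sources" step is to sweep workstations for capture files that should already have been centralized. The following is an added example (not CloudShark's code): it recognises pcap and pcapng files by their magic numbers rather than their extension, so captures saved under misleading names are still found, and records a SHA-256 so the central repository can confirm it holds an identical copy before the local one is deleted. The files written by `demo()` are constructed samples.

```python
"""Find capture files that have strayed onto a local workstation (added
example, not CloudShark's code). Captures are recognised by their magic
numbers rather than extension, so renamed copies are found too."""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional

# libpcap magic (microsecond/nanosecond, both byte orders) and the pcapng
# Section Header Block type; pcapng also carries a byte-order magic at 8..12.
PCAP_MAGICS = {b"\xa1\xb2\xc3\xd4": "pcap", b"\xd4\xc3\xb2\xa1": "pcap",
               b"\xa1\xb2\x3c\x4d": "pcap-ns", b"\x4d\x3c\xb2\xa1": "pcap-ns",
               b"\x0a\x0d\x0d\x0a": "pcapng"}
PCAPNG_BOM = (b"\x1a\x2b\x3c\x4d", b"\x4d\x3c\x2b\x1a")

def classify_capture(path: str) -> Optional[str]:
    """Return the capture format of `path`, or None if it is not a capture."""
    with open(path, "rb") as fh:
        head = fh.read(12)
    fmt = PCAP_MAGICS.get(head[:4])
    if fmt == "pcapng" and head[8:12] not in PCAPNG_BOM:
        return None  # starts like a Section Header Block but is not one
    return fmt

def find_stray_captures(root: str) -> List[Dict[str, object]]:
    """Walk `root` and report each capture with its size and SHA-256, so the
    central repository can confirm its copy before the local one is deleted."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            fmt = classify_capture(path)
            if fmt is None:
                continue
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            findings.append({"path": path, "format": fmt,
                             "size": os.path.getsize(path), "sha256": digest})
    return findings

def demo() -> List[Dict[str, object]]:
    """Constructed sample: a real .pcap, a pcapng hidden as .txt, a text file."""
    root = tempfile.mkdtemp()
    # 24-byte little-endian pcap global header: v2.4, snaplen 65535, Ethernet.
    pcap_hdr = b"\xd4\xc3\xb2\xa1\x02\x00\x04\x00" + b"\x00" * 8 + b"\xff\xff\x00\x00\x01\x00\x00\x00"
    # 28-byte little-endian pcapng Section Header Block, section length -1.
    shb = b"\x0a\x0d\x0d\x0a\x1c\x00\x00\x00\x4d\x3c\x2b\x1a\x01\x00\x00\x00" + b"\xff" * 8 + b"\x1c\x00\x00\x00"
    for name, data in (("trace.pcap", pcap_hdr), ("notes.txt", shb), ("readme.md", b"hi")):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return find_stray_captures(root)
```

Run against a user profile or a field technician's working directory, the report lists what still needs to be uploaded to central storage and then removed locally.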
In CloudShark Enterprise, this is the function of the packet capture repository feature. Users can add their captures directly to your CloudShark Enterprise system by dragging and dropping or through CloudShark’s upload API that works with Wireshark and many other devices and tools.
Access control is a key component of cyber security and should be applied to your pcap assets as well. Make sure that the personnel who are authorized to perform these investigations are the ones with permission to access your pcap files, and use user/group management systems to make this easier.
While this will give you the security benefits of access control around your pcaps, it also means you are organizing your pcap data so that it has the right context for your NetSecOps personnel. Use this to your advantage! Organizing your pcaps by department, incident number, or other information will help make sure your team is working with the right data for the right problem.
CloudShark Enterprise handles this via its robust user/group management system that can work with external authentication services. In addition, the capture repository allows tagging pcaps to organize your data properly and search capabilities to find what you need.
It is often said that inconvenience is the enemy of security, and disorganized, informal practices around network capture files make them a common casualty of shadow IT. Pcaps are such a powerful asset for investigative work that it’s in your best interests to design at least part of your DFIR workflow around them.
You can mitigate the informal practices that lead to security issues, and make captures more useful for DFIR, by making them easier to work with from the start. Give your NetSecOps teams the ability to gather pcap data, organize it, and collaborate on it with their colleagues and your customers. They will thank you for it, and you will be ensuring that captures are used securely and effectively.
You can find additional tips for helping your NetSecOps team collaborate with pcaps in our latest infographic.