Packet capture is becoming increasingly important, as Mark Evans, VP of marketing, Endace, explains
There's an adage amongst experienced SecOps and NetOps analysts - 'PCAP or it didn't happen' - which highlights why network packet capture data (.pcap is the common capture file format) is so crucial. Packets provide the only truly definitive evidence of performance and security issues that happen on a network. If you can't see the packets, you may never know for certain exactly what happened.
Recent widespread security vulnerabilities - such as Solarflare and Log4J 2 - have illustrated why on-demand access to packet data is so important, igniting demand for full packet capture solutions to fill the visibility gap.
Governments are also becoming aware of the importance of packet capture. The US White House has mandated that, by February 2023, all federal agencies must be able to provide access - when requested by CISA or the FBI - to a minimum of 72 hours of full packet capture data for investigating cybersecurity events.
However, there's still confusion and misinformation about why packet data is important and what the term 'packet capture' means. Some organisations believe they can do packet capture by relying on network flow data and endpoint monitoring. Others only record a handful of packets relating to specific events or use 'triggered' packet capture, because they believe it saves on storage costs.
This article seeks to clarify the confusion around packet capture, so organisations can make informed decisions.
WHY IS PACKET DATA IMPORTANT?
Packet payloads are often the only way to identify specifics: did a phishing attack compromise credentials? What data was stolen or modified in a breach? What malware was dropped on compromised hosts?
While log files and flow data can indicate that an issue has occurred, they often can't show the exact root cause of that problem. They don't provide crucial detail, such as the actual 'payload' of data an attacker may have staged and exfiltrated. This leaves SecOps and NetOps teams blind to exactly what's happening on their network.
With access to packet data, analysts can resolve problems faster and be certain about their conclusions. Packet data can also reduce analyst alert fatigue by providing the evidence necessary to tune detection systems to reduce false positive alerts and increase accuracy. It also enables analysts to prioritise, investigate and respond to events far more efficiently.
THREE TYPES OF PACKET CAPTURE
There are three types of packet capture used for security and network performance.
The first, originally called 'packet sniffing', involves connecting a device to the network when a specific problem occurs so engineers can record ('sniff') small amounts of packet data to troubleshoot the problem. It's often referred to as 'ad-hoc' packet capture.
The second type of packet capture is called 'triggered packet capture' and happens when packet recording is only enabled in response to specific events - such as security alerts. Packet data relating to that event is then recorded to provide evidence for analysts for future investigation.
The third and last type of packet recording is where all packets traversing the network are recorded and stored for as long as available storage allows. This is referred to as 'continuous' packet capture.
PROS AND CONS OF AD-HOC, TRIGGERED AND CONTINUOUS PACKET CAPTURE
Each type of packet capture can be useful. However, for enterprise cybersecurity purposes, both ad-hoc and triggered packet capture are problematic.
Ad-hoc packet capture is insufficient for most security uses, because it relies on packet recording being implemented and enabled post-event - by which point evidence of crucial parts of an attack has typically already been missed. It's like turning on a surveillance camera after you've been burgled. Similarly, triggered packet capture is problematic because it assumes you can predict ahead of time what traffic you might need to record. Who could have foreseen the Solarflare attack, or how it would play out, before it happened?
Continuous packet capture is the only reliable way to ensure that all the critical evidence of cybersecurity events is recorded. However, deploying continuous packet capture requires careful planning.
STORAGE
Accurately recording traffic continuously across an entire network requires dedicated recording infrastructure with significant capacity - often petabytes - to record days, weeks, or months of traffic. In the past, the cost of this infrastructure limited the widespread adoption of full packet capture to the largest enterprises, or to specific industries - such as banking, telecommunications, government and military - where access to recorded packet data was considered essential regardless of cost. Thankfully, increased compute capacity, reduced storage costs, and new technologies like hardware compression mean continuous packet capture is now affordable for most organisations.
How much storage do you need? That depends on how much 'lookback' time you need or want. Typically, you'll want at least a week, and ideally a month or more. This gives SecOps and NetOps teams time to identify what packet data is important for investigating a specific issue and to archive evidence if necessary.
RAPID SEARCH AND INTEGRATION WITH OTHER TOOLS
Recorded packet data needs to be thoroughly indexed as it is captured, so analysts can quickly find traffic related to a particular host, protocol or application for a specific time period. This lets analysts quickly find what they need to complete investigations in a single, uninterrupted workflow, without requiring lengthy searches.
Ideally, access to packets should be integrated into the tools analysts already use - e.g. SIEM and SOAR, IDS/IPS and AI/ML solutions, and performance monitoring tools - so analysts can drill down from alerts to related packets quickly.
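To make the .pcap format mentioned at the start and the index-as-you-capture idea above concrete, here is an added example (not code from the article, Endace or Wireshark): a minimal reader for the classic libpcap file format that builds a per-host index so records can be found by host, IP protocol and time window. The sample capture, the `build_record` helper and the `search` function are constructed for this illustration; real recorders index far more fields (VLAN, application, flow) and persist the index rather than holding it in memory.

```python
import struct
from collections import defaultdict

# Hypothetical reader, not Endace's or Wireshark's code; handles classic little-endian
# pcap (microsecond timestamps) with Ethernet link type and indexes IPv4 packets only.
PCAP_MAGIC_LE, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1

def build_record(ts_sec, src, dst, proto, sport, dport):
    """Constructed sample record: pcap record header + Ethernet + IPv4 + TCP/UDP header."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dummy MACs, EtherType IPv4
    l4_len = 20 if proto == 6 else 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    if proto == 6:                                          # TCP SYN, no options, checksum 0
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x02, 0, 0, 0)
    else:                                                   # UDP, empty datagram
        l4 = struct.pack("!HHHH", sport, dport, 8, 0)
    frame = eth + ip + l4
    return struct.pack("<IIII", ts_sec, 0, len(frame), len(frame)) + frame

SAMPLE_PCAP = (struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
               + build_record(1000, "10.0.0.5", "192.0.2.9", 6, 51000, 443)
               + build_record(1060, "10.0.0.5", "192.0.2.53", 17, 51001, 53)
               + build_record(1120, "10.0.0.7", "192.0.2.9", 6, 51002, 443))

def index_pcap(data):
    """Parse pcap bytes into (records, host_index); a record is
    (ts, src, dst, proto, sport, dport, file_offset), the offset letting the raw packet be re-read."""
    magic, _, _, _, _, _, linktype = struct.unpack_from("<IHHiIII", data, 0)
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap: magic=%#x linktype=%d" % (magic, linktype))
    records, host_index, off = [], defaultdict(list), 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]          # short at EOF -> skipped below
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":  # IPv4 only; ARP, IPv6 etc. skipped
            ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
            src, dst = (".".join(map(str, frame[i:i + 4])) for i in (26, 30))
            l4 = frame[14 + ihl:]
            ports = struct.unpack_from("!HH", l4) if proto in (6, 17) and len(l4) >= 4 else (None, None)
            host_index[src].append(len(records)); host_index[dst].append(len(records))
            records.append((ts_sec + ts_usec / 1e6, src, dst, proto, *ports, off))
        off += 16 + incl_len
    return records, host_index

def search(records, host_index, host, proto=None, start=0, end=float("inf")):
    """Records touching `host` (as src or dst) within [start, end], optionally filtered by IP protocol."""
    return [records[i] for i in host_index.get(host, [])
            if start <= records[i][0] <= end and (proto is None or records[i][3] == proto)]
```

Because each indexed record keeps its file offset, an analyst tool can jump from a hit straight to the raw packet bytes without rescanning the capture.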
THE NEED FOR FORENSICS SKILLS
For packet data to be useful, analysts need to understand what it is showing them. Traditionally, this expertise has been limited to senior analysts, who are an increasingly scarce resource. This is another reason why integrating packet forensics into existing tools is important. With the ability to go directly from an alert to the relevant packet data, even junior analysts can quickly find what they need, making them that much more productive and effective.
For those looking to start with packet forensics, there's a wealth of useful information available. The Wireshark community (Wireshark is an open-source application that is the tool of choice for analysing packet data) and YouTube are both fantastic resources. Organisations like SANS also run many courses covering network forensics.
A FINAL WORD
Organisations need to ask themselves: 'are we properly equipped to respond confidently when a serious security breach happens?' If they lack packet data, they must accept the risks associated with the resulting lack of visibility and agility. If there's one thing that today's volatile cybersecurity landscape has taught us, it's that realising the gaps after the event is too late.