Packets don't lie: how to expose the DNA of a cyber attack

In the event of a cyber-attack, the ability to quickly and accurately quantify the impact of the incident is paramount

In the event of a cyber-attack, the ability to quickly and accurately quantify the impact of the incident is paramount. As demonstrated recently in the case of several high-profile data breaches, failure to understand and communicate a breach so can have a disastrous effect on customer trust and retention, and ultimately, revenue.

In a landscape where cyber crime has become prolific, hindsight is truly a wonderful thing and perhaps a company's most powerful weapon. When investigating a breach, normally information security analysts are faced with attempting to reconstruct events by gathering data from a range of sources, including log files, high-level network traffic summaries (NetFlow) and several different security monitoring tools.

As you can imagine, it can be a painfully slow and often inconclusive process, and companies are often left with a backlog of unresolved incidents that continue to pose unknown threats.

Successfully dealing with attacks means being able to quickly understand how and when they've occurred, the vulnerabilities that allowed them to happen in the first place and what data and systems were exposed and possibly breached.

Without this level of network visibility, companies stand little chance of being able to respond appropriately, or preventing future attacks. This is where network recording of raw data steps in: but what exactly does it entail, and how can it help businesses around the globe?

Taking stock of your network traffic

Communications between the various components across your infrastructure - for example servers, desktops, laptops, and mobile devices - are captured as streams of network 'packets' that travel across your network. These packets contain raw information including where the traffic originated from, where it is destined to go and the 'payload', or actual data, being transmitted.

Packets act as a 'single source of truth' and the upside is twofold: you've got a comprehensive source of raw data for the investigation of network security issues, and you can also look at data from a performance issue point of view in order to pinpoint and solve issues that may affect performance.

Here are two typical scenarios where it really comes into its own:

Scenario 1: You've been breached, and it's time to alert your customers to the compromise in data security. On the plus side, with a month's worth of raw network data to analyse, you're able to do more than tell them that a breach has happened. You can find out exactly when it happened, and where the offenders were able to tap into your network. You can also likely determine whether any ‘reconnaissance' happened before the breach, exactly what data was taken, and how and where it was extracted.

It's a powerful subset of information to have when communicating with customers, and for making security stronger.

Scenario 2: Your network is experiencing serious performance issues that are preventing you from servicing customers. If the problem is not your ISP, it could well be that your network is not the problem at all. By analysing packet data, companies are often quickly able to determine and fix common performance issues, such as problems with how applications interact with a given database.

Integration is key

Often it's the number of security solutions an organisation has that makes it difficult to get a coherent, single view of threats and activity on a network. This points to the need for better integration.

This process doesn't need to be complicated, or involve implementation of new infrastructure. By integrating network recording capabilities with the tools that they are already using, analysts can jump directly from alerts in those tools to examine the underlying packet-level network history and see exactly what has taken place. This makes for streamlined investigations; and helps analysts to eliminate false positives and identify, prioritise and respond to the real threats more quickly.

In the race to stay even remotely on top of cyber crime and to win market share with top performance, organisations don't need to re-invent the wheel or become cyber DNA sequencing specialists. With raw data available that holds many of the answers to today's breaches and performance issues, companies are in a great position to harness hindsight quickly and fix security weaknesses and performance problems faster than ever before.

Cary Wright is the VP of product management at Endace