
Why Packet Capture is Important for Cybersecurity

The threat landscape faced by organizations is sophisticated and ever-changing. Cybercriminals use elaborate techniques to avoid detection. In many attacks, their goal is to gain access and stay hidden on the compromised systems for as long as possible. This is known as an advanced persistent threat. It contrasts with more immediate and destructive attack types like ransomware.

The sophisticated and stealthy methods used by bad guys for advanced persistent threat attacks require an equally sophisticated response from cybersecurity defenders. Monitoring the network for anomalous behavior is key to this, alongside other defensive strategies. There are two main ways to monitor network activity to detect threats and attacks: log file capture & analysis and packet capture & analysis.

Log file capture is a largely historical analytical process. The logs tell you what happened in the past at a certain level of detail. Many log analysis systems try to shorten the time between capture and analysis, but they still present past events. Useful, but not enough to combat modern threat actors. Packet capture (PCAP) allows for real-time analysis of what is happening on the network and IT systems right now. It also enables suspicious events to be analyzed in greater depth later if the packet data is still stored.

What is PCAP?

PCAP captures network packets traveling over the network, analyzes them in real time, and makes the information available to cybersecurity experts in a useful format. PCAP systems also write copies of the captured packets to disk for analysis in the future should the need arise.

Depending on the level of data capture performed (full packet capture is everything and partial packet capture is a subset), the amount of storage required can be significant. This can influence how long the captured packets get retained. Scaling PCAP systems is a complex problem. Critical Insight has expertise in this task and the experience to design and implement a suitably sized PCAP system for every organization.

PCAP is an ideal solution for detecting advanced persistent threats and other attacks that hide their activities from network monitoring. All cyber-attacks put command and control traffic onto the network. This can be internal traffic as infected systems communicate or search for new hosts to attack. It can also be external traffic out onto the Internet as malware tries to communicate with attackers' systems or exfiltrate stolen data. PCAP enables the detection of this traffic and can alert cybersecurity professionals to its presence.

PCAP allows for all the information in a network packet to be inspected. This enables cybersecurity professionals to get complete details of the sending host, the target destination, the data payload carried, and more. Analysts can use this information to replay events and determine what has happened. For example, Critical Insight's experts recently used PCAP to get to the bottom of some strange DNS activity on a client network.
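To make the "inspect every field" idea concrete, here is an added example (not Critical Insight's code) that builds a small libpcap-format capture in memory from constructed DNS query frames, walks the Ethernet/IPv4/UDP/DNS headers to recover sending host, destination and query name, and applies a simple heuristic for odd DNS activity. The 40/100-character thresholds and the addresses are assumptions for the demo, not values from the article.

```python
import struct

def build_pcap(frames):
    """Wrap raw Ethernet frames in libpcap file format (constructed capture for this demo).
    Global header: magic, version 2.4, tz 0, sigfigs 0, snaplen 65535, linktype 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def build_dns_query(src_ip, dst_ip, qname):
    """Ethernet/IPv4/UDP/DNS A-query frame; MACs and checksums are placeholders (constructed)."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    dns = struct.pack(">HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"
    udp = struct.pack(">HHHH", 40000, 53, 8 + len(dns), 0) + dns
    ip = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00" + ip + udp

def parse_qname(q):
    """Decode a DNS name from length-prefixed labels (queries carry no compression pointers)."""
    labels, i = [], 0
    while q[i]:
        labels.append(q[i + 1:i + 1 + q[i]].decode())
        i += 1 + q[i]
    return ".".join(labels)

def parse_pcap(data):
    """Return (ts, src_ip, dst_ip, dst_port, qname) for each IPv4/UDP packet in the capture."""
    assert struct.unpack_from("<I", data, 0)[0] == 0xA1B2C3D4, "expects little-endian pcap"
    off, records = 24, []
    while off + 16 <= len(data):
        ts, _, incl, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if frame[12:14] != b"\x08\x00" or frame[23] != 17:   # keep IPv4 carrying UDP only
            continue
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        udp = frame[14 + ihl:]
        dport = struct.unpack_from(">H", udp, 2)[0]
        qname = parse_qname(udp[20:]) if dport == 53 else None  # skip UDP (8) + DNS header (12)
        records.append((ts, src, dst, dport, qname))
    return records

def suspicious_dns(records, max_label=40, max_name=100):
    """Flag queries with very long labels or names, a common sign of DNS tunnelling or exfiltration."""
    return [(src, q) for _, src, _, _, q in records
            if q and (max(len(p) for p in q.split(".")) > max_label or len(q) > max_name)]
```

The same parser works on a real capture file read from disk, as long as it is the classic little-endian pcap format with an Ethernet link type.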

Critical Insight Can Defend Your Network with PCAP

Defenders need to be able to see the overall network picture to counter modern cyberattack methods. Many techniques contribute to the process of building this picture. PCAP is one of the most important, but it needs implementing correctly to be effective. Critical Insight has extensive experience using PCAP to analyze and protect networks across organizations of all sizes in the critical infrastructure sector.

Critical Insight can help you secure your organization's IT systems using PCAP and other techniques. Our security analysts focus on the threat landscape across healthcare, critical infrastructure, and industry. These security experts, combined with the 24x7 monitoring teams based in our security operations center, can deliver the cybersecurity expertise an organization needs to deal with threats. Contact us to find out how we can work together to secure your network.