The Driver Behind This
Full Packet Captures (FPCs) and NetFlow are probably the most important data you will need during an incident. FPCs contain all of the data, think of them like a DVR. FPCs record all communications over a network. FPCs allow you to reconstruct network activity between systems, allowing you to “re-play the conversation between two systems”, which you will need (note need, not want) when an incident occurs.
Like FPCs, NetFlow is just as important, similar in nature to a phone bill, NetFlow is a summary (the metadata of an FPC) associated with network communications. NetFlow will summarize which addresses talked to each other and when, what protocols were being used (e.g., web, ssh, DNS) and how much data was transferred. This data gives you the ability to track the movements of an attacker throughout the network (BTW, workstation to workstation movement is NOT AT ALL normal).
Having FPC and NetFlow available during an incident is invaluable. Without FPC or NetFlow your chances of finding all the systems an adversary has accessed is greatly handicapped, reliant more on luck than a defined capability at this point. If you miss even one compromised system, at best you may find yourself doing the exact same investigation again or, at worst, cleaning up the remnants after an adversary has decided to take a scorched earth doctrine after they have been discovered.
Processes, Practices, and Activities That Address This Question
Given the fact that Full Packet Captures (FPCs) are copies of your network traffic, prior planning inclusive of storage, use, retention and retirement/disposal of the data is extremely important. Remember, FPCs are in effect an exact copy of what is going on within your network. Initially, you will want to capture network traffic at your ingress/egress points, so make sure you have that inventory we previously talked about in the previous post. The benefit of having FPCs available is that you can extract files for analysis, identify potential data leaks, trend system behaviors, identify traffic utilization and saturation periods – long story short – you can do a whole lot!
If you can’t afford the spare storage, NetFlow is a lot easier to manage and isn’t cost prohibitive for long term storage. Additionally, you can pretty much get NetFlow relatively easily from most enterprise grade routers and switches (not just the ingress/egress points!!!). If you’re running on something other than enterprise grade equipment, you can easily capture packets using a network tap and convert it to NetFlow.
We typically recommend storing at least three months’ worth of FPC and a year’s worth of NetFlow data. This allows staff time to analyze the data and use it to find new trends, patterns and events.
- “Under provisioning storage.”
- “Not analyzing the data collected”
- “Not leveraging its availability – enable, collect and analyze it – it’s not a technical challenge!”