Packets Don’t Lie: Stronger Symantec Tools for the Network Incident Fight

Seeing is believing

There are many steps that businesses can take to ensure the security of their buildings and facilities: installing strong locks on doors, putting in alarms, and using thermal sensors that can detect motion, for example. These go a long way toward making a building safer, and toward alerting authorities as soon as possible should bad actors manage to actually find a way inside a building.

But at Symantec, a division of Broadcom, we believe that while all of that is well and good, there are also some basic security measures that shouldn’t be overlooked. For example, cameras and digital video recording (DVR) equipment can catch criminals in the act, and help provide proof of who exactly broke into that facility—and more importantly, how. In the end, seeing is not only believing, it is understanding. 

Packets Don’t Lie

The same concept can be applied to network security. Various threat detection and response (EDR, NDR, XDR, …) systems are currently getting a lot of attention, and along with prevention solutions, they will remain an essential part of cyber security controls. But to get to the end of a network attack investigation, investigators need the details that can only be provided by network forensic tools based on full packet capture. Packets don’t lie. And like the physical security system that incorporates security cameras and video recordings into its operations, packet capture technology can lay out all the evidence of an attack for investigators to see.

The SANS Institute demonstrates the importance of network forensics in security investigations in a new white paper “Packets, or It Didn’t Happen: Network-Driven Incident Investigations.” In this paper, The SANS Institute looks at the necessity of having a full security and forensic solution, including packets, in order to provide the best-possible method of attack protection, prevention and assessment.

Alan Hall, Director of Product Marketing for Symantec Network Information Security, will join a discussion of the paper during a SANS Institute webinar with SANS instructor and author Jake Williams at 2 p.m. ET on Thursday, May 20. Among the topics to be discussed will be how endpoint anti-forensic activities can be confirmed with packet capture-based network forensics.

Trust the Experts

Symantec’s expertise in such network security matters earned the company acknowledgement from analysis firm KuppingerCole as a Leader in Network Detection and Response in four categories—Innovation, Market, Product and Overall Leadership. In its report, KuppingerCole said that Symantec’s NDR solution is “top-notch, covering all the basics plus providing supports for advanced use cases requiring full packet decryption and analysis and sandboxing.”

When it comes to hunting down threats on the network, there is a greater volume of data to assess. But with such data, investigators only have to deal with the portion that is relevant to their threat hunt. On the endpoint, by contrast, everything from registries to file systems to running processes can act like a highway for bad actors to infiltrate enterprise systems. The endpoint offers a place for attackers to hide, but attackers there still have to get on the network if they want to communicate or exfiltrate data. When it comes to data theft, it’s rare for endpoint forensics alone to determine what data was taken. But, to reiterate, packets never lie. An appropriate network traffic capture can provide answers to many of the questions regarding what was done on the endpoint.

The Real World

Let’s consider this in the context of the recent cyber attack launched against the Colonial Pipeline. The 5,500-mile conduit, which connects the U.S. Gulf Coast to the Northeast and transports about 45% of the East Coast’s fuel, was taken offline on May 7 following a ransomware attack attributed to DarkSide, according to the FBI. Thus far, using after-the-fact forensic techniques, investigators have been able to determine who the threat actors were and what data was affected. However, without pre-positioned network forensics, it will take a long time to understand how the attackers broke in, and remediation efforts will necessarily rely on exhaustive examination and strengthening of system controls. Simply put, network forensics is part of the fastest path to understanding not only the “who” and “what” of a cyber attack, but also the “how.”

When it comes to network forensics solutions, organizations have often felt implementing such projects was outside the scope of what they could afford and manage. At Symantec, we have lowered the barriers to entry with our Intelligent Capture functionality and made packet capture more cost effective, more relevant, and worth implementing now.

About the Author

Bryan Cardoza

Director, Security Analytics, Symantec Enterprise

Bryan is a 35-year veteran of the software industry and has worked in a variety of roles and software disciplines. Passionate about providing tools for threat hunters and forensic analysts, Bryan leads product management and R&D for Security Analytics.