Thursday, August 11, 2016

FPC

Here is my opinion on FPC. 

Full packet capture can be an intrusion analyst's best friend. Consider this example: You receive an alert that an internal device accessed a piece of JavaScript on some web site and the rule says there was an object use-after-free attempt. You need to inspect that code and see if it is malicious and preferably, what occurred afterwards. 

You could use a tool like wget or Spondulas to download the code, or you could use a sand boxed machine to browse to the URI and view the source. You could put the URI into some online site checker and see what it finds. You could check the reputation of the domain.

But, what if you are capturing full packets going in and out of your network to the Internet?

You can pull up the URI in a tool like Moloch or a commercial tool, and look at the session. You can see the JavaScript as it was delivered exactly to THAT client, running that OS, using that browser and user-agent and see what happened afterwards. You can save the code off as a file to further inspect it and run the pcap through Wireshark or SteelCentral Packet Analyzer or Netwitness or some other analysis tool.

You CAN do intrusion analysis without FPC, but you can't do it as quickly OR as effectively. 
Flow data and logs and threat intelligence are all fine (well, maybe not so much on the threat intelligence) but having packets trumps them all.

No comments:

Blog Archive