Endace Packet Forensics Files: Episode #58

Original Entry by: Michael Morris

Michael talks with Stephen Donnelly about the importance of packet capture in cloud environments.

By Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Stephen Donnelly, CTO of Endace, about why packet capture is essential in cloud environments. He shares an amusing anecdote about an executive claiming, “Cloud doesn’t have packets.” While humorous, it highlights a misunderstanding of cloud technology. Even though cloud networks are more abstract, they still rely heavily on network packets, just like traditional on-premises systems.

Why Packet Capture Matters in the Cloud

There are two main reasons why packet capture is as important in the cloud as it is on-premises:

  1. Network Operations: Packet data is crucial for diagnosing and troubleshooting issues like slow network speeds, downtime, and performance problems. Without packet capture, it becomes difficult to identify and resolve network challenges, even in cloud environments.
  2. Security: Cloud environments face the same security threats as traditional networks. Packet capture plays a vital role in security operations, including detecting threats, incident response, and maintaining overall security. “DEATH” (Detection Engineering and Threat Hunting) emphasizes the need for proactive security in cloud environments.

How to Capture Packets in the Cloud

Several methods exist for capturing packets in cloud environments, each with its own advantages and challenges:

  • Port Mirroring Services: Many cloud providers offer services that allow traffic from virtual machines or containers to be captured. However, these services often come with limitations, such as performance impacts and visibility gaps.
  • Cloud Packet Brokers: These tools use software agents installed on virtual machines to capture and forward traffic. While useful, this method can consume additional CPU and network resources.
  • In-line Devices: Firewalls and routers can mirror traffic for packet capture, but cloud-based devices may not offer all the features of their physical counterparts, requiring thorough research.

Conclusion

Capturing packets in the cloud brings challenges, including performance impacts, visibility gaps, and costs. These factors should be carefully considered when developing a packet capture strategy.

The belief that packet capture isn’t needed in cloud environments is a myth, and a dangerous one. Packet capture is just as important in the cloud as it is in traditional networks. It provides the visibility and security needed to effectively manage and protect cloud environments. As more organizations move to the cloud, the need for strong packet capture solutions only increases.


Follow Stephen on LinkedIn

Other episodes in the Secure Networks video/audio podcast series are available here. Or listen to the podcast here or on your favorite podcast platform.


Endace Packet Forensics Files: Episode #57

Original Entry by: Michael Morris

Michael talks to Ryan Chapman about the growing complexity of ransomware – how to prepare, investigate and respond.

By Michael Morris, Director of Global Business Development, Endace

Ransomware has shifted from simple, isolated attacks to coordinated, human-operated campaigns that target entire organizations.

In this episode of the Endace Packet Forensics Files, I talk with Ryan Chapman, SANS Instructor and expert in Digital Forensics and Incident Response (DFIR), about these evolving threats.

Ryan explains how attackers are becoming more methodical and sophisticated, focusing on disabling EDR/XDR solutions to evade detection and leaving organizations vulnerable to advanced attacks.

One of the key challenges Ryan highlights is visibility. Without robust logging, packet capture, and monitoring tools, it’s nearly impossible to fully understand how an attack happened. Even encrypted traffic can reveal critical patterns if analyzed properly.

Ryan shares examples of organizations that suffered reinfections because they rushed to restore systems without identifying the original entry point. Packet capture data plays a vital role in pinpointing when and how attackers infiltrated, ensuring a safe recovery and minimizing disruption.

As ransomware tactics evolve, adopting a Zero-Trust approach is essential. Ryan discusses how limiting permissions and avoiding overly trusting software configurations can help prevent breaches. He cites the Kaseya attack, where some organizations avoided compromise by not blindly whitelisting trusted directories. As attackers increasingly use legitimate tools, verifying all network activity and following least privilege principles are critical defenses.

Don’t miss this insightful episode, where Ryan provides actionable advice for preparing your organization against today’s ransomware threats.

Follow Ryan on LinkedIn



Endace Packet Forensics Files: Episode #56

Original Entry by: Michael Morris

Michael talks to Cary Wright about why security certifications such as FIPS, NIAP, and DoD APL are important across industries.

By Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Cary Wright, VP, Product at Endace, about the importance and impact of Federal security certifications such as FIPS, NIAP, and DoD APL in ensuring the robust security of cybersecurity tools.

Although these standards are primarily applied in the Federal Government, the testing that products must undergo to be compliant is rigorous and extensive. Regardless of your industry, you can be confident that products certified to these standards are robust and have been thoroughly tested and scrutinized.

Cary explores the detailed testing procedures these certifications entail and their role in enhancing network device security. The standards are continuously updated to ensure that they continue to address new cybersecurity challenges that emerge. We discuss the relevance of these standards for Government and Defense sectors as well as how they can provide surety for large enterprises looking to improve their security measures.

Cary explains what these certifications test in order to validate cybersecurity tools’ encryption strength and overall security robustness. He also talks about the challenges and costs to manufacturers of achieving these standards, and the real-world benefits this testing delivers – such as improved protocol security.

Don’t miss this episode as Cary provides valuable insights into the impact of Federal security certifications and the critical role they play in helping ensure best practices in cybersecurity.

Follow Cary on LinkedIn



Endace Packet Forensics Files: Episode #55

Original Entry by: Michael Morris

Michael talks to Taran Singh about network observability.

By Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Taran Singh, VP, Product Management at Keysight Technologies.

Taran sheds light on how network observability differs from traditional network monitoring by consolidating data sources to provide a comprehensive view of network activity. This is crucial when it comes to validating zero-trust architectures.

We talk about the challenges organizations face in achieving clear network visibility amidst complex IT environments and evolving threats. Taran emphasizes the pivotal role of network visibility in incident response and investigation, particularly for thoroughly verifying network activity. He stresses the importance of historical lookback and analyzing packet-level data for incident response and cybersecurity investigations, highlighting the value of packet evidence.

Taran also explains how scalability and historical data analysis significantly improve cybersecurity posture. He talks about Keysight’s strategy for network visibility, emphasizing reliability and scalability tailored to the demands of sizable corporations and hybrid-cloud setups.

Finally, Taran talks about the escalating threat landscape, discussing recent cyberattacks and ransomware incidents, and emphasizing the importance of prioritizing network security measures. By treating networks as valuable assets, leveraging enriched data, analytics, and advanced tools, and adopting proactive approaches, organizations can enhance their readiness to combat cyberthreats more effectively.

Don’t miss this informative episode as Taran shares his invaluable insights into network observability and its critical role in modern cybersecurity practices.

Follow Taran on LinkedIn



Endace Packet Forensics Files: Episode #54

Original Entry by: Michael Morris

Michael talks to “Malware Jake” Williams, about the concept of Zero Trust and its implications for enhancing your security posture.

By Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with cybersecurity expert Jake Williams, aka ‘MalwareJake’, IANS faculty member, former SANS educator, computer science and information security expert and U.S. Army veteran, about the concept of Zero Trust and its implications for organizations striving to enhance their security posture.

Zero Trust challenges traditional security models by advocating for a “deny all, permit by exception” approach. Jake describes it as a mindset—a philosophy focused on continuous verification and least privilege access. Despite its potential benefits, embracing Zero Trust can be challenging. Jake highlights obstacles such as defining and operationalizing Zero Trust, legacy system dependencies, and cultural shifts within organizations.

Continuous verification is crucial in Zero Trust environments. Jake provides examples of verification challenges, emphasizing the importance of network visibility and packet capture in incident response and threat detection. He emphasizes the interconnectedness of networking and cybersecurity, citing Managed File Transfer appliances, Citrix NetScalers, and SSL VPNs as examples. These network security appliances are often technically complex and may harbour unpatched vulnerabilities, presenting significant risks to organizations. He predicts increased targeting of network security appliances by threat actors, underscoring the importance of Zero Trust principles and network visibility in mitigating such threats.

Jake touches on the importance of tools like Wireshark for detailed analysis but also emphasises the need to understand the role network visibility plays and how it relates to business challenges. He recommends that analysts strengthen their networking fundamentals, while SOC directors should broaden their skill set by understanding business concepts for effective communication with stakeholders.

Finally, Jake suggests that embracing Zero Trust requires a holistic approach, encompassing technical ability, organizational buy-in, and a commitment to continuous improvement. His insights on this topic serve as valuable guidance on the path to cybersecurity resilience.


Also watch our series of Threat Investigation webinars with SANS and Jake Williams here – https://www2.endace.com/sans-webinar-series



Endace Packet Forensics Files: Episode #53

Original Entry by: Michael Morris

Michael talks to Tanya Janca, Head of Education and Community at Semgrep, Founder of WehackPurple.

By Michael Morris, Director of Global Business Development, Endace

In this episode of the Endace Packet Forensics Files, I talk with Tanya Janca, Head of Education and Community at Semgrep, Founder of WehackPurple, and renowned cybersecurity expert, author and RSA Speaker.

Tanya shares her journey from software developer to penetration tester to application security specialist, to cybersecurity education evangelist. She stresses the value of hands-on experience in cybersecurity education and urges universities and training programs to keep pace with evolving threats.

Tanya discusses the skills gap in cybersecurity, suggesting there is inadequate education in secure coding and design. She believes industry practitioners should be involved in teaching to ensure relevance. Tanya also highlights the need for affordable training options to connect theory with real-world practice.

Tanya underscores the importance of varied perspectives and real diversity and inclusion for organizations to understand and counter modern threats. She challenges the notion of diversity as a mere checkbox and calls for organizations to create inclusive environments to address the skill shortage effectively.

Tanya emphasizes the importance of continuous learning and adaptation as vital for cybersecurity professionals to navigate the changing landscape.



Endace Packet Forensics Files: Episode #47

Original Entry by: Michael Morris

Michael talks to network forensics and incident response specialist, Jasper Bongertz.

By Michael Morris, Director of Global Business Development, Endace

What are some of the challenges of responding to a serious incident – such as a ransomware attack or advanced persistent attack? Where do you start, and what are the critical things you need to do?

In this episode we are lucky to welcome Jasper Bongertz, Head of Digital Forensics and Incident Response at G DATA Advanced Analytics in Germany. Jasper has a wealth of experience from working in the front line of incident response at G DATA as well as in his previous role at Airbus. He also has a long background in network forensics – having been a Wireshark and network forensics instructor, and continues to be a very active member of the Wireshark community.

Jasper starts by outlining some of the steps to mitigate “headless chicken mode”, which is what he often sees when an organization first encounters a serious incident.

The process starts with understanding exactly what has happened, and what the impact is so that a clear response plan and timeline for resolution can be established. This requires gathering the available evidence – including network packet data if it’s available. It’s important to be able to do this quickly – particularly in the case of ransomware attacks where the organization’s IT systems may be unavailable as a result of the attack. With ransomware, speed is crucial since the organization’s primary priority is typically to get back to an emergency operating state as quickly as possible. Jasper lists some of the tools that his team finds useful in rapidly gathering that critical evidence.

Once the scope of the incident has been established, you need to have the specific expertise on hand to investigate and understand what happened and how it happened so you can identify the right response. Typically, Jasper says, that will involve having at least an incident response specialist, a forensic expert, and a malware reverse engineer, but depending on the scale of the event may involve many others too.

Jasper outlines the most important steps organizations can take to protect themselves against ransomware attacks and ensure that in the event of a successful attack they can recover. The two most important of these are making sure domain administrator credentials are protected to prevent privilege escalation, and ensuring your backups are complete and protected from sabotage.

Lastly, Jasper discusses the changing cyberthreat landscape. He outlines why he thinks data exfiltration and extortion will become more common than ransomware and encryption, and why network data is critical to combat this growing threat.



Endace Packet Forensics Files: Episode #46

Original Entry by: Michael Morris

Michael talks to Gerald Combs, Wireshark Founder, and Stephen Donnelly, Endace CTO

By Michael Morris, Director of Global Business Development, Endace

How did Wireshark come to be, and what’s made it so successful – not just as the pre-eminent tool for analyzing network packet data, but as an open-source project in general?

In this episode I talk to Wireshark founder, Gerald Combs, and Endace CTO, Stephen Donnelly, about the origins of Wireshark, and why packet capture data is so crucial for investigating and resolving network security threats and network or application performance issues.

Gerald talks about the early days of Ethereal, a “packet sniffer” he originally created for his own use in his role at an ISP, but subsequently open-sourced as Wireshark. That fortuitous decision was key, Gerald says, to the subsequent ongoing growth and success of the Wireshark project – which will turn 25 years old in July! It enabled developers from around the world to contribute to the project, creating a Windows version in the process, and helping Wireshark to become the gold standard tool for network analysis, used by SecOps, NetOps and IT teams the world over.

Stephen has been using Wireshark right from the earliest days – when it was still called Ethereal – and is one of the many contributors to the project. Stephen and Gerald both talk about why packet analysis is so important for cybersecurity and network performance analysis (the ubiquitous “Packets Don’t Lie” T-shirt – available from the Wireshark Foundation store – says it all really), and discuss examples of the many and varied problems that Wireshark is helping people to solve.

Stephen outlines the differences between network flow data and packet capture data and why packet data is essential for solving some problems where flow data just doesn’t contain the level of detail required.
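An added illustration of that distinction (example code written for this summary, not from the episode, Endace or Wireshark): a handful of constructed packets are first aggregated into NetFlow-style 5-tuple records, then inspected packet by packet. The requested URL, the HTTP status and the refused connection are only recoverable from the packets.

```python
"""Flow records vs. packet data: what a flow exporter keeps and what it drops.
All packets below are constructed for the example, not a real capture."""
from collections import defaultdict

# Constructed sample: one HTTP exchange and one refused TCP connection.
PACKETS = [
    {"src": "10.0.0.5", "dst": "10.0.0.20", "sport": 40001, "dport": 80,
     "proto": "tcp", "flags": "S", "payload": b""},
    {"src": "10.0.0.20", "dst": "10.0.0.5", "sport": 80, "dport": 40001,
     "proto": "tcp", "flags": "SA", "payload": b""},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "sport": 40001, "dport": 80,
     "proto": "tcp", "flags": "PA",
     "payload": b"GET /admin/export?all=1 HTTP/1.1\r\nHost: intranet\r\n\r\n"},
    {"src": "10.0.0.20", "dst": "10.0.0.5", "sport": 80, "dport": 40001,
     "proto": "tcp", "flags": "PA",
     "payload": b"HTTP/1.1 500 Internal Server Error\r\n\r\n"},
    {"src": "10.0.0.5", "dst": "10.0.0.20", "sport": 40002, "dport": 443,
     "proto": "tcp", "flags": "S", "payload": b""},
    {"src": "10.0.0.20", "dst": "10.0.0.5", "sport": 443, "dport": 40002,
     "proto": "tcp", "flags": "RA", "payload": b""},
]

HDR = 54  # assumed Ethernet + IPv4 + TCP header bytes per packet


def to_flows(packets):
    """Aggregate like a flow exporter: per 5-tuple, packet and byte counts.
    Payloads, individual flags and per-packet ordering are discarded."""
    flows = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for p in packets:
        key = (p["src"], p["dst"], p["sport"], p["dport"], p["proto"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += HDR + len(p["payload"])
    return dict(flows)


def packet_findings(packets):
    """Questions only packet data answers: which URL was requested, what
    status came back, and which side refused a connection with a RST."""
    findings = {"requests": [], "responses": [], "refused": []}
    for p in packets:
        pl = p["payload"]
        if pl.startswith(b"GET ") or pl.startswith(b"POST "):
            findings["requests"].append(pl.split(b" ")[1].decode())
        elif pl.startswith(b"HTTP/1."):
            findings["responses"].append(pl.split(b" ", 2)[1].decode())
        if "R" in p["flags"]:
            findings["refused"].append((p["src"], p["sport"]))
    return findings


if __name__ == "__main__":
    for key, rec in to_flows(PACKETS).items():
        print("flow", key, rec)          # counts only, no content
    print("packets", packet_findings(PACKETS))
```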

Wireshark is continually evolving, with support for new protocols, and new UI enhancements that make it easier for analysts to slice-and-dice packet data. Gerald says that Wireshark is almost the perfect open-source project because it allows for a lot of parallel collaboration from contributors in creating new dissectors and ensuring that Wireshark continues to keep pace with the rapid pace of change in networking. Now that planning for Wireshark 5.x has started Gerald also looks ahead to some of the possible new features that might appear in future releases.

And finally, Gerald talks about the new Wireshark Foundation (which Endace is a sponsor of), which has been set up to provide support for ongoing development of the Wireshark project and ensure it continues its resounding success into the future.

Wireshark is coming up on its 25th birthday and still going from strength to strength. Don’t miss this fascinating interview with the leader of one of the most successful open-source projects around. Gerald and Stephen’s insightful commentary, as well as some fantastic tips and tricks, make this a must-watch episode.
