PCAP-ing Cybersecurity Threats in Financial Services
By Roy Urrico
Full “PCAP,” or packet capture, is gaining traction as an important new option for fighting cybersecurity threats in the financial services space. PCAP is the total capture and analysis of all “packets” in networks. It allows financial institutions to detect various network intrusions and malware infections in great detail.
Packet capture and analysis is not a new concept. It has been around for years, but companies have not been able to scrutinize all packets because of price and hardware limitations. Now it is more feasible, as hardware costs have dropped and artificial intelligence has matured, according to Colorado Springs, Colo.-based Axellio Inc., which provides cybersecurity services to a number of fintech and commercial enterprise customers.
Todd Golub, fintech business development manager at Axellio, explained that packet capture is a real-time snapshot of network traffic. “These data packets contain complete data transmission information, starting with the network protocol information required to transmit the traffic (i.e., Ethernet and IP header information), all the way to the application specific protocols and payloads.”
Additionally, capturing this information directly off the network provides valuable communication process timing and data on the impact of the network infrastructure on the data transmission. Golub noted, “Using sets of these data packets, PCAPs, the IT engineer can have full visibility of the network and application interactions to monitor, identify and research pre- and post-event.”
Total capture and analysis are critical, as even missing a small percentage of packets can mean missing a huge number of intrusions/attacks. Golub maintained, “Having all packets is like having archive video to go back and review during a robbery at a store.”
Network and application protocols are the foundation of any data communication, Golub suggested. “Just like the meaning of words, their spelling, and the associated grammar rules in our language, network and application communication protocols have certain rules that need to be adhered to, ensuring a successful communication and transfer of data.”
The problem, advised Golub, is that many application and security engineers struggle with too many indicators but not enough hard data to solve the many problems experienced in the network infrastructure. Not only are they flooded with indicators, but prioritizing problems is overwhelming, since many false positives or minor ones are not impacting the user or the environment.
The industry has moved to measuring the performance and effects that the infrastructure has on data communication, given the vast amount of data transferred across the network daily, Golub noted. “This creates vast amounts of abstracted metadata, uncorrelated indicators that either performance, security, or communication may be compromised, but which are often insufficient to mitigate the issue. Using the language analogy, this would be determining the quality of the book based on the back-cover summary.”
Golub said packet data, the actual transaction information, just like a chapter out of a book, provides organizations with the complete details, including the ability to:
· Assess the severity of the issue
· View the detailed content of the messages exchanged
· Evaluate the surrounding data leading up to the event and after the event
· Accurately apply message timestamps and sequencing, and analyze their respective deltas
· Compare to previous instances of similar events to determine changes and trends
“Unlike metadata that provides vast amounts of uncorrelated event information, PCAPs only provide information relevant to the event and therefore fewer datapoints to analyze. This provides the necessary content all in one place to determine both severity, urgency, root cause, and potential mitigation strategies,” Golub said.
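As an added illustration of what a capture record holds (this is not code from the article or from Axellio): a small Python reader for the libpcap file format that walks each record from the Ethernet and IP headers down to the payload and computes the timestamp delta between consecutive packets, run against a constructed three-packet capture. The addresses, timestamps and payloads are sample values.

```python
import struct
from ipaddress import IPv4Address

PCAP_MAGIC = 0xA1B2C3D4      # little-endian libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1

def build_pcap(packets):
    """Serialize (ts_sec, ts_usec, frame) tuples into pcap bytes (constructed sample data)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for sec, usec, frame in packets:
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out

def ipv4_frame(src, dst, proto, payload):
    """Build a constructed Ethernet + IPv4 frame (IP checksum left zero for the sample)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, 64, proto, 0,
                     IPv4Address(src).packed, IPv4Address(dst).packed)
    return eth + ip + payload

def parse_pcap(data):
    """Return one dict per record: timestamp, addresses, protocol, payload, delta to previous."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != PCAP_MAGIC or link != LINKTYPE_ETHERNET:
        raise ValueError("unsupported pcap header")
    off, prev_us, records = 24, None, []
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        ts_us = sec * 1_000_000 + usec              # integer microseconds avoid float drift
        rec = {"ts_us": ts_us, "delta_us": None if prev_us is None else ts_us - prev_us}
        if struct.unpack("!H", frame[12:14])[0] == 0x0800:      # EtherType IPv4
            ihl = (frame[14] & 0x0F) * 4
            total_len = struct.unpack("!H", frame[16:18])[0]
            proto, _csum, src, dst = struct.unpack("!BH4s4s", frame[23:34])
            rec.update(src=str(IPv4Address(src)), dst=str(IPv4Address(dst)), proto=proto,
                       payload=frame[14 + ihl:14 + total_len])
        records.append(rec)
        prev_us = ts_us
    return records

# Constructed capture: a request, its reply 450 us later, then an unrelated UDP datagram.
SAMPLE = build_pcap([
    (1700000000, 100000, ipv4_frame("10.0.0.5", "10.0.0.9", 6, b"GET /balance HTTP/1.1")),
    (1700000000, 100450, ipv4_frame("10.0.0.9", "10.0.0.5", 6, b"HTTP/1.1 200 OK")),
    (1700000002, 0, ipv4_frame("10.0.0.5", "203.0.113.7", 17, b"\x00" * 32)),
])
```

Calling `parse_pcap(SAMPLE)` yields the request/reply pair with a 450 microsecond delta between them, which is the kind of timing and payload detail the article says metadata alone cannot provide.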
Help for Credit Unions and Other Financial Institutions
How can credit unions, banks and other finserv organizations use this technology?
According to Axellio, PCAP can address multiple areas in financial institutions:
Security: “The phrase ‘PCAP or it didn't happen’ is widely used by security experts to prove that an attack or compromise occurred by capturing and analyzing packets surrounding an event,” Golub said. He added that although PCAP is an essential incident response, threat hunting and digital forensics tool, in today’s environment it is used only reactively and selectively. “Either one approach is often insufficient to completely understand and mitigate an intrusion.” This is especially true with more sophisticated phishing attacks, which plant malware that stays hidden and creates persistent threats lingering in a network. This can result in expensive IP extraction, or worse, ransomware attacks.
Trading Performance Monitoring: Golub indicated monitoring trading and market data performance is essential to financial institutions to meet both internal business goals (system performance, efficiency, profitability) and externally to meet regulatory compliance requirements (e.g., ensure equal access to source data across market data streams). “Being able to capture and analyze packets at nano-second accuracy at high speeds provides these firms with the information required for reliable analysis. In addition, while also having access to their trade information they could assess any anomaly or use it to validate the accuracy of their latest trade algorithms.”
Troubleshooting Multi-Tiered Applications: Most organizations use multi-tiered applications that break essential app components out across separate virtual applications or virtual machines, physical components (servers), service providers or institutions, Golub pointed out. “An example is a banking application that uses different components for the web front end, authentication, and multiple databases to present account values and even tie-in information from accounts from other financial institutions,” he said. If these applications fail, troubleshooting them requires detailed analysis of this complex orchestration. Without access to packet data, it is extremely complicated to get to root cause or to validate any changes made to this environment.
PCAP solutions have become more economical over the last few years, Golub said. “That is because they are using high-density computing, FPGA (field-programmable gate array) accelerated NIC (network interface controller) cards, and NVMe (Non-Volatile Memory Express)-based storage to keep up with high-speed network traffic, improving the footprint and economics of packet capture solutions.”
Golub added that packet capture solutions can provide visibility into any external network intrusion and information about the exfiltration of critical data and IP. “Perhaps not surprisingly, they are learning that it is more cost efficient to use PCAPs to efficiently monitor one’s system, than to use it in a less monitored way.”