PCAPs and Security Instrumentation

When you are importing attack behaviors that will later be used to validate your security stack, you might utilize PCAPs with your Security Instrumentation Platform (SIP). While Verodin SIP ships with regularly-updated default content like PCAPs, you can import PCAPs from your own packet captures, third-party PCAP repository sites, ISACs, threat intelligence feeds, and the like. You can even go beyond PCAPs by using sockets, malicious DNS queries, shells, and many other attack vectors... but we'll stick to PCAPs for this piece.

For a detailed step-by-step piece on weaponizing PCAPs with Verodin SIP, check out: Weaponizing PCAPs for Security Assessments.

Before customers see Verodin SIP in action, they may think that using PCAPs to validate security controls, like firewalls, IPSs, DLPs, and WAFs, is the same as running tcpreplay. While tcpreplay offers a wide range of benefits, that's not how SIP works and, frankly, that wouldn't work in production environments because it's not stateful. A stateless replay causes problems like incorrect routing, invalid conversation data, and poor measurement of your defenses.

Instead, Verodin SIP automatically extracts and rebuilds the application-level requests and responses from the actual malicious PCAPs. The full session is recreated, including both requests and replies. This process can even work through additional controls like authenticated proxies.

Verodin leverages these conversations between Verodin SIP Actors. Because the Actors only attack other Actors, you are able to safely execute the real attack behavior (the actual real bytes) in your production environment. Here’s the best part: there are zero false positives. Either the attack behavior between the Actors was or was not blocked; the attack behavior was or was not detected; or the attack behavior showed up in your security management device, such as a firewall manager or SIEM, which either generated an alert or didn’t.
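To make the difference between raw packet replay and the stateful rebuild described above concrete, here is an added Python example (not Verodin's own code) that reassembles TCP segments from a capture into application-level request/response turns, dropping a retransmission and repairing an out-of-order segment, and then replays those turns over a fresh loopback TCP session with one role per side, the way two Actors would. The segment list, its sequence numbers and the HTTP content are constructed, and the `(direction, seq, payload)` shape is an assumed output of a PCAP parser rather than any product's format.

```python
import socket
import threading

# Constructed sample: TCP payload segments as a PCAP parser would hand them over,
# as (direction, seq, payload), with one retransmission and one out-of-order segment.
SEGMENTS = [
    ("c2s", 1000, b"GET /index.html HTTP/1.1\r\n"),
    ("c2s", 1000, b"GET /index.html HTTP/1.1\r\n"),  # retransmission
    ("c2s", 1026, b"Host: example.test\r\n\r\n"),
    ("s2c", 5038, b"hello"),                          # captured before its header
    ("s2c", 5000, b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\n"),
]

def rebuild_conversation(segments):
    """Reassemble each direction by seq number, then fold into request/response turns."""
    expected, pending, turns = {}, {}, []
    for direction, seq, _ in segments:              # lowest seq starts each stream
        expected[direction] = min(seq, expected.get(direction, seq))
    for direction, seq, payload in segments:
        if seq < expected[direction]:
            continue                                # already delivered: retransmission
        pending.setdefault(direction, {})[seq] = payload
        while expected[direction] in pending[direction]:   # deliver contiguous bytes
            data = pending[direction].pop(expected[direction])
            expected[direction] += len(data)
            if turns and turns[-1][0] == direction:
                turns[-1] = (direction, turns[-1][1] + data)
            else:
                turns.append((direction, data))
    return turns

def replay(turns):
    """Play the turns over a fresh loopback TCP session, one Actor per side, so the
    live stack supplies real addresses and seq/ack numbers. Returns bytes each side saw."""
    seen = {"c2s": b"", "s2c": b""}
    def actor(sock, sends):                         # one side of the conversation
        reader = sock.makefile("rb")                # read(n) blocks for exactly n bytes
        for direction, data in turns:
            if direction == sends:
                sock.sendall(data)
            else:
                seen[direction] += reader.read(len(data))
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        worker = threading.Thread(target=lambda: actor(listener.accept()[0], "s2c"))
        worker.start()
        with socket.create_connection(listener.getsockname()) as client:
            actor(client, "c2s")
        worker.join()
    return seen
```

Running `replay(rebuild_conversation(SEGMENTS))` sends only the reassembled application bytes; the addresses, ports and sequence numbers from the original capture are never reused, which is why the session routes and completes correctly on a live network.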

So, when the boss asks: “What will happen if we get hit by that XYZ attack I keep hearing about on the news?” you’ll be able to empirically answer the question. And if the response is that you are not blocking, detecting, or correlating, Verodin SIP prescriptively shows you what needs to be changed to mitigate the attack. You can then revalidate to ensure the change worked and monitor for environmental drift to ensure it stays working in perpetuity.  

Leveraging PCAPs in Verodin SIP is extremely powerful, yet fast and easy. You can identify and remediate issues against new PCAPs within a few minutes, instead of the weeks it generally takes to get the PCAP, dissect it, weaponize it, make it routable, build a vulnerable system, deploy a test network that is emblematic of your production environment, and then actually conduct the validation. Some Verodin customers have moved from validating their security controls against a few dozen PCAPs a year to doing hundreds in a week.
