Weaponizing PCAPs for Security Assessments

Who’s got time to do awesome ninja stuff with PCAPs? PCAPs have long been a staple for security analysis. But weaponizing PCAPs for use in security assessments takes too much time. And time is rarely something security ninjas have in abundance.

I recently wrote a blog about a CEO calling a CISO to verify that their organization was safe from an attack they heard about on the news. In that blog I explained the process the CISO went through to develop an empirical answer to their CEO’s question, “Are we safe?” This post is a short technical summary, without the customer narrative, of the steps taken to weaponize a PCAP with Verodin.

A short note about Verodin

Verodin is a security instrumentation company. Its platform lets you validate your security effectiveness across controls such as firewalls, IPS, DLP, SIEM and endpoint security products by safely executing real attacks in your production network. The result is empirical evidence about the true state of your security effectiveness, both at a point in time and trended over time.

In short, by executing attacks, with PCAPs for example, you can quickly and easily see what security controls are and aren’t working.

Finding PCAPs

You might collect PCAPs on your own network with a variety of free or paid packet capture solutions. Some products provide basic captures, others provide deep packet inspection, packet reassembly, and even some malicious activity detection capabilities. Or you might simply download packets from third-party sources that specialize in sharing malicious packets for the purposes of analysis.

A few Google searches will point you to a number of websites that share PCAPs. One popular source is malware-traffic-analysis. This site is a resource for network traffic related to malware and exploit kits.

Let’s say you’re interested in PCAPs related to 2016-01-11-Rig-EK-malware-payload-Qbot.exe. You can get details about this sample from Payload Security, VirusTotal and malware-traffic-analysis, which is where I got the following screenshots.

Downloading PCAPs

Downloading PCAPs from malware-traffic-analysis is fast and simple.

The PCAPs are usually pretty small, so the download should only take a couple of seconds. Once the PCAP is downloaded you can unzip it and inspect it.

Inspecting PCAPs

There are many tools you can use to inspect PCAPs. One of the most common is Wireshark. Some solutions such as Verodin have PCAP inspection built right in so you can see all the PCAP details.

Here is an example of the information that can be pulled out of a PCAP. Looking at the 2016-01-11-Rig-EK-malware-payload-Qbot.exe PCAP you can see the associated malicious domains. This is the kind of indicator you might also get from a threat intelligence feed.

Simply blocking the nefarious IPs and domains found in the PCAPs is extremely challenging, as outlined in my blog Inadequate intelligence integration: there are millions of these malicious IPs and domains, and they are always changing.

The richer information in the PCAP shows where the real problem is: you can see the actual malicious traffic going across the wire, not just the addresses involved.

Weaponizing the PCAP with Verodin

With Verodin, once the pcap is downloaded and unzipped, you needn’t inspect it with Wireshark or take any additional steps. You simply upload the pcap to your Verodin platform.

This is where it gets really cool

Without Verodin you would have had to:

  • Build out a test system vulnerable to this particular PCAP
  • Dissect the PCAP to understand it
  • Rebuild the pcap to make it network routable so you could launch the attack
  • Deploy a vulnerable system in your production network behind your protective security controls so that it’s a real-life test
  • Get permission from the powers that be to execute the attack

With some luck that’s 2-3 weeks. With Verodin it’s just a few minutes.
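As an added example (not code from the original post, and not Verodin’s implementation), here is what the “dissect the PCAP” and “rebuild the PCAP to make it network routable” steps look like in plain Python, together with the indicator extraction shown earlier. It reads a classic pcap, pulls out DNS query names and HTTP Host headers, then rewrites MAC and IPv4 addresses and recomputes the IPv4, TCP and UDP checksums so the frames would be accepted by a lab target. The capture, the domain names, the addresses and the lab mapping are all constructed for this example, not taken from the Qbot capture.

```python
"""Inspect a classic pcap (DNS query names, HTTP Host headers) and rewrite its MAC/IPv4
addresses with correct checksums so the frames are routable in a lab. Stdlib only; Ethernet/IPv4."""
import socket
import struct

def ones_complement(data: bytes) -> int:
    """RFC 1071 checksum as used by IPv4, TCP and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def pcap_records(pcap: bytes):
    """Yield (16-byte record header, frame) per packet; handles both byte orders of the classic format."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap (not pcapng) with Ethernet (DLT 1) frames")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "I", pcap[off + 8:off + 12])[0]
        yield pcap[off:off + 16], pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len

def dns_qnames(msg: bytes) -> list:
    """Names in the question section (compression pointers do not occur there in practice)."""
    names, off = [], 12
    for _ in range(struct.unpack("!H", msg[4:6])[0]):
        labels = []
        while msg[off]:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("ascii", "replace"))
            off += 1 + msg[off]
        names.append(".".join(labels))
        off += 5  # root label + QTYPE + QCLASS
    return names

def indicators(pcap: bytes) -> dict:
    """The kind of detail the post pulls from the capture: queried names and HTTP Host headers."""
    found = {"dns": set(), "http_hosts": set()}
    for _, frame in pcap_records(pcap):
        if frame[12:14] != b"\x08\x00":  # IPv4 only
            continue
        ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
        l4 = frame[14 + ihl:]
        if proto == 17 and len(l4) >= 20 and 53 in struct.unpack("!HH", l4[:4]):
            found["dns"].update(dns_qnames(l4[8:]))
        elif proto == 6 and len(l4) >= 20:
            for line in l4[(l4[12] >> 4) * 4:].split(b"\r\n"):
                if line.lower().startswith(b"host:"):
                    found["http_hosts"].add(line[5:].strip().decode("ascii", "replace"))
    return found

def rewrite_frame(frame: bytes, ip_map: dict, mac_map: dict) -> bytes:
    """Swap addresses per the maps, then recompute the IPv4 header and TCP/UDP checksums."""
    eth = mac_map.get(frame[:6], frame[:6]) + mac_map.get(frame[6:12], frame[6:12]) + frame[12:14]
    if frame[12:14] != b"\x08\x00":
        return eth + frame[14:]
    ihl, total = (frame[14] & 0x0F) * 4, struct.unpack("!H", frame[16:18])[0]
    ip, l4, trailer = bytearray(frame[14:14 + ihl]), bytearray(frame[14 + ihl:14 + total]), frame[14 + total:]
    for pos in (12, 16):  # source, then destination address
        old = socket.inet_ntoa(bytes(ip[pos:pos + 4]))
        ip[pos:pos + 4] = socket.inet_aton(ip_map.get(old, old))
    ip[10:12] = struct.pack("!H", ones_complement(bytes(ip[:10]) + b"\x00\x00" + bytes(ip[12:])))
    proto, at = ip[9], {6: 16, 17: 6}.get(ip[9])  # checksum field offset inside TCP / UDP
    if at is not None and len(l4) >= at + 2:
        pseudo = bytes(ip[12:20]) + struct.pack("!BBH", 0, proto, len(l4))
        csum = ones_complement(pseudo + bytes(l4[:at]) + b"\x00\x00" + bytes(l4[at + 2:]))
        if proto == 17 and csum == 0:
            csum = 0xFFFF  # UDP: zero means "no checksum", so a computed zero is sent as all ones
        l4[at:at + 2] = struct.pack("!H", csum)
    return eth + bytes(ip) + bytes(l4) + trailer

def rewrite_pcap(pcap: bytes, ip_map: dict, mac_map: dict) -> bytes:
    """Addresses keep their length, so record headers (timestamps, lengths) are copied through unchanged."""
    return pcap[:24] + b"".join(hdr + rewrite_frame(f, ip_map, mac_map) for hdr, f in pcap_records(pcap))

def checksums_ok(frame: bytes) -> bool:
    """True when the IPv4 header and TCP/UDP checksums verify (ones-complement sum comes out zero)."""
    ip = frame[14:14 + (frame[14] & 0x0F) * 4]
    l4 = frame[14 + len(ip):14 + struct.unpack("!H", ip[2:4])[0]]
    return ones_complement(ip) == 0 and ones_complement(ip[12:20] + struct.pack("!BBH", 0, ip[9], len(l4)) + l4) == 0

# Constructed sample capture (not the real Qbot pcap): a victim at 192.0.2.10 resolves a name, then
# fetches a URL. Checksums start at zero; rewrite_pcap() with empty maps fills them in.
ETH = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # dst MAC, src MAC, IPv4
def ipv4(src: str, dst: str, proto: int, l4: bytes) -> bytes:
    return ETH + struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0x4000, 64, proto, 0,
                             socket.inet_aton(src), socket.inet_aton(dst)) + l4
DNS_Q = struct.pack("!HHHHHH", 0xBEEF, 0x0100, 1, 0, 0, 0) + b"\x07payload\x07example\x00" + b"\x00\x01\x00\x01"
HTTP_GET = b"GET /gate.php HTTP/1.1\r\nHost: c2.example\r\n\r\n"
RAW = [ipv4("192.0.2.10", "192.0.2.1", 17, struct.pack("!HHHH", 51234, 53, 8 + len(DNS_Q), 0) + DNS_Q),
       ipv4("192.0.2.10", "198.51.100.7", 6, struct.pack("!HHIIBBHHH", 51235, 80, 1, 1, 0x50, 0x18, 65535, 0, 0) + HTTP_GET)]
SAMPLE_PCAP = rewrite_pcap(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
                           + b"".join(struct.pack("<IIII", 1452470400, 0, len(f), len(f)) + f for f in RAW), {}, {})
# Hypothetical lab mapping: victim -> replay box, resolver and web server -> lab target; MACs likewise.
IP_MAP = {"192.0.2.10": "10.0.0.5", "192.0.2.1": "10.0.0.53", "198.51.100.7": "10.0.0.80"}
MAC_MAP = {b"\x66\x77\x88\x99\xaa\xbb": b"\x02\x00\x00\x00\x00\x05", b"\x00\x11\x22\x33\x44\x55": b"\x02\x00\x00\x00\x00\x01"}

if __name__ == "__main__":
    print("indicators:", indicators(SAMPLE_PCAP))
    lab = rewrite_pcap(SAMPLE_PCAP, IP_MAP, MAC_MAP)
    print("all rewritten frames verify:", all(checksums_ok(f) for _, f in pcap_records(lab)))
```

The checksum step is the part people skip: frames with rewritten addresses but stale checksums are dropped by the target’s stack (and ignored by many sensors) before any signature can fire, so the test reads as a “block” when nothing was actually inspected. A real capture also has to be split into the attacker and victim halves and replayed with TCP state kept in order, which is what the tcpreplay suite (tcpprep, tcprewrite, tcpreplay) is built for; this block covers only the address and checksum rewrite.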

After you download the PCAP simply drag and drop it into Verodin. It takes Verodin just a few seconds to ingest the pcap as illustrated here in the Verodin Director – Verodin’s management console.

As shown below, the entire PCAP is pulled into Verodin and can be inspected if you want to look inside it.

The PCAP can then be tuned, if desired, within Verodin for greater specificity as shown with some of the options below. This lets you fine-tune how the pcap will be executed in the attack.

Once you accept the default PCAP or make modifications, you can use Verodin to safely execute the PCAP across various Verodin Actors on your production network.

Note that Verodin is designed to only attack Verodin. More specifically, Verodin Actors are only able to attack other Verodin Actors. Verodin Actors are VMs, software, hardware or cloud-based instances that act as both attacker and target and are controlled by the Verodin Director.

You cannot use Verodin to launch attacks of any type, including those derived from PCAPs as in this example, against assets within or outside your organization – only against Verodin Actors. Because the attacks are only ever between Verodin Actors, your assets are not put at risk, yet you are still able to measure the effectiveness of your security controls.

The common evaluations are: did my firewall block it, did my endpoint security detect it, did my SIEM receive the logs, and did my SIEM fire a rule and alert my security team? Safety is core to Verodin, and that is partly what makes it so quick and easy to use yet so powerful.

Getting results

Within just a few minutes of bidirectional testing between network zones such as the Internet, DMZ, Desktop, Server and the like, as displayed below, you can see which of your zones are not preventing and/or detecting the attack, as well as how your SIEM is reacting. Further, you can evaluate the effectiveness of your security team and the processes they follow.

With Verodin, what would have taken weeks is accomplished in minutes and you know the exact impact on your environment.

About Verodin

Verodin is defining the emerging concept of Instrumented Security. Its revolutionary platform empowers customers to measure and continuously validate the cumulative effectiveness of layered security infrastructures, revealing true security effectiveness. Through automated defense analysis, Verodin customers achieve maximum value from security spending, better leverage existing security investments, and measurably improve their cyber prevention, detection and response capabilities.

Request a demo and learn more about Verodin.
