Packet Analysis

How do packet captures affect cybersecurity framework compliance?


Network packet captures present a unique challenge to CIOs and CISOs when considering cybersecurity framework compliance like those outlined by NIST or the DHS Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections program. Since they contain all of the data that traverses your network, captures are a sensitive asset that must be protected and included in your overall security process.

What is the NIST Cybersecurity Framework?

The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework consisting of standards, guidelines, and practices to promote the protection of critical infrastructure. These standards exist for organizations to manage and reduce cybersecurity risk. As a voluntary framework, it is meant for organizations to develop their own cybersecurity compliance programs.

Some US federal agencies also use it to develop their own requirements that apply to contractors and agencies under their purview. One example of this is the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Trusted Internet Connections program.

You can read more about the NIST Cybersecurity Framework here.

Here are some considerations when determining how your organization can work with network packet captures in the context of different cybersecurity framework controls, including where they are kept, how they are accessed, how they are analyzed, and how effectively they can assist your cybersecurity and IT teams.

What is a cybersecurity framework and what are controls?

Frameworks like NIST’s cover a broad spectrum of best practices to construct your own standard operating procedures for cybersecurity. These practices go beyond IT tasks like deploying and monitoring computing devices and networks, all the way down to personnel management, physical asset control, reporting, and remediation.

These standards divide different considerations into a set of “controls” that can be selected to implement in cybersecurity policy and procedures to help organizations use the framework. Controls cover topics such as:

  • Access control to physical and digital assets
  • Physical assets (such as personal workstations) and approved software
  • Chain of custody of physical and digital assets and the security of information flow
  • Record keeping and how long digital assets are kept
  • System recovery and backup

What should you consider for packet captures in a cybersecurity framework?

Packet captures are extremely useful to your network and security teams, but you should treat them with the same rules as other digital assets. Also, the software used to acquire them and analyze them presents risks that should be avoided.

Access control

Packet captures should be treated just like any other sensitive digital asset. Most framework controls recommend limiting access to digital assets as much as possible and abiding by the principle of least privilege wherever you can. Packet captures are easily overlooked in this process, because the expertise surrounding their use is somewhat esoteric, and that can create “shadow-IT” problems.

Though they can be collected from multiple sources, collecting and storing them in a secure, centralized location lets you apply group and individual user access control policies to the network trace data, which helps you maintain least-privilege practices. In addition, having a centralized system for captures lets you apply auto-delete or information expiration policies to these assets.

Physical system and software control

The software used to collect and analyze network data is usually a native application installed locally on the user’s operating system. As a result, packet captures are often downloaded to the analyst’s local machine, creating multiple copies that pose a security risk if the physical system is lost or compromised. Moreover, high-level policies may heavily restrict what software can be installed and used on workstations, regardless of the use case.

Using a web-based or private cloud application for analyzing network data eliminates most of the risk posed by specialized native software, since no capture files need to be copied to workstations. It will help satisfy controls around physical systems and software security in your framework.

Information flow, collaboration, and chain of custody

We mentioned above that packet captures can raise “shadow-IT” issues. In the context of cybersecurity framework controls, your team’s need to collaborate, share, and report on network incidents can make it difficult to comply with information flow and chain of custody controls.

Not only is sending packet captures as email attachments a potential security risk, but it’s also inefficient. As mentioned, packet captures need to be considered as digital assets that need to be secured in the context of your cybersecurity framework. However, they are also an incredibly valuable tool for enhancing other framework controls around incident response and remediation.

Using a system that allows analysts to access, share, and analyze captures in their browsers without downloading them locally (or even accessing them over a shared drive) enhances this collaboration while maintaining secure information flow and chain-of-custody rules.
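The access control and chain-of-custody points above (a central store with least-privilege file permissions, expiry policies, and a record of who handled each capture) can be illustrated with a small Python script. This is an added example, not CloudShark’s code or the NIST framework’s own guidance; the store layout, the `custody.jsonl` log name and the sample pcap bytes are assumptions constructed for the illustration.

```python
"""Minimal central pcap store: content-hashed ingest, append-only custody log,
restrictive file mode, and retention-based expiry. Added illustration only."""
import hashlib
import json
import os
import stat
import tempfile
import time
from pathlib import Path
from typing import List, Optional

# Constructed sample: a pcap global header (little-endian magic, version 2.4,
# zero timezone/sigfigs, snaplen 65535, LINKTYPE_ETHERNET) with no packet records.
SAMPLE_PCAP = bytes.fromhex("d4c3b2a1" "0200" "0400" "00000000" "00000000" "ffff0000" "01000000")

CUSTODY_LOG = "custody.jsonl"  # assumed log file name


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large captures never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _log(store: Path, record: dict) -> None:
    """Append one JSON line to the custody log; records are only ever appended."""
    record["at"] = int(time.time())
    with (store / CUSTODY_LOG).open("a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")


def ingest(store: Path, src: Path, owner: str) -> dict:
    """Copy a capture into the store under its content hash, restrict the file mode,
    and record who brought it in (the start of the chain of custody)."""
    store.mkdir(parents=True, exist_ok=True)
    digest = sha256_of(src)
    dest = store / f"{digest}.pcap"
    dest.write_bytes(src.read_bytes())
    # Owner read/write, group read-only, nothing for others: the group is the analyst team.
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)
    record = {"event": "ingest", "file": dest.name, "sha256": digest,
              "size": dest.stat().st_size, "by": owner}
    _log(store, record)
    return record


def verify(store: Path, name: str) -> bool:
    """Recompute the hash of a stored capture and compare it with its ingest record."""
    path = store / name
    if not path.is_file():
        return False
    expected = None
    with (store / CUSTODY_LOG).open(encoding="utf-8") as log:
        for line in log:
            rec = json.loads(line)
            if rec["event"] == "ingest" and rec["file"] == name:
                expected = rec["sha256"]
    return expected is not None and sha256_of(path) == expected


def expire(store: Path, max_age_days: int, now: Optional[float] = None) -> List[str]:
    """Delete captures older than the retention window and log each deletion."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed: List[str] = []
    for path in sorted(store.glob("*.pcap")):
        if path.stat().st_mtime < cutoff:
            _log(store, {"event": "expire", "file": path.name, "max_age_days": max_age_days})
            path.unlink()
            removed.append(path.name)
    return removed


def demo() -> dict:
    """Run the whole lifecycle in a scratch directory and return what was observed."""
    root = Path(tempfile.mkdtemp())
    src = root / "incoming.pcap"
    src.write_bytes(SAMPLE_PCAP)
    store = root / "store"
    rec = ingest(store, src, owner="analyst-a")
    clean = verify(store, rec["file"])
    # Simulate a modified copy: the stored bytes no longer match the custody record.
    (store / rec["file"]).write_bytes(SAMPLE_PCAP + b"\x00")
    tampered = verify(store, rec["file"])
    # Backdate the file by 100 days and apply a 90-day retention window.
    old = time.time() - 100 * 86400
    os.utime(store / rec["file"], (old, old))
    expired = expire(store, max_age_days=90)
    return {"sha256": rec["sha256"], "verify_clean": clean, "verify_tampered": tampered,
            "expired": expired, "remaining": sorted(p.name for p in store.glob("*.pcap"))}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Naming each file by its hash means a capture shared between analysts can be referenced unambiguously, and the custody log answers “who ingested it, when, and was it ever expired” without any copies leaving the store.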

System recovery and incident history

Cybersecurity frameworks also contain controls around digital asset recovery and storing information about past incidents for future use.

Having a centralized system for packet captures makes it significantly easier to recover from data loss or system compromise. Incident history is a big part of your overall cybersecurity framework, and losing that historical data makes it that much more difficult to recover from future security breaches.

Let pcaps work for you in your cybersecurity policy

Many enterprises use the NIST framework as part of their overall risk strategy. It provides a clear way to develop cybersecurity policies at all stages of that strategy, including protection, incident response, and recovery.

Though voluntary from a regulatory standpoint, these standardized cybersecurity frameworks are required for most work with government agencies. Other countries besides the US may have similar guidelines, and they can make the difference when landing or maintaining a contract or adhering to your agency’s SOP.

Packet captures are extremely valuable and must be considered in the controls you build into your own policy. Using a centralized, web-based system like CloudShark will make that easier!

Photo credit timJ via Unsplash
