
Begin Your Visibility Journey Using PCAP Analysis

Jori VanAntwerp
CEO and Founder at EmberOT

For over two decades, Jori has enabled industrial and IT organizations to be successful in reducing risk, increasing compliance, and improving their overall security efforts. He has had the pleasure of working with companies such as Gravwell, Dragos, CrowdStrike, FireEye, McAfee, and is now CEO & Founder at EmberOT, a cybersecurity startup focused on making security a reality for critical infrastructure.

A fruitful visibility journey starts with network monitoring and PCAP analysis.

Network monitoring is a core component of protecting every part of your operational technology (OT) environment, from the ongoing processes to the equipment itself, and of keeping those operations running normally.

Visibility Isn’t Optional (or Simple)

Gaining visibility in OT environments is incredibly challenging. Environmental, size, and power constraints all add layers of complexity, meaning there is no one-size-fits-all solution for network monitoring. The main challenge many security and operational teams face is how best to monitor network data and traffic.

Organizations use countless combinations of hardware and software to monitor their network traffic, so the first step is understanding the options for these disparate and diverse environments. Some examples include:

  • Log collection and analysis
  • Intrusion detection systems (IDS)
  • Packet capture (PCAP) collection and analysis

The methods you use will be determined by your organization’s requirements, environment, and infrastructure.

Some questions to ask to determine the optimal monitoring methods are:

  • Does your organization have any regulatory or compliance initiatives or requirements?
  • What equipment and/or infrastructure is available in your environment today?
  • What are the most expedient and efficient ways to gain access to network data?

In some cases, it may be challenging to answer these questions. However, an initial project to quickly gather data using your existing infrastructure can help you answer some, if not all, of these questions.

Using PCAP Analysis to Evolve in Your Visibility Journey

PCAPs are raw snapshots in time of all the traffic seen on the network segment where they were captured, saved into one or more files.

Packet captures can span fractions of seconds to days, and your organization can gain a wealth of information by analyzing them, such as:

  • Devices on the network
  • Associated metadata (IP, MAC, vendor, their class – OT or IT)
  • Subclass type (workstation, PLC, virtualization, etc.)

They can also be used to gain insight into network performance, identify bottlenecks, and provide evidence of compliance with security regulations and standards.

PCAPs are incredibly useful and powerful for assessment, response, and forensics. For example, analysts can inspect PCAP files to identify odd behavior or evidence of a suspected breach.

What better way to see if a device is functioning as intended or if a tool/policy meant to limit a specific type of traffic on your network is working than to validate it by analyzing the traffic itself?
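The device inventory described above (MACs, the IPs they use, the protocols and conversations in the capture) and the policy check in the last paragraph can both be pulled out of a PCAP with a short parser. The example below is added here and is not EmberOT's tool or any code from the original post: it decodes the libpcap file format and the Ethernet/IPv4/TCP/UDP headers with the standard library only, builds the inventory, and then flags conversations that are not on an allowlist. The capture it analyses is constructed inline (three made-up devices), and the port-to-protocol table used for the "OT hint" is an assumption: a device that answers on a well-known Modbus/TCP or EtherNet/IP port is probably a PLC or similar server, but a real classification needs protocol-level parsing that this block does not attempt.

```python
import struct
from collections import Counter, defaultdict

# libpcap file format constants (link type 1 = Ethernet) and the header fields we decode.
PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1   # magic as read in little-endian order
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806
IP_PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}
# Assumption: well-known industrial server ports used only as a coarse "probably OT" hint.
OT_PORTS = {502: "Modbus/TCP", 102: "ISO-TSAP (S7comm)", 20000: "DNP3", 44818: "EtherNet/IP"}


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def iter_packets(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for every record of an in-memory pcap file."""
    if len(data) < 24:
        raise ValueError("too short to be a pcap file")
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"                       # written on a little-endian host
    elif magic == PCAP_MAGIC_BE:
        endian = ">"                       # written on a big-endian host
    else:
        raise ValueError("not a pcap file (bad magic number)")
    linktype = struct.unpack_from(endian + "IHHiIII", data, 0)[6]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"unsupported link type {linktype}; only Ethernet captures are decoded")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        if off + incl_len > len(data):
            raise ValueError("truncated packet record")   # capture was cut off mid-record
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def inventory_from_pcap(data: bytes) -> dict:
    """Summarise devices, protocols, conversations and served ports seen in the capture."""
    devices = defaultdict(lambda: {"ips": set(), "frames": 0})   # keyed by source MAC
    protocols, conversations = Counter(), Counter()
    services = defaultdict(set)                                  # dst IP -> {(proto, port)}
    for _ts, frame in iter_packets(data):
        if len(frame) < 14:
            continue                                             # runt frame, nothing to decode
        src_mac = _mac(frame[6:12])
        ethertype = struct.unpack_from("!H", frame, 12)[0]
        devices[src_mac]["frames"] += 1
        if ethertype == ETHERTYPE_ARP:
            protocols["ARP"] += 1
        elif ethertype == ETHERTYPE_IPV4 and len(frame) >= 34:
            ihl = (frame[14] & 0x0F) * 4                         # IPv4 header length in bytes
            proto = frame[14 + 9]
            sip, dip = _ip(frame[26:30]), _ip(frame[30:34])
            devices[src_mac]["ips"].add(sip)                     # only the sender's MAC/IP pairing is recorded
            name = IP_PROTO_NAMES.get(proto, f"ip-proto-{proto}")
            protocols[name] += 1
            conversations[(sip, dip)] += 1
            if proto in (6, 17) and len(frame) >= 14 + ihl + 4:  # TCP and UDP both begin with src/dst ports
                dport = struct.unpack_from("!HH", frame, 14 + ihl)[1]
                services[dip].add((name, dport))
        else:
            protocols[f"ethertype-0x{ethertype:04x}"] += 1
    ot_hints = {}
    for ip, svcs in services.items():
        names = sorted({OT_PORTS[p] for _n, p in svcs if p in OT_PORTS})
        if names:
            ot_hints[ip] = names
    return {
        "devices": {m: {"ips": sorted(v["ips"]), "frames": v["frames"]} for m, v in devices.items()},
        "protocols": dict(protocols),
        "conversations": dict(conversations),
        "services": {ip: sorted(f"{n}/{p}" for n, p in s) for ip, s in services.items()},
        "ot_hints": ot_hints,
    }


def unexpected_conversations(inventory: dict, allowed: set) -> list:
    """Policy check: (src, dst) pairs present in the capture but absent from the allowlist."""
    return sorted(pair for pair in inventory["conversations"] if pair not in allowed)


def _ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, proto, l4):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 1, 0, 64, proto, 0,
                         bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr + l4


def build_sample_pcap() -> bytes:
    """Constructed sample capture (not real traffic): a workstation polling a PLC over Modbus/TCP,
    an HMI sending EtherNet/IP to the same PLC, and one ARP broadcast from the HMI."""
    ws, plc, hmi = bytes.fromhex("001122aabb01"), bytes.fromhex("001122aabb02"), bytes.fromhex("00aabbccdd03")
    tcp = lambda sport, dport: struct.pack("!HH", sport, dport) + b"\x00" * 16   # bare 20-byte TCP header
    udp = lambda sport, dport: struct.pack("!HHHH", sport, dport, 8, 0)            # bare 8-byte UDP header
    frames = [
        _ipv4_frame(ws, plc, "10.0.0.5", "10.0.0.20", 6, tcp(49152, 502)),
        _ipv4_frame(plc, ws, "10.0.0.20", "10.0.0.5", 6, tcp(502, 49152)),
        _ipv4_frame(ws, plc, "10.0.0.5", "10.0.0.20", 6, tcp(49152, 502)),
        _ipv4_frame(hmi, plc, "10.0.0.30", "10.0.0.20", 17, udp(50000, 44818)),
        b"\xff" * 6 + hmi + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28,
    ]
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    inv = inventory_from_pcap(build_sample_pcap())
    for mac, info in inv["devices"].items():
        print(mac, info["ips"], f"{info['frames']} frames")
    print("protocols:", inv["protocols"], "ot hints:", inv["ot_hints"])
    # Allowlist only the workstation<->PLC traffic; the HMI's EtherNet/IP is then reported.
    print("unexpected:", unexpected_conversations(inv, {("10.0.0.5", "10.0.0.20"), ("10.0.0.20", "10.0.0.5")}))
```

Point `inventory_from_pcap` at the bytes of a real capture (`open(path, "rb").read()`) to run it on your own segment; it rejects pcapng and non-Ethernet link types rather than silently mis-decoding them, and ignores frames too short to carry the headers it reads. Only the sender's MAC/IP pairing is recorded because the destination MAC of a routed packet is the router's, not the target device's.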

🤷 But if they’re so useful, why don’t we all use packet captures?

PCAPs have a lot of valuable information. They contain all of the raw data from the segment where they were captured. But let’s be honest — they’re not easy to understand, read, or analyze. It requires a level of knowledge and skill, not to mention time, to read and gain insights from PCAPs.

Cue the OT PCAP Analyzer! 🎉

A Simple, Free PCAP Analysis Tool for the ICS Community

EmberOT’s OT PCAP Analyzer is a free tool that makes it easy to get a high-level breakdown of the networks, devices, and protocols in your packet capture file.

Device information and metadata, protocols, and communication networks are broken out by device into a simple, human-readable format, so security analysts, compliance teams, operators, and others can get quick visibility into the network offline.

We created the PCAP Analyzer to simplify the network analysis process and allow analysts and operators to quickly gain insights into their environment without digging through the raw data and evolve their visibility journey.

If you’re interested in trying it out, the tool is free (forever). Get access at https://www.emberot.com/ot-pcap-analyzer/

This is just the beginning of the amazing adventures of EmberOT and Visibility.

Their journey has just begun and is destined to be packed with non-stop action, peril, and excitement.

Together, they’ll encounter amazing friends and evil enemies.

As their journey unfolds, we will unlock the magic and mystery of a most wondrous place…

the incredible world of OT.

~~~~~

Stay tuned for our next episode…

What?

VISIBILITY is evolving!

VISIBILITY has evolved into OBSERVABILITY!

~Pokémon nerd, Jori 🤘🔥