The Packet Never Lies
The Black Box
That’s the marketing double-speak to sell you a “black box” that supposedly teaches itself about your computer network. Then, it autonomously spots bad stuff happening and takes actions to fix it.
It sees all things, knows all things, and is never wrong. You don’t need to do anything. Plus, it has an awesome graphical user interface (GUI).
Well, not exactly. You see, it may learn bad behaviors and think they’re good. It has to be trained properly. It sounds like something from a movie I once saw.
HAL 9000 from 2001: A Space Odyssey
We deployed our PacketWatch sensors and began to collect data. Right away, we detected an older “bot” operating on one of the computer controllers for an IoT device. “No way,” the client’s team said; it simply wasn’t possible, and they dismissed our claim. We showed them in our PacketWatch analysis GUI, but they still didn’t believe us. So, we pulled a packet capture (PCAP) of the device’s traffic over the previous 48-hour period and showed the internal team the results.
The packets never lie. Sure enough. There it was.
Wireshark was brought in to definitively prove our claim. We had all the packets, including the payloads showing repeated malicious activity: inbound commands and outbound responses. If we had only had NetFlow data, they probably would have wiggled off the hook by claiming some ambiguity in interpreting it. But we had the whole enchilada—full packet capture history. If we hadn’t had historical data, a quick fix would have caused the bot to “disappear” before additional forensics could be run. But there’s no wiggle-room when you have the actual packets. In fairness, we asked the black box for its opinion, but it wasn’t capable of responding.
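To make the NetFlow-versus-full-capture point concrete, here is an added Python example (not PacketWatch code; the addresses, ports and payloads are constructed) that reduces the same packets first to NetFlow-style records and then to command/response pairs, showing what each view can and cannot prove.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float        # seconds since start of capture
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes   # only a full capture keeps this


# Constructed sample: an internal controller talking to an external host.
CONTROLLER, EXTERNAL = "10.20.0.7", "203.0.113.9"
PACKETS = [
    Packet(0.0, EXTERNAL, CONTROLLER, 8080, 49152, b"CMD:ENUM_HOSTS"),
    Packet(0.2, CONTROLLER, EXTERNAL, 49152, 8080, b"OK:3 hosts"),
    Packet(60.0, EXTERNAL, CONTROLLER, 8080, 49152, b"CMD:PING"),
    Packet(60.2, CONTROLLER, EXTERNAL, 49152, 8080, b"OK:alive"),
    Packet(120.0, EXTERNAL, CONTROLLER, 8080, 49152, b"CMD:UPLOAD"),
    Packet(120.3, CONTROLLER, EXTERNAL, 49152, 8080, b"OK:sent 4096"),
]


def to_flow_records(packets):
    """NetFlow view: one record per 5-tuple with counts and timestamps.
    Payload bytes are summed and then discarded, as a flow exporter does,
    so the result cannot distinguish a bot check-in from a keep-alive."""
    flows = {}
    for p in packets:
        key = (p.src, p.dst, p.sport, p.dport, "tcp")
        rec = flows.setdefault(key, {"packets": 0, "bytes": 0, "first": p.ts, "last": p.ts})
        rec["packets"] += 1
        rec["bytes"] += len(p.payload)
        rec["last"] = p.ts
    return flows


def command_response_pairs(packets, host, window=5.0):
    """Full-capture view: pair each inbound payload to `host` with the next
    outbound payload from `host` on the reversed 5-tuple within `window`
    seconds. Repeated pairs are the evidence a flow record cannot give."""
    pairs, pending = [], None
    for p in sorted(packets, key=lambda p: p.ts):
        if p.dst == host:
            pending = p
        elif (pending and p.src == host and p.ts - pending.ts <= window
              and (p.sport, p.dport) == (pending.dport, pending.sport)):
            pairs.append((pending.payload, p.payload))
            pending = None
    return pairs
```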
That meeting prompted an angry call from the client’s Chief Information Security Officer (CISO) to the black box vendor demanding answers. He had staked his reputation on the black box. The vendor went back and reviewed their application history. They couldn’t say exactly how, but the “bot” traffic was detected and somehow whitelisted. What? It had been whitelisted several years prior. So, a detection went without action, and the black box had “learned” it was OK. Oops. How do you un-learn that?
As a result of our findings, the client had to send an embarrassing incident disclosure to their supply-chain partners. The client’s CEO was angry, too. He had blown his budget on all this black box stuff the CISO guaranteed would work. The truth was that an entry-level human analyst with the proper tools would have found the bot easily for roughly the same spend.
Would this be a resume-generating event for the CISO?
Fortunately, not. As we worked together on the balance of the assignment, we continued to show our value.
- We were able to troubleshoot an application configuration error by providing them with the session negotiation packets. We showed them exactly where the handshake was failing. None of their other tools could.
- We also showed them some misconfigured DNS entries creating daily internal DNS storms.
- Our threat hunters showed them several design vulnerabilities (e.g., cleartext credentials) that needed attention.
Again, the packets never lie. The CISO was now a hero for bringing us in.