Using the packet continuum incident response workflow

Every important detected threat requires follow-up action. This kind of “Incident Response” action often involves investigating the full details of a critical network event by retrieving the losslessly recorded network traffic in the form of a standard PCAP file, including the full payloads, attachments, etc.

From Packet Continuum’s convenient GUI dashboard, a cyber-investigator can query any PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results in the form of critical incidents from which they can gain insight about the problem to solve, whether it is a network performance problem or a cyber-threat.

A unique feature of Packet Continuum is the ability to pre-wire an Open PCAP Forensic Workflow. PCAP queries execute very fast, extract results in the standard PCAP file format, and begin almost immediately to stream those results in small chunks to third-party or open source DPI (Deep Packet Inspection) analysis tools. Using the REST/API, a technical team can “pre-wire” their system to automatically process the streamed results of every PCAP query. In fact, it is good practice to pre-wire PCAP results to multiple tools, because different analysis tools have different benefits – and not all tools will interpret the same PCAP data in the same way.

The ultimate benefit to a cyber investigator, when Packet Continuum query results are automatically pre-wired for DPI processing, is that they can easily visualize the results they need using all those tools immediately – almost as soon as they press the “submit PCAP query” button on the GUI dashboard.

Manual Incident Response Workflow


Innovative Packet Capture Solutions for a variety of use cases

Importing IoC alerts

Packet Continuum can generate a wide variety of Indicator of Compromise (IoC) alerts, in the form of system logs or optionally as IPFIX (NetFlow) broadcasts. You can import such network metadata and events into a Security Information and Event Manager (SIEM) or other third-party analytics tool.

User-Created Scripts

For example, a home-grown software tool using the open REST/API might automatically process Packet Continuum PCAP file extractions with open source DPI and PCAP analysis software tools.

Data exfiltration

The file hash IoC alerting feature of Packet Continuum can be used to detect data exfiltration by identifying the source hosts and the content transferred. This answers questions about the content's origin, the amounts moved and the time frames involved, and the results can be correlated with forensic artifacts from the local systems.

Bring PCAP evidence to court

All packet captures and PCAP file extractions can automatically be tagged with a file hash to assure the “chain of custody” of legal evidence, which is a requirement for use as evidence in a future criminal prosecution after a breach or attack.
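The verification side of that hash tagging, as an added example that is not Packet Continuum's own code: an investigator who receives an extracted PCAP can record its SHA-256 in a custody log entry, chain each entry to the previous one so that a removed or reordered entry is detectable, and later confirm that the bytes on hand still match. The file names, collector names and the sample PCAP bytes are constructed for the example; how the appliance itself computes and stores its tag is not assumed.

```python
"""Chain-of-custody tagging and verification for extracted PCAP files.

Added example, not Packet Continuum's own code. It assumes only that the
investigator has the PCAP bytes and wants an independent, verifiable record.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import List, Optional

# Constructed stand-in for an extracted PCAP: a 24-byte pcap global header
# (little-endian magic, version 2.4, snaplen 65535, linktype 1 = Ethernet).
SAMPLE_PCAP = bytes.fromhex("d4c3b2a1020004000000000000000000ffff000001000000")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of the evidence bytes; this is the value written on the record."""
    return hashlib.sha256(data).hexdigest()


def record_hash(rec: dict) -> str:
    """Hash of a record's canonical JSON form, used to link the next record to it."""
    return sha256_hex(json.dumps(rec, sort_keys=True).encode())


def custody_record(filename: str, data: bytes, collector: str,
                   previous: Optional[dict] = None) -> dict:
    """Build one custody entry. prev_hash chains entries so that a deleted or
    reordered record is detectable, not only a modified PCAP."""
    return {
        "file": filename,
        "size": len(data),
        "sha256": sha256_hex(data),
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "prev_hash": record_hash(previous) if previous else None,
    }


def verify_file(rec: dict, data: bytes) -> bool:
    """True if the bytes on hand still match the hash recorded at extraction."""
    return hmac.compare_digest(rec["sha256"], sha256_hex(data))


def verify_chain(log: List[dict]) -> bool:
    """True if the first record is a root and every later record points at the
    hash of the record immediately before it."""
    if not log or log[0]["prev_hash"] is not None:
        return False
    return all(log[i]["prev_hash"] == record_hash(log[i - 1])
               for i in range(1, len(log)))


if __name__ == "__main__":
    first = custody_record("incident-42.pcap", SAMPLE_PCAP, "analyst-a")
    second = custody_record("incident-42-followup.pcap", SAMPLE_PCAP + b"\x00",
                            "analyst-b", previous=first)
    print(json.dumps([first, second], indent=2))
    print("file ok:", verify_file(first, SAMPLE_PCAP), "chain ok:", verify_chain([first, second]))
```

Both checks fail closed: a single flipped byte in the PCAP changes the SHA-256, and a single altered field in any earlier record changes the hash that the next record's prev_hash must match.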

Botnet Command-and-Control activity

Using extracted metadata such as a malware encryption key, forensic analysts can go back in time and reconstruct all C2 activity performed by such malware (e.g. via a tool such as ChopShop). This will provide insight into critical attacker activities such as details on lateral movement through the environment.

Search for anomalous user behavior

Identify employees using unapproved applications or using applications in ways that violate policies. Correlate metadata about users, files and sessions with real-time threat information, and use the correlations to provide situational awareness reports and alerts.

Forensic traffic analysis

Captured data can be analyzed for suspicious traffic, such as non-DNS traffic over port 53, encrypted traffic over port 80, etc. This is especially useful if the End User uses third-party forensic tools with complementary analysis capabilities. There are many possible creative use cases.
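The two checks named above, as an added example (not code from the product or the page): a minimal reader for the classic pcap format with an Ethernet/IPv4/UDP/TCP decoder, a plausibility test for a DNS header, and a test for a TLS record header, run over a constructed capture containing one real DNS query, one non-DNS payload sent to port 53, one TLS ClientHello sent to port 80 and one plain HTTP request. The addresses, ports and payloads are constructed; the DNS heuristic is an assumption of this example, not a specification.

```python
"""Flag non-DNS payloads on port 53 and TLS records on port 80 in a pcap.

Added example, not Packet Continuum's own code. Builds a small capture
in memory so it runs offline; IP and transport checksums are left zero
because the reader here does not validate them.
"""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
# Constructed Ethernet header: dst MAC, src MAC, EtherType 0x0800 (IPv4).
ETH = bytes.fromhex("02000000000102000000000208" "00")


def _ipv4(src, dst, proto, payload_len):
    # version/IHL=0x45, DSCP, total length, id, flags/frag, TTL, proto, checksum(0), src, dst
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def udp_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ETH + _ipv4(src, dst, 17, len(udp)) + udp


def tcp_frame(src, dst, sport, dport, payload):
    # 20-byte TCP header: data offset 5, flags PSH|ACK, window 8192, checksum/urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    return ETH + _ipv4(src, dst, 6, len(tcp)) + tcp


def write_pcap(frames):
    """Classic big-endian pcap: 24-byte global header, then 16-byte record headers."""
    out = struct.pack("!IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("!IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


def iter_frames(pcap):
    """Yield (ts_sec, frame_bytes) for each record, honouring the magic's byte order."""
    endian = {b"\xa1\xb2\xc3\xd4": "!", b"\xd4\xc3\xb2\xa1": "<"}.get(pcap[:4])
    if endian is None or struct.unpack(endian + "I", pcap[20:24])[0] != 1:
        raise ValueError("not a classic pcap with Ethernet link type")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap[off:off + 16])
        off += 16
        frame = pcap[off:off + incl_len]
        if len(frame) < incl_len:
            raise ValueError("truncated record")
        off += incl_len
        yield ts_sec, frame


def parse_frame(frame):
    """Decode Ethernet/IPv4 plus UDP or TCP; return None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    if proto == 17 and len(l4) >= 8:
        sport, dport, payload = *struct.unpack("!HH", l4[:4]), l4[8:]
    elif proto == 6 and len(l4) >= 20:
        sport, dport = struct.unpack("!HH", l4[:4])
        payload = l4[(l4[12] >> 4) * 4:]
    else:
        return None
    return {"proto": "udp" if proto == 17 else "tcp", "src": src, "dst": dst,
            "sport": sport, "dport": dport, "payload": payload}


def looks_like_dns(payload):
    """Heuristic (an assumption of this example): sane opcode and section counts."""
    if len(payload) < 12:
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return ((flags >> 11) & 0xF) <= 2 and 1 <= qd <= 8 and an + ns + ar <= 64


def looks_like_tls(payload):
    """TLS record header: content type 0x16 (handshake), version major 3."""
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04


def find_anomalies(pcap):
    findings = []
    for _ts, frame in iter_frames(pcap):
        pkt = parse_frame(frame)
        if not pkt or not pkt["payload"]:
            continue
        if 53 in (pkt["sport"], pkt["dport"]) and not looks_like_dns(pkt["payload"]):
            findings.append(("non-DNS payload on port 53", pkt["src"], pkt["dst"]))
        if pkt["proto"] == "tcp" and 80 in (pkt["sport"], pkt["dport"]) and looks_like_tls(pkt["payload"]):
            findings.append(("TLS record on port 80", pkt["src"], pkt["dst"]))
    return findings


# Constructed capture: real DNS query, non-DNS bytes to port 53, TLS ClientHello to port 80, plain HTTP.
DNS_QUERY = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + b"\x07example\x03com\x00" + struct.pack("!HH", 1, 1)
SAMPLE_PCAP = write_pcap([
    udp_frame("10.0.0.5", "10.0.0.53", 43210, 53, DNS_QUERY),
    udp_frame("10.0.0.7", "203.0.113.9", 40000, 53, b"SSH-2.0-OpenSSH_9.0\r\n"),
    tcp_frame("10.0.0.8", "198.51.100.4", 51000, 80, b"\x16\x03\x01\x00\x2a\x01\x00" + b"\x00" * 20),
    tcp_frame("10.0.0.9", "198.51.100.4", 51001, 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
])

if __name__ == "__main__":
    for reason, src, dst in find_anomalies(SAMPLE_PCAP):
        print(f"{src} -> {dst}: {reason}")
```

The same `iter_frames`/`parse_frame` pair can be pointed at a PCAP extracted from the appliance; only the two `looks_like_*` predicates encode the policy, so additional "wrong protocol on a well-known port" rules slot in beside them.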

Network Behavior Anomaly Detection (NBAD)

Packet Continuum can generate header information and other metadata and alerts, which form the basis for detecting deviations from normal network traffic behavior.

Integration of real-time threat intelligence

Information from third-party threat intelligence can be used to detect, classify and extract objects (files, URLs, IP addresses, etc.), and to inspect them and take appropriate actions to enrich cyber investigations and generate alerts.

Encrypted Traffic analysis

In a controlled environment, it is valuable to understand what employees are sending over encrypted email, FTP or other channels.