MITRE ATT&CK KILL CHAIN
MITRE’s Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK™) is a curated knowledge base and model for cyber adversary behavior, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. ATT&CK is useful for understanding security risk against known adversary behavior, for planning security improvements, and verifying defenses work as expected.
The ATT&CK Kill Chain Matrix categorizes the tactics, techniques and procedures (TTPs) that characterize the behavior of adversaries and insider threats. Columns of the ATT&CK Matrix are categories of adversary “tactics”, progressing right-to-left from Initial Access to Lateral Movement to ultimate Command & Control. Each tactic category contains a number of named techniques.
ATT&CK MATRIX DASHBOARD
- ATT&CK prioritizes real-time Indicators of Compromise (IoC) & Incident Response actions
- Automated mapping of IoC events to adversary behavior in the Kill Chain
- One-click searches from the ATT&CK dashboard
- Live updates to the Capture Data Graph, and Critical Alerts List
ATT&CK DRIVES INCIDENT RESPONSE
- Start with red-flag behavior, like Exfiltration or suspect C&C activity
- Work backward in the ATT&CK Map to uncover penetration and lateral movement
- One-click search to show IoCs for each step in the Kill Chain
- Then click through to all correlated PCAP data
Case Manager – IoC POLICIES
- SNORT/SURICATA Rule Sets
- YARA Malware Rule Sets for Detected Files
- Threat IPs
- Defended Assets & Services
- Active Triggers (BPF-based)
Case Manager – Event Search Actions
- One-click time-based search
- Text-based search of alerts
- All IoC events correlated with PCAPs, IPFIX flow records, and sessionized logs
LOSSLESS PACKET Capture with DATA ENRICHMENT
The immutable ground truth of any critical event – not merely an interpretation. Packet Continuum provides a performance guarantee of sustained lossless capture rate, for a set of real-time packet analytics (Case Manager) functions, and a specified number of Packet Continuum cluster nodes. This means a deterministic guarantee to capture every packet under real world conditions, not just a “best effort” attempt.
- Lossless packet capture from 1Gbps, to 40Gbps, to 100+Gbps telco interfaces
- Remote Packet Viewer for wireshark details about packets-in-place at remote sites
- Packet time stamping at 150 nanosecond resolution
- Real-time IDS alert configurator generates event logs for HTTP, Files, DNS, email, user agents, TLS/SSL, VOIP – all cross-correlated with PCAP & IPFIX flow records
- Case Manager advanced packet analytics options include real-time event logging & cross-correlation
- Thousands of Snort/Suricata rules, from prepackaged libraries and user-defined rulesets
- Sessionized logging for Email, HTTP, SMTP, Files, DNS, User Agents, TLS/SSL
- IPFIX flow record logging and search
- Scalable architecture to meet your speed and/or analytics requirements
- Federate multiple cluster-based capture systems, for global visibility and PCAP retrieval
Packet Continuum simplifies your workflow by integrating endpoint behavior, network signature visibility and DPI, with a simple pivot to the sessionized network data, enriched metadata and file recovery. Nearly two-thirds of breaches per incident are easy to catch (administrative issues, for example); mitigate them by implementing effective, basic cyber practice policies that track user agent signature characteristics, email and file exfiltration.
The Packet Continuum user interface (and programmatic REST/API) integrates Policy Management, Case Management, Forensic Investigation, and Open Data Access.
An integrated Case Manager gives visibility to analysts about critical events, and allows quick drill-down to full session logs and full PCAP file content. Real-time IoC Policy Management comes with pre-packaged ruleset libraries, and allows SOC teams to design and upload their own rule sets, including
- IDS rulesets
- Malware rulesets
- ThreatIP lists
- Defended assets
- Defended services
- BPF-based Active Triggers
All policy-driven IoC events can map to MITRE’s open ATT&CK matrix kill-chain categories, for adversary behavior and insider threats.
All policies generate logs/metadata, which are compressed, correlated, and instantly searchable.
All policies integrate within a full-featured Case Management User Interface.
Packet Continuum facilitates the “Spiral-Model” methodology for effective forensic investigations.
Open Source Rulesets & Data Interfaces:
- MITRE’s ATT&CK kill-chain matrix — map events to adversary TTP activity
- Snort/Suricata — IDS alert rulesets
- Yara — File-based malware detection rulesets
- BPF — User-defined Active Trigger alerts
- Defended Assets/Services — Flexible user-defined lists
- TAXII/STIX — pre-packaged ThreatIPs and rulesets, supported via structured cyber threat information
- Nessus — active PEN test scanning of End Points (optional)
- Kali — active vulnerability scanning of End Points (optional)
Open Data Access, with standard file formats:
- PCAP-NG packet data
- IPFIX netflow records
- Text/CSV/syslog for enrichment log data
Open Workflow Automation & Orchestration:
- Full-featured, mature REST/API
- Custom Workflow Scripting
- 3rd Party Event/Data/PCAP Correlation
INTEGRATED CASE MANAGEMENT
Packet Continuum facilitates and automates incident response and threat-hunting for individual investigators, or for a coordinated SOC team. Policies applied to logs/events in real-time are escalated to Active Hunt Cases, either manually or by automated policy management. For example, traffic involving known ThreatIPs, or file checks detecting malware, are automatically escalated. In a similar way, SOC teams may curate their own automated policy rulesets. To further assist analysts to evaluate the relative importance of Active Hunt Cases, any type of alert/trigger/DNS event can be automatically mapped to a TTP category within the ATT&CK matrix.
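The two workflows described above, mapping policy events to ATT&CK tactic columns and then working backward from a red-flag tactic through correlated flow records, as an added illustration that is not part of Packet Continuum's own code or this page. The Suricata EVE-style alert lines, the IPFIX-style flow records and the `threatip` event type are constructed for the example; the tactic IDs are real Enterprise ATT&CK identifiers.

```python
import json
from datetime import datetime

# Enterprise ATT&CK tactic columns in kill-chain order (real tactic IDs).
KILL_CHAIN = ["TA0001", "TA0002", "TA0003", "TA0004", "TA0005", "TA0006",
              "TA0007", "TA0008", "TA0009", "TA0011", "TA0010", "TA0040"]
# Hypothetical policy default: a ThreatIP hit with no rule metadata is treated as C2.
POLICY_DEFAULT_TACTIC = {"threatip": "TA0011"}

# Constructed EVE-style event lines; the "alert.metadata" layout mirrors Suricata's.
EVE_LINES = """\
{"timestamp":"2024-05-01T10:00:05","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"203.0.113.9","src_port":51000,"dest_port":443,"proto":"TCP","alert":{"signature":"Constructed initial access","metadata":{"mitre_tactic_id":["TA0001"]}}}
{"timestamp":"2024-05-01T10:02:10","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"10.0.0.22","src_port":52000,"dest_port":445,"proto":"TCP","alert":{"signature":"Constructed lateral movement","metadata":{"mitre_tactic_id":["TA0008"]}}}
{"timestamp":"2024-05-01T10:05:00","event_type":"threatip","src_ip":"10.0.0.7","dest_ip":"198.51.100.5","src_port":53000,"dest_port":8080,"proto":"TCP"}
{"timestamp":"2024-05-01T10:09:30","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.5","src_port":53001,"dest_port":8080,"proto":"TCP","alert":{"signature":"Constructed exfiltration","metadata":{"mitre_tactic_id":["TA0010"]}}}
{"timestamp":"2024-05-01T10:09:40","event_type":"dns","src_ip":"10.0.0.7","dest_ip":"10.0.0.53","src_port":40000,"dest_port":53,"proto":"UDP"}
"""

# Constructed IPFIX-style flow records: 5-tuple plus the flow's start/end time.
FLOWS = [
    {"src_ip": "10.0.0.7", "dest_ip": "198.51.100.5", "src_port": 53001, "dest_port": 8080,
     "proto": "TCP", "start": "2024-05-01T10:09:00", "end": "2024-05-01T10:10:00", "bytes": 5_000_000},
    {"src_ip": "10.0.0.7", "dest_ip": "10.0.0.22", "src_port": 52000, "dest_port": 445,
     "proto": "TCP", "start": "2024-05-01T10:03:00", "end": "2024-05-01T10:04:00", "bytes": 4_096},
]
FIVE_TUPLE = ("src_ip", "dest_ip", "src_port", "dest_port", "proto")

def load_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def tactic_of(ev):
    """Map one event to an ATT&CK tactic ID: rule metadata first, policy default second."""
    ids = ev.get("alert", {}).get("metadata", {}).get("mitre_tactic_id", [])
    if ids:
        return ids[0]
    return POLICY_DEFAULT_TACTIC.get(ev["event_type"])  # None when the event is unmappable

def flow_for(ev, flows):
    """Correlate an event with the flow sharing its 5-tuple whose time window covers it."""
    t = datetime.fromisoformat(ev["timestamp"])
    for f in flows:
        same_tuple = all(ev[k] == f[k] for k in FIVE_TUPLE)
        if same_tuple and datetime.fromisoformat(f["start"]) <= t <= datetime.fromisoformat(f["end"]):
            return f
    return None

def walk_back(events, host, red_flag):
    """Starting from a red-flag tactic, list the same host's events at that stage or
    earlier, latest kill-chain stage first (then by time) so the analyst reads backward."""
    limit = KILL_CHAIN.index(red_flag)
    hits = [(tactic_of(e), e) for e in events if host in (e["src_ip"], e["dest_ip"])]
    hits = [(t, e) for t, e in hits if t and KILL_CHAIN.index(t) <= limit]
    hits.sort(key=lambda te: (-KILL_CHAIN.index(te[0]), te[1]["timestamp"]))
    return [(t, e["timestamp"], e["event_type"]) for t, e in hits]
```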
labor / cost reduction
Combine zero-day alerting and pivot for analysis/mitigation with historical post-breach forensic analysis, including “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Reduce the cost of network recording software and systems needed for medium and large networks.
Reduce the labor needed to identify indicators of compromise with an easy process to pivot to sessionized data / enriched metadata and reconstruct email and files for review.
Multiple features enable labor / cost reduction including
- Real-time Data Compression: In-line packet compression is transparent to the user. All packets are compressed as they are captured, and all extracted PCAP files are decompressed. Overall storage amplification up to 10x (depending on percentage of traffic with SSL encrypted or compressed packet payloads)
- Cluster architecture leverages CPU power over many servers for super-fast query response, while enabling low-cost local-attached storage on a massive scale. Forensic timelines smoothly scale over days, weeks & months.
- Massive queries over large timelines respond quickly, even as the timeline increases
- Federated search across multiple Packet Continuum appliances at diverse geographic locations, without any “concentrators” required
Packet Continuum’s Federation Manager allows you to federate multiple capture appliances in multiple locations.
- Remote control capability via browser and REST API
- Federated View of all data
- MapReduce framework to extract packets, DPI data and logs across the federation
The Federation Manager dashboard makes it easy to identify Packet Continuum appliances/clusters, even when they are in different physical locations. Your enterprise network can identify the IP address of each appliance and federate them together for a single-pane-of-glass view of all network data.
Federated search across PCAP data, DPI log data and flow records, as well as email text and files for reconstruction.
Federated list of SMTP email sessions with time stamp, capture node location, session information, and SMTP email address, sender, and receiver. The user can click to obtain full session packets, extract email text and subject, and reconstruct attachments in their original MIME format (PDF, doc, etc.).
SMOOTH SCALE TO 100GBPS LOSSLESS PCAP
The Packet Continuum MapReduce Architecture uses Capture Nodes and Cluster Nodes as the building blocks of massive scale. The following diagrams illustrate how to use Federation Manager for continuous lossless packet capture at 40Gbps, 100Gbps and even higher rates, including real-time IDS alerting (Snort/Suricata) running at line rate, together with other packet analytics and Policy Management functions. Each configuration uses the same core appliance as a “Node”: a Dell R730 enterprise-class server with 100TB of storage specifically allocated to the capture timeline, net of other storage requirements.
Fast Query / Streaming
- Fast, Streamed Query Results
- Every query has the option to return PCAP files, IPFIX records, and/or any log files.
- All results are streamed in “chunks”, the first of which appear almost immediately after the query initiates, allowing partial results to be analyzed while the remaining query completes.
- Historical “look-back” queries based on standard Berkeley Packet Filter (BPF) within a time period.
- Active Trigger “look-forward” alerts, BPF-based and user-defined, can generate dozens of simultaneous alerts when the target condition occurs.
- Pre-capture filters (BPF-based) can be changed on-the-fly during capture operations
- All historical logs searchable by text string
- Real-time indexing
- Every packet gets a timestamp and correlation index
- Every log & alert event is cross-correlated to PCAPs and IPFIX flow records
- Streaming Playback Feature
- PCAPs that have been searched/filtered/extracted with the Packet Continuum UI may be replayed out of a 1G copper RJ45 interface to an external device
- Compatible with ANY 3rd party capture/analysis tool – just like a span/mirror port.
Great for recording, additional packet/signature analysis, or back-testing new firewall policies against real historical traffic.
Packet Continuum enables identification, monitoring, viewing, and mitigation of pre-defined Threat IPs as well as user-defined IPs. Packet Continuum comes pre-loaded with a known list of Threat IPs: malicious IPs previously identified by trusted sources such as US-CERT.
From the Packet Continuum Log Manager or Sankey Graph, users can:
- Upload/enable, view or delete/disable lists of identified Threat IPs
- Set alerts based on identified Threat IPs
- Create Active Defense actions (via user criteria or Suricata rules) to be taken when a Threat IP is identified
- With one click, view detailed PCAP session information where a threat is identified
When a Threat IP is identified as present in a session, the system generates a severe alert and a pre-defined Active Defense action can be executed or, if one is not available, alert info can be sent to an external server.
Defended Assets & Services
Packet Continuum enables identification, monitoring, viewing and automatic approval of Defended Assets, which consist of Critical IPs (essential infrastructure) as well as Trusted Asset IPs (host IP addresses defined as safe). Similarly, Defended Services for each critical network application/protocol are defined by port #.
Using the Packet Continuum Dashboard and Case Manager, users can:
- Upload, view or delete lists of identified Assets and Services
- Associate assets or services with the MITRE ATT&CK matrix
- Set alerts based on identified assets or services
- Monitor / view sessions containing specified assets/services as the source or destination
- With one click from the ATT&CK Dashboard, view detailed PCAP session information where an asset/service is identified
Email Search / Extraction
Identify and search email strings and subjects. Email extraction feature includes sender, receiver, subject line and text reconstruction.
- SMTP email session logging with body text in HTML format and file attachment reconstruction from the original MIME format
- SMTP subject, send and receive email address logging
Log Manager email tab showing SMTP email session extraction and reconstruction of email attachment as Excel file with original content and metadata file
Packet Continuum simplifies the email session logging process with pivot to sessionized search and file recovery.
- Free form text search capability
- Clickable by event
- Second click initiates packet session recovery and file reconstruction
- Just two more clicks to the reconstructed file and metadata for that HTTP or SMTP email session
- All viewable and downloadable
List of SMTP email sessions, searchable by time stamp, capture node location, session information, and SMTP email address, sender / receiver. A user can click to get the full session packets, extract the email subject / text and reconstruct file attachments in their original MIME format (PDF, doc, etc.).
File Leakage / Exfiltration
Packet Continuum enables
- HTTP, email and file transfer session logging and file identification
- Identification and reconstruction of files and associated metadata in original mime type for viewing and analysis
File Leakage Session showing logs and pivot to session search and file reconstruction with metadata
TLS / SSL Visibility
Gain visibility into TLS / SSL encrypted sessions. Log and extract sessionized PCAP data via timestamp, capture node and session information for recovery of sessionized packets, then offload them to Wireshark for decryption using customer-provided keys.
Open Data interfaces
Packet Continuum’s open interface enables use of 3rd party commercial and open source tools from SIEM for additional cyber analytics.
- Open file formats and data viewers
- Standard PCAP-NG file and IPFIX record extractions viewable in Wireshark or TShark
- Log files and alerts viewable as CSV or text files in any compatible application such as MS Office.
- Remote Access to file extractions with Web GUI
- PCAP playback feature for 3rd party tools
Open REST/API for creating custom workflows to automate Incident Response, Policy-driven data retention, or interface to legacy analytics tools.
Web UI & REST API
- Packet Continuum dashboard integrates MITRE’s ATT&CK Matrix methodology to provide quick context for policy-driven IoC events.
- One-click searches directly from Dashboard areas: ATT&CK Matrix, Capture Data Graph or Critical Alerts. Searches auto-populate with the query request per user context, simplifying the process of finding and viewing critical events and associated PCAP files
- Packet Continuum has remote viewers for sessions, packets, IoC events, and even previews for detected files. Data can be viewed without external tools or downloading to the local system. Besides viewing, the user can also create narrower, more focused searches from the data in view.
- Comprehensive Case Manager screen with tabs for each IoC policy type, allowing instant search and correlation with PCAP and IPFIX flow records
- Remote access to manage and control multiple devices including hot-accessible cluster node changes
- Control of multiple clusters in a global-dispersed federation of capture systems
Packet Continuum deploys on a wide range of rackmount and desktop common hardware platforms, from cost-effective sensor/recorders to enterprise-class servers. It is uniquely cost-effective when deployed at scale. Examples of how Packet Continuum can scale include:
- Numerous distributed sensor/recorders within a highly-scalable “Federated” network architecture, for close coordination with a central Security / Network Operations Center.
- Long capture timelines for days, weeks, or months of lossless packet capture data history, when quick-response search is required. Added timeline features include in-line data compression and policy-driven data retention.
- High capture rate capture points (e.g. 40Gbps, 100Gbps, and beyond) where a full feature set of real-time analytics functions must run at line rate with deterministic performance: continuous lossless full packet capture (PCAP), real-time IDS alerting and other user-defined Policy Management, with simultaneous search/recall for Incident Response.
- 100s of “federated” capture appliances, where each Analyst has access to the federation via a web-based UI, without any need for intermediary data collectors or data concentrators.
Packet Continuum is disrupting the market with open data access, smooth scale, and long timelines – at very low cost.
As an “Open PCAP Infrastructure”, the Packet Continuum supports even the largest enterprise-scale users. Lossless packet capture is the immutable ground truth of any critical event – not merely an interpretation. Take direct ownership of your own critical network data resource.
Packet Continuum includes comprehensive support services for long-term management of large numbers of sensors in the field. This is particularly valuable for Service Providers, who can focus on optimizing their cyber analytics and SOC procedures while NextComputing manages a wide variety of hardware sensors, all with an identical software stack capable of field upgrades. The range of services includes:
- Flexible Pricing, including hardware financing and software subscription or site licensing
- Optimized Platform Specs
  - Based on requirements for Deterministic Real-Time Performance + Low Cost
  - OS, BIOS, Memory, CPU Cores, Hyper-Threads, RAID, Storage, Patch/Vulnerability Updates
- Common Architecture Flexibility
  - Customer-branded hardware & UI software
- Customization / Integration
  - Software, Hardware, Cabling, Documentation, Packaging
- Application Support
  - Example: Legacy Transition Support
- Configuration Management & Revision Control
- Sensor Refurbishment, QA, and Regression Testing
- Supply Chain Logistics
- Standards-Based Certification
  - Electrical, Vibration, etc.
- Long Term Support Commitment
  - Tier 1/2/3 disciplined policies for ticket escalation/resolution
- End User Training + Innovative “Train-the-Trainer” techniques