Using the Packet Continuum Incident Response Workflow

Every important detected threat requires follow-up action. This kind of “Incident Response” action often involves investigating the full details of a critical network event by retrieving the lossless recorded network traffic in the form of a standard PCAP file, including the full payloads, attachments, etc.

From Packet Continuum’s convenient GUI dashboard, a cyber-investigator can query any PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results in the form of critical incidents, from which they can gain insight about the problem to solve, whether it is a network performance problem or a cyber-threat.

A unique feature of Packet Continuum is the ability to pre-wire an Open PCAP Forensic Workflow. PCAP queries execute very fast, extract a standard PCAP file format, and begin almost immediately to stream the PCAP results in small chunks to third-party or open source DPI (Deep Packet Inspection) analysis tools. Using the REST/API, a technical team can “pre-wire” their system to automatically process the streamed results of every PCAP query. In fact, it is good practice to pre-wire PCAP results to multiple tools, because different analysis tools have different benefits – and not all tools will interpret the same PCAP data in the same way.

The ultimate benefit to a cyber investigator, when Packet Continuum query results are automatically pre-wired for DPI processing, is that they can easily visualize the results they need using all those tools immediately – almost as soon as they press the “submit PCAP query” button on the GUI dashboard.

Automated Incident Response Workflow


Innovative Packet Capture Solutions for a variety of use cases

Event-to-PCAP Correlation

OEM solution databases can easily correlate with the Packet Continuum PCAP repository. For example, any outside event or log which contains 5-tuple and timestamp information can be used to generate a PCAP query. Furthermore, the OEM can control case/event names via the REST query process, so the PCAP repository will stay in sync with the OEM database.
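As an added illustration of event-to-PCAP correlation (not Packet Continuum's own code, and the query parameter format is an assumption, since the REST/API is not documented on this page), the following example turns a constructed IoC alert carrying a 5-tuple, a timestamp and an OEM case name into a bidirectional BPF filter plus a time window that reaches back toward the session start:

```python
"""Constructed example: map an IoC event (5-tuple + timestamp) to the
parameters of a PCAP history query. The PcapQuery shape is assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress
import json


@dataclass(frozen=True)
class PcapQuery:
    case: str   # OEM case/event name, kept so the repository stays in sync
    bpf: str    # BPF filter selecting both directions of the flow
    start: str  # ISO-8601 UTC window start
    end: str    # ISO-8601 UTC window end


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def event_to_pcap_query(event: dict, lookback=timedelta(minutes=5),
                        lookforward=timedelta(minutes=1)) -> PcapQuery:
    """Build the query: both tuple directions are matched because reply
    traffic carries the reversed 5-tuple, and the lookback margin is what
    lets the extraction cover the session before the alert fired."""
    proto = event["proto"].lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol {proto!r}")
    src, dst = event["src_ip"], event["dst_ip"]
    if not (_is_ip(src) and _is_ip(dst)):
        raise ValueError("event does not carry valid IP addresses")
    sport, dport = int(event["src_port"]), int(event["dst_port"])
    bpf = (f"{proto} and ((src host {src} and src port {sport} and "
           f"dst host {dst} and dst port {dport}) or "
           f"(src host {dst} and src port {dport} and "
           f"dst host {src} and dst port {sport}))")
    ts = datetime.fromisoformat(event["timestamp"])
    if ts.tzinfo is None:            # naive timestamps are treated as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    ts = ts.astimezone(timezone.utc)
    return PcapQuery(case=event.get("case", "unnamed"), bpf=bpf,
                     start=(ts - lookback).isoformat(),
                     end=(ts + lookforward).isoformat())


# Constructed IoC alert line (JSON), not real data.
SAMPLE_EVENT = json.loads('{"timestamp": "2024-03-01T12:00:30+00:00", '
                          '"proto": "TCP", "src_ip": "10.0.0.5", "src_port": 51514, '
                          '"dst_ip": "203.0.113.7", "dst_port": 443, "case": "IR-0042"}')
```

Calling `event_to_pcap_query(SAMPLE_EVENT)` yields the filter and window an OEM integration would hand to the PCAP query, whatever the transport.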

Policy-Driven Packet Capture

Packet Continuum has unique features, such as compression and clustering, to support very long capture timelines at low cost. Further dramatic cost reduction is possible when advanced analytics of an OEM solution selectively extracts PCAP files based on what activity is determined to be suspicious. The lossless Capture Store timeline can be reduced to simply the amount of latency time required for the OEM solution to determine what to save.

Automated File Detection

A file hash alert from Packet Continuum causes the OEM application to look up the file hash in its database of whitelisted files (known to be OK) and blacklisted files (known to contain malware). Blacklisted files may require follow-up action with the associated endpoints. Unknown files may trigger a BPF Search to extract PCAP data to review the network transaction in more detail, and possibly to send the new file to a research or sandbox application.

Selective DPI Analytics

Based on real-time IOC alerts about ongoing network traffic, the OEM solution may wish to selectively extract PCAP data for Deep Packet Inspection (DPI) using OEM software algorithms. Using the REST/API, and other high speed access methods, Packet Continuum allows the OEM application to focus on the most important packet-level data – rather than having to read every packet. In this way, Packet Continuum technology can upgrade legacy software systems to operate at much higher data throughput rates.

Fast DPI Analytics

The OEM application receives streamed PCAP results from any query. In this way, OEM analytics can process the query results in parallel with very long PCAP extractions, which greatly accelerates the OEM DPI analytic results.

Look-back + Look-forward actions

When a new threat or CVE is discovered, the OEM application can automatically search all packet history for any past occurrence, and simultaneously establish an Active Trigger alert to watch for any future occurrence of similar activity.

Full Context PCAP Extraction

When some network event is detected, even by a third-party system or probe, a query to Packet Continuum can extract the PCAP file associated with the full TCP session – no matter how long the session has been active. Active Triggers and other features allow tracking of similar activity in the future, resulting in PCAP data with the critical event in its full context.

Offload Resource-Intensive Operations

For example, in-line network appliances such as IPS or NGFW require low-latency packet operations. Packet Continuum can free up critical resources within those in-line solutions by offloading functions that do not require low latency, such as event logging and selective packet capture. Packet Continuum, by contrast, is optimized for these functions, and additional alerting/capture capacity is simply a matter of adding more Cluster Nodes.

Entry-Level Platforms

An “analytics-only” platform makes an attractive entry-level OEM product: it provides real-time IOC alerts without the costs associated with extensive Forensic Timeline features. This gives the OEM’s end-user an easy upgrade path to a long-timeline “PCAP” capability for Incident Response and other purposes, as they wish.

Adaptive PCAP algorithms

Cyber threats evolve continuously, and advanced threat detection solutions must rapidly adapt. With Packet Continuum, all of recent history is readily available to help advanced analytics applications interpret a changing situation. For example, when a pattern suddenly emerges as relevant, all of PCAP history can be searched to find similar patterns – including traffic recorded before such activity was considered suspicious.