Using the Packet Continuum incident response workflow
Every important detected threat requires follow-up action. This kind of "incident response" action often involves investigating the full details of a critical network event by retrieving the losslessly recorded network traffic in the form of a standard PCAP file, including full payloads, attachments, and so on.
From Packet Continuum's GUI dashboard, a cyber-investigator can query any part of the PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results, one per critical incident, from which they can gain insight into the problem at hand, whether it is a network performance problem or a cyber-threat.
A unique feature of Packet Continuum is the ability to pre-wire an Open PCAP Forensic Workflow. PCAP queries execute very fast, extract results in the standard PCAP file format, and begin almost immediately to stream those results in small chunks to third-party or open-source DPI (Deep Packet Inspection) analysis tools. Using the REST API, a technical team can "pre-wire" their system to automatically process the streamed results of every PCAP query. In fact, it is good practice to pre-wire PCAP results to multiple tools, because different analysis tools have different strengths, and not all tools interpret the same PCAP data in the same way.
The ultimate benefit to a cyber-investigator, when Packet Continuum query results are automatically pre-wired for DPI processing, is that they can visualize the results they need in all of those tools immediately, almost as soon as they press the "submit PCAP query" button on the GUI dashboard.
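The pre-wiring idea above (a PCAP query result arriving as a stream of small chunks and being handed to several analysis tools at once) is illustrated here with an added example; this is not Packet Continuum's own code, and it does not use its REST API. The chunked delivery is simulated from a constructed in-memory PCAP file, the incremental parser and the fan-out dispatcher are this example's own classes, and the two "tools" (a byte counter and an IPv4 source-address tally) are stand-ins for real DPI engines. The parser handles records split across chunk boundaries and both pcap endiannesses, and the dispatcher keeps one failing tool from starving the others.

```python
"""Added example: consume a chunked PCAP stream and fan packets out to several analyzers."""
import struct
from typing import Callable, Dict, List, Optional, Tuple

Packet = Tuple[float, bytes]          # (timestamp in seconds, link-layer frame)
Handler = Callable[[Packet], None]

# libpcap magic numbers, read as little-endian; byte-swapped values mean a big-endian file
_MAGICS = {
    0xA1B2C3D4: ("<", 1e-6), 0xD4C3B2A1: (">", 1e-6),   # microsecond timestamps
    0xA1B23C4D: ("<", 1e-9), 0x4D3CB2A1: (">", 1e-9),   # nanosecond timestamps
}


class PcapStreamParser:
    """Incremental pcap parser: feed() chunks of any size, get back complete records."""

    def __init__(self) -> None:
        self._buf = bytearray()
        self._endian: Optional[str] = None   # unknown until the 24-byte global header is in
        self._ts_scale = 1e-6
        self.linktype: Optional[int] = None
        self.snaplen = 0

    def feed(self, chunk: bytes) -> List[Packet]:
        self._buf += chunk
        out: List[Packet] = []
        if self._endian is None:
            if len(self._buf) < 24:
                return out
            magic = struct.unpack("<I", self._buf[:4])[0]
            if magic not in _MAGICS:
                raise ValueError("not a pcap stream (magic 0x%08x)" % magic)
            self._endian, self._ts_scale = _MAGICS[magic]
            # major, minor, thiszone, sigfigs, snaplen, linktype
            _, _, _, _, self.snaplen, self.linktype = struct.unpack(self._endian + "HHiIII", self._buf[4:24])
            del self._buf[:24]
        while len(self._buf) >= 16:                      # 16-byte per-record header
            ts_sec, ts_frac, incl_len, _orig = struct.unpack(self._endian + "IIII", self._buf[:16])
            if self.snaplen and incl_len > self.snaplen:
                raise ValueError("record longer than snaplen: corrupt or truncated stream")
            if len(self._buf) < 16 + incl_len:
                break                                    # wait for the rest of this record
            out.append((ts_sec + ts_frac * self._ts_scale, bytes(self._buf[16:16 + incl_len])))
            del self._buf[:16 + incl_len]
        return out


class FanOut:
    """Delivers every packet to all registered tools; a crashing tool is counted, not fatal."""

    def __init__(self) -> None:
        self._handlers: Dict[str, Handler] = {}
        self.errors: Dict[str, int] = {}

    def register(self, name: str, handler: Handler) -> None:
        self._handlers[name] = handler

    def dispatch(self, packets: List[Packet]) -> None:
        for pkt in packets:
            for name, handler in self._handlers.items():
                try:
                    handler(pkt)
                except Exception:
                    self.errors[name] = self.errors.get(name, 0) + 1


class ByteCounter:
    def __init__(self) -> None:
        self.packets, self.bytes = 0, 0

    def __call__(self, pkt: Packet) -> None:
        self.packets += 1
        self.bytes += len(pkt[1])


class Ipv4SourceTally:
    """Minimal Ethernet/IPv4 decode: packets per source address (ignores non-IPv4 frames)."""
    def __init__(self) -> None:
        self.counts: Dict[str, int] = {}

    def __call__(self, pkt: Packet) -> None:
        frame = pkt[1]
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            return
        src = ".".join(str(b) for b in frame[26:30])
        self.counts[src] = self.counts.get(src, 0) + 1


def build_sample_pcap() -> bytes:
    """Constructed test data (not a real capture): little-endian pcap, three Ethernet/IPv4 frames."""
    def frame(src: str, dst: str, payload: bytes) -> bytes:
        eth = b"\x00" * 6 + b"\x11" * 6 + b"\x08\x00"
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 6, 0,
                         bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
        return eth + ip + payload
    frames = [frame("10.0.0.5", "192.0.2.10", b"GET / HTTP/1.1\r\n"),
              frame("10.0.0.5", "192.0.2.10", b"XXXX"),
              frame("10.0.0.7", "192.0.2.10", b"hello")]
    data = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, f in enumerate(frames):
        data += struct.pack("<IIII", 1700000000 + i, 0, len(f), len(f)) + f
    return data


def run_demo(chunk_size: int = 7) -> Dict[str, object]:
    """Simulate chunked delivery of a query result; dispatch as soon as each record completes."""
    parser, fan = PcapStreamParser(), FanOut()
    counter, tally = ByteCounter(), Ipv4SourceTally()
    fan.register("byte-counter", counter)
    fan.register("ipv4-source-tally", tally)
    data = build_sample_pcap()
    for off in range(0, len(data), chunk_size):
        fan.dispatch(parser.feed(data[off:off + chunk_size]))
    return {"packets": counter.packets, "bytes": counter.bytes, "sources": tally.counts,
            "linktype": parser.linktype, "errors": fan.errors}


if __name__ == "__main__":
    print(run_demo())
```

Each registered handler sees every packet independently, which is the point of wiring one query result to several tools: the byte counter and the address tally reach different conclusions from the same bytes, and a decoder that rejects a frame does not affect the others. The parser's snaplen check is the kind of sanity test worth keeping in front of any downstream tool, since a truncated or corrupt stream should fail loudly rather than feed garbage into an investigation.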
Importing IoC alerts
Bring PCAP evidence to court
Botnet Command-and-Control activity
Using extracted metadata such as a malware encryption key, forensic analysts can go back in time and reconstruct all C2 activity performed by that malware (e.g., with a tool such as ChopShop). This provides insight into critical attacker activities, such as the details of lateral movement through the environment.
Search for anomalous user behavior
Forensic traffic analysis
Network Behavior Anomaly Detection (NBAD)
Integration of real-time threat intelligence
Encrypted traffic analysis
In a controlled environment, it is valuable to understand what employees are sending over encrypted email, FTP, or other channels.