Packet Capture Use Cases
Incident Response Workflow
Every important detected threat requires follow-up action. This kind of “Incident Response” action often involves investigating the full details of a critical network event by retrieving the lossless recorded network traffic as a standard PCAP file, including the full payloads, attachments, etc.
From Packet Continuum’s convenient GUI dashboard, a cyber-investigator can query any PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results in the form of critical incidents from which they can gain insight about the problem to solve, whether it is a network performance problem or a cyber-threat. A unique feature of Packet Continuum is the ability to pre-wire an Open PCAP Forensic Workflow. PCAP queries execute very fast, extract a standard PCAP file format, and begin almost immediately to stream the PCAP results in small chunks to third party or open source DPI (Deep Packet Inspection) analysis tools. Using the REST/API, a technical team can “pre-wire” their system to automatically process the streamed results of every PCAP query to gain the benefit of multiple analysis tools.
The ultimate benefit to a cyber investigator, when Packet Continuum query results are automatically pre-wired for DPI processing, is that they can easily visualize the results they need using all those tools immediately – almost as soon as they press the “submit PCAP query” button on the GUI dashboard.
Packet Continuum provides twofold security against malicious IP addresses. Asset IP monitoring enables identification, monitoring, viewing and automatic approval of Critical IPs (essential infrastructure) as well as Trusted Asset IPs (host IP addresses defined as safe).
Threat IP monitoring enables identification, monitoring, viewing, and mitigation of pre-defined Threat IPs as well as user-defined IPs. Packet Continuum comes pre-loaded with a known list of Threat IPs: malicious IPs previously identified by trusted sources such as US-CERT, for your protection.
INCIDENT RESPONSE INVESTIGATIONS
SOC and cybersecurity teams need access to PCAPs for Incident Response (IR) investigations. Combine zero-day alerting with pivoting for analysis/mitigation and with historical post-breach forensic analysis, including “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Use the open REST/API to create customized workflows for automated Incident Response, policy-driven data retention, or interfaces to legacy analytic tools.
USER BEHAVIOR ANALYSIS
The log manager’s enhanced search capabilities, which allow an integrated pivot to PCAP and enriched metadata, provide behavior and signature visibility. The IDS Alert configurator and DPI Analyzer enable multi-level signature and behavior event session search and logging. This lets you dynamically configure groupings of signature and unusual-behavior alerts from a pool of 30,000.
ANALYZE UPTIME & PERFORMANCE ISSUES
IT/Operations teams need fast IR access regarding uptime and performance problems. Compliance, Audit and Legal teams increasingly have their own IR requirements for the same ground truth about critical network events.
PCAP RECORDING AS CPE SERVICE
MSSP or Telecom Service Providers use Open PCAP Infrastructure for internal diagnostics, but also offer PCAP recording as an incremental CPE service to customers, with enhanced “IR-to-PCAP” Incident Response services linked to multiple value-add hosted MSSP solutions like SOC, DLP, DDoS Mitigation, and other Big Data Analytics.
OEM solution databases can easily be correlated with the Packet Continuum PCAP repository. For example, any outside event or log that contains 5-tuple and timestamp information can be used to generate a PCAP query. The OEM can control case/event names via the REST query process, so the PCAP repository stays in sync with the OEM database.
Automated File Detection
A file hash alert from Packet Continuum causes the OEM application to look up the file hash in its database of white-listed files (known to be OK) and black-listed files (known to contain malware). Black-listed files may require follow-up action with the associated End Points. Unknown files may trigger a BPF Search to extract PCAP data to review the network transaction in more detail, and possibly to send the new file to a research or sandbox application.
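As an added example (not Packet Continuum's or any OEM's own code), the Python below wires together the two integration points just described: turning an outside log event that carries a 5-tuple plus timestamp into a BPF filter and time window for a PCAP query, and classifying a file-hash alert against allow and deny lists so that unknown hashes trigger that BPF search. The REST endpoint and request schema are not given on this page, so the query is returned as a plain dict rather than submitted; the `FlowEvent` fields, the sample event, and the hash lists are all constructed for the example.

```python
"""Build a PCAP query from a 5-tuple event and triage a file-hash alert.

Added example; the FlowEvent fields, sample hashes and the query dict layout are
assumptions, not Packet Continuum's REST schema (which this page does not show).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
import ipaddress


@dataclass(frozen=True)
class FlowEvent:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    ts: datetime      # timezone-aware event timestamp from the OEM log
    case_name: str    # OEM case/event name, so the PCAP repository stays in sync


def bpf_for_flow(ev: FlowEvent) -> str:
    """Return a bidirectional BPF filter that matches the whole session.

    Inputs are validated as real IP addresses, ports and protocols so that a
    malformed or hostile log line cannot inject extra filter syntax.
    """
    proto = ev.proto.lower()
    if proto not in ("tcp", "udp"):
        raise ValueError(f"unsupported protocol: {ev.proto!r}")
    src = ipaddress.ip_address(ev.src_ip)
    dst = ipaddress.ip_address(ev.dst_ip)
    for port in (ev.src_port, ev.dst_port):
        if not 0 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port!r}")
    fwd = (f"(src host {src} and src port {ev.src_port} "
           f"and dst host {dst} and dst port {ev.dst_port})")
    rev = (f"(src host {dst} and src port {ev.dst_port} "
           f"and dst host {src} and dst port {ev.src_port})")
    return f"{proto} and ({fwd} or {rev})"


def pcap_query_for_event(ev: FlowEvent,
                         before: timedelta = timedelta(minutes=5),
                         after: timedelta = timedelta(minutes=5)) -> dict:
    """Assemble the query: case name, BPF filter and a window around the event."""
    return {
        "case": ev.case_name,
        "bpf": bpf_for_flow(ev),
        "start": (ev.ts - before).isoformat(),
        "end": (ev.ts + after).isoformat(),
    }


# Constructed sample lists: SHA-256 of fixed strings, not real file hashes.
SAMPLE_ALLOW_HASH = hashlib.sha256(b"constructed-benign-sample").hexdigest()
SAMPLE_DENY_HASH = hashlib.sha256(b"constructed-malware-sample").hexdigest()
ALLOW_HASHES = {SAMPLE_ALLOW_HASH}
DENY_HASHES = {SAMPLE_DENY_HASH}


def classify_hash(sha256: str, allow=ALLOW_HASHES, deny=DENY_HASHES) -> str:
    """Return 'malware', 'benign' or 'unknown'; deny list wins over allow list."""
    h = sha256.strip().lower()
    if len(h) != 64 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError("expected a 64-character hex SHA-256 digest")
    if h in deny:
        return "malware"
    if h in allow:
        return "benign"
    return "unknown"


def handle_file_hash_alert(sha256: str, ev: FlowEvent) -> dict:
    """Map the verdict to the follow-up described in the text.

    malware -> follow up with the associated endpoints; unknown -> BPF search
    for the transaction plus optional sandbox submission; benign -> nothing.
    """
    verdict = classify_hash(sha256)
    if verdict == "malware":
        return {"verdict": verdict, "action": "endpoint_followup", "query": None}
    if verdict == "unknown":
        return {"verdict": verdict, "action": "bpf_search",
                "query": pcap_query_for_event(ev), "submit_to_sandbox": True}
    return {"verdict": verdict, "action": "none", "query": None}


# Constructed sample event (RFC 5737 documentation address for the peer).
SAMPLE_EVENT = FlowEvent("10.0.0.5", 49152, "203.0.113.7", 443, "tcp",
                         datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc),
                         "case-0001")

if __name__ == "__main__":
    print(pcap_query_for_event(SAMPLE_EVENT))
    print(handle_file_hash_alert("ff" * 32, SAMPLE_EVENT)["action"])
```

The BPF filter is built from validated address and port objects rather than raw log strings, which is the one detail worth copying into any real OEM integration: the filter text is handed to a capture engine, so untrusted log fields must never be interpolated unchecked.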
Selective DPI Analytics
Based on real-time IOC alerts about ongoing network traffic, the OEM solution may wish to selectively extract PCAP data for Deep Packet Inspection (DPI) using OEM software algorithms. Using the REST/API, and other high speed access methods, Packet Continuum allows the OEM application to focus on the most important packet-level data – rather than having to read every packet. In this way, Packet Continuum technology can upgrade legacy software systems to operate at much higher data throughput rates.
Active Trigger Alerting
When a new threat or CVE is discovered, the OEM application can automatically search all packet history for any past occurrence, and simultaneously establish an Active Trigger alert to watch for any future occurrence of similar activity.
Full Context / Email PCAP Extraction
When a network event is detected, even by a third party system or probe, a query to Packet Continuum can extract the PCAP file associated with the full TCP session – no matter how long the session has been active. Active Triggers and other features allow tracking of similar activity in the future, resulting in PCAP data with the critical event in its full context. Email search and extraction that includes the sender, receiver, subject, text and attachments for reconstruction into their original form is a NEW feature recently added to Packet Continuum.
Offload Resource-Intensive Operations
Offloading helps in-line network appliances such as IPS or NGFW that require low-latency packet operations. Packet Continuum can free critical resources within those in-line solutions by taking over functions that do not require low latency, such as event logging and selective packet capture. Packet Continuum is optimized for exactly these functions, and additional alerting/capture capacity is simply a matter of adding more Cluster Nodes.
ADVANCED ANALYTICS INTERPRETATION
Cyber threats evolve continuously, and advanced threat detection solutions must rapidly adapt. With Packet Continuum, all recent history is readily available to assist advanced analytics applications to interpret a changing situation. For example, when a pattern suddenly emerges as relevant, all PCAP history can be searched to find similar patterns – even before such activity was suspicious.
Packet Continuum also provides a complete End User solution for large enterprise / agency, telecom or MSSP network service providers for multiple, additional applications including:
- IoC alert logging
- Data exfiltration
- PCAP evidence to court cases
- Botnet C&C activity
- User behavior analysis
- Forensic traffic analysis
- Integrated threat intelligence
- Encrypted Traffic analysis