Packet Capture Use Cases

Incident Response Workflow

Every important detected threat requires follow up action. This kind of “Incident Response” action often involves investigating the full details of a critical network event by retrieving the lossless recorded network traffic in the form of a standard PCAP file, including the full payloads, attachments, etc.

From Packet Continuum’s convenient GUI dashboard, a cyber-investigator can query any PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results in the form of critical incidents from which they can gain insight about the problem to solve, whether it is a network performance problem or a cyber-threat. A unique feature of Packet Continuum is the ability to pre-wire an Open PCAP Forensic Workflow. PCAP queries execute very fast, extract a standard PCAP file format, and begin almost immediately to stream the PCAP results in small chunks to third party or open source DPI (Deep Packet Inspection) analysis tools. Using the REST/API, a technical team can “pre-wire” their system to automatically process the streamed results of every PCAP query to gain the benefit of multiple analysis tools.

The ultimate benefit to a cyber investigator, when Packet Continuum query results are automatically pre-wired for DPI processing, is that they can easily visualize the results they need using all those tools immediately – almost as soon as they press the “submit PCAP query” button on the GUI dashboard.

INCIDENT RESPONSE INVESTIGATIONS

SOC & CyberSecurity teams need access to PCAPs for Incident Response (IR) investigations. Combine zero day alerting and pivot for analysis/mitigation and historical post breach forensics analysis including “cyber-espionage,” “point-of-sale intrusions,” and “privilege misuse.” Utilize open REST/API for creating customized workflows for automated Incident Response, Policy-Driven data retention, or interface to legacy analytic tools.

USER BEHAVIOR ANALYSIS

The log manager’s enhanced search capabilities allowing integrated pivot to PCAP and enriched metadata enables behavior and signature visibility. The IDS Alert configurator and DPI Analyzer enable multi-level signature and behavior event session search and logging. This gives you the ability to configure groupings of signature and unusual behavior alerts dynamically from a grouping of 30,000.

ANALYZE UPTIME & PERFORMANCE ISSUES

IT/Operations need fast IR access regarding uptime and performance problems. Compliance, Audit and Legal teams increasingly have their own IR requirements for the same ground truth for critical network events

PCAP RECORDING as CPE SERVICE

MSSP or Telecom Service Providers use Open PCAP Infrastructure for internal diagnostics, but also offer PCAP recording as an incremental CPE service to customers, with enhanced “IR-to-PCAP” Incident Response services linked to multiple value-add hosted MSSP solutions like SOC, DLP, DDoS Mitigation, and other Big Data Analytics.

Event-to-PCAP Correlation

OEM solution databases can easily correlate with the Packet Continuum PCAP repository. For example, any outside event or log which contains 5-tuples and timestamp information can be used to generate a PCAP query. The OEM can control case/event names via the REST query process, so the PCAP repository will be in sync with the OEM data base.

Automated File Detection

A file hash alert from Packet Continuum causes the OEM application to look up the file hash in their database of white list files (known to be OK), and black list files (known to contain malware). Black-listed files may require follow up action with the associated End Points. Unknown files may trigger a BPF Search to extract PCAP data to review the network transaction in more detail, and possibly to send the new file to a research or sandbox application.

Selective DPI Analytics

Based on real-time IOC alerts about ongoing network traffic, the OEM solution may wish to selectively extract PCAP data for Deep Packet Inspection (DPI) using OEM software algorithms. Using the REST/API, and other high speed access methods, Packet Continuum allows the OEM application to focus on the most important packet-level data – rather than having to read every packet. In this way, Packet Continuum technology can upgrade legacy software systems to operate at much higher data throughput rates.

Active Trigger Alerting

When a new threat or CVE is discovered, the OEM application can automatically search all packet history for any past occurrence, and simultaneously establish an Active Trigger alert to watch for any future occurrence of similar activity.

Full Context / Email PCAP Extraction

When a network event is detected, even by a third party system or probe, a query to Packet Continuum can extract the PCAP file associated with the full TCP session – no matter how long the session has been active. Active Triggers and other features allow tracking of similar activity in the future, resulting in PCAP data with the critical event in its full context. Email search and extraction that includes the sender, receiver, subject, text and attachments for reconstruction into their original form is a NEW feature recently added to Packet Continuum.

Offload Resource-Intensive Operations

Offloading is helpful for in-line network appliances such as IPS or NGFW requiring low-latency packet operations. Packet Continuum can optimize critical resources within those in-line solutions by offloading functions that do not require low latency, such as event logging and selective packet capture. On the other hand, Packet Continuum is optimized for these functions, and additional alerting/capture capacity is simply a matter of adding more Cluster Nodes.

ADVANCED ANALYTICS INTERPRETATION

Cyber threats evolve continuously, and advanced threat detection solutions must rapidly adapt. With Packet Continuum, all recent history is readily available to assist advanced analytics applications to interpret a changing situation. For example, when a pattern suddenly emerges as relevant, all PCAP history can be searched to find similar patterns – even before such activity was suspicious.

Packet Continuum also provides a complete End User solution for large enterprise / agency, telecom or MSSP network service providers for multiple, additional applications including:

  • IoC alert logging
  • Data ex-filtration
  • PCAP evidence to court cases
  • Botnet C&C activity
  • User behavior analysis
  • Forensic traffic analysis
  • Integrated threat intelligence
  • Encrypted Traffic analysis