Using the CyberPro Incident Response Workflow
Every important detected threat requires follow-up action. This Incident Response action often involves investigating the full details of a critical network event by retrieving the lossless recorded network traffic in the form of a standard PCAP file, including the full payloads, attachments, etc.
From CyberPro’s convenient GUI dashboard, the cyber-investigator can query any PCAP history using data from IoC (Indicator of Compromise) events. Over time the investigator builds up a history of PCAP query results in the form of critical incidents from which they can gain insight about the problem to solve, whether it is a network performance problem or a cyber-threat.
A unique feature of CyberPro is that several open source DPI (Deep Packet Inspection) analysis tools are not only pre-installed, but also are pre-wired to automatically process the streamed results of every PCAP query. The benefit to a cyber investigator using CyberPro is that they can see results they need from all those tools immediately – almost as soon as they finish pressing the “submit PCAP query” button on the GUI dashboard.
Innovative solutions for a variety of use cases
Cyber Incident Response
An End User can use data from any third party threat detection system for a PCAP search and investigation. Such incidents might be triggered by cyber security threat detection, suspicious activity, or performance anomalies, or simply be based on an audit trail requirement (e.g., for cross-border packet activity within a multi-tenant data center).
Network Performance Diagnostics
When the network is slow or bottlenecks develop, CyberPro's included software tools focus on performance and root-cause analysis.
CyberPro makes it easy to investigate compliance violations on an enterprise network. In addition, the ease of portability allows for non-intrusive testing and audits at branch office locations.
Drill down into specific network events to find out exactly what happened. Direct suspect network traffic through DPI software for analysis and data visualization.
Collect IoC alerts
CyberPro can generate a wide variety of Indicator of Compromise (IoC) alerts. Use these alerts to selectively route PCAP data to a variety of open source tools, each of which generates further useful IoC information, events, and insights.
Using the file event IoC alerting feature of CyberPro, you can flag suspicious data exfiltration by identifying source hosts and content transferred.
Bring PCAP evidence to court
All packet captures and log events can be used as legal evidence or for compliance verification, which may be required after a breach, attack, or any other incident.
Botnet Command-and-Control activity
Using extracted metadata such as a malware encryption key, forensic analysts can go back in time and reconstruct all C2 activity performed by such malware (e.g. via a tool such as ChopShop). This will provide insight into critical attacker activities such as details on lateral movement through the environment.
Search for anomalous user behavior
Identify employees using unapproved applications or using applications in ways that violate policies. Correlate metadata about users, files and sessions with real-time threat information, and use the correlations to provide situational awareness reports and alerts.
Forensic traffic analysis
Captured data can be analyzed for suspicious traffic, such as non-DNS traffic over port 53, encrypted traffic over port 80, etc. Especially if the End User uses third party forensic tools with complementary analysis capabilities, there are many possible creative use cases.
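The port/protocol mismatch checks mentioned above (non-DNS payloads on port 53, TLS records on port 80), written out as an added example that is not CyberPro's own code: the header heuristics follow the DNS and TLS record layouts, and the packet records are constructed samples rather than real captures.

```python
import struct

def looks_like_dns(payload: bytes) -> bool:
    """Sanity-check a UDP payload against the 12-byte DNS header (RFC 1035 4.1.1)."""
    if len(payload) < 12:
        return False
    _id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    # Opcodes above 5 are unassigned; a real query or response carries at least
    # one question, and the section counts cannot exceed the bytes that follow.
    if opcode > 5 or qdcount == 0:
        return False
    return qdcount + ancount + nscount + arcount <= len(payload) - 12

def looks_like_tls(payload: bytes) -> bool:
    """TLS record header: content type 0x14-0x17, version bytes 0x03 0x00-0x03."""
    return (len(payload) >= 5 and 0x14 <= payload[0] <= 0x17
            and payload[1] == 0x03 and payload[2] <= 0x03)

def looks_like_http(payload: bytes) -> bool:
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"HTTP/")
    return payload.startswith(methods)

def flag_mismatches(packets):
    """Return (src, dst, dport, reason) for payloads that do not match the protocol
    normally expected on the destination port."""
    findings = []
    for src, dst, proto, dport, payload in packets:
        if dport == 53 and not looks_like_dns(payload):
            findings.append((src, dst, dport, "non-DNS payload on port 53"))
        elif dport == 80 and proto == "tcp" and looks_like_tls(payload):
            findings.append((src, dst, dport, "TLS record on port 80"))
        elif dport == 80 and proto == "tcp" and not looks_like_http(payload):
            findings.append((src, dst, dport, "non-HTTP payload on port 80"))
    return findings

# Constructed sample records: (src, dst, proto, dport, payload). Not real captures.
SAMPLE_PACKETS = [
    # Legitimate DNS query: id 0x1234, flags 0x0100 (RD), qdcount 1, "example.com" A
    ("10.0.0.5", "10.0.0.1", "udp", 53, bytes.fromhex("123401000001000000000000") + b"\x07example\x03com\x00\x00\x01\x00\x01"),
    # Tunnelled data on 53: ASCII text, not a DNS header
    ("10.0.0.9", "203.0.113.7", "udp", 53, b"hello from the tunnel client"),
    # Plain HTTP request on 80
    ("10.0.0.5", "198.51.100.3", "tcp", 80, b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # TLS handshake record header on 80
    ("10.0.0.9", "203.0.113.7", "tcp", 80, bytes.fromhex("160301005a0100005603031122")),
]

for finding in flag_mismatches(SAMPLE_PACKETS):
    print("MISMATCH %s -> %s:%d  %s" % finding)
```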
CyberPro’s pre-capture feature is ideal for enforcing the selective capture of targeted users on a network, in a self-contained portable form factor for non-intrusive network connectivity, with evidence chain-of-custody enforcement via hashing.