23 Mar 2013

What's New?! - Threat Analysis with Deep Packet Inspection


Introduction

Context is King when it comes to understanding and analysing attacks and attackers. Today we are releasing the analysis feature for the Threats module. Internally we call this feature "play by play" and it does exactly that. It allows you to peer inside every attack and step through it so you can rule the attack in or out of your analysis.

What do you need to do to enable it? - nothing. We are processing all datasets on Packetloop today to enable this new functionality.

[Screenshot: MySQL login and a DROP DATABASE command shown in the Analysis view]
In the screenshot above the full context of a MySQL root login is shown. Stepping through the attack you can see the successful connection, authentication and then a "drop database" command is issued and executed successfully on the database server.

Packet Level Detail and Protocol Context

For every Attack each packet is analysed using deep packet inspection to identify and parse the protocol used in the attack. Relevant information from each layer of the TCP/IP stack is easily accessed and presented in a tree structure so you can drill down to specific information you are looking for.

If you want to know who dropped your database tables - it's right there. The specific HTTP URI used as part of an attack - it's right there.

Clicking on the attack in the Analysis view allows you to explore and find evidence and details that can aid your analysis.

How does it work?

Every packet capture you upload is passed through multiple detection engines and analysed for attacks. At the same time we pass every packet and conversation through deep packet inspection, and for every attack we record the specific protocol information related to it.
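As an added illustration of the kind of per-layer parsing described in the "Packet Level Detail" section and the MySQL "drop database" screenshot above (example code written for this post, not Packetloop's own engine), the script below walks a pcap file, decodes each frame into a small Ethernet / IPv4 / TCP / MySQL tree, and flags MySQL COM_QUERY packets carrying destructive statements. The pcap is constructed inline (the addresses, ports and query are sample values, not captured data), and only little-endian microsecond pcap files with an Ethernet link type are handled; a real engine would also reassemble TCP streams and cover many more protocols.

```python
"""Minimal deep-packet-inspection walk: pcap -> Ethernet -> IPv4 -> TCP -> MySQL.
Example code for illustration; not Packetloop's implementation."""
import struct

MYSQL_PORT = 3306
COM_QUERY = 0x03  # MySQL text-protocol command byte for a plain query
DESTRUCTIVE = ("DROP DATABASE", "DROP TABLE", "TRUNCATE")


def build_sample_pcap(query: bytes) -> bytes:
    """Construct a one-packet pcap: client 10.0.0.5 -> MySQL server 10.0.0.20.
    Sample data built here for the example, not a real capture."""
    payload = bytes([COM_QUERY]) + query
    # MySQL packet header: 3-byte little-endian payload length, 1-byte sequence id
    mysql_pkt = struct.pack("<I", len(payload))[:3] + b"\x00" + payload
    # TCP: sport, dport, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 51234, MYSQL_PORT, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(mysql_pkt)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    frame = eth + ip + tcp + mysql_pkt
    # pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 (Ethernet)
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + rec_hdr + frame


def iter_frames(pcap: bytes):
    """Yield (timestamp_seconds, frame_bytes) for each record in a pcap byte string."""
    magic, = struct.unpack("<I", pcap[:4])
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack("<I", pcap[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet link type is handled here")
    off = 24
    while off + 16 <= len(pcap):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", pcap[off:off + 16])
        off += 16
        yield ts_sec, pcap[off:off + incl_len]
        off += incl_len


def decode_mysql(data: bytes) -> dict:
    """Parse one MySQL client packet; expose the query text for COM_QUERY."""
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    info = {"length": length, "seq": data[3], "command": payload[0] if payload else None}
    if payload and payload[0] == COM_QUERY:
        info["query"] = payload[1:].decode("utf-8", "replace")
    return info


def decode_frame(frame: bytes) -> dict:
    """Decode one Ethernet frame into a per-layer tree; stop at the first layer not understood."""
    tree = {"eth": {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
                    "type": struct.unpack("!H", frame[12:14])[0]}}
    if tree["eth"]["type"] != 0x0800:          # not IPv4
        return tree
    total_len = struct.unpack("!H", frame[16:18])[0]
    ip = frame[14:14 + total_len]              # drop any Ethernet padding
    ihl = (ip[0] & 0x0F) * 4
    tree["ip"] = {"src": ".".join(map(str, ip[12:16])),
                  "dst": ".".join(map(str, ip[16:20])), "proto": ip[9]}
    if ip[9] != 6:                             # not TCP
        return tree
    tcp = ip[ihl:]
    sport, dport = struct.unpack("!HH", tcp[:4])
    doff = (tcp[12] >> 4) * 4
    tree["tcp"] = {"sport": sport, "dport": dport, "flags": tcp[13]}
    data = tcp[doff:]
    if dport == MYSQL_PORT and data:           # client -> server MySQL traffic
        tree["mysql"] = decode_mysql(data)
    return tree


def find_destructive_queries(pcap: bytes) -> list:
    """Return who issued DROP/TRUNCATE statements, with source and destination hosts."""
    hits = []
    for ts, frame in iter_frames(pcap):
        tree = decode_frame(frame)
        query = tree.get("mysql", {}).get("query")
        if query and any(query.upper().lstrip().startswith(k) for k in DESTRUCTIVE):
            hits.append({"ts": ts, "src": tree["ip"]["src"],
                         "dst": tree["ip"]["dst"], "query": query})
    return hits


if __name__ == "__main__":
    for hit in find_destructive_queries(build_sample_pcap(b"DROP DATABASE orders")):
        print(f"{hit['src']} -> {hit['dst']}: {hit['query']}")
```

The tree returned by `decode_frame` is the same shape of information an analyst drills into: Ethernet addresses, IP endpoints, TCP ports and then the protocol-specific field (here the query text) that answers "who dropped the database". Replace `build_sample_pcap(...)` with the bytes of a real capture file to run it over your own traffic.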

Rule In or Rule Out Instantly

The analysis information combined with Packetloop's Advanced Search lets you reach the context you need incredibly fast. Click on a Country, City, IP or Attack type and you can immediately filter all analysis to that value. Using your scroll wheel or trackpad you can zoom in and out from years to minutes, or pan left and right to go forward and back in time.

No detection system is perfect and context is king for analysts. Allowing you to inspect any attack and be able to rule it in or out of your analysis almost instantly saves you precious time. Time that can be spent finding other complex attacks.

Availability

This feature is now available for all new uploads and any packet captures stored in Packetloop. We have more functionality to add to it. As always if you have any feedback let us know.
