
Active Packet Analysis

Identify malicious traffic flows on your network

Within the Threat2Alert service we implement a high-capacity network probe that sits at the egress point of your internet feed. This device is configured to assess all traffic flowing into and out of your environment. It operates at the data link layer and is able to capture attempted data breaches and malware attacks. It also retains full information about all network conversations for a rolling one-month period. In addition, it collects information about IP address pairs, protocols and other metadata for an indefinite period. This approach provides invaluable information to a Computer Incident Response Team (CIRT) that can be used to identify threats and attempted violations of a company's information assets.

Threat2Alert combines comprehensive managed security information and event management (SIEM) functions with powerful packet capturing capability. Through our Security Operations Centre (SOC) we are able to provide ongoing security detection and response services around the clock. Acting as an extension of your in-house security function, Threat2Alert provides your organisation with the assurance that its environment is being closely monitored and that your data is safe from prying eyes.

Indicators of Compromise

Many organizations find it difficult to identify data exfiltration attempts until it is too late. Despite this challenge, techniques do exist to help an organization spot these attempts.

Malware will frequently exhibit at least three different types of traffic patterns: beaconing, command & control traffic and data exfiltration traffic.

Through Threat2Alert's active network analysis, we identify what normal network behavior looks like. Once we have defined normal behavior, we build a series of algorithms and rules to identify deviations from this norm. Through this approach, we are able to identify traffic anomalies and react before data exfiltration occurs. This approach, combined with our active event analysis, provides unparalleled levels of assurance to our managed services clients.

  • Beaconing

    This type of traffic is frequently initiated every n seconds. It is not uncommon for statistical analysis to unearth this type of traffic. Beacons tend not to be one-off traffic, and can be easier to identify when there is less data traversing the wire. Beacons tend to be initiated from inside a network to hosts outside of the network.

  • Command & Control Traffic

    This type of traffic will typically be initiated in response to a beacon, and will be initiated from outside of the network to a malware-infected resource inside of the network. Command & control traffic usually contains instructions to the device that has been compromised. In more sophisticated malware these instructions will be obfuscated or encrypted.

  • Data Exfiltration Traffic

    This type of traffic will typically result in large amounts of data being sent from the internal network to resources on the internet. This traffic may be an exception to normal network behavior.
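As an added illustration (not part of Threat2Alert or any Nettitude tooling), the following Python script applies the two heuristics described above to constructed NetFlow-style records: it flags beaconing as a source/destination pair whose outbound connections recur at a near-constant interval (low coefficient of variation of the inter-arrival times), and flags possible exfiltration as a host whose outbound byte volume far exceeds a baseline learned from a known-good window. The sample flows, the per-host baselines and the thresholds (`min_events`, `max_cv`, `factor`) are all assumptions chosen for the demonstration.

```python
"""Added example: beacon and bulk-outbound detection over constructed
NetFlow-style records.  Not part of the Threat2Alert service."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp_s, src, dst, bytes, direction).
# direction "out" = internal -> internet, "in" = internet -> internal.
FLOWS = [
    # 10.0.0.5 beacons to 203.0.113.9 roughly every 60 s with a little jitter.
    *[(t + (t // 60) % 3, "10.0.0.5", "203.0.113.9", 310, "out")
      for t in range(0, 3600, 60)],
    # Ordinary browsing from 10.0.0.7: irregular timing, moderate sizes.
    (5, "10.0.0.7", "198.51.100.20", 4_200, "out"),
    (47, "10.0.0.7", "198.51.100.20", 1_900, "out"),
    (510, "10.0.0.7", "198.51.100.20", 8_700, "out"),
    (1_333, "10.0.0.7", "198.51.100.20", 2_300, "out"),
    (2_900, "10.0.0.7", "198.51.100.20", 5_100, "out"),
    # 10.0.0.9 pushes an unusually large volume outbound within the hour.
    (1_200, "10.0.0.9", "192.0.2.77", 900_000_000, "out"),
    (2_000, "10.0.0.9", "192.0.2.77", 700_000_000, "out"),
]

# Constructed baseline: typical outbound bytes per host per hour, learned
# from a previous window believed to be clean (assumed values).
BASELINE_BYTES_PER_HOUR = {
    "10.0.0.5": 50_000,
    "10.0.0.7": 30_000_000,
    "10.0.0.9": 25_000_000,
}


def detect_beacons(flows, min_events=10, max_cv=0.1):
    """Return [((src, dst), mean_interval_s), ...] for outbound pairs whose
    connection times recur periodically.  Periodicity is judged by the
    coefficient of variation (stdev / mean) of the inter-arrival gaps:
    a value at or below max_cv means the timing is close to constant."""
    times = defaultdict(list)
    for ts, src, dst, _, direction in flows:
        if direction == "out":
            times[(src, dst)].append(ts)
    beacons = []
    for pair, ts_list in times.items():
        if len(ts_list) < min_events:      # too few samples to judge timing
            continue
        ts_list.sort()
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons.append((pair, round(avg, 1)))
    return beacons


def detect_exfil(flows, baseline, factor=10):
    """Return hosts whose total outbound bytes exceed factor x their
    baseline.  A host with no baseline is treated as having a baseline of
    zero, so any outbound traffic from it is surfaced for review."""
    totals = defaultdict(int)
    for _, src, _, nbytes, direction in flows:
        if direction == "out":
            totals[src] += nbytes
    return sorted(host for host, total in totals.items()
                  if total > factor * baseline.get(host, 0))


if __name__ == "__main__":
    for (src, dst), interval in detect_beacons(FLOWS):
        print(f"beacon candidate: {src} -> {dst} every ~{interval}s")
    for host in detect_exfil(FLOWS, BASELINE_BYTES_PER_HOUR):
        print(f"outbound volume anomaly: {host}")
```

In practice the baseline should be recomputed per host and per time-of-day, and the beacon threshold loosened for implants that add deliberate jitter; both functions are written to take those parameters so the thresholds can be tuned against the traffic of a specific environment rather than hard-coded.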

Contact Nettitude and a dedicated technical account manager will talk to you about Threat2Alert for your company.