What’s New?! – Threat Analysis with Deep Packet Inspection
Context is King when it comes to understanding and analysing attacks and attackers. Today we are releasing the analysis feature for the Threats module. Internally we call this feature “play by play” and it does exactly that. It allows you to peer inside every attack and step through it so you can rule the attack in or out of your analysis.
What do you need to do to enable it? – nothing. We are processing all datasets on Packetloop today to enable this new functionality.
[Screenshot: MySQL Login and a Drop Database shown in Analysis view]
In the screenshot above the full context of a MySQL root login is shown. Stepping through the attack you can see the successful connection, authentication and then a “drop database” command is issued and executed successfully on the database server.
Packet Level Detail and Protocol Context
For every attack, each packet is analysed using deep packet inspection to identify and parse the protocol used in the attack. Relevant information from each layer of the TCP/IP stack is easily accessed and presented in a tree structure, so you can drill down to the specific information you are looking for.
If you want to know who dropped your database tables – it’s right there. The specific HTTP URI used as part of an attack – it’s right there.
Clicking on the attack in the Analysis view allows you to explore and find evidence and details that can aid your analysis.
How does it work?
Every packet capture you upload is passed through multiple detection engines and analysed for attacks. At the same time we pass every packet and conversation through deep packet inspection, and for every attack we record the specific protocol information related to it.
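As an added illustration of the layered decode and per-attack protocol record described above (example code written for this post, not Packetloop's own engine), the script below parses a constructed Ethernet/IPv4/TCP/MySQL frame into a chain of per-layer nodes, walks that chain to pull out the MySQL statement, and answers the "who dropped my database?" question by pairing the source address with the statement. The packet bytes, the 10.0.0.x addresses and the assumption that MySQL listens on 3306 are constructed for the example; the MySQL packet framing (3-byte little-endian length, sequence id, 0x03 command byte for COM_QUERY) is the real wire format.

```python
"""Toy deep-packet-inspection pass: decode one frame layer by layer into a
tree and extract the MySQL statement from the innermost node.  Added example,
not Packetloop code; the frame below is constructed here, not captured."""
import struct
from typing import Optional

MYSQL_PORT = 3306          # assumption: MySQL on its default port
COM_QUERY = 0x03           # MySQL command byte for a text query


def build_sample_packet(query: bytes = b"DROP DATABASE shop") -> bytes:
    """Constructed Ethernet/IPv4/TCP/MySQL COM_QUERY frame (checksums left zero)."""
    payload = bytes([COM_QUERY]) + query
    mysql = len(payload).to_bytes(3, "little") + b"\x00" + payload   # 3-byte len + seq id
    tcp = struct.pack("!HHIIBBHHH", 51234, MYSQL_PORT, 1000, 2000,
                      5 << 4, 0x18, 65535, 0, 0)                     # 20-byte header, PSH|ACK
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(mysql),
                     1, 0, 64, 6, 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 20]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + mysql


def parse_mysql(data: bytes) -> Optional[dict]:
    """MySQL client packet: 3-byte length, 1-byte sequence id, then the payload."""
    if len(data) < 5:
        return None
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if not payload:
        return None
    node = {"layer": "mysql", "seq": data[3], "command": hex(payload[0]), "child": None}
    if payload[0] == COM_QUERY:
        node["query"] = payload[1:].decode("utf-8", errors="replace")
    return node


def parse_tcp(data: bytes) -> dict:
    sport, dport, _seq, _ack, off, flags, _win, _ck, _urg = struct.unpack("!HHIIBBHHH", data[:20])
    hlen = (off >> 4) * 4                      # data offset in 32-bit words
    node = {"layer": "tcp", "sport": sport, "dport": dport, "flags": hex(flags), "child": None}
    if MYSQL_PORT in (sport, dport):           # port-based dispatch to the application decoder
        node["child"] = parse_mysql(data[hlen:])
    return node


def parse_ipv4(data: bytes) -> dict:
    vihl, _tos, total, _id, _frag, ttl, proto, _ck, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    hlen = (vihl & 0x0F) * 4
    node = {"layer": "ipv4", "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "ttl": ttl, "proto": proto, "child": None}
    if proto == 6:                             # TCP
        node["child"] = parse_tcp(data[hlen:total])
    return node


def parse_ethernet(frame: bytes) -> dict:
    dst, src, ethertype = frame[0:6], frame[6:12], int.from_bytes(frame[12:14], "big")
    node = {"layer": "ethernet", "src": src.hex(":"), "dst": dst.hex(":"),
            "ethertype": hex(ethertype), "child": None}
    if ethertype == 0x0800:                    # IPv4
        node["child"] = parse_ipv4(frame[14:])
    return node


def find_layer(tree: dict, name: str) -> Optional[dict]:
    """Walk the layer chain and return the node for the named protocol, if present."""
    node = tree
    while node is not None:
        if node["layer"] == name:
            return node
        node = node.get("child")
    return None


def destructive_statement(tree: dict) -> Optional[dict]:
    """Answer 'who dropped the database?': source address plus the statement, or None."""
    mysql, ip = find_layer(tree, "mysql"), find_layer(tree, "ipv4")
    if mysql is None or ip is None or "query" not in mysql:
        return None
    stmt = mysql["query"].strip()
    if stmt.upper().startswith(("DROP DATABASE", "DROP TABLE")):
        return {"src": ip["src"], "dst": ip["dst"], "statement": stmt}
    return None


if __name__ == "__main__":
    tree = parse_ethernet(build_sample_packet())
    node, depth = tree, 0
    while node is not None:                    # print the tree, one indented line per layer
        fields = {k: v for k, v in node.items() if k not in ("layer", "child")}
        print("  " * depth + node["layer"], fields)
        node, depth = node["child"], depth + 1
    print(destructive_statement(tree))
```

Each decoder hands only its own payload to the next layer, which is why the innermost node ends up holding the MySQL statement and the outer nodes hold the addressing needed to attribute it; a benign query such as `SELECT 1` parses into the same tree shape but is not flagged.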