PacketSled has released its Incident Response (IR) platform, a network visibility solution for incident responders. The PacketSled IR platform enables incident and breach response teams to quickly identify attacker activity by monitoring network traffic and performing advanced protocol analysis combined with sophisticated analytics.
The PacketSled platform provides network visibility from deep packet inspection, protocol dissection, ensemble detection methods, and behavioral analysis with a visualization engine that provides first responders with an intuitive and efficient view of network activity. This capability, combined with system automation and ease of sensor implementation, helps incident responders.
According to PacketSled CEO, Fred Wilmot, the PacketSled sensor technology from the IR platform can be installed in minutes with no need for expensive and bulky appliances. "We set out to build a flexible network visibility platform that incident responders can deploy anywhere quickly. Today, we are enabling first responders with that capability, shortening the gap between compromise detection and response, and magnifying their capabilities in minutes," said Wilmot.
“PacketSled provides IR investigators with the ability to monitor suspicious traffic by creating individual cases within it. It also provides the ability to trigger specific packet captures if suspicious traffic is starting and stopping, as is often the case with malware,” said David Biser, Manager of the Critical Incident Response Team at NTT Security. “Rather than ‘speaking’ continually, most malware will be silent until it is time to ‘phone home.’ If identified, you can enable PacketSled to conduct a packet capture of specific traffic that frees an investigator to continue to investigate other suspicious events. We have found the new platform from PacketSled to be a tremendous asset for the work that we do.”
The PacketSled IR platform is not just extensible for IR toolchains, it’s flexible in deployment options as well. Most incident response teams will take advantage of the PacketSled Cloud platform. For cloud-averse, security-restricted or classified environments, PacketSled provides a portable platform that can be shipped anywhere around the world.
In addition to fast and easy sensor deployment, IR teams can track and manage incident behavior through the PacketSled Case Manager. Once IR teams establish attack chain behavior, responders can persist that logic through PacketSled’s Incident Response Expert System (IRES). IRES allows responders to add network indicators of compromise (IOCs), behaviors, conditions, and patterns to a sensor with a few mouse clicks, leveraging MITRE’s ATT&CK framework. The Sensor Management Framework also allows responders to add custom intelligence feeds, including STIX objects for known campaign activity.
“If PacketSled were being used on the network prior to an incident it would provide those first responders with the ability to monitor, identify, and record suspicious events and traffic, which would then give the Incident Response analysts better ability to quickly identify the issue, mediate it, and stop the attack. In one incident, I found what appeared to be a brute force attack. This application was making multiple calls using SMB traffic that looked like an attempt to compromise a password. Once the behavior was identified through PacketSled’s platform, I was able to respond immediately and conduct a packet capture of specific traffic to collect artifacts and free me, as an investigator, to continue to explore other suspicious events,” added David Biser.
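The two behaviours David Biser describes above (a targeted capture triggered when a specific conversation turns suspicious, and a burst of SMB authentication failures that looks like password guessing), together with the STIX indicator loading mentioned for IRES in the paragraph before, as an added Python example that is not PacketSled code and says nothing about how the product implements them. It parses constructed connection-log lines in a made-up `ts src -> dst:port proto key=value` format, pulls IPv4 literals out of simple STIX 2 `ipv4-addr:value` comparison patterns, counts SMB auth failures per source/destination pair in a sliding window, and returns the conversations that deserve a packet capture with the reason. The log format, the sample addresses and the indicator patterns are all assumptions constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample connection-log lines (made-up format, not real sensor output).
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:02Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:03Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:04Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:05Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:06Z 10.0.0.5 -> 10.0.0.20:445 smb auth=fail
2024-03-01T10:00:07Z 10.0.0.7 -> 10.0.0.20:445 smb auth=ok
2024-03-01T10:00:30Z 10.0.0.9 -> 203.0.113.50:443 tls sni=example.invalid
2024-03-01T10:20:30Z 10.0.0.9 -> 203.0.113.50:443 tls sni=example.invalid
2024-03-01T11:00:00Z 10.0.0.7 -> 10.0.0.20:445 smb auth=fail
"""

# Constructed STIX 2 indicator patterns; a real feed would supply the operator's own.
SAMPLE_STIX_PATTERNS = [
    "[ipv4-addr:value = '203.0.113.50']",
    "[ipv4-addr:value = '198.51.100.7']",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:\s]+):(?P<port>\d+) (?P<proto>\S+)(?P<attrs>.*)$"
)
STIX_IPV4_RE = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")


def parse_log(text):
    """Turn the constructed log format into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        attrs = dict(kv.split("=", 1) for kv in m.group("attrs").split())
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "attrs": attrs,
        })
    return events


def parse_stix_ipv4_indicators(patterns):
    """Extract IPv4 literals from simple single-comparison STIX patterns (no boolean operators)."""
    iocs = set()
    for pattern in patterns:
        iocs.update(STIX_IPV4_RE.findall(pattern))
    return iocs


def ioc_matches(events, iocs):
    """Events whose source or destination address is a known indicator."""
    return [e for e in events if e["src"] in iocs or e["dst"] in iocs]


def smb_auth_failure_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed SMB (tcp/445) authentications per (src, dst) pair."""
    per_pair = defaultdict(list)
    for e in events:
        if e["proto"] == "smb" and e["port"] == 445 and e["attrs"].get("auth") == "fail":
            per_pair[(e["src"], e["dst"])].append(e["ts"])
    bursts = []
    for (src, dst), stamps in per_pair.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"src": src, "dst": dst, "first": stamps[start], "count": end - start + 1})
                break  # one trigger per pair is enough to start a capture
    return bursts


def capture_triggers(log_text, stix_patterns, threshold=5, window=timedelta(seconds=60)):
    """Decide which conversations warrant a targeted packet capture, and why."""
    events = parse_log(log_text)
    iocs = parse_stix_ipv4_indicators(stix_patterns)
    triggers = {}
    for e in ioc_matches(events, iocs):
        key = (e["src"], e["dst"])
        triggers.setdefault(key, {"src": e["src"], "dst": e["dst"], "reasons": set()})
        triggers[key]["reasons"].add("ioc")
    for b in smb_auth_failure_bursts(events, threshold, window):
        key = (b["src"], b["dst"])
        triggers.setdefault(key, {"src": b["src"], "dst": b["dst"], "reasons": set()})
        triggers[key]["reasons"].add(f"smb-auth-failures:{b['count']}/{int(window.total_seconds())}s")
    # Sorted output keeps the result stable for comparison and case notes.
    return sorted(
        ({**t, "reasons": sorted(t["reasons"])} for t in triggers.values()),
        key=lambda t: (t["src"], t["dst"]),
    )


if __name__ == "__main__":
    for trigger in capture_triggers(SAMPLE_LOG, SAMPLE_STIX_PATTERNS):
        print(f"capture {trigger['src']} <-> {trigger['dst']}: {', '.join(trigger['reasons'])}")
```

On the constructed input this yields two capture decisions: 10.0.0.5 talking to 10.0.0.20 because of five SMB authentication failures inside the 60-second window, and 10.0.0.9 talking to 203.0.113.50 because the destination is a listed indicator. The single late failure from 10.0.0.7 stays below threshold, which is the point of the sliding window: a normal mistyped password should not start a capture. A real deployment would replace the constructed parser with the sensor's own event export and hand the returned pairs to whatever capture filter the sensor accepts.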