Network packet captures contain the hard evidence you need when performing Digital Forensics and Incident Response (DFIR). They are especially powerful when combined with an intrusion detection system (IDS) such as Suricata, which can read a capture file and process it as if it were live traffic.
Suspicious network activity is often identified using “threat signatures”: predefined rules that generate an alert when traffic matches them. A collection of such rules is known as a “ruleset”. Each alert records the source and destination IP addresses and ports, the protocol, a timestamp, and the ID and name of the signature that triggered it.
“There’s no magic to Suricata and other forensic tools on their own - having a great visualization that lets us pivot from an alert to the PCAPs was a critical point for us.” - Jeremy Brown, Trinity Cyber
On their own, these alerts are hard to visualize. CloudShark uses a “ladder diagram” view that adds context to each alert: the endpoints that sent and received the traffic, and the direction it flowed.
This is a good starting point for many investigations. Each alert in the view can be expanded to show its details, with easy access to any further information. The real power, however, comes from the ability to pivot directly to the recorded network data associated with the alert.
In a traditional security analysis workflow, analysts often have to correlate alerts with packet data by hand, which is time-consuming and error-prone. In CloudShark, you can jump to the exact packet that triggered the alert, or to the entire conversation it belongs to by clicking “follow stream” and then “show only this stream”. However you choose to start looking, being able to switch freely between the alert view and the packet view, and to pivot directly to the packets, provides several benefits:
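The two pivots described above (to the triggering packet, and to the whole stream) can be reproduced outside any GUI from the alert fields Suricata writes to eve.json. The following is an added example, not CloudShark's or Suricata's own code. It assumes a set of constructed eve.json lines and a constructed per-packet summary of the same capture (the kind of table tshark prints with -T fields); the addresses, flow IDs and local-range signature IDs are made up for the example, and the helper names (parse_alerts, stream_packets, display_filter, bpf_filter) are this example's own. It also shows the manual correlation the paragraph warns about: the stream must be matched in both directions, and alerts on protocols without ports (ICMP) have to be handled separately.

```python
"""Pivot from a Suricata EVE alert to the packet, and the stream, it fired on."""
import json
from ipaddress import ip_address

# Constructed eve.json lines in the shape Suricata writes when run against a
# capture (suricata -r capture.pcap -l out/ writes out/eve.json). Hosts, flow
# IDs and SIDs are invented for this example, not output from a real capture.
EVE_LINES = [
    '{"timestamp":"2024-05-01T10:15:30.123456+0000","flow_id":1001,'
    '"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,'
    '"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP"}',
    '{"timestamp":"2024-05-01T10:15:31.654321+0000","flow_id":1002,"pcap_cnt":4,'
    '"event_type":"alert","src_ip":"10.0.0.5","src_port":51240,'
    '"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000001,"rev":1,'
    '"signature":"LOCAL example HTTP signature","category":"Misc activity","severity":2}}',
    '{"timestamp":"2024-05-01T10:15:32.000000+0000","flow_id":1003,"pcap_cnt":6,'
    '"event_type":"alert","src_ip":"198.51.100.7","src_port":53,'
    '"dest_ip":"10.0.0.5","dest_port":40001,"proto":"UDP",'
    '"alert":{"action":"allowed","gid":1,"signature_id":1000002,"rev":1,'
    '"signature":"LOCAL example DNS signature","category":"Misc activity","severity":3}}',
]

# Constructed per-packet summary of the same capture, one row per frame, in the
# order the packets appear in the file (frame 3 belongs to a different flow).
PACKETS = [
    {"frame": 1, "src_ip": "10.0.0.5", "src_port": 51240, "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP"},
    {"frame": 2, "src_ip": "203.0.113.10", "src_port": 80, "dest_ip": "10.0.0.5", "dest_port": 51240, "proto": "TCP"},
    {"frame": 3, "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP"},
    {"frame": 4, "src_ip": "10.0.0.5", "src_port": 51240, "dest_ip": "203.0.113.10", "dest_port": 80, "proto": "TCP"},
    {"frame": 5, "src_ip": "203.0.113.10", "src_port": 80, "dest_ip": "10.0.0.5", "dest_port": 51240, "proto": "TCP"},
    {"frame": 6, "src_ip": "198.51.100.7", "src_port": 53, "dest_ip": "10.0.0.5", "dest_port": 40001, "proto": "UDP"},
]


def parse_alerts(lines):
    """Keep only alert events, reduced to the fields an analyst pivots on."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        alerts.append({
            "timestamp": ev["timestamp"],
            "flow_id": ev["flow_id"],
            "pcap_cnt": ev.get("pcap_cnt"),      # only present when reading a file
            "src_ip": ev["src_ip"], "src_port": ev.get("src_port"),   # no ports for ICMP
            "dest_ip": ev["dest_ip"], "dest_port": ev.get("dest_port"),
            "proto": ev["proto"],
            "sid": ev["alert"]["signature_id"],
            "signature": ev["alert"]["signature"],
            "severity": ev["alert"]["severity"],
        })
    return alerts


def flow_key(ev):
    """Direction-agnostic 5-tuple, so both halves of a conversation match."""
    ends = sorted([(ev["src_ip"], ev["src_port"]), (ev["dest_ip"], ev["dest_port"])])
    return (ev["proto"].upper(), ends[0], ends[1])


def triggering_packet(alert, packets):
    """'Go to the packet': pcap_cnt is the 1-based packet index in the file,
    which is the same numbering Wireshark shows as frame.number."""
    if alert["pcap_cnt"] is None:
        return None
    return next((p for p in packets if p["frame"] == alert["pcap_cnt"]), None)


def stream_packets(alert, packets):
    """'Show only this stream': every packet sharing the alert's flow, either way."""
    key = flow_key(alert)
    return [p for p in packets if flow_key(p) == key]


def display_filter(alert):
    """Equivalent Wireshark display filter (ip.addr only matches IPv4)."""
    addr = "ipv6.addr" if ip_address(alert["src_ip"]).version == 6 else "ip.addr"
    parts = [f'{addr}=={alert["src_ip"]}', f'{addr}=={alert["dest_ip"]}']
    if alert["src_port"] is not None:
        proto = alert["proto"].lower()
        parts += [f'{proto}.port=={alert["src_port"]}', f'{proto}.port=={alert["dest_port"]}']
    return " && ".join(parts)


def bpf_filter(alert):
    """Equivalent BPF for tcpdump -r capture.pcap '<filter>'."""
    parts = [alert["proto"].lower(), f'host {alert["src_ip"]}', f'host {alert["dest_ip"]}']
    if alert["src_port"] is not None:
        parts += [f'port {alert["src_port"]}', f'port {alert["dest_port"]}']
    return " and ".join(parts)


if __name__ == "__main__":
    for alert in parse_alerts(EVE_LINES):
        print(f'[{alert["timestamp"]}] sid:{alert["sid"]} {alert["signature"]} '
              f'{alert["src_ip"]}:{alert["src_port"]} -> {alert["dest_ip"]}:{alert["dest_port"]}')
        hit = triggering_packet(alert, PACKETS)
        print("  triggering frame:", hit["frame"] if hit else "unknown")
        print("  stream frames:   ", [p["frame"] for p in stream_packets(alert, PACKETS)])
        print("  display filter:  ", display_filter(alert))
        print("  tcpdump filter:  ", bpf_filter(alert))
```

Matching on the sorted endpoint pair is what makes the stream pivot correct: filtering on src_ip/src_port alone would drop every reply packet. The generated display filter is the same expression a "show only this stream" action applies, so it can be pasted into Wireshark or passed to tshark -r capture.pcap -Y when CloudShark is not at hand.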
As cyber threats grow in complexity, including packet captures in your DFIR strategy becomes increasingly important for maintaining a strong security posture and ensuring a swift, effective response to potential threats. They add a vital layer of granularity and depth to security investigations, giving analysts a comprehensive understanding of the events that led to an incident and enabling them to identify root causes accurately and develop targeted mitigations.
You can read more about how to use CloudShark in your overall incident response in these articles: