The CyberSift Packet Capture Parser — Threat Intelligence

David Vassallo, published in CyberSift
3 min read · Aug 22, 2018

This article is part of a series on the CyberSift Packet Capture Parser

Once a packet capture is uploaded to the system, it is submitted to a first-come, first-served queue to await processing. This may take a while, so check back often and reload the page or click on “refresh status”. Once the packet capture has been processed, the status changes to “File analysis complete, you can now load the results” and the “Load Results” button becomes available.

The dashboard view that loads is the “Packet Capture Descriptive Analysis”. As the name implies, this view contains information that summarizes and describes the content of the uploaded packet capture and contains four sections:

  • Threat Intelligence
  • Bandwidth Per TCP Connection
  • Bandwidth Per ASN
  • Detected DNS Queries

In this article we’ll explore “Threat Intelligence”.

Threat Intelligence

Threat Intelligence screenshot

Threat Intelligence is a module of the system with a simple job: to check every IP address seen in the packet capture against popular threat intelligence providers such as AlienVault OTX, ThreatCrowd and FireHOL (among many others). These providers keep records of IP addresses that have misbehaved in the past, for example by scanning hosts, acting as C&C servers, or being involved in spam.

The module displays the results as a tree diagram grouped by threat intelligence provider. The tree is interactive: each node can be expanded or collapsed. For example, in the screenshot above, three IP addresses in my packet capture have been flagged:

  • 204.79.197.200 — flagged by threatcrowd
  • 69.172.216.55 — flagged by threatcrowd
  • 192.168.1.173 — flagged by firehol

The last entry is a private (RFC 1918) address, so it cannot be the internet-facing host a blocklist is describing and is obviously a false positive (some of FireHOL’s aggregated lists deliberately include bogon and private ranges, which is useful at an internet border but meaningless inside a LAN capture). This brings us to an important point: threat intelligence is a very good tool to have in your arsenal, but always double check the results by cross-referencing your sources. That is why clicking on a node representing an IP address takes you to IBM X-Force, yet another threat intelligence provider, and one of the best out there.
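The following is an added example, not code from the CyberSift parser, showing the three steps the tree view above performs: look each captured IP up against several providers, group the hits by provider, and then cross-reference them. It also handles the false-positive case just discussed by setting aside hits on non-routable addresses. The per-IP lookups against ThreatCrowd and OTX are replaced by constructed result sets (their real APIs are not called), and the FireHOL sample is in the netset format those lists use (one IP or CIDR per line, `#` comments) but its entries are made up for this example; the function and variable names are likewise this example’s own.

```python
"""Added example (not the CyberSift parser's own code): group threat-intel
hits by provider as the article's tree view does, set aside hits on
non-routable addresses, and count how many providers agree on each IP.
Provider results and the FireHOL-style netset below are constructed."""
import ipaddress
from collections import defaultdict

# Constructed FireHOL-style netset (one IP/CIDR per line, '#' comments).
# The private ranges mirror the bogon-style entries found in aggregated
# lists; the /24 is a stand-in, not a claim about any real list.
FIREHOL_NETSET = """\
# constructed netset, not a real FireHOL list
10.0.0.0/8        # private space (bogon-style entry)
192.168.0.0/16    # private space (bogon-style entry)
69.172.216.0/24   # constructed entry around the article's example IP
"""

# Constructed per-provider lookup results (the real APIs are not called).
PROVIDER_HITS = {
    "threatcrowd": {"204.79.197.200", "69.172.216.55"},
    "otx": {"69.172.216.55"},
}

# Constructed list of the IPs "seen in the capture" (the article's three).
SAMPLE_CAPTURE_IPS = ["204.79.197.200", "69.172.216.55", "192.168.1.173"]


def parse_netset(text):
    """Parse netset text into ip_network objects, ignoring comments/blanks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_routable(ip):
    """True for globally routable addresses. Private, loopback, link-local
    and reserved space (the article's 192.168.1.173 case) return False."""
    return ipaddress.ip_address(ip).is_global


def lookup(ip, firehol_nets, provider_hits):
    """Return the sorted list of providers that flag this IP."""
    addr = ipaddress.ip_address(ip)
    hits = [name for name, flagged in provider_hits.items() if ip in flagged]
    if any(addr in net for net in firehol_nets):
        hits.append("firehol")
    return sorted(hits)


def build_tree(capture_ips, firehol_nets, provider_hits):
    """Provider -> sorted flagged IPs (routable only), plus the hits that
    were set aside because the address is not globally routable."""
    tree = defaultdict(set)
    dropped = []
    for ip in capture_ips:
        hits = lookup(ip, firehol_nets, provider_hits)
        if not hits:
            continue
        if not is_routable(ip):
            dropped.append((ip, hits))
            continue
        for provider in hits:
            tree[provider].add(ip)
    return {p: sorted(ips) for p, ips in tree.items()}, dropped


def cross_reference(tree):
    """How many providers flag each IP. A single-source hit is a prompt to
    check another source (the article uses X-Force) before acting on it."""
    counts = defaultdict(int)
    for ips in tree.values():
        for ip in ips:
            counts[ip] += 1
    return dict(counts)


def analyse(capture_ips, netset_text=FIREHOL_NETSET, provider_hits=PROVIDER_HITS):
    """Run the whole pipeline; returns (tree, dropped, agreement counts)."""
    tree, dropped = build_tree(capture_ips, parse_netset(netset_text), provider_hits)
    return tree, dropped, cross_reference(tree)


if __name__ == "__main__":
    tree, dropped, counts = analyse(SAMPLE_CAPTURE_IPS)
    for provider, ips in tree.items():
        print(provider)
        for ip in ips:
            print(f"  {ip}  (flagged by {counts[ip]} provider(s))")
    for ip, hits in dropped:
        print(f"set aside non-routable {ip}, flagged by {', '.join(hits)}")
```

With the constructed inputs, 192.168.1.173 is flagged by the FireHOL sample but set aside because it is not globally routable, while 69.172.216.55 is flagged by three sources and 204.79.197.200 by one, which is exactly the kind of single-source hit worth confirming elsewhere before treating it as a threat.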

Let’s see what clicking on 69.172.216.55 gives us:

XForce Entry for 69.172.216.55

X-Force tells us that this IP address is actually part of an advertising network and was involved in scanning activity in the past, which is probably why ThreatCrowd flagged it in the first place. At present, however, the address appears well-behaved and carries a low risk rating (the green light in the screenshot). So it is very probably not a threat right now, but it is worth keeping an eye on.

This exposes a weakness of any signature-based system: indicators such as IP addresses and domains change hands and go stale very quickly, and it takes providers time to react. That is why the system also includes statistical anomaly analysis, which we’ll discuss in another article.

Make sure to check out the rest of the articles in this series!
