Why You Need PCAP and Forensics in the Cloud

Packet capture plays a vital role in forensic investigation, incident response, and threat hunting, but it hasn't always translated easily to security use cases in cloud environments. Historically, collecting and analyzing packets in cloud environments was a complex, time-consuming, manual process that often involved using multiple tools.

To avoid those issues, cloud-focused security teams often rely on logs. However, it's impossible to log everything in cloud environments, which limits the amount of information incident responders and threat hunters can use to conduct deeper investigations. Limited information leads to limited insights and less context, but ExtraHop is making packet capture (PCAP) in cloud environments possible without the complexity and friction of limited data sources and multiple tools.

Reveal(x) 360 Ultra cloud sensors with continuous PCAP unlock network forensics in AWS environments with streamlined and guided investigation for always-on incident response and threat hunting. By capturing every packet, Reveal(x) 360 Ultra cloud sensors provide unprecedented visibility, definitive insights, and immediate answers, reducing the amount of time and effort previously required to perform packet-level analysis. Cloud-focused security teams now have the forensic detail they need to reduce mean time to respond (MTTR) or to fulfill chain-of-custody requirements.

Available in 1 Gbps and 10 Gbps sensors, Reveal(x) 360 Ultra cloud sensors enable SOC analysts and incident responders to view metrics and packets from a single management interface, securely accessible from anywhere. With detections, transaction records, and packets all indexed and searchable, analysts can also expedite speed to resolution. ExtraHop continuous packet capture appliances write natively to an Amazon Elastic Block Store (EBS) volume. Organizations that want to save important flows can query the REST API for the related packets, download them, and save them to a local file store or a cloud store like S3 for archival purposes.

Forensic investigation is more critical than ever as organizations navigate the landscape of a post-compromise world. Attacks evolve daily, and threat detection is becoming increasingly challenging, making better detection and response capabilities critical. The new realities of cloud and hybrid security also show the value of always-on incident response compared to IR that's focused on specific security events.

For attacks like SUNBURST, which didn't cause detections to fire, only continuous PCAP enables analysts to go back in time and inspect packets for proper forensics. Line-rate decryption and analysis via cloud-hosted machine learning ensure that analysts also have an accurate understanding of what's happening in their AWS environment.

To experience Reveal(x) 360 for yourself, start the live online demo. You can choose a scenario to stop a SUNBURST attack, find threats in a real cloud environment, or investigate a simulated attack unfolding in real time. You can also choose to explore the demo on your own.