Case Studies

Senior Certified SANS Instructor Paul Henry Uses CloudShark to Enhance Network Security Courses

3 min read

We got a chance to sit down with one of CloudShark’s most engaging customers, Fox-IT, who sit on the front lines of the exciting Cybersecurity world. Here’s what they had to say about using CloudShark!

 fox it

The Challenge: Using Valuable Packet Capture Data in Cybersecurity Services

Fox-IT is an active team of hackers, programmers, and cybersecurity experts that provides innovative solutions for government, defense, law enforcement, critical infrastructure, banking, and commercial enterprise clients worldwide. Its services range from digital investigation and incident response services, high-end security products, and network monitoring solutions including their DetACT, InTELL, and ProACT services.

It is in this world of network monitoring for cybersecurity with ProACT Security Monitoring that Fox-IT uses packet capture analysis as a critical tool in the fight against intrusion and cyber crime.

“With ProtACT we monitor customer networks with our own detection rules,” said Yonathan Klijnsma, Security Specialist at Fox-IT. “Developing and testing these rules was done by uploading PCAPs to a test machine and running them on that same machine. When developing rules for a specific attack or malware communication protocol, we’d need to ask colleagues what each capture was if you couldn’t find the proper one”

The Solution: The CloudShark Capture Management System

“We have built a large collection of PCAPs which was becoming so big it would be impossible to maintain without a structured database,” said Yonathan. “That’s when we found CloudShark. CloudShark for us means we have a tagged, indexed, and structured PCAP repository we can use to automatically test our rules as well as write new rules.”

“We’ve now integrated CloudShark with our own systems, which communicate with the repository for PCAP data,” said Yonathan. “When developing rules, for example, we give the CloudShark ID (CID) and we write our rule. The system communicates with our CloudShark appliance to replay the PCAP data against the rule to see whether or not it works. This is combined with a system that automatically creates unit tests – a combination of a rule ID and CID – which are then tested to see if a rule is still detected with a specific configuration.”

Working With Captures Has Never Been Easier

“The results are dramatic,” said Yonathan. “Working with PCAPs by hand proved to be a slow process, as not all of the captures were properly archived to re-use and re-test. Now, we tag and comment on PCAPs so we can refer to them at a later time. The indexed repository has been the biggest benefit for us, allowing both our team and our automated systems to make use of packet capture data easily and more efficiently than ever before. Collaborative analysis has changed the way we do things.”