Most threat actors use Living Off the Land tactics, techniques, and procedures (TTPs) to masquerade as authorized users or legitimate tools, allowing them to carry out malicious cyberattacks that traditional defenses (e.g., EDR) can't see.

PacketWatch identifies when these users or tools behave differently or communicate with devices in an atypical manner. That suspicious activity becomes a "hunt lead" that will require further investigation.

When malware communicates with Command & Control (C2) servers, the data travels over the network. For devices that are not running EDR, this activity could go undetected.

PacketWatch watches the packets on your network and recognizes protocol anomalies, beaconing behaviors, DNS queries, unusual outbound connections, and data exfiltration. These activities typically indicate external communications with C2 servers and become a "hunt lead" requiring further analysis and DNS reputation testing.

Detecting intentional and unintentional actions by authorized users is challenging with conventional host-based detection tools. While some behavioral activities might be spotted on the endpoint, understanding the user's complete sequence of events is essential to determine whether the activity is normal, accidental, or malicious.

The PacketWatch platform helps threat hunters investigate and document a user's endpoint and network activities. With CrowdStrike Falcon API integration, the known endpoint telemetry is available natively in the PacketWatch portal. Combining this data with the user’s network activities will show the various systems that the user accessed during and outside normal working hours.

During the investigation, the threat hunter can create nested rules to filter network and system activities, providing visibility into the specific time, data volume exfiltrated, and other activities executed.

PacketWatch's full packet capture features allow the threat hunter to rewind, replay, and export the user’s activities to PCAP files as admissible forensic evidence.

Internet of Things (IoT), Operational Technology (OT), and legacy systems (like Windows 98, Windows NT, etc.) have one thing in common. None of them can run commercially available endpoint detection and response (EDR) applications. This lack of security, visibility, and management makes these devices vulnerable to cyber campaigns.

Fortunately, PacketWatch regularly scans the network and subnets for these devices, then monitors and captures their related packet-level network activity. This provides threat hunters with complete visibility of all devices, whether they are running EDR or not.

If any device changes its typical behavior—such as communicating with new devices inside or outside the firewall, using new protocols or ports, or performing abnormal tasks—PacketWatch will create a "hunt lead" for further investigation.

For organizations that rely solely on EDR to protect their environment and devices, adding PacketWatch eliminates this gap in their cybersecurity strategy.

Threat actors are utilizing legitimate tools, common protocols, and standard ports to blend in and evade endpoint detection alerts. These techniques may fool many conventional cybersecurity defenses, but PacketWatch analyzes the network traffic looking for specific and malicious packet-level anomalies.

These anomalies then become high-fidelity “hunting leads” that analysts can investigate to determine the activity’s context, intent, and subsequent actions. Analysts can immediately contain any malicious activity.

Specific to data exfiltration, the PacketWatch platform is looking for the North-South movement of large amounts of data, particularly from machines that don’t typically send many or large files externally. The platform can also identify risky destinations either through integrated threat intelligence or by leveraging our integration with Validin for context-rich DNS data.

Everyone follows your cyber policies, right? How would you know if they weren't? The PacketWatch platform provides a unique vantage point that shows you exactly what people are doing and who is not complying. We see everything that happens on your network. Whether you have selected NIST CSF, HIPAA, CMMC, PCI DSS, ISO 27001, SOC 2, GDPR, or NERC-CIP, all have requirements that we can see and verify.

Your policy may restrict the use of certain applications, such as WhatsApp or other communication tools and instant messengers. PacketWatch can monitor all users sending and receiving data from those SaaS domains. Simply create a rule or combine several queries to filter your results, and your "hunting leads" or report will be generated automatically. Other applications that may have similar restrictions include large language models or Generative AI. PacketWatch can identify who is using these SaaS applications and how much data they are transmitting. More importantly, PacketWatch can prove that you are fully compliant and that no one is using these SaaS tools.

Another example of what PacketWatch can see is clear text transmissions. HIPAA and PCI DSS require that PHI/PII and credit card numbers be encrypted during transmission. PacketWatch can either identify when this data isn’t encrypted or confirm that all transmissions are compliant.

Every other week, the PacketWatch Threat Intelligence team publishes a Cyber Threat Intelligence report. Our analysts review this report with their managed clients. The report highlights what we are seeing in the wild and provides important information on how to protect your environment from falling victim to the latest Zero-Day cyber campaigns. Sometimes there are patches available; other times, they haven’t been released yet.

Even if a patch isn't available, the Common Vulnerabilities and Exposures (CVE) documentation details many of the tactics, techniques, and procedures that threat actors are using to exploit environments. While you're waiting for a patch, the PacketWatch platform helps you hunt for evidence of a Zero-Day attack in your environment, so you can quickly contain the threat before it causes any damage.

The platform also helps identify when available patches haven't been installed.

Cloud environments are everywhere. Although mainly virtual, they face many of the same security challenges as physical environments. This includes protecting servers, networks, storage, data, and users from threat hunters trying to exploit all of them.

PacketWatch virtual sensors capture packets from your software-defined networks, much like our traditional collectors operate in a physical network. However, for threat hunters, there is more freedom to hunt across cloud platforms like virtual private containers on AWS, Azure, and other public clouds.

Threat hunters using PacketWatch in a cloud environment focus on the same key areas—data crossing boundaries, malicious activities, user security and compliance, and connections to external locations. For the virtual server side of the cloud, we integrate with CrowdStrike Cloud Security Posture Management to collect telemetry and provide a unified threat hunting interface.

Most segmented networks are poorly documented. They never seem to be configured as or work as people imagine they do. Network discovery helps threat hunters determine:

• How the subnets are configured?
• Which assets are on each subnet?
• Which assets and subnets are talking to each other?

PacketWatch passively collects, organizes, and displays all this network data without needing pings or causing performance issues. Seeing the network map visually helps threat hunters understand when boundaries are being crossed and where security needs to be strengthened.

Our emphasis on developing tools to track East-West lateral movement across networks stems from years of investigating complex incidents and cybersecurity breaches.

Hunting for the secondary and tertiary stages of an attack is crucial to ensuring all malicious code is contained and eradicated from an environment. This is not a typical feature of endpoint detection and response (EDR) software.

The ability to inspect Patient Zero (the initial point of compromise) and investigate every other asset they communicated with after a breach is a PacketWatch full packet capture superpower.