Blog | Presentation
Investigating Cybersecurity Incidents using Full Packet Capture
Cybersecurity Incident Response requires technical expertise, the right tools, and a trained investigative eye. On Monday, January 6th, Michael McAndrews, our Vice President of Network Security Services and former FBI Special Agent, walked the audience at the Southwest CyberSec Forum through the process we used to investigate and resolve a recent international cybersecurity incident.
The PacketWatch incident response team used a combination of full packet capture, forensic collection tools, and CrowdStrike Falcon EDR technologies to identify abnormal host activity and malicious network traffic. Analyzing packet-level data over time helps uncover anomalous activity that is often missed by traditional toolsets. This PacketWatch case study described the plan we executed, highlighting the need for advanced incident response tools to mitigate and eradicate the malicious activity.
There was a strong turnout for the CrowdStrike-sponsored event held at the University of Advanced Technology (UAT) theater in Tempe. One of the attendees shared his thoughts after seeing Michael’s presentation:
“Michael’s story was fascinating. It really hits home when you see shades of your own organization in security incidents like the one he described. Most IT departments would have to deploy an assortment of tools to gather the kind of granular information collected by PacketWatch. This case study showed how having access to both historical and active network data in a single platform enabled responders to achieve successful mitigation quickly. Without the visual analysis of network patterns provided by PacketWatch, doing this level of investigation would be daunting.”
You can watch Michael’s presentation “The Need for Advanced Incident Response Tools and Capabilities” on the Southwest CyberSec Forum YouTube page (43 min).