This video is part of the appearance, “cPacket Presents at Security Field Day 13”. It was recorded as part of Security Field Day 13 at 9:00-10:30 on May 29, 2025.
cPacket enables deterministic incident detection by inspecting every byte in every packet at line rate, delivering real-time visibility into threats like DNS beaconing, volumetric DDoS, and C2 channels. With high-speed, packet-level analytics across hybrid cloud and enterprise networks, security teams gain definitive, actionable insights to accelerate threat detection, incident response, and breach prevention.
cPacket’s approach to incident detection is “deterministic,” meaning it relies on clear, definable thresholds. For threats like DNS beaconing, cPacket’s smart port technology, leveraging FPGAs and ASICs, can inspect every byte in every packet at line rate to perform string matching. This allows for immediate detection of specific domain requests, such as those associated with supply chain attacks, providing a definitive “yes or no” answer regarding infection status.
For volumetric DDoS attacks, cPacket’s ability to count every packet in real-time allows for rapid detection of anomalies, such as an unusually high ratio of SYN packets to SYN/ACK packets (SYN flood) or excessive DNS responses without corresponding requests (DNS amplification). These detections are measured in seconds, providing much faster and more accurate alerts than traditional methods like NetFlow. While cPacket focuses on detection rather than mitigation, these real-time alerts can be used to initiate on-demand mitigation strategies with ISPs or scrubbing centers, particularly crucial for financial services firms that prioritize low latency.
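The two counting checks described above (SYN versus SYN/ACK ratio, and DNS responses with no matching request), as an added example that is not cPacket's code or taken from the presentation. The thresholds, record fields, addresses, and sample traffic are constructed assumptions.

```python
from collections import Counter

# Assumed thresholds (not from the page); set them from the network's own baseline.
WINDOW = 1               # seconds per counting window
SYN_RATIO_LIMIT = 3.0    # SYNs per SYN/ACK
MIN_SYNS = 20            # ignore windows with too few SYNs to judge
UNSOLICITED_LIMIT = 5    # DNS responses with no matching request

def detect(packets):
    """Return sorted (window_start, alert) tuples from per-packet summaries."""
    syn, synack, unsolicited = Counter(), Counter(), Counter()
    pending = set()  # (client, txid) of DNS requests not yet answered
    for p in sorted(packets, key=lambda p: p["ts"]):
        w = int(p["ts"] // WINDOW) * WINDOW
        if p["kind"] == "tcp":
            if p["flags"] == "S":
                syn[w] += 1
            elif p["flags"] == "SA":
                synack[w] += 1
        elif p["qr"] == "query":
            pending.add((p["client"], p["txid"]))
        elif (p["client"], p["txid"]) in pending:
            pending.discard((p["client"], p["txid"]))
        else:
            unsolicited[w] += 1  # response nobody asked for
    alerts = []
    for w, n in syn.items():
        # max(..., 1) keeps the ratio defined when no SYN is answered at all
        if n >= MIN_SYNS and n / max(synack[w], 1) > SYN_RATIO_LIMIT:
            alerts.append((w, "syn_flood"))
    alerts += [(w, "dns_amplification")
               for w, n in unsolicited.items() if n > UNSOLICITED_LIMIT]
    return sorted(alerts)

def sample_packets():
    """Constructed traffic: second 0 normal, 1 SYN-heavy, 2 unsolicited DNS."""
    pkts = []
    for i in range(3):
        dns = {"kind": "dns", "client": "10.0.0.5", "txid": i}
        pkts.append({"ts": 0.1 * i, "kind": "tcp", "flags": "S"})
        pkts.append({"ts": 0.1 * i + 0.05, "kind": "tcp", "flags": "SA"})
        pkts.append({**dns, "ts": 0.2 + 0.1 * i, "qr": "query"})
        pkts.append({**dns, "ts": 0.25 + 0.1 * i, "qr": "response"})
    pkts += [{"ts": 1 + i / 100, "kind": "tcp", "flags": "S"} for i in range(40)]
    pkts += [{"ts": 1.5, "kind": "tcp", "flags": "SA"}] * 2
    pkts += [{"ts": 2 + i / 100, "kind": "dns", "qr": "response",
              "client": "10.0.0.9", "txid": 7000 + i} for i in range(10)]
    return pkts

if __name__ == "__main__":
    for window, alert in detect(sample_packets()):
        print(f"t={window}s {alert}")
```

A long-running counter would also need to expire unanswered entries from `pending` so the set stays bounded.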
Furthermore, cPacket’s packet capture solutions can identify long-duration, low-traffic sessions, which are characteristic of command and control (C2) channels. By tracking millions of open TCP sessions, even those with minimal data transfer, cPacket can alert security teams to sessions that persist for days or weeks, indicating potential compromise. While this specific capability primarily applies to TCP sessions, the overall approach of leveraging high-speed, pervasive network observability to detect clear deviations from normal behavior offers invaluable, actionable insights for security teams, complementing existing security tools by providing definitive, packet-level evidence of threats.
Personnel: Andy Barnes, Ron Nevo