Since our inception, we have recognized the need for a global inventory of the Internet's traffic to enrich network forensics. The basic need was to understand what it meant when we saw communications to a distant IP address, and to answer questions such as: Who owns the IP? Where is it located and how is it routed? What websites are hosted on that IP? Who owns each of them, and do they have a history of malicious activity? Who can I call to report abuse?
The result of those efforts is TraceCop, which is the largest reputation-based threat intelligence cloud in existence and is used to inform our Shield SaaS solution on whether a communication is benign or should be killed.
TraceCop is key to the success of Shield because it is the collated base of reputation, trust, ownership, history, and attribution for the entire Internet.
It is so unique and complete that our customers often sole-source their requests for TraceCop subscriptions, since no competitor offers a comprehensive historical database that can be deployed on premise. History is the key to understanding hidden ownership and associations today. Competing products focus on current datasets and lack the historical depth that TraceCop has collected. Malicious actors change ownership, hosting, and associations precisely to break the links an investigator relies on; TraceCop retains those earlier states, so cyber forensic analysts and threat hunters can follow an actor's patterns and techniques across the changes.
TraceCop contains an inventory of network selectors and enrichments that support forensic investigations. The data includes a history of IP (IPv4 and IPv6) block allocations and transfers, historical mappings of IP addresses to Autonomous Systems (ASNs) as observed through BGP, and approximately one billion historically registered domain names together with their registration context. TraceCop also holds tens of billions of historic DNS resolutions of fully qualified domain names (FQDNs, or hostnames) under those domains. Together, these records show relationships, hosting, and attribution for Internet resources spanning more than two decades, and because each observation is time-bounded, an analyst can ask what an IP was hosting, which AS announced it, and what its reputation was on the date of an event rather than only today. TraceCop also maintains content surveys of hundreds of millions of web servers (for example the natural language and topic of each site) and OS and service fingerprints showing which applications run on an IP, context that lets analysts assess the usage and purpose of an Internet resource. Finally, TraceCop keeps a history of threat and reputation verdicts for each hostname and IP address over time.
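The following is an added illustration of the kind of time-bounded enrichment and pivoting the paragraph above describes (IP-to-ASN history, historical DNS resolutions, and reputation over time). It is not TraceCop's schema, API, or code; the in-memory data model, the function names, and every record in it are constructed for this example, using RFC 5737 documentation address ranges and private-use AS numbers. The pivot it demonstrates is the one an analyst uses against actors who move infrastructure: start from an IP seen in a capture, find what it was hosting on the date of the event, then follow those hostnames to every other IP they ever resolved to.

```python
"""Illustrative historical-enrichment model: time-bounded passive DNS, IP-to-ASN
history and reputation history, plus the pivots a forensic analyst runs on them.
Constructed sample data only (an assumption for this example); not TraceCop's
schema or API."""
from dataclasses import dataclass
from datetime import date
import ipaddress


@dataclass(frozen=True)
class Window:
    """Half-open validity interval [start, end) of one observation."""
    start: date
    end: date = date.max        # no end seen: observation is still current

    def contains(self, when: date) -> bool:
        return self.start <= when < self.end


@dataclass(frozen=True)
class Resolution:        # passive-DNS record: fqdn resolved to ip during window
    fqdn: str
    ip: str
    window: Window


@dataclass(frozen=True)
class AsnMapping:        # BGP-observed origin AS for a prefix during window
    prefix: str
    asn: int
    window: Window


@dataclass(frozen=True)
class Verdict:           # reputation of an ip or fqdn during window
    selector: str
    label: str           # "malicious" | "suspicious" | "benign"
    window: Window


# --- constructed sample history (RFC 5737 documentation ranges, private ASNs) ---
RESOLUTIONS = [
    Resolution("example-shop.test", "192.0.2.10",   Window(date(2021, 1, 1), date(2022, 1, 1))),
    Resolution("example-shop.test", "198.51.100.7", Window(date(2022, 1, 1))),
    Resolution("cdn-node.test",     "192.0.2.10",   Window(date(2021, 1, 1), date(2023, 6, 1))),
    Resolution("cdn-node.test",     "203.0.113.9",  Window(date(2023, 6, 1))),
    Resolution("unrelated.test",    "192.0.2.44",   Window(date(2020, 1, 1))),
]
ASN_HISTORY = [
    AsnMapping("192.0.2.0/24",    64496, Window(date(2015, 1, 1), date(2022, 6, 1))),
    AsnMapping("192.0.2.0/24",    64497, Window(date(2022, 6, 1))),   # block transferred
    AsnMapping("192.0.2.0/26",    64498, Window(date(2023, 1, 1))),   # more-specific carve-out
    AsnMapping("198.51.100.0/24", 64499, Window(date(2010, 1, 1))),
]
VERDICTS = [
    Verdict("192.0.2.10", "malicious", Window(date(2021, 3, 1), date(2021, 9, 1))),
    Verdict("192.0.2.10", "benign",    Window(date(2021, 9, 1))),
    Verdict("example-shop.test", "suspicious", Window(date(2021, 2, 1), date(2021, 10, 1))),
]


def asn_at(ip: str, when: date):
    """Origin AS of `ip` on `when`: longest matching prefix among mappings valid then."""
    addr = ipaddress.ip_address(ip)
    candidates = [m for m in ASN_HISTORY
                  if m.window.contains(when) and addr in ipaddress.ip_network(m.prefix)]
    if not candidates:
        return None
    return max(candidates, key=lambda m: ipaddress.ip_network(m.prefix).prefixlen).asn


def fqdns_on_ip(ip: str, when: date) -> set:
    """Hostnames that resolved to `ip` on `when` (what the IP was hosting at the time)."""
    return {r.fqdn for r in RESOLUTIONS if r.ip == ip and r.window.contains(when)}


def cohosted_ips(ip: str, when: date) -> dict:
    """Pivot: for each hostname on `ip` at `when`, every other IP it ever resolved to,
    so the analyst can follow infrastructure the actor moved to or came from."""
    return {
        fqdn: sorted({r.ip for r in RESOLUTIONS if r.fqdn == fqdn and r.ip != ip})
        for fqdn in fqdns_on_ip(ip, when)
    }


def reputation_history(selector: str) -> list:
    """Chronological (label, start, end) verdicts for an IP or hostname."""
    hist = sorted((v for v in VERDICTS if v.selector == selector), key=lambda v: v.window.start)
    return [(v.label, v.window.start, v.window.end) for v in hist]


def was_ever_malicious(selector: str) -> bool:
    """History-aware check: a selector that is 'benign' today may still carry a bad past."""
    return any(label == "malicious" for label, _, _ in reputation_history(selector))


if __name__ == "__main__":
    ip, when = "192.0.2.10", date(2021, 6, 1)
    print("ASN on event date:", asn_at(ip, when), " ASN today:", asn_at(ip, date(2023, 6, 1)))
    print("hosted on event date:", fqdns_on_ip(ip, when))
    print("pivot to other infrastructure:", cohosted_ips(ip, when))
    print("reputation history:", reputation_history(ip), "ever malicious:", was_ever_malicious(ip))
```

Two design points carry over to any real historical dataset. First, every observation is stored with a validity window and every lookup takes a date, because a current-only lookup would answer "who announces 192.0.2.10 now" (AS64498 via the more-specific carve-out) when the incident actually happened under AS64496. Second, the reputation check deliberately looks at the whole history rather than the latest verdict, since an IP that was cleaned up and re-labelled benign is exactly the kind of link an actor expects investigators to miss.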
INTRUSION Shield leverages the TraceCop historical database of ownership, usage relationships, and reputation to identify both known-malicious flows and flows to previously unseen resources in your network. Combined with our high-speed Savant engine, it provides real-time protection and automatically kills threats in your network.