INTRUSION TraceCop™ v 21.01
During investigations of breaches back in 1991, we discovered the need for a global inventory of the Internet to enrich network forensics. The simple need was to understand what it meant when we saw communications to a distant IP address and to answer questions such as: Who owns the IP? Where is it located and how is it routed? What websites are hosted on that IP? Who owns each and do they have a history of malicious activity? Who can I call to report abuse?
By 1996 we had compiled the beginnings of a massive inventory of Internet usage, which we announced and started shipping in June 2001 as TraceCop™. TraceCop is key to the success of Shield™, as it is a collation base for reputation, trust, ownership, history, and attribution for the entire Internet. It is so unique and complete that our government customers often sole-source their requests for TraceCop subscriptions, since there is no competition that offers a comprehensive 20-year historical database which can be deployed on premises. History is the key to understanding hidden ownership and associations today. While competing products focus on current datasets, they lack the historical depth that TraceCop has collected over the past decades. Malicious actors focus on hiding and changing ownership, history, and associations to avoid detection, but TraceCop allows cyber forensic analysts and threat hunters to follow their patterns and techniques.
INTRUSION TraceCop contains an inventory of network selectors and enrichments useful to support forensic investigations. TraceCop data contains a history of IPv4 and IPv6 block allocations and transfers, historical mappings of IP addresses to Autonomous Systems (ASNs) as observed through BGP, and approximately one billion historically registered domain names and registration context. TraceCop also contains tens of billions of historic DNS resolutions of fully qualified domain names (FQDNs, or hostnames) on each of these domains since 2002. Together, this shows relationships, hosting, and attribution for Internet resources spanning over two decades. TraceCop also contains web server content surveys, such as the natural language and topic of the content on hundreds of millions of websites and servers, and OS fingerprints of services showing applications running on an IP. This context allows analysts to assess the usage and purpose of an Internet resource. TraceCop also contains a history of threat and reputation for each hostname and IP address over time.
INTRUSION Shield™ AI leverages the massive TraceCop historical database of ownership, usage relations and reputation to identify known malicious and unknown flows in your network and, when combined with the high-speed INTRUSION Savant™ engine, allows real-time protection and automatic killing of threats in your network.