
Infocyte HUNT™






Presentation Transcript


  1. “Threat Hunting Simplified”
     Infocyte HUNT™ – The Leader in Post Breach Detection
     Shawn Reilly, Executive Director, Sales East

  2. History
     • Our founders established the US Air Force Enterprise Hunt team, later renamed the Defensive Counter-Cyber (DCC) Operations team.
     • Most attackers that breached Department of Defense security remained dormant and undiscovered for long periods of time.
     • The team developed numerous forensic analytics, techniques, and tools that enabled hunt activities at scale (800,000 nodes).
     • Many of these are now what Infocyte HUNT is today.

  3. What is Threat Hunting?
     • Defined: “The process of searching through networks to detect threats that have evaded existing security controls.”
     • Goal: reduce dwell time of attackers (catch them before they do damage).
     Reference: SANS [W5H] of Effective Threat Hunting

  4. What Threat Hunting is NOT
     • Defined: “The process of blocking malicious attacks or malware based on events, alerts and/or behaviors.”
     • EDR or EPP are necessities, and so are we!

  5. Attackers Continue to Evade Security Defenses
     • Prevention will fail -> Expand and hide -> Tough to detect
     [Chart: average time attackers dwell on networks until discovered]
     • SOCs' top challenge is detection of hidden, unknown, and emerging threats [1]
     • Threats undetected by automated security tools [1]
     [1] 2017 Threat Hunting Report, Crowd Research Partners

  6. Reducing Dwell Time is Key
     • The faster you hunt and contain breaches, the smaller the financial impact.
     • Organizations that are able to contain a breach in less than 30 days paid nearly $1 million less in total breach costs.*
     * Ponemon Institute, 2017 Cost of Data Breach Study: Global Overview

  7. Post-Breach Security Mindsets
     • Reactive: Alert -> Investigation
       – Team receives an alert on a host within the network
       – Team analyzes and investigates that host/incident
     • Proactive: Assume Breach -> Hunt
       – Hunter actively searches the network and connected systems for compromise
       – Performed on a regular basis

  8. Quote from a distinguished Cyber Security Industry Expert
     • Kai Pfiester, founder of Black Cipher – www.blackcipher.com
     • “The Compromise Assessment is the next Pen Test.”
     Here is what Jeff R. says about Kai: “Kai Pfiester is the real deal when it comes to IT security, and an expert IT diagnostician.”

  9. Threat Hunting Approaches Vary
     • Indicators of Compromise – find something missed via historical search of logs and/or alert data (historical search; alert data; event match on IOCs; difficulty: basic)
     • Behavior Analysis – identify patterns of behavior based on known attacker tactics, techniques and procedures (event data; TTP pattern match; difficulty: difficult)
     • User Behavior – find anomalies relative to baselined profiles and user behavior (AD logs; baseline deviation from normal; difficulty: experimental)
     • State Analysis – validate integrity via live forensic analysis at the point in time of the scan (forensic collection; forensic artifacts and/or malware)

  10. Where does Infocyte fit?

  11. Infocyte has a substantial role
     Attack phases: Reconnaissance -> Exploitation -> Installation -> Command & Control -> Lateral Movement -> Exfiltration -> Persist
     Defensive phases: Real-Time Prevention & Monitoring (attack in progress) -> Threat Hunting (post breach activity) -> Containment, Eradication & Recovery (incident response)
     • Endpoint Protection Platforms (EPP): block known attack entry and/or malware installation
     • Hunt Platforms (HP): detect post breach activity and persistence that has bypassed EPP and EDR solutions; identify the exact endpoints that need remediation; triage IR activity and workload
     • Incident Response Platforms (IR): breach breadth and depth identification, containment, eradication, recovery and hardening against future attacks; root cause and impact assessment via log, alert, and traffic analysis
     • Endpoint Detection and Response (EDR): detect attacks in progress based on application behavior & IOCs; collect event history for big data investigation & downstream IR
     • User Entity & Behavior Analytics (UEBA): user / device behavioral anomaly analytics

  12. This sets Infocyte HUNT apart: Forensic State Analysis
     • Memory analytics
     • Endpoint characteristics
     • Forensic analysis
     • File intelligence services
     • Reputation services
     • Data

  13. What does Infocyte look like?

  14. Asset Discovery & Scanning

  15. Endpoint Analysis Results

  16. Finding In-Memory “File-less” Implants
     • Rogue executable code found in unprotected memory space within Microsoft Explorer
     • Multiple malware engine & threat intel hits

  17. Identifying Dormant Threats (via Persistence Mechanisms)
     • A random file is referenced in a couple of Registry Run keys (it will execute every time someone logs in)
     • Analysis of the file indicates something not so good
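     As an added, defender-side illustration of the Run-key hunt described on this slide (example code written for this page, not Infocyte's own), the Python below parses a constructed `reg query` listing of Run keys and flags an image that has a random-looking name, lives outside the usual Windows/Program Files locations, and is referenced from more than one Run key. The sample output, the allow-listed prefixes and the name heuristic are all assumptions made for the example.

```python
import re
# Constructed sample in the shape of `reg query <key>` output; not real scan data.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Updater           REG_SZ           C:\Users\Public\Libraries\qx7rtz2kp.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    OneDrive          REG_SZ           "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater           REG_SZ           C:\Users\Public\Libraries\qx7rtz2kp.exe
"""
ENTRY_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")   # name, type, data (value names without spaces assumed)
EXPECTED_DIRS = ("%windir%", "c:\\windows", "c:\\program files")  # heuristic allow-list of usual Run homes
def parse_reg_query(text):
    """Return (key, value_name, data) triples; an unindented line starts a new key."""
    key, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            key = line.strip()
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append((key, m.group(1), m.group(3).strip()))
    return entries
def image_path(data):
    """Executable path from a Run value: the quoted path, or the first token of a bare one."""
    return data[1:data.find('"', 1)] if data.startswith('"') else data.split()[0]
def looks_random(name):
    """Heuristic for generated names: almost no vowels, or digits mixed into letters."""
    letters = [c for c in name if c.isalpha()]
    vowel_ratio = sum(c in "aeiouAEIOU" for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.2 or (any(c.isdigit() for c in name) and bool(letters) and len(name) >= 6)
def hunt_run_keys(text):
    """Map suspicious image path -> {"keys": [...], "reasons": [...]}; two or more reasons flag it."""
    seen = {}
    for key, _name, data in parse_reg_query(text):
        seen.setdefault(image_path(data), []).append(key)   # same image may sit in several Run keys
    findings = {}
    for path, keys in seen.items():
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]      # file name without extension
        checks = [(looks_random(stem), "random-looking file name"),
                  (not path.lower().startswith(EXPECTED_DIRS), "outside Windows/Program Files"),
                  (len(keys) > 1, f"referenced by {len(keys)} Run keys")]
        reasons = [why for hit, why in checks if hit]
        if len(reasons) >= 2:
            findings[path] = {"keys": keys, "reasons": reasons}
    return findings
```

     On the constructed sample only the `qx7rtz2kp.exe` entry is reported; the legitimate OneDrive entry sits outside the allow-listed directories but has a normal name and a single reference, so it stays below the threshold.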

  18. Reporting

  19. Attacker Movement Visualizations

  20. Infocyte HUNT Architecture
     • Infocyte Intelligence – “Lab in the Cloud”: Digital Forensic Analytic Services (executables, modules, injected memory); File Intelligence Services; Third Party Threat Intel
     • Infocyte HUNT™ Server (on-premise): API, UI, HUNT Core Service, Database
     • Workstation endpoints (on-premise)

  21. Use Cases

  22. Pure Threat Hunting
     Full Scope Hunting
     • Conduct sweeps of thousands of networked endpoints using forensic techniques to proactively discover threats
     Targeted Hunting
     • Triage security data via other analytics
     • Create a target list and scan the subset of machines having suspicious indicators

  23. Compromise or Risk Assessment
     A periodic evaluation of networked devices to detect threats that have evaded existing security controls
     • Effective at detecting the presence of malware, remote access tools, and other indications of unauthorized access
     • Fast – assess thousands of endpoints per day
     • Affordable – a typical organization should be able to conduct it proactively and regularly (i.e. quarterly)
     • Independent – the assessment does not rely on existing detection solutions already in the environment
     Why
     • Risk Management
     • Mergers & Acquisitions
     • Third Party & Vendor Risk Management
     • Security Program Validation / Audit

  24. Alert Validation
     • Infocyte HUNT provides an automated solution to help validate alerts from your SIEM, network or endpoint product
     • Performs a scan of the endpoint in question to determine if the threat is real
     • Weeds out false positives and quickly identifies which alerts to escalate
     • Reduces the time and resources needed to manually comb through volumes of false and low priority alerts
     • Allows your security team to focus on remediating real threats
     • Leverages your existing security investments

  25. • All data collected can be downloaded and/or programmed to be sent through Syslog
     • A single pane of glass with Splunk integration
     • Our entire front end is API driven, allowing you to write to our API for automation capabilities

  26. Case Study: Public Transportation Organization
     • A metropolitan mass transit agency (“Metro”) serving a major US city and surrounding municipalities.
     Challenge
     • In the face of increasing cyber risk to public infrastructure, Metro took steps to understand their current security posture and assess the need for more advanced security investments.
     Solution
     • Compromise Assessment using Infocyte HUNT™
     Results
     • Two (2) days to scan 1000 systems.
     • Despite enterprise-grade security, Metro was infected with six (6) variants of malware – some active as far back as 3 years.
     • Metro was able to quickly identify and remediate the issues before they could cause any significant damage.
     Without a compromise assessment, Metro’s security problems would have continued to go undetected and it would have been difficult to provide tangible evidence to warrant increasing their security posture.

  27. Infocyte HUNT Advantages
     FORENSIC DEPTH
     • Detects post breach activity that other hunt tools are prone to miss
     • Targeted surveying of volatile memory, forensic artifacts, and OS integrity
     • Live memory analysis, as opposed to static file export analysis
     BECOME THE HUNTER
     • Automates the threat hunting process
     • Enables your IT and security teams to hunt without specialized knowledge
     EASY TO IMPLEMENT
     • Agentless surveys are fast and lightweight
     • Full independence from existing security stack
     • Able to survey thousands of endpoints simultaneously vs. ‘single endpoint at a time’ alternatives
     FAST ROI
     • “Zero to Hero” in hours to days, not months or years
     • Forensic talent is expensive – Infocyte helps do more with less
     • Reduces dwell time to limit breach damage and costs

  28. How to invest in the solution and/or evaluate
     • Channel partner go-to-market
     • Request trial software here
     • Licensed based on number of endpoints
     • Yearly or multi-year subscription SKUs
     • MSSP pricing models
     • Services SKUs to augment partner or customer staff
     • Professional training available
     • Advanced Malware Analysis services – coming soon!

  29. “Threat Hunting Simplified” www.infocyte.com
