Cyber Security is Broken… Why?

There are Three Critical Weaknesses in the Typical Cyber Security Model…

CIRT Overcomes these Weaknesses

AccessData Named 2013 HP AllianceOne Security Partner of the Year

CIRT is the first and only product to integrate network forensics, host forensics, malware analysis and large-scale data auditing. It gives you visibility into all of this critical information through a single pane of glass, and unlike other products it actually provides enterprise-class remediation capabilities. So not only are you able to figure out what’s happening on your network faster, you’re actually able to do something about it faster.

What Can You Do with Cyber Intelligence & Response Technology?

    • Detect Unknown Threats and Data Leakage
    • Continuous Monitoring
    • Auto-respond to Third-Party Alerts
    • PCI Compliance
    • Multi-team Collaboration and Real-Time Incident Management
    • Malware Disassembly Analysis – No Sandbox Required
    • Gather Cyber Intelligence
    • Root Cause Analysis
    • Remediate

Proactive Compromise Assessment to Detect External and Internal Threats

  • Scan tens of thousands of computers and network shares to identify suspicious binaries or data leakage without having to rely on signature-based tools and alerting systems.
    • Scan for known malware using your existing threat intelligence.
    • Audit for data spillage, using a broad variety of search criteria.
    • Identify previously unknown malware using built-in threat scoring and malware analysis.
    • Get the same robust analysis capabilities of FTK.

  • Advanced volatile data/memory analysis.
    • Static RAM analysis from an image or against a live system.
    • Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
    • Dump a process and associated DLLs for further analysis in third-party tools.
    • Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
    • Perform VAD tree analysis, expose registry artifacts in memory, and parse and display handle information from memory.

  • Correlate host data with network traffic.
    • Real-time network traffic visualization allows you to detect anomalous behavior.
    • Build integrated maps of assets and users.
    • Monitor for known threats and receive email alerts.
    • Once anomalous behavior has been detected or an alert received, immediately drill into all suspect nodes for host analysis.

Reactive Impact Assessment and Root Cause Analysis

CIRT gives you the visibility you need to detect and respond to an incident without sifting through and manually correlating event logs. If you suspect a compromise or need to validate an alert from another tool, such as IDS or DLP, you can easily scan all suspect nodes to expose malicious binaries, data leakage or unauthorized access.
  • Learn the behavior and intent of suspicious binaries in seconds.
  • Forensically analyze hosts to determine the delivery mechanism of an exploit, whether it’s email, removable media, a website, hacking or a rogue employee.
  • Search hosts for confidential or classified data.
  • Build a threat profile and scan the enterprise against it to identify all compromised nodes.
  • Correlate host data with forensic network data to see proliferation, external domains being called and more.
    • Build “integrated maps” of certain assets or users.
    • Play back incidents in real time.
    • Independent of keyword or linguistic matching, you can determine how proprietary or inappropriate information proliferated from code servers, HR or financial databases, R&D labs and others.
    • Directly visualize audit logs and alerts, and correlate actual network traffic to provide a complete picture of activity around the time a suspicious event occurred.

The ONLY malware analysis technology to provide detailed behavior and intent information WITHOUT THE SANDBOX.

  • CIRT’s built-in malware analysis generates threat scores for binaries during an enterprise scan.
  • Set a threshold so higher scoring binaries are automatically disassembled for deeper analysis.
    • Cerberus disassembly analysis will emulate a binary without the need for a sandbox, signature-based tools or traditional heuristics.
  • Gain actionable intelligence in seconds without waiting hours or days for a malware team.
  • Once you have the information you need to make critical decisions, you can pass on the binary for traditional analysis to ensure you’ve gathered all possible intel on the binary.
  • See the attributes Cerberus is able to expose.

Large-scale Compliance and Data Spillage Auditing

CIRT allows you to bring your compliance auditing in house, saving you hundreds of thousands if not millions of dollars.
  • Perform PCI audits, using regular expressions consisting of credit card number patterns, to identify all instances of payment card information on every node across your enterprise.
  • Use classified caveats, such as “eyes only” and “classified” to zero in on classified data spillage.
  • Detect PII across the enterprise using social security number patterns and other PII search terms.
  • Robust reporting of all activities and findings allows you to illustrate your compliance to regulatory bodies.
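A sketch of the regular-expression card-number audit described above, as an added example that is not AccessData's code. It goes beyond the pattern match by adding a Luhn checksum and a coarse issuer check to cut false positives; the function names, the simplified brand rules and the sample text are assumptions made for illustration.

```python
import re

# Candidate PAN: 13-19 digits, each optionally followed by one space or hyphen.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(digits: str) -> str:
    """Coarse issuer check by prefix and length (simplified, not exhaustive)."""
    n, p2, p4 = len(digits), int(digits[:2]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "visa"
    if n == 16 and (51 <= p2 <= 55 or 2221 <= p4 <= 2720):
        return "mastercard"
    if n == 15 and p2 in (34, 37):
        return "amex"
    return "unknown"

def scan(text: str):
    """Return (line_no, brand, masked_pan) for Luhn-valid, known-brand hits."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            b = brand(digits)
            if b != "unknown" and luhn_ok(digits):
                # Report first six / last four only, never the full PAN.
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                findings.append((line_no, b, masked))
    return findings

# Constructed sample data; the valid card numbers are public test numbers.
SAMPLE = """\
order=1001 card=4111 1111 1111 1111 exp=12/29
order=1002 card=4111-1111-1111-1112 exp=01/30
tracking=1234567890123456 carrier=example
refund to 378282246310005 approved
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The mistyped card on line 2 and the 16-digit tracking number on line 3 match the pattern but fail validation, which is the false-positive class a pattern-only audit reports.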

Continuous Monitoring, Including Employee Laptops that are not Logged into Your Network

  • Removable media monitoring allows you to see removable device usage, showing exactly what files were copied to the device or downloaded from the device.
  • Build threat profiles using your existing threat intelligence and the intelligence gathered with CIRT, then monitor network traffic and host activity.
  • Receive alerts when unauthorized activity is detected.
  • Configure CIRT to automatically respond when unauthorized activity, malware or confidential data is detected.
  • Monitor social media, chat and webmail activity, even when an employee laptop is not logged into your network.

Integrates with third-party alerting solutions, such as ArcSight ESM

CIRT integrates with third-party alerting tools to enable automated response. Create rules to automatically execute a series of tasks to initiate impact assessment and root cause analysis. CIRT can even automatically kill known malicious processes if alerts are triggered.

GUI-integrated Batch Remediation

CIRT is not just another platform that feeds you a mound of data. It actually gives you the power to remediate. Using batch remediation, you can kill processes and wipe confidential files and emails on thousands of computers and network shares simultaneously. This is vital to preventing widespread damage and is significantly more efficient and effective than traditional remediation methods.

Intelligent Agent – Persistent and “Dissolving”

  • Agent-side search and analysis of live memory and volatile data on both 32-bit and 64-bit machines.
  • All jobs are executed agent-side, so even if an employee logs off for the day, jobs are not interrupted.
  • Schedule the agent to “check in” periodically to send back data and alert you to potential threats, including suspicious internet activity and removable device usage.
  • Even if an employee is using public Wi-Fi or their own internet connection, you still have visibility into their activity.

Our experienced team can provide in-depth product or service explanations, schedule a demo, and supply price quotes. You can expect a reply within 24-48 hours.

For an immediate response please contact us at: Domestic US: 800.574.5199 | Int’l: +44(0)20 7010 7800.


Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time-consuming analysis.

Cerberus Triage vs. Traditional Malware Analysis
Cerberus is able to disassemble and simulate the functionality of a suspect binary, without actually running the code. This first-pass analysis is of great value in that it not only enables incident responders to take decisive action more quickly, but it reveals behavior and intent without running the risk of triggering defense mechanisms commonly found in malware.


Traditional methods each have their own shortcomings, which Cerberus methodologies avoid…

  • Dynamic Analysis is often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
  • Traditional Heuristics are not based on the fundamental characteristics of malware and have high false positive / false negative rates.
  • Signature-based / Byte String Analysis cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.

Cerberus is able to uncover the following attributes during analysis…

Stage One Analysis

The following first-level analysis is conducted to quickly tally threat scores.

  • Product Name
  • Product Version
  • Company Name, etc.
  • Functions included in the Import Table
    • Network
    • Process
    • Security
    • Registry
  • Dynamic Loading, etc.
  • Does the binary have high entropy (obfuscated)?
  • Does the binary have signatures of:
    • Internet Relay Chat ("IRC")
    • Shellcode
    • Cryptography ("Crypto")
  • Does the binary contain strings associated with autoruns?
  • Digital Signature Verification
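To show how checks like these can be tallied into a score without running the file, here is an added example that is not Cerberus code. It covers only the import-name, autorun-string, IRC and entropy checks, using plain byte searches instead of a PE parser; the indicator lists, weights, entropy limit, threshold and sample buffers are all assumptions chosen for illustration.

```python
import math
from collections import Counter

# Hypothetical indicator lists and weights, chosen for illustration only.
IMPORT_GROUPS = {
    "network": [b"WSAStartup", b"InternetOpenA", b"URLDownloadToFileA"],
    "process": [b"CreateRemoteThread", b"WriteProcessMemory"],
    "registry": [b"RegSetValueExA", b"RegCreateKeyExA"],
    "dynamic_loading": [b"LoadLibraryA", b"GetProcAddress"],
}
AUTORUN = [rb"Software\Microsoft\Windows\CurrentVersion\Run"]
IRC = [b"PRIVMSG ", b"NICK ", b"JOIN #"]
WEIGHTS = {"import": 1, "autorun": 2, "irc": 2, "high_entropy": 2}
ENTROPY_LIMIT = 7.0  # bits per byte; packed or encrypted data approaches 8.0

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of the byte distribution, in bits per byte."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def stage_one(data: bytes):
    """Return (score, findings) from byte-level checks; nothing is executed."""
    findings = []
    for group, names in IMPORT_GROUPS.items():
        if any(name in data for name in names):
            findings.append("import:" + group)
    if any(s in data for s in AUTORUN):
        findings.append("autorun")
    if any(s in data for s in IRC):
        findings.append("irc")
    if shannon_entropy(data) > ENTROPY_LIMIT:
        findings.append("high_entropy")
    score = sum(WEIGHTS[f.split(":")[0]] for f in findings)
    return score, findings

def needs_stage_two(score: int, threshold: int = 4) -> bool:
    """Binaries at or above the (assumed) threshold go on to disassembly."""
    return score >= threshold

# Constructed buffers standing in for file contents; neither is a real binary.
SAMPLE_DROPPER = (b"MZ\x90\x00" + b"\x00" * 64
    + b"KERNEL32.dll\x00LoadLibraryA\x00GetProcAddress\x00"
    + b"WS2_32.dll\x00WSAStartup\x00ADVAPI32.dll\x00RegSetValueExA\x00"
    + AUTORUN[0] + b"\x00NICK test01\r\nJOIN #example\r\n")
SAMPLE_PACKED = bytes(range(256)) * 16  # uniform bytes, entropy of 8.0

if __name__ == "__main__":
    for name, blob in (("dropper", SAMPLE_DROPPER), ("packed", SAMPLE_PACKED)):
        print(name, stage_one(blob))
```

The uniform buffer trips only the entropy check and stays below the threshold, while the string-bearing buffer crosses it from several weak indicators combined.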

Stage Two Analysis

Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data flow analysis is possible without running binaries in a sandbox, and there is no reliance on white lists or signatures.

Basic Disassembly Analysis:

  • Integrated disassembly engine
  • If using network functionality, potentially what host it is communicating with and over what protocol(s)
  • If using network functionality, can it bypass proxy servers?
  • For functions that require usernames and/or passwords, does the executable contain a static string, indicating insider or advanced knowledge?
  • More advanced Functionality Interpretation
    • IP addresses and Domain Names Used
    • Debugger and Sandbox avoidance
    • Command and Control Functionality
    • Hooking Techniques
    • Arbitrary Code Execution
    • Host Forensic Artifacts
    • Registry Settings
    • Temp Files
    • Configuration Files

What You Don't Know Can Hurt You: Detecting Unknown Threats and Reducing Response Times

The incident response community has been wishing for something like this for a long time. This [CIRT] is the holy grail of incident response.

Incident Responder,
Fortune 500 Company