Cyber Security is Broken…. Why?There are Three Critical Weaknesses in the Typical Cyber Security Model…
CIRT Overcomes these Weaknesses
CIRT is the first and only product to integrate network forensics, host forensics, malware analysis and large-scale data auditing. It gives you visibility into all of this critical information through a single pane of glass, and unlike other products it actually provides enterprise-class remediation capabilities. So not only are you able to figure out what’s happening on your network faster, you’re actually able to do something about it faster.
What Can You Do with Cyber Intelligence & Response Technology?
- Detect Unknown Threats and Data Leakage
- Continuous Monitoring
- Auto-respond to Third-Party Alerts
- PCI Compliance
- Multi-team Collaboration and Real-Time Incident Management
- Malware Disassembly Analysis – No Sandbox Required
- Gather Cyber Intelligence
- Root Cause Analysis
Proactive Compromise Assessment to Detect External and Internal Threats
- Scan tens of thousands of computers and network shares to identify suspicious binaries or data leakage without having to rely on signature-based tools and alerting systems.
- Scan for known malware using your existing threat intelligence.
- Audit for data spillage, using a broad variety of search criteria.
- Identify previously unknown malware using built-in threat scoring and malware analysis.
- Get the same robust analysis capabilities of FTK.
- Advanced volatile data/memory analysis.
- Static RAM analysis from an image or against a live system.
- Enumerate all running processes, including those hidden by rootkits, and display associated DLLs, network sockets and handles in context.
- Dump a process and associated DLLs for further analysis in third-party tools.
- Memory string search allows you to identify hits in memory and automatically map them back to a given process, DLL or piece of unallocated space and dump the corresponding item.
- VAD tree analysis and expose registry artifacts in memory and will parse and display handle information from memory.
- Correlate host data with network traffic.
- Real-time network traffic visualization allows you to detect anomalous behavior.
- Build integrated maps of assets and users.
- Monitor for known threats and receive email alerts.
- Once anomalous behavior has been detected or an alert received, immediately drill into all suspect nodes for host analysis.
Reactive Impact Assessment and Root Cause Analysis
- Learn the behavior and intent of suspicious binaries in seconds.
- Forensically analyze hosts to determine the delivery mechanism of an exploit, whether its email, removable media, a website, hacking or a rogue employee.
- Search hosts for confidential or classified data.
- Build a threat profile and scan the enterprise against it to identify all compromised nodes.
- Correlate host data with forensic network data to see proliferation, external domains being called and more.
- Build “integrated maps” of certain assets or users.
- Play back incidents in real time.
- Independent of keyword or linguistic matching, you can determine how proprietary or inappropriate information proliferated from code servers, HR or financial databases, R&D labs and others.
- Directly visualize audit logs and alerts, and correlate actual network traffic to provide a complete picture of activity around the time a suspicious event occurred.
The ONLY malware analysis technology to provide detailed behavior and intent information WITHOUT THE SANDBOX.
- CIRT’s built-in malware analysis generates threat scores for binaries during an enterprise-scan.
- Set a threshold so higher scoring binaries are automatically disassembled for deeper analysis.
- Cerberus disassembly analysis will emulate a binary without the need for a sandbox, signature-based tools or traditional heuristics.
- Gain actionable intelligence in seconds without waiting hours or days for a malware team.
- Once you have the information you need to make critical decisions, you can pass on the binary for traditional analysis to ensure you’ve gathered all possible intel on the binary.
- See the attributes Cerberus is able to expose.
Large-scale Compliance and Data Spillage Auditing
- Perform PCI audits, using regular expressions consisting of credit card number patterns, to identify all instances of payment card information on every node across your enterprise.
- Use classified caveats, such as “eyes only” and “classified” to zero in on classified data spillage.
- Detect PII across the enterprise using social security number patterns and other PII search terms.
- Robust reporting of all activities and findings allows you to illustrate your compliance to regulatory bodies.
Continuous Monitoring, Including Employee Laptops that are not Logged into Your Network
- Removable media monitoring allows you to see removable device usage, showing exactly what files were copied to the device or downloaded from the device.
- Build threat profiles using your existing threat intelligence and the intelligence gathered with CIRT, then monitor network traffic and host activity.
- Receive alerts when unauthorized activity is detected.
- Configure CIRT to automatically respond when unauthorized activity, malware or confidential data is detected.
- Monitor social media, chat and webmail activity, even when an employee laptop is not logged into your network.
Integrates with third-party alerting solutions, such as ArcSight ESM
GUI-integrated Batch Remediation
Intelligent Agent – Persistent and “Dissolving”
- Agent-side search and analysis of live memory and volatile data on both 32x and 64x machines
- All jobs are executed agent-side, so even if an employee logs off for the day, jobs are not interrupted.
- Schedule the agent to “check in” periodically to send back data and alert you to potential threats, including suspicious internet activity and removable device usage.
- Even if an employee is using public Wi-Fi or their own internet connection, you still have visibility into their activity.
- Ponemon Study: Threat Intelligence and Incident Response
- Weaponizing Incident Response
- Ponemon Study: Threat Intelligence and Incident Response(EMEA)
- Weaponizing Incident Response
- What You Don’t Know Can Hurt You: Detecting Unknown Threats and Reducing Response Times
- Cerberus: Malware Triage and Analysis Technology
Our experienced team can provide in depth product or service explanations as well as, schedule a demo, and/or price quotes. You can expect a reply within 24-48 hours.
For an immediate response please contact us at: Domestic US: 800.574.5199 | Int’l: +44(0)20 7010 7800.
Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.
Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.
Cerberus Triage vs. Traditional Malware Analysis
Cerberus is able to disassemble and simulate the functionality of a suspect binary, without actually running the code. This first-pass analysis is of great value in that it not only enables incident responders to take decisive action more quickly, but it reveals behavior and intent without running the risk of triggering defense mechanisms commonly found in malware.
Traditional methods each have its own shortcomings, which Cerberus methodologies avoid…
- Dynamic Analysis is often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
- Traditional Heuristics are not based on the fundamental characteristics of malware and have high false positive / false negative rates.
- Signature-based / Byte String Analysis cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
Stage One Analysis
The following first-level analysis is conducted to quickly tally threat scores.
- Product Name
- Product Version
- Company Name, etc.
- Functions included in the Import Table
- Dynamic Loading, etc.
- Does the binary have high entropy (obfuscated)?
- Does the binary have signatures of:
- Internet Relay Chat ("IRC")
- Cryptography ("Crypto")
- Does the binary contain strings associated with autoruns?
- Digital Signature Verification
Stage Two Analysis
Stage two involves more complex disassembly analysis to give you more detailed behavioral information. This simulation and data flow analysis is possible without running binaries in a sandbox, and there is no reliance on white lists or signatures.
Basic Disassembly Analysis:
- Integrated disassembly engine
- If using network functionality, potentially what host it is communicating with and over what protocol(s)
- If using network functionality, can it bypass proxy servers?
- For functions that require usernames and/or passwords, does the executable contain a static string, indicating insider or advanced knowledge?
- More advanced Functionality Interpretation
- IP addresses and Domain Names Used
- Debugger and Sandbox avoidance
- Command and Control Functionality
- Hooking Techniques
- Arbitrary Code Execution
- Host Forensic Artifacts
- Registry Settings
- Temp Files
- Configuration Files
The incident response community has been wishing for something like this for a long time. This [CIRT] is the holy grail of incident response.
Fortune 500 Company