Not Just Rapid Detection and Response…Continuous, Automated Incident Resolution.

AccessData Named 2013 HP AllianceOne Security Partner of the YearCyber Intelligence & Response Technology (CIRT) is a rapid detection and response solution designed to enable Continuous, Automated Incident Resolution (CAIR™). Available as a stand-alone platform, it is also a key component of AccessData’s new ResolutionOne™ Platform.

It’s the first and only solution to integrate network forensics, host forensics, malware analysis and data leakage detection, giving you visibility into all of this critical information through a single, intuitive, console. CIRT is engineered to deliver the workflows and capabilities necessary to detect, analyze, and resolve security breaches and Governance, Risk and Compliance (GRC) issues. In addition, it provides enterprise-class remediation. So with CIRT, not only can you detect faster, you can remediate faster.

  • Eliminate several disparate point products.
  • Monitor endpoints and the network for threats in real time.
  • Leverage multiple formats of threat intelligence from multiple sources with the integrated, customizable ThreatBridge™ library.
  • Hunt for threats with IOCs and YARA rules.
  • Detect unknown threats with signature-less malware detection
  • Automatically validate and respond to alerts from next-gen alerting tools and SIEMs.
  • Perform comprehensive analysis of both network communications and endpoint data.
  • Automate routine incident response operations and remote remediation.
AD ResolutionOne™

AccessData’s Cyber Intelligence and Response Technology (CIRT) integrates network, endpoint and malware analysis, data leakage detection  and remediation capabilities for a solution that doesn’t just deliver rapid detection and response; it delivers Continuous Automated Incident Resolution.

Endpoint Threat Detection

  • Real-time threat monitoring, auto-correlating with integrated ThreatBridge™ library.
  • Hunt threats using IOCs and YARA rules with customizable known file filter to remove noise.
  • Signature-less malware detection, with Cerberus triage and analysis. No sandbox required.
  • Bi-directional removable media monitoring.
  • See all activity, including Internet communications, even when traveling / telecommuting employees aren’t VPN’d into the network.

Network Threat Detection

  • Full packet capture.
  • The only technology that also provides host-based packet capture.
  • Detect anomalous behavior on network and endpoints indicative of hacking and APTs.
  • Capture and analyze Web, chat and social media.
  • Decrypts SSL and SSH.
  • Monitors 2500 protocols and all 7 layers of the OSI stack.

Automate Alert Validation and Incident Response with SIEM, Next-Gen
Firewall and Next-Gen Malware Detection Integration

  • Automated response and remediation capabilities. (See IDT Corporation Case Study.)
  • Launch operations and view analysis in either SIEM or CIRT Platform.
  • Automatically isolate compromised endpoints in seconds.
  • Alerts from next-gen tools are auto-validated by confirming the malware has executed at the endpoint(s).
  • CIRT can automatically provide endpoint analysis (live response data, memory or even full disk image), as well as network communications data when triggered by an alert.
  • Easy to configure and customize automation parameters.

ThreatBridge Functionality Integrates Threat Intelligence with Incident Resolution

  • Ingests multiple formats of threat intelligence and IOCs from multiple sources.
  • Monitor both network and endpoints against ThreatBridge library.
  • Easily define automatic response to and remediation of detected threats.

Full-spectrum Incident Analysis with Integrated, Comprehensive Remediation

  • Forensic Toolkit® (FTK®) technology.
  • Advanced volatile/memory analysis.
  • Visibility into Windows®, Apple®, Linux®, Solaris and AIX® hosts.
  • BlakBox™ incident replay for endpoint activity and network communications.
  • Determine the behavior and intent of suspicious code in seconds with Cerberus malware triage.
  • Quickly correlate endpoint and network analysis to facilitate root cause analysis, visualize propagation and understand all actions being taken by the threat.
  • View content of files intercepted from network communications.
  • Enterprise-wide compromise assessment to identify all affected nodes.
  • Right-click process kill.
  • Batch remediation, including remote reimaging and surgical remediation

Real-time Collaboration

  • A “virtual war room” for all teams (Security Operations, Network Security, Forensics, Malware, etc).
  • All data is accessed through single console to facilitate correlation and collaboration.
  • Work synchronously to detect, analyze and remediate compromises.
  • Easy reporting up and down the chain of command.
        

Perform immediate malware triage with Cerberus, and gain actionable intelligence prior to engaging a malware team.

Cerberus is the malware analysis component of AccessData’s integrated incident response platform, CIRT (Cyber Intelligence & Response Technology). This module is also available as an add-on to FTK 4. The first step towards automated reverse engineering, Cerberus allows you to determine the behavior and intent of suspect binaries, giving you actionable intelligence without having to wait for a malware team to perform deeper, more time consuming analysis.

Cerberus Triage vs. Traditional Malware Analysis
Cerberus is able to disassemble and simulate the functionality of a suspect binary, without actually running the code. This first-pass analysis is of great value in that it not only enables incident responders to take decisive action more quickly, but it reveals behavior and intent without running the risk of triggering defense mechanisms commonly found in malware.

               

Traditional methods each have its own shortcomings, which Cerberus methodologies avoid…

  • Dynamic Analysis is often not reliable, because the binary could recognize that it is being analyzed and perform a different action in order to intentionally fool the analyst.
  • Traditional Heuristics are not based on the fundamental characteristics of malware and have high false positive / false negative rates.
  • Signature-based / Byte String Analysis cannot detect new malware or new variants and requires prior knowledge in the form of an action or byte string.
Cerberus is able to uncover the following attributes during analysis…

Stage One Analysis

The following first-level analysis is conducted to quickly tally  threat scores.

  • Product Name
  • Product Version
  • Company Name, etc.
  • Functions included in the Import Table
    • Network
    • Process
    • Security
    • Registry
  • Dynamic Loading, etc.
  • Does the binary have high entropy (obfuscated)?
  • Does the binary have signatures of:
    • Internet Relay Chat ("IRC")
    • Shellcode
    • Cryptography ("Crypto")
  • Does the binary contain strings associated with autoruns?
  • Digital Signature Verification

Stage Two Analysis

Stage two involves more complex disassembly analysis to give you  more detailed behavioral information. This simulation and data flow  analysis is possible without running binaries in a sandbox, and there  is no reliance on white lists or signatures.

Basic Disassembly Analysis:

  • Integrated disassembly engine
  • If using network functionality, potentially what host it is  communicating with and over what protocol(s)
  • If using network functionality, can it bypass proxy servers?
  • For functions that require usernames and/or passwords, does  the executable contain a static string, indicating insider or advanced  knowledge?
  • More advanced Functionality Interpretation
    • IP addresses and Domain Names Used
    • Debugger and Sandbox avoidance
    • Command and Control Functionality
    • Hooking Techniques
    • Arbitrary Code Execution
    • Host Forensic Artifacts
    • Registry Settings
    • Temp Files
    • Configuration Files
               
           
     




What You Don't Know Can Hurt You: Detecting Unknown Threats and Reducing Response Times



The incident response community has been wishing for something like this for a long time. This [CIRT] is the holy grail of incident response.

Incident Responder,
Fortune 500 Company