Advanced Threat Hunting + Automated Protection

The process-injection, credential-use monitoring, and process-creation capabilities provide a rich set of data, captured via kernel-level behavioral analytics, for conducting threat hunting.

The automated protection kicks in once data theft, credential (token, password) theft, or ransomware encryption begins. For everything else, this data is a great resource.

The most common finding thus far is unmanaged (at least by the current IT admins) remote management tools installed by users. Yes, they do sometimes trigger an automated extortion protection (i.e., the unmanaged RMM is being used by a bad actor), but it is always better to know your environment beforehand, regardless!

Here is a quick video of a type of attack we saw in use by attackers, in multiple client environments, that successfully evaded the customers' EDR solutions (we don't like to name names; there were three products in four enterprises).

...

Post-Incident Forensic Analysis & Remediation

There are a few types of use cases for Cyber Crucible data.

The first is so that a security person at a company, or an IT person, can investigate the root cause of a program being suspended. Some customers install our software and then only log in again when there are new employees to onboard; they have never used any Cyber Crucible functionality except the Manage Agents page. We're glad to help them learn about root cause analysis, which is painless and simple for technical and semi-technical users.

The second type of customer for post-incident forensic analysis is DFIR firms that are called in to investigate an issue at a client, sometimes at the cyber insurance company's request, and Cyber Crucible is installed after the issue. (Hey, we can't always be there before the attacker, as much as we want to be; otherwise every company in the world would have us, and extortion would be history!)

The best way to describe a roll-out after an extortion attack is "messy". Not because we are difficult to install or slow to start protecting. Quite the opposite! In that instance, the attackers have normally moved around the environment, are embedded in operating systems, network gear, and Active Directory, and are operating in memory. Multiple machines end up having processes suspended, and sometimes the attackers even try to regain control. It is a bit like taking medicine that makes you sick in the beginning, but you need it to ever get better.

Clients who are already stressed out sometimes react emotionally to "more" noise as the attackers are finally rooted out and defeated. There is a lot of education as to why or how their in-place security stacks didn't find the attackers. At the end, though, the business regains control over its IT infrastructure. They will not become one of the 80-90% of companies that are re-extorted a year or two later, in what we call "the extortion subscription economy".

The third type of customer we have is an MSSP, oftentimes a partner of Cyber Crucible, that is responding to an automated protection from Cyber Crucible. They need to find out how the attacker achieved a temporary foothold, and close any holes in security. The good news is that HIPAA or other compliance reporting typically reports little or no breach of confidentiality, due to the speed of the automated response. Many times, the MSSP reports "nothing to report", which makes everyone involved happy. Well, except for the criminal.