Hunting, Detecting, and Responding to Hidden Threats Using FSA
This post was last updated on August 7th, 2019 at 01:27 pm
A Brief History of Forensic State Analysis
Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network.
With virtually unlimited resources and access to any endpoint security solutions available, Chris and Russ decided to build something better.
Fast forward to 2014, when Infocyte was established: Forensic State Analysis (FSA) emerged as the core technology powering our Threat Detection & Incident Response platform, Infocyte HUNT. FSA enables security teams to expose, investigate, and eliminate hidden cyber threats quickly and cost-effectively.
How Forensic State Analysis Helps You Hunt, Detect, and Respond to Hidden Cyber Threats
FSA involves continuously inspecting thousands of hosts/systems/servers (“endpoints”) within a network to collect and analyze digital forensics data, and then validating each endpoint’s state as “compromised” or “not compromised.”
In other words, FSA is a continuous compromise assessment of every endpoint on your network.
At the host/server level (endpoint) FSA seeks to validate:
- What applications and processes are running (in memory)
- What is triggered to run (through persistence mechanism)
- What has already run (via forensic execution artifacts)
Lastly, FSA examines the operating system (OS) for manipulations and/or suspicious active processes (e.g. an executable running from your recycle bin).
Together, these steps allow Infocyte HUNT to reveal OS configuration changes (e.g. an insider threat disabling system security controls, or an attacker trying to hide their presence) and API calls made by a rogue or hidden process in volatile memory (e.g. a rootkit).
Based on the results, Infocyte HUNT performs additional analysis, categorization, and prioritization, eliminating false negatives and false positives and helping security teams focus on responding to real threats, faster.
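As an added illustration of the three questions above (what is running, what is triggered to run, what has already run), the following Python snippet models an endpoint's forensic state and flags the recycle-bin case from the text plus one assumed correlation heuristic (an autostart entry whose target was never seen running or executed). The data model, the `assess` function, and the sample snapshot are constructed for this example and are not Infocyte HUNT's own code or API.

```python
"""Added example: a minimal forensic-state check over one endpoint snapshot."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories a legitimately installed executable should not be running from.
SUSPICIOUS_DIRS = ("$recycle.bin", "recycler")


@dataclass
class EndpointState:
    running: list      # image paths of processes currently in memory
    persistence: list  # image paths referenced by autostart (persistence) entries
    executed: list     # image paths recorded in execution artifacts (e.g. prefetch)


def normalize(path: str) -> str:
    """Windows paths are case-insensitive and accept both separators; canonicalize."""
    return str(PureWindowsPath(path)).lower()


def in_suspicious_dir(path: str) -> bool:
    """True if any directory component of the path is a recycle-bin folder."""
    return any(part.lower() in SUSPICIOUS_DIRS for part in PureWindowsPath(path).parts)


def assess(state: EndpointState) -> list:
    """Return (finding, normalized_path) leads for an analyst to investigate."""
    findings = []
    running = {normalize(p) for p in state.running}
    executed = {normalize(p) for p in state.executed}
    for p in running:
        if in_suspicious_dir(p):
            findings.append(("running-from-suspicious-dir", p))
    for p in (normalize(x) for x in state.persistence):
        if in_suspicious_dir(p):
            findings.append(("persistence-in-suspicious-dir", p))
        # Assumed heuristic: triggered to run, but never observed running or executed.
        if p not in running and p not in executed:
            findings.append(("persistence-never-observed", p))
    return findings


def sample_state() -> EndpointState:
    """Constructed snapshot (hypothetical paths) for running the example offline."""
    return EndpointState(
        running=["C:\\Windows\\System32\\svchost.exe",
                 "C:\\$Recycle.Bin\\S-1-5-21-1\\update.exe"],
        persistence=["c:/windows/system32/svchost.exe", "C:\\Users\\Public\\helper.exe"],
        executed=["C:\\WINDOWS\\SYSTEM32\\SVCHOST.EXE"],
    )


if __name__ == "__main__":
    for finding in assess(sample_state()):
        print(*finding)
```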
Advanced Threat Detection with FSA
The process of hunting and exposing advanced persistent threats (APTs), file-less malware, hidden backdoors, etc. with FSA is performed in five steps:
- Inspect the endpoint and collect forensic data
- Enrich the forensic data with threat intelligence
- Triage leads with AI and machine learning algorithms
- Investigate suspicious findings
In terms of endpoint security and threat detection, this approach differs markedly from the behavior analysis techniques employed by endpoint detection and response (EDR) platforms and UEBA products.
FSA enables Infocyte HUNT to dig deeper, exposing advanced threats inside each host and helping security teams investigate and respond to threats, faster.
Learn more about Forensic State Analysis — view our on-demand webinar about cyber Threat Hunting with FSA and Infocyte.