Infocyte Release Notes, October 2019: Incident Response Ready Program and Platform Extensions
Currently, Infocyte is capable of detecting a vast array of cyber threats — ransomware, file-less attacks, advanced persistent threats, etc. — that exist within an environment. Our detection and response platform does this by leveraging multiple sources of threat intelligence feeds and enriching that threat data with our proprietary INCYTE™ machine learning; however, there are some unique (and new) threats that are difficult to detect through these methods. As a result, detecting these new, advanced cyber threats may require more customized investigations.
Additionally, customers and partners want to not only detect the occurrence of malicious activities, they also want to respond quickly to those problems — remediating those cyber attacks to reduce risk across their environment. Advanced Detection and Response capabilities are key for Infocyte and for the customers and partners who leverage Infocyte as a security platform.
To address these challenges, Infocyte has introduced our Response Ready program and new platform extensions, which equip our customers and partners with:
- Advanced Detection: Extensions will enable customers and partners to leverage advanced detection capabilities, for example, within a particular vertical or area of expertise, such as detecting APTs or personally identifiable information (PII) within compromised systems.
- Automation and Scale: As more companies subscribe to the digital transformation, IT environments become more complex. Couple this digital transformation adoption with the cybersecurity skills shortage and wage increases, and it’s easy to understand why many companies fall behind — unable to detect and respond to threats in a timely manner. Extensions enable security analysts to automate both detection and incident response operations, saving time, money, and helping scale D&R efforts across large, complex IT environments.
- Differentiation (partners) and Integration (customers/partners): Infocyte’s delivery model and services (e.g. compromise assessments, incident response services, and managed security services) are partner-first. Extensions enable customers and partners to incorporate their unique IP, threat intelligence, and approach to cybersecurity into a scalable platform.
- Peace of mind: Our Response Ready program allows customers to pre-deploy Infocyte — before a security incident — and leave it idle until the time comes when you need to detect and respond to a security incident.
Prior to releasing Extensions, Infocyte could highlight malicious activity, cyber threats, hidden risks, and critical vulnerabilities within your environment while providing forensic evidence to confirm those risks. Now, with Extensions, Infocyte addresses the need for both advanced detection capabilities and automated response/remediation.
Problems with the Security Incident Response Market
Today’s security incident response (IR) market is constantly growing because many organizations do not have the staff or expertise to perform deep detection of threats, nor do they have the capability to properly respond or remediate those threats. Company’s seeking to offload their detection and response capabilities to a more-skilled and more-equipped provider is a fantastic option and ensures the business can focus on what they are good at, rather than trying to build expertise in an area that doesn’t directly grow their business.
The challenge that exists is the “what and who” companies should choose as their Detection and IR partner — often a managed security service provider or MDR provider. There are many managed security service firms to pick from — particularly in the Incident Response space; however, when you dig into what they offer, the managed security services they provide and the efficacy of their platform, you see where they have problems and ultimately fail…
Most managed security service providers run into problems centered around their detection and response capabilities, and an inability to create a collaborative ecosystem for detection and response capabilities. Their detection and response capabilities only work well if the stars align.
Rarely are security incident response situations perfect, and in many cases, custom capabilities must exist in order to detect or respond to security situations. This is a problem today, just as it was a problem in the past, and Infocyte wants to fix it by providing a Detection and Response platform that is easy to use and extensible.
Infocyte has already delivered an industry-leading Incident Response and Compromise Assessment tool. Through the platform’s innovative Forensic State Analysis (FSA), Machine Learning capabilities, and access to multiple sources of Threat Intelligence, Infocyte HUNT gives customers and partners the details and information needed to quickly remediate problematic security issues. Now, with Extensions, we’re building on our capabilities and directly tackling the aforementioned problems with detection and response products and managed security service providers.
An overview of Infocyte Extensions
Extensions provide the ability for customers and partners to develop, deploy, and share collection, detection, and response actions across an environment that is being inspected by the Infocyte platform. Extensions are user-defined, virtually limitless in their capability, and can be shared and leveraged across the customer and partner ecosystem.
Extensions solve many detection and response problems, and this new extensibility of our platform allows Infocyte to directly tackle other major problems without heavy research and development efforts.
Some examples of problems that Infocyte Extensions solves:
- Detection needs more than machine learning and commonly available threat intelligence sources
- Incident response sometimes requires research and deep analysis, performed offline
- Incident response needs to be swift in order to protect the rest of your environment from breach
- Security teams and analysts must work together — across teams, companies, industries, and geographic boundaries — to solve the growing threats of a cyber attack
Infocyte Extensions: Use Cases within NIST’s Incident Response Framework
While Infocyte is continuing to provide Managed Detection and Response (MDR) capabilities for our partners, we are uniquely positioned to be an industry leader in Incident Response (IR). The NIST Computer Security Incident Handling Guide (Special Publication 800-61 Revision 2) specifies four primary phases of an Incident Response Plan for handling a cyber security incident.
Each phase builds on the previous and the publication provides a clear methodology for taking necessary steps from preparing for the security incident to conducting post-incident activities. The primary use case for Infocyte is to provide a technical platform for Incident Responders to leverage when conducting an Incident Response activity as outlined by NIST.
Infocyte is uniquely positioned to provide a holistic solution for the Detection & Analysis Phase; as well as, Containment, Eradication and Recovery Phase of an Incident Response plan.
Many standard Incident Response (IR) Plans establish the Preparation step as ensuring contact information, tools and all the necessary mechanisms are in place, ready, and testable. Infocyte helps during IR preparation by enabling a Response Ready stance. Being Response Ready with Infocyte provides users a very simple, efficient, and effective method to quickly jump into action
if when a cybersecurity incident arises. Response Ready positions the Infocyte platform for on-demand use to quickly inspect (or respond) in minutes.
Detection & Analysis
Infocyte’s unique method for conducting detection and analysis of threats on assets greatly exceeds the typical functionality found in many endpoint security solutions, like Endpoint Detection and Response and Endpoint Protection tools.
Using Forensic State Analysis (FSA) Infocyte collects detailed data from a multitude of sources within the asset under inspection. Leveraging Live Memory Analysis, artifacts, processes, historical timelines from shimcache and more, Infocyte’s detection leaves no stone unturned in the search for a compromise. Once detection has occurred, Infocyte’s multi-sourced threat intelligence combines numerous third-party sources, machine learning, and custom detection capabilities (available with Extensions) and analyzes the collected data to identify:
- How the asset was compromised
- How impactful the compromise is
- A history of activity (ActivityTrace)
Infocyte adds to the Detection & Analysis phase by providing numerous mechanisms to notify the user (an Incident Responder) of these findings. This level of inspection naturally leads to the next phase, Response.
Response: Containment, Eradication, and Recovery
Infocyte Extensions are directly aimed at providing the user with a unique, flexible and extensible method for containing, eradicating, and recovering an asset from a security incident. Through the Infocyte Platform, users may leverage pre-existing and available extensions from our community library, or develop their own extensions to completely customize how they would like to respond to a security incident. Whether the response be host isolation or collecting/dumping additional data to conduct offline analysis, Infocyte’s Extensions make the impossible, possible.
The Infocyte Platform can provide key information to aid in an organization’s Post-Incident Activity and the data necessary to properly close out the incident case. Infocyte retains the evidence discovered during the Incident Response activity; as well as, any documentation on the findings or each malicious item discovered. Infocyte also provides a reporting capability that will allow the export of key reports, which highlight uncovered threats, asset reports, and any identified vulnerabilities.
Infocyte Extensions: Key Features & Capabilities
Extensions offer an open-ended platform providing users with the ability to develop the capabilities they need to collect, detect, and/or respond in a manner that makes sense for their business. Some examples of Extensions already in use within Infocyte’s platform, include the following…
Detection: eDiscovery (PII Forensics)
The eDiscovery (PII Forensics) Extension is an example use-case for forensics that allows users to hunt through documents on a compromised host for personally identifiable information (PII) data that may exist. This can be used to quickly assess the potential for data breach on compromised hosts.
Analysis: Memory Dump for Offline Analysis
The Memory Dump for Offline Analysis Extension allows users to conduct an offline memory analysis. The initial case for this capability is to drop memory locally, so users can move the memory dump to a different system for offline analysis. This extension can be extended to dump the memory locally and also move the memory to an offline storage system (i.e., FTP, SMB, or AWS S3).
Response: Host Isolation
The Host Isolation Extension provides the user with a very quick response capability that simply isolates the host from the network. The host isolation extension leverages the asset’s local firewall functionality to block any and all communications to and from the host, except for communication back to Infocyte. This keeps the asset’s threats from spreading across your IT environment while allowing Incident Responders to conduct deeper inspection and analysis on the asset.
Recovery: Windows Volume Shadow Copy Snapshot and Restore
The Volume Shadow Copy Snapshot and Restore extension allows you to easily create a backup of your systems; as well as, recover from those backups (should a compromise occur). This provides users with the flexibility to leverage Infocyte’s Extension functionality to handle recovery efforts leveraging commonly used backup and restore capabilities.
Working with Extensions
Creating an Extension is done through the Infocyte Console and can be found under the Admin section. Administrators are the only user authorized to create an Extension and all documentation for supporting syntax and methods can be found within the GitHub documentation (https://github.com/Infocyte/extensions). From our GitHub, users can also openly comment, contribute, and fork submissions.