A Brief History of Forensic State Analysis
Prior to starting Infocyte, our co-founders, Chris Gerritz and Russ Morris, created the first enterprise-scoped threat hunting team for the entire U.S. Department of Defense. Their teams were responsible for hunting, detecting, and responding to highly sophisticated attacks across an 800,000-node network.
With virtually unlimited resources and access to any endpoint security solutions available, Chris and Russ decided to build something better.
Fast forward to 2014 when Infocyte was established, Forensic State Analysis (FSA) emerged as the core technology powering our Threat Detection & Incident Response platform, Infocyte HUNT. FSA enables security teams to expose, investigate, and eliminate hidden cyber threats quickly and cost-effectively.
How Forensic State Analysis Helps You Hunt, Detect, and Respond to Hidden Cyber Threats
FSA involves continuously inspecting thousands of hosts/systems/servers (“endpoints”) within a network to collect and analyze digital forensics data, and then validating each endpoint’s state as “compromised” or “not compromised.”
In other words, FSA is a continuous compromise assessment of every endpoint on your network.
At the host/server level (endpoint) FSA seeks to validate:
- What applications and processes are running (in memory)
- What is triggered to run (through persistence mechanisms)
- What has already run (via forensic execution artifacts)
Lastly, FSA examines the operating system (OS) for manipulations and/or suspicious active processes (e.g. an executable running from your recycle bin).
Together, these steps allow Infocyte HUNT to reveal tampered OS configuration settings (e.g. an insider disabling system security controls, or an attacker trying to hide their presence) and API calls made by a rogue or hidden process in volatile memory (e.g. a rootkit).
Based on the results, Infocyte HUNT performs additional analysis/categorization/prioritization, eliminating false negatives and false positives, and helping security teams focus on responding to real threats, faster.
Advanced Threat Detection with FSA
The process of hunting and exposing advanced persistent threats (APTs), file-less malware, hidden backdoors, etc. with FSA is performed in five steps:
- Inspect the endpoint and collect forensic data
- Enrich the forensic data with threat intelligence
- Triage leads with AI and machine learning algorithms
- Investigate suspicious findings
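The following is an added example, not Infocyte's code, showing in miniature what the endpoint-state checks above and the collect/enrich/triage steps look like when written down: a constructed snapshot of one host's running processes, persistence entries and execution artifacts is enriched against a constructed intel set, each artifact is scored, and the host is validated as compromised or not. Every hash, path, host name and threshold here is invented sample data, and the scoring weights are assumptions chosen for illustration, not the product's algorithm.

```python
"""Minimal forensic-state check over a constructed endpoint snapshot.

Added example (not Infocyte's code). Models the three questions in the post:
what is running, what is set to run, what has run; then enriches and triages.
All hashes, paths and hosts are constructed sample data, not real IoCs.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed baseline: hashes a known-good inventory vouches for.
KNOWN_GOOD = {"aa11", "bb22", "cc33"}
# Constructed threat-intel feed: hashes flagged as malicious.
KNOWN_BAD = {"dd44"}
# Directories a legitimate service should not execute from. The recycle-bin
# case comes from the post; the temp directories are an added assumption.
SUSPICIOUS_DIRS = ("$recycle.bin", "\\temp\\", "/tmp/")


@dataclass
class Artifact:
    kind: str        # "process" (in memory), "persistence" (set to run), "execution" (has run)
    path: str
    sha256: str
    signed: bool = True


@dataclass
class Snapshot:
    host: str
    artifacts: List[Artifact]
    security_controls: Dict[str, bool]   # e.g. {"realtime_av": True}


def enrich(a: Artifact) -> str:
    """Step 2: label an artifact 'bad', 'good' or 'unknown' from intel and baseline."""
    if a.sha256 in KNOWN_BAD:
        return "bad"
    if a.sha256 in KNOWN_GOOD:
        return "good"
    return "unknown"


def triage(a: Artifact) -> int:
    """Step 3: score one artifact; higher means more worth an analyst's time."""
    label = enrich(a)
    score = {"bad": 100, "unknown": 20, "good": 0}[label]   # assumed weights
    low = a.path.lower()
    if any(d in low for d in SUSPICIOUS_DIRS):
        score += 40   # executable living in a throwaway directory
    if not a.signed and label != "good":
        score += 20   # unsigned and not vouched for by the baseline
    if a.kind == "persistence" and label != "good":
        score += 20   # unknown code wired to survive a reboot
    return score


def assess(snap: Snapshot, threshold: int = 60) -> dict:
    """Validate one endpoint's state as compromised or not compromised."""
    findings = []
    for a in snap.artifacts:
        s = triage(a)
        if s >= threshold:
            findings.append((a.kind, a.path, s))
    # OS manipulation check: a disabled security control is itself a lead.
    for name, enabled in snap.security_controls.items():
        if not enabled:
            findings.append(("os_config", f"{name} disabled", threshold))
    return {
        "host": snap.host,
        "compromised": bool(findings),
        "findings": sorted(findings, key=lambda f: -f[2]),
    }


# Constructed sample snapshots (invented hosts, paths and hashes).
CLEAN = Snapshot("ws-clean-01", [
    Artifact("process", r"C:\Windows\System32\svchost.exe", "aa11"),
    Artifact("persistence", r"C:\Program Files\Backup\agent.exe", "bb22"),
    Artifact("execution", r"C:\Windows\System32\cmd.exe", "cc33"),
], {"realtime_av": True, "host_firewall": True})

SUSPECT = Snapshot("ws-suspect-07", [
    Artifact("process", r"C:\$Recycle.Bin\S-1-5-21-0\update.exe", "ee55", signed=False),
    Artifact("persistence", r"C:\Users\u\AppData\Local\Temp\svc.exe", "dd44", signed=False),
    Artifact("execution", r"C:\Windows\System32\cmd.exe", "cc33"),
], {"realtime_av": False, "host_firewall": True})

if __name__ == "__main__":
    for snap in (CLEAN, SUSPECT):
        print(assess(snap))
```

The point of the structure is that the verdict comes from the host's current state (what is loaded, what is wired to run, what ran, what was switched off) rather than from watching behaviour over time; the "unknown" bucket is where hunting effort goes, since a hash seen nowhere in the baseline or the intel feed is exactly what a behaviour-based alert would not raise.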
In terms of endpoint security and threat detection, this is a highly differentiated approach from behavior analysis techniques employed by endpoint detection and response (EDR) platforms and UEBA products.
FSA enables Infocyte HUNT to dig deeper, exposing advanced threats inside each host and helping security teams investigate and respond to threats, faster.
Learn more about Forensic State Analysis — join us for an upcoming webinar about Threat Detection and Incident Response with Forensic State Analysis…