Event: CYDEF 2019
This post was last updated on April 8th, 2020 at 10:42 am
Infocyte had the pleasure of participating in CYDEF 2019, held June 18th and 19th in Kuala Lumpur, Malaysia. Our founder, Chris Gerritz, gave a 30-minute talk on Threat Intelligence, Deceptions, Confusions and Attacks.
The talk focuses on examples of recent attacks and some of the mistakes or errors organizations tend to make in their incident response processes. Ultimately, these mistakes lead to longer dwell times of malware, ATPs, and other unwanted/malicious software if left uncorrected.
Question and Answers
We’re open to taking questions on this topic. If you have any, please post them openly and we will do our best to post a reply within 48 hours.
Q: We are performing active-hunting in our IDS and perimeter defensive logs and are struggling with modern malware like doublepulsar, which we find to be extremely stealthy and also is successfully evading our IPS/IDS and network perimeter defences. Is there a best practice to detect this kind of malware or does this kind of challenge require a tool like Infocyte HUNT?Deputy CISO, National Electric Power Company, Malaysia
A: Malware that poses a threat is going to reside on endpoints where data is created and consumed – therefore a best practice would dictate that you need to hunt on endpoints themselves.
We would urge you to work towards two goals:
1/ defining and enforcing a dwell time period that is acceptable to your risk tolerances as an enterprise (how long are you willing to tolerate something like double pulsar running undiscovered)
2/ developing or acquiring the ability to validate that endpoints are malware free
Infocyte HUNT relies on a methodology called Forensic State Analysis that enables both of these goals.
In this methodology, endpoints are surveyed for forensic state data across three primary groupings: memory (what is currently running), persistence mechanisms (what is going to run), and artifacts (what has run). The results are then enriched, analyzed, and scored, prior to being presented to users. The goal is for a user to rapidly dismiss any false positives and identify high quality leads that need to be investigated to a conclusion.
The result is that you obtain evidence based and independent results on the compromise state of endpoints and you always know where you stand. If there’s a problem you address it, if not then you know you are malware free.
Scans of endpoints are run at a frequency determined by the user, this means that any potential dwell time is up to you.
Infocyte HUNT is not the only solution that can do this kind of work, however it’s faster, easier to use, and more affordable than other commercial options that claim the same functionalities. ‘
Please use the form below to submit a question for our team!