This post was last updated on December 10th, 2019 at 12:49 pm

Feature Overview

Forensic State Analysis (FSA)

Infocyte HUNT is an agentless threat hunting solution that utilizes Forensic State Analysis (FSA) to perform deep host inspections of devices. Unlike analytics (UEBA) solutions, Infocyte pulls its own primary forensic data (rather than relying on existing security/information logs from sensors — IDS, AV, EDR, etc. — that failed to alert on the attack in the first place).

The log analysis approach to threat hunting is expensive, difficult to manage, time consuming, and error-prone. Log analysis threat hunting requires in-depth knowledge of adversary tactics and how those tactics present themselves in the logs of your security solutions.

Infocyte complements and strengthens your existing defensive cybersecurity tools via ongoing forensic inspection and baseline-independent analysis — all without the need for specialized knowledge and threat hunting experts.

HUNT is designed to be independent, minimally invasive, and easy to use. It begins by assuming your endpoints are already compromised. HUNT then seeks to validate this assumption, using a variety of forensic and threat hunting techniques — automated forensic collection, threat intel enrichment, and deep analysis workflows to dig into anomalies and outliers — helping threat hunters find what purely automated detection tools regularly overlook.

Compare HUNT to other enterprise endpoint security solutions like Endpoint Detection & Response (EDR) and Antivirus (AV) tools.

Forensic State Analysis is the best approach for hunting for persistent compromises and advanced threats.

How Infocyte HUNT Works

Infocyte HUNT uses FSA to discover hidden threats and compromises within a network. HUNT's agentless threat hunting survey sweeps thousands of endpoints per hour to conclusively validate each one's state as "Compromised" or "Not Compromised."

Infocyte HUNT inspects each endpoint/device to validate:

  • What is actively running?
  • What is triggered to run (through a persistence mechanism)?

Next, it identifies any manipulation of the operating system (OS) or active processes, e.g., what a rootkit does to hide its presence, or what an insider threat might do to disable the system's security controls. This reveals things like a changed OS configuration setting, or an API call hooked by a rogue or hidden process in volatile memory, i.e., a rootkit.

This is starkly different from the behavior analysis techniques used by Endpoint Detection and Response (EDR) or User Behavior Analytics (UBA) products, which only record the changes to a system or network as events, e.g., a new process spawning, a registry key change, or a user elevating privileges. FSA digs much deeper.

Perhaps the most important requirement for a successful state analysis of a compromised device (or endpoint) is the ability to bypass anti-forensics techniques. This is accomplished by digging into higher-level operating system APIs and working directly with volatile memory structures — both of which Infocyte HUNT does, automatically.
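To make the cross-view idea behind this kind of state inspection concrete, here is an added example for a Linux host (not Infocyte code and not how HUNT itself is built): it collects "what is running" from two independent vantage points and reports tasks the kernel acknowledges but the /proc listing omits, which is the discrepancy a rootkit that filters directory enumeration would leave behind. It assumes a mounted /proc filesystem; the signal-0 probe, the PID range and the helper names are my choices.

```python
import os

PROC = "/proc"  # assumption: Linux procfs is mounted here


def api_view():
    """View 1: PIDs (and TIDs) the /proc directory listing exposes. A rootkit that
    filters readdir() results hides processes from exactly this view."""
    visible = set()
    for name in os.listdir(PROC):
        if not name.isdigit():
            continue
        visible.add(int(name))
        try:
            # thread IDs also answer to kill(2), so collect them to avoid false hits
            visible.update(int(t) for t in os.listdir(f"{PROC}/{name}/task"))
        except OSError:
            pass  # task exited between the two reads; harmless
    return visible


def probe_view(max_pid):
    """View 2: task IDs the kernel itself admits exist when probed with signal 0.
    Signal 0 delivers nothing; it only asks the kernel whether the target exists."""
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue  # ESRCH: no such task
        except PermissionError:
            pass  # EPERM: exists, owned by another user
        alive.add(pid)
    return alive


def hidden_pids(visible, alive):
    """Pure comparison step: tasks present in the probe view but not the API view."""
    return sorted(alive - visible)


def survey(max_pid=None):
    """Run both collections on this host and return confirmed discrepancies."""
    if max_pid is None:
        with open(f"{PROC}/sys/kernel/pid_max") as fh:
            max_pid = int(fh.read())
    candidates = hidden_pids(api_view(), probe_view(max_pid))
    # A task that started between the two collections is not hidden: re-check
    # /proc once more and keep only PIDs that still cannot be seen there.
    return [p for p in candidates if not os.path.exists(f"{PROC}/{p}")]


if __name__ == "__main__":
    print("hidden task IDs:", survey() or "none")
```

Probing every PID up to pid_max (which can be as large as 4194304 on 64-bit systems) takes a few seconds in Python; pass `max_pid` to bound the sweep. Any PID it reports deserves a memory-level look rather than trust in the host's own API answers, which is the point the section above makes.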

The Infocyte HUNT Advantage

Infocyte HUNT does not replace the need for centralized logging or real-time behavior monitoring. On the contrary, these endpoint security tools are highly complementary.

Rather, HUNT fills the gap in post-compromise detection by providing the capabilities to audit, assess, and validate what and who is on all the hosts in your network.

For the mature enterprise Security Operations Center (SOC) already doing threat hunting, Infocyte HUNT replaces the custom scripts and other one-host-at-a-time DFIR processes your team uses to validate the suspicious behaviors it detects, and automates the threat hunting process.

With Infocyte HUNT’s FSA methodology you can iteratively and effectively sweep every endpoint to find entrenched threats and beachheads capable of penetrating your existing cybersecurity defenses.

HUNT provides the best approach to hunting persistent threats, because it is:

  • Easy to use
  • Independently conclusive
  • Highly cost-effective

Learn more about Forensic State Analysis and Infocyte HUNT's unique approach to finding hidden and persistent threats.