Forensic State Analysis (FSA) 


What Sets Infocyte Apart from Other Threat Hunting Tools


Infocyte HUNT is a threat hunting tool that offers Post Breach Detection using Forensic State Analysis (FSA). EDR and UEBA-based solutions focus on finding a breach in progress that has evaded traditional defenses. These approaches are expensive, difficult to manage, and error-prone.

Post breach detection is different. Infocyte HUNT assumes endpoints are already compromised and then uses Forensic State Analysis (FSA) to find definitive proof. 


FSA: The best approach for hunting post breach activity


Infocyte HUNT uses FSA to discover hidden threats and compromises within a network. It sweeps thousands of endpoints, spending a couple of minutes on each host, and conclusively validates the state of each one as "Compromised" or "Not Compromised".

At the highest level, Infocyte HUNT digs deep into an endpoint to validate:

• What is actively running?
• What is triggered to run (through a persistence mechanism)?

Next, it identifies any manipulation of the operating system (OS) or of active processes: what a rootkit does to hide its presence, or what an insider threat might do to disable the system's security controls. This reveals things like an altered OS configuration setting, or an API call hooked by a rogue or hidden process in volatile memory, i.e., a rootkit.


This is starkly different from the behavior analysis techniques used by Endpoint Detection and Response (EDR) or User and Entity Behavior Analytics (UEBA) products, which only record changes to a system or network as a stream of events, e.g., a new process spawning, a registry key change, or a user elevating privileges, rather than examining the resulting state of the host. FSA digs much deeper.

Perhaps the most important requirement for a successful state analysis of a compromised machine is the ability to bypass anti-forensics techniques. This is accomplished by going underneath the higher-level operating system APIs, which a rootkit can hook to return filtered results, and working directly with volatile memory structures; Infocyte HUNT does both.
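As an added example (not Infocyte HUNT's code, and not a description of how FSA is implemented inside it), the following Python script carries the two questions above, what is running and what is triggered to run, together with the anti-forensics point through on a Linux host. It takes the process list from a high-level view (the /proc directory listing that ps relies on) and from a lower-level view (probing every PID with kill(pid, 0), which answers independently of what readdir() on /proc reports), diffs the two to surface hidden processes, reviews persistence entries, and returns the Compromised / Not Compromised verdict the page describes. The persistence entries, the scratch-directory list, the list of security-control-disabling commands and the PID sets used in the demonstration are constructed assumptions for illustration.

```python
"""Minimal forensic-state sweep of one Linux host (added example, not Infocyte's code)."""
import os
import re

# ---- Stage 1: what is actively running?  (cross-view process enumeration) ----

def api_view_pids():
    """High-level view: the PIDs a ps-style tool sees, i.e. the /proc listing.
    A user-mode rootkit that hooks readdir() can filter entries out of this list."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def low_level_view_pids(pid_max=None):
    """Lower-level view: probe every PID with the null signal.  kill(pid, 0) answers
    ESRCH only when no such task exists, whatever readdir() on /proc reports.
    Scans every PID up to kernel.pid_max, so it takes a few seconds on a 4M pid_max."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue                 # ESRCH: nothing with this id
        except PermissionError:
            pass                     # EPERM: exists, owned by another user
        if _is_thread_group_leader(pid):
            found.add(pid)
    return found


def _is_thread_group_leader(pid):
    """kill() also accepts thread IDs, so keep only thread-group leaders (Tgid == pid).
    A task that answered kill() but has no readable /proc entry is kept as well:
    that discrepancy is exactly what the sweep is looking for."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except (FileNotFoundError, ProcessLookupError):
        return True
    return True


def cross_view_diff(api_pids, low_pids):
    """PIDs the lower-level view knows about that the API view does not."""
    return sorted(set(low_pids) - set(api_pids))


# ---- Stage 2: what is triggered to run?  (persistence review) ----

# Assumption: no legitimate autorun entry executes from a scratch directory.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Assumption: commands that turn off a host security control are worth flagging.
DISABLES_CONTROL = re.compile(
    r"setenforce\s+0|systemctl\s+(?:stop|disable)\s+(?:auditd|apparmor|firewalld)|ufw\s+disable"
)


def review_persistence(entries):
    """entries: (mechanism, name, command) triples as a collector would gather them
    from systemd units, cron tables, rc scripts and the like.  Returns findings."""
    findings = []
    for mechanism, name, command in entries:
        if any(d in command for d in SCRATCH_DIRS):
            findings.append(f"{mechanism}:{name} runs from a scratch directory: {command}")
        if DISABLES_CONTROL.search(command):
            findings.append(f"{mechanism}:{name} disables a security control: {command}")
    return findings


def sweep_host(api_pids, low_pids, persistence):
    """Combine both stages into the binary verdict plus the evidence behind it."""
    findings = [f"pid {p} answers kill() but is absent from the /proc listing (hidden process?)"
                for p in cross_view_diff(api_pids, low_pids)]
    findings += review_persistence(persistence)
    return {"verdict": "Compromised" if findings else "Not Compromised", "findings": findings}


# Constructed sample input (not collected from a real host).
SAMPLE_PERSISTENCE = [
    ("systemd", "sshd.service", "/usr/sbin/sshd -D"),
    ("cron", "root", "@reboot /dev/shm/.x/update"),
    ("rc.local", "-", "setenforce 0; /usr/bin/python3 /var/tmp/.agent.py"),
]

if __name__ == "__main__":
    # Constructed views: the lower-level view sees PID 4242 that the API view does not.
    report = sweep_host({1, 2, 300}, {1, 2, 300, 4242}, SAMPLE_PERSISTENCE)
    print(report["verdict"])
    for finding in report["findings"]:
        print(" -", finding)
    if os.path.isdir("/proc"):       # live check of the local Linux host
        live = sweep_host(api_view_pids(), low_level_view_pids(), [])
        print("local host:", live["verdict"], live["findings"])
```

The two views are racy: a process that starts or exits between them shows up as a discrepancy, so in a live sweep take the views back-to-back and re-check any candidate PID before reporting it. Cross-view comparison also only finds disagreement between the layers you compare; a kernel-mode rootkit that filters both views leaves nothing to diff, which is why the page stresses reading volatile memory structures directly rather than trusting any OS API.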

The Infocyte HUNT Advantage


Infocyte HUNT does not replace the need for centralized logging or real-time behavior monitoring. On the contrary, they are highly complementary: Infocyte HUNT fills the gap in post-compromise detection. For the mature enterprise SOC already hunting, Infocyte HUNT lets you do away with the custom scripts and other one-host-at-a-time DFIR processes used to validate the suspicious behaviors your team detects.

With Infocyte HUNT's FSA methodology you can iteratively and effectively sweep every endpoint to find entrenched threats and beachheads hiding anywhere in your environment.


It provides the best approach for hunting post breach activity because it is the:

• Easiest to use
• Most conclusive
• Most cost-effective

Learn more about Infocyte HUNT's FSA approach and its advantages for Post Breach Detection.