Forensic State Analysis (FSA) 


What Sets Infocyte Apart from Other Threat Hunting Tools

Infocyte HUNT is an agentless threat hunting solution that uses Forensic State Analysis (FSA) to perform deep host inspections of devices. Unlike analytics (UEBA) solutions, Infocyte collects its own primary forensic data rather than relying on existing security logs from sensors (IDS, AV, EDR, etc.) that failed to alert on the attack in the first place.

Log analysis approaches are generally expensive, difficult to manage, and error-prone. They require in-depth knowledge of adversary tactics and of how those tactics present themselves in the logs of your security solutions. Log analysis can be an effective component of a security stack for organizations able to commit the monetary and expert resources needed to realize its full value. Infocyte complements and strengthens these tools through ongoing forensic inspection and baseline-independent analysis, finding the threats that elude traditional log analysis without the need for specialized knowledge.

Infocyte HUNT is designed around three principles: independence, minimal invasiveness, and simplicity. It starts by assuming endpoints are already compromised and then seeks to validate that assumption using a variety of forensic and threat hunting techniques. Automated forensic collection, threat intel enrichment, and deep analysis workflows for digging into anomalies and outliers help hunters find what purely automated detection misses.

FSA: The best approach for hunting for persistent compromises

Infocyte HUNT uses FSA to discover hidden threats and compromises within a network. It sweeps thousands of endpoints, spending a couple of minutes on each host, and conclusively validates the state of each as "Compromised" or "Not Compromised".

At the highest level, Infocyte HUNT digs deep into an endpoint to validate:

• What is actively running?
• What is triggered to run (through a persistence mechanism)?

Next, it identifies any manipulation of the operating system (OS) or of active processes, e.g., what a rootkit does to hide its presence, or what an insider threat might do to disable the system's security controls. This reveals things like a tampered OS configuration setting, or an API call hooked by a rogue or hidden process in volatile memory, i.e., a rootkit.

This is starkly different from the behavior analysis techniques used by Endpoint Detection and Response (EDR) or User Behavior Analytics (UBA) products, which only record the changes to a system or network as events, e.g., a new process spawning, a registry key change, or a user elevating privileges. FSA digs much deeper.

Perhaps the most important aspect of ensuring the state analysis of a compromised machine is successful is being able to bypass anti-forensics techniques. This is accomplished by going underneath higher-level operating system APIs and working directly with volatile memory structures, both of which Infocyte HUNT does.

The Infocyte HUNT Advantage

Infocyte HUNT does not replace the need for centralized logging or real-time behavior monitoring. On the contrary, they are highly complementary – Infocyte HUNT fills the gap in post-compromise detection by providing a capability to audit and validate what and who is on all the hosts in the network.

For the mature enterprise SOC already hunting, Infocyte HUNT enables you to do away with the custom scripts and other one-host-at-a-time DFIR processes you use to validate suspicious behaviors your team detects.

With Infocyte HUNT's FSA methodology you can iteratively and effectively sweep all of your endpoints to find entrenched threats and beachheads hiding on any of them.

It provides the best approach for hunting persistent threats:

• Easiest to use
• Most conclusive
• Most cost-effective

Learn more about Infocyte HUNT's FSA approach and its advantages for finding persistent threats.