What is Cyber Threat Hunting?
Threat hunting is a proactive cybersecurity practice aimed at identifying and mitigating threats that have evaded existing security measures within an organization’s network. Unlike traditional reactive security approaches that rely on automated alerts and known threat signatures, threat hunting involves actively searching for indicators of compromise (IoCs) and tactics, techniques, and procedures (TTPs) used by adversaries.
Key Aspects of Threat Hunting:
- Proactive Approach: Threat hunting is initiated based on the hypothesis that threats may already be present in the network. It involves actively searching for abnormal behavior and signs of potential breaches before they manifest into significant security incidents.
- Human-Centric: While tools and automation play a role, threat hunting relies heavily on the expertise, intuition, and analytical skills of cybersecurity professionals. Hunters use their understanding of adversary behavior and network operations to uncover hidden threats.
- Hypothesis-Driven: Hunters often start with a hypothesis about possible threat vectors, derived from threat intelligence, past incidents, or emerging trends. They then seek to confirm or refute these hypotheses through investigation and analysis.
- Iterative Process: Threat hunting is not a one-time activity but an ongoing, iterative process. Hunters continuously refine their techniques and strategies based on new intelligence and findings.
Purpose and Importance of Threat Hunting:
- Early Detection of Threats: By actively searching for threats, organizations can detect and respond to malicious activities before they cause significant damage. This early detection is crucial in reducing the dwell time of threats within the network.
- Enhanced Security Posture: Threat hunting helps identify gaps in existing security measures and improves overall defenses by uncovering previously unknown vulnerabilities and weaknesses.
- Understanding Adversaries: Through threat hunting, organizations gain insights into the tactics and techniques used by attackers. This knowledge is invaluable for improving defensive strategies and anticipating future threats.
- Reduced Risk: Proactively hunting threats minimizes the risk of data breaches, financial losses, and reputational damage by addressing potential threats before they escalate.
- Continuous Improvement: The findings from threat hunting exercises inform the development of better detection mechanisms and security policies, leading to a more robust security environment.
In summary, threat hunting is a critical component of modern cybersecurity strategy, emphasizing a proactive stance against potential threats. Its goal is to stay ahead of adversaries by continuously seeking out and mitigating risks that traditional security measures might miss.
How Threat Hunting Works
The threat hunting process is a structured approach to proactively search for cyber threats within an organization’s network. It consists of several key steps, from hypothesis generation to investigative techniques and response actions. Here’s a detailed breakdown of each step:
1. Hypothesis Generation
a. Identify Potential Threats:
- Use threat intelligence feeds, past incidents, and knowledge of current attack trends to identify potential threats.
- Develop a hypothesis about where threats might exist and what they might look like.
b. Formulate Hypotheses:
- Create hypotheses based on potential attack vectors, adversary tactics, techniques, and procedures (TTPs), and known vulnerabilities.
- Example Hypothesis: “Adversaries might be using compromised credentials to access sensitive data during non-business hours.”
2. Data Collection and Preparation
a. Identify Data Sources:
- Determine which data sources are needed to test the hypothesis, such as log files, network traffic data, endpoint data, and threat intelligence reports.
b. Collect and Aggregate Data:
- Gather relevant data from various sources and aggregate it in a centralized location for analysis.
- Ensure data is cleaned and normalized for consistency.
3. Investigative Techniques
a. Data Analysis:
- Use advanced analytical techniques to examine the collected data for indicators of compromise (IoCs) and anomalies.
- Apply pattern matching, statistical analysis, and machine learning algorithms to identify suspicious activities.
b. Search for IoCs and TTPs:
- Look for known IoCs such as unusual IP addresses, domain names, file hashes, and registry changes.
- Analyze the data for TTPs outlined in frameworks like MITRE ATT&CK.
c. Behavioral Analysis:
- Monitor and analyze user and system behavior to identify deviations from normal patterns.
- Use User and Entity Behavior Analytics (UEBA) to detect anomalies that might indicate malicious activities.
d. Threat Hunting Tools:
- Utilize threat hunting tools and platforms that provide capabilities for data analysis, visualization, and threat detection.
- Examples include SIEM systems, EDR solutions, and specialized threat hunting platforms.
4. Hypothesis Testing and Refinement
a. Validate Findings:
- Correlate findings with the initial hypothesis to determine if the hypothesis holds true.
- Validate detected anomalies and IoCs through manual investigation and cross-referencing with threat intelligence.
b. Refine Hypotheses:
- Refine and adjust the hypothesis based on new insights and findings.
- Develop new hypotheses if initial ones are disproven or if additional suspicious activities are uncovered.
5. Response Actions
a. Incident Response:
- If a threat is confirmed, initiate incident response procedures to contain, eradicate, and recover from the threat.
- Coordinate with the incident response team to ensure a swift and effective response.
b. Documentation and Reporting:
- Document the findings, investigative process, and response actions taken.
- Generate reports to inform stakeholders and improve future threat hunting activities.
c. Mitigation and Remediation:
- Implement measures to mitigate the identified threats and remediate any vulnerabilities exploited by attackers.
- Update security controls, policies, and procedures to prevent similar threats in the future.
6. Continuous Improvement
a. Review and Learn:
- Conduct post-hunt reviews to assess the effectiveness of the threat hunting process and identify areas for improvement.
- Analyze what worked well and what could be enhanced for future hunts.
b. Feedback Loop:
- Use the insights gained from threat hunting to improve detection capabilities, update threat intelligence, and refine hunting techniques.
- Continuously iterate on the threat hunting process to adapt to evolving threats and attack methodologies.
By following these steps, organizations can systematically and effectively hunt for threats within their networks, staying ahead of adversaries and improving their overall cybersecurity posture.
Key Components of Threat Hunting
Hypothesis Generation
Hypothesis generation is the foundational step in the threat hunting process, where cybersecurity professionals create educated assumptions about potential threats based on available data and threat intelligence. This involves analyzing current threat landscapes, understanding adversary tactics, techniques, and procedures (TTPs), and leveraging insights from previous incidents and threat intelligence feeds.
Hunters formulate hypotheses by considering possible attack vectors, targeting methods, and the nature of the organization’s assets. For instance, a hypothesis might propose that attackers are exploiting a specific vulnerability in a software application to gain unauthorized access. By generating these hypotheses, threat hunters can direct their investigations towards the most likely areas of compromise, making the hunting process more focused and efficient.
Investigative Techniques
Investigative techniques in threat hunting encompass a range of methods used to identify and analyze potential threats within an organization’s network. Anomaly detection involves monitoring network traffic, user behavior, and system activities to spot deviations from established baselines that could indicate malicious activity. Behavioral analysis further scrutinizes these anomalies by comparing them against known patterns of legitimate and malicious behavior.
Additionally, deception technology, such as honeypots and honey tokens, is deployed to lure attackers and study their methods without compromising actual systems. These techniques, combined with advanced data analytics, machine learning, and threat intelligence, enable threat hunters to uncover hidden threats, understand the modus operandi of adversaries, and take proactive measures to mitigate risks before they escalate into significant security incidents.
Threat Hunting Tools
- Provide an overview of tools commonly used in threat hunting, highlighting their capabilities and how they assist in identifying threats.
Threat hunting relies on a variety of sophisticated tools to assist in identifying and analyzing potential threats. These tools offer a range of capabilities, from data collection and aggregation to advanced analytics and threat detection. Here is an overview of some commonly used tools in threat hunting:
Deception Technology: This proactive approach involves deploying deceptions that act as baits for attackers. By monitoring how attackers interact with these deceptions, threat hunters can learn about their tactics and identify real attacks hidden within the network. This intelligence helps threat hunters understand the adversary’s behavior and improve defenses.
Security Information and Event Management (SIEM) Systems
SIEM systems, such as Splunk, IBM QRadar, and ArcSight, are central to threat hunting efforts. They collect and aggregate log data from various sources within the network, providing a comprehensive view of all activities. SIEM systems use advanced analytics to correlate events, detect anomalies, and generate alerts based on predefined rules. They also offer powerful search and visualization capabilities, allowing threat hunters to investigate suspicious activities and identify patterns that may indicate a threat.
Endpoint Detection and Response (EDR) Tools.
EDR tools, like CrowdStrike Falcon, Carbon Black, and SentinelOne, focus on monitoring and protecting endpoints such as computers and mobile devices. These tools collect detailed data on endpoint activities, including file modifications, process executions, and network connections. EDR solutions use behavioral analysis and machine learning to detect suspicious activities and provide threat hunters with real-time visibility into endpoint behaviors. They also offer response capabilities, enabling hunters to isolate compromised devices and remediate threats.
Network Traffic Analysis (NTA) Tools
NTA tools, such as Corelight, Darktrace, and ExtraHop, analyze network traffic to detect malicious activities. These tools monitor network flows, inspect packet contents, and use machine learning to identify anomalies and potential threats. NTA tools help threat hunters by providing insights into lateral movement, data exfiltration attempts, and communication with known malicious IP addresses. They offer detailed forensic data that can be used to trace the path of an attack and identify compromised systems.
Threat Intelligence Platforms (TIPs)
TIPs, like ThreatConnect, Anomali, and Recorded Future, aggregate and analyze threat intelligence from multiple sources. These platforms provide threat hunters with up-to-date information on emerging threats, IoCs, and adversary TTPs. TIPs help hunters enrich their hypotheses, validate findings, and prioritize threats based on the latest intelligence. By integrating with other security tools, TIPs enable automated threat detection and response.
User and Entity Behavior Analytics (UEBA) Tools
UEBA tools, such as Exabeam, Securonix, and Vectra, focus on detecting anomalies in user and entity behavior. These tools create behavioral baselines for users, devices, and applications, and then identify deviations that may indicate malicious activities. UEBA tools use machine learning to detect insider threats, compromised accounts, and advanced persistent threats (APTs). They provide threat hunters with detailed insights into abnormal behaviors and potential security incidents.
Threat Hunting Framework
A structured framework for conducting threat hunting ensures a systematic and thorough approach to identifying and mitigating potential threats within an organization’s network. This framework typically includes the following phases: Preparation, Detection, Investigation, and Response.
1. Preparation
a. Define Objectives and Scope:
- Establish clear goals for the threat hunting activity, such as detecting specific types of threats or improving overall security posture.
- Define the scope of the hunt, including which systems, networks, and data sources will be examined.
b. Assemble a Threat Hunting Team:
- Gather a team of skilled cybersecurity professionals with expertise in threat hunting, data analysis, and incident response.
- Assign roles and responsibilities to team members.
c. Gather and Prepare Data:
- Identify and aggregate relevant data sources, such as logs from SIEM systems, EDR tools, network traffic, and threat intelligence feeds.
- Ensure data is cleaned, normalized, and ready for analysis.
d. Develop Hypotheses:
- Based on threat intelligence, past incidents, and known vulnerabilities, create hypotheses about potential threats and attack vectors.
- Example: “An attacker might be using stolen credentials to access sensitive data during non-business hours.”
2. Detection
a. Deploy Detection Tools:
- Utilize SIEM systems, EDR tools, NTA solutions, and other detection technologies to monitor network and endpoint activities.
- Configure tools to generate alerts for suspicious activities and potential threats.
b. Conduct Data Analysis:
- Analyze collected data using advanced techniques such as pattern matching, statistical analysis, and machine learning.
- Identify anomalies, IoCs, and unusual behaviors that deviate from established baselines.
c. Use Behavioral Analysis:
- Employ UEBA tools to monitor and analyze user and entity behaviors.
- Detect deviations from normal patterns that may indicate compromised accounts or insider threats.
d. Leverage Threat Intelligence:
- Integrate threat intelligence platforms to enrich detection capabilities.
- Cross-reference detected anomalies with known IoCs and TTPs.
3. Investigation
a. Validate and Correlate Findings:
- Validate detected anomalies and potential threats through manual investigation and analysis.
- Correlate findings with threat intelligence and other data sources to confirm their legitimacy.
b. In-depth Analysis:
- Conduct deeper analysis of identified threats, examining log files, network traffic, endpoint data, and other relevant information.
- Use forensic techniques to trace the origin, method, and impact of the threat.
c. Refine Hypotheses:
- Based on the investigation, refine and adjust initial hypotheses.
- Develop new hypotheses if additional suspicious activities are uncovered.
d. Document Findings:
- Document all findings, including the nature of the threat, affected systems, and potential impact.
- Create detailed reports to inform stakeholders and guide response actions.
4. Response
a. Initiate Incident Response:
- If a threat is confirmed, initiate the incident response process to contain, eradicate, and recover from the threat.
- Coordinate with the incident response team to ensure a swift and effective response.
b. Containment and Mitigation:
- Isolate affected systems to prevent further spread of the threat.
- Implement measures to mitigate the impact, such as blocking malicious IP addresses or resetting compromised credentials.
c. Remediation and Recovery:
- Remediate vulnerabilities exploited by the attackers.
- Restore affected systems and data to normal operation.
d. Post-Incident Review:
- Conduct a post-incident review to assess the effectiveness of the threat hunting and response efforts.
- Identify lessons learned and areas for improvement.
5. Continuous Improvement
a. Feedback and Learning:
- Use insights gained from threat hunting activities to improve detection capabilities, refine hunting techniques, and update security controls.
- Incorporate feedback into training and development programs for the threat hunting team.
b. Iterate and Evolve:
- Continuously iterate on the threat hunting process to adapt to evolving threats and attack methodologies.
- Stay updated with the latest threat intelligence and cybersecurity trends.
By following this structured framework, organizations can systematically and effectively conduct threat hunting activities, enhancing their ability to detect, investigate, and respond to potential threats and improving their overall cybersecurity posture.
Types of Threat Hunting
Manual Threat Hunting
Manual threat hunting involves cybersecurity professionals actively searching for threats within an organization’s network using their expertise, intuition, and analytical skills. Hunters manually investigate logs, network traffic, and endpoint data to identify signs of potential threats that automated systems may have missed.
Benefits:
- Deep Insights: Manual threat hunting allows hunters to gain a deeper understanding of the network and identify sophisticated threats through detailed analysis.
- Flexibility: Human hunters can adapt to new and emerging threats quickly, modifying their search techniques based on the latest intelligence and observed patterns.
- Hypothesis-Driven: Manual hunters often use their experience and intuition to form hypotheses about potential threats, which can lead to the discovery of novel attack vectors.
Challenges:
- Resource-Intensive: Manual threat hunting is time-consuming and requires significant human resources, making it difficult to scale across large networks.
- Skill-Dependent: The effectiveness of manual threat hunting heavily depends on the skills and experience of the hunters, leading to variability in results.
- Slow Response Time: Manual processes can be slower in detecting and responding to threats compared to automated systems, potentially allowing threats to persist longer.
Automated Threat Hunting
Automated threat hunting leverages advanced technologies, including artificial intelligence (AI) and machine learning (ML), to continuously monitor and analyze network activities for potential threats. Automated tools can process vast amounts of data quickly and efficiently, identifying anomalies and suspicious behaviors that warrant further investigation.
Benefits:
- Scalability: Automated threat hunting can handle large volumes of data and monitor extensive networks in real-time, providing comprehensive coverage.
- Consistency: Automated systems apply consistent detection rules and algorithms, reducing the variability in threat detection that may occur with manual hunting.
- Speed: Automated tools can quickly analyze data and generate alerts for potential threats, enabling faster response times.
Enhancements by AI and Machine Learning:
- Anomaly Detection: AI and ML algorithms can learn normal behavior patterns within the network and detect deviations that may indicate malicious activities.
- Predictive Analysis: ML models can predict potential threats based on historical data and known attack patterns, allowing proactive threat hunting.
- Threat Intelligence Integration: AI can automatically correlate findings with threat intelligence feeds, enriching the context and accuracy of threat detection.
- Reduced False Positives: Machine learning algorithms can improve over time, reducing the number of false positives and focusing hunters’ attention on genuine threats.
Challenges:
- Complexity: Implementing and maintaining AI and ML-based systems can be complex and require specialized expertise.
- Initial Training: ML models require extensive training with quality data to be effective, which can be resource-intensive.
- Adaptability: While AI and ML are powerful, they may struggle to adapt to novel attack techniques that deviate significantly from learned patterns without human oversight.
Proactive Threat Hunting
Proactive threat hunting is a cybersecurity strategy where hunters actively search for potential threats within an organization’s network before any signs of compromise become apparent. Unlike reactive approaches that rely on responding to alerts and incidents after they occur, proactive threat hunting seeks to identify and mitigate threats at their earliest stages.
Advantages:
Early Detection
Proactive threat hunting enables the identification of threats before they can cause significant damage. By continuously monitoring and analyzing network activities, hunters can detect subtle signs of malicious behavior, such as unusual login patterns, abnormal data transfers, or the presence of unauthorized software. Early detection allows for prompt intervention, reducing the risk of data breaches, financial losses, and operational disruptions.
Improved Security Posture
A proactive approach to threat hunting enhances an organization’s overall security posture. By regularly hunting for threats, organizations can identify and address vulnerabilities that might otherwise go unnoticed. This continuous improvement cycle helps in strengthening defenses, closing security gaps, and ensuring that security measures evolve alongside emerging threats and attack techniques.
Reduction of Dwell Time
Dwell time, the period during which a threat remains undetected within a network, is a critical factor in the severity of a security incident. Proactive threat hunting significantly reduces dwell time by actively seeking out threats rather than waiting for automated systems to trigger alerts. This reduction in dwell time limits the window of opportunity for attackers, minimizing the potential impact of their activities.
Enhanced Threat Intelligence
Proactive threat hunting provides valuable insights into the tactics, techniques, and procedures (TTPs) used by adversaries. By uncovering and analyzing these TTPs, hunters can contribute to the organization’s threat intelligence, informing better detection and response strategies. This intelligence can also be shared with the broader cybersecurity community, helping to improve collective defenses against common threats.
Continuous Monitoring
Proactive threat hunting involves continuous monitoring of network activities, enabling real-time detection and response to emerging threats. This continuous vigilance ensures that threats are identified and addressed promptly, maintaining the security of the organization at all times. It also provides a dynamic defense mechanism that can adapt to the ever-changing threat landscape.
Better Resource Allocation
By identifying potential threats early, proactive threat hunting allows organizations to allocate their security resources more effectively. Instead of reacting to incidents and managing the aftermath, security teams can focus on preventive measures and strategic improvements. This shift from a reactive to a proactive stance leads to more efficient use of time, personnel, and technology.
Building a Security Culture
Implementing proactive threat hunting fosters a culture of security awareness and vigilance within the organization. It emphasizes the importance of staying ahead of threats and encourages continuous learning and adaptation. This culture of proactive security helps in building a resilient organization that is better prepared to handle future challenges.
In conclusion, proactive threat hunting is a crucial element of modern cybersecurity strategies. By taking a proactive approach, organizations can identify and mitigate threats early, enhance their security posture, reduce dwell time, and improve resource allocation. This approach not only strengthens defenses but also fosters a culture of continuous improvement and vigilance, essential for staying ahead of evolving cyber threats.
How Acalvio Can Help with Threat Hunting
Acalvio ShadowPlex introduces a novel way of utilizing Deception Technology for active threat hunting activities. ShadowPlex offers a powerful threat hunting toolkit that is designed to ferret latent threats by providing controlled opportunities for the threats to reveal themselves on the network. ShadowPlex does not solely rely on IoC sweeps from event logs, firewall logs, DNS logs, IDS alerts, vulnerability data and other industry standard sources but instead uses its indigenous discovery anomaly detection technology, advanced AI algorithms and security domain knowledge to assist threat analysts in the hunt.
Recognizing that a good defensive posture requires an understanding of the battlefield, the toolkit is designed based on the attacker’s view of the enterprise – what information is most appealing, potential attack vectors, an attacker’s motivations, and which areas are vulnerable. Threat analysts can leverage this premium-level visibility coupled with ShadowPlex’s purpose-built deceptions for threat hunting activities.
HYPOTHESIS FORMATION
Threat hunting is a multi-stage process. It starts with a testable hypothesis. Since a proactive threat hunt implies that there is no confirmed threat to hunt, the hypothesis is often derived from the following sources. These sources can also be used to hunt for threats that have already invoked an incident but are still lurking in the enterprise:
THREAT INTELLIGENCE
The ability for threat hunters to consume threat intelligence is one of the key enablers for generating Threat Hunting hypotheses. Actionable threat intelligence reveals adversarial motives and their tactics, techniques, and procedures (TTPs). It also surfaces indicators of compromise (IoC), such as malicious IP addresses, fraudulent URLs, malware samples, TTPs associated with anomalous events, such as an unauthorized instance of Mimikatz on an endpoint, among others. Enterprises normally leverage this collective intellectual capital to formulate a hypothesis and set a starting point for the hunt.
ShadowPlex’s relevant and context-rich threat intelligence capability connects vulnerabilities with threat actors, their targets and their TTPs. ShadowPlex’s threat intelligence derivation is based on analysis from observations across internal data sources, detection events and enrichment data received from EDR, IDS, IPS, Vulnerability Management, SIEM and SOAR solutions. ShadowPlex uses sophisticated AI algorithms to analyse the data and predict threat movement in the network. Threat analysts can use this intelligence to build hypotheses to confirm the presence of threats and also test the enterprise’s preparedness against new variants of threats.
SITUATIONAL AWARENESS
A productive threat hunt requires a near-perfect knowledge of the enterprise environment. The widening attack surface with the introduction of new devices, applications, the cloud and the internet of things (IoT) has created new and unexpected challenges for enterprises. Enterprise networks are often extensive and involve many key assets, endpoints, interfaces, topologies and users, with layers of policies and rules. This results in a very complex interplay between the network entities.
Mission-critical applications, services, and data, commonly called crown jewels are some of the most critical IT assets in any organization. Active Directory, Exchange or Email Servers, Database Servers, Application Servers, Critical Applications and Data Center Assets are all generally categorized as high-value assets. Additionally, Source Control, Bug Tracking and Build Systems often get the attention of the attackers.
When the vastness of the network space increases, for threat analysts, it becomes important to look beyond a single incident occurrence on an asset and understand the underlying threat, its mission and motivation against the backdrop of the overall enterprise security objectives.
ShadowPlex provides powerful capabilities in automatically discovering the assets on the enterprise network and providing invaluable insights that reveal attack surfaces. ShadowPlex fuses multiple sources of data for discovery. Such a perspective encompassing the network entities, its users and possible lurking threats or attacks provides a level of situational awareness for the defense teams that can be invaluable in charting out appropriate investigation and mitigation or response activities.
Armed with this knowledge of deep network visibility, threat analysts can ask questions that lead to hypotheses about what an adversary might be looking for upon entering the network. They can determine the most useful types of data to collect in the environment and the locations from where it should be collected to be able to start the hunt.
In addition to hypothesis formation, situational awareness can also be leveraged for precision placement of deceptions to confirm the presence of threats and protect enterprise assets and crown jewels.
THREAT CONFIRMATION
The next step of the threat hunting process is to test the hypothesis.
ShadowPlex provides a rich palette of deceptions, specifically hand-crafted for threat hunting. With contextualized threat intelligence and situational awareness, threat analysts can configure and deploy the purpose-built deceptions on endpoints and other assets in the network to test hypotheses and provide opportunities for latent threats to surface. For example, A decoy with a vulnerability exposed can be deployed to provide an opportunity to malware or attackers looking for such a vulnerability and to help surface visibility of the latent threat.
ShadowPlex provides advanced luring techniques using breadcrumbs and baits (deployed on enterprise endpoints and assets) and lures (deliberate misconfigurations and vulnerabilities exposed in a secure, contained manner) to divert attackers away from real enterprise assets and towards purpose-built, high-interaction decoys. Deceptions are not visible to normal enterprise users but are designed to become visible in attacker tools. Enumeration or access of these deceptions trigger alerting within the enterprise to reveal the presence of a threat.
Note: Hypothesis generation and testing is a continuous process. The threat hunter forms one hypothesis, tests it, if proven false, forms and tests another one. Many threat hunting exercises might test several hypotheses in parallel.
If the hypothesis is proven and a threat is identified, the IR team can investigate the threat and subsequently initiate response actions, such as isolating or quarantining infected endpoints, generating alert notifications, suspending or killing a process, among other actions.
THREAT INVESTIGATION USING ADVANCED ANALYTICS
Once there is enough information to confirm the stated hypothesis, then the IR Team can check the nature, extent, and effect of the threat. Traditionally, enterprises perform endpoint IoC sweep scans, peruse vulnerability data reported by third-party vulnerability management systems, examine event logs and perform antivirus scans to investigate a threat. Decoy engagement, however, captures deep forensics of attacker intelligence, thereby offering valuable insight into threats that had penetrated perimeter defenses. With ShadowPlex, enterprises can obtain high confidence alerts of compromised endpoints with complete forensic data to enhance investigation efforts.
ShadowPlex offers advanced analytics including Script analysis (to analyze malicious and modified scripts such as PowerShell Scripts and derive their origin and capabilities such as Discovery, Lateral Movement, Privilege Escalation, and others), Log file analysis (to analyze the script execution and its capabilities), memory analysis to analyze memory dumps to detect advanced fileless threats. The present-day malware variants are increasingly fileless, memory resident and evade detection by traditional defense solutions. Memory analysis tasks are normally carried out as manual activities by defense teams and need specialized skills and non-trivial time and effort. ShadowPlex’s memory analysis helps with rapid, automated, and scalable threat identification and response. ShadowPlex incorporates the security domain knowledge in forensic analysis and that includes any recent sophisticated TTPs employed by the adversaries.
ShadowPlex can also be used to generate the adversary traversal path that shows how a potential threat may have traversed to the endpoint under investigation. ShadowPlex can also show the most probabilistic path that may have been taken. The nodes (endpoint systems) that appear in the traversal path can be used for further investigation to obtain insights into their potential compromise.