Compromise Assessment Service
Your essential post-breach strategy for detecting systems already compromised by attacks that are too sophisticated for your existing security controls to catch.

To establish trust in the IT environment for the board and executives, CyberStash conducts forensic-level analysis across the entire IT fleet at a frequency defined by the organization’s risk appetite. CyberStash obtains a higher degree of resilience and assurance by forensically detecting and responding to compromised systems and by discovering previously undetected breaches before they can cause irreversible damage. With the ability to uncover compromised hosts within 1 day, CyberStash reduces the likelihood of actual business impact by 96%.
Collection
Collection of forensic-level system information from all endpoints across the entire IT fleet.
Forensic State Analysis
Validate every aspect of the system by going underneath higher-level operating system APIs and working directly with volatile memory structures.
Enrichment
Inform discovery using Code Comparison, Machine Learning, Sandboxing, Threat Intelligence and Stacking Techniques.
Conclusive Validation
Conclusively confirm endpoints as compromised to establish trust in the IT environment for the Board and Executives.
Cybersecurity has traditionally focused on preventive controls driven by compliance and regulation standards. While these approaches continue to be important, it is now evident that no amount of defense can protect organizations against all types of cyber-attacks. Equal focus is also required for the early detection of post-breach activity and incident response before these attacks are able to compromise information or impact business. Furthermore, when responding to an incident, business stakeholders require a higher level of assurance that all malware and human adversaries have been eradicated from their IT environment and that the vulnerability leading to compromise has been discovered and remediated.
Detection Methodology
Unlike other breach-detection strategies, CyberStash doesn’t wait for predetermined events to occur before investigating suspected breaches. Instead, we use Forensic Depth Analysis (FDA) to proactively hunt and discover sophisticated and unknown attacks that would otherwise remain invisible in an enterprise environment. The FDA approach thoroughly validates every aspect of a system by going underneath higher-level operating system APIs and working directly with volatile memory structures. We combine FDA with intelligence and the anomaly analysis of operating system artifacts (STACKING) to generate leads. Once we have these forensic hits, we inform and enrich what we have discovered using additional techniques, including Code Comparison, Machine Learning, Sandboxing, Threat Intelligence, and finally Human Analysis.
Discovery of all compromised systems in your environment, including servers, workstations, and remote endpoints, whether hosted on-premise or in the cloud.
Validated clean-up of all human adversaries, backdoors, and malware following a cyber breach to re-establish trust in the IT environment for the board and executives.
Detection of systems compromised by advanced cyber-attacks that routinely circumvent existing security controls, whether operating on disk or in memory.
Benefits
Defines Policy for Controlling Breach-Dwell Time
Establishes and Maintains Trust in the IT Environment
Reduces Likelihood of Business Impact by 96% following a Breach
Methodology
That’s why our methodology involves looking at every possible forensic artefact, behaviour and traffic flow in an environment and conclusively validating its level of risk to the business.
Endpoint Forensic-Depth Analysis
File reputation and state-change analysis of processes, artefacts, autostarts, drivers, registry, accounts, modules and network connections.
In-Memory Living-off-the-Land Analysis
Fileless attack analysis using forensic-level memory analysis to detect malicious code in memory.
Endpoint Adversary Behavior Analysis
Mapping commands seen in the environment to hundreds of adversary behaviors, and their actions to a risk level.
Network Threat Intelligence Analysis
Capturing network traffic in-line and correlating it with millions of known malicious IP address and domain indicators.
Dynamic Analysis and Software Mapping
Detonating unknown and suspicious files in the CyberStash sandbox to discover their actual intention and level of risk.
Human Analysis and Reporting
Human analysis of discovered threats with context to business risk, and final reporting.
High-Risk Country and Autonomous System Intelligence
Detecting network traffic traversing to high-risk countries and autonomous systems.
15 Steps For Conclusive Validation & Response
CyberStash establishes trust in an IT environment by carrying out 15 steps.
The process we follow is akin to that of a highly trained digital forensic analyst; however, we deliver our deep-level analysis at scale through automated host-level surveys before augmenting and enriching what we’ve discovered.
When delivered as a Managed Detection and Response (MDR) service, our security analysts then go over the endpoint meticulously to flag every operating system component as Verified Good, For Review, Potentially Unwanted or Verified Bad. We maintain a memory of these decisions and then work on all the net-new forensic leads we discover on subsequent assessments, thus enabling us to deliver a feasible and scalable service to any size enterprise.
Finding Code in Memory
Discovering malicious code in memory requires forensic-level analysis, and CyberStash achieves this through the 5-step process illustrated below.
ENUMERATE LOADED MODULES
Ask the OS for a list of modules in the process (WMI, etc.).
PROCESS MEMORY WALK
Brute-force a process’s private memory regions (heap) using VirtualQuery. Identify and inspect any allocated sections with executable markers (i.e., RWX or RX).
MEMORY/DISK COMPARISON
For disk-mapped modules, compare the executable section of a module on disk to what it looks like in memory. A fuzzy-hash comparison gives the variation percentage.
THREAD WALK
Iterate through each executing thread within a process. Identify and inspect any threads pointing at private memory sections.
INSPECT LOADED TABLES
Inspect the process’s import tables to find references to all loaded libraries.
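As an added example (not CyberStash code), here is the triage logic behind the PROCESS MEMORY WALK and THREAD WALK steps, run over a constructed snapshot of the region and thread-start data that VirtualQuery and thread enumeration would return on a live host. The structure and constants mirror the Win32 values (MEMORY_BASIC_INFORMATION, MEM_PRIVATE, PAGE_EXECUTE_*) but are defined locally so the code builds as portable C; the region list and addresses are constructed sample data.

```c
#include <stdint.h>
#include <stddef.h>
/* Win32 values mirrored locally so the example builds as portable C. */
#define MEM_COMMIT              0x1000
#define MEM_PRIVATE             0x20000
#define MEM_IMAGE               0x1000000
#define PAGE_READWRITE          0x04
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
#define PAGE_ANY_EXECUTE (PAGE_EXECUTE | PAGE_EXECUTE_READ | \
                          PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)

/* One region as VirtualQuery reports it (subset of MEMORY_BASIC_INFORMATION). */
typedef struct { uint64_t base, size; uint32_t state, type, protect; } region_t;

/* Memory-walk lead: committed, private (not image- or file-backed) and
 * executable (RX/RWX). Legitimate code normally lives in MEM_IMAGE regions. */
int is_private_executable(const region_t *r) {
    return r->state == MEM_COMMIT && r->type == MEM_PRIVATE &&
           (r->protect & PAGE_ANY_EXECUTE) != 0;
}

/* Number of memory-walk leads in a region list. */
size_t count_private_exec(const region_t *regs, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        if (is_private_executable(&regs[i])) hits++;
    return hits;
}

/* Thread-walk lead: a thread start address that resolves to a private region
 * rather than a loaded image. Returns the region index, or -1 if no lead. */
long thread_in_private_memory(uint64_t start, const region_t *regs, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (start >= regs[i].base && start < regs[i].base + regs[i].size)
            return regs[i].type == MEM_PRIVATE ? (long)i : -1;
    return -1;   /* unmapped address: nothing to inspect here */
}

/* Constructed snapshot: an image .text region, an ordinary RW heap region,
 * and one RWX private allocation that a thread was started inside. */
const region_t SAMPLE[] = {
    {0x7ff600001000ULL, 0x20000, MEM_COMMIT, MEM_IMAGE,   PAGE_EXECUTE_READ},
    {0x1a2b00000000ULL, 0x10000, MEM_COMMIT, MEM_PRIVATE, PAGE_READWRITE},
    {0x1a2b00100000ULL, 0x1000,  MEM_COMMIT, MEM_PRIVATE, PAGE_EXECUTE_READWRITE},
};
const size_t SAMPLE_N = sizeof SAMPLE / sizeof SAMPLE[0];
```

On a real host these two checks only produce leads; the MEMORY/DISK COMPARISON and human review steps decide whether a flagged region is a JIT buffer, a packer, or injected code.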
State-of-the-art Cyber Security Solutions
To stay ahead of threats, the methodology used must not depend on detection engines designed to catch the threat itself.
The capability used to support such a methodology must be designed to ‘catch all leads’ and then validate each one and provide a conclusive verdict of either ‘compromised’ or ‘not compromised’ without leaving any room for doubt.
Human Analysis
Allowing threat enrichment and ultimate recognition of even the most sophisticated APTs in seconds.
Identification
Unknown File
We upload files that are flagged as forensically bad or suspicious to the CyberStash Cloud.
Extraction
CyberStash combines best-in-class technology, people, and processes to deliver its Compromise Assessment Service. We offer 4 service levels that meet an organization’s requirements for controlling breach dwell-time, aligned with its risk appetite.
Business Case
Controlling the breach dwell-time reduces the likelihood of business impact. By detecting and cleaning up breached systems within 1 day, the likelihood of business impact is reduced by 96%.
CyberStash combines human analysis with forensic depth analysis, malware analysis, and code comparison, to establish a higher level of trust and confidence in an IT environment for stakeholders. We are the Forensic Depth Compromise Assessment Company, delivering valuable outcomes through innovation and human experience.
Threat Management Incident Response
Our Threat Management service package includes System Breach Incident Response which can be used to either escalate the incident to your IT team or to have the CyberStash security team take response actions such as: