Endpoint Detection and Response

Your essential post-breach strategy for detecting systems already compromised by attacks that are too sophisticated for your existing security controls to catch.

To establish trust in the IT environment for the board and executives, CyberStash conducts forensic-level analysis across the entire IT fleet at a frequency defined by the organization’s risk appetite. CyberStash obtains a higher degree of resilience and assurance by forensically detecting and responding to compromised systems and discovering previously undetected breaches before they can cause irreversible damage. With the ability to uncover compromised hosts within 1 day, CyberStash reduces the likely occurrence of actual business impact by 96%.
Collection
Collection of forensic-level system information from all endpoints across the entire IT fleet.
Forensic State Analysis
Validate every aspect of the system by going underneath higher-level operating system APIs and working directly with volatile memory structures.
Enrichment
Inform discovery using Code Comparison, Machine Learning, Sandboxing, Threat Intelligence and Stacking Techniques.
Conclusive Validation
Conclusively confirm endpoints as compromised to establish trust in the IT environment for the Board and Executives.
Cybersecurity has traditionally focused on preventive controls driven by compliance and regulation standards. While these approaches continue to be important, it is now evident that no amount of defense can protect organizations against all types of cyber-attacks. Equal focus is also required for the early detection of post-breach activity and incident response before these attacks are able to compromise information or impact business. Furthermore, when responding to an incident, business stakeholders require a higher level of assurance that all malware and human adversaries have been eradicated from their IT environment and that the vulnerability leading to compromise has been discovered and remediated.
Discovery of all compromised systems in your environment, including servers, workstations, and remote endpoints, whether hosted on-premise or in the cloud.
Detection of systems compromised by advanced cyber-attacks that routinely circumvent existing security controls, whether operating on disk or in memory.
Validated clean-up of all human adversaries, backdoors, and malware following a cyber breach to re-establish trust in the IT environment for the board and executives.
Detection Methodology
Unlike other breach-detection strategies, CyberStash doesn’t wait for predetermined events to occur before investigating suspected breaches. Instead, we use Forensic Depth Analysis (FDA) to proactively hunt and discover sophisticated and unknown attacks that would otherwise remain invisible in an enterprise environment. The FDA approach thoroughly validates every aspect of a system by going underneath higher-level operating system APIs and working directly with volatile memory structures. We combine FDA with intelligence and the anomaly analysis of operating system artefacts (STACKING) to generate leads. Once we have these forensic hits, we inform and enrich what we have discovered using additional techniques, including Code Comparison, Machine Learning, Sandboxing, Threat Intelligence, and finally Human Analysis.
15 Steps Used For Conclusive Validation and Response

CyberStash establishes trust in an IT environment by carrying out 15 steps.

The process we follow is akin to that of a highly trained digital forensic analyst; however, we deliver our deep-level analysis at scale through automated host-level surveys before augmenting and enriching what we’ve discovered.

When delivered as a Managed Detection and Response (MDR) service, our security analysts then go over the endpoint meticulously to flag every operating system component as Verified Good, For Review, Potentially Unwanted or Verified Bad.

We maintain a memory of these decisions and then work on all the net-new forensic leads we discover on subsequent assessments, thus enabling us to deliver a feasible and scalable service to any size enterprise.

Finding Code in Memory

Discovering malicious code in memory requires forensic-level analysis, and CyberStash achieves this through the 5-step process illustrated below.

1. ENUMERATE LOADED MODULES: Ask the OS for a list of modules in the process (WMI, etc.).
2. PROCESS MEMORY WALK: Brute-force a process’s private memory regions (heap) using VirtualQuery. Identify and inspect any allocated sections with executable markers (i.e., RWX or RX).
3. MEMORY/DISK COMPARISON: For disk-mapped modules, compare the executable section of a module on disk to what it looks like in memory. Fuzzy hash comparison gives the variation %.
4. THREAD WALK: Iterate through each executing thread within a process. Identify and inspect any threads pointing at private memory sections.
5. INSPECT LOADED TABLES: Inspect the process’s import tables to find references to all loaded libraries.
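As an added illustration of steps 2 to 4 above (not CyberStash's code), the following Python runs the private-memory walk, the memory/disk section comparison and the thread walk over a constructed process snapshot in place of live VirtualQuery and thread-enumeration output. The region layout, thread start addresses and section bytes are all constructed, and a plain byte-level diff stands in for the fuzzy hash comparison.

```python
from dataclasses import dataclass

EXEC_PROT = {"RX", "RWX"}  # executable page protections of interest

@dataclass
class Region:
    """One entry as a VirtualQuery walk would report it (constructed here)."""
    base: int
    size: int
    protect: str   # "R", "RW", "RX" or "RWX"
    kind: str      # "image" (disk-backed module) or "private" (heap / VirtualAlloc)

def region_for(regions, addr):
    for r in regions:
        if r.base <= addr < r.base + r.size:
            return r
    return None  # address is not mapped in this snapshot

def executable_private_regions(regions):
    """Step 2: private (non-image) memory carrying executable markers."""
    return [r for r in regions if r.kind == "private" and r.protect in EXEC_PROT]

def threads_in_private_memory(regions, threads):
    """Step 4: threads whose start address points into private memory."""
    hits = []
    for tid, start in threads.items():
        r = region_for(regions, start)
        if r is not None and r.kind == "private":
            hits.append((tid, r.base))
    return hits

def section_variation_pct(disk_section, mem_section):
    """Step 3 stand-in: byte-level variation % between a module's executable section on
    disk and in memory (real tooling uses fuzzy hashes such as ssdeep). A small non-zero
    value is normal because of relocations and import-table patching at load time."""
    size = max(len(disk_section), len(mem_section))
    diffs = sum(a != b for a, b in zip(disk_section, mem_section))
    return (diffs + abs(len(disk_section) - len(mem_section))) / size * 100

# Constructed snapshot of one process: one module, a heap and one suspicious allocation
REGIONS = [
    Region(0x7FF600000000, 0x1000, "RX", "image"),
    Region(0x7FF600001000, 0x4000, "RW", "image"),
    Region(0x1A0000, 0x10000, "RW", "private"),   # ordinary heap
    Region(0x2B0000, 0x2000, "RWX", "private"),   # executable private region
]
THREADS = {1: 0x7FF600000400, 2: 0x2B0010}         # tid -> start address
DISK_TEXT = bytes(range(256)) * 4
MEM_TEXT = DISK_TEXT[:512] + b"\x90" * 64 + DISK_TEXT[576:]  # 64 bytes differ in memory
```

The thread hit and the RWX private region point at the same allocation, which is the lead a human analyst would then review.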

Human Analysis software mapping

Operating under the evolutionary principle that all software, whether legitimate or malicious, has been used previously by another organization, our service leverages human analysis to identify new forms of malware by reverse engineering unknown files that behave suspiciously.

This process allows CyberStash to:

Further validate and enrich discovery

Ultimately classify & attribute a file to a risk

Unknown File

We upload files that are flagged as forensically bad or suspicious to the CyberStash Cloud

Extraction

We use a machine-code decompiler to perform platform-independent analysis of executable files.

Human Analysis

Our security analysts go to enough forensic depth to determine whether the file is malicious.

Identification

We apply threat enrichment for ultimate recognition of even the most sophisticated APTs.

eclipse.edr | Endpoint Detection and Response
CyberStash combines best-in-class technology, people, and processes to deliver its Managed Endpoint Detection and Response (EDR) Service.
CyberStash combines human analysis with forensic depth analysis, malware analysis, and code comparison to establish a higher level of trust and confidence in an IT environment for stakeholders. We are the Forensic Depth Compromise Assessment Company, delivering valuable outcomes through innovation and human experience.
Threat Management Incident Response
Our Threat Management service package includes System Breach Incident Response, which can be used either to escalate the incident to your IT team or to have the CyberStash security team take response actions such as:
Terminating the process
Isolating the compromised machine from the rest of your network
Removing the persistence mechanism
Collecting forensic artefacts to preserve evidence

Let’s get started

The independent cyber defense platform eclipse.xdr acts as a force multiplier to dramatically reduce an organization’s exposure to cyber-attacks and minimize the likelihood of business impact.
 
Contact us to learn about: