Compromise Assessment Service

Your essential post-breach strategy for detecting systems already compromised by attacks that are too sophisticated for your existing security controls to catch.
To establish trust in the IT environment for the board and executives, CyberStash conducts forensic-level analysis across the entire IT fleet at a frequency defined by the organization’s risk appetite. CyberStash obtains a higher degree of resilience and assurance by forensically detecting and responding to compromised systems and discovering previously undetected breaches before they can cause irreversible damage. With the ability to uncover compromised hosts within 1 day, CyberStash reduces the likely occurrence of actual business impact by 96%.
Collection
Collection of forensic-level system information from all endpoints across the entire IT fleet
Forensic State Analysis
Validate every aspect of the system by going underneath higher-level operating system APIs and working directly with volatile memory structures.
Enrichment
Inform discovery using Code Comparison, Machine Learning, Sandboxing, Threat Intelligence and Stacking Techniques.
Conclusive Validation
Conclusively confirm endpoints as compromised to establish trust in the IT environment for the Board and Executives.
Cybersecurity has traditionally focused on preventive controls driven by compliance and regulation standards. While these approaches continue to be important, it is now evident that no amount of defense can protect organizations against all types of cyber-attacks. Equal focus is also required for the early detection of post-breach activity and incident response before these attacks are able to compromise information or impact business. Furthermore, when responding to an incident, business stakeholders require a higher level of assurance that all malware and human adversaries have been eradicated from their IT environment and that the vulnerability leading to compromise has been discovered and remediated.

Detection Methodology

Unlike other breach-detection strategies, CyberStash doesn’t wait for predetermined events to occur before investigating suspected breaches. Instead, we use Forensic Depth Analysis (FDA) to proactively hunt and discover sophisticated and unknown attacks that would otherwise remain invisible in an enterprise environment. The FDA approach thoroughly validates every aspect of a system by going underneath higher-level operating system APIs and working directly with volatile memory structures. We combine FDA with intelligence and the anomaly analysis of operating system artifacts (STACKING) to generate leads. Once we have these forensic hits, we inform and enrich what we have discovered using additional techniques, including Code Comparison, Machine Learning, Sandboxing, Threat Intelligence, and finally Human Analysis.

Discovery of all compromised systems in your environment, including servers, workstations, and remote endpoints, whether hosted on-premise or in the cloud.
Validated clean-up of all human adversaries, backdoors, and malware following a cyber breach to re-establish trust in the IT environment for the board and executives.
Detection of systems compromised by advanced cyber-attacks that routinely circumvent existing security controls, whether operating on disk or in memory.
Benefits

Defines Policy for Controlling Breach-Dwell Time

Establishes and Maintains Trust in the IT Environment

Reduces Likelihood of Business Impact by 96% following a Breach

Methodology
When conducting compromise assessments, the priority must not be to reduce false positives but to reduce false negatives. That's why our methodology involves looking at every possible forensic artefact, behaviour and traffic flow in an environment and conclusively validating its level of risk to the business.

Endpoint Forensic-Depth Analysis

Human analysis of discovered threats with context to business risk and final

In-Memory Living-off-the-Land Analysis

Fileless attack analysis using forensic-level memory analysis to detect malicious code in memory.

Endpoint Adversary Behavior Analysis

Detonating unknown and suspicious files in the CyberStash sandbox to discover their actual intent and level of risk.

Network Threat Intelligence Analysis

Capturing network traffic in-line and correlating with millions of known malicious IP address and domain indicators.

Dynamic Analysis and Software Mapping

Mapping commands seen in the environment to hundreds of known adversary behaviors, and assigning each of those actions a risk level.

Human Analysis and Reporting

File reputation and state-change analysis of processes, artefacts, autostarts, drivers, registry, accounts, modules and network connections.

High-Risk Country and Autonomous System Intelligence

Detecting network traffic traversing to high-risk countries and autonomous systems.

15 Steps For Conclusive Validation & Response
CyberStash establishes trust in an IT environment by carrying out 15 steps. The process we follow is akin to that of a highly trained digital forensic analyst; however, we deliver our deep-level analysis at scale through automated host-level surveys before augmenting and enriching what we've discovered.

When delivered as a Managed Detection and Response (MDR) service, our security analysts then go over the endpoint meticulously to flag every operating system component as Verified Good, For Review, Potentially Unwanted or Verified Bad. We maintain a memory of these decisions and then work on all the net-new forensic leads we discover on subsequent assessments, thus enabling us to deliver a feasible and scalable service to any size enterprise.

Finding Code in Memory

Discovering malicious code in memory requires forensic-level analysis, and CyberStash achieves this through the 5-step process illustrated below.

1. Enumerate loaded modules: ask the OS for a list of modules in the process (WMI, etc.).
2. Process memory walk: brute-force a process's private memory regions (heap) using VirtualQuery. Identify and inspect any allocated sections with executable markers (i.e., RWX or RX).
3. Memory/disk comparison: for disk-mapped modules, compare the executable section of a module on disk to what it looks like in memory. Fuzzy hash comparison gives the variation as a percentage.
4. Thread walk: iterate through each executing thread within a process. Identify and inspect any threads pointing at private memory sections.
5. Inspect loaded tables: inspect the process's import tables to find references to all loaded libraries.
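The following C program is an added illustration of the triage logic behind steps 2, 3 and 4 above; it is not CyberStash's code. It constructs region and thread records that mimic the fields VirtualQuery (MEMORY_BASIC_INFORMATION) and thread enumeration would return on Windows, so it runs anywhere without touching a live process; on a real system those records would be filled from the OS. The protection and type constants use the same numeric values as winnt.h. For step 3 a plain byte-for-byte difference percentage stands in for the fuzzy hash comparison the page describes (an assumption made so the example stays self-contained).

```c
/* Added example (not CyberStash's code): triage logic for steps 2-4 of the
 * memory-scan process. Sample records below are constructed, not captured. */
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>

/* Win32 protection/type flags, same numeric values as winnt.h. */
#define PAGE_READWRITE         0x04
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define MEM_PRIVATE            0x20000
#define MEM_IMAGE              0x1000000

/* Subset of the fields VirtualQuery fills in MEMORY_BASIC_INFORMATION. */
typedef struct {
    uintptr_t base;
    size_t    size;
    uint32_t  protect;
    uint32_t  type;
} region_t;

typedef struct {
    uint32_t  tid;
    uintptr_t start_address;
} thread_t;

/* Step 2: an executable region that is private (not mapped from an image on
 * disk) is a lead, because legitimate code normally lives in MEM_IMAGE sections. */
int region_is_private_exec(const region_t *r)
{
    int exec = (r->protect == PAGE_EXECUTE_READ ||
                r->protect == PAGE_EXECUTE_READWRITE);
    return exec && r->type == MEM_PRIVATE;
}

size_t count_private_exec_regions(const region_t *regions, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        hits += region_is_private_exec(&regions[i]) ? 1 : 0;
    return hits;
}

/* Step 4: a thread whose start address lies inside a private executable
 * region is running code that no module on disk accounts for. */
int thread_in_region(const thread_t *t, const region_t *r)
{
    return t->start_address >= r->base && t->start_address < r->base + r->size;
}

size_t count_threads_in_private_exec(const thread_t *threads, size_t nt,
                                     const region_t *regions, size_t nr)
{
    size_t hits = 0;
    for (size_t i = 0; i < nt; i++)
        for (size_t j = 0; j < nr; j++)
            if (region_is_private_exec(&regions[j]) &&
                thread_in_region(&threads[i], &regions[j])) { hits++; break; }
    return hits;
}

/* Step 3: variation between a module's executable section on disk and the
 * same bytes in memory. Byte-for-byte difference stands in for fuzzy hashing. */
double section_variation_pct(const uint8_t *disk, const uint8_t *mem, size_t len)
{
    if (len == 0) return 0.0;
    size_t diff = 0;
    for (size_t i = 0; i < len; i++)
        if (disk[i] != mem[i]) diff++;
    return 100.0 * (double)diff / (double)len;
}

/* Constructed sample: one image-backed .text, one heap, one private RWX region. */
static const region_t SAMPLE_REGIONS[] = {
    { 0x00400000u, 0x1000,  PAGE_EXECUTE_READ,      MEM_IMAGE   },
    { 0x00800000u, 0x10000, PAGE_READWRITE,         MEM_PRIVATE },
    { 0x02000000u, 0x2000,  PAGE_EXECUTE_READWRITE, MEM_PRIVATE },
};
static const thread_t SAMPLE_THREADS[] = {
    { 100, 0x00400100u },   /* starts inside the image-backed section */
    { 200, 0x02000040u },   /* starts inside the private RWX region */
};
/* Constructed 16-byte executable section; two bytes differ in memory. */
static const uint8_t DISK_TEXT[16] = { 0x55,0x8b,0xec,0x83,0xec,0x10,0x53,0x56,
                                       0x57,0x8b,0x7d,0x08,0x33,0xdb,0x85,0xff };
static const uint8_t MEM_TEXT[16]  = { 0xe9,0x8b,0xec,0x83,0xec,0x10,0x53,0x56,
                                       0x57,0x8b,0x7d,0x08,0x33,0xdb,0xcc,0xff };

int main(void)
{
    size_t nr = sizeof SAMPLE_REGIONS / sizeof SAMPLE_REGIONS[0];
    size_t nt = sizeof SAMPLE_THREADS / sizeof SAMPLE_THREADS[0];
    printf("private executable regions: %zu\n",
           count_private_exec_regions(SAMPLE_REGIONS, nr));
    printf("threads in private exec memory: %zu\n",
           count_threads_in_private_exec(SAMPLE_THREADS, nt, SAMPLE_REGIONS, nr));
    printf(".text variation memory vs disk: %.1f%%\n",
           section_variation_pct(DISK_TEXT, MEM_TEXT, sizeof DISK_TEXT));
    return 0;
}
```

On the constructed sample the walk flags one private RWX region, one thread (tid 200) starting inside it, and a 12.5% variation between the on-disk and in-memory .text bytes. Each of these is a lead to be validated by the later enrichment steps, not a verdict on its own: JIT runtimes allocate private executable memory legitimately, and a non-zero variation can come from relocation fixups as well as from tampering.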

State-of-the-art Cyber Security Solutions

To stay ahead of threats, the methodology must not depend on detection engines designed to catch the threat itself.

The capability used to support such a methodology must be designed to 'catch all leads', then validate each one and provide a conclusive verdict of either 'compromised' or 'not compromised' without leaving any room for doubt.

Human Analysis

Allowing threat enrichment and ultimate recognition of even the most sophisticated APTs in seconds.

Identification


Unknown File

We upload files that are flagged as forensically bad or suspicious to the CyberStash Cloud.

Extraction


CyberStash combines best-in-class technology, people, and processes to deliver its Compromise Assessment Service.

eclipse.edr|Endpoint Detection And Response

We offer 4 service levels that meet an organization's requirements for controlling breach dwell time, aligned with its risk appetite.

Business Case

Controlling the breach dwell time reduces the likelihood of business impact. By detecting and cleaning up breached systems within 1 day, the likelihood of business impact is reduced by 96%.

CyberStash combines human analysis with forensic depth analysis, malware analysis, and code comparison, to establish a higher level of trust and confidence in an IT environment for stakeholders. We are the Forensic Depth Compromise Assessment Company, delivering valuable outcomes through innovation and human experience.
Threat Management Incident Response
Our Threat Management service package includes System Breach Incident Response which can be used to either escalate the incident to your IT team or to have the CyberStash security team take response actions such as:
Killing the process
Isolating the compromised machine from the rest of your network
Removing the persistence mechanism
Collecting forensic artifacts to preserve evidence

Let’s get started

The independent cyber defense platform eclipse.xdr acts as a force multiplier to dramatically reduce an organization’s exposure to cyber-attacks and minimize the likelihood of business impact. 