Endpoint Detection and Response
Your essential post-breach strategy for detecting systems already compromised by attacks that are too sophisticated for your existing security controls to catch.
To establish trust in the IT environment for the board and executives, CyberStash conducts forensic-level analysis across the entire IT fleet at a frequency defined by the organization’s risk appetite. CyberStash obtains a higher degree of resilience and assurance by forensically detecting and responding to compromised systems and discovering previously undetected breaches before they can cause irreversible damage. With the ability to uncover compromised hosts within 1 day, CyberStash reduces the likely occurrence of actual business impact by 96%.
Collection of forensic-level system information from all endpoints across the entire IT fleet.
Forensic State Analysis
Validate every aspect of the system by going underneath higher-level operating system APIs and working directly with volatile memory structures.
Inform discovery using Code Comparison, Machine Learning, Sandboxing, Threat Intelligence and Human Analysis.
Conclusively confirm endpoints as compromised to establish trust in the IT environment for the board and executives.
Cybersecurity has traditionally focused on preventive controls driven by compliance and regulation standards. While these approaches continue to be important, it is now evident that no amount of defense can protect organizations against all types of cyber-attacks. Equal focus is also required for the early detection of post-breach activity and incident response before these attacks are able to compromise information or impact business. Furthermore, when responding to an incident, business stakeholders require a higher level of assurance that all malware and human adversaries have been eradicated from their IT environment and that the vulnerability leading to compromise has been discovered and remediated.
Discovery of all compromised systems in your environment, including servers, workstations, and remote endpoints, whether hosted on-premise or in the cloud.
Detection of systems compromised by advanced cyber-attacks that routinely circumvent existing security controls, whether operating on disk or in memory.
Validated clean-up of all human adversaries, backdoors, and malware following a cyber breach to re-establish trust in the IT environment for the board and executives.
Unlike other breach-detection strategies, CyberStash doesn’t wait for predetermined events to occur before investigating suspected breaches. Instead, we use Forensic Depth Analysis (FDA) to proactively hunt and discover sophisticated and unknown attacks that would otherwise remain invisible in an enterprise environment. The FDA approach thoroughly validates every aspect of a system by going underneath higher-level operating system APIs and working directly with volatile memory structures. We combine FDA with intelligence and the anomaly analysis of operating system artefacts (STACKING) to generate leads. Once we have these forensic hits, we inform and enrich what we have discovered using additional techniques, including Code Comparison, Machine Learning, Sandboxing, Threat Intelligence, and finally Human Analysis.
15 Steps Used For Conclusive Validation and Response
CyberStash establishes trust in an IT environment by carrying out 15 steps.
The process we follow is akin to that of a highly trained digital forensic analyst; however, we deliver our deep-level analysis at scale through automated host-level surveys before augmenting and enriching what we’ve discovered.
When delivered as a Managed Detection and Response (MDR) service, our security analysts then go over the endpoint meticulously to flag every operating system component as Verified Good, For Review, Potentially Unwanted or Verified Bad.
We maintain a memory of these decisions and then work on all the net-new forensic leads we discover on subsequent assessments, thus enabling us to deliver a feasible and scalable service to any size enterprise.
Finding Code in Memory
Discovering malicious code in memory requires forensic-level analysis, and CyberStash achieves this through the 5-step process illustrated below.
1. ENUMERATE LOADED MODULES: Ask the OS for a list of modules in the process (WMI, etc.).
2. PROCESS MEMORY WALK: Brute force a process’s private memory regions (heap) using VirtualQuery. Identify and inspect any allocated sections with executable markers (i.e., RWX or RX).
3. For disk-mapped modules, compare the executable section of a module on disk to what it looks like in memory. Fuzzy hash comparison will give the variation %.
4. Iterate through each executing thread within a process. Identify and inspect any threads pointing at private memory sections.
5. INSPECT LOADED TABLES: Inspect the process’s import tables to find references to all loaded libraries.
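The memory-walk and thread-inspection steps above, as an added illustration of the detection logic (this is not CyberStash code): the regions are constructed records shaped like VirtualQuery's MEMORY_BASIC_INFORMATION output, with real Win32 constant values, and the disk-versus-memory fuzzy-hash comparison of step 3 is left out.

```python
from dataclasses import dataclass

# Win32 MEMORY_BASIC_INFORMATION constants (values from the Windows SDK)
MEM_COMMIT = 0x1000
MEM_PRIVATE = 0x20000
MEM_MAPPED = 0x40000
MEM_IMAGE = 0x1000000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass(frozen=True)
class Region:
    """One VirtualQuery result: BaseAddress, RegionSize, State, Protect, Type."""
    base: int
    size: int
    state: int
    protect: int
    type: int

    def is_executable(self) -> bool:
        # Modifier bits such as PAGE_GUARD (0x100) may be OR'ed in; keep the low byte only
        return bool((self.protect & 0xFF) & EXEC_MASK)


def walk_private_executable(regions):
    """Step 2: committed regions that are private (heap-style) AND executable.
    Image-backed code (MEM_IMAGE) is expected; private RX/RWX usually is not."""
    return [r for r in regions
            if r.state == MEM_COMMIT and r.type == MEM_PRIVATE and r.is_executable()]


def threads_in_private_code(threads, suspicious):
    """Step 4: (thread id, region base) for threads whose start address lies in a flagged region."""
    return [(tid, r.base) for tid, start in threads
            for r in suspicious if r.base <= start < r.base + r.size]


# Constructed sample: a loaded image, a normal heap, an injected RWX blob and a mapped file
SAMPLE_REGIONS = [
    Region(0x7FF800000000, 0x1000, MEM_COMMIT, PAGE_READONLY, MEM_IMAGE),          # PE header
    Region(0x7FF800001000, 0x100000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_IMAGE),    # .text
    Region(0x1A0000000, 0x40000, MEM_COMMIT, PAGE_READWRITE, MEM_PRIVATE),         # heap (RW)
    Region(0x1A0800000, 0x2000, MEM_COMMIT, PAGE_EXECUTE_READWRITE, MEM_PRIVATE),  # private RWX
    Region(0x7FF900000000, 0x8000, MEM_COMMIT, PAGE_EXECUTE_READ, MEM_MAPPED),     # mapped file
]
SAMPLE_THREADS = [(1234, 0x7FF800005000), (1240, 0x1A0800040)]  # (thread id, start address)


def scan(regions=SAMPLE_REGIONS, threads=SAMPLE_THREADS):
    """Run steps 2 and 4 and return (flagged regions, threads starting inside them)."""
    suspicious = walk_private_executable(regions)
    return suspicious, threads_in_private_code(threads, suspicious)
```

On the sample, only the private RWX region and thread 1240 (which starts inside it) are flagged; the image .text, heap and mapped file pass.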
Human Analysis software mapping
Operating under the evolutionary principle that all software, whether legitimate or malicious, has been used previously by another organization, our service leverages human analysis to identify new forms of malware by reverse engineering unknown files that behave suspiciously.
This Process Allows Cyberstash to:
Further validate and enrich discovery
Ultimately classify & attribute a file to a risk
We upload files that are flagged as forensically bad or suspicious to the CyberStash Cloud.
We use a machine-code decompiler to perform platform-independent analysis of executable files.
Our security analysts go to enough forensic depth to determine whether the file is malicious.
We apply threat enrichment for ultimate recognition of even the most sophisticated APTs.
eclipse.edr | Endpoint Detection and Response
CyberStash combines best-in-class technology, people, and processes to deliver its Managed Endpoint Detection and Response (EDR) Service.
CyberStash combines human analysis with forensic depth analysis, malware analysis, and code comparison, to establish a higher level of trust and confidence in an IT environment for stakeholders. We are the Forensic Depth Compromise Assessment Company, delivering valuable outcomes through innovation and human experience.
Threat Management Incident Response
Our Threat Management service package includes System Breach Incident Response which can be used to either escalate the incident to your IT team or to have the CyberStash security team take response actions such as: