Forensic State Analysis: a better approach to proactive hunting

We use Forensic State Analysis (FSA): the examination of live host forensic data, both volatile (memory, running processes, network connections) and non-volatile (disk, registry, autostart configuration), to determine the compromise state of a system or set of systems. FSA does not rely on logs or on monitoring changes to a system over time. It assumes the device is already compromised and seeks to validate each system through a comprehensive deep host inspection.

Why state analysis?

First, if an adversary is embedded in a network, they will most likely be resident on an endpoint or server used as a beachhead, or will at least have left indicators of compromise there. Endpoint inspection is therefore of utmost importance.

Second, persistent adversaries might not be active during your assessment window. Dormant malware has no "behavior" to analyze; finding it requires state analysis of its persistence mechanisms (autostarts such as services, scheduled tasks and run keys).

And third, focused forensic collection has no time dependency. EDR, as a real-time monitoring tool, can only look forward from the moment it is deployed: it cannot look backward, and it reports activity rather than the current resting state of the host. Its logs are therefore most useful only if it was installed and working during the initial attack.
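As an added example of what "state analysis of persistence mechanisms" means in practice (this is illustrative code, not the page's product or any vendor tool), the following Python sweep reads a Linux host's autostart state from the standard cron.d, systemd and rc.local locations and flags entries a hunter would want to look at: commands launched from scratch directories such as /tmp or /dev/shm, base64-decoded payloads, and downloads piped straight into a shell. It needs no logs and no baseline; it judges the host as it stands right now, which is exactly what catches dormant persistence. The sample host files are constructed for the demo and do not come from any real incident.

```python
"""Sweep a host's autostart state (cron.d, systemd units, rc.local) and flag
suspicious persistence entries. Added example; the paths are the standard
Linux ones, and the sample files written by build_sample_host() are constructed."""
import re
import tempfile
from pathlib import Path

# Scratch directories that legitimate autostarts almost never execute from.
SUSPICIOUS_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")
# Command idioms that should be rare in a benign persistence entry.
SUSPICIOUS_PATTERNS = [
    (re.compile(r"base64\s+(-d|--decode)"), "base64-decoded payload"),
    (re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"), "download piped to a shell"),
    (re.compile(r"/dev/tcp/"), "bash reverse-shell idiom"),
]


def collect_autostarts(root):
    """Return (source_file, command) pairs from the persistence locations under
    `root` ("/" on a live host; a fixture directory in the demo)."""
    root = Path(root)
    entries = []
    # /etc/cron.d: "minute hour dom mon dow user command"; skip VAR=value lines.
    for f in sorted((root / "etc/cron.d").glob("*")):
        for line in f.read_text().splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" in line.split()[0]:
                continue
            fields = line.split(None, 6)
            if len(fields) == 7:
                entries.append((str(f), fields[6]))
    # systemd units: every ExecStart= line, minus systemd's prefix characters.
    for f in sorted((root / "etc/systemd/system").glob("*.service")):
        for line in f.read_text().splitlines():
            if line.startswith("ExecStart="):
                entries.append((str(f), line.split("=", 1)[1].lstrip("-@+!:")))
    # /etc/rc.local: every non-comment command (the shebang starts with '#').
    rc = root / "etc/rc.local"
    if rc.exists():
        for line in rc.read_text().splitlines():
            line = line.strip()
            if line and not line.startswith("#") and line != "exit 0":
                entries.append((str(rc), line))
    return entries


def triage(entries):
    """Flag entries whose executable lives in a scratch directory or whose
    command matches a known-bad idiom. Returns [(source, command, [reasons])]."""
    findings = []
    for source, command in entries:
        reasons = []
        words = command.split()
        exe = words[0] if words else ""
        if exe.startswith(SUSPICIOUS_DIRS):
            reasons.append(f"executable in scratch directory: {exe}")
        for pattern, why in SUSPICIOUS_PATTERNS:
            if pattern.search(command):
                reasons.append(why)
        if reasons:
            findings.append((source, command, reasons))
    return findings


def build_sample_host(root):
    """Write a constructed fixture: three benign autostarts and two that a
    hunter should see (a cron job in /dev/shm and a base64-decoded unit)."""
    root = Path(root)
    (root / "etc/cron.d").mkdir(parents=True)
    (root / "etc/systemd/system").mkdir(parents=True)
    (root / "etc/cron.d/logrotate").write_text(
        "SHELL=/bin/sh\n0 3 * * * root /usr/sbin/logrotate /etc/logrotate.conf\n")
    (root / "etc/cron.d/update").write_text(
        "*/10 * * * * root /dev/shm/.x/update.sh\n")
    (root / "etc/systemd/system/sshd.service").write_text(
        "[Service]\nExecStart=/usr/sbin/sshd -D\n")
    (root / "etc/systemd/system/cache.service").write_text(
        "[Service]\nExecStart=/bin/bash -c 'echo ZWNobyBoaQ== | base64 -d | bash'\n")
    (root / "etc/rc.local").write_text(
        "#!/bin/sh\n/usr/local/bin/agent start\nexit 0\n")


def run_demo():
    """Build the fixture in a temp dir, sweep it, and return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_host(tmp)
        entries = collect_autostarts(tmp)
        findings = triage(entries)
    return {"total": len(entries),
            "suspicious": [(Path(s).name, cmd, why) for s, cmd, why in findings]}


if __name__ == "__main__":
    for name, cmd, reasons in run_demo()["suspicious"]:
        print(f"{name}: {cmd}\n    " + "; ".join(reasons))
```

On a real host you would call `collect_autostarts("/")` and extend the location list (user crontabs, systemd user units, init scripts); the point of the structure is that the collector and the triage rules are separate, so the same rule set can be run against every endpoint in a sweep and the raw entries kept as evidence for the report.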

The faster a data breach can be identified and contained, the lower the costs.

A report released by the Ponemon Institute examined the relationship between how quickly an organization identifies and contains a data breach and the financial consequences. For its consolidated sample of 477 companies, the mean time to identify (MTTI) was 197 days and the mean time to contain (MTTC) was 69 days. Both were highest for malicious and criminal attacks and much lower for breaches caused by human error. Companies that identified a breach in under 100 days saved more than $1 million compared with those that took longer; similarly, companies that contained a breach in under 30 days saved over $1 million compared with those that took longer than 30 days.

More details are available in the full Ponemon report.

How is threat hunting scoped, and what are the deliverables?

We scope based on the size of the environment (typically the total number of endpoints) and the number of days it will take to sweep and scan them. The deliverable is a set of documents containing the evidence collected from each affected endpoint, together with suggested remediation to help your SOC/security team carry out cleanup and mitigation.

Threat Hunting As A Service

We offer Threat Hunting as a Service, in which we conduct the hunt and deliver the results as a one-time project. Enterprise customers typically run such an exercise twice a year or quarterly. Unlike traditional forensic analysis, which takes many days of complex work and sometimes requires data to be taken off site, our approach is fast, non-intrusive and priced to be affordable to most enterprises.

Threat Hunting As A Product

The Threat Hunting Platform can also be bought as a product, which entitles you to an unlimited number of scans. The product can be augmented by our managed service to deliver better ROI. It lets you stay focused on your current investment and extract more value from it: since a breach assessment report is at your fingertips whenever you want one, your reliance on traditional defenses can be lowered.

Interested, or would you like to know more about threat hunting? Fill in the form below and we shall get back to you.
