HOW DOES IT WORK?

The primary goals of a threat hunting program are to reduce exposure to external threats and to improve the speed and accuracy of threat response, thereby reducing the number and severity of data breach events.  The response cycle that hunting feeds is generally the six-step incident handling process of (a) Preparation, (b) Identification, (c) Containment, (d) Eradication, (e) Recovery and (f) Lessons Learned.  The challenge is that, despite the deployment of more tools and access to an exploding volume of data, security analytics and operations are getting harder, and there are not enough engineers trained and experienced enough to use those tools to meet the demand.

We at TriagingX believe that hunting solutions need to augment the human intelligence and experience of information security teams with deep analysis that is automated and easy to understand. Our philosophy is to detect an attack from its earliest indications rather than relying on known IOCs, to learn the attack methods used, and to adapt by finding the same weakness in other connected systems. This lets us fix the weakness before the attacker can act on it.

TXHunter is a new generation of machine-assisted hunter for conducting highly focused threat incident investigations remotely. You only need to tell TXHunter which endpoints to investigate, download the disposable run-time agent to gather the data, and wait for the analysis.

Built-In Intelligence and Automated Analysis

The agent takes a snapshot of the suspicious system and automatically conducts an incident investigation.  If the investigation identifies suspicious files or URL links, it automatically launches the built-in TXSandbox capabilities for behavior analysis. It is also integrated with third-party engines and intelligence to provide additional context on the detected objects. In about 5 to 10 minutes, TXHunter gives a clear answer as to whether the endpoint has been infected or hacked, the severity level of that particular attack, and all supporting data.  TXHunter's intelligent engine learns from every new discovery made during a threat investigation, and it can optionally be deployed as a lightweight passive agent on endpoint systems with scheduled execution.

Focus on Behaviors, not IOCs

Attackers are getting better at evading detection by known observables / Indicators of Compromise (IOCs), for example by using unique code, unique IP addresses and/or unique file hashes per infected host.  As a result, many of the static IOCs commonly collected today are historic and brittle: they describe the last victim, not the next one. Threat hunting tools should focus instead on attacker techniques and anomalies, i.e. threat actor tactics, techniques, and procedures (TTPs). TXHunter focuses on collecting and analyzing system behaviors, not static IOCs.

Evidence Extracted

TXHunter provides investigative capabilities to search for signs of malicious activity through memory and file analysis, and builds a threat assessment profile from the results. The following data is collected from the endpoint:

  • File system metadata
  • Windows prefetch data
  • Event logs
  • Scheduled task data
  • Registry data
  • Other artifacts of interactive sessions, such as web history
  • Memory data
  • Alternative persistence mechanisms
  • Network connections
  • Windows Firewall rules
  • Kernel info: GDT, IDT, SSDT, Shadow SSDT, hidden processes, kernel exports

The associated TXHunter server uses multiple TXSandbox virtual machine instances to perform behavior analysis of the suspicious files and URLs encountered during triage. Third-party security intelligence can also be queried by TXHunter for integrated analysis.   Once the server detects reconnaissance activity or other clues of compromise, it generates a summary report for the SOC/incident response teams so that the suspicious behavior can be contained.

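The artifact list above and the behavior-over-IOC point from the previous section, as an added example that is not TXHunter's or TriagingX's code: a PowerShell triage snapshot that collects several of the listed artifacts (prefetch, scheduled tasks, Run keys, live network connections, firewall rules and process-creation events) from a Windows host and scores them on behavior rather than on hashes or addresses: execution from user-writable paths, document or browser applications spawning shells or LOLBins, and encoded or download-and-execute command lines. The output directory, the seven-day lookback, the path patterns and the parent/child process lists are assumptions chosen for illustration. Memory capture and the kernel structures in the list (GDT, IDT, SSDT, hidden processes) need a kernel-mode collector and are not shown.

```powershell
<#
  Added example, not TriagingX/TXHunter code: collect a subset of the artifacts listed above
  and score them on behaviour instead of known hashes/IPs. Run from an elevated PowerShell
  5.1+ session. $OutDir, $Lookback, the path patterns and the process lists are assumptions.
#>
$OutDir   = Join-Path $env:TEMP ('triage-{0}-{1}' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMddHHmmss'))
$Lookback = (Get-Date).AddDays(-7)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Locations a normal installer does not use but droppers and persistence commonly do.
$UserWritablePatterns = '*\Users\*\AppData\*', '*\Users\Public\*', '*\ProgramData\*', '*\Temp\*', '*\Downloads\*'
# Parent -> child pairs that are a technique (macro or exploit launching a shell), whatever the child's hash.
$SuspiciousParents  = 'winword.exe', 'excel.exe', 'powerpnt.exe', 'outlook.exe', 'acrord32.exe', 'msedge.exe', 'chrome.exe'
$SuspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe', 'certutil.exe', 'bitsadmin.exe'
# Command-line fragments typical of encoded or download-and-execute stagers (-match is case-insensitive).
$StagerPattern = '-enc|-encodedcommand|downloadstring|downloadfile|invoke-expression|\biex\b|javascript:|/i:http|-urlcache'

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Source, [string]$Reason, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Source = $Source; Reason = $Reason; Detail = $Detail })
}
function Test-UserWritable([string]$Path) {
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    $p = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    foreach ($pat in $UserWritablePatterns) { if ($p -like $pat) { return $true } }
    return $false
}

# 1. Prefetch: evidence that a binary ran (and when) even if it has since been deleted.
Get-ChildItem "$env:windir\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue |
    Select-Object Name, CreationTime, LastWriteTime | Export-Csv (Join-Path $OutDir 'prefetch.csv') -NoTypeInformation

# 2. Scheduled tasks: score what the action executes, not the task's name.
$Tasks = Get-ScheduledTask -ErrorAction SilentlyContinue
$Tasks | Select-Object TaskPath, TaskName, State, @{ n = 'Action'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Export-Csv (Join-Path $OutDir 'scheduled_tasks.csv') -NoTypeInformation
foreach ($t in $Tasks) {
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if (Test-UserWritable $a.Execute) { Add-Finding 'ScheduledTask' 'Runs from user-writable path' "$($t.TaskPath)$($t.TaskName): $cmd" }
        if ($cmd -match $StagerPattern)    { Add-Finding 'ScheduledTask' 'Stager-like command line'    "$($t.TaskPath)$($t.TaskName): $cmd" }
    }
}

# 3. Autostart registry values (machine and current-user Run/RunOnce).
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
$RunEntries = foreach ($k in $RunKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
            [pscustomobject]@{ Key = $k; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}
$RunEntries | Export-Csv (Join-Path $OutDir 'run_keys.csv') -NoTypeInformation
foreach ($r in $RunEntries) {
    if (Test-UserWritable $r.Command)     { Add-Finding 'RunKey' 'Autostart from user-writable path' "$($r.Key)\$($r.Name) = $($r.Command)" }
    if ($r.Command -match $StagerPattern) { Add-Finding 'RunKey' 'Stager-like command line'          "$($r.Key)\$($r.Name) = $($r.Command)" }
}

# 4. Live network connections joined to the owning process and its image path.
$Conns = Get-NetTCPConnection -ErrorAction SilentlyContinue | Where-Object { $_.State -in 'Established', 'Listen' } | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{ Local = "$($_.LocalAddress):$($_.LocalPort)"; Remote = "$($_.RemoteAddress):$($_.RemotePort)"
                       State = $_.State; ProcId = $_.OwningProcess; Process = $proc.ProcessName; Path = $proc.Path }
}
$Conns | Export-Csv (Join-Path $OutDir 'network.csv') -NoTypeInformation
$Conns | Where-Object { Test-UserWritable $_.Path } | ForEach-Object {
    Add-Finding 'Network' 'Socket owned by process in user-writable path' "$($_.Process) ($($_.ProcId)) $($_.Local) -> $($_.Remote) [$($_.Path)]"
}

# 5. Enabled inbound allow rules: some implants open their own door in the host firewall.
$FwEntries = foreach ($rule in (Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow -ErrorAction SilentlyContinue)) {
    [pscustomobject]@{ Name = $rule.DisplayName; Profile = $rule.Profile; Program = ($rule | Get-NetFirewallApplicationFilter).Program }
}
$FwEntries | Export-Csv (Join-Path $OutDir 'firewall_inbound_allow.csv') -NoTypeInformation
$FwEntries | Where-Object { Test-UserWritable $_.Program } | ForEach-Object {
    Add-Finding 'Firewall' 'Inbound allow for program in user-writable path' "$($_.Name): $($_.Program)"
}

# 6. Process creation (Security 4688) scored on parent/child relationship and command line.
#    Needs process-creation auditing; ParentProcessName exists on Windows 10 / Server 2016+, CommandLine only with command-line logging enabled.
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Lookback } -MaxEvents 20000 -ErrorAction SilentlyContinue
$ProcTree = foreach ($e in $Events) {
    $d = @{}
    foreach ($x in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
    [pscustomobject]@{ Time = $e.TimeCreated; Parent = $d['ParentProcessName']; Child = $d['NewProcessName']; CommandLine = $d['CommandLine'] }
}
$ProcTree | Export-Csv (Join-Path $OutDir 'process_creation.csv') -NoTypeInformation
foreach ($p in $ProcTree) {
    if (-not $p.Parent -or -not $p.Child) { continue }
    $parent = Split-Path -Leaf $p.Parent; $child = Split-Path -Leaf $p.Child
    if ($parent -in $SuspiciousParents -and $child -in $SuspiciousChildren) {
        Add-Finding 'ProcessTree' 'Document/browser app spawned shell or LOLBin' "$($p.Time) $parent -> $child $($p.CommandLine)"
    }
    if ($p.CommandLine -match $StagerPattern) { Add-Finding 'ProcessTree' 'Stager-like command line' "$($p.Time) $child $($p.CommandLine)" }
}

# 7. Findings are the triage answer; the CSVs are the supporting data.
$Findings | Export-Csv (Join-Path $OutDir 'findings.csv') -NoTypeInformation
Write-Host ('Snapshot written to {0}: {1} behavioural finding(s)' -f $OutDir, $Findings.Count)
$Findings | Sort-Object Source, Reason | Format-Table -AutoSize -Wrap
```

Run it elevated on the suspect host and copy the output directory off before touching anything else. The NetTCPIP and NetSecurity cmdlets need Windows 8 / Server 2012 or later, and the 4688 scoring is empty unless process-creation auditing is on. Expect known-good noise from the ProgramData pattern (Microsoft Defender's platform binaries run from there, for instance) and from any vendor that self-updates out of AppData; the heuristics are a ranked starting point for the analyst, not an alerting rule, and a match on a path or a parent/child pair still holds when the attacker rotates hashes and infrastructure.
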

Faster than EDR Solutions

Information security teams investigating potential breaches are often required to deploy endpoint detection and response (EDR) sensors across the network environment to try to pick up evidence of system breaches or data exposure.  Their goal is to detect incidents that may have bypassed the protective defenses, confirm and prioritize the risks associated with those incidents, and ultimately contain or remediate them. This is the equivalent of casting a wide net to collect as many fish as possible, without knowing exactly where they are or what they are.

In contrast, by leveraging the TXHunter solution, incident response (IR) teams are able to quickly deploy a disposable client to suspect systems to promptly identify the presence of unknown and suspicious files on critical production Windows servers or endpoint systems. This allows the IR team to determine the extent and severity of the incident for risk analysis and remediation as early in the investigation process as possible.