Managed HUNT

With the ever-changing threat landscape and the evolution of malware, cyber-attacks are an increasingly serious risk for organizations. Many companies seem to believe that their organization won’t be targeted. They might say that their organization is too small to be on an attacker’s radar, or that they don’t have anything worth attacking, but the truth is that cyber criminals are indiscriminate in their attacks and can almost always find something worth stealing. A lot of companies that say they won’t be targeted may have already been breached – they just don’t know it yet.

And as the Ponemon 2017 Cost of a Data Breach Study shows, the longer it takes to detect a breach, the more expensive it will be. The study found that US companies took an average of 206 days to detect a data breach, a slight increase on the previous year (201 days). Ponemon suggests all organizations should aim to identify a breach within 100 days. The average cost of identifying a breach within this time was $5.99 million, but for breaches that took longer to identify, the average cost rose to $8.70 million. There is a similar correlation in terms of containing a breach: breaches that took less than 30 days to contain had an average cost of $5.87 million, but this rose to $8.83 million for breaches that took longer to contain.

At Inceptus we think 100 days is too long, so we designed a service to rapidly detect these intrusions and contain the attack.


Are Your Security Controls Working?


Inceptus’ Managed HUNT service evaluates an organization’s enterprise for the presence of advanced attacks, stealthy malware and persistent threats that may have successfully bypassed existing defenses. This is accomplished by attempting to discover the Indicators of Attack (IoA) and Indicators of Compromise (IoC) left behind after an attack has been perpetrated. Managed HUNT combines automated data collection with proactive analysis by highly skilled analysts to deliver advanced forensic detection and alerting. We make it easy for organizations to rapidly deploy our services with minimal effort and no on-site equipment. We simply deploy our lightweight “run and done” client on your endpoints; it collects relevant information from the system, encrypts the data and sends it to our cloud-based analytics system for analysis.

What Do We Look At?

File System Attributes

Windows PE Attributes

Operating System Artifacts

Standard System Information

Volatile Data

DNS Cache

What Do We Look For?

New and Re-Configured Services

Run Keys

Persistence Areas

Threat Actor Tools, Techniques and Procedures (TTPs)

Hacker Trade-craft

Lateral Movement

We Found Something! Now What?


Inceptus will notify you immediately of the intrusion and give details as to the nature of the discovery. This will provide you with the detail that is needed to decide on the best course of action. Inceptus can also be engaged to conduct a multi-phase process beginning with incident triage and provide you with an action plan for execution. You can decide, based on the action plan, how to utilize Inceptus’ expertise for further analysis. During this time, Inceptus will conduct a number of cyber incident response activities, which may include digital forensics, malicious code analysis, log reviews, system access level analysis, timeline analysis, recovery of exfiltrated data, and analysis of persistence, entrenchment and lateral movement techniques, of the tools the attackers used (including system administrator tools, remote desktop, PsExec, the net command, etc.), of host and network indicators of compromise, and of existing monitoring capabilities, along with other traditional and non-traditional incident response and investigative tasks. Deliverables will include status reports, which may include a comprehensive list of indicators of compromise, identified risk factors and recommendations, analysis reports, management reports, and other deliverables as necessary.