The best prevention in the world will not stop all attackers - especially the highly skilled and determined - all of the time. Breaches will occur. When they do, the challenge for the SOCs is to minimize the dwell time. One method of doing so is threat hunting - a proactive process where SOC analysts search networks, endpoints, and data in an effort to isolate and detect advanced threats that have evaded defenses. A variety of threat hunting methods exist, some real-time and others retrospective.
Retrospective analysis traditionally focuses on logs and PCAPs. These solutions are costly, resource intensive, and require additional data processing to expose the intricate layers that threat hunters are looking for, such as embedded logic, semantics, and metadata.
FDR RetroHunting automates the process of hunting back in time for the presence of malware, ransomware, exploits and other end user-induced security issues. This is made possible through a set of features - including Session and File Level Search, Automated Retrospective Analysis, Tunable Retrospective Window and Retrospective Data Leak Discovery - which dramatically speeds up and simplifies threat hunting to collapse dwell time.
Example analyst / threat hunter use cases made easy and fast by RetroHunting include:
- What historical files do we now know to be malicious?
- Find any file/email containing the keyword __🔍 __.
- Show me emails which failed SPF validation.
- Search metadata across all Office documents.
- Hunt PDFs with evasive characteristics.
- Retrieve all invoices with values greater than __ 💵 __.
- Validate the efficacy of custom detection logic.
Very often organizations just do not know a threat actor or malware has breached them until days, months, or even years after the initial intrusion. Worse yet, some organizations may receive their first notice of a breach from a third party. Fast incident response time is crucial in remediation and mitigation of both known and unknown threats. As well, it is enormously useful to be able to proactively monitor your environment for the presence of attacks, threat actor groups, and malware of interest. This is the essence of how RetroHunting adds immediate value to the lives of security analysts and threat hunters.