Prioritize

Make your investigations fast and comprehensive by letting Cyber Triage score all of the collected artifacts so that you can start with the most important clues first.

Rapidly prioritize thousands of artifacts

  • Bad items are tied to known intrusion activity and should be the first clues you look into
  • Suspicious items could be the attacker trying to blend in and are your second priority
  • Good items aren’t worth your precious time

Leverage comprehensive threat intelligence

  • Malware scanning from 40+ engines
  • YARA support to integrate cutting-edge rules
  • Heuristics that experienced responders look for, such as anomalous processes
  • Import of IOC threat intelligence lists

Get context on the clues

  • Use the Timeline to see what happened before and after a given event
  • See what other files are stored alongside malware and other suspicious files with File Explorer
  • Pivot easily between data types to learn about related artifacts, such as a network connection associated with a file

Scored artifact details

  • Files with malware based on results from multiple ReversingLabs engines
  • Known bad files and other items based on IOCs and blacklists
  • Windows processes that appear to have been tampered with, found by verifying their parent hierarchy and owner
  • Programs and scheduled tasks that were run out of uncommon locations
  • Startup programs, services, or drivers in uncommon locations or that are not signed
  • Processes with names that are too similar to normal Windows processes
  • Processes that could have been exploited and are now running command prompts
  • Active network connections to uncommon remote ports
  • Listening ports on uncommon local ports
  • Remote desktop connections with suspicious users and settings
  • User accounts with abnormal behaviors and failed logins
  • Executable files hidden in NTFS Alternate Data Streams
  • Executable files that have suspicious structure and settings
  • Encrypted archive files that could be from data exfiltration
  • Known good operating system and application files, identified by MD5 hash values and the NIST NSRL, so they can be ignored; this reduces the amount of data that needs to be analyzed and reviewed
  • For more details, including a complete list of scored artifacts, contact us
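The heuristic categories above (IOC and known-good hash matching, uncommon locations, lookalike process names, parent-hierarchy checks) as a small scorer, added here as an illustration; it is not Cyber Triage code, its allowlist, blocklist, hashes and sample processes are constructed, and the rules are deliberately simplified.

```python
"""Toy artifact scorer mirroring the heuristic categories listed above. Constructed
example with fake hashes; not Cyber Triage code and not its real scoring logic."""
from dataclasses import dataclass

# Constructed stand-ins for an NSRL known-good set and an IOC blocklist (fake hashes).
KNOWN_GOOD_MD5 = {"d41d8cd98f00b204e9800998ecf8427e"}
IOC_MD5 = {"0000000000000000000000000000bad0"}
COMMON_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOWS_PROCS = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "explorer.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe"}
@dataclass
class Process:
    name: str
    path: str
    parent: str
    md5: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches lookalike names such as svch0st.exe vs svchost.exe."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(p: Process):
    """Return (verdict, reasons); verdict is BAD, SUSPICIOUS or GOOD, in that priority."""
    name, path = p.name.lower(), p.path.lower()
    if p.md5 in IOC_MD5:                      # known bad beats everything else
        return "BAD", ["md5 matches IOC list"]
    if p.md5 in KNOWN_GOOD_MD5:               # NSRL-style allowlist: ignore the item
        return "GOOD", ["md5 in known-good set"]
    reasons = []
    if not path.startswith(COMMON_DIRS):
        reasons.append("runs from uncommon location")
    if name not in WINDOWS_PROCS and any(edit_distance(name, w) == 1 for w in WINDOWS_PROCS):
        reasons.append("name is a near-match of a Windows process")
    expected = EXPECTED_PARENT.get(name)
    if expected and p.parent.lower() != expected:
        reasons.append(f"unexpected parent {p.parent} (expected {expected})")
    return ("SUSPICIOUS", reasons) if reasons else ("GOOD", ["no heuristic fired"])

def triage(procs):  # BAD first, then SUSPICIOUS, then GOOD, so the best clues come first
    rank = {"BAD": 0, "SUSPICIOUS": 1, "GOOD": 2}
    return sorted(((p, *score(p)) for p in procs), key=lambda t: rank[t[1]])

SAMPLE = [  # constructed: lookalike in a user dir, svchost with wrong parent, known-good file
    Process("svch0st.exe", "C:\\Users\\Public\\svch0st.exe", "explorer.exe", "ff" * 16),
    Process("svchost.exe", "C:\\Windows\\System32\\svchost.exe", "cmd.exe", "11" * 16),
    Process("notepad.exe", "C:\\Windows\\notepad.exe", "explorer.exe", "d41d8cd98f00b204e9800998ecf8427e")]
```

`triage(SAMPLE)` returns the processes with their verdict and the reasons that fired, ordered so the analyst reviews bad and suspicious items first.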