How It Works

While we try to hide Cyber Triage’s complexity, many people want to know what it is doing.  This page goes into more detail about what it does.

Agentless Automated Collection

The first step in the analysis process is to collect data from the target system.  Unlike other commercial tools, Cyber Triage does not require an agent to be installed on a live system and it can collect data disk images.  Its collection tool has a minimal footprint on the target system and does not need to be installed, which means that it does not add itself to the registry. Its targeted collection approach saves time because it copies the most important data from the system and does not require the user to make an image of the entire drive.

  • Collection tool properties:
    • Runs on all versions of Microsoft Windows XP and newer.
    • Requires no installation on target systems. It is pushed to live systems as needed or can run directly from a USB drive.
    • Collection can be started manually or automated from a SIEM or other workflow tool using our REST API.
    • Analyzes disk images in raw or E01 formats.
  • Performs targeted file collection through:
    • Registry analysis identifying startup programs, drivers, services, and programs that were run.
    • Reviewing scheduled tasks.
    • Event log and registry analysis for login and remote desktop activity.
    • Using The Sleuth Kit® forensics library, thereby making it less vulnerable to typical rootkits and does not modify file access times.
  • Additional collected data includes:
    • Volatile data (running processes, open ports, logged in users, active network connections, DNS cache, etc.)
    • File metadata about all files for timeline, blacklisting, and indicator of compromise analysis.
    • A file system scan for indicators of data exfiltration and suspicious executables.

Automated Analysis

After data is collected from the target system, it is stored in a central database and analyzed.  The analysis automatically applies heuristics that an experienced responder would otherwise have to perform manually as they review the data. The automated analysis looks for suspicious processes and startup items and sends all collected files for malware analysis.  The result is a set of high and medium threat items presented for user assessment.  Users can also configure the system to look for items based on their experience and threat intelligence.

  • Applies heuristics to collected data, such as running processes, remote desktop connections, recently run programs, and open ports.
  • Sends collected files for malware analysis, currently using the OPSWAT Metascan service that wraps over 40 commercial malware scanning applications.
  • Ignores known files based on MD5 values and NIST NSRL.
  • Compares collected data with user-configurable blacklisting (known bad) and whitelisting (known good).

Guided Review

Every host is used differently and therefore not all data can be automatically analyzed.  Cyber Triage has a unique feature that presents certain types of data to the user for them to review and identify as good or bad.  It fuses and enriches the data to make it as easy as possible for the user to make the decisions.   Situational awareness is maintained, using previously collected data to show how often an item has been seen before and if any previous investigation flagged it as bad.

  • Questions are posed to the first responder about hosts, users, ports, and scheduled tasks  to identify the suspicious data that cannot be determined by heuristics alone.
  • Backend database provides situational awareness by showing:
    • What has changed on this host since the last collection
    • What other hosts in the same incident, or overall, have similar data
  • Remote hosts are shown with Geo-IP information, from MaxMind, and reputation service results to help identify suspicious connections.  Heuristics are applied to remote desktop and network shares to help flag abnormal activity.
  • Open ports are displayed with metadata, such as parent process.  Common ports are hidden from view.
  • Local and domain users are displayed with login and other activity from local event logs.
  • Scheduled tasks are displayed with triggers and location of executable.

Incident-level Grouping

Consultants and law enforcement groups often encounter a large number of systems to analyze. Cyber Triage groups these hosts so that they can be prioritized among each other based on automated analysis results.  When an item is found to be bad on one of the hosts, it is automatically marked as bad on the other hosts, thereby saving time and reducing mistakes.  This grouping capability allows for better collaboration and faster results.