Jon Miller, World-Renowned Incident Responder & Security Expert
The ‘last mile’ in security is the most limiting factor in successful detection and response. Preventing subsequent failures requires understanding how controls failed, while fully remediating a threat requires understanding the scope of their activity. Even for people with the talent to do this, it’s laborious and tedious work. By consuming the ground truth found in network traffic and using analytics to handle the most error-prone and grueling investigative tasks, Awake helps newer and seasoned investigators alike, while giving them the power to analyze threats in ways they couldn’t before.
Key Use Cases for Security Teams
Awake supports a wide variety of security use cases across three broad categories. Many of these are impossible, error-prone or cumbersome to do with existing technology.
DETECTION OF MALICIOUS INTENT
Detect file-less malware, insider attacks, credential abuse, lateral movement, data exfiltration and other threats that blend in with business-justified activity.
With one click, pivot from an alert in your SIEM to a detailed device profile, including a list of similar devices for campaign analysis.
Discover endpoints that are invisible to log- or agent-based approaches including unmanaged IoT, BYOD and contractor devices.
Real-world Detection and Response Case Studies
Lateral Movement Detection via Remote Service Creation
A threat actor was moving within a customer environment using tools that are not malicious in themselves: standard operating system administrative utilities that were being used to create services on remote hosts. The traditional detection mechanisms deployed by this customer missed this activity because no malware was in use.
Within a few minutes of Awake being deployed, it flagged this activity as suspicious and interesting and prioritized it for the security analyst to investigate.
Awake detected this fileless attack by:
- Highlighting service-creation calls to the Service Control Manager (the svcctl named pipe, MS-SCMR) carried over SMB, the same mechanism PsExec-style remote execution relies on.
- Surfacing that these calls were not seen from the general user population.
- Identifying devices that had a similar work function to those being targeted.
- Pointing out that the user account being used was accessing more systems than the average account.
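The three signals above (a rarely used SMB-transported RPC pipe, service-creation calls on that pipe, and an account whose reach is far above its peers) can be combined into a prioritised alert from network metadata alone. The following is an added example, not Awake's code or detection logic; the event records are constructed, and their shape (source host, destination host, account, named pipe, RPC operation) is an assumption about what a network sensor's DCE/RPC log would carry. The operation names CreateServiceW and StartServiceW are the real MS-SCMR calls issued over \PIPE\svcctl.

```python
"""Surface remote service creation over SMB from network metadata:
the svcctl (MS-SCMR) pipe is rare across the host population, and the
account driving it reaches more hosts than its peers.
Example code, not Awake's implementation."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (hypothetical, not customer data): one record per
# DCE/RPC call observed inside an SMB session.
# (src_host, dst_host, account, named_pipe, rpc_operation)
EVENTS = [
    ("ws-101", "fs-01", "alice", "srvsvc", "NetShareEnumAll"),
    ("ws-102", "fs-01", "bob", "srvsvc", "NetShareEnumAll"),
    ("ws-103", "fs-01", "carol", "srvsvc", "NetShareEnumAll"),
    ("ws-104", "fs-01", "dave", "srvsvc", "NetShareEnumAll"),
    ("ws-105", "fs-02", "erin", "srvsvc", "NetShareEnumAll"),
    ("ws-101", "fs-02", "alice", "srvsvc", "NetShareEnumAll"),
    ("ws-107", "srv-11", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-107", "srv-12", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-107", "srv-13", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-107", "srv-14", "svc_backup", "svcctl", "StartServiceW"),
    ("ws-107", "srv-15", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-107", "srv-16", "svc_backup", "svcctl", "CreateServiceW"),
]

# MS-SCMR operations that create a service on the remote host.
SERVICE_CREATE_OPS = {"CreateServiceW", "CreateServiceA"}


def pipe_rarity(events):
    """Fraction of source hosts that touched each named pipe at all."""
    hosts = {e[0] for e in events}
    users = defaultdict(set)
    for src, _, _, pipe, _ in events:
        users[pipe].add(src)
    return {pipe: len(s) / len(hosts) for pipe, s in users.items()}


def account_fanout(events):
    """Distinct destination hosts reached per account."""
    fan = defaultdict(set)
    for _, dst, acct, _, _ in events:
        fan[acct].add(dst)
    return {acct: len(d) for acct, d in fan.items()}


def fanout_outliers(events, z=2.0):
    """Accounts whose fan-out is at least z population standard
    deviations above the mean, with their z-score."""
    fan = account_fanout(events)
    counts = list(fan.values())
    mu, sd = mean(counts), pstdev(counts)
    if sd == 0:
        return {}
    return {a: round((n - mu) / sd, 2) for a, n in fan.items() if (n - mu) / sd >= z}


def remote_service_creation_alerts(events, rarity_max=0.25, z=2.0):
    """One alert per source host that created services on remote hosts,
    with the reasons an analyst needs to triage it: how rare svcctl is
    in this population and whether the account's reach is anomalous."""
    rarity = pipe_rarity(events)
    outliers = fanout_outliers(events, z)
    alerts = {}
    for src, dst, acct, pipe, op in events:
        if pipe != "svcctl" or op not in SERVICE_CREATE_OPS:
            continue
        alert = alerts.setdefault(src, {"account": acct, "targets": set(), "reasons": []})
        alert["targets"].add(dst)
    for alert in alerts.values():
        alert["targets"] = sorted(alert["targets"])
        alert["reasons"].append(f"created services on {len(alert['targets'])} remote hosts")
        if rarity.get("svcctl", 0) <= rarity_max:
            alert["reasons"].append(f"svcctl pipe used by only {rarity['svcctl']:.0%} of hosts")
        acct = alert["account"]
        if acct in outliers:
            alert["reasons"].append(f"account {acct} fan-out z-score {outliers[acct]}")
    return alerts


if __name__ == "__main__":
    for host, alert in remote_service_creation_alerts(EVENTS).items():
        print(host, alert["account"], alert["targets"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

The thresholds (a pipe used by at most a quarter of hosts, a z-score of 2) are illustrative; in practice the population baseline should be built per work function, since backup or patching accounts legitimately fan out to many hosts and would otherwise dominate the alert queue.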
Spear Phishing Response & Campaign Investigation
A customer received an alert that one of their users had clicked on a link within a phishing email. The victim was collaborating with a cross-departmental team on some proprietary efforts for the organization. The investigator was concerned about a broader campaign.
Starting with only the email address of the victim, Awake was able to reveal that this was a sustained campaign that had used multiple lures in the past and targeted multiple members of the team working on the project. The entire analysis with Awake was complete in about half an hour.
Awake enabled a quick and effective response by:
- Providing a one-click pivot from the victim's email address in the SIEM to the list of affected devices.
- Highlighting devices in a similar work function to the victim's, and the users of those devices.
- Identifying additional victims of the campaign and building a forensic timeline.
- Surfacing other lures that shared the attacker's TTPs, e.g. the same domain registrant information.
- Enabling ongoing monitoring of the targeted users and devices for real-time protection.
Discovering a Malicious Hardware Implant on the Network
Awake uncovered a malicious hardware implant that was sniffing traffic from local networks and then exfiltrating information externally. Existing tools such as logs and endpoint repositories provided no visibility, since the implant was, by definition, not part of the organization's managed infrastructure and ran no agent.
Using Awake, the hunting team had visibility into all devices based on network ground truth. Awake automatically surfaces the entities with the most interesting behaviors to the top, which in this case highlighted the hardware implant.
Awake's comprehensive visibility into managed and unmanaged devices detected this malicious device by:
- Surfacing the hardware implant as notable because its TLS client characteristics (the cipher suites and extensions it offered in the handshake) matched no other device on the network.
- Identifying the destination domain as notable because its TLS server fingerprint was seen nowhere else.
- Highlighting that the device had unusual traffic patterns: it communicated only once a day, and significantly more data went out than came in.
- Providing a forensic timeline of when the implant first appeared on the network.
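The four behaviors listed above (a client fingerprint shared with nobody, a destination contacted by nobody else, clockwork periodicity, and an egress-heavy byte ratio) are each computable from flow metadata, and ranking devices by how many of them hold is what pushes an unmanaged implant to the top. The following is an added example and not Awake's ranking logic; the flow records are constructed, the field layout is an assumption, and the tls_client_fp column stands in for whatever ClientHello-derived fingerprint (JA3 or similar) a sensor records.

```python
"""Rank devices by the behaviours that make a rogue implant stand out:
a TLS client fingerprint no other device uses, a destination no other
device contacts, near-zero jitter between connections, and more bytes
leaving than arriving. Example code, not Awake's implementation."""
from collections import defaultdict
from statistics import mean, pstdev

DAY = 86400

# Constructed flow records (hypothetical, not customer data):
# (start_ts, device, destination, tls_client_fp, bytes_out, bytes_in)
# The first four rows model a once-a-day beacon that uploads far more
# than it downloads; the loop adds three ordinary browsing workstations.
FLOWS = [
    (0 * DAY + 3600, "dev-unknown", "upd.example.net", "fp-odd-001", 250_000, 900),
    (1 * DAY + 3610, "dev-unknown", "upd.example.net", "fp-odd-001", 240_000, 850),
    (2 * DAY + 3590, "dev-unknown", "upd.example.net", "fp-odd-001", 260_000, 910),
    (3 * DAY + 3605, "dev-unknown", "upd.example.net", "fp-odd-001", 255_000, 880),
]
for i, dev in enumerate(("ws-1", "ws-2", "ws-3")):
    for offset in (100, 1300, 7000, 9100, 20000, 50000):
        FLOWS.append((offset + i * 777, dev, "www.example.com", "fp-browser-a", 2_000, 40_000))


def _by_device(flows):
    per = defaultdict(list)
    for f in flows:
        per[f[1]].append(f)
    return per


def devices_per_key(flows, idx):
    """Number of distinct devices sharing each value of column idx
    (3 = client fingerprint, 2 = destination). A count of 1 means unique."""
    seen = defaultdict(set)
    for f in flows:
        seen[f[idx]].add(f[1])
    return {k: len(v) for k, v in seen.items()}


def interval_stats(timestamps):
    """(mean gap, coefficient of variation) of the gaps between a
    device's connections; None with fewer than three connections."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else float("inf"))


def device_features(flows):
    """Per-device feature vector used for ranking."""
    fp_share = devices_per_key(flows, 3)
    dst_share = devices_per_key(flows, 2)
    features = {}
    for dev, fl in _by_device(flows).items():
        stats = interval_stats([f[0] for f in fl])
        features[dev] = {
            "unique_fingerprint": all(fp_share[f[3]] == 1 for f in fl),
            "unique_destination": all(dst_share[f[2]] == 1 for f in fl),
            "mean_gap_s": stats[0] if stats else None,
            "gap_cv": stats[1] if stats else None,
            # Guard against a device that never received a byte.
            "egress_ratio": sum(f[4] for f in fl) / max(1, sum(f[5] for f in fl)),
        }
    return features


def rank_devices(flows, max_cv=0.05, min_gap_s=3600, min_egress_ratio=1.0):
    """Return [(device, score, reasons)] sorted most-notable first."""
    ranked = []
    for dev, ft in device_features(flows).items():
        reasons = []
        if ft["unique_fingerprint"]:
            reasons.append("TLS client fingerprint seen on no other device")
        if ft["unique_destination"]:
            reasons.append("destination contacted by no other device")
        if ft["gap_cv"] is not None and ft["gap_cv"] <= max_cv and ft["mean_gap_s"] >= min_gap_s:
            reasons.append(f"beacons every {ft['mean_gap_s'] / 3600:.1f} h with near-zero jitter")
        if ft["egress_ratio"] >= min_egress_ratio:
            reasons.append(f"sends {ft['egress_ratio']:.0f}x more bytes than it receives")
        ranked.append((dev, len(reasons), reasons))
    ranked.sort(key=lambda r: -r[1])
    return ranked


if __name__ == "__main__":
    for dev, score, reasons in rank_devices(FLOWS):
        print(f"{dev}: {score}")
        for reason in reasons:
            print("  -", reason)
```

The first-seen timestamp of the top-ranked device (min of its flow start times) is the forensic anchor the last bullet refers to; the jitter threshold matters because legitimate scheduled jobs also beacon, but they normally share a fingerprint and destination with many peers, so they do not collect all four reasons.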