Use Cases: Detection and Response

Leading experts and global organizations use Awake to combat threats such as file-less malware, insider attacks, lateral movement and data exfiltration.

Featured Testimonial


Jon Miller

World-Renowned Incident Responder & Security Expert

The ‘last mile’ in security is the most limiting factor in successful detection and response. Preventing subsequent failures requires understanding how controls failed, while fully remediating a threat requires understanding the scope of their activity. Even for people with the talent to do this, it’s laborious and tedious work. By consuming the ground truth found in network traffic and using analytics to handle the most error-prone and grueling investigative tasks, Awake helps newer and seasoned investigators alike, while giving them the power to analyze threats in ways they couldn’t before.

Key Use Cases for Security Teams

Awake supports a wide variety of security use cases across three broad categories. Many of these are either impossible, error-prone or cumbersome to do using any existing technology.

Detection: Detect file-less malware, insider attacks, credential abuse, lateral movement, data exfiltration and other threats that blend in with business-justified activity.

Investigation: With one click, pivot from an alert in your SIEM to a detailed device profile, including a list of similar devices for campaign analysis.

Hunting: Discover endpoints that are invisible to log- or agent-based approaches, including unmanaged IoT, BYOD and contractor devices.

Real-world Detection and Response Case Studies

Lateral Movement Detection via Remote Service Creation
A threat actor was moving within a customer environment using tools that are not malicious in themselves: standard operating system administrative utilities were being used to create services on remote hosts. The traditional detection mechanisms deployed by this customer missed the activity because no malware was in use.

Within a few minutes of Awake being deployed, it flagged this activity as suspicious and prioritized it for the security analyst to investigate.

detection use case awake security screenshot

Awake detected this file-less threat by:
  • Highlighting the use of SMB service-control commands (the service control manager RPC interface reached over the svcctl named pipe) for remote service creation.
  • Surfacing that these commands were not seen across the general user population.
  • Identifying devices that had a similar work function to those being targeted.
  • Pointing out that the user account in use was accessing more systems than the average account.
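The four signals above can be reproduced in plain code over network events. The following is an added example written for this page, not Awake's own code: it runs over a constructed list of SMB/DCERPC events (source host, destination host, account, named pipe, operation) of the shape a network sensor would emit, and uses a constructed host-to-work-function map standing in for whatever inventory or behavioural grouping a real deployment would use. The field layout, thresholds and host names are assumptions for illustration.

```python
"""Constructed lateral-movement triage: remote service creation over SMB.

Added example, not Awake's code. The events and the host role map below are
constructed for illustration; field names and thresholds are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# MS-SCMR operations carried over the \PIPE\svcctl named pipe that create or
# start a service on the remote host (what `sc.exe \\host create` and PsExec do).
SERVICE_CONTROL_OPS = {"CreateServiceW", "CreateServiceA", "StartServiceW", "StartServiceA"}

# Constructed sample events: (src_host, dst_host, user, named_pipe, operation).
SAMPLE_EVENTS = [
    ("ws-101", "fs-01", "alice", None, "ReadFile"),
    ("ws-102", "fs-01", "bob", None, "ReadFile"),
    ("ws-103", "fs-01", "carol", None, "WriteFile"),
    ("ws-104", "print-01", "dave", "spoolss", "RpcOpenPrinter"),
    ("ws-105", "fs-01", "erin", None, "ReadFile"),
    ("ws-106", "fs-02", "frank", None, "ReadFile"),
    ("ws-107", "fs-02", "grace", None, "ReadFile"),
    ("ws-108", "fs-02", "heidi", None, "ReadFile"),
    # The actor: one workstation, one account, service creation on several hosts.
    ("ws-101", "fin-02", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-101", "fin-02", "svc_backup", "svcctl", "StartServiceW"),
    ("ws-101", "fin-03", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-101", "fin-04", "svc_backup", "svcctl", "CreateServiceW"),
    ("ws-101", "hr-01", "svc_backup", "svcctl", "CreateServiceW"),
]

# Constructed host-to-work-function map (assumed to come from an inventory).
HOST_ROLE = {
    "fin-01": "finance", "fin-02": "finance", "fin-03": "finance",
    "fin-04": "finance", "fin-05": "finance", "hr-01": "hr", "hr-02": "hr",
    "fs-01": "fileserver", "fs-02": "fileserver", "print-01": "print",
}


def service_control_events(events):
    """Events that create or start a service on a remote host via svcctl."""
    return [e for e in events if e[3] == "svcctl" and e[4] in SERVICE_CONTROL_OPS]


def rare_service_creators(events, max_fraction=0.2):
    """Source hosts issuing service-control RPCs, if they are a small share of all hosts."""
    all_sources = {e[0] for e in events}
    creators = {e[0] for e in service_control_events(events)}
    if creators and len(creators) / len(all_sources) <= max_fraction:
        return creators
    return set()


def account_fanout(events):
    """Distinct destination hosts touched per user account."""
    dests = defaultdict(set)
    for _, dst, user, _, _ in events:
        dests[user].add(dst)
    return {user: len(hosts) for user, hosts in dests.items()}


def outlier_accounts(events, z=2.0):
    """Accounts reaching far more hosts than the population average (z-score test)."""
    fanout = account_fanout(events)
    counts = list(fanout.values())
    mu, sigma = mean(counts), pstdev(counts)
    if sigma == 0:
        return set()
    return {u for u, n in fanout.items() if (n - mu) / sigma > z}


def peers_of_targets(targets, roles):
    """Untouched hosts sharing a work function with the targeted ones: likely next victims."""
    target_roles = {roles[t] for t in targets if t in roles}
    return sorted(h for h, r in roles.items() if r in target_roles and h not in targets)


def triage(events, roles=HOST_ROLE):
    """Combine the signals into one prioritized finding per (source host, account)."""
    rare = rare_service_creators(events)
    outliers = outlier_accounts(events)
    findings = {}
    for src, dst, user, _, _ in service_control_events(events):
        f = findings.setdefault((src, user), {"targets": set(), "reasons": set()})
        f["targets"].add(dst)
        f["reasons"].add("remote service creation over svcctl")
        if src in rare:
            f["reasons"].add("service creation not seen from the general population")
        if user in outliers:
            f["reasons"].add("account reaches more hosts than average")
    for f in findings.values():
        f["targets"] = sorted(f["targets"])
        f["peers_at_risk"] = peers_of_targets(f["targets"], roles)
        f["score"] = len(f["reasons"])
    return sorted(findings.items(), key=lambda kv: -kv[1]["score"])


if __name__ == "__main__":
    for (src, user), finding in triage(SAMPLE_EVENTS):
        print(src, user, finding)
```

On the constructed sample, `triage` returns a single finding for `ws-101` / `svc_backup` with all three reasons and lists `fin-01`, `fin-05` and `hr-02` as the untouched peers of the targeted hosts, which is the list an analyst would watch next. The z-score and the 20% rarity threshold are deliberately crude; on a real network the population baselines would be computed over a much longer window and per peer group rather than globally.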

Spear Phishing Response & Campaign Investigation
A customer received an alert that one of their users had clicked on a link within a phishing email. The victim was collaborating with a cross-departmental team on some proprietary efforts for the organization. The investigator was concerned about a broader campaign.

Starting with only the email address of the victim, Awake was able to reveal that this was a sustained campaign that had used multiple lures in the past and targeted multiple members of the team working on the project. The entire analysis with Awake was complete in about half an hour.

investigation use case awake security screenshot

Awake enabled a quick and effective response by:
  • Providing a one-click pivot from the victim's email address in the SIEM to the list of affected devices.
  • Highlighting devices with a similar work function to the victim's, and the users of those devices.
  • Identifying additional victims of the campaign and building a forensic timeline.
  • Surfacing other lures that shared the attacker's TTPs, e.g. the domain registrant information used.
  • Enabling ongoing monitoring of the targeted users and devices for real-time protection.

Discovering a Malicious Hardware Implant on the Network
Awake uncovered a malicious hardware implant that was sniffing traffic from local networks and exfiltrating the information externally. Existing sources such as logs and endpoint inventories provided no visibility, since the implant was, naturally, not part of the organization's managed infrastructure.

Using Awake, the hunting team had visibility into every device that communicated on the network, based on network ground truth. Awake automatically surfaces the entities with the most notable behaviors, which in this case highlighted the hardware implant.

visibility use case awake security screenshot

Awake's comprehensive visibility into managed and unmanaged devices detected this malicious device by:
  • Surfacing the hardware implant as notable because its SSL/TLS client characteristics were unlike those of any other device.
  • Identifying the destination domain as notable due to a unique SSL/TLS server fingerprint.
  • Highlighting that the device had unusual traffic patterns: it communicated only once a day, and significantly more data went out than came in.
  • Providing a forensic timeline of when the implant first appeared on the network.
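The behaviours listed above (beacon-like timing, upload-heavy byte ratio, client and server TLS fingerprints seen nowhere else, and first-seen time) are all derivable from flow metadata. The following is an added example written for this page, not Awake's own code: it hunts over a constructed set of TLS flow records (timestamp, device, destination domain, client fingerprint, server fingerprint, bytes out, bytes in) in the shape a TLS-aware sensor produces. The fingerprint strings, device addresses and thresholds are assumptions for illustration.

```python
"""Constructed hunt for a low-and-slow exfiltration device on the network.

Added example, not Awake's code. The flow records below are constructed; the
fingerprint values stand in for JA3/JA3S-style hashes and are not real ones.
"""
from collections import defaultdict
from statistics import mean, pstdev

DAY = 86400

# (unix_ts, device, dst_domain, client_fp, server_fp, bytes_out, bytes_in)
SAMPLE_FLOWS = []
# Ordinary workstations: several flows a day at irregular hours, a client
# fingerprint shared by all of them, download-heavy traffic.
for day in range(5):
    for hour in (9, 11, 14, 16):
        for dev in ("ws-101", "ws-102", "ws-103"):
            SAMPLE_FLOWS.append((day * DAY + hour * 3600, dev, "mail.example.com",
                                 "fp-browser-1", "srv-fp-a", 4_000, 60_000))
# The implant: one flow per day at the same time, fingerprints seen from no
# other device, far more bytes out than in. Only an IP, since nothing manages it.
for day in range(5):
    SAMPLE_FLOWS.append((day * DAY + 3 * 3600 + 17 * 60, "10.0.4.77",
                         "cdn-update.example.net", "fp-unique-9", "srv-fp-z",
                         250_000, 1_200))


def flows_by_device(flows):
    by_dev = defaultdict(list)
    for f in flows:
        by_dev[f[1]].append(f)
    return by_dev


def periodicity(timestamps):
    """Mean gap between consecutive flows and its coefficient of variation.

    A CV near zero means the device talks on a fixed schedule (beaconing).
    Returns (None, None) when there are too few flows to judge.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None, None
    mu = mean(gaps)
    return mu, (pstdev(gaps) / mu if mu else None)


def unique_client_fingerprints(flows):
    """Client TLS fingerprints observed from exactly one device."""
    devices = defaultdict(set)
    for f in flows:
        devices[f[3]].add(f[1])
    return {fp for fp, devs in devices.items() if len(devs) == 1}


def unique_server_fingerprints(flows):
    """Server TLS fingerprints that appear in the traffic of exactly one device."""
    devices = defaultdict(set)
    for f in flows:
        devices[f[4]].add(f[1])
    return {fp for fp, devs in devices.items() if len(devs) == 1}


def hunt(flows, max_cv=0.1, min_out_in_ratio=5.0):
    """Score every device by how many of the notable behaviours it shows."""
    uniq_client = unique_client_fingerprints(flows)
    uniq_server = unique_server_fingerprints(flows)
    findings = []
    for dev, fl in flows_by_device(flows).items():
        reasons = []
        mu, cv = periodicity([f[0] for f in fl])
        if cv is not None and cv <= max_cv:
            reasons.append(f"beacons every {mu / 3600:.1f} h")
        out_bytes, in_bytes = sum(f[5] for f in fl), sum(f[6] for f in fl)
        if in_bytes and out_bytes / in_bytes >= min_out_in_ratio:
            reasons.append(f"out/in byte ratio {out_bytes / in_bytes:.0f}")
        if any(f[3] in uniq_client for f in fl):
            reasons.append("client TLS fingerprint seen from no other device")
        domains = sorted({f[2] for f in fl if f[4] in uniq_server})
        if domains:
            reasons.append("destination with server fingerprint seen nowhere else: "
                           + ", ".join(domains))
        findings.append({"device": dev, "first_seen": min(f[0] for f in fl),
                         "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in hunt(SAMPLE_FLOWS):
        print(finding)
```

On the constructed flows the implant at 10.0.4.77 scores on all four behaviours and sorts to the top, with `first_seen` giving the start of the forensic timeline; the three workstations score zero. The periodicity test is deliberately naive (one mean gap per device); a production hunt would look at the distribution of gaps per destination, since a device that beacons to one server while browsing normally would otherwise hide its schedule in the noise.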

Ready to try Awake?

Benefit from two years of research with hundreds of security professionals and improve analyst productivity tenfold.