Group-IB Threat Hunting Framework

Additional Info

Company: Group-IB
Website: https://www.group-ib.com/
Company size (employees): 500 to 999

Overview

Group-IB Threat Hunting Framework (THF) is a single solution for comprehensive protection of the IT and OT segments of any organization. It is built on an adversary-centric approach to detecting and mitigating targeted attacks and on Group-IB's patented technologies.
It consists of six modules, each of which is a complete, advanced solution in its own right:
• THF Sensor for network research and protection
• THF Huntpoint for endpoint protection
• THF Polygon for malware detonation and analysis
• THF Huntbox for collaborative hunting, event correlation and automated response
• THF Sensor Industrial for OT network traffic protection
• THF Decryptor for TLS/SSL traffic decryption
The product's architecture provides increased visibility and network protection, backed by Threat Intelligence data and advanced threat hunting and analytical tools. With Group-IB Threat Hunting Framework our customers can:
• Detect previously unknown threats, using ML and dynamic analysis to look for anomalies in network traffic and on hosts
• Partially automate threat hunting within and beyond the network perimeter with event correlation, exposure of attackers' infrastructure and their technological toolkit
• Detonate and analyze malware in realistic virtual environments, using proprietary techniques that counter the sandbox-evasion checks malware performs
• Protect workstations, servers and other nodes with tools for automated incident response and host isolation
• Attribute and analyze threats with network graph analysis based on an unparalleled volume of data

How we are different

• Network traffic analysis using signatures
Attacks are detected by searching network traffic for known patterns: byte sequences, known commands, or sequences of commands used by malware.
• Analysis of network anomalies
Machine learning algorithms detect covert channels and anomalies in network traffic, such as domain names produced by DGAs (Domain Generation Algorithms) or tunnels built inside application-layer protocols.
• North/south (perimeter) and east/west (internal) traffic, covering:
- C&C communication channels
- Payloads
- Exploitation of vulnerabilities for infection
- Covert channels for commands and data upload
- Lateral movement
- Privilege escalation using remote access and vulnerabilities
- Policy violations, including LOTL (living-off-the-land) techniques
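The first two detection approaches above, signature matching and statistical anomaly detection, can be illustrated with a small analyzer. The code below is an added example written for this page; it is not Group-IB's code, rule set or model. Signature matching is shown as a byte-pattern search over payloads, and anomaly detection as fixed heuristics on DNS query names (entropy, label length, digit ratio) that flag DGA-like names and DNS-tunnel-like queries. The signatures, thresholds and sample flows are all constructed for illustration.

```python
"""Toy network-traffic analyzer: signature matching plus DNS anomaly heuristics.

Everything here (signatures, thresholds, sample flows) is constructed for
illustration and is not Group-IB's code or rule set.
"""
import math
import re
from collections import Counter

# Hypothetical signatures: a beacon URI and a binary protocol banner. Real rule
# languages add protocol parsing, offsets and flow state; this is the core search only.
SIGNATURES = [
    ("fake-beacon-uri", re.compile(rb"GET /gate\.php\?id=[0-9a-f]{8}")),
    ("fake-rat-banner", re.compile(rb"\x00\x00\x00\x11HELLO_RAT_V2")),
]


def match_signatures(payload: bytes) -> list[str]:
    """Names of every signature whose byte pattern occurs in the payload."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


def shannon_entropy(text: str) -> float:
    """Bits per character; random-looking labels score close to log2(alphabet size)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def domain_features(qname: str) -> dict:
    """Split a query name into the registrable label and the subdomain labels left of it."""
    labels = qname.rstrip(".").lower().split(".")
    core = labels[-2] if len(labels) >= 2 else labels[0]  # crude: the label left of the TLD
    sub_text = "".join(labels[:-2])                        # subdomain labels, concatenated
    return {
        "core_len": len(core),
        "core_entropy": shannon_entropy(core),
        "core_digit_ratio": sum(ch.isdigit() for ch in core) / max(len(core), 1),
        "sub_len": len(sub_text),
        "sub_entropy": shannon_entropy(sub_text),
    }


def classify_domain(qname: str) -> str:
    """Return 'dns-tunnel', 'dga' or 'benign' using fixed, illustrative thresholds."""
    f = domain_features(qname)
    # Tunnels push data out through long, high-entropy subdomain labels.
    if f["sub_len"] >= 40 and f["sub_entropy"] >= 3.5:
        return "dns-tunnel"
    # DGA names: a long, random core label, often with digits mixed in.
    if f["core_len"] >= 12 and f["core_entropy"] >= 3.2 and f["core_digit_ratio"] >= 0.15:
        return "dga"
    if f["core_len"] >= 16 and f["core_entropy"] >= 3.5:
        return "dga"
    return "benign"


def analyze(flows: list[dict]) -> list[tuple[str, str, str]]:
    """Run both detectors over flow records; return (src, detector, detail) alerts."""
    alerts = []
    for flow in flows:
        for sig in match_signatures(flow.get("payload", b"")):
            alerts.append((flow["src"], "signature", sig))
        if "qname" in flow:
            verdict = classify_domain(flow["qname"])
            if verdict != "benign":
                alerts.append((flow["src"], "anomaly", f"{verdict}:{flow['qname']}"))
    return alerts


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    {"src": "10.0.0.5", "payload": b"GET /index.html HTTP/1.1\r\nHost: www.group-ib.com\r\n\r\n",
     "qname": "www.group-ib.com"},
    {"src": "10.0.0.7", "payload": b"GET /gate.php?id=1a2b3c4d HTTP/1.1\r\nHost: cdn.example\r\n\r\n",
     "qname": "xk3j9qlwp2vz7bm.example"},
    {"src": "10.0.0.9", "payload": b"\x00\x00\x00\x11HELLO_RAT_V2\x00"},
    {"src": "10.0.0.12",
     "qname": "p4ls8vq3xmz7k2wy.r0tn9bhj6gfc5dau.e1io2kq9sm4vxw7y.tun.example.net"},
    {"src": "10.0.0.3", "qname": "internationalization.example"},  # long but dictionary word
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_FLOWS):
        print(alert)
```

The hard-coded thresholds are exactly where the ML baseline a product like this claims has to earn its keep: a 40-character readable subdomain would trip the tunnel rule, and a short DGA label would slip under the entropy cutoff, so production detection learns per-network baselines instead of fixed numbers. The long dictionary word in the last sample stays benign because its character entropy (about 2.9 bits) is far below that of a random label of the same length.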