Group-IB Threat Hunting Framework

Promote this Nomination

Additional Info

Company (that provides the nominated product / solution / service)Group-IB
Company size (employees)500 to 999
Type of solutionHybrid

In 3 bullets, summarize why this product or service is different from the competition and deserves recognition:

• Full payload execution
Implements our set of technologies that force malicious payloads to fully execute in an isolated environment without risk
• Advanced anti-evasion techniques
Deals with hundreds of different malware stealth TTPs: time-based attacks, fuzzy URLs, environmental checks and steps requiring user interaction
• Full behavioral report
Verdict always comes with clear evidence and decision analytics. Deep IOCs are automatically extracted during analysis. All artifacts are available for download and further analysis

Brief Overview

Group-IB Threat Hunting Framework (THF) is a single solution for complex protection of IT and OT segments in any organization. It is based on adversary-centric approach to detection and mitigation of targeted attacks and our patented technologies.
THF Sensor module sends a file extracted from mail or Internet traffic to the THF Polygon module, which is specifically designed for unknown threats and causes them to detonate in an isolated environment. Ordinary sandboxes also try to check such files, but if nothing is found during unpacking, they are skipped.
Cyber criminals have learned how to determine whether they are on a real machine or are still being checked in a virtual environment. For instance, they look at the presence of documents on the desktop, in the recently edited folder, in order to understand whether this is a sandbox. Therefore, the system must behave like a real user in order to provoke the execution of malicious code. This includes imitation of a mouse movement and more – after all, the robot often will not absentmindedly move the mouse across the screen, it will immediately and accurately hit the desired button.
Also, a lot of trouble is caused by links – in the moment of checking it can lead to a normal site, and after a while – to the Trojan’s download page. Hackers also use the tactics of deferred tasks, when their mine is triggered after a certain, sometimes very long time. Despite these tricks, THF Polygon copes with them perfectly and makes the malware manifest itself.