Group-IB Threat Hunting Framework

Promote this Nomination

Additional Info

Company (that provides the nominated product / solution / service)Group-IB
Company size (employees)500 to 999
Type of solutionHybrid

In 3 bullets, summarize why this product or service is different from the competition and deserves recognition:

• North/south and East/west traffic
- C&C communication channels
- Payloads
- Advanced vulnerabilities for infection
- Covert channels for commands
and data upload
- Lateral movement
- Privilege escalation, using remote access & vulnerabilities
- Policy violation including LOTL techniques.
• Full traffic visibility and retrospective view
Supports hundreds of L7 protocols for deep analysis, meta extraction, and diverse retrospective view on analyzed traffic
• Additional integration features
Integrate with email flows, proxy servers (ICAP), file storages for better coverage. Custom hunt signatures and YARAs supported

Brief Overview

Group-IB Threat Hunting Framework (THF) is a single solution for complex protection of IT and OT segments in any organization. It is based on an adversary-centric approach to detection and mitigation of targeted attacks and our patented technologies.
It consists of 6 different modules, each one is a complex and advanced solution on its own:
• THF Sensor for network research and protection
• THF Huntpoint for endpoint protection
• THF Polygon for malware detonation and analysis
• THF Huntbox for collaborative hunting, events correlation and automated response
• THF Sensor Industrial for OT network traffic protection
• THF Decryptor for TSL/SSL traffic decryption
THF Sensor is a Group-IB Threat Hunting Framework module designed to analyze incoming and outgoing data packages. Using its own signatures, Sensor detects interactions between infected devices and adversary infrastructure, general network anomalies, and behavior anomalies of network devices. The module also extracts objects under analysis from various sources and transfers them to THF Polygon.
THF Sensor provides follow functions:
• Extraction of files from network traffic
Files are extracted from traffic, deemed to be suspicious or not, and then transferred Polygon for behavioral analysis.
• Blocking of downloadable files
Integration is performed with ICAP proxy solutions to block downloadable malicious objects in conjunction with Polygon.
• File storage analysis
File storage content is examined and selectively blocked depending on the presence or absence of malware, in conjunction with Polygon.