Group-IB Threat Hunting Framework

Additional Info

Company (that provides the nominated product / solution / service): Group-IB
Website: https://www.group-ib.com/
Company size (employees): 500 to 999
Type of solution: Hybrid

In 3 bullets, summarize why this product or service is different from the competition and deserves recognition:

• Control over the environment
Detects topology changes on the OT network and abnormal interactions that do not comply with the AI-built communication map.
• Automated software integrity control
Controls the integrity of the firmware or software used in PLCs/
• Broad protocol support
Modbus, S7comm, S7comm+, UMAS, OPC UA, OPC DA, IEC 104, DNP3, DeltaV, CIP, and others. Configurable detection policies: on top of protocol support, Industrial Sensor provides a policy configuration tool to set up detection rules that fit specific client needs.

Brief Overview

Group-IB Threat Hunting Framework (THF) is a single solution for comprehensive protection of the IT and OT segments of any organisation. It is based on an adversary-centric approach to the detection and mitigation of targeted attacks and on our patented technologies.
To detect attacks in the technology segment of the enterprise, Group-IB recently developed the THF Sensor Industrial module. By analysing the data packets of industrial protocols against its own behavioural rules, THF Sensor Industrial detects the transfer of illegitimate control commands between the levels of the APCS (automated process control system), as well as the use of APCS service commands to flash the PLC, replace the control program, stop technological processes, and cause other violations.
The module supports open protocols (CIP, DNP3, IEC 60870-5-104, IEC 61850-MMS, Modbus TCP, OPC-DA, OPC-UA, MQTT) as well as proprietary ones from Siemens, Schneider Electric, Rockwell Automation and Emerson. If a required protocol is not on the compatibility list, Group-IB experts are ready to add it within a few weeks.
THF Sensor Industrial does not affect technological processes in any way: it works entirely on mirrored traffic. A good addition to the system is the THF Huntpoint module on the workstations (APM) of operators and engineers, which records actions on critical machines.
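The detection approach described above (a learned communication map plus policy rules over parsed protocol commands, evaluated on mirrored traffic) can be illustrated for Modbus/TCP. The following is an added example, not Group-IB's code; the host addresses, the baseline map and the allowlist policy are constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state; the policy below is an illustrative
# allowlist, not the vendor's own rule set.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}

@dataclass
class ModbusRequest:
    src: str       # IP of the host that sent the request (from the mirrored packet)
    dst: str       # IP of the PLC
    unit_id: int   # Modbus unit identifier from the MBAP header
    function: int  # Modbus function code

def parse_modbus_tcp(src: str, dst: str, payload: bytes) -> ModbusRequest:
    """Parse the MBAP header and function code of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(payload) - 6:  # length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src, dst, unit, payload[7])

def evaluate(requests, comm_map, write_allowlist):
    """comm_map: baseline (src, dst) pairs; write_allowlist: dst -> hosts allowed to write."""
    alerts = []
    for r in requests:
        if (r.src, r.dst) not in comm_map:
            alerts.append(f"{r.src}->{r.dst}: flow not in baseline communication map")
        if r.function in WRITE_FUNCTIONS and r.src not in write_allowlist.get(r.dst, set()):
            alerts.append(f"{r.src}->{r.dst} unit {r.unit_id}: "
                          f"{WRITE_FUNCTIONS[r.function]} (fc {r.function}) from unauthorised host")
    return alerts

def demo():
    """Constructed traffic: an HMI read, a sanctioned engineering write, and a rogue write."""
    plc, hmi, eng, rogue = "10.0.0.50", "10.0.0.10", "10.0.0.20", "10.0.0.99"
    frames = [
        (hmi, plc, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),    # fc 3 read
        (eng, plc, b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),    # fc 6 write
        (rogue, plc, b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x00"),  # fc 6 write
    ]
    comm_map = {(hmi, plc), (eng, plc)}  # learned baseline of who talks to whom
    write_allowlist = {plc: {eng}}       # only the engineering station may write
    return evaluate([parse_modbus_tcp(*f) for f in frames], comm_map, write_allowlist)
```

Running `demo()` yields two alerts, both for the rogue host: an unknown flow and an unauthorised write; the HMI read and the engineering station's write pass silently.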