Group-IB, a global threat hunting and intelligence company, has revealed the results of its years-long development of proprietary high-tech products for threat hunting and research: Threat Intelligence & Attribution and Threat Hunting Framework. Together the solutions form a new smart cybersecurity ecosystem that unites Group-IB’s patented technologies, unveiled at CyberCrimeCon 2020, a global threat hunting and intelligence conference.
Group-IB has become the first company to offer a new type of cybersecurity solution called Threat Intelligence & Attribution. The system is designed to create and customize a cyber threat map for a specific company, correlate individual cybersecurity events in real time, and attribute attacks to a particular threat actor. It embodies the result of the evolution of Group-IB’s proprietary technologies for threat hunting and research. The creation of TI&A marks the emergence of a new type of solution for collecting data on the threats and attackers relevant to a particular organization, with the aim of examining and proactively hunting for threat actors, conducting research, and protecting network infrastructure. Currently, there are no analogues to TI&A on the international market.
Yet another innovation presented by Group-IB is Threat Hunting Framework – a system for IT and OT networks that protects against unknown threats and targeted attacks, hunts for threats both within and outside the protected organization’s perimeter, and helps investigate and respond to cybersecurity incidents and minimize their impact.
According to Hi-Tech Crime Trends 2020-2021, a report that provides an analysis of high-tech crimes worldwide, the merging of various cybercrime segments has led to the appearance of new threats and, as a result, to increased damage from attacks. Analysts’ most conservative estimates suggest that the overall damage to companies in 45 countries caused by known ransomware incidents amounts to over $1 billion. The market for selling access to compromised corporate infrastructures has grown at an explosive pace: in one year it has increased four-fold, reaching $6,189,388. The number of sellers has jumped to 63, with both cybercriminals and state-sponsored actors among them. Compared to the previous period, the size of the carding market, which is connected with the theft of bank card data, has grown by 116%, nearing $2 billion. In the face of these challenges, public and private sector companies have to reevaluate their cybersecurity strategies and focus on hunting the threats relevant to their specific industry.
Today, Group-IB presented the result of the evolution of its proprietary high-tech crime investigation and cyberattack prevention product line, which includes two innovative solutions: Threat Hunting Framework (THF) and Threat Intelligence & Attribution (TI&A). These complex engineering systems are connected to each other and brought together in a single smart ecosystem capable of automatically halting targeted attacks against organizations. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. It is based on patented technologies developed by Group-IB’s analysts and engineering teams.
Group-IB currently has 33 patents (including 6 in the United States, 5 in the Netherlands, 4 in Singapore, and elsewhere). All of them were issued for the technologies lying at the heart of TI&A, THF and the company’s other innovative products. In addition, Group-IB has 55 patent applications (14 in the United States, 5 in the Netherlands, 12 in Singapore, and 24 more internationally).
“The dynamic of cybercrime is signaling to the market that companies should be able to prevent most threats automatically, but this is not enough,” says Group-IB CTO Dmitry Volkov. “Smart threat actors with money and resources will eventually learn to bypass any automated detection system. You need to prepare for that by building your experience in hunting for threats using tools customized to this task. In this fight, blocking will not help: tomorrow you will be attacked based on how you stop the threat today. Hunting for threats is an ongoing process based on the ability to handle huge amounts of internal and external data lakes, ranging from system events and traffic metadata to domains, hosts, and hacker groups’ profiles. To be able to work with this data means to be a professional threat hunter. This is the future of cybersecurity.”
Group-IB’s team of engineers bases its development of cybersecurity technologies on several principles. Firstly, detection systems and algorithms have to be adversary-centric: cybersecurity experts should receive alerts with either a clear technical justification or the full intelligence context of a given threat: who the attackers are, what their motivation is, what their tactics are, and which IOCs and TTPs are expected in further attacks. When possible, a solution has to block threats immediately, but detection and blocking are not enough. They are only the beginning of building effective security systems.
Secondly, the enrichment process has to be fully automated and should provide as much context related to IOCs and TTPs as possible. To achieve that, an analysis engine must go beyond simple threat detection: it is crucial to extract and fully detonate discovered payloads in a safe, isolated environment, harvesting indicators of compromise that support subsequent threat hunting. Thirdly, threat hunting is a crucial process of proactively searching for what could have been missed in the past and might be missed in the future.
Detection is never enough
Group-IB Threat Hunting Framework (THF) is an all-in-one solution for IT and OT networks that detects unknown threats and targeted attacks, hunts for threats both within and beyond the protected perimeter, and helps investigate and respond to cybersecurity incidents. The fact that Group-IB Threat Hunting Framework serves as a single cybersecurity solution and unites standards for two different network segments is an innovation in the cybersecurity market that changes the rules inside the industry.
The new product’s key goals are the detection of previously unknown threats and targeted attacks, the containment of detected threats, and the automation of tools for identifying links between threats both inside and outside the protected perimeter. THF has a patented malware detonation technology that goes beyond traditional sandboxing and sets new industry standards for file analysis solutions, as well as an innovative endpoint module for real-time host protection and malicious behavior detection with a unique patented server-side classifier. The Threat Hunting Framework architecture has several main modules, each innovative in its nature, whose functionality goes beyond the existing product categories and defines entirely new types of cybersecurity solutions.
THF Sensor is designed to identify threats at the network level through in-depth analysis of network traffic. The solution identifies threats and infected hosts by analyzing network traffic, protecting not only the IT segment of the network but also the OT network with the help of its Sensor Industrial module. The module keeps the integrity of ICS software under control by analyzing industrial protocols, protects corporate networks comprehensively, and detects threats with its high-performance AI-driven classifier.
Another Group-IB innovation is THF Polygon, a platform designed to detonate malware. It detects threats by performing behavior analysis of emails, files, and links, and runs malware in an isolated environment. Fully detonating discovered payloads and extracting all related IOCs and artifacts is crucial for attributing attacks.
Email remains a key vector of initial compromise for cybercriminals, and this problem affects businesses of any size. In response to this threat, Group-IB presented for the first time its cloud-based solution for the prevention of all types of email attacks: Atmosphere. Atmosphere aims to make cutting-edge technologies for detecting email threats affordable and easy to deploy, while keeping the technology part of Threat Hunting Framework and offering not only high-quality email filtering but also the rest of THF’s advantages: malware detonation, attack attribution, and integration with other modules of the ecosystem.
For the first time, Group-IB has introduced a solution for protecting end hosts: Huntpoint. This module creates a complete timeline of events on the host, which is available both in real time and retrospectively, detects abnormal behavior, and blocks malicious files. What is more, it isolates hosts from the network and collects forensic data for further research.
The Huntbox module is responsible for fully automated analysis and correlation of network events. This module provides a full picture of threats within and beyond an organization’s network, helping to hunt for threats and identify malicious activity targeting the company. Group-IB Threat Hunting Framework capabilities are enhanced by the Decryptor module, which is designed to decrypt TLS/SSL traffic in the protected infrastructure.
Group-IB provides access to its internal tools for tracking hackers
Threat Intelligence & Attribution, one of the most heavily loaded Group-IB systems (it handles petabytes of data on adversaries and their tools and infrastructure), has leaped forward. Today, TI&A marks the creation of a new type of solution for collecting data on the threats and attackers relevant to a specific organization. It helps analyze adversaries and their tools in order to proactively hunt for criminal groups and protect network infrastructure.
TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide to enrich all other Group-IB products with data for hunting for attackers and threats. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. The extensive functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country.
TI&A takes an adversary-centric approach to threat protection. The idea behind the system is that it hunts not only for threats but also for the adversaries behind them. The data lakes operated by the system help quickly link attacks to specific groups or even individuals. TI&A helps promptly analyze and attribute the threats a company faces, and detect leaks, insiders, and compromised user accounts. Moreover, it identifies insiders who sell company data on underground resources and detects and thwarts attacks targeting companies and their customers, regardless of industry.
The launch of TI&A on the market provides access to Group-IB’s internal tools, which were previously used only by Group-IB’s DFIR, threat hunting, and cyber threat intelligence teams. Every specialist who uses TI&A now has access to the largest collection of dark web data, an advanced hacker group profiling model, and a fully automated graph analysis tool that helps correlate data and attribute threats to specific criminal groups in seconds.
As such, TI&A makes it possible to detect attacks overlooked by common cyber defense tools. It helps understand how advanced adversaries behave and whether the protected infrastructure can counteract them. This approach helps motivate and improve internal cybersecurity teams as well as enhance their capabilities through an in-depth insight into threats targeting their organizations.
TI&A is a complex engineering system developed by Group-IB and integrated into a smart technological ecosystem that is capable of automatically halting targeted attacks on organizations. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents.