THREAT HUNTING WITH MENDEL

“Threat hunting,” or “cyber threat hunting” is the process of proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools and is done by a threat hunter or security analyst. It is essential for network security because it works to identify hidden threats within an existing set of network data.

Threat hunting utilizes manual techniques from the threat hunter and machine-assisted techniques, the combination of which aims to find Tactics, Techniques, and Procedures (TTPs) of advanced adversaries. While this methodology is both time-tested and effective, it is also time consuming, and can sometimes miss important clues in mountains of network data. In the article below, we will discuss not only what threat hunting is, but also how it can be made more efficient through the use of modern tools.

Download the article here.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

GREYCORTEX MENDEL DETECTS BADRABBIT

GREYCORTEX is happy to report that it is able to detect the BadRabbit ransomware. This ransomware appeared in Eastern Europe (Russia, Ukraine) but has begun to spread across several countries including South Korea, Poland, the Baltic, and regions. It uses an NSA-based exploit known as “EternalRomance” to enter networks and spreads by SMB port.

MENDEL is able to detect this ransomware in two different ways:

  • MENDEL’s integrated ruleset includes a rule specifically detecting the BadRabbit ransomware.
  • Independent from this IDS rule, MENDEL’s advanced artificial intelligence and machine learning detects the ransomware’s anomalous port sweep activity.

This detection capability demonstrates that MENDEL can identify unknown threats before rules are created in rules-based security tools. MENDEL provides network security teams vital extra time to protect their networks.

 

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

MENDEL: SECURITY AND VISIBILITY IN NETWORK MANAGEMENT

Network management is a stressful proposition, comprising not only the administration of the network, but also maintaining its performance, provisioning devices, etc. With the number of devices in a network growing – due in part to IoT within the office and BYOD which come and go frequently, and the risks of advanced persistent malware, the stress is only increasing.

Luckily, GREYCORTEX MENDEL helps reduce the stress of network administration. According to recent studies, 76% of IT Professionals cite lack of visibility as a challenge in addressing issues in their networks. MENDEL offers full network visibility, up to, and including the application layer, without profiling a specific subnet or host. This means that whenever a new device enters the network, or a subnet or host is moved, identifying vulnerabilities or reconnecting appropriate devices is easy to accomplish.

MENDEL also helps network administrators improve their security, especially against advanced threats hiding within a network. It is common to use firewalls, antivirus, but also SIEMs, IPS, sandboxes, etc to protect a network. These various solutions all overlap for layered security, but each can be defeated.

Currently it takes 46 days to detect a network breach. MENDEL steps into these gaps by identifying anomalous network traffic activity, differentiating between human and machine activity, and integrating robust IDS rulesets to identify threats before they can do damage – often within hours. In some cases, like the recent WannaCry ransomware attack, MENDEL was able to identify the attack in a matter of minutes, well before it could start encrypting files.

MENDEL is based on machine learning and big data analysis. It installs in 30 minutes and can be configured in under two hours. It monitors networks using network traffic analysis without slowing traffic. Because deployment is painless, and network speed is preserved, a risk free 30 day trial is truly “risk free.” To find out more about MENDEL, or to see what may be hiding in your network from a 30 day trial, contact your local distributor or GREYCORTEX directly.

 

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

“TALES FROM THE MALWARE LAB” IS LIVE!

Following the success of our video describing the WannaCry ransomware, we are happy to announce an ongoing series of YouTube videos: “Tales from the Malware Lab – Powered by GREYCORTEX.” In it, we will leverage our in-house malware lab, complete with the latest version of GREYCORTEX MENDEL to provide useful information about emerging network security threats in an easy-to-follow visual format.

 The videos will provide an overview of each threat’s activity within the network, and visualize these attacks from the network traffic analysis standpoint. We are releasing these videos as a public service to the greater network security community, which will benefit from this video-based approach to malware.

 The first video, addressing the “EternalRocks” malware, is available here: https://youtu.be/vI1lRi5e-SM


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.

GREYCORTEX IN CYBER DEFENSE MAGAZINE

Martin Korec’s article “Integration May Answer Questions in Machine Intelligence” has been published in the most recent edition of Cyber Defense Magazine’s “Cyberwarnings Newsletter.” A .pdf of the issue is available here. We have included the full article below.

Integration May Answer Questions in Machine Intelligence

 

Introduction

You are probably familiar with terms “Artificial Intelligence” and “Machine Learning,” i.e. the idea that computers can be taught to learn, and then make predictions based on the data they are given. Artificial Intelligence/Machine learning tools present huge opportunities in many areas, especially in cyber security. The UK government considers it technology which is the engine of the digital revolution. But, some are skeptical. Gartner put Machine Learning (a subset of Artificial Intelligence) at the “Peak of Inflated Expectations” in its 2015 Hype Cycle. Simon Crosby of Bromium considers these tools to be a “pipe dream.”

What Are Artificial Intelligence and Machine Learning?

Machine Learning is a subset of Artificial Intelligence, and both address the capability of machines to be taught to make predictions based on “learned” data. Both are popular terms in marketing materials, and are often confused. Deloitte has decided that a better term is “Machine Intelligence” – describing it as “an umbrella term for a collection of advances representing a new cognitive era. We are talking here about a number of cognitive tools that have evolved rapidly in recent years: machine learning, deep learning, advanced cognitive analytics, robotics process automation, and bots, to name a few.” We’ll use Machine Intelligence here (partly because “Artificial Learning” didn’t work as well) to mean the use of data analytic/predictive tools in the network security context.

The Benefits of Machine Intelligence

The essential benefit in Machine Intelligence is that it can take truly massive amounts of data, analyze it in real time, and identify anomalous or malicious behaviors invisible to manual review, or which would not be accurately identified through static detection rulesets (which are also a hassle to set up). Of course, the more data a Machine Intelligence solution has, the more effectively it can do its job. Some have claimed prediction can be improved by over 90%. If the solution has limited data from only Netflow, it is limited in its effectiveness. If input data comes from the every layer of the network, then it can identify anomalies at each layer, and each device within each layer. This means the Machine Intelligence solution identifies behavior – like advanced persistent threats or insider attacks – that may be limited or very well hidden among massive volumes of network traffic, and which would be missed by a security team pre-programming logic in SIEM systems, even well thought-out ones (a limitation of SIEM systems), or working with an IDS ruleset alone.

Some Claim Machine Intelligence has Drawbacks

Advanced analytics have been around for 20 years or more, there must be something wrong with them, or we’d all be using them. Right? Naturally, as with anything created by humans, Machine Intelligence solutions can be defeated by other humans. However, there are several existing approaches, including classification algorithms, proven to successfully mimic security analyst behavior which can be used in design and testing to avoid defeat by new threat samples. A second criticism of Machine Intelligence solutions is that they are not “plug and play,” e.g. that they need analyst time to filter out false positives/e.g teach the system what is a threat and what isn’t. Failure to do so leads to excessive false positives and alert fatigue. Alert fatigue is a problem. A recent article suggests that over half of security professionals are missing alerts they should address. However, MIT research indicates that human/Machine Intelligence collaboration is actually beneficial and can reduce false positives by close to 85%. Furthermore, while Machine Intelligence solutions may not be “plug and play,” their implementation time is much lower as compared to SIEM systems (hours vs. months) and training the machine on false positives requires a very small actual time commitment (minutes a day).

Bringing Solutions Together

Is it possible to have the benefits of Machine Intelligence technology, but minimize the hassles? Is it possible to use Machine Intelligence in such a way that this technology is used for truly advanced analysis, reducing false positives and saving the security team’s time? Integrating several features/technology types into one solution mitigates several issues with Machine Intelligence technology, and creates a more efficient system. Specifically, integrating with IDS rules and network performance monitoring is an efficient means of improving network security by joining complimentary features and data sets.

Advantages

In such an integration, detection is more effective and false positives are reduced. Less time training the system is required, and information that is “trained” starts from a more accurate position.

Integration with an IDS ruleset specifically brings two benefits: The first is that the IDS, a list of existing rules and known signatures, helps the Machine Intelligence tools function more efficiently, by determining early in the data analysis that certain traffic matches known malicious code or patterns, creating a deeper chance for analysis of events that do not trigger an IDS alert. Secondly, this type of integration has the added benefit of identifying for the Machine Intelligence tools what particular viruses/malware/trojans, etc, look like. This means that the predictive analysis tools have more, and more accurate data upon which to build their analysis. This data is also available much more quickly than if the solution was completely self-educating, or assisted only by the security team.
This also applies to adding a performance monitoring capability. A more informed and more efficient Machine Intelligence solution exists because traffic data is integrated to help it spot things like too many communication partners, services which haven’t been used before, exceptional netw
ork application delays, changed MAC addresses, or new devices or services in the network.
Integration also benefits the security team, because integrated IDS data increases efficiency. Not only does the team spend less time training the system (see above) but it also means more accurate results, resulting in less risk of alert fatigue. Alerts that actually matter are less likely to be missed as a result of the process.
In summary, Machine Intelligence technology, despite what its detractors suggest, is here to stay. Though all providers may not be using its full capabilities, its potential is too great, and its benefits in terms of detection of advanced threats too tangible for it to be given up. But, it can be improved. An integrated approach; featuring several different types of input and analysis helps to streamline Machine Intelligence data analysis, making it more effective and improves the functionality of the integrated tools. This means more effective and more efficient network security, and more family time for security analysts.


About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About GREYCORTEX
GREYCORTEX uses advanced artificial intelligence, machine learning, and data mining methods to help organizations make their IT operations secure and reliable.

MENDEL, GREYCORTEX’s network traffic analysis solution, helps corporations, governments, and the critical infrastructure sector protect their futures by detecting cyber threats to sensitive data, networks, trade secrets, and reputations, which other network security products miss.

MENDEL is based on 10 years of extensive academic research and is designed using the same technology which was successful in four US-based NIST Challenges.