Threat Hunting

When an AI-based antivirus is no longer sufficient…

Threat Hunting?

Fortunately, at the time of writing, we cannot yet speak of war in our country. Or can we? That depends on your definition of “war.” Even within our region, companies are under constant attack. Hackers from all over the world have free access to not only our public IP addresses, but they can also send mail to any of us. You don’t even have to distinguish between personal or business related mails.

The intention of these hackers is usually to make money, but sometimes there is also a political motive behind it. It is very difficult to find this out, let alone prove it. The type of company and the consequences can raise some suspicions though.

Regardless of what they have in mind, the consequences are rarely minuscule.  

That is why we have all kinds of shields set up such as firewalls, email security and endpoint protection. The weakness of humans is exploited to gain themselves an access to the computer – with the network connected to it – through a backdoor. If you can’t count on the alertness of that user, how can you count on him or her to report his or her mis-click?

What we are looking for is a kind of camera system that detects and records every movement in the network. By making correlations between different actions, suspicious patterns can be recognized.

Something more technical… 

Mitre [email protected] is an American organization that closely monitors and maps the actions of hackers. An attack technique is a combination of various – in itself seemingly harmless – commands, most of which are also used by sysadmins.

Before encrypting an entire network, hackers search their way around a network, map out where the backups are, which servers are important and so on. Between the initial contact and the effective encryption, days, weeks and sometimes months go by. The key is to detect the hacker before the encryption happens but also before he had a chance to upload data.

EDR / XDR

The detection of these techniques, usually takes place in an EDR or XDR product. (Endpoint/eXtended Detection and Response) This piece of software that is sometimes an extension of an existing endpoint protection or sometimes an entirely separate product, acts as a kind of probe that stores every activity in an on-computer and/or cloud based database. The latter is usually called datalake. Depending on the product, you can immediately and automatically assign actions to certain triggers or you can program queries to generate alarms.

When comparing these products you will see that some AI based endpoint protection software can block multiple actions even before EDR has had to catch them. When we talk about the term XDR, we see that the interpretation can also be different.

Managed EDR

Suppose the system makes a detection that is almost certainly related to the presence of a hacker, then the desire is to remove this hacker from the network. The EDR tools will block the activity whether or not the hacker logs off, however, that does not guarantee that the hacker has not already installed loopholes. The hacker might have realized he was caught and accelerated the encryption process. Consequently, quick action in defense is appropriate. It is not obvious for everyone to free up the necessary resources at any time of the day or on weekends.

The technical teams of the involved vendors are trained for this and are ready 24×7 to carry out the effective countermeasures. We speak here of MDR, Guard or whatever the vendor wishes to use as a name for the service.

In 2019, Blackberry made the strategic move by acquiring Cylance, an AI company specializing in recognizing 0-day malware. Their technology excels in speed and efficiency. Their EDR/XDR story listens to the name Optics and is capable of detecting and immediately blocking hacker movements. With Blackberry Guard, a team from Blackberry will assist you 24 x 7 in the search for hackers.

In 2015, Surfright – the company behind Hitman Pro – was acquired by Sophos. Soon Sophos emerged as one of the most progressive players in the endpoint protection market and excels in Gartner’s leaders quadrant. With the addition of XDR, you can start a scavenger hunt through the history of movements in the network. No hacker can stay under the radar. With the addition of MDR (Managed Detection and Response) Sophos keeps an eye on your network 24 x 7.

Why choose Kappa Data?

Technical Expertise

Kappa data supports resellers and customers with extensive technical knowledge, training and guidance. Our certified technical and presales teams are always there for you!

Personal touch

At Kappa Data, you will enjoy a particularly personal and professional approach, from quick quotes to demos and customer-friendly service with your regular contacts. We are there for you.

Excellent service

Kappa Data is a value-added distributor that thinks along with you in a solution-oriented manner. We always ensure a good relationship between all parties and mediate where necessary in case of conflicts.

What our customers say

A trusted partner for over 20 years

Snijders Compuservice, Jef Snijders

Onze partners

Sorry, no posts matched your criteria.