By Brian Soldato
Organizations are being attacked daily by experienced and well-funded adversaries who are able to rapidly transform their methods to mask their activities. Known exploits along with malicious payloads are being used over and over again with only minor modifications to bypass even the best perimeter and endpoint solutions.
It’s no longer enough just to examine, analyze, and respond to network traffic, or just to isolate a subset of traffic on the endpoint—attacks are evolving, and security solutions are missing them. What a security solution doesn’t see, it doesn’t log, which leaves the organization blind to attacks.
Organizations must constantly “tune” their defenses and prepare for the future based on the threat intelligence available to them.
In particular, an organization must be able to collect all known and unknown exploits along with their malicious payloads to enable automated incident response readiness. Furthermore, those exploits and payloads must be used to determine crucial indicators of attack (IOAs) that are specific to its environment. This allows the organization to unlock its SOC team’s ability to update signatures against known and zero-day threats before the threats are detected by any security solution vendor.
Every day, the CAWS Cyber Threat Protection Platform crawls hundreds of thousands of URLs and files from a geographically distributed harness. Customers can also submit their own URLs and files to be crawled and harvested. Once CAWS finds an exploit and/or payload, the exploit/payload is harvested for validation against a virtual copy of the organization’s infrastructure. This allows for threat intelligence that is specific to the organization, saving time and avoiding false positives.
Since the CAWS Cyber Threat Protection Platform harvests the exploits and payloads as part of its process, the PCAP, SAZ, shellcode, hashes, and much more are available to the organization for further analysis and threat hunting. The Cyber Threat Impact (CTI) product, powered by the CAWS 2.2 Cyber Threat Protection Platform, will now provide full malware classification along with static analysis of any payload found. The following are some of the high-level items provided in the analysis:

- Malware family name
- Reputation of the payload (suspicious or not)
- First seen and last seen dates
- AV detections, including regular updates and a historical perspective
- Full threat analysis, including where the threat may live in memory, how it propagates, and related URLs, hashes, and exploits
And CAWS CTI doesn’t stop there. The difficult work of parsing out IOAs is automated and available immediately. Such IOAs can be consumed via the REST API, which allows for automated threat mitigation with endpoint detection and response technology. This will help organizations protect against threats through new signatures, adjustments to behavioral algorithms, and even patching.
NSS Labs CAWS provides the world’s largest commercially available private exploit and payload repository, which provides customers with the most up-to-date and precise contextual threat intel available for advanced threat hunting. The platform integrates seamlessly with other solutions, such as SIEM, threat analytics platforms, endpoint, and incident response platforms, allowing you to correlate and hunt threats and reducing the likelihood of a successful cyberattack.
For more information or to schedule a demo, please visit: www.nsslabs.com
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.