Basis Technology Cyber Triage

Problems that it solves

Shortage of in-house software developers

Shortage of in-house IT resources

Shortage of in-house IT engineers

High costs of IT personnel

Values

Enhance Staff Productivity

Reduce Costs

Accelerate Incident Response with Automation

Description

Start the Endpoint Investigation

Because it integrates directly with security orchestration, automation, and response (SOAR) and security information and event management (SIEM) systems, Cyber Triage can start an investigation automatically from an alert or from an analyst-initiated workbook. Requirements and integrations:
  • Integration with SOARs/SIEMs requires the Team version of Cyber Triage, which includes a REST API
  • Cyber Triage integrates with Demisto, DFLabs, IBM QRadar SIEM, IBM Resilient, Phantom, Splunk, Swimlane, and more
  • If we don’t currently support the integration you need, reach out; we can add the needed integration to our roadmap
Get Data From the Endpoint

Cyber Triage’s targeted collection approach saves time because it copies the most important data from the system in one step and does not require the user to make a forensic image of the entire drive. Collection tool properties:
  • Runs on all versions of Microsoft Windows (XP and newer)
  • Requires no installation on target systems; it is pushed to live systems as needed or can run directly from a USB drive
  • Contained in a single executable, which makes it easy to deploy
  • Analyzes disk images in raw or E01 formats
  • Uses The Sleuth Kit® forensics library, which makes collection less vulnerable to typical rootkits and does not modify file access times
Collected data:
  • Volatile data (including running processes, open ports, logged-in users, active network connections, and DNS cache)
  • Malware persistence mechanisms, including startup items and scheduled tasks
  • User activity, including what programs they ran, web activity, and logins
  • File content from suspicious files
  • File metadata from all files on the system
Identify Bad and Suspicious Items

After data is collected from the target system, Cyber Triage automatically looks for the evidence that an experienced responder would search for first: anomalous data and data similar to past incidents. Each collected item is assigned a score based on its risk, and bad and suspicious items are shown to the user. Automated analysis techniques will find:
  • Files with malware based on results from multiple ReversingLabs engines
  • Known bad files and other items based on IOCs and blacklists
  • Startup programs, services, or drivers in uncommon locations or that are not signed
  • User accounts with abnormal behaviors and failed logins
  • Known good operating system and application files, identified by MD5 hash values and the NIST NSRL, which are then ignored; this reduces the amount of data that needs to be analyzed and reviewed
  • Encrypted archive files that could be from data exfiltration
Enables Analysts to Make Decisions

Every host is different because each user has different usage patterns and technical expertise. When responding to an incident, responders need to make decisions about each host, and Cyber Triage helps them make those decisions. Cyber Triage helps by:
  • Having a built-in intrusion forensics workflow that allows users to quickly see what items are suspicious and mark items as suspicious
  • Allowing the user to pivot between correlated data types; they can start with a process and quickly see its network connections and remote host information, or look at the process’s executable file or how it started
  • Showing the current timeline of bad items; when an item is marked bad in the investigation workflow, it is shown in a small timeline, making it easy to compare a suspicious item with other bad items
  • Providing a full timeline of system activity, which allows the user to see what happened before and after a given event; this makes it easier to find related activities and put context around a suspicious event
  • Giving the user a file explorer view to see what else is in the suspicious file folder
  • Showing how common or rare an item is based on how often it was found in previous sessions
Find Other Hosts

The host that you are analyzing could be the tip of an iceberg. Once you have one piece of evidence, it can be useful to start scoping the scale of the incident across other hosts. Cyber Triage helps scope an incident by:
  • Queueing up a set of hosts that need data collecting and analyzing
  • Adding the hosts to the same “incident grouping,” which allows the user to correlate among them
  • Marking items as bad on every host in the incident when they are marked as bad on one of them