Group-IB Threat Hunting Framework (formerly Threat Detection Service, TDS)

Product
Developers: F.A.C.C.T. (formerly Group-IB in Russia)
Last Release Date: 2020/11/26
Technology: Information Security - Antiviruses, Information Security - Antispam, Information Security - Firewalls, Information Security - Security Information and Event Management (SIEM)

Threat Hunting Framework (formerly Group-IB Threat Detection Service, Bot-trek Threat Detection Service (TDS)) is a comprehensive solution for protecting against complex cyber threats based on technologies to track cybercriminals, their tools and infrastructure.

2023: FSTEC halts F.A.C.C.T. software certificates for CII

On December 18, 2023, it became known that the security software systems of the Russian company F.A.C.C.T. (the former division of Group-IB in the Russian Federation) may lose their certificates from the Federal Service for Technical and Export Control (FSTEC). As a result, the use of these products at critical information infrastructure (CII) facilities in Russia would become impossible. Read more here.

2021

As part of the solution for the protection of CII facilities

On July 6, 2021, Group-IB announced the signing of a cooperation agreement with the industrial holding of ROTEK JSC to ensure technological and cybersecurity of critical infrastructure facilities.

Within the framework of the cooperation, all of the customers' technological risks associated with accident prevention are covered by the ROTEK - PRANA software and hardware complex, while Group-IB's Threat Hunting Framework Industrial provides comprehensive protection of all enterprise segments from complex cyber attacks of every kind, both from state-sponsored hacker groups and from financially motivated cybercrime.

The ROTEK - PRANA software and hardware complex has already been used in the fuel and energy complex: more than 3000 accidents are registered annually at the generation facilities of the unified energy system, of which more than 45% are on turbine and boiler equipment.

A few hours of forced downtime caused by an accident or a cyber attack can cost a company tens of millions of rubles. The joint solution will allow process control (APCS) and information security specialists to monitor equipment and take measures in advance to prevent incidents caused both by operational wear and tear of equipment and by cyber attacks.

How the Group-IB Threat Hunting Framework works

In April 2021, Group-IB told TAdviser how the Group-IB Threat Hunting Framework, a system for protecting against complex targeted attacks and for proactive threat hunting inside and outside the company's network perimeter, works. Read more here.

As part of a joint cyber threat protection service with Credo-S

On February 19, 2021, Group-IB, an international company specializing in preventing cyber attacks, and the Russian system integrator CREDO-S launched a service for detecting previously unknown threats and targeted attacks in the Security as a Service (SECaaS) format. Its technological basis is the Threat Hunting Framework (THF), a Group-IB solution that provides protection against a wide range of threats, including ransomware, exploits, banking Trojans, spyware, backdoors, malicious scripts and covert data channels, both inside and outside the protected perimeter. Within the framework of the MSSP (Managed Security Service Provider) partner program, CREDO-S and Group-IB will provide two lines of round-the-clock support and cyber incident response for the integrator's clients. Read more here.

2020

Based on a joint cloud "Cyber Threat Protection Service" with VimpelCom

On December 16, 2020, Group-IB, an international company specializing in the prevention of cyber attacks, announced that, together with Beeline Business (a structural unit of PJSC VimpelCom), it had launched the Cyber Threat Protection Service, a cloud cyber threat protection service for the operator's customers from the medium and large business segment. The service is based on the comprehensive Group-IB Threat Hunting Framework solution. Read more here.

Bringing the Threat Hunting Framework to Market

On November 26, 2020, Group-IB, an international company specializing in preventing cyber attacks, unveiled two classes of solutions for investigating cyber threats and hunting attackers: Threat Intelligence & Attribution and Threat Hunting Framework. The Group-IB smart ecosystem, which combines the company's proprietary cybersecurity technologies, was first presented at the CyberCrimeCon 2020 international conference.

The first premiere of this class was the comprehensive Threat Hunting Framework, designed to protect IT and technology networks from previously unknown threats and targeted attacks, search for threats both inside and outside the network, as well as investigate cybersecurity incidents and immediately respond to them in order to minimize consequences.

TI&A can flexibly build a threat map for a specific company, dynamically linking disparate events and attributing an attack to a specific hacker group. The launch of TI&A opens a distinct class of solutions for collecting data on threats and attackers relevant to a particular organization, with the aim of research, proactive hunting for attackers and protection of network infrastructure.

According to the Hi-Tech Crime Trends 2020-2021 analytical report on high-tech crime worldwide, the merging of different layers of the cybercriminal underground has produced threats that have increased the damage from attacks. By the most conservative analyst estimates, the total damage to companies in 45 countries from publicly known ransomware attacks exceeded $1 billion. The market for selling access to compromised corporate infrastructure grew explosively: over the year it increased 4 times and reached $6,189,388. The number of "sellers" rose to 63, among them both representatives of cybercrime and state-sponsored attackers. The volume of the carding market, associated with the theft of bank card data, increased by 116% compared to the previous period and came close to $2 billion. Under these conditions, the commercial sector and state-owned enterprises are forced to reassess their defense strategies, with an emphasis on hunting for the threats relevant to their field of activity.

Group-IB's engineering developments, the high-tech crime investigation and cyber attack prevention products Threat Hunting Framework and Threat Intelligence & Attribution, are integrated with each other into a "smart" technology ecosystem capable of fully automating the stopping of targeted attacks on an organization, while giving the security team tools to connect disparate events around an attack, attribute the threat, analyze malware and respond to incidents. They are based on patented technologies and inventions of Group-IB's engineering teams and analysts.

As of November 2020, Group-IB has 33 patents (6 - USA, 5 - Netherlands, 4 - Singapore, the rest - Russia). All of them are issued for technological inventions, which form the basis of TI&A, THF and other innovative products of the company. In addition, Group-IB has 55 applications (14 - USA, 5 - Netherlands, 12 - Singapore, 10 - international, 14 - Russia).

"The dynamics of the development of cybercrime signal to the market that you should be able to repel the bulk of threats automatically, but this is not enough," comments Dmitry Volkov, CTO of Group-IB. "Attackers with money, intelligence and resources will eventually learn to bypass any automated detection system. You need to be prepared for this, building up threat hunting experience with the help of tools "sharpened" for this. In this struggle, a simple lockdown is unacceptable: tomorrow you are attacked taking into account how you stopped the threat today. Hunting is a constant process built on the ability to use huge amounts of data, ranging from system events and traffic metadata to domains, hosts and profiles of attacking groups. To be able to work with this means to have the profession of "threat hunter", a hunter for cyber threats and hackers. This is the future of cybersecurity."

The Group-IB engineering team is guided by several principles when creating technologies. First, the detection systems and algorithms should "know" the attackers, and cybersecurity specialists should receive either a high-quality technical justification or a full intelligence context about the threat: who attacks, what motivates the attackers, what their tactics are, what tools are used and what will potentially be used in further attack attempts. The security system should detect and immediately block threats, but this is not enough: for a working cybersecurity strategy, detection is only the beginning of the work.

Second, the enrichment of data by protection systems should be automated. To do this, the analysis mechanism goes beyond simple threat detection: it is essential to extract malicious code and run it to completion in a secure isolated environment, harvesting a "crop" of indicators that will help further hunt for threats on the network. Third, hunting replaces plain threat searching in order to find something that may have been missed in the past and could potentially be exploited by attackers in the future.

Group-IB Threat Hunting Framework is a solution for unified protection of the entire enterprise: from traditional IT segments to workplaces of remote employees and technological segments (OT-networks) of production enterprises.

The key tasks of the product are to detect previously unknown threats and targeted attacks, block detected threats and provide automated tools for detecting related threats both inside and outside the secure perimeter, as well as investigating and responding to cybersecurity incidents. The Threat Hunting Framework architecture includes several main functional modules, each of which carries a number of innovations and in its functionality goes beyond the existing product categories, essentially defining fundamentally different types of cyberattack protection tools.

Sensor is used to identify threats at the network level through deep analysis of network traffic, with support for hundreds of network protocols. It detects threats and infected nodes by analyzing network traffic and protects not only traditional IT segments but also industrial networks through Sensor Industrial, which monitors the integrity of the software and firmware of APCS nodes by analyzing industrial protocols, and provides comprehensive network protection, detecting threats with flexibly configurable policies and a dedicated machine-learning classifier.

Another Group-IB innovation is Polygon's patented malicious code "detonation" technology, which sets industry standards for file analysis. It detects threats through behavioral analysis of emails, files and link content and launches malicious code in an isolated environment, forcing it to "detonate", i.e. to execute as completely as possible, which yields enriched attack indicators and allows the detected threat to be attributed.

Email remains the key channel for cybercriminals' initial penetration into corporate networks, a problem that affects businesses of any scale. In response to this challenge, Group-IB introduced Atmosphere, a cloud email protection solution whose main goal is to make advanced email threat detection technologies accessible and easy to deploy, while keeping the technology itself part of the Threat Hunting Framework. It thus provides not only high-quality filtering of malicious emails, but also all the other advantages of the THF platform: complete detonation of malicious code, attribution of attacks and integration with the other modules of the ecosystem.

Group-IB also introduced Huntpoint, an innovative protection for user workstations. This module captures the complete chronology of events on an employee's computer and makes it available both for real-time monitoring and retrospectively, providing anomalous behavior detection, blocking of malicious files, instant isolation of attacked hosts and collection of forensically relevant data for further investigation.

Huntbox is responsible for fully automated analysis and correlation of events in the network. This module provides a complete picture of what is happening inside and outside the network, helping to proactively hunt for threats and identify the actions of attacking groups aimed specifically at the company. The capabilities of the comprehensive Group-IB Threat Hunting Framework are further strengthened by the Decryptor module for TLS/SSL traffic decryption in the protected infrastructure, including support for the Russian GOST encryption protocols.

Read more about Threat Intelligence & Attribution (TI&A) in this product article.

2019: Challenges to be solved. Architecture. Features

According to information for July 2019, Group-IB TDS provides a solution to key information security problems:

Flexible Settings and Integration Schemes

  • at the client's choice, the solution can be installed in monitoring mode or in threat blocking mode
  • for critical and special objects and compliance, all data can remain inside the perimeter
  • for small and medium-sized businesses, Group-IB experts will help you install and configure the solution as soon as possible
  • for large businesses and network infrastructures that require complex architectural solutions, the Group-IB team develops customized integration schemes that take into account the specifics of the client and the industry

Architecture

Architecturally, the solution consists of the following elements:

  • TDS Sensor - analyzes network traffic, detects infections, extracts malicious links and files for analysis in TDS Polygon. By analyzing incoming and outgoing data packets, the sensor detects the interaction of infected devices with command centers, general network anomalies and unusual behavior of devices. For analysis, the sensor uses signatures and behavioral rules from an exclusive threat data system.
  • TDS Polygon - Sandbox conducts behavioral analysis of objects in an isolated environment to identify previously unknown threats. This module analyzes files received by e-mail, downloaded from the Internet, placed on file storage or downloaded manually by analysts. Files are analyzed before they reach users' computers, which makes it possible to block their delivery and prevent infection.
  • TDS Huntbox - a single platform that manages all components of the complex and analyzes and correlates events. In synergy with the other modules of the solution, it carries out proactive threat detection (Threat Hunting), centralized remote incident response, automatic collection of forensic data, retrospective analysis and reconstruction of the attack history.
  • TDS Endpoint - a workstation agent (EDR) that collects activity data on hosts to detect abnormal behavior and attacks. The collected data is sent to Huntbox for analysis, decision making and storage. From the single Huntbox interface, an EDR command can also be issued to stop an attack in real time by isolating the host or blocking a malicious process.
  • SOC Group-IB - the specialists of the monitoring center monitor and analyze events, promptly notify the organization's specialists about critical threats by e-mail and phone, as well as give recommendations for their elimination. Support works around the clock, 365 days a year.

Additional features of the Group-IB TDS solution:

  • Convenient web interface: management of all components of the complex from a single window, clear visualization of incidents.
  • Detailed reports: maximum context and deep analysis, visual breakdown by period and by event type.
  • Communications: full Russian-language support; most issues are resolved within 10 minutes.

2018: Release of a joint solution with AMT Group

In January 2018, Group-IB, a company specializing in the prevention of cyber attacks, together with the system integrator and developer AMT Group, announced the launch of a joint solution for ensuring information security and protecting against cyber threats within isolated network segments of large corporations, industrial enterprises, energy industry facilities and financial organizations.

As part of the technology collaboration, the partners integrated the Group-IB Threat Detection System (TDS) with AMT Group's InfoDiode products. Multi-stage load testing, both in the Group-IB laboratory and in "combat" mode on dedicated sections of the company network, confirmed the quality of the joint solution and all of the declared performance and integration indicators. Read more here.

2014: Description of Bot-trek Threat Detection Service

Bot-trek Threat Detection Service (TDS) is a process outsourcing tool for log analysis, event classification, highlighting critical incidents and responding to identified threats.

Bot-trek Threat Detection Service, 2014

The service includes the design of an optimal scheme for connecting sensors to the enterprise network, supply of equipment and advice on installation.

The system provides and supports:

  • sensor administration and prompt signature updates by Group-IB employees
  • manual analysis and classification of detected information security events, highlighting the most important
  • access to the Group-IB SOC web interface for easy handling of identified incidents
  • automatic notifications of detected threats
  • round-the-clock ticketing support and consultation on addressing identified threats

System Operation Diagram, 2014