Dell’s Endpoint Intrusion Detection, Response
Wednesday, March 9, 2016 @ 11:03 AM gHale
Dell SecureWorks launched its Advanced Endpoint Threat Detection (AETD) Red Cloak, a fully-managed software as a service (SaaS) program that should be able to cut the time required to detect and respond to cyber attacks.
Studies have shown attackers can go undiscovered within a victim’s IT infrastructure for months or even years. In one instance, the Dell SecureWorks Incident Response team deployed AETD Red Cloak in a client’s environment and within 48 hours was able to discover attackers had compromised the environment 14 months earlier.
This fully-hosted endpoint security solution uses up-to-the-minute threat intelligence provided by experts from the Counter Threat Unit (CTU) research team.
“Historically, Red Cloak was used by our Incident Response (IR) team when it went out on IR engagements to uncover undetected malicious activity taking place in organizations’ IT environments,” said Aaron Hackworth, senior distinguished engineer with Dell SecureWorks’ CTU team. “However, Red Cloak was so successful in rooting out the threat actors that our Incident Response clients insisted we leave the Red Cloak solution installed in their IT environment to alert them to any future malicious activity. Those successes are what drove us to enhance the solution and make it available to help organizations around the world fight stealthy cyber-attacks.”
The Red Cloak solution works to catch attacks that don’t use malware. Once inside a network, attackers can evade traditional endpoint security controls by leveraging compromised credentials and tools native to the target’s environment, such as remote access services, endpoint management platforms and other legitimate system tools. This tactic was used to gain entry in more than half of the cyber espionage incidents Dell SecureWorks responded to last year.
To give organizations the earliest possible warning of compromise, AETD Red Cloak’s sensors search for forensic evidence of malicious activity while continuously collecting information about what is happening on the device, such as what programs are running, what commands are executed, what network connections are made, thread injection, memory inspection and more. The sensors send the collected data to the Counter Threat Platform, hosted off-premise, where it is analyzed using intelligence from Dell SecureWorks’ CTU researchers to spot attacker behavioral patterns and threat indicators.
The solution blends multiple views of system activity to see beyond static indicators such as IP addresses and domain names and uncovers the behaviors and techniques of cyber adversaries.
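The contrast the article draws between static indicators and behavioral patterns, shown as an added example that is not Red Cloak's code: the same constructed endpoint telemetry is run through an indicator-list check and through a simple behavioral rule (a valid account using a native remote-access tool on a device it has no history with). All hosts, accounts, addresses and the `remote_access` field are assumptions made for the illustration.

```python
"""Static indicator matching versus a behavioral rule over endpoint telemetry.
Added example, not Red Cloak code; every event, host, user and address below
is constructed for illustration."""
from collections import defaultdict

# Constructed "known bad" static indicators (IP addresses / domain names).
IOC_LIST = {"203.0.113.7", "bad.example.invalid"}

# Constructed sensor events: which account ran which program on which device,
# from which remote address, and whether the program is a built-in
# remote-access service (an assumed field, not a real sensor schema).
BASELINE = [  # earlier activity used to learn normal account/device pairs
    {"host": "ws-01", "user": "alice", "proc": "mail", "remote": None, "remote_access": False},
    {"host": "srv-db", "user": "svc_backup", "proc": "backup", "remote": "10.0.0.9", "remote_access": False},
    {"host": "srv-db", "user": "dba", "proc": "remote-shell", "remote": "10.0.0.20", "remote_access": True},
]
RECENT = [
    {"host": "ws-01", "user": "alice", "proc": "browser", "remote": "198.51.100.4", "remote_access": False},
    # Compromised credentials plus a legitimate system tool: no malware is
    # involved and no address here appears on the indicator list.
    {"host": "srv-db", "user": "alice", "proc": "remote-shell", "remote": "10.0.0.44", "remote_access": True},
    {"host": "srv-db", "user": "dba", "proc": "remote-shell", "remote": "10.0.0.20", "remote_access": True},
]

def static_indicator_hits(events):
    """Flag events whose remote address is on the static indicator list."""
    return [e for e in events if e["remote"] in IOC_LIST]

def learn_user_hosts(events):
    """Build the set of devices each account has previously been seen on."""
    seen = defaultdict(set)
    for e in events:
        seen[e["user"]].add(e["host"])
    return seen

def behavioural_hits(baseline, events):
    """Flag remote-access sessions by an account on a device it has never
    been seen on: the credential-misuse pattern the article describes."""
    known = learn_user_hosts(baseline)
    return [e for e in events
            if e["remote_access"] and e["host"] not in known[e["user"]]]

if __name__ == "__main__":
    print("static hits:", static_indicator_hits(RECENT))         # none
    print("behavioural hits:", behavioural_hits(BASELINE, RECENT))  # alice on srv-db
```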