We've covered two AI-based next generation tools: deception networks and network monitoring. This time we're going to use next generation enterprise forensics to go on a threat hunt. If you recall, we deployed an Attivo BOTSink deception network in the lab and, last time, added the MixMode Packetsled network monitor. Both of these use true artificial intelligence with machine learning and deep learning. We have beaten the definition horse to death, but in case you didn't pick up on it, I discussed artificial intelligence in the last two parts of this four-part series.

The tool I'll introduce this time is a dream tool for anyone who has suffered through the tedium of forensic analysis on a dozen or so computers during a digital forensics incident response. In my experience it can take hours to image a single hard drive, a day or more to ingest it into the digital forensic tool, and days to weeks to analyze it. And that is just one disk. If you have a dozen possibly compromised computers, multiply that by twelve and then add days or weeks to tie all of the analyses together. You may have a different process (for example, ingest all twelve disks and analyze them together in the first pass), but whatever you use, it is very time consuming.

Moreover, this is dead-box forensics. At best you may get a memory snapshot, but if you are looking at an event that took place days or even months in the past, your memory snapshots are going to be limited in what they can show you. The tool I'm going to introduce will let you cut that analysis time dramatically. In fact, I've used it to do a full analysis of 1,400 computers on the network, and get live rather than dead-box forensics, in just a couple of hours. The tool I'm talking about is Infocyte HUNT. I have been using it in my lab and at a client for quite some time. It cuts analysis time dramatically and it finds things that I might have missed.
