Dmitry Volkov, CTOGroup-IB, a Singapore-based company, is one of the leading cybersecurity solution and service providers that helps in the detection, investigation and prevention of cyberattacks, online fraud, and IP protection. The company holds 17 years of experience in the field of cyberspace and assists banks and financial organizations, oil and gas companies, critical infrastructure facilities and telecom companies round the clock in any state of cyber incident emergency.
Group-IB has forged its experience with threat hunting & intelligence expertise to create an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats. From day one, Group-IB’s specialists have painstakingly pieced together a unique knowledge base about hackers, cybercriminal groups, their tactics, and infrastructure, gathered during incident response operations and cyber investigations.
Group-IB has forged its experience with threat hunting & intelligence expertise to create an ecosystem of highly sophisticated software and hardware solutions designed to monitor, identify, and prevent cyber threats
The passionate group of experts at Group-IB offer comprehensive protection for IT infrastructures based on the client’s demand and the in-depth analysis of attacks and incident response. The company’s product portfolio comprises a wide range of cyber threat detection services and solutions that prevent oppressive cybercrimes and safeguard any organizational assets. Unlike other vendors, Group-IB’s solutions identify threat actors through numerous indicators and can see their attacks at the preparation stage. The firm’s understanding of specific threat attributes associated with criminal groups or individuals proves to be a vital factor that gives the company a competitive advantage while combating or preventing sophisticated cyberattacks. A noteworthy benefit of employing Group-IB’s solution set is the added benefit of correlating multiple data sources to form a collective intelligence that empowers clients with the much-needed cyber resilience against looming threats.
Exemplifying the merits of his organization’s products, Volkov narrates a use case of safeguarding corporate infrastructure with Group-IB Threat Detection System (TDS). The CTO says, “While doing incident response, Group-IB experts always employ TDS sensors, which helps to not waste time on diving into peculiarities of SIEM configuration settings, for example. During a recent incident response in APAC, TDS helped identify multi infection processes that lasted for years - the organization had suffered several malicious campaigns by the Ocean Lotus APT-group.” Thus, TDS Huntbox automatically accessed data from Group-IB Threat Intelligence system, which stores information about past and ongoing attacks, and correlated it with that particular incident. This enabled Group-IB experts to create the network map showing compromised hosts, which included domain controller, a couple of abandoned servers and several workstations. The identification of the compromised hosts and accounts, the reconstruction of the attack chronology, as well as the detection of the attackers’ infrastructure have enabled Group-IB experts to kick the cybercriminals out of the corporate network and ensure its cyber resilience for months ahead. Volkov recollects how his firm managed to safeguard numerous clients against such attacks, effectively nullifying the efforts of threat actors on a global scale.
To further enhance its value proposition, Group-IB is working closely with law enforcement worldwide in order to hinder the work of attackers and fraudsters and facilitate the resolution of clients' problems in the most efficient and speediest manner. As a matter of fact, the company has nurtured a group of experienced employees who possess extensive knowledge in cyber investigation, threat hunting, and data science. Collectively, Group-IB aspires to create a knowledge and resource pool of threat intelligence, in turn, always remaining a step ahead of the threat actors.
To further enhance its value proposition, Group-IB is working closely with law enforcement worldwide in order to hinder the work of attackers and fraudsters and facilitate the resolution of clients' problems in the most efficient and speediest manner. As a matter of fact, the company has nurtured a group of experienced employees who possess extensive knowledge in cyber investigation, threat hunting, and data science. Collectively, Group-IB aspires to create a knowledge and resource pool of threat intelligence, in turn, always remaining a step ahead of the threat actors.
May 29, 2020
Group IB News
KuppingerCole Analysts AG Names Group-IB a Product Leader for Threat Detection System
Group-IB Receives Funding from CSA to Develop a Cyber Investigation Solution for Singapore
SINGAPORE -- Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has been awarded a grant under the Cyber Security Agency of Singapore's Cybersecurity Industry Call for Innovation powered by TNB Ventures. Group-IB will tap on the government funding to complete the development of its AI-driven cyber investigation solution uncovering hidden connections to d... dismantle cybercriminal underworld.
After a series of pitching and project evaluation rounds carried out by CSA and TNB representatives as well as the end-users from Singapore's private and public sector, Group-IB was named one of the 9 innovative awardees selected out of 87 submissions.
The solution that is being developed addresses critical cybersecurity challenges in detecting and predicting cyber threats from a myriad of sources, including discussions in the DarkWeb, correlating them with threat actors to establish their alleged identities. The solution is intended to help law enforcement (LE) officers, police cybercrime investigators, threat intelligence and DFIR specialists as well as SOC analysts. The solution, powered by Group-IB's proprietary cyber threat intelligence data collected throughout 17 years of incident response and investigations, will speed up cybercrime investigation process, shorten the time for assessing the severity of cyber threats, and will allow the prevention at early stages.
Group-IB is going to develop the solution on the premises of its Global HQ in Singapore. All intellectual property rights by way of patents and trademarks, associated with the project, will be registered and managed in Singapore. The project will be led by a team from Group-IB who has prior first-hand experience in the most complex incident response engagements and successful cyber investigations around the world.
Shafique Dawood, Group-IB's Head of Sales and Business Development in APAC and the project lead was quoted as saying “ "As cybersecurity professionals, we would like to highlight what an important milestone this is for Group-IB. Thanks to this grant, we'll be able to finalize our solution designed to help local government agencies and private companies with an assessment and insights into the imminent cyber threats, attribution, and early-stage prevention of cyberattacks. The collaboration between private cybersecurity companies and the government is essential in strengthening Singapore's cybersecurity posture and we are honored to receive support from CSA which plays a critical role in providing opportunities for cybersecurity companies to develop innovative solutions that address the cybersecurity challenges of key sectors in Singapore. Group-IB is strategically positioned for Singapore to leverage its technology in hailing a new era of cyber preparedness and the hunt for advanced cyber threats." Read more
After a series of pitching and project evaluation rounds carried out by CSA and TNB representatives as well as the end-users from Singapore's private and public sector, Group-IB was named one of the 9 innovative awardees selected out of 87 submissions.
The solution that is being developed addresses critical cybersecurity challenges in detecting and predicting cyber threats from a myriad of sources, including discussions in the DarkWeb, correlating them with threat actors to establish their alleged identities. The solution is intended to help law enforcement (LE) officers, police cybercrime investigators, threat intelligence and DFIR specialists as well as SOC analysts. The solution, powered by Group-IB's proprietary cyber threat intelligence data collected throughout 17 years of incident response and investigations, will speed up cybercrime investigation process, shorten the time for assessing the severity of cyber threats, and will allow the prevention at early stages.
Group-IB is going to develop the solution on the premises of its Global HQ in Singapore. All intellectual property rights by way of patents and trademarks, associated with the project, will be registered and managed in Singapore. The project will be led by a team from Group-IB who has prior first-hand experience in the most complex incident response engagements and successful cyber investigations around the world.
Shafique Dawood, Group-IB's Head of Sales and Business Development in APAC and the project lead was quoted as saying “ "As cybersecurity professionals, we would like to highlight what an important milestone this is for Group-IB. Thanks to this grant, we'll be able to finalize our solution designed to help local government agencies and private companies with an assessment and insights into the imminent cyber threats, attribution, and early-stage prevention of cyberattacks. The collaboration between private cybersecurity companies and the government is essential in strengthening Singapore's cybersecurity posture and we are honored to receive support from CSA which plays a critical role in providing opportunities for cybersecurity companies to develop innovative solutions that address the cybersecurity challenges of key sectors in Singapore. Group-IB is strategically positioned for Singapore to leverage its technology in hailing a new era of cyber preparedness and the hunt for advanced cyber threats." Read more
Group-IB Named a Representative Vendor in Gartner's 2019 Market Guide for Digital Forensics and Incident Response Services
SINGAPORE - Group-IB, a Singapore-based cybersecurity company that specializes in preventing cyberattacks, was recognized in Gartner's Market Guide for Digital Forensics and Incident Response Services1 (Gartner subscription required) for its Incident Response Retainer service. Gartner, the world's leading research and advisory company, identified Group-IB as a Representative Vendor in digi... ital forensics and incident response services.
"Given the external threat landscape, as well as the risk of insider threats, organizations should move from being reactive to proactive in their IR preparedness," Gartner said. "Incident response retainers are critical to organizations that need assistance responding to cybersecurity incidents."
When it comes to cybersecurity incident, every second counts. Time delays usually result in higher overall costs of a cyberattack. Group-IB's Incident Response (IR) Retainer service is delivered on a pre-negotiated agreement, concluded for a specific period of time, during which the company's client might request an emergency incident response in case the latter occurred without wasting time on formal procedures that normally accompany any contract signing. Apart from shorter incident response time, Group-IB Incident Response Retainer is indispensable in minimizing the impact of a potential breach and shortening the recovery period.
"Group-IB is excited to be recognized in Gartner's Market Guide for Digital Forensics and Incident Response Services, in our opinion, this reflects our determination to provide our customers with best-in-class products and solutions," comments Valery Baulin, the head of Group-IB's Digital Forensics Lab.
Group-IB's IR Retainer provides the customers with a guaranteed access to the company's IR team at any time throughout the contract period and ensures the full cycle of eradication, remediation and prevention services. As soon as a company purchases the service from a vendor, the latter proceeds with pre-IR assessment to get to know the client's infrastructure, meet the stakeholders, with whom they are supposed to interact in case an incident occurs and agree on all the related processes. Thus, at the time when an incident takes place, the IR team is no stranger to the company's information system, its technologies and environment, and already has some data required for an investigation, and the greater the completeness of the collected data is, the higher the likelihood of a successful investigation will be. Read more
"Given the external threat landscape, as well as the risk of insider threats, organizations should move from being reactive to proactive in their IR preparedness," Gartner said. "Incident response retainers are critical to organizations that need assistance responding to cybersecurity incidents."
When it comes to cybersecurity incident, every second counts. Time delays usually result in higher overall costs of a cyberattack. Group-IB's Incident Response (IR) Retainer service is delivered on a pre-negotiated agreement, concluded for a specific period of time, during which the company's client might request an emergency incident response in case the latter occurred without wasting time on formal procedures that normally accompany any contract signing. Apart from shorter incident response time, Group-IB Incident Response Retainer is indispensable in minimizing the impact of a potential breach and shortening the recovery period.
"Group-IB is excited to be recognized in Gartner's Market Guide for Digital Forensics and Incident Response Services, in our opinion, this reflects our determination to provide our customers with best-in-class products and solutions," comments Valery Baulin, the head of Group-IB's Digital Forensics Lab.
Group-IB's IR Retainer provides the customers with a guaranteed access to the company's IR team at any time throughout the contract period and ensures the full cycle of eradication, remediation and prevention services. As soon as a company purchases the service from a vendor, the latter proceeds with pre-IR assessment to get to know the client's infrastructure, meet the stakeholders, with whom they are supposed to interact in case an incident occurs and agree on all the related processes. Thus, at the time when an incident takes place, the IR team is no stranger to the company's information system, its technologies and environment, and already has some data required for an investigation, and the greater the completeness of the collected data is, the higher the likelihood of a successful investigation will be. Read more
Group-IB enhances data exchange operations by joining Anti-Phishing Working Group
Singapore – Group-IB, a global threat hunting and intelligence company headquartered in Singapore, has entered into a partnership with Anti-Phishing Working Group (APWG), an international coalition unifying the global response to cybercrime. As an APWG member, Group-IB represented by Computer Emergency Response Team (CERT-GIB) will now have access to the APWG eCrime Exchange (ECX), an onli... ine platform for sharing threat data, which will further enlarge the surface of the company’s telemetry and magnify the efficiency of its fight against phishing-related scams worldwide.
According to the data of CERT-GIB, the number of phishing website blockages increased by 71 percent in the second quarter of 2020 compared to the corresponding period a year earlier. The growth is largely attributable to the enhanced cooperation of CERT-GIB with multinational organizations whose main aim is data sharing for the purpose of containing cyber threats and fighting cybercrimes.
Adding APWG, one of the world’s largest and oldest anti-phishing alliances, on the list of its partners, Group-IB eyes to have a fuller picture of the global online threat landscape, sharing information on phishing URLs and emails as well as malicious IPs and domains within the organization, whose members include the world’s major cybersecurity vendors. As cybercriminals are known to use the same infrastructure to perform attacks on various brands, interchange of data considerably boosts the company’s capabilities in detecting and countering phishing attacks.
In addition to one of the world’s oldest and outstanding threat data repository, Group-IB will also benefit from the cooperation with a community of experienced specialists whose expertise can facilitate the resolution of not only technical but also judicial problems associated with phishing blockage.
“The data interchange is a crucial dimension of the global struggle toward a safer cyberspace to live in,” comments CERT-GIB head Alexander Kalinin. “Having partnered APWG, the largest organization that monitors and contains the growth of the so-called phishing population, Group-IB now has eyes literally everywhere, which means that Group-IB’s database and knowledge on cybercriminals’ infrastructures are now even broader.”
“APWG is excited to welcome Group-IB as a sponsoring member,” comments APWG Deputy Secretary-General Foy Shiver. “This partnership helps expand APWG’s data and research into international markets. As a sponsoring member Group-IB will help APWG’s member network to protect end users and track cybercriminal activities globally.” Read more
According to the data of CERT-GIB, the number of phishing website blockages increased by 71 percent in the second quarter of 2020 compared to the corresponding period a year earlier. The growth is largely attributable to the enhanced cooperation of CERT-GIB with multinational organizations whose main aim is data sharing for the purpose of containing cyber threats and fighting cybercrimes.
Adding APWG, one of the world’s largest and oldest anti-phishing alliances, on the list of its partners, Group-IB eyes to have a fuller picture of the global online threat landscape, sharing information on phishing URLs and emails as well as malicious IPs and domains within the organization, whose members include the world’s major cybersecurity vendors. As cybercriminals are known to use the same infrastructure to perform attacks on various brands, interchange of data considerably boosts the company’s capabilities in detecting and countering phishing attacks.
In addition to one of the world’s oldest and outstanding threat data repository, Group-IB will also benefit from the cooperation with a community of experienced specialists whose expertise can facilitate the resolution of not only technical but also judicial problems associated with phishing blockage.
“The data interchange is a crucial dimension of the global struggle toward a safer cyberspace to live in,” comments CERT-GIB head Alexander Kalinin. “Having partnered APWG, the largest organization that monitors and contains the growth of the so-called phishing population, Group-IB now has eyes literally everywhere, which means that Group-IB’s database and knowledge on cybercriminals’ infrastructures are now even broader.”
“APWG is excited to welcome Group-IB as a sponsoring member,” comments APWG Deputy Secretary-General Foy Shiver. “This partnership helps expand APWG’s data and research into international markets. As a sponsoring member Group-IB will help APWG’s member network to protect end users and track cybercriminal activities globally.” Read more
Quantum leap in cybersecurity: Group-IB brings new type of solution for threat hunting and attack prevention to market
Singapore - Group-IB, a global threat hunting and intelligence company, has revealed the results of its yearslong development of proprietary high-tech products for threat hunting and research ” Threat Intelligence & Attribution and Threat Hunting Framework. Altogether the solutions represent a new smart cybersecurity ecosystem uniting Group-IBs patented innovative technologies unveiled... d by Group-IB at CyberCrimeCon 2020, a global threat hunting and intelligence conference.
Group-IB has become the first company to offer a new type of solution called Threat Intelligence & Attribution. The system is designed to create and customize a cyber threat map for a specific company, correlate individual cybersecurity events in real-time, and attribute attacks to a particular threat actor. The creation of TI&A marks the emergence of a new type of solution for collecting data on threats and attackers relevant for a particular organization with the aim of examination and proactive hunting for threat actors, research, and protection of network infrastructure. Currently, there no analogues to TI&A on the international market.
Yet another innovation presented by Group-IB is Threat Hunting Framework “ a system for IT and OT networks that protects against unknown threats and targeted attacks, hunts for threats both within and outside the protected organization's perimeter, and helps investigate and respond to cybersecurity incidents and minimize their impact.
According to Hi-Tech Crime Trends 2020-2021, a report that provides an analysis of high-tech crimes worldwide, the merge of various cybercrime segments has led to the appearance of new threats, which resulted in increased damage as a result of attacks. Thus, analysts most conservative estimates suggest that the overall damage to companies in 45 countries caused by known ransomware incidents amounts to over $1 billion. The market for selling access to compromised corporate infrastructures has grown at an explosive pace: in one year it has increased four-fold reaching $6,189,388. The number of sellers has jumped to 63, with both cybercriminals and state-sponsored actors among them. Compared to the previous period, the size of the carding market, which is connected with the theft of bank card data, has grown by 116% nearing $2 billion. In the face of these challenges, public and private sector companies have to reevaluate their cybersecurity strategies and focus on hunting threats, relevant to their specific industry.
Today, Group-IB presented the result of the evolution of its proprietary high-tech crime investigation and cyberattack prevention product line, which includes two innovative solutions: Threat Hunting Framework (THF) and Threat Intelligence & Attribution (TI&A). The complex engineering systems are connected to each other brought together in a single smart ecosystem capable of automatically halting targeted attacks against organizations. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. It is based on the patented technologies developed by Group-IBs analysts and engineering teams.
Group-IB currently has 33 patents (including 6 in the United States, 5 in the Netherlands, 4 in Singapore, and elsewhere). All of them were issued for the technologies lying at the heart of TI&A, THF and the companys other innovative products. In addition, Group-IB has 55 patent applications (14 in the United States, 5 in the Netherlands, 12 in Singapore, and 24 more internationally).
The dynamic of cybercrime is signaling to the market that companies should be able to prevent most threats automatically, but this is not enough, says Group-IB CTO Dmitry Volkov. Smart threat actors with money and resources will eventually learn to bypass any automated detection system. You need to prepare for that by building your experience in hunting for threats using tools customized to this task. In this fight, blocking will not help: tomorrow you will be attacked based on how you stop the threat today. Hunting for threats is an ongoing process based on the ability to handle huge amounts of internal and external data lakes, ranging from system events and traffic metadata to domains, hosts, and hacker groups' profiles. To be able to work with this data means to be a professional threat hunter. This is the future of cybersecurity.
Group-IBs team of engineers base their development of cybersecurity technologies on several principles. Firstly, detection systems and algorithms have to be adversary-centric; this means that cybersecurity experts should receive alerts with either clear technical justification or full intelligence context on a given threat: who the attackers are, what their motivation is, what their tactic is, and what IOCs and TTPs are expected to be used in further attacks. When possible, a solution has to block threats immediately, but detection and blocking is not enough. This is only the beginning of building effective security systems.
Secondly, the enrichment process has to be fully automated and should provide as much context related to IOCs and TTPs as possible. To achieve that, an analysis engine must go beyond simple threat detection: it is crucial to extract and fully detonate discovered payloads in a safe isolated environment, harvesting indicators of compromise that help in subsequent threat hunting activities. Thirdly, threat hunting is a crucial process of proactive searching for something that could have been missed in the past and potentially might be missed in the future.
Detection is never enough
Group-IB Threat Hunting Framework (THF) is the first all-in-one solution for protection of both IT and OT networks. The fact that Group-IB AI-driven Threat Hunting Framework, the only of its kind, serves as a single cybersecurity solution and unites standards for two different network segments is a quantum leap in cybersecurity market that changes the rules inside the industry.
The new products key goals are the detection of previously unknown threats and targeted attacks, the containing of detected threats and automation of instruments for identifying links between threats both inside and outside of the protected perimeter. The THF has a patented malware detonation technology that goes beyond traditional sandboxing and sets up new industry standards for file analysis solutions and an innovative endpoint module for real-time host protection and malicious behavior detection with a unique patented server-side classifier. Threat Hunting Framework architecture has several main modules, each of which is innovative in its nature and whose functionality goes beyond the existing product categories defining absolutely new type of cybersecurity solutions.
THF Sensor is designed to identify threats at the network level thanks to an in-depth analysis of network traffic. The solution identifies threats and infected hosts by analyzing the network traffic protecting not only IT segment of the network, but also OT network with the help of its Sensor Industrial module. The module ensures that the integrity of ICS software is under control by analyzing industrial protocols and protecting corporate networks comprehensively, detecting threats with the use of its high-performance AI-driven classifier.
Group-IB's another innovation is THF Polygon. This platform is designed to detonate malware. It detects threats by performing behavior analysis of emails, files, and links and runs malware in an isolated environment. It is crucial to fully detonate the discovered payloads and extract all related IOCs and artifacts to be able to attribute the attacks.
Email remains a key system for initial compromise for cybercriminals. This problem affects businesses of any size. In response to this threat, Group-IB for the first time presented its cloud-based solution for the prevention of all types of email attacks ” Atmosphere. Atmosphere aims to make cutting-edge technologies for detecting email threats affordable and easily deployable, while at the same time keeping the technology part of Threat Hunting Framework and offering not only qualitative filtering of emails, but also the rest of THFs advantages: malware detonation, attack attribution and integration with other modules of the ecosystem.
For the first time, Group-IB has introduced a solution for protecting end hosts: Huntpoint. This module creates a complete timeline of events on the host, which is available both in real time and retrospectively, detects abnormal behavior, and blocks malicious files. What is more, it isolates hosts from the network and collects forensic data for further research.
The Huntbox module is responsible for fully automated analysis and correlation of network events. This module provides a full picture of threats within and beyond an organizations network, helping to hunt for threats and identify malicious activity targeting the company. Group-IB Threat Hunting Framework capabilities are enhanced by the Decryptor module, which is designed to decrypt TLS/SSL traffic in the protected infrastructure.
Group-IB provides access to its internal tools for tracking hackers
Threat Intelligence & Attribution, which is one of the most heavily loaded Group-IB systems ” it handles petabytes of data on adversaries and their tools and infrastructure, ” has leaped forward. Today, TI&A marks the creation of a new type of solutions for collecting data on threats and attackers relevant to a specific organization. It helps analyze adversaries and their tools in order to proactively hunt for criminal groups and protect network infrastructure.
TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide to enrich all other Group-IB products with data for hunting for attackers and threats. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. The extensive functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country.
TI&A takes an adversary-centric approach to threat protection. The idea behind the system is that it hunts not only for threats, but also for the adversaries behind them. The data lakes operated by the system help quickly link attacks to specific groups or even individuals. TI&A helps promptly analyze and attribute threats that a company faces, detect leaks, insiders and compromised user accounts. Moreover, it identifies insiders who sell company data on underground resources and detects and thwarts attacks targeting companies and their customers regardless of industry.
The launch of TI&A on the market provides access to Group-IB's internal tools, which were previously used only by Group-IB's DFIR, threat hunting, and cyber threat intelligence teams. Every specialist who uses TI&A now has access to the largest collection of dark web data, an advanced hacker group profiling model, and a fully automated graph analysis tool that helps correlate data and attribute threats to specific criminal groups in seconds.
As such, TI&A makes it possible to detect attacks overlooked by common cyber defense tools. It helps understand how advanced adversaries behave and whether the protected infrastructure can counteract them. This approach helps motivate and improve internal cybersecurity teams as well as enhance their capabilities through an in-depth insight into threats targeting their organizations.
TI&A is a complex engineering system developed by Group-IB and integrated into a smart technological ecosystem that is capable of automatically halting targeted attacks on organisation. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. Read more
Group-IB has become the first company to offer a new type of solution called Threat Intelligence & Attribution. The system is designed to create and customize a cyber threat map for a specific company, correlate individual cybersecurity events in real-time, and attribute attacks to a particular threat actor. The creation of TI&A marks the emergence of a new type of solution for collecting data on threats and attackers relevant for a particular organization with the aim of examination and proactive hunting for threat actors, research, and protection of network infrastructure. Currently, there no analogues to TI&A on the international market.
Yet another innovation presented by Group-IB is Threat Hunting Framework “ a system for IT and OT networks that protects against unknown threats and targeted attacks, hunts for threats both within and outside the protected organization's perimeter, and helps investigate and respond to cybersecurity incidents and minimize their impact.
According to Hi-Tech Crime Trends 2020-2021, a report that provides an analysis of high-tech crimes worldwide, the merge of various cybercrime segments has led to the appearance of new threats, which resulted in increased damage as a result of attacks. Thus, analysts most conservative estimates suggest that the overall damage to companies in 45 countries caused by known ransomware incidents amounts to over $1 billion. The market for selling access to compromised corporate infrastructures has grown at an explosive pace: in one year it has increased four-fold reaching $6,189,388. The number of sellers has jumped to 63, with both cybercriminals and state-sponsored actors among them. Compared to the previous period, the size of the carding market, which is connected with the theft of bank card data, has grown by 116% nearing $2 billion. In the face of these challenges, public and private sector companies have to reevaluate their cybersecurity strategies and focus on hunting threats, relevant to their specific industry.
Today, Group-IB presented the result of the evolution of its proprietary high-tech crime investigation and cyberattack prevention product line, which includes two innovative solutions: Threat Hunting Framework (THF) and Threat Intelligence & Attribution (TI&A). The complex engineering systems are connected to each other brought together in a single smart ecosystem capable of automatically halting targeted attacks against organizations. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. It is based on the patented technologies developed by Group-IBs analysts and engineering teams.
Group-IB currently has 33 patents (including 6 in the United States, 5 in the Netherlands, 4 in Singapore, and elsewhere). All of them were issued for the technologies lying at the heart of TI&A, THF and the companys other innovative products. In addition, Group-IB has 55 patent applications (14 in the United States, 5 in the Netherlands, 12 in Singapore, and 24 more internationally).
The dynamic of cybercrime is signaling to the market that companies should be able to prevent most threats automatically, but this is not enough, says Group-IB CTO Dmitry Volkov. Smart threat actors with money and resources will eventually learn to bypass any automated detection system. You need to prepare for that by building your experience in hunting for threats using tools customized to this task. In this fight, blocking will not help: tomorrow you will be attacked based on how you stop the threat today. Hunting for threats is an ongoing process based on the ability to handle huge amounts of internal and external data lakes, ranging from system events and traffic metadata to domains, hosts, and hacker groups' profiles. To be able to work with this data means to be a professional threat hunter. This is the future of cybersecurity.
Group-IBs team of engineers base their development of cybersecurity technologies on several principles. Firstly, detection systems and algorithms have to be adversary-centric; this means that cybersecurity experts should receive alerts with either clear technical justification or full intelligence context on a given threat: who the attackers are, what their motivation is, what their tactic is, and what IOCs and TTPs are expected to be used in further attacks. When possible, a solution has to block threats immediately, but detection and blocking is not enough. This is only the beginning of building effective security systems.
Secondly, the enrichment process has to be fully automated and should provide as much context related to IOCs and TTPs as possible. To achieve that, an analysis engine must go beyond simple threat detection: it is crucial to extract and fully detonate discovered payloads in a safe isolated environment, harvesting indicators of compromise that help in subsequent threat hunting activities. Thirdly, threat hunting is a crucial process of proactive searching for something that could have been missed in the past and potentially might be missed in the future.
Detection is never enough
Group-IB Threat Hunting Framework (THF) is the first all-in-one solution for protection of both IT and OT networks. The fact that Group-IB AI-driven Threat Hunting Framework, the only of its kind, serves as a single cybersecurity solution and unites standards for two different network segments is a quantum leap in cybersecurity market that changes the rules inside the industry.
The new products key goals are the detection of previously unknown threats and targeted attacks, the containing of detected threats and automation of instruments for identifying links between threats both inside and outside of the protected perimeter. The THF has a patented malware detonation technology that goes beyond traditional sandboxing and sets up new industry standards for file analysis solutions and an innovative endpoint module for real-time host protection and malicious behavior detection with a unique patented server-side classifier. Threat Hunting Framework architecture has several main modules, each of which is innovative in its nature and whose functionality goes beyond the existing product categories defining absolutely new type of cybersecurity solutions.
THF Sensor is designed to identify threats at the network level thanks to an in-depth analysis of network traffic. The solution identifies threats and infected hosts by analyzing the network traffic protecting not only IT segment of the network, but also OT network with the help of its Sensor Industrial module. The module ensures that the integrity of ICS software is under control by analyzing industrial protocols and protecting corporate networks comprehensively, detecting threats with the use of its high-performance AI-driven classifier.
Group-IB's another innovation is THF Polygon. This platform is designed to detonate malware. It detects threats by performing behavior analysis of emails, files, and links and runs malware in an isolated environment. It is crucial to fully detonate the discovered payloads and extract all related IOCs and artifacts to be able to attribute the attacks.
Email remains a key system for initial compromise for cybercriminals. This problem affects businesses of any size. In response to this threat, Group-IB for the first time presented its cloud-based solution for the prevention of all types of email attacks ” Atmosphere. Atmosphere aims to make cutting-edge technologies for detecting email threats affordable and easily deployable, while at the same time keeping the technology part of Threat Hunting Framework and offering not only qualitative filtering of emails, but also the rest of THFs advantages: malware detonation, attack attribution and integration with other modules of the ecosystem.
For the first time, Group-IB has introduced a solution for protecting end hosts: Huntpoint. This module creates a complete timeline of events on the host, which is available both in real time and retrospectively, detects abnormal behavior, and blocks malicious files. What is more, it isolates hosts from the network and collects forensic data for further research.
The Huntbox module is responsible for fully automated analysis and correlation of network events. This module provides a full picture of threats within and beyond an organizations network, helping to hunt for threats and identify malicious activity targeting the company. Group-IB Threat Hunting Framework capabilities are enhanced by the Decryptor module, which is designed to decrypt TLS/SSL traffic in the protected infrastructure.
Group-IB provides access to its internal tools for tracking hackers
Threat Intelligence & Attribution, which is one of the most heavily loaded Group-IB systems ” it handles petabytes of data on adversaries and their tools and infrastructure, ” has leaped forward. Today, TI&A marks the creation of a new type of solutions for collecting data on threats and attackers relevant to a specific organization. It helps analyze adversaries and their tools in order to proactively hunt for criminal groups and protect network infrastructure.
TI&A combines unique data sources and experience in investigating high-tech crimes and responding to complex multi-stage attacks worldwide to enrich all other Group-IB products with data for hunting for attackers and threats. The system stores data on threat actors, domains, IPs, and infrastructures collected over the last 15 years, including those that criminals attempted to wipe out. The extensive functionality of the system helps customize it to the threat landscape not only relevant to a particular industry, but also to a specific company in a certain country.
TI&A takes an adversary-centric approach to threat protection. The idea behind the system is that it hunts not only for threats, but also for the adversaries behind them. The data lakes operated by the system help quickly link attacks to specific groups or even individuals. TI&A helps promptly analyze and attribute threats that a company faces, detect leaks, insiders and compromised user accounts. Moreover, it identifies insiders who sell company data on underground resources and detects and thwarts attacks targeting companies and their customers regardless of industry.
The launch of TI&A on the market provides access to Group-IB's internal tools, which were previously used only by Group-IB's DFIR, threat hunting, and cyber threat intelligence teams. Every specialist who uses TI&A now has access to the largest collection of dark web data, an advanced hacker group profiling model, and a fully automated graph analysis tool that helps correlate data and attribute threats to specific criminal groups in seconds.
As such, TI&A makes it possible to detect attacks overlooked by common cyber defense tools. It helps understand how advanced adversaries behave and whether the protected infrastructure can counteract them. This approach helps motivate and improve internal cybersecurity teams as well as enhance their capabilities through an in-depth insight into threats targeting their organizations.
TI&A is a complex engineering system developed by Group-IB and integrated into a smart technological ecosystem that is capable of automatically halting targeted attacks on organisation. The ecosystem provides security teams with tools for linking individual events, attributing threats, analyzing malicious code, and instantly responding to cyber incidents. Read more
Group-IB TDS, trusted by banks, financial organizations, and industrial enterprises in dozens of countries in Western Europe, Africa and South-Eastern Asia, embodies adversary-centric approach and ensures protection against the most complex targeted attacks and advanced persistent threats (APTs), effective automated response and mitigation in a single platform. This adversary-centric approach is implemented through TDS enrichment with information from Group-IB's attribution-based Threat Intelligence system that holds the most up-to-date data on indicators of compromise, attackers and their TTPs, securing precise attribution of cyberattacks to a specific threat actor.
Group-IB TDS includes for major modules “ TDS Sensor, TDS Polygon, TDS Decryptor, TDS Huntpoint, TDS Huntbox “ that ensure correlation of internal and external telemetry data for effective threat hunting and analysis that can detect sophisticated attacks at the preparation stage.
"Group-IB is a provider of high-quality threat intel, which is also used by their products as well as shared with Cyber Threat Alliance, global CERTs, Europol, Interpol, etc.," KuppingerCole Analysts AG said in its report. "Group-IB's TDS is one of the most feature-rich NDR solutions in the market. It exceeds expectations for NDR functionality ¦ Organizations that need a full range of NDR capabilities, especially for industrial applications, should consider Group-IB TDS."
In its report, KuppingerCole Analysts AG, in particular, highlighted Group-IB TDS' ability to detect lateral movement and communications with attackers' CnC servers thanks to anomaly detection algorithms (such as domain generation algorithms analysis) and gave credits to TDS analyzing malware leveraging unsupervised machine learning models.
"Group-IB is honored to have its TDS listed in KuppingerCole Analysts AG 'Leadership Compass for Network Detection and Response,'" comments Group-IB CTO and Threat Intelligence head Dmitry Volkov. "Masterminding its Threat Detection System, Group-IB sought to create a single solution for the protection of both corporate and industrial networks that would combine threat hunting with automated incident management and response. As a result, one of a kind solution emerged that is capable of distinguishing relevant attacks and attackers' infrastructures at a preparation stage and whose constant enrichment with threat intelligence data ensures precise correlation and attribution of threats." Read more