Threat hunting: finding hacker traces on systems

We check your infrastructure for traces of hacking attacks. Either targeted for a specific attacker group or large-scale for typical traces.

Threat Hunting - Be one step ahead of the hackers

Threat hunting means proactive and structured scanning of collected data from SIEM, EDR or other security systems, rather than waiting for an alert and then investigating. Endpoints can also be searched for known traces of attacks (Indicators of Compromise, IOCs).

Starting point of hunting is Locard's rule that a perpetrator always leaves traces at the scene, you "just" have to find them. Based on threat intelligence, we collect information on how attackers specifically proceed, perform these techniques in our lab, and observe what traces are left behind. On this basis, we formulate hypotheses, which we then verify in your environment.

This innovative approach complements the usual reactive security methods to a truly holistic security concept!

Two approaches

Top-Down

You already know of certain threats or attack vectors that could affect your business, or you want to identify such "Indicators of Compromise" (IOCs) and "Tactics, Techniques and Procedures" (TTPs) via threat intelligence. We'll tell you if these threats are already impacting your systems and optimize rules for better automated detection in the future.

Bottom-Up

Bottom-Up does not start from a specific threat or hypothesis. We examine what data has been collected from your different systems so far and what we can read from it to identify past or active threats. Based on these data, we develop and write appropriate rules that will help you better detect future threats in your environment.

Top-down is targeted and clear, bottom-up is more customized to your organization and less predictable. Both approaches test the functionality and efficiency of your tools and data, and highlight any flaws such as missing files, systems, or insufficient log sizes.

With threat hunting, you not only get better rules for automated threat detection, but also a solid assessment of the usability of your data and tools for a potential incident.

Ready to go hunting?

Let's talk about the benefits and further details of threat hunting or a compromise assessment in a web meeting.

Yes, let's start

Compromise assessments

On average, it still takes over a month to detect a successful cyberattack. Attackers deliberately fly under the radar, using dual-use tools called Possibly Unwanted Applications (PUAs) to remain undetected by antivirus solutions and working slowly and carefully to avoid causing anomalies in network traffic.

If they are discovered at some point, hundreds or even thousands of systems could already be affected. Manual forensic analysis of such a number is extremely time-consuming and very expensive. A Compromise Assessment can reliably and cost-effectively find out if attackers have been on your network and which systems are infected.

We are co-developers of Thor APT Scanner, which was created for exactly such scenarios: Scanning many systems in parallel for attacker activity, detecting not only common traces, but also unknown threats as well as Advanced Persistent Threats.

Thor has 20 different modules and 12.000 signatures to detect traces of attack tools and activity in logs, user accounts, sessions, network connections and many other places.

Thor's signatures are regularly updated by security experts, whether through our own findings, threat intelligence feeds, or publications from other security companies such as Mandiant or Crowdstrike.

Reasons for a Compromise Assessment

Current incident

You have unwanted visitors, but don't really know where the hackers have infiltrated and how many systems are already affected? A compromise assessment is a very efficient solution here.

Individual initiative

Companies are being hacked all around you, only you have no alerts. Is it because you're not affected or because you just don't see the attacks? A compromise assessment provides clarity.

Look before you leap

Do you need to open up your IT to partners or integrate an acquired company? Check the status quo of that new friend in a compromise assessment before letting the wrong people in.

The process of a compromise assessment

Scope definition and customizing

We determine your individual needs in a kickoff and review any tools you may already have that can be used for the assessment.

Then, depending on your network, type and number of systems and other conditions, we jointly select the appropriate tools and licenses and adapt the scanning rules and signatures accordingly. This can also include information from you, for example your own findings about the attack or OSINT (Open Source Intelligence) information.

< >

Configuration and distribution

The tools used are now configured accordingly and distributed on all required systems. You receive the necessary know-how through detailed instructions or direct support from us.

Then the scan starts on the systems and collects traces, evidence and artifacts.

< >

Analysis and report generation

A company-wide scan delivers a sheer overwhelming amount of data, most of which is not self-explanatory but has to be checked, correlated and interpreted by specialists.

Our forensic experts have many years of experience and a great deal of know-how. They select the relevant results, formulate them into comprehensible explanations and supplement them with actionable recommendations. In this way, employees outside the security department also have the chance to understand the results.

< >

Decision and IR measures

Creating documentation is not the last phase in the incident response process. Fixing security problems and cleaning up systems is a complex task.

We support you with our incident response services in the decision-making process for the next steps and in the implementation of the planned measures.

< >