FireTower Attack Detection Task
Anti-virus security solutions from Enterprise Protection Platforms (EPPs) rely on signature-based detection and cannot detect advanced attacks or zero-day attacks, which are previously undiscovered and have no associated signature.
Most anti-virus software has been extended with additional measures against zero-day threats, such as a reputation database and behavior analysis, and warns users of potential dangers, but it still leaves the final decision to the user.
FireTower is an endpoint detection and response (EDR) tool. EDR tools have become a critical component of enterprise security architecture to combat zero-day attacks and targeted attacks.
FireTower detects zero-day and suspicious threats in real time by automatically discovering every persistence mechanism change event on endpoint computers and stacking those events in a centralized enterprise threat database on the FireTower server.
The Discovery task logs all existing “persistence mechanisms” including associated metadata, digital certificate and hash values of target binary files (MD5, SHA-1 and SHA-256). The discovery task will continue to monitor the persistence mechanisms in real-time and trigger automatic authentication on all persistence mechanism change events.
A cloud-based Autorun Setting Repository (ASR) is used for persistence mechanism authentication. ASR provides a detection scheme that rates persistence mechanisms such as Autorun entries and identifies each as known good, known bad, or unknown (zero-day):
- Green: Autorun whitelist database kept at ASR
- Red: Autorun blacklist from cloud-based 60+ Anti-virus engines
- Yellow: Zero-day Entries, could be good or bad
ASR allows support professionals and digital forensics investigators to quickly disregard the majority of good Autorun entries and focus on a smaller list of questionable or possibly malicious entries.
The FireTower detection task delivers all persistence mechanisms from the networked endpoints and stacks them into an Inter-Host Intrusion Prevention System (IHIPS) database maintained by the FireTower service. The FireTower service can be hosted as an application on either an internal drive or a USB device attached to a Windows or Linux computer (desktop or server OS). The computer can be either an on-premise machine or cloud-based.
This enterprise threat database can be used to analyze malware kill chains and multi-stage attack artifacts, alert on persistence mechanism exceptions relative to a group template, identify possible malware distribution (yellow and red) and list all at-risk endpoints.
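The following is an added example, not FireTower code, showing the rating and stacking logic the Discovery task and the IHIPS database are described as performing above: each change event carries the hashes of its target binary, the hash is rated green/red/yellow against constructed whitelist and blacklist sets standing in for ASR, and events from all endpoints are stacked by hash so that a distributed yellow entry and its at-risk hosts show up as one finding. The binaries, hash databases, endpoint names and event list are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-ins for the target binaries of Autorun entries.
GOOD_BIN = b"MZ\x90\x00constructed-known-good-updater"
BAD_BIN = b"MZ\x90\x00constructed-known-bad-dropper"
NEW_BIN = b"MZ\x90\x00constructed-unsigned-zero-day"

def hash_binary(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of a target binary, as the Discovery task records."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}

# Constructed ASR: whitelist (green) and blacklist (red) keyed by SHA-256.
ASR_WHITELIST = {hash_binary(GOOD_BIN)["sha256"]}
ASR_BLACKLIST = {hash_binary(BAD_BIN)["sha256"]}

def rate(sha256: str) -> str:
    """Green = whitelist hit, red = blacklist hit, yellow = unknown (zero-day)."""
    if sha256 in ASR_WHITELIST:
        return "green"
    if sha256 in ASR_BLACKLIST:
        return "red"
    return "yellow"

def stack_change_events(events):
    """Stack change events (endpoint, autorun location, binary bytes) by hash.
    Returns one record per non-green hash with every endpoint and location
    it was seen at, so an analyst reviews each questionable binary once."""
    stacked = defaultdict(lambda: {"rating": "", "endpoints": set(), "locations": set()})
    for endpoint, location, data in events:
        sha256 = hash_binary(data)["sha256"]
        stacked[sha256]["rating"] = rate(sha256)
        stacked[sha256]["endpoints"].add(endpoint)
        stacked[sha256]["locations"].add(location)
    return {h: e for h, e in stacked.items() if e["rating"] != "green"}

def at_risk_endpoints(events):
    """Endpoints holding at least one red or yellow persistence entry."""
    hosts = set()
    for entry in stack_change_events(events).values():
        hosts |= entry["endpoints"]
    return sorted(hosts)

# Constructed change events from four endpoints; two share the unknown binary.
RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"
SAMPLE_EVENTS = [
    ("ws-01", RUN_KEY + r"\Updater", GOOD_BIN),
    ("ws-02", RUN_KEY + r"\Updater", GOOD_BIN),
    ("ws-02", RUN_KEY + r"\svchost", NEW_BIN),
    ("ws-03", RUN_KEY + r"\svchost", NEW_BIN),
    ("ws-04", r"Scheduled Tasks\Cleanup", BAD_BIN),
]
```

Running `stack_change_events(SAMPLE_EVENTS)` yields two findings, the yellow binary on ws-02 and ws-03 and the red one on ws-04, while the green updater on ws-01 and ws-02 is filtered out.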
- Persistence Mechanism Primer
- FireTower Security Solution Page
- Armchair tour to Cyber Console Attack Detection UI
- Hands-on with FireTower Security Operations:
  - Get hands-on experience with the unique EDR capabilities of the Inter-Host Intrusion Prevention System by experimenting with the Cyber Console GUI on a Sampan Security, Inc. demonstration network, on demand and from your own computer.
  - Download and execute the WinCyCon software (digitally signed by Sampan Security, Inc.), which auto-connects you to the network: WinCyConx64.exe for x64 and WinCyConx86.exe for x86 (Windows Desktop XP/Vista/7/8/10 or Server 2008/2012).