Whether it be a real-life criminal case or a piece of classic detective literature, one thing that seems to remain constant is that evidence makes or breaks a case. Even with the best detectives on the scene, it’s usually one critical piece of evidence that makes all the difference, along with someone who knows how it fits into the overall puzzle, of course.
This scenario doesn’t change in the digital landscape. Identifying a potential breach and rebuilding the crime scene requires both the evidence of what occurred and the expertise to piece it together. Even the most clever and competent cyber-criminals leave evidence of their activities, provided you know where to look and how to collect it.
This is where Cubro and Witfoo can help augment your security posture and assist forensic teams in identifying, understanding, and remediating breaches on your network. Cubro and Witfoo jointly work to access and record all network events occurring on the wire, identify Indicators of Compromise (IOCs), and present a detailed representation of the attack path.
Cubro is the visibility and data generation layer that gathers and forwards all the evidence in the form of network telemetry, including all L2-L4 communications. Not stopping there, Cubro further enriches the data with application detection from its Deep Packet Inspection engine, as well as adding hostname resolution, GeoIP information, user account information, and threat detection data. This provides all the data granularity that Witfoo needs to rebuild the crime scene and answer the questions of “who, what, when, and where?” with the best evidence possible.
Witfoo is your star detective, encompassing decades of investigative expertise and methodology pulled from law enforcement backgrounds. Witfoo Precinct leverages the data provided by Cubro to establish all connections, starting from an Indicator of Compromise and the initial victim machine and tying in connections to all other involved hosts. This includes not only the initial ingress vector but also outbound connections indicating potential data exfiltration, and lateral movement.
This allows the user to retrace the attacker’s steps through the network, pinpointing vulnerable services and the methods used for persistence and privilege escalation. With this knowledge, IR teams can shut down the cyber kill-chain, remediate any vulnerabilities and remove footholds wherever they may be present.
The joint solution brief provides more information on how Witfoo and Cubro can help security teams collect and centralize high-fidelity data for security incident detection and response.
Cubro network visibility solutions remove network monitoring ‘blind spots’ to provide enhanced visibility and control of all data transiting a company’s network. Cubro’s solutions are instrumental in the successful outcomes of IT initiatives such as 5G/4G/3G, customer experience management and service assurance, digital transformation, data security, virtualised Data Centres and software-defined networking/NFV.
Cubro is recognised as one of the fastest-growing companies in Austria. The company was founded in 2003 in Vienna, Austria. Cubro has a global presence with offices in different geographic locations to serve customers across different time zones. Cubro delivers unrivalled solutions to Service Providers and Enterprises in both the private and public sector. For more information, please visit https://www.cubro.com/en/.
Built by veterans of the military, law enforcement and cyber security, WitFoo is dedicated to delivering sustained success to the practitioners of cyber security operations.
Thousands of hours of ongoing research in the trenches with analysts, investigators, managers and executives led to the forming of WitFoo and the subsequent work. Secure together, WitFoo delivers the tools and data that allow for collaborative cybersecurity and prosecution of cyber criminals, resulting in the deterrence and prevention of cyber crime. For more information on Witfoo and Precinct visit www.witfoo.com.