While a security incident is unfolding, many businesses struggle to understand the malicious activity and its implications. That costs valuable time and resources that defenders need to contain the attack and limit the damage. A new open source tool designed to give businesses clearer visibility into suspicious activity promises to ease that burden.
The detection visualisation tool Detectree was created by WithSecure (formerly F-Secure) for cyber security defence teams (also known as blue teams). Finding the connections between suspicious activities on an endpoint is crucial for responders, according to Tom Barrow, a senior threat hunter for WithSecure's managed detection and response service, WithSecure Countercept.
“Visibility is always a priority, but it’s absolutely vital when responding to an incident,” explained Barrow. “Time is always working against incident responders. And looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you’re under pressure to stop an attack.”
For instance, to determine the origin of a suspicious process, an analyst would typically have to reconstruct the sequence of events from log data by hand. The longer the chain, the more time and effort that takes. Given the volume of security alerts that blue teams at large firms may face (roughly 11,000 per day, according to recent research*), the approach can also overburden security teams and contribute to alert fatigue and burnout.
Detectree was created to help blue teams streamline their investigations by organising log data into a graph that depicts the links between the suspicious behaviour observed and any processes, network destinations, files, or registry keys associated with that detection. Rather than combing through text-based data to reassemble a sequence of events, responders can view the visualisation to see not only the connections but also their nature, such as interactions, parent-child relationships, and process injections.
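The following is an added example, not Detectree's own code, that shows the reconstruction step the article describes: starting from a flagged process, it walks the parent chain back through constructed endpoint telemetry, gathers the child processes, injection targets, network destinations, file paths and registry keys tied to that process, and renders the result as an indented text tree in place of a graphical view. The event records, process names, IP address and registry path are all constructed sample values.

```python
"""Rebuild the context around a detection from endpoint telemetry (illustrative example)."""
from collections import defaultdict

# Constructed sample telemetry, not real logs. Each record is one endpoint event:
# process creation (with parent pid), network connection, file write, registry
# write, or a process-injection observation.
EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
    {"type": "network", "pid": 400, "dest": "203.0.113.10:443"},
    {"type": "file", "pid": 400, "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.dat"},
    {"type": "registry", "pid": 400, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update"},
    {"type": "inject", "pid": 400, "target": 500},
]


def index_events(events):
    """Index telemetry by pid: process records, parent->children, artifacts, injections."""
    procs, children = {}, defaultdict(list)
    artifacts, injections = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            procs[ev["pid"]] = ev
            children[ev["ppid"]].append(ev["pid"])
        elif ev["type"] == "inject":
            injections[ev["pid"]].append(ev["target"])
        else:  # network, file, registry
            artifacts[ev["pid"]].append(ev)
    return procs, children, artifacts, injections


def ancestry(procs, pid):
    """Parent chain, root first, ending at pid. Stops at an unknown parent or a cycle."""
    chain, seen, cur = [], set(), pid
    while cur in procs and cur not in seen:
        seen.add(cur)
        chain.append(cur)
        cur = procs[cur]["ppid"]
    return list(reversed(chain))


def subtree(children, pid):
    """All descendant pids of pid, depth-first."""
    out, stack = [], list(children.get(pid, []))
    while stack:
        p = stack.pop()
        out.append(p)
        stack.extend(children.get(p, []))
    return out


def detection_context(events, detection_pid):
    """Everything a responder wants linked to one detection, as plain data."""
    procs, children, artifacts, injections = index_events(events)
    chain = ancestry(procs, detection_pid)
    descendants = subtree(children, detection_pid)
    injected = [p for p in injections.get(detection_pid, []) if p in procs]
    # Artifacts belong to the flagged process, what it spawned, and what it injected into.
    art = defaultdict(set)
    for p in [detection_pid, *descendants, *injected]:
        for ev in artifacts.get(p, []):
            art[ev["type"]].add(ev.get("dest") or ev.get("path") or ev.get("key"))
    return {
        "ancestry": [procs[p]["image"] for p in chain],
        "descendants": [procs[p]["image"] for p in descendants],
        "injected_into": [procs[p]["image"] for p in injected],
        "artifacts": {kind: sorted(vals) for kind, vals in art.items()},
    }


def render(events, detection_pid):
    """Indented text tree: a plain-text stand-in for the graph view."""
    ctx = detection_context(events, detection_pid)
    lines = []
    for depth, image in enumerate(ctx["ancestry"]):
        marker = "  <- detection" if depth == len(ctx["ancestry"]) - 1 else ""
        lines.append("  " * depth + image + marker)
    base = "  " * len(ctx["ancestry"])
    for kind, values in sorted(ctx["artifacts"].items()):
        lines.extend(f"{base}[{kind}] {v}" for v in values)
    lines.extend(f"{base}[inject] -> {image}" for image in ctx["injected_into"])
    lines.extend(f"{base}[child] {image}" for image in ctx["descendants"])
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EVENTS, 400))
```

Running the block prints the chain explorer.exe > winword.exe > cmd.exe > powershell.exe with the network destination, dropped file, Run key and the injection into notepad.exe hanging off the flagged process, which is the same set of relationships the article says an analyst would otherwise have to piece together from rows of text.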
By relying on the visualisation, responders can immediately grasp the context around a detection and share it with key stakeholders in a simple, straightforward way, so that everyone who needs the information has access to it.