Defense against APT compromises
Advanced cyberintelligence
Detecting the unknown

Highlights

• Effective protection against APT compromises: protection in the intrusion and persistence phases.
• Unknown threat detection by behavior analysis, without signatures.
• Tailor-made detection: develop your own capabilities for detecting targeted threats.
• Accelerate the investigation cycles: facilitate threat detection by the security analyst team (threat hunting) by simplifying the data analysis processes.
• Obtain complete and informed visibility of non-legitimate information movements within your organization.
• Fast and easy deployment using low-intrusive technology.

Advanced Persistent Threats

Nowadays, cyber attacks are more sophisticated and targeted than ever. Threats have evolved from known, isolated and unfocused to very sophisticated, persistent and targeted. These new types of threats are known as APTs (Advanced Persistent Threats).

The level of sophistication, premeditation and persistence of APTs has made the traditional detection and protection mechanisms, focused on detecting and blocking known threats, ineffective.

APTs do not look for short-term benefits; they remain unnoticed and constant until they accomplish their objective. Their aims have a very high impact, and the attacked organizations rarely know that they are the target of the attacks or where the attacks originate. The objectives of APTs can be financial, military, technical or political, and they predominantly affect organizations in strategic sectors or those dealing with sensitive information.

Detecting an APT compromise presents enormous complexity and in practice can be compared with looking for a needle in a haystack.

One in every five companies has suffered an APT compromise. 94% of the respondents believe that these types of attacks represent a threat to economic stability and national security.
More than 80% consider that their company has not updated its protection against these types of threats. 63% think that it is only a matter of time until their company is targeted by an APT attack.

* Source: ISACA's global cybersecurity survey of more than 1,500 security professionals.

Anticipating a cyber secure world www.s2grupo.com

What is it, and how does it work?

Investigate, detect, and stop compromises by APTs targeting your organization

CARMEN is a European capability to detect advanced persistent threats (APTs), specifically the malware associated with these threats. CARMEN was developed by S2 Grupo and supported by the Spanish National Center of Intelligence, based on their vast experience in the field of advanced surveillance and protection.

CARMEN monitors incoming network traffic to identify and stop threats at the intrusion phase, applying advanced sandboxing techniques. However, nowadays it must be assumed that protecting the perimeter is not enough, and it should be presumed that threats may have already passed the intrusion phase. For this reason, CARMEN focuses on processing and analyzing outgoing network traffic (Command & Control and exfiltration) with the objective of identifying information exfiltration or communications with C&C systems over protocols such as HTTP, DNS or SMTP (the most common for these types of communications), as well as common maintenance mechanisms or information theft on the corporate network (lateral movement).

With this objective, network traffic is acquired either passively (via sniffing and protocol dissection, e.g. Passive Proxy) or by processing logs (e.g. HTTP proxy), and is then normalized and stored. Thereafter, the automatic, semi-automatic and manual analysis may start, turning CARMEN into a tool that supports the security analyst's decision-making, makes it possible to find the needle in the haystack, and prioritizes the elements to be analyzed from the entire volume of acquired data.

In order to help the security analyst, CARMEN works on several areas: misuse detection, behavior analysis and anomaly detection, both statistical and knowledge-based (this last aspect is especially interesting because it allows the exchange of information and the sharing of intelligence related to advanced malware). In this manner, the data related to the acquired and stored network traffic is analyzed in order to find behavioral patterns which, with higher or lower probability, indicate the exfiltration of information, communication with C&C servers, or a suspicious lateral movement.

DATASHEET

Capabilities

• Non-intrusive system. Passive information acquisition of network protocols such as HTTP, HTTPS, DNS, SMTP or NETBIOS.
• Breach detection using advanced sandboxing techniques, detonating files identified as suspicious in a previous triage stage.
• Misuse detection by identifying access to non-legitimate destinations. Catalog of Indicators of Compromise, with support for OpenIOC.
• Lateral movement detection by analyzing non-legitimate or suspicious traffic between endpoints.
• Powerful interface for the development of plugins, with extensions in Python, which allows customizing the detection capabilities to the singularities of a targeted threat.
• Support for investigations during the entire life cycle by facilitating the threat hunting process.
• Alarms triggered by anomaly detection, with all the contextual information, that lead to a new investigation or complement an existing one.
• Statistical anomaly detection, outlining malware activity among the huge volume of legitimate traffic.
• Time series anomaly detection using heat maps and patterns of recurrent connections.
• Behavior analysis by identifying network traffic patterns, from the pre-designed catalog of analyzers or customized by the user.
• URL anomaly detection by entropic analysis.
• Exfiltration detection without external movement, in which information is not directly exfiltrated but moved to an asset that can be reached from the internet.
• Integration with honeypots. Deploy a honeypot network within your organization and receive and manage alerts with CARMEN.
• Integration with eMas Incident Handling for incident management.
• Anomaly detection and improper use at the endpoint, correlated with network activity.

Architecture

CARMEN is deployed as an appliance with different hardware specifications depending on the volume of data that needs to be processed and the required network interfaces to be connected. CARMEN's flexible architecture allows a centralized deployment with just a single node, which performs the collection, processing and analysis functions, as well as responding to more complex scenarios with multiple collection and processing nodes connected to a central analysis node.

RIC (Shared Intelligence Network)

Advanced threats evolve very fast, and the protection mechanisms must do so at the same pace. Sharing intelligence is crucial for their detection, and this is RIC's objective. The Shared Intelligence Network is conceived as a collaborative environment where users can download new capabilities that have been previously evaluated and validated.
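Two of the capabilities listed above, URL anomaly detection by entropic analysis and time series analysis of recurrent connection patterns, can be shown in a few lines of code. The script below is an added illustration and is not CARMEN's code or an example of its Python plugin interface. The proxy log layout (epoch, client IP, method, URL), the thresholds (tokens of at least 16 characters with at least 3.5 bits of entropy per character; at least 5 connections with a coefficient of variation of the inter-connection gaps at or below 0.2) and all host names and IPs are assumptions constructed for this example; the log lines are constructed, not captured traffic. It goes slightly beyond the datasheet wording by scoring query-string values as well as path segments.

```python
import math
import statistics
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed proxy log lines (not real traffic) in an assumed layout:
#   <epoch seconds> <client ip> <method> <url>
# Host names use the reserved .invalid / .local suffixes; they are placeholders.
# The client 10.0.0.9 connects every ~60 s to a URL whose last segment is a
# 32-character hex token; 10.0.0.5 browses ordinary pages at irregular times.
SAMPLE_LOG = """\
1700000000 10.0.0.5 GET http://intranet.example.local/news/index.html
1700000030 10.0.0.5 GET http://intranet.example.local/news/index.html
1700000095 10.0.0.5 GET http://intranet.example.local/news/archive.html
1700000100 10.0.0.5 GET http://intranet.example.local/news/index.html
1700000700 10.0.0.5 GET http://intranet.example.local/news/index.html
1700003600 10.0.0.5 GET http://cdn.example.local/static/app.js
1700000000 10.0.0.9 GET http://placeholder-c2.invalid/u/0123456789abcdeffedcba9876543210
1700000061 10.0.0.9 GET http://placeholder-c2.invalid/u/02468ace13579bdffdb97531eca86420
1700000119 10.0.0.9 GET http://placeholder-c2.invalid/u/0f1e2d3c4b5a69788796a5b4c3d2e1f0
1700000181 10.0.0.9 GET http://placeholder-c2.invalid/u/fedcba98765432100123456789abcdef
1700000240 10.0.0.9 GET http://placeholder-c2.invalid/u/fdb97531eca8642002468ace13579bdf
1700000299 10.0.0.9 GET http://placeholder-c2.invalid/u/8796a5b4c3d2e1f00f1e2d3c4b5a6978
"""


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of ``text`` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str):
    """Turn the assumed log layout into (timestamp, client, method, url) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, method, url = line.split(maxsplit=3)
            events.append((int(ts), client, method, url))
    return events


def suspicious_tokens(url: str, min_len: int = 16, min_entropy: float = 3.5):
    """Return (token, entropy) for path segments / query values that are both long
    and close to random. Short tokens are skipped on purpose: the entropy of a
    short string is dominated by its length, not by how random it looks."""
    parts = urlsplit(url)
    tokens = [seg for seg in parts.path.split("/") if seg]
    tokens += [pair.split("=", 1)[-1] for pair in parts.query.split("&") if pair]
    flagged = []
    for tok in tokens:
        if len(tok) >= min_len:
            h = shannon_entropy(tok)
            if h >= min_entropy:
                flagged.append((tok, round(h, 3)))
    return flagged


def high_entropy_urls(events):
    """URL anomaly detection by entropic analysis: (client, host, url, entropy)."""
    hits = []
    for _, client, _, url in events:
        found = suspicious_tokens(url)
        if found:
            hits.append((client, urlsplit(url).hostname, url, found[0][1]))
    return hits


def beacon_candidates(events, min_hits: int = 5, max_cv: float = 0.2):
    """Recurrent-connection detection: flag a (client, host) pair with enough
    connections whose inter-connection gaps are nearly constant (low coefficient
    of variation), the shape of an automated check-in rather than human browsing."""
    per_pair = defaultdict(list)
    for ts, client, _, url in events:
        per_pair[(client, urlsplit(url).hostname)].append(ts)
    flagged = {}
    for pair, stamps in per_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # identical timestamps carry no periodicity information
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            flagged[pair] = {"hits": len(stamps), "mean_gap": round(mean, 1), "cv": round(cv, 3)}
    return flagged


def analyze(log_text: str):
    """Run both detectors over the log text and return their findings."""
    events = parse_log(log_text)
    return {"high_entropy": high_entropy_urls(events), "beacons": beacon_candidates(events)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for client, host, url, h in report["high_entropy"]:
        print(f"high-entropy URL   {client} -> {host}  H={h}  {url}")
    for (client, host), info in report["beacons"].items():
        print(f"recurrent pattern  {client} -> {host}  {info}")
```

Both detectors produce candidates for an analyst rather than verdicts: a content-delivery URL with a long cache-busting hash will score as high-entropy, and a software updater polls on a fixed schedule, so in practice the output is triaged against an allow-list of known destinations and the contextual information mentioned in the alarm capability above.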
Benefits

• Protect sensitive business information, intellectual property and critical assets in your organization.
• Avoid reputation loss and brand damage.
• Reduce financial impact due to information theft.
• Get full visibility and awareness of non-legitimate information movement within your organization.

Request a demo

For more information about how CARMEN can help you keep your organization secure, contact your account executive or request a demo.

[email protected]
(+34) 902 882 992
www.s2grupo.com

carmen.ds.en.1.3