Frequently Asked Questions
Threat hunting is a proactive form of cybersecurity designed to hunt down compromised assets/applications, malware, vulnerabilities, and more — residing on the devices, nodes, and endpoints hidden throughout your network.
The practice of threat hunting exposes the "really bad stuff" (organization-crippling breaches, attacks, malware, ransomware, and more) that most defensive cybersecurity tools — including antivirus, EDR, EPP, UEBA, and even hardware tools — often miss.
Threat hunting is considered (at least traditionally) an extremely specialized skillset and services-heavy process — requiring multiple cybersecurity analysts, resources, and internal assets, plus days, weeks, and sometimes months of manual threat hunting.
Infocyte HUNT automates and simplifies the threat hunting process, helping you identify and investigate threats faster and more efficiently.
Infocyte HUNT uses a forensic methodology that is radically different from other threat hunting solutions. Other hunting tools rely on analyzing event-based security logs from cumbersome sensors and software installed on the endpoint.
Rather than analyzing logs, Infocyte directly inspects volatile memory in the host in order to gather primary data including rootkit hooks, malware persistence mechanisms, application vulnerabilities, and other digital forensics artifacts.
Those familiar with agentless vulnerability scanners will recognize how Infocyte HUNT is architected. By deploying lightweight dissolvable agents, HUNT sweeps thousands of endpoints, spending only a few moments on each host.
This sweep gathers forensic data from each host, even those without conventional detection tools installed. The collected forensic data, when combined with Infocyte's analysis automation, provides a more comprehensive picture of the state of endpoints almost immediately.
Additionally, Infocyte HUNT is the only solution that can meaningfully facilitate compromise assessments. By automating the process of finding threats in live volatile memory, and combining that with cloud-based threat intelligence, Infocyte equips security operations teams and security assessors with the power to forensically evaluate the state of the network, without the lengthy manual process involved in traditional digital forensics.
No other technology approaches automated, scalable threat hunting from a forensic standpoint. Infocyte stands alone in this approach.
We call it Forensic State Analysis (FSA).
Request a demo of our threat hunting platform to see Infocyte HUNT in action.
Most users are capable of deploying Infocyte within 1 business day and can begin hunting threats immediately. Infocyte HUNT scans up to 5,000 nodes/hour, per scanner.
Infocyte HUNT is an agentless threat hunting solution that utilizes Forensic State Analysis (FSA) to perform deep host inspections of devices and endpoints.
We start by assuming endpoints are already compromised and seek to validate using a variety of forensic and threat hunting techniques. Automated forensic collection, threat intel enrichment, and deep analysis workflows to dig into anomalies and outliers help hunters find what purely automated detection misses.
Unlike analytics (UEBA/UBA) solutions, Infocyte pulls proprietary forensic data rather than relying on existing security logs from sensors (IDS, AV, EDR, etc.) that may fail to alert your security team to the attack.
Log analysis approaches are generally expensive, difficult to manage, and error-prone. They require in-depth knowledge of adversary tactics and how those tactics present themselves in the logs of your security solutions.
Log analysis approaches can be an effective security stack component for those able to commit the monetary and expert resources needed to realize full value from them. Infocyte complements and strengthens these tools via ongoing forensic inspection and baseline-independent analysis to find the threats that elude traditional log analysis – all without the need for specialized knowledge.
Surveys get deployed to the endpoints to run their scan. The survey modules are ~1 MB and return 1-2 MB of data back to our threat hunting application. (By comparison, the average website a user would navigate to is 1.6 MB.)
Surveys run as a single thread and at low priority, so they don't interfere with critical systems and processes. Once the Infocyte HUNT survey is complete, the survey deletes itself from your endpoint, so there is no leftover agent.
Gartner classifies our threat hunting software as “agentless” in that regard.
Infocyte HUNT requires an Active Directory Service account with local administrative rights to the hosts you intend to scan.
Firewalls should be open on typical remote management protocols and HTTP/HTTPS between the hunt server and the scanned hosts.
As Infocyte HUNT discovers potential threats on your networked endpoints, our AI-powered threat intelligence engine, Incyte™, analyzes and assigns a "Threat Score" to each result.
The Incyte Threat Score is a numerical representation of potential risk each threat poses to your network, based on behavioral characteristics, millions of samples of malicious code, and our own primary threat intelligence data.
Threat Scores range from 0 to 10 and are calculated using machine learning and our threat scoring methodology. Characteristics that may influence the Threat Score assigned to each result include (+ raises the score, - lowers it, = leaves it unchanged):
- + if it is part of the Infocyte cloud blacklist or local blacklist
- = if it is part of the Infocyte cloud whitelist or local whitelist
- + if it is not part of a package manager (Linux)
- - if it is part of the package manager
- + if it is not digitally signed
- - if it has an embedded digital signature
- - if it is part of the OS digital signature catalog
- - if it is determined to be not malicious by Infocyte analysis
- + if automated analysis was unable to determine maliciousness
- + if automated analysis finds suspicious behavior characteristics
- + if antivirus data (3 or more) identifies it as malicious
Our Threat Score is designed to help security teams quickly and easily identify hidden and persistent threats on their network.
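To make the direction of the signals above concrete, here is an added example of how a triage heuristic built from exactly those characteristics can turn per-host survey attributes into a bounded 0-10 score with an audit trail of reasons. This is illustrative code written for this page, not Infocyte's scoring methodology, Incyte, or its data model: the field names, the weights, and the baseline of 5 are assumptions, and the sample artifacts are constructed.

```python
"""Illustrative threat-score heuristic built from the listed characteristics.
Weights, baseline and field names are assumptions for this example only,
not Infocyte's scoring methodology or data model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Artifact:
    """Attributes a host survey might report for one binary (assumed fields)."""
    name: str
    on_blacklist: bool = False              # cloud or local blacklist hit
    on_whitelist: bool = False              # cloud or local whitelist hit
    package_managed: Optional[bool] = None  # Linux only; None = not applicable
    signed: bool = False                    # embedded digital signature present
    in_os_catalog: bool = False             # listed in the OS signature catalog
    verdict: str = "unknown"                # "benign", "suspicious" or "unknown"
    av_detections: int = 0                  # antivirus sources flagging it


BASELINE = 5.0  # assumed neutral starting point on the 0-10 scale


def score_artifact(a: Artifact) -> Tuple[float, List[str]]:
    """Apply the +/-/= signals and clamp the result to 0..10.

    Returns the score and the reasons that moved it, so an analyst can see
    why an item ranked where it did rather than trusting a bare number."""
    score, reasons = BASELINE, []

    def adjust(delta: float, why: str) -> None:
        nonlocal score
        score += delta
        reasons.append(f"{delta:+.0f} {why}" if delta else f"= {why}")

    if a.on_blacklist:
        adjust(+4, "on cloud/local blacklist")
    if a.on_whitelist:
        adjust(0, "on cloud/local whitelist (neutral)")
    if a.package_managed is True:
        adjust(-1, "installed by package manager")
    elif a.package_managed is False:
        adjust(+1, "not tracked by package manager")
    if a.signed:
        adjust(-1, "embedded digital signature")
    else:
        adjust(+1, "not digitally signed")
    if a.in_os_catalog:
        adjust(-2, "in OS digital signature catalog")
    if a.verdict == "benign":
        adjust(-2, "analysis determined not malicious")
    elif a.verdict == "suspicious":
        adjust(+2, "suspicious behaviour characteristics")
    else:
        adjust(+1, "analysis could not determine maliciousness")
    if a.av_detections >= 3:
        adjust(+3, f"{a.av_detections} antivirus sources flag as malicious")

    return max(0.0, min(10.0, score)), reasons


# Constructed sample survey results (hypothetical names and attributes).
SAMPLE_ARTIFACTS = [
    Artifact("svchost.exe", signed=True, in_os_catalog=True, verdict="benign"),
    Artifact("updater.exe"),  # unsigned, analysis inconclusive
    Artifact("dropper.tmp", on_blacklist=True, verdict="suspicious", av_detections=5),
    Artifact("/usr/bin/curl", package_managed=True, verdict="benign"),
    Artifact("/opt/tool/agent", package_managed=False),
]


def rank_artifacts(artifacts: List[Artifact] = SAMPLE_ARTIFACTS) -> List[Tuple[str, float]]:
    """Highest score first, so the hunt queue starts with the riskiest items."""
    scored = [(a.name, score_artifact(a)[0]) for a in artifacts]
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for a in SAMPLE_ARTIFACTS:
        score, reasons = score_artifact(a)
        print(f"{score:4.1f}  {a.name:18s}  {'; '.join(reasons)}")
```

Two design points carry over to any real scoring pipeline: the whitelist signal is deliberately neutral rather than a hard exclusion, so a known-good hash that also matches a blacklist or heavy AV consensus still surfaces, and the clamp to 0..10 means a stacked set of weak negatives cannot hide a blacklist hit below the threshold an analyst reviews.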