Identify attackers in action

Understand the Most Sophisticated Attacks

Attackers are becoming more sophisticated and the techniques they use are much stealthier, harder to detect, and take increasingly longer to remediate.

By autonomously forging relationships between event data coming from an organization's existing telemetry sources, the Kognos XDR Investigator is the only solution that allows organizations to trace laterally moving campaigns, living off the land binaries, and insider threats–regardless if they are active campaigns, attempted campaigns, or failed campaigns.

Laterally Moving Campaigns

Trace an Attacker’s Path as the Attacker Moves within Your Infrastructure.

Malicious actors are getting more sophisticated and are able to laterally move across an organization's environment, making their campaigns difficult to detect from addressing alerts alone.

How Attacks Propagate:

These attackers typically enter the infrastructure using stolen credentials, phishing attacks, exploiting vulnerable servers, and establish a foothold in a handful of machines.

They are extremely stealthy and take their time:

Doing reconnaissance
Dumping credentials
Escalating privileges
Remaining hidden by employing various persistence mechanisms

As attackers collect more information and gain confidence with the infrastructure, they start laterally moving from machine to machine, using protocols like WMI, WinRM, Remote Desktop, etc. They continue to employ these techniques until they reach their desired outcome.

Living off the Land Binaries

Trace an Attacker’s Path as the Attacker Lives Off Your Environment.

Living off the land is a technique that’s been in use in the past - but is becoming prevalent amongst sophisticated adversaries to stay under the radar as much as possible. In these cases, the attackers are using legitimate binaries native to the operating systems for various nefarious purposes to evade detection.

What an attacker can do living off the land binaries:

LoTL binaries can be used by attackers for a plethora of tactics and techniques, including:

Executing code as in PowerShell or VB scripts of WMI
Credential dumping with tools like procdump
Scheduling jobs with Task Scheduler
Modifying registry keys
Copying or moving files
...and the list goes on and on

Given that most of these tools are also used for legitimate purposes, it becomes extremely hard for most detection systems to discriminate against such behavior. Kognos uses the power of relationships to look at the suspicious use of these binaries cumulatively to detect even the subtlest of attacks with great accuracy.

Insider Threats

Trace the Attack Path as the Insider Moves within Your Infrastructure.

Malicious insiders are one of the hardest groups of adversaries to detect. They are inside your environment and can blend in with the rest of the users. Firewalls and IDS products are often deployed at the perimeters of an enterprise and are completely blind to people who are already inside and using the infrastructure legitimately.

Malicious insiders could be current and former employees, contractors, partners or service providers who have/had a legitimate reason for using the infrastructure, but have malicious intent.

What malicious insiders do:

Financial gain is a primary motivator for a majority of insider threats. These adversaries typically focus on exfiltrating intellectual property, employee information, customer data and other valuable information. Disgruntled employees might also delve into data destruction, defacement or other destructive activities.

Kognos platform is built to trace the subtlest of suspicious behavior. Given we are tracing the entire activity of the user, we can cumulatively look at the insider’s activity to bubble up possible threats. Use of abnormal tools, excessive movement of data, abnormal use of external domains are all traced by the Kognos platform.

The Kognos XDR Investigator autonomously forges relationships between event data coming from an organization's existing telemetry source to trace the attackers path, hunt down suspicious activity, and investigate the chain of events to identify the complete attack campaign.

"Kognos is the only solution I’ve seen that really brings you the full picture of what’s unfolding."

V. Jay LaRosa

Global Security Architecture, TikTok

Kognos continuously monitors billions of relationships to detect suspicious behavior. Once detected, Kognos uses an AI powered inquiry engine to ask thousands of forensic questions per second to fully contextualize the attack and present the findings as complete attack campaigns, allowing the analyst to respond in real-time.

Request a Demo