Introducing the Threat Detection and Incident Response Bundle

Organizations require versatile solutions to counter threats to their critical IT assets effectively. WetStone’s Threat Detection and Incident Response (TDIR) Bundle offers a suite of tools designed to address both threat detection and incident response needs. Here’s an overview of its key capabilities:

  • Threat Detection: 
    • Gargoyle Enterprise Manager (GEM) is the cornerstone of the TDIR Bundle. It monitors organizational endpoints and servers to detect malicious software and the potentially unwanted programs (PUPs) frequently leveraged by malicious insiders. GEM’s effectiveness lies in its comprehensive scanning, which runs both on demand and at scheduled intervals, providing a defense against both new external threats and internal ones. GEM’s detailed reporting turns scan results into actionable intelligence, allowing digital forensic and incident response (DFIR) teams to begin their investigation and response.
  • Incident Response and Evidence Collection: 
    • Often the first step after a threat has been detected or an incident has occurred is to investigate the machines involved. Many traditional methods of digital evidence collection result in the loss of volatile data, leaving gaps in the investigation. US-LATT (USB Live Acquisition Triage Tool) gives DFIR teams an easy-to-use tool for rapid data collection and preliminary analysis on Microsoft Windows systems during or immediately following a cyber incident. Evidence such as physical memory, screenshots and running-process listings, along with disk images, can be taken back to a forensic lab for further analysis.
  • Investigating the impact: 
    • After data has been acquired from the systems identified by GEM, Gargoyle MP can be leveraged to aid forensic investigators and incident response teams in assessing the intent, motives, sophistication and capabilities of the insider threat or cybercriminal. Gargoyle MP enables deeper analysis through YARA rules and by incorporating hashes into a custom dataset, so that recently disclosed malware samples or other files of interest can be detected. Additionally, analysts can use Gargoyle MP’s whitelisting features to exclude any application considered acceptable or not relevant to the investigation.
    • If known data-hiding or steganography programs were identified by GEM, or if steganography use is suspected despite the absence of such applications, StegoHunt MP can triage the evidence collected by US-LATT. It examines potential carrier files for patterns, irregularities and discrepancies indicative of steganography. Once likely carrier files have been identified, StegoAnalyst, a component of the StegoHunt Suite, is used to conduct visual steganalysis. This entails a detailed examination of the structure and statistical characteristics of the suspect files to refine the target set further and validate the presence of data-hiding activity.
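The hash-dataset matching and whitelisting described above can be illustrated with a small stand-alone scanner. The example below is added here and is not WetStone’s code; it does not use Gargoyle MP, YARA or any real malware. It builds a custom hash dataset, a whitelist and two YARA-style string rules from constructed sample files, then scans a directory and reports only files that match the dataset or a rule and are not whitelisted. All file names, contents, hashes and rule names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Constructed sample files (not real malware). Contents are chosen so that the
# hash dataset, the whitelist and the string rules below each produce a hit.
SAMPLE_FILES = {
    "notes.txt": b"quarterly numbers, nothing unusual\n",
    "dropper.bin": b"MZ\x90\x00 constructed stage-two loader stub\n",
    "admintool.exe": b"MZ\x90\x00 constructed legitimate admin tool\n",
    "holiday.jpg": b"\xff\xd8\xff\xe0JFIF CONSTRUCTED-STEGO-MARKER\n",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest, the key used by the custom dataset and whitelist."""
    return hashlib.sha256(data).hexdigest()


# Custom hash dataset: digest -> label of the (constructed) sample of interest.
# In practice these digests would come from a disclosed-sample feed.
HASH_DATASET = {
    sha256_hex(SAMPLE_FILES["dropper.bin"]): "constructed-dropper",
    sha256_hex(SAMPLE_FILES["admintool.exe"]): "constructed-dual-use-tool",
}

# Whitelist: digests of applications the analyst has accepted as legitimate.
# A whitelisted file is excluded even if it is also in the hash dataset.
WHITELIST = {sha256_hex(SAMPLE_FILES["admintool.exe"])}

# Minimal YARA-style string rules: rule name -> byte strings, any of which matches.
STRING_RULES = {
    "constructed_loader_stub": [b"stage-two loader"],
    "constructed_stego_marker": [b"CONSTRUCTED-STEGO-MARKER"],
}


def scan_file(path: Path) -> Optional[dict]:
    """Return a finding for this file, or None if it is clean or whitelisted."""
    data = path.read_bytes()
    digest = sha256_hex(data)
    if digest in WHITELIST:
        return None  # acceptable application: excluded from the investigation
    hash_label = HASH_DATASET.get(digest)
    rule_hits = sorted(
        name for name, needles in STRING_RULES.items()
        if any(needle in data for needle in needles)
    )
    if hash_label is None and not rule_hits:
        return None
    return {"file": path.name, "sha256": digest,
            "hash_match": hash_label, "rules": rule_hits}


def scan_tree(root: Path) -> list:
    """Scan every regular file under root; findings are sorted by path."""
    findings = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            finding = scan_file(path)
            if finding is not None:
                findings.append(finding)
    return findings


def write_samples(root: Path) -> None:
    """Materialise the constructed samples so the scanner has real files to read."""
    for name, data in SAMPLE_FILES.items():
        (root / name).write_bytes(data)


def run_demo() -> list:
    """Write the samples into a temporary directory, scan it and return findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_samples(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in run_demo():
        print(finding)
```

The scan reports dropper.bin (hash-dataset match plus a rule hit) and holiday.jpg (rule hit only); admintool.exe is suppressed by the whitelist even though its hash is in the dataset, and notes.txt matches nothing.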

Benefits

  • Actionable Insight: GEM scans of network endpoints, coupled with detailed reporting, integrate into incident response processes and let DFIR teams act quickly to safeguard their environment and preserve evidence.
  • Improved Incident Response Efficiency: As part of the TDIR bundle, US-LATT can triage and acquire evidence from a live system, ensuring that vital data is not lost and promoting efficient and thorough analysis.
  • Enhanced Threat Identification and Investigation: The TDIR bundle provides DFIR teams with comprehensive datasets for detecting malware, potentially unwanted programs and data-hiding applications, offering a complete picture of active threats. The integration of custom datasets and YARA rules further enhances the bundle’s threat detection capabilities.

What’s included:

The TDIR Bundle by WetStone includes:

  • One Gargoyle Enterprise Manager (GEM) 12-month subscription license. For information on options regarding the number of concurrent endpoint scans, please contact WetStone sales.
  • Four subscription licenses of US-LATT, including the configuration utility and four USB 3.2 Gen 2 flash drives.
  • One US-LATT analysis and reporting subscription license.
  • Four ten-day incident response US-LATT licenses, in addition to the four US-LATT licenses and hardware devices above. These temporary licenses allow organizations to use their own WetStone-approved devices with US-LATT for ten days. This flexibility is especially useful in remote locations without a WetStone-issued hardware device, or to expand acquisition capacity beyond the four included US-LATT devices during critical incidents.
  • One 12-month subscription license for Gargoyle Investigator MP (FLASH upgrade available).
  • One 12-month subscription license for StegoHunt MP (FLASH upgrade available).

Contact sales@wetstonelabs.com for further information and pricing.