How Does LinkShadow Provide Investigation Capabilities post-Breach?

The NDR module in LinkShadow continuously analyzes network traffic, extracting metadata and ingesting it into the Advanced AI-based analytics engine. The AI-powered platform then analyzes each bit of the traffic received based on the protocol with which the traffic was initiated. Multiple checks are applied to the received traffic, including but not limited to identifying known-bad destinations, abnormal protocol behaviors, or unusual types of connections reported by the internal machine learning engine. The outcome of these checks may result in a defined detection, or it may not.

When there are detection matches, LinkShadow assigns a specific score to the detection, also referred to as an anomaly in LinkShadow terms. If the anomaly is user-based, the score is appended to the affected user. If the anomaly is entity-based, the score is appended to that entity. This scoring mechanism allows LinkShadow administrators to quickly identify which internal entities or users they need to focus their investigation on.

Apart from network traffic, LinkShadow can also utilize information received from external third-party security systems such as EDR, vulnerability scanners, SIEM, NGFW, etc., mainly for two reasons:

• Calculating threat risk assessments of entities based on information received from external third-party security systems.
• Providing a single pane of glass in the investigation window that displays LinkShadow detections and detections from external systems all in the same view, thereby allowing SOC analysts to perform quick correlation.

Each of these anomalies has a detailed description within the investigation window. Along with the description, the platform also provides detailed information about the ideal response for that type of anomaly. This ideal response is annotated as Recommended Action, which can include:

• Taking immediate mitigation actions like isolation or blocking.
• Verifying with the application team the genuineness of the detected event.
• Verifying with the system user the genuineness of the detected event.

Using Shadow360 for post-breach investigation

Other than the Assets investigation and User investigation areas, LinkShadow also has a unique central core for data retention, which is called as “Shadow360”.

Customers can use Shadow360 to perform complex searches out of the captured network traffic and data exchanged from the integrated third-party systems.

Some of the examples that can be related here and not limited to can be:

• For a specific period, show the Oracle DB traffic destined to the Database server which has the purge command.
• Show all the filenames that were part of SMB file access related to a specific user.
• Show all connections that had a data transfer and were destined to the Internet from the corporate network.
• Show all Remote Desktop connections that were destined to the Internet from the corporate network.

The above picture shows the capability to create a custom search to show all RDP connections as well as ORACLE traffic with SQL batch operation that contains “purge”.

MITRE ATT&CK mapping

Together with the complex search criteria, Shadow360 can also map the various detected anomalies as per MITRE ATT&CK matrix framework as shown below.

Ideally what would take for a consultant to gather information from multiple security systems and document them, LinkShadow is able to map all the detected information based on the MITRE ATT&CK framework within seconds.

Kill Stage mapping

Apart from the MITRE ATT&CK mapping, Shadow360 can also present to the analysts the attack stages of all the anomalies of an entity in a chronological manner as shown below: