Advanced Threat Monitoring (ATM)
Advanced Threat Monitoring is a truly intelligent service. We combine hardware, software, advanced sensors and process innovation with the expert tradecraft of analysts who identify and manage high confidence threat indicators. You gain comprehensive visibility of the risks to your IT assets and critical network infrastructure because we integrate our service with your existing corporate security environment. We see the adversaries—and attacks—that standard tools cannot detect.
We use the Cyber Kill Chain® process to continuously analyze malicious network events, first spotting patterns to enable an intelligence-driven response, and then identifying, countering, and mitigating the threat.
While commercial off-the-shelf threat detection sensors depend on known signature-based threats, Advanced Persistent Threats actors use these same tools in their testing ground ensuring they avoid detection. Our Advanced Threat Monitoring fills this gap by generating advanced detections based upon the behaviors of adversaries and cyber threat indicators.
When we spot a threat, you are alerted: we notify you of adversarial tactics, techniques, and procedures observed at your internet points of presence and provide tactical and strategic mitigation steps to minimize the risk and thwart the attack.
The entire process is flexible, scalable , and customizable to your business:
- Passive network sensors accommodate different network loads and permit complex, near-real-time detection with no disruption of network traffic
- Secure, flexible, and scalable Linux platform allows easy creation of new detection or situational awareness capabilities
- APT command and control channel detection from our constantly evolving intelligence
- Network situational awareness logs enriched with information about particular security events and threats
DNS Blocking – Advanced Threat Blocking
A common APT tactic is to use malware to gain control over your Enterprise, this occurs at the Command and Control (C2) stage of the Cyber Kill Chain®. The malware will beacon out to the attacker’s infrastructure, giving the attacker “hands on keyboard” and the ability to install additional malware or potentially remotely control the targeted machine.
DNS Threat Blocking, the last chance to block an APT, is part of a process that begins with a 30-day period of passive monitoring of your network. This lets us distinguish between bad domain requests and legitimate network traffic. Once we activate active blocking of bad domain requests, we also maintain an exception list customized for your business.
We identify malicious requests using a list of evolving malicious APT domains developed by our Computer Incident Response Team (CIRT) based on years of analysis of APT attacks against Lockheed Martin. When we block a malicious request, you users will receive a generic error message while your security team receives an alert that there are active Command and Control beacons on your network. We block such requests by directing them to secure, geographically dispersed Lockheed Martin DNS Servers. No additional infrastructure is required; by pointing a DNS request to our infrastructure, any known malicious DNS requests can be monitored and denied.
- Network based analytics utilizing the Cyber Kill Chain® and Intelligence Driven Defense® life cycle
- Custom malware signatures, behavioral detection methods and detection of advanced file exploits
- Extensive knowledge of adversarial campaigns, their tactics, techniques, and procedures
- Detection and alerting on covert malicious command and control channels
- Custom developed reports with tactical and strategic mitigation guidance
- E-mail body
- E-mail links
- E-mail attachments
- Domain Name System (DNS) transactions
- Remote Desktop Protocol (RDP)
- Hypertext Transfer Protocol (HTTP)
- Secure Socket Layer (SSL) inspection
- File Transfer Protocol (FTP)
- Covert Command & Control channels (C2)
- Firewall traffic
DNS Blocking Highlights:
- Alerts of potential C2 beacon activity on your network
- Seamless integration with existing infrastructure
- Operates without noticeable impact to end users
- Monthly DNS managed service summary reports
- Assistance implementing an employee communication plan with instructions on how to contact IT support