Group-IB TDS Summary
- 1 General
- 2 Architecture
- 3 Integration with network traffic
- 4 Integration with a mail message system
- 5 Typical integration schemes
Group-IB Threat Detection System (TDS) is a solution for hunting threats and responding to complex targeted attacks in corporate networks. It identifies infections that are overlooked by standard security tools such as anti-virus software, firewalls and intrusion prevention systems, and reduces organisational risk by quickly identifying and preventing theft, financial fraud, espionage attempts, leakage of confidential information and other incidents. As a component of Group-IB's early warning system, TDS draws on the company's other products: it grew out of Group-IB's incident response practice, malware detection expertise and threat intelligence base, and it uses threat intelligence on hacking activity, including attackers' TTPs, newly emerging malicious programs and C&C server addresses, to detect modern cyberthreats. Currently, more than 200 financial, industrial and government organisations use the solution.
The solution applies the following techniques to detect threats:
- Signature analysis of traffic using special signatures developed by Group-IB experts;
- Machine learning to detect traffic anomalies;
- In-depth behavioral analysis of files to identify previously unknown malware.
Group-IB TDS detects the main types of malware that spread and are controlled over computer networks:
- Banking and mobile Trojans;
- Malware used to perform targeted attacks;
- Remote access Trojans and backdoors;
- Exploits for browsers and plugins;
- DDoS and spam bots;
- Exploits for vulnerabilities in network services and applications.
The solution architecture includes the following components:
- TDS Sensor
The Sensor analyses incoming and outgoing data packets. It helps detect communication between infected devices and criminals' C&C servers, network anomalies, and unusual device behavior. The sensor uses proprietary signatures and behavioural rules.
- Constantly updated databases: cyber threat intelligence data and information from Group-IB's digital forensics system
- Unified interface with a ticket system
- Integration with mail/icap
- Traffic analysis up to 20 Gb/s
- Virtual installation/HW Appliance
- Integration with SIEM and other systems
Dimensions and other basic characteristics of the TDS Sensor product range are provided in Table 1.
| Parameter | | | |
|---|---|---|---|
| Dimensions (H x W x D), mm | 43 x 434 x 552 | 43 x 434 x 552 | 43 x 434 x 768 |
| Power supply | 1x 250 W | 1x 250 W | 2x 550 W |
| Network interfaces for traffic reception | 1x 1000BASE-T | 4x 1000BASE-T and/or SFP | 4x 1000BASE-T and/or SFP |
| Peak rate, Mbit/s | 250 | 1000 | 5000 |

Table 1. TDS Sensor parameters.
- TDS Polygon
TDS Polygon performs behaviour analysis of suspicious objects in a safe environment. Files received via email or downloaded online are checked before they appear on the user's computer. The use of machine learning technologies helps detect previously unknown malware and block its delivery without using signatures.
- Patented sandbox detection technology
- User behaviour emulation
- Specially designed samples to detect 0-Day vulnerabilities and various types of malware
- Analysis of files with modified extensions
- Patented low-level monitor that detects all possible actions, including code execution at the CPU level
- Decryption of password-protected archives using a password found in the email body or in an attached file, or a dictionary-based password
- Retrospective analysis
Dimensions and other basic characteristics of the TDS Polygon product range are provided in Table 2.
| Parameter | TDS Polygon Cloud | TDS Polygon Standard | TDS Polygon Enterprise |
|---|---|---|---|
| Dimensions (H x W x D), mm | - | 43 x 434 x 678 | 43 x 434 x 678 |
| Power supply | - | 2x 550 W | 2x 550 W |
| Peak performance, files per day | - | 9000 | 19000 |

Table 2. TDS Polygon parameters.
- Security operations centre
Group-IB's SOC team tracks and analyses events detected by TDS Sensor and TDS Polygon. TDS-SOC experts immediately notify the client's specialists about critical threats by email and telephone and give recommendations on eliminating them. The support service works 24/7/365. Group-IB's TDS-SOC is used by default; a SOC can also be deployed within the client's network.
- TDS Huntbox
The central module for monitoring, event storage and automatic updates of all TDS components. TDS Huntbox can be installed on-premise in the customer's infrastructure. Huntbox integrates with all TDS components (Sensor, Polygon, Endpoint) and extends TDS functionality with the following features:
- Orchestration of all TDS components and a single management interface
- Big-data analysis and discovery of new attacker tools and infrastructure
- Storage of complete logs and analytical information linked to a specific incident
- Incident visualisation at an early attack stage
- Remote, centralised incident response on endpoints
- Internal threat hunting (roadmap)
- Forensic data collection for subsequent incident investigation
- Flexible integration scheme
- On-premise / cloud / hybrid
- Different types of integration with Group-IB infrastructure (isolated, update-only, full-featured with in-house monitoring, Group-IB SOC)
Integration with network traffic
The system analyses traffic sent to TDS Sensor from different sources:
- SPAN/RSPAN traffic
- SPAN/RSPAN traffic in GRE tunnels
- ICAP (traffic files)
ICAP integration allows the user to set up a blocking mode, in which malicious files cannot be downloaded: the proxy hands each object to the analysis service and only delivers it if the verdict is clean.
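The ICAP exchange behind such a blocking mode, as an added example rather than Group-IB code: the proxy wraps the downloaded object in a RESPMOD request (RFC 3507) and maps the service's answer to a decision, where `204 No Content` means "unmodified, deliver" and `200 OK` carries a replacement HTTP response, typically a block page. The ICAP host, service path, block page and sample traffic are all constructed for this example; the real service address and the Sensor's actual response format are not given on this page.

```python
"""ICAP RESPMOD exchange between a web proxy and a content-analysis service (RFC 3507).
Added example: host, service path, block page and traffic are constructed, not
taken from a TDS deployment."""

CRLF = b"\r\n"


def chunked(body: bytes) -> bytes:
    """Encode a body as one HTTP chunk followed by the terminating zero chunk."""
    if not body:
        return b"0" + CRLF + CRLF
    return b"%x" % len(body) + CRLF + body + CRLF + b"0" + CRLF + CRLF


def dechunk(data: bytes) -> bytes:
    """Decode a chunked body (chunk extensions are ignored, trailers are not supported)."""
    out = bytearray()
    pos = 0
    while True:
        end = data.index(CRLF, pos)
        size = int(data[pos:end].split(b";")[0], 16)
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += data[pos:pos + size]
        pos += size + 2          # skip the CRLF that terminates the chunk data


def build_respmod(host: str, service: str, req_hdr: bytes, res_hdr: bytes, body: bytes) -> bytes:
    """Build the RESPMOD request the proxy sends for a downloaded object.

    req_hdr and res_hdr are complete HTTP header blocks ending in a blank line. The
    Encapsulated offsets are byte positions inside the encapsulated section; getting
    them wrong is the most common mistake in hand-written ICAP clients."""
    if not (req_hdr.endswith(CRLF * 2) and res_hdr.endswith(CRLF * 2)):
        raise ValueError("header blocks must end with an empty line")
    encapsulated = b"req-hdr=0, res-hdr=%d, res-body=%d" % (len(req_hdr), len(req_hdr) + len(res_hdr))
    icap_hdr = (
        b"RESPMOD icap://%s%s ICAP/1.0" % (host.encode(), service.encode()) + CRLF
        + b"Host: %s" % host.encode() + CRLF
        + b"Allow: 204" + CRLF            # we accept "204 No Content" for unmodified objects
        + b"Encapsulated: " + encapsulated + CRLF + CRLF
    )
    return icap_hdr + req_hdr + res_hdr + chunked(body)


def parse_icap_response(raw: bytes) -> dict:
    """Map the service's answer to a proxy decision.

    204 -> object unmodified: deliver it.
    200 -> the service returned a replacement HTTP response; a 4xx/5xx replacement
           (a block page) means the download is blocked, anything else is a modification."""
    head, _, rest = raw.partition(CRLF * 2)
    lines = head.split(CRLF)
    status = int(lines[0].split(b" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    result = {"status": status, "verdict": None, "replacement_status": None, "replacement_body": b""}
    if status == 204:
        result["verdict"] = "allow"
    elif status == 200:
        enc = {}
        for part in headers.get(b"encapsulated", b"").split(b","):
            if not part.strip():
                continue
            name, _, value = part.strip().partition(b"=")
            enc[name] = int(value)
        hdr_start = enc.get(b"res-hdr", 0)
        body_start = enc.get(b"res-body", enc.get(b"null-body", len(rest)))
        res_hdr = rest[hdr_start:body_start]
        result["replacement_status"] = int(res_hdr.split(CRLF)[0].split(b" ", 2)[1])
        if b"res-body" in enc:
            result["replacement_body"] = dechunk(rest[body_start:])
        result["verdict"] = "block" if result["replacement_status"] >= 400 else "modified"
    else:
        result["verdict"] = "error"      # e.g. 500 from the service: failing open or closed is policy
    return result


# Constructed sample traffic (not captured from a real deployment).
REQ_HDR = b"GET /downloads/update.exe HTTP/1.1" + CRLF + b"Host: files.example.com" + CRLF + CRLF
RES_HDR = b"HTTP/1.1 200 OK" + CRLF + b"Content-Type: application/octet-stream" + CRLF + CRLF
FILE_BODY = b"MZ\x90\x00" + b"\x00" * 28          # stand-in for the downloaded object
CLEAN_RESPONSE = b"ICAP/1.0 204 No Content" + CRLF + b'ISTag: "sample-1"' + CRLF + CRLF
BLOCK_HDR = b"HTTP/1.1 403 Forbidden" + CRLF + b"Content-Type: text/html" + CRLF + CRLF
BLOCK_BODY = b"<html><body>Download blocked: malicious object</body></html>"
BLOCK_RESPONSE = (b"ICAP/1.0 200 OK" + CRLF + b'ISTag: "sample-1"' + CRLF
                  + b"Encapsulated: res-hdr=0, res-body=%d" % len(BLOCK_HDR) + CRLF + CRLF
                  + BLOCK_HDR + chunked(BLOCK_BODY))

if __name__ == "__main__":
    print(build_respmod("icap.example.net", "/respmod", REQ_HDR, RES_HDR, FILE_BODY).decode(errors="replace"))
    print(parse_icap_response(CLEAN_RESPONSE)["verdict"], parse_icap_response(BLOCK_RESPONSE)["verdict"])
```

The `error` branch is where the blocking-mode design decision lives: if the analysis service is unreachable or returns 5xx, the proxy must either fail open (deliver unanalysed) or fail closed (deny the download), and that choice should be made explicitly rather than left to the proxy's default.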
Integration with a mail message system
The following methods for message collection are used in order to perform behavioral analysis:
- Message collection via SMTP
- Message collection using the Blind Carbon Copy (BCC) feature via POP3/IMAP
The blocking mode is implemented by integrating TDS Sensor in MTA (Mail Transfer Agent) mode. The internal MTA mode allows integration with a mail infrastructure of any complexity, with any number of mail servers and various forwarding rules, and also provides fault tolerance and load balancing.
Typical integration schemes
Mirrored traffic and traffic content analysis mode
In this mode TDS Polygon performs passive monitoring of mail attachments without affecting message delivery. The objects to be tested are extracted by TDS Sensor and sent to TDS Polygon Cloud.
Mirrored traffic and traffic content analysis mode in a GRE tunnel
TDS Sensor supports GRE tunnels. When SPAN/RSPAN cannot be used directly because L3 equipment sits between the sensor and the mirroring device, or when traffic must be received from a VM farm, GRE encapsulation can be used to direct SPAN traffic to TDS.
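What the sensor side of such a tunnel has to do, as an added example that is not Group-IB code: strip the outer IPv4 and GRE headers (handling the optional checksum, key and sequence fields that switches and hypervisors commonly set) and recover the mirrored Ethernet frame, which often still carries its VLAN tag. The tunnel endpoints, the GRE key and the mirrored TCP SYN are constructed for the example.

```python
"""Decapsulate mirrored (SPAN) traffic delivered over a GRE tunnel and recover the
mirrored frame's flow tuple. Added example; addresses and the GRE key are constructed,
and TDS's own tunnel handling is not described on the page."""
import socket
import struct

IPPROTO_GRE = 47
ETH_P_IP = 0x0800
ETH_P_8021Q = 0x8100
GRE_PROTO_TEB = 0x6558   # Transparent Ethernet Bridging: the GRE payload is a whole Ethernet frame


def ipv4_header(buf: bytes, off: int) -> dict:
    vihl, _tos, total_len, _ident, _frag, _ttl, proto, _csum, src, dst = struct.unpack_from(
        "!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return {"hlen": (vihl & 0x0F) * 4, "total_len": total_len, "proto": proto,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def gre_header(buf: bytes, off: int):
    """Return (payload protocol, header length); optional words follow the flag bits."""
    flags, proto = struct.unpack_from("!HH", buf, off)
    hlen = 4
    if flags & 0xC000:       # C (checksum) or R (routing, RFC 1701): checksum + offset word
        hlen += 4
    if flags & 0x2000:       # K: 32-bit key (RFC 2890)
        hlen += 4
    if flags & 0x1000:       # S: 32-bit sequence number (RFC 2890)
        hlen += 4
    return proto, hlen


def decapsulate(packet: bytes) -> bytes:
    """packet starts at the outer IPv4 header; returns the mirrored Ethernet frame."""
    outer = ipv4_header(packet, 0)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE (protocol %d)" % outer["proto"])
    proto, glen = gre_header(packet, outer["hlen"])
    if proto != GRE_PROTO_TEB:
        raise ValueError("GRE payload is not an Ethernet frame (0x%04x)" % proto)
    return packet[outer["hlen"] + glen:outer["total_len"]]


def flow_tuple(frame: bytes) -> dict:
    """Parse Ethernet (optionally 802.1Q-tagged) -> IPv4 -> L4 ports from the inner frame."""
    _dst_mac, _src_mac, ethertype = struct.unpack_from("!6s6sH", frame, 0)
    off = 14
    if ethertype == ETH_P_8021Q:         # mirrored frames frequently keep their VLAN tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if ethertype != ETH_P_IP:
        raise ValueError("not an IPv4 frame (ethertype 0x%04x)" % ethertype)
    ip = ipv4_header(frame, off)
    sport, dport = struct.unpack_from("!HH", frame, off + ip["hlen"])   # TCP and UDP both start with the ports
    return {"src": ip["src"], "sport": sport, "dst": ip["dst"], "dport": dport, "proto": ip["proto"]}


def _ipv4(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    # Header checksum left as zero: this sample is parsed, not transmitted.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_sample(with_key: bool = True) -> bytes:
    """Constructed packet: SPAN copy of a TCP SYN on VLAN 100, carried over GRE from
    192.0.2.10 (mirroring device) to 192.0.2.20 (sensor)."""
    tcp = struct.pack("!HHIIBBHHH", 51514, 443, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    inner_ip = _ipv4("10.1.2.3", "203.0.113.7", 6, len(tcp))
    frame = (bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
             + struct.pack("!HHH", ETH_P_8021Q, 100, ETH_P_IP) + inner_ip + tcp)
    gre = struct.pack("!HH", 0x2000 if with_key else 0, GRE_PROTO_TEB)
    if with_key:
        gre += struct.pack("!I", 42)
    return _ipv4("192.0.2.10", "192.0.2.20", IPPROTO_GRE, len(gre) + len(frame)) + gre + frame


if __name__ == "__main__":
    print(flow_tuple(decapsulate(build_sample())))
```

Two practical checks follow from this: the tunnel adds at least 24 bytes (outer IP plus GRE) to every mirrored frame, so the path to the sensor needs MTU headroom or fragments will arrive, and the outer addresses are the mirroring device and the sensor, so detection logic must key on the inner tuple returned by `flow_tuple`, never on the outer one.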
Mail analysis mode
The following methods for message collection are used in order to perform behavioral analysis
- Message collection via SMTP
- Message collection using the Blind Carbon Copy (BCC) feature
Receiving emails via SMTP
With this type of integration, TDS Sensor acts as an MTA (or SMTP relay) that receives copies of all incoming mail via SMTP. The only difference from the blocking mode is that the copies are analysed but not forwarded.
Scheme 3: TDS Sensor + TDS Polygon — analysis of mirrored traffic, mirrored emails and communication channel files.
Message collection using the Blind Carbon Copy (BCC) feature
This kind of integration involves creating an additional email account, where all incoming mail is copied. TDS Sensor is linked to the email account and collects all messages for analysis.
Scheme 2: TDS Sensor + TDS Polygon — analysis of mirrored traffic, mirrored emails and communication channel files.
Receiving mail via SMTP with blocking (inline mode)
This is the main email integration mode. Emails pass through TDS Sensor as through an SMTP relay and are delivered only after they have been analysed, so malicious emails are blocked. Fault tolerance is ensured at the DNS level (several MX records), at the SMTP server level (several relays) or at the VRRP level (several devices sharing a virtual IP address).
Scheme 4: TDS Sensor + TDS Polygon — email analysis with malware blocking
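The difference between the mirroring modes and the inline mode, together with the "files with modified extensions" check listed under TDS Polygon, as an added example that is not Group-IB code: the relay extracts each attachment, sniffs its real type from the leading bytes, flags a mismatch with the claimed extension or executable content, and then either only raises an alert (mirror/BCC mode, delivery unaffected) or blocks the message (inline mode). The message, sender addresses and the short magic-byte table are constructed for the example; TDS's actual verdict logic is not described on the page.

```python
"""Attachment checks an SMTP relay can run before handing a message to a sandbox:
sniff the real file type from leading bytes, flag extension mismatches, and decide
delivery per integration mode. Added example with a constructed message; the
magic-byte table is a small subset chosen for illustration."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MAGIC = [
    (b"MZ", "pe"),                                   # Windows executables and DLLs
    (b"\x7fELF", "elf"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also docx/xlsx/pptx/jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole"),    # legacy doc/xls/ppt/msi
    (b"{\\rtf", "rtf"),
]
# What the extension claims the content is; None = plain text, no magic expected.
EXPECTED = {"exe": "pe", "dll": "pe", "scr": "pe", "pdf": "pdf", "zip": "zip",
            "docx": "zip", "xlsx": "zip", "doc": "ole", "xls": "ole", "rtf": "rtf",
            "txt": None, "csv": None}
EXECUTABLE = {"pe", "elf"}


def sniff(data: bytes):
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def inspect_attachments(raw: bytes) -> list:
    """Return one finding per attachment: name, size, sniffed type and reasons to flag it."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        real = sniff(data)
        reasons = []
        if ext in EXPECTED and EXPECTED[ext] != real:
            reasons.append("extension .%s but content looks like %s" % (ext, real or "unknown"))
        if real in EXECUTABLE:
            reasons.append("executable content (%s)" % real)
        findings.append({"name": name, "size": len(data), "type": real, "reasons": reasons})
    return findings


def relay_decision(raw: bytes, mode: str) -> dict:
    """mode 'mirror': the relay only holds a copy (SMTP copy or BCC), so delivery is
    never affected; mode 'inline': the message waits for the verdict and is blocked
    if anything is suspicious."""
    if mode not in ("mirror", "inline"):
        raise ValueError("unknown mode")
    findings = inspect_attachments(raw)
    suspicious = [f for f in findings if f["reasons"]]
    action = "block" if (mode == "inline" and suspicious) else "deliver"
    return {"action": action, "alert": bool(suspicious), "findings": findings}


def build_sample_message() -> bytes:
    """Constructed message: a PE stub renamed to .pdf plus a harmless PDF."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "finance@example.com"
    msg["Subject"] = "Invoice 4411"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice_4411.pdf")
    msg.add_attachment(b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
                       maintype="application", subtype="pdf", filename="terms.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for mode in ("mirror", "inline"):
        print(mode, relay_decision(build_sample_message(), mode)["action"])
```

The magic-byte check is deliberately independent of the declared `Content-Type` and file name, because both are attacker-controlled; in a real relay this pre-filter runs before the sandbox verdict and the inline hold time is bounded by the sandbox's analysis latency.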
All of the schemes above can be implemented both using TDS Huntbox and without it, for example, working directly through SOC Group-IB.
Analysis of file storage copies
This mode provides behavioural analysis by TDS Polygon of files held in file storage, covering both stored and newly changed files. The connection to the storage is made through TDS Sensor and supports two options for working with file objects:
- Scanning all stored objects, including objects being modified or requested for access
- Scanning only objects being modified or requested for access, from the moment of integration onward
Before an object is changed or handed to a user on request, TDS Sensor downloads the file and sends it to TDS Polygon for analysis. Once the verdict is received, the analysed object is either placed back into the file storage or, if the verdict is positive (the file is malicious), deleted.
Currently, the following integration protocols are supported:
Scheme: file share integration
For more information about TDS, please visit the main page (authorisation required). If you have any queries about the authorisation process, please email us at: