Group-IB TDS Summary

General

Group-IB Threat Detection System (TDS) is a comprehensive solution designed to hunt for threats and respond efficiently to complex targeted attacks in corporate networks. It identifies infections that are overlooked by standard security tools: anti-viruses, firewalls, and intrusion prevention systems. TDS significantly reduces the risks faced by organisations by quickly identifying and preventing theft, financial fraud, espionage attempts, leakage of confidential information, and other incidents. As a component of Group-IB's early warning system, TDS benefits from the company's other products, which contribute to its effectiveness. It is born of our incident response expertise, our malware detection skills and our threat intelligence foundation. It uses unique threat intelligence data on hacking activity, including attackers' TTPs, newly emerging malicious programs and C&C server addresses, to ensure unparalleled detection of modern cyberthreats. Currently, more than 200 financial, industrial and government organisations are using the solution.

The solution applies the following techniques to detect threats:

  • Signature analysis of traffic using special signatures developed by Group-IB experts;
  • Machine learning to detect traffic anomalies;
  • In-depth behavioral analysis of files to identify previously unknown malware.

Group-IB TDS effectively detects all core types of malware spread and controlled via computer networks:

  • Banking and mobile Trojans;
  • Malware used to perform targeted attacks;
  • Remote access Trojans and backdoors;
  • Exploits for browsers and plugins;
  • DDoS and spam bots;
  • Exploits for vulnerabilities in network services and applications.

Architecture

The solution architecture includes the following components:

  • TDS Sensor

The Sensor analyses incoming and outgoing data packets. It helps detect communication between infected devices and criminals' C&C servers, network anomalies, and unusual device behavior. The sensor uses proprietary signatures and behavioural rules.

System features:

  • Constantly updated databases: cyber threat intelligence data and information from our digital forensics system
  • Unified interface with a ticket system
  • Integration with mail/ICAP
  • Traffic analysis up to 10 Gb/s
  • Virtual installation/HW appliance
  • Integration with SIEM and other systems


Dimensions and other basic characteristics of the TDS Sensor product range are provided in Table 1.

Parameter                                  TDS-250            TDS-1000                    TDS-5000
Form factor                                1U                 1U                          1U
Dimensions (H x W x D), mm                 43 x 434 x 552     43 x 434 x 552              43 x 434 x 768
Power supply                               1x 250 W           1x 250 W                    2x 550 W
Network interfaces for traffic reception   1x 1000BASE-T      4x 1000BASE-T and/or SFP    4x 1000BASE-T and/or SFP
Peak rate, Mbit/s                          250                1000                        5000

Table 1. TDS Sensor parameters.


  • TDS Polygon

TDS Polygon performs behaviour analysis of suspicious objects in a safe environment. Files received via email or downloaded online are checked before they appear on the user's computer. The use of machine learning technologies helps detect previously unknown malware and block its delivery without using signatures.

System features:

  • Patented sandbox detection technology
  • User behaviour emulation
  • Specially designed samples to detect 0-Day vulnerabilities and various types of malware
  • Analysis of files with modified extensions
  • Patented low-level monitor that detects all possible actions, including code execution at the CPU level
  • Decryption of password-protected archives using a password found in the email body or an attached file, or a dictionary-based password
  • Retrospective analysis


Dimensions and other basic characteristics of the TDS Polygon product range are provided in Table 2.

Parameter                          TDS Polygon Cloud   TDS Polygon Standard   TDS Polygon Enterprise
Form factor                        Cloud               1U                     1U
Dimensions (H x W x D), mm         -                   43 x 434 x 678         43 x 434 x 678
Power supply                       -                   2x 550 W               2x 550 W
Peak performance, files per day    -                   9000                   19000

Table 2. TDS Polygon parameters.


  • Security operations centre

Group-IB's SOC team tracks and analyses events detected by TDS Sensor and TDS Polygon. TDS-SOC experts immediately notify the client's specialists about critical threats via email and telephone and give them recommendations on eliminating these threats. The support service works 24/7/365. Group-IB's TDS-SOC is used by default; a SOC can also be deployed within the client's network.


  • TDS Huntbox

Central module for monitoring, event storage and automatic updates of all TDS components. TDS Huntbox can be installed on-premise in the customer's infrastructure. Huntbox integrates with all TDS components (Sensor, Polygon, Endpoint) and greatly improves TDS functionality through the following new features:

General features

  • Orchestration of all TDS components and a single management interface
  • Big-data analysis, discovery of new attacker tools and infrastructure
  • Storage of complete logs and analytical information linked to the exact incident
  • Incident visualisation at an early attack stage
  • Remote and centralised incident response on endpoints
  • Internal threat hunting (roadmap)
  • Forensic data harvesting for further incident investigation
  • Flexible integration scheme
    • On-premise / cloud / hybrid
    • Different types of integration with Group-IB infrastructure (isolated, update-only, full-featured with in-house monitoring, Group-IB SOC)


  • TDS Decryptor

An additional, optional module of the Group-IB Threat Detection System (TDS): a hardware and software appliance designed to open and analyse* the contents of encrypted sessions, which increases the visibility and control of traffic in the protected infrastructure as well as the quality of targeted attack detection.

Integration with network traffic

The system analyses traffic sent to TDS Sensor from different sources:

  • SPAN/RSPAN traffic
  • SPAN/RSPAN traffic in GRE tunnels
  • ICAP (traffic files)

ICAP integration allows the user to set up a blocking mode, in which malicious attachments cannot be downloaded.

Integration with a mail message system

The following methods for message collection are used in order to perform behavioral analysis:

  • Message collection via SMTP
  • Message collection using the Blind Carbon Copy (BCC) feature via POP3/IMAP

The blocking mode can be implemented through TDS Sensor integration in MTA (Mail Transfer Agent) mode. The internal MTA mode makes it possible to integrate with a mail infrastructure of any complexity, with any number of mail servers and various forwarding rules. The mode also ensures fault tolerance and load balancing.

Typical integration schemes

Mirrored traffic and traffic content analysis mode

SPAN traffic analysis. Incident processing via TDS SOC


In this mode TDS Polygon performs passive monitoring of mail attachments without affecting message delivery. The test objects are provided by TDS Sensor and sent to the TDS Polygon Cloud.

Mirrored traffic and traffic content analysis mode in a GRE tunnel

GRE SPAN traffic analysis. Incident processing via TDS SOC


GRE SPAN traffic analysis. Incident processing via TDS Huntbox


TDS Sensor supports GRE tunnels. When using SPAN/RSPAN directly is not possible because of L3 equipment between the sensor and the mirroring equipment, or when traffic has to be received from a VM farm, GRE encapsulation can be used to direct SPAN traffic to TDS.
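To show what a sensor has to do with GRE-encapsulated SPAN traffic, here is an added example in Python. It is not Group-IB code and does not describe how TDS Sensor is implemented; it is a generic RFC 2784/2890 decapsulator that honours the optional checksum, key and sequence fields, then pulls L2/L3 addressing out of the inner Ethernet frame. The frame, the key value 42 and the encapsulation helper used to build it are constructed for the example; only GRE version 0 with Transparent Ethernet Bridging (0x6558) or raw IPv4 (0x0800) payloads is handled, so ERSPAN-style headers are deliberately out of scope.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Optional

# GRE flag bits in the first header byte (RFC 2784 / RFC 2890).
GRE_FLAG_CHECKSUM = 0x80
GRE_FLAG_KEY = 0x20
GRE_FLAG_SEQUENCE = 0x10
# Protocol types carried in the GRE header.
PROTO_TEB = 0x6558   # Transparent Ethernet Bridging: payload is a whole mirrored Ethernet frame
PROTO_IPV4 = 0x0800


@dataclass
class GrePacket:
    protocol: int
    key: Optional[int]
    sequence: Optional[int]
    payload: bytes


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; odd-length input is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def gre_encapsulate(frame: bytes, protocol: int = PROTO_TEB, key: Optional[int] = None,
                    with_checksum: bool = False) -> bytes:
    """Wrap a frame in a GRE header (used here only to build the constructed sample)."""
    flags = (GRE_FLAG_CHECKSUM if with_checksum else 0) | (GRE_FLAG_KEY if key is not None else 0)
    header = struct.pack("!BBH", flags, 0, protocol)   # second byte: reserved bits + version 0
    if with_checksum:
        header += b"\x00\x00\x00\x00"                  # checksum placeholder + reserved1
    if key is not None:
        header += struct.pack("!I", key)
    packet = header + frame
    if with_checksum:                                  # checksum covers header and payload
        packet = packet[:4] + struct.pack("!H", internet_checksum(packet)) + packet[6:]
    return packet


def _read_u32(data: bytes, offset: int, what: str) -> int:
    if len(data) < offset + 4:
        raise ValueError("truncated GRE header: missing %s" % what)
    return struct.unpack("!I", data[offset:offset + 4])[0]


def gre_decapsulate(data: bytes) -> GrePacket:
    """Strip the GRE header, validating the checksum when present; rejects non-zero versions."""
    if len(data) < 4:
        raise ValueError("truncated GRE header")
    flags, version_byte, protocol = struct.unpack("!BBH", data[:4])
    if version_byte & 0x07 != 0:
        raise ValueError("unsupported GRE version (only version 0 is handled)")
    offset = 4
    if flags & GRE_FLAG_CHECKSUM:
        if len(data) < 8 or internet_checksum(data) != 0:
            raise ValueError("GRE checksum mismatch or truncated checksum field")
        offset += 4                                    # checksum + reserved1
    key = sequence = None
    if flags & GRE_FLAG_KEY:
        key = _read_u32(data, offset, "key")
        offset += 4
    if flags & GRE_FLAG_SEQUENCE:
        sequence = _read_u32(data, offset, "sequence number")
        offset += 4
    return GrePacket(protocol, key, sequence, data[offset:])


def parse_inner(pkt: GrePacket) -> Dict[str, object]:
    """Extract the addressing a sensor would index on from the decapsulated payload."""
    payload = pkt.payload
    info: Dict[str, object] = {}
    if pkt.protocol == PROTO_TEB:
        if len(payload) < 14:
            raise ValueError("truncated Ethernet header")
        info["dst_mac"] = payload[:6].hex(":")
        info["src_mac"] = payload[6:12].hex(":")
        ethertype = struct.unpack("!H", payload[12:14])[0]
        ip = payload[14:]
    elif pkt.protocol == PROTO_IPV4:
        ethertype, ip = PROTO_IPV4, payload
    else:
        raise ValueError("unsupported GRE protocol type 0x%04x" % pkt.protocol)
    info["ethertype"] = ethertype
    if ethertype == PROTO_IPV4 and len(ip) >= 20:
        ihl = (ip[0] & 0x0F) * 4
        info["ip_proto"] = ip[9]
        info["src_ip"] = ".".join(str(b) for b in ip[12:16])
        info["dst_ip"] = ".".join(str(b) for b in ip[16:20])
        info["l4"] = ip[ihl:]
    return info


def build_sample_frame() -> bytes:
    """Constructed Ethernet/IPv4/UDP frame standing in for a mirrored SPAN packet."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", PROTO_IPV4)
    udp = struct.pack("!HHHH", 40000, 53, 8, 0)        # src port, dst port, length, no checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return eth + ip + udp
```

In practice the outer IPv4 header (protocol 47) has already been removed by the capture layer before `gre_decapsulate` is called; a tampered or truncated tunnel packet is rejected rather than silently indexed, which is the behaviour you want from a passive sensor fed by untrusted network paths.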

Mail analysis mode

The following methods for message collection are used in order to perform behavioural analysis:

  • Message collection via SMTP
  • Message collection using the Blind Carbon Copy (BCC) feature


Receiving emails via SMTP

With this type of integration, TDS Sensor acts as an MTA (or SMTP Relay), receiving copies of all incoming mail via SMTP. The only difference with the blocking mode is that instead of being forwarded, emails are only analysed.

SMTP copy analysis. Incident processing via TDS SOC


Scheme 3: TDS Sensor + TDS Polygon — analysis of mirrored traffic, mirrored emails and communication channel files.

Message collection using the Blind Carbon Copy (BCC) feature

This kind of integration involves creating an additional email account, where all incoming mail is copied. TDS Sensor is linked to the email account and collects all messages for analysis.

BCC mailbox analysis. Incident processing via TDS SOC


Scheme 2: TDS Sensor + TDS Polygon — analysis of mirrored traffic, mirrored emails and communication channel files.


Receiving mail via SMTP with blocking (inline mode)

This is the main email-integration mode. Emails pass through TDS Sensor as through an SMTP relay and are delivered after they have been analysed, which means that malicious emails are blocked. Fault tolerance is ensured at the DNS level, at the SMTP-server level (where several relays are set up), or at the VRRP level (where several devices share a virtual IP address).
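The difference between the passive modes (SMTP copy, BCC mailbox) and the inline MTA mode comes down to one decision: whether a verdict can influence delivery. The following added Python example models that decision; it is not Group-IB code and the verdict logic is a constructed stand-in for TDS Polygon (a magic-byte file-type check, which also illustrates the "files with modified extensions" point from the Polygon feature list) rather than the product's sandbox. The message, its two attachments and the `MailFilter` class are all constructed for the example.

```python
import email
import hashlib
import os
from dataclasses import dataclass
from email import policy
from email.message import EmailMessage
from typing import Callable, List, Tuple

# Constructed magic-byte table: a stand-in for real file-type identification.
MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf", b"%PDF": "pdf", b"PK\x03\x04": "zip"}
EXTENSION_TYPES = {".pdf": "pdf", ".zip": "zip", ".docx": "zip", ".exe": "pe-executable"}


def sniff_type(data: bytes) -> str:
    """Identify the file type from leading bytes, not from the declared file name."""
    for magic, name in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"


def static_verdict(filename: str, data: bytes) -> str:
    """Constructed stand-in for the sandbox verdict (an assumption, not the product's logic):
    native executables are 'malicious' whatever they are named, a declared extension that
    disagrees with the magic bytes is 'suspicious', everything else is 'clean'."""
    real = sniff_type(data)
    if real in ("pe-executable", "elf"):
        return "malicious"
    declared = EXTENSION_TYPES.get(os.path.splitext(filename.lower())[1])
    if declared is not None and declared != real:
        return "suspicious"
    return "clean"


@dataclass
class Result:
    action: str                             # "deliver" or "block"
    findings: List[Tuple[str, str, str]]    # (filename, sha256, verdict) per attachment


class MailFilter:
    """'passive' models the SMTP-copy and BCC-mailbox integrations, which never affect
    delivery; 'inline' models MTA mode, which withholds a message with a malicious attachment."""

    def __init__(self, mode: str, verdict: Callable[[str, bytes], str] = static_verdict) -> None:
        if mode not in ("passive", "inline"):
            raise ValueError("mode must be 'passive' or 'inline'")
        self.mode = mode
        self.verdict = verdict

    def inspect(self, raw_message: bytes) -> Result:
        msg = email.message_from_bytes(raw_message, policy=policy.default)
        findings = []
        for part in msg.iter_attachments():
            data = part.get_payload(decode=True) or b""
            name = part.get_filename() or "unnamed"
            # The hash is what you would log and correlate with an incident ticket.
            findings.append((name, hashlib.sha256(data).hexdigest(), self.verdict(name, data)))
        malicious = any(v == "malicious" for _, _, v in findings)
        action = "block" if self.mode == "inline" and malicious else "deliver"
        return Result(action, findings)


def build_sample_message() -> bytes:
    """Constructed test message: a genuine-looking PDF plus an 'MZ' header renamed to .pdf."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n% constructed sample, not a real document\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 16,    # DOS/PE 'MZ' header bytes only, not a program
                       maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()
```

Whichever mode is chosen, the findings list is the same; only `action` differs, which is why the passive schemes are safe to deploy first and the inline scheme is the one that needs the DNS, relay-level or VRRP redundancy described above, since a failed relay would otherwise stop mail.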

MTA mode. Incident processing via TDS SOC


Scheme 4: TDS Sensor + TDS Polygon — email analysis with malware blocking

MTA mode. Incident processing via TDS Huntbox


All of the schemes above can be implemented both using TDS Huntbox and without it, for example, working directly through SOC Group-IB.

Analysis of file storage copies

The mode involves behavioural analysis of stored and/or volatile files within file storages using TDS Polygon. Connection to the storage is implemented using the TDS Sensor module and supports two options for working with file objects:

  • Scanning all stored objects, including mutable objects and objects to which access is being requested
  • Scanning only mutable objects and objects to which access is being requested, from the moment of integration

Before the object is changed or sent to the user upon request, TDS Sensor downloads the file and sends it to TDS Polygon for analysis. Once the verdict is received, the analysed object is either placed back into the file storage or, if the verdict is positive (the file is malicious), deleted.
Currently, the following integration protocols are supported:

  • WebDav
  • SMB
  • FTP
  • NFS
  • SSHFS


File share integration scheme


All the above-mentioned schemes can be implemented both using TDS Huntbox and without it, working directly through Group-IB SOC.


For more information about TDS, please visit the main page (authorisation required). If you have any queries about the authorisation process, please email us at:

info@group-ib.com.
