GROUP-IB THREAT DETECTION SYSTEM (TDS)
TDS DECRYPTOR
group-ib.com
THE COMPLETE THREAT DETECTION SYSTEM (TDS) SOLUTION INCLUDES FOUR MAIN MODULES
TDS is a comprehensive solution designed to detect unknown threats and targeted attacks, hunt for threats both within and beyond the protected perimeter, and help investigate and respond to cybersecurity incidents.
TDS detects infections overlooked by traditional security tools such as antivirus software, firewalls, and intrusion prevention systems.
KEY ADVANTAGES:
• More accurate detection of unknown threats and self-learning through feedback from each individual module
• Automated Threat Hunting
• Comprehensive solution that functions as a single unit and does not require any integration steps or correlation of events between different detection components
• Data integrated from Group-IB Threat Intelligence
• Includes 24/7 Threat Hunting; event monitoring; notifications via a ticket system, email and phone calls; and incident investigation and response services from CERT-GIB experts with years of experience
• Flexible deployment and user friendly
• Includes incident insurance from international insurers
TDS Huntbox: Unified system for managing detection infrastructure, automated analysis, event correlation, and Threat Hunting.
TDS Sensor: Module for in-depth network traffic analysis and threat detection at network level.
TDS Polygon: Module for launching files and links and their dynamic analysis to detect both known and unknown threats in isolated environments.
TDS Huntpoint: Agent for detecting threats on hosts, recording the full timeline of system events, blocking anomalous behavior, isolating hosts, and collecting forensically relevant data.
TDS Decryptor: Additional component for decrypting TLS/SSL traffic in the protected infrastructure.
CERT-GIB: Managed security service for Group-IB solutions by cybersecurity and malware analysts. CERT-GIB is authorized by Carnegie Mellon University and is a member of FIRST, Trusted Introducer, and IMPACT.
TECHNICAL APPROACHES:
• In-depth analysis of network traffic to detect anomalies and malicious traffic
• Behavioral analysis of files and links in isolated sandboxes
• Detection of anomalies in user and computer program behavior
• Automated hunting for unknown threats
• Examination of indicators provided by Threat Intelligence
• Correlation of events collected by TDS as a whole
DETECTION OF THREATS AT VARIOUS ATT&CK MATRIX STAGES:
• Zero-day threats
• Exploits, Trojans, backdoors, and malicious scripts for desktop, server, and mobile platforms
• Covert channels
• Fileless threats
• Living off the land (LotL) attacks
TDS DECRYPTOR
TDS Decryptor is an optional hardware and software module for the Group-IB Threat Detection System (TDS). It extracts and analyzes* the contents of encrypted sessions to improve detection quality and increase the visibility of and control over traffic in the protected infrastructure.
* Requires integration with TDS Sensor.
CHARACTERISTICS:
• Decryption of SSL/TLS sessions in any application
• Interception of SSL/TLS traffic regardless of the port used
• Flexible integration options that do not affect business processes
• Prompt support for modern encryption standards and algorithms
• Support for clustering
• Operation in L2 (bridge) and L3 (router) modes
• Mirroring of decrypted traffic to external analyzing systems, including TDS
MAIN FEATURES OF TDS DECRYPTOR:
• Installation in inline mode: TDS Decryptor integrates into the customer’s network streams in order to detect initiations of SSL/TLS sessions, replace certificates (man-in-the-middle) for these sessions, and decrypt SSL traffic, thereby increasing the visibility of and control over traffic in the protected infrastructure.
• Intelligent detection of SSL/TLS sessions: Detection of encrypted traffic regardless of the ports used, by means of a large array of signatures.
• Certificate replacement: To replace certificates, TDS Decryptor can use both self-signed certificates and certificates issued by a certification authority. To ensure that the solution’s integration is transparent and that business processes are uninterrupted, either a TDS Decryptor certificate or one from the certification authority that issued the TDS Decryptor certificate should be installed on the customer’s devices.
• Two operation modes:
— Transparent mode (bridge): In this mode, TDS Decryptor functions at layer 2 of the OSI model and is invisible to the user network.
— Gateway mode (router): In this mode, TDS Decryptor functions at layer 3 of the OSI model, acting as a gateway for the user network.
• Subsystem of exceptions: It is possible to add exceptions at both kernel and application level. Whitelisting and blacklisting can be done both at network level and at the level of online resources. If there are resources to which it is impossible to connect because of TDS Decryptor, they are automatically excluded from proxying.
• Transfer of a copy of proxied network traffic: TDS Decryptor can mirror both decrypted and unencrypted traffic to external cybersecurity systems for further analysis.
• Reverse proxy: It is possible to control the encrypted traffic of external internet users when they access corporate resources.
• Encryption standards and algorithms: Prompt and comprehensive support for standards and more than 100 cipher suites and key exchange mechanisms, including:
— All modern cipher suites (RSA, DHE, ECDHE, ChaCha, Camellia, etc.)
— Support for TLS 1.1 - 1.3 (including RFC 8446) and SSL handshake
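Two of the features above, port-independent detection of SSL/TLS sessions and the subsystem of exceptions at the level of online resources, rest on one mechanism: inspecting the first bytes of a TCP stream for a TLS ClientHello and reading the Server Name Indication (SNI) before deciding whether the session is proxied. The block below is an added illustration of that decision, written for this page; it is not Group-IB code and says nothing about how TDS Decryptor's signature array or exception store are actually built. The ClientHello bytes are constructed in the script itself (no captured traffic), and the exception rules, the function names and the three decision labels are assumptions made for the example.

```python
import struct
from typing import Iterable, Optional

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension id: server_name (SNI)


def parse_client_hello(payload: bytes) -> Optional[dict]:
    """Return {'version': (major, minor), 'sni': str or None} if the payload
    starts with a TLS ClientHello record, else None.  Only the bytes are
    examined, never the TCP port, which is what makes detection port-independent."""
    if len(payload) < 9:
        return None
    ctype, vmaj, vmin, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HANDSHAKE or vmaj != 3 or vmin > 4:
        return None                       # not a TLS handshake record
    if payload[5] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(payload[6:9], "big")
    body = payload[9:9 + hs_len]
    if len(body) < hs_len or hs_len + 4 > rec_len or len(body) < 35:
        return None                       # truncated or inconsistent lengths
    client_version = (body[0], body[1])
    pos = 34                              # skip version(2) + random(32)
    pos += 1 + body[pos]                  # session id
    if pos + 2 > len(body):
        return None
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
    if pos + 1 > len(body):
        return None
    pos += 1 + body[pos]                  # compression methods
    sni = None
    if pos + 2 <= len(body):              # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_len, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            # server_name_list: list_len(2) name_type(1) name_len(2) host_name
            if etype == EXT_SERVER_NAME and len(edata) >= 5 and edata[2] == 0:
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", errors="replace")
    return {"version": client_version, "sni": sni}


def matches_exception(host: str, rules: Iterable[str]) -> bool:
    """Exact-host rules and '*.suffix' rules, case-insensitive (assumed rule syntax)."""
    host = host.lower().rstrip(".")
    for rule in rules:
        rule = rule.lower()
        if rule.startswith("*."):
            if host.endswith(rule[1:]):
                return True
        elif host == rule:
            return True
    return False


def decrypt_decision(payload: bytes, bypass_rules: Iterable[str]) -> str:
    """'pass-through' for non-TLS data, 'bypass' when the SNI is on the exception
    list (session is forwarded untouched), otherwise 'intercept'."""
    info = parse_client_hello(payload)
    if info is None:
        return "pass-through"
    if info["sni"] and matches_exception(info["sni"], bypass_rules):
        return "bypass"
    return "intercept"


def build_client_hello(sni: Optional[str], version=(3, 3)) -> bytes:
    """Construct a minimal ClientHello record as a test fixture (constructed, not captured)."""
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    body = (bytes(version) + b"\x11" * 32 + b"\x00"     # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"        # one cipher suite
            + b"\x01\x00"                               # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", TLS_HANDSHAKE, 3, 1, len(hs)) + hs


if __name__ == "__main__":
    rules = {"*.bank.example", "updates.vendor.example"}   # constructed exception list
    for label, data in [("tls to intranet", build_client_hello("www.intranet.example")),
                        ("tls to bank", build_client_hello("login.bank.example")),
                        ("plain http", b"GET / HTTP/1.1\r\nHost: www.intranet.example\r\n\r\n")]:
        print(f"{label:16} -> {decrypt_decision(data, rules)}")
```

Because the decision is keyed on the handshake bytes rather than on port 443, a TLS session opened on an unusual port is still recognised, and a session to a host on the exception list is forwarded without certificate replacement, which is the behaviour a whitelist at the level of online resources needs.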