GROUP-IB THREAT DETECTION SYSTEM (TDS)
TDS SENSOR
group-ib.com
TDS is a comprehensive solution designed to detect unknown threats and targeted attacks, hunt for threats both within and beyond the protected perimeter, and help investigate and respond to cybersecurity incidents.
TDS detects infections overlooked by traditional security tools such as antivirus software, firewalls, and intrusion prevention systems.
THE COMPLETE THREAT DETECTION SYSTEM (TDS) SOLUTION INCLUDES FOUR MAIN MODULES
KEY ADVANTAGES:
• More accurate detection of unknown threats and self-learning through feedback from each individual module
• Automated Threat Hunting
• Comprehensive solution that functions as a single unit and does not require any integration steps or correlation of events between different detection components
• Data integrated from Group-IB Threat Intelligence
• Includes 24/7 Threat Hunting; event monitoring; notifications via a ticket system, email and phone calls; and incident investigation and response services from CERT-GIB experts with years of experience
• Flexible deployment and user-friendly operation
• Includes incident insurance from international insurers
TDS Huntbox: Unified system for managing detection infrastructure, automated analysis, event correlation, and Threat Hunting.
TDS Sensor: Module for in-depth network traffic analysis and threat detection at the network level.
TDS Polygon: Module for launching files and links and dynamically analyzing them in isolated environments to detect both known and unknown threats.
TDS Huntpoint: Agent for detecting threats on hosts, recording the full timeline of system events, blocking anomalous behavior, isolating hosts, and collecting forensically relevant data.
CERT-GIB: Managed security service for Group-IB solutions provided by cybersecurity and malware analysts. CERT-GIB is authorized by Carnegie Mellon University and is a member of FIRST, Trusted Introducer, and IMPACT.
TECHNICAL APPROACHES:
• In-depth analysis of network traffic to detect anomalies and malicious traffic
• Behavioral analysis of files and links in isolated sandboxes
• Detection of anomalies in user and computer program behavior
• Automated hunting for unknown threats
• Examination of indicators provided by Threat Intelligence
• Correlation of events collected by TDS as a whole
DETECTION OF THREATS AT VARIOUS ATT&CK MATRIX STAGES:
• Zero-day threats
• Exploits, Trojans, backdoors, and malicious scripts for desktop, server, and mobile platforms
• Covert channels
• Fileless threats
• Living off the land (LotL) attacks
MAIN FEATURES OF TDS SENSOR:
Detection of malicious files and threats in encrypted traffic: When integrated with TDS Decryptor or any other SSL/TLS MITM solution, TDS Sensor provides signature- and anomaly-based analysis of encrypted traffic, as well as behavioral analysis of files.
Network traffic analysis using signatures: Detection of attacks by searching network traffic for certain patterns (such as byte sequences), known commands, or sequences of commands used by malware.
Analysis of network anomalies: Use of machine learning algorithms to detect covert channels and anomalies in network traffic, such as DGAs (Domain Generation Algorithms) or tunnels in application layer protocols.
Extraction of files from network traffic: Extraction of files from traffic, determination of whether they are suspicious, and their transfer to TDS Polygon for behavioral analysis.
CHARACTERISTICS:
• Traffic analysis up to 10 Gbit/s
• Continuously updated signature databases and machine learning models powered by our threat intelligence system and forensic investigations
• Interface with a ticket system in Group-IB SOC (optional)
• Internal threat classifier
• Integration with email*
• Integration with ICAP proxy/DLP*
• Integration with file storage systems*
• Different SW/HW/Virtual supply options
• Integration with SIEM and other systems
* Used for behavioral analysis of artifacts in conjunction with TDS Polygon.
CENTRALIZED MANAGEMENT
TDS Huntbox provides a graphical interface for managing the TDS modules installed in the protected infrastructure. It is a single storage location for incident data and allows advanced searches by any indicator across all system events and alerts. The solution's functionality also includes:
1. Threat Hunting
2. Incident response
3. Event correlation and remote forensics
Dynamic analysis of emails: Analysis of emails (including attachments and links) for malicious content and their transfer to TDS Polygon for analysis. If necessary, the system searches for archive passwords and opens the archives. It also handles links, including short links, redirecting links, and links to file storage systems. The system supports an inline mode to block malicious emails.
Blocking of downloadable files: Integration with ICAP proxy solutions to block malicious downloadable objects in conjunction with TDS Polygon.
File storage analysis: Examination and selective blocking of file storage contents based on the presence of malware, in conjunction with TDS Polygon.
Collection of network activity information: Complete log of user network activity over HTTP/HTTPS and DNS.
TDS Sensor is a Group-IB Threat Detection System (TDS) module designed to analyze incoming and outgoing data packets. TDS Sensor uses proprietary signatures and an anomaly detection machine-learning engine to detect general network anomalies, unusual device network behavior, and interaction between infected devices and attackers' C&C servers. This module also extracts files from different sources for further analysis in TDS Polygon.
TECHNICAL REQUIREMENTS FOR A TDS SENSOR VIRTUAL MACHINE*
RAM: 32 GB
Network: at least 2 network interfaces, one for the sensor management port and one for mirrored traffic reception
CPU: 4 cores, each core can have 2 threads
HDD: 480 GB
* Calculated for a load of 250 Mbit/s on a SPAN interface.
| | TDS-250 | TDS-500 | TDS-1000 | TDS-2000 | TDS-5000 | TDS-10000 |
|---|---|---|---|---|---|---|
| Peak performance, Mbit/s | 250 | 500 | 1000 | 2000 | 5000 | 10000 |
| Monitoring ports (SPAN) | 4x 10/100/1000 BASE-T | 4x 10/100/1000 BASE-T | 4x 10/100/1000 BASE-T | 4x 1000 BASE-T / 2x 10GBASE-SR/LR | 4x 1000 BASE-T / 2x 10GBASE-SR/LR | 4x 1000 BASE-T / 2x 10GBASE-SR/LR |
| Network ports (LAN) | 2x 1000 BASE-T | 2x 1000 BASE-T | 2x 1000 BASE-T | 2x 1000 BASE-T | 2x 1000 BASE-T | 2x 1000 BASE-T |
| IPMI port (rear panel) | 1 | 1 | 1 | 1 | 1 | 1 |
| Form factor | 1U | 1U | 1U | 1U | 1U | 1U |
| Storage capacity | 2x 1.2 TB SAS | 2x 1.2 TB SAS | 2x 1.2 TB SAS | 2x 1.2 TB SAS | 2x 1.2 TB SAS | 2x 1.2 TB SAS |
| USB ports (rear panel) | 2 | 2 | 2 | 2 | 2 | 2 |
| USB ports (front panel) | 2 | 2 | 2 | 2 | 2 | 2 |
| Serial ports (rear panel) | 1 | 1 | 1 | 1 | 1 | 1 |
| VGA ports | 1 | 1 | 1 | 1 | 1 | 1 |
| AC power supply, W | 1x 250 | 1x 250 | 1x 250 | 2x 550 | 2x 550 | 2x 750 |
| Maximum power consumption, W | 235 | 235 | 235 | 517 | 517 | 705 |
| Dimensions, mm | 43 x 434 x 552 | 43 x 434 x 552 | 43 x 434 x 552 | 43 x 434 x 678 | 43 x 434 x 678 | 43 x 434 x 678 |
| Appliance weight, kg | 11 | 11 | 11 | 16 | 16 | 16 |
| Heat dissipation (max) | 1039 BTU/h | 1039 BTU/h | 1039 BTU/h | 2x 2107 BTU/h | 2x 2107 BTU/h | 2x 2107 BTU/h |
| Certificates of conformity | ТР ТС 004/2011, ТР ТС 020/2011 | ТР ТС 004/2011, ТР ТС 020/2011 | ТР ТС 004/2011, ТР ТС 020/2011 | ТР ТС 004/2011, ТР ТС 020/2011 | ТР ТС 004/2011, ТР ТС 020/2011 | ТР ТС 004/2011, ТР ТС 020/2011 |
| Compliance with standards | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE | RoHS, WEEE |
| Operating temperature | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment | 10 °C to 35 °C (50 °F to 95 °F), no direct sunlight on the equipment |
| Operating relative humidity | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point | 0% to 80% RH, 29 °C (84.2 °F) maximum dew point |