TDS Decryptor — Additional component for decrypting TLS ... · TDS Decryptor is an optional...

GROUP-IB THREAT DETECTION SYSTEM (TDS) TDS DECRYPTOR group-ib.com



THE COMPLETE THREAT DETECTION SYSTEM (TDS) SOLUTION INCLUDES FOUR MAIN MODULES

TDS is a comprehensive solution designed to detect unknown threats and targeted attacks, hunt for threats both within and beyond the protected perimeter, and help investigate and respond to cybersecurity incidents.

TDS detects infections overlooked by traditional security tools such as antivirus software, firewalls, and intrusion prevention systems.

KEY ADVANTAGES:
• More accurate detection of unknown threats and self-learning through feedback from each individual module
• Automated Threat Hunting
• Comprehensive solution that functions as a single unit and does not require any integration steps or correlation of events between different detection components
• Data integrated from Group-IB Threat Intelligence
• Includes 24/7 Threat Hunting; event monitoring; notifications via a ticket system, email and phone calls; and incident investigation and response services from CERT-GIB experts with years of experience
• Flexible deployment and user-friendly
• Includes incident insurance from international insurers

TDS Huntbox: Unified system for managing detection infrastructure, automated analysis, event correlation, and Threat Hunting.

TDS Sensor: Module for in-depth network traffic analysis and threat detection at network level.

TDS Polygon: Module for launching files and links and their dynamic analysis to detect both known and unknown threats in isolated environments.

TDS Huntpoint: Agent for detecting threats on hosts, recording the full timeline of system events, blocking anomalous behavior, isolating hosts, and collecting forensically relevant data.

TDS Decryptor: Additional component for decrypting TLS/SSL traffic in the protected infrastructure.

CERT-GIB: Managed security service for Group-IB solutions by cybersecurity and malware analysts. CERT-GIB is authorized by Carnegie Mellon University and is a member of FIRST, Trusted Introducer, and IMPACT.

TECHNICAL APPROACHES:
• In-depth analysis of network traffic to detect anomalies and malicious traffic
• Behavioral analysis of files and links in isolated sandboxes
• Detection of anomalies in user and computer program behavior
• Automated hunting for unknown threats
• Examination of indicators provided by Threat Intelligence
• Correlation of events collected by TDS as a whole

DETECTION OF THREATS AT VARIOUS ATT&CK MATRIX STAGES:
• Zero-day threats
• Exploits, Trojans, backdoors, and malicious scripts for desktop, server, and mobile platforms
• Covert channels
• Fileless threats
• Living off the land (LotL) attacks


TDS Decryptor is an optional hardware and software module for the Group-IB Threat Detection System (TDS). It extracts and analyzes* the contents of encrypted sessions to improve detection quality and increase the visibility of and control over traffic in the protected infrastructure.

* Requires integration with TDS Sensor.

TDS DECRYPTOR

CHARACTERISTICS:
• Decryption of SSL/TLS sessions in any application
• Interception of SSL/TLS traffic regardless of the port used
• Flexible integration options that do not affect business processes
• Prompt support for modern encryption standards and algorithms
• Support for clustering
• Operation in L2 (bridge) and L3 (router) modes
• Mirroring of decrypted traffic to external analyzing systems, including TDS

MAIN FEATURES OF TDS DECRYPTOR:
• Installation in inline mode: TDS Decryptor integrates into the customer's network streams in order to detect initiations of SSL/TLS sessions, replace certificates (man-in-the-middle) for these sessions, and decrypt SSL traffic, thereby increasing the visibility of and control over traffic in the protected infrastructure.
• Intelligent detection of SSL/TLS sessions: Detection of encrypted traffic regardless of the ports used, by means of a large array of signatures.
• Certificate replacement: To replace certificates, TDS Decryptor can use both self-signed certificates and certificates issued by a certification authority. To ensure that the solution's integration is transparent and that business processes are uninterrupted, either the TDS Decryptor certificate or the certificate of the certification authority that issued the TDS Decryptor certificate should be installed on the customer's devices.
• Two operation modes:
— Transparent mode (bridge): In this mode, TDS Decryptor functions at layer 2 of the OSI model and is invisible to the user network.
— Gateway mode (router): In this mode, TDS Decryptor functions at layer 3 of the OSI model, acting as a gateway for the user network.
• Exception subsystem: Exceptions can be added at both kernel and application level. Whitelisting and blacklisting can be done both at network level and at the level of online resources. If there are resources to which it is impossible to connect because of TDS Decryptor, they are automatically excluded from proxying.
• Transfer of a copy of proxied network traffic: TDS Decryptor can mirror both decrypted and unencrypted traffic to external cybersecurity systems for further analysis.
• Reverse proxy: It is possible to control the encrypted traffic of external internet users when they access corporate resources.
• Encryption standards and algorithms: Prompt and comprehensive support for standards and more than 100 cipher suites and key exchange mechanisms, including:
— All modern cipher suites (RSA, DHE, ECDHE, ChaCha, Camellia, etc.)
— Support for TLS 1.1 - 1.3 (including RFC 8446) and the SSL handshake
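The port-independent session detection and the per-resource exception list described above both start from the same step: recognising a TLS ClientHello at the head of a TCP stream and reading its SNI. The following is an added example (not Group-IB code, and not how TDS Decryptor itself is implemented) that parses the record and handshake headers of a constructed ClientHello; the assumption that exception lists key on the SNI is ours.

```python
import struct

# Added example (not Group-IB code): port-independent TLS ClientHello detection with SNI
# extraction; the SNI is assumed to be what a per-resource exception list keys on.
def build_client_hello(sni: str, tls13: bool = False) -> bytes:
    """Constructed sample ClientHello (record version 3.1, handshake 3.3) with an SNI."""
    host = sni.encode()
    name = b"\x00" + struct.pack("!H", len(host)) + host          # name_type=host_name(0)
    ext = struct.pack("!HH", 0, len(name) + 2) + struct.pack("!H", len(name)) + name
    if tls13:                                                      # supported_versions(43)
        ext += struct.pack("!HH", 43, 3) + b"\x02\x03\x04"
    body = (b"\x03\x03" + bytes(32) + b"\x00"                      # version, random, no session id
            + b"\x00\x02\x13\x01"                                  # one cipher suite
            + b"\x01\x00"                                          # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def detect_client_hello(payload: bytes):
    """Return {'version': ..., 'sni': ...} if payload is a complete TLS ClientHello, else None."""
    # Record header: content_type handshake(0x16), major version 3, 2-byte length.
    if len(payload) < 11 or payload[0] != 0x16 or payload[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", payload[3:5])[0]
    if payload[5] != 0x01 or len(payload) < 5 + rec_len:
        return None                                                # truncated or not ClientHello
    try:
        p = 9                                                      # after handshake type + length
        version = {1: "TLS1.0", 2: "TLS1.1", 3: "TLS1.2"}.get(payload[p + 1], "unknown")
        p += 2 + 32                                                # client_version + random
        p += 1 + payload[p]                                        # session_id
        p += 2 + struct.unpack("!H", payload[p:p + 2])[0]          # cipher_suites
        p += 1 + payload[p]                                        # compression_methods
        sni = None
        ext_end = p
        if p + 2 <= 5 + rec_len:                                   # extensions block is optional
            ext_end = p + 2 + struct.unpack("!H", payload[p:p + 2])[0]
            p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", payload[p:p + 4])
            data = payload[p + 4:p + 4 + elen]
            if etype == 0 and len(data) >= 5 and data[2] == 0:     # server_name, host_name entry
                sni = data[5:5 + struct.unpack("!H", data[3:5])[0]].decode("ascii", "replace")
            elif etype == 43 and b"\x03\x04" in [data[i:i + 2] for i in range(1, 1 + data[0], 2)]:
                version = "TLS1.3"                                 # 1.3 is signalled via supported_versions
            p += 4 + elen
    except (IndexError, struct.error):
        return None                                                # malformed handshake body
    return {"version": version, "sni": sni}
```

Feeding the first segment of any TCP stream to detect_client_hello, whatever the destination port, yields the version and SNI needed to decide whether the session is decrypted or exempted.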