2017-02-15 08:08 AM
Hi,
Does anyone know if Security Analytics (NetWitness) can help us find these new attacks?
Links about the attack:
https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/
Thank you!
Javier
2017-02-15 08:45 AM
Since this question relates to NetWitness, I've moved your post to the https://community.rsa.com/community/products/netwitness?sr=search&searchId=3c9d3075-1c82-42a7-9388-218a63ab3f9a&searchIndex=0 product space for you to get an answer.
Regards,
Erica
2017-02-15 01:52 PM
Hi Javier,
With regard to detecting malware, there are two ways in the NetWitness suite of products: the network layer and the endpoint layer. Actual identification of any malware executable which is fileless in nature can be done by RSA NetWitness Endpoint. The comparison of disk and memory provides the necessary detection capabilities to conclude on such detonations on endpoints. Also, our endpoint provides network connection visibility, in addition to threat intel feeds and IIOCs, for further analysis and forensics on such executables.
In a nutshell, you will not be able to detect and conclude on fileless malware at the packet or log layer without the actual NetWitness Endpoint. This is a complete story and all threads need to be matched.
2017-02-15 03:05 PM