The Ava team included Hani Mustafa, David Buchmann (Data Scientist / Security Researcher), Zach Garcia (Cybersecurity Analyst), Neena George (Systems Engineer), and Yogan Patel (Systems Engineer). This small team of five, with software only 2 years old, faced teams as big as 30 participants fielding (multiple) products that have been very successful.
Large company networks are constantly under attack. With millions of events happening on a daily basis, a SOC analyst needs leads pointing to potentially high-priority events to focus on. Once the SOC analyst has found something of interest, they need to quickly understand the full context to determine whether to dismiss the event and move on to the next, or to dig deeper.
With Reveal at DreamPort, the machine learning sensors triggered when software ran for the first time and the instant an unusual event occurred, allowing us to detect multiple attacks immediately. It was easy to see if hosts connected to C2 (command and control) servers or malware delivery IPs with no human interaction.
Once the team had a lead on what kind of activity to look for, it was easy to find the evidence they needed and figure out what happened using the power search. While some tools are optimized either for incident response or for detection, Reveal has the versatility to do both.
Overall, the Ava team was easily able to see the narrative play itself out in real time, starting with the suspicious activity of a few HQ employees (e.g. use of unauthorized USB devices, copying and moving sensitive files, unauthorized ‘shadow IT’ behavior, and showing signs of flight risk) and culminating in a widespread ransomware attack and data exfiltration attempt.
Our competitors had limited visibility during the competition. Although the competitors were able to detect the occurrence of malicious activity on the network, they were struggling to correlate events from various log sources and unable to extract context. The lack of context also meant that they could not see what was coming.
Ava Reveal was effortlessly able to identify the true insider threat very early on. Within the first 30 minutes, the Ava team had identified the first clues of the biggest insider threat risk. Had this been a real-world scenario, Reveal would have given the clear insight needed to take preemptive action and would have prevented this attack altogether by locking the individual out of their PC and removing all access. The rules of the competition, however, prevented us from locking or blocking any users.