When you’re under attack, the biggest danger you face is typically not the initial breach. It’s what the attacker does after that initial breach—moving laterally across your environment to get access to your most valuable systems and data.
That’s why you and your team are constantly under so much pressure to detect the presence of any threats in your environment ASAP and interdict them before more harm is done.
Fortunately, you now have a powerful and highly reliable way to catch malicious threat actors in your environment before they can do the harm they seek to do: Secureworks® Hands-on-Keyboard Detector (HoK).
How it works
Our innovative new HoK solution applies a two-step process to the real-time detection of malicious threat activity on your network.
First, HoK acts as a sort of detection aggregation system, bringing together alerts and indicators from other data sources in order to target keyboard sessions with a sufficiently high “suspicion level.” It’s important to note that the numerous individual threat indicators that HoK uses to target a suspicious keyboard session can all be low or medium severity—because HoK is not sending a high alert to the SecOps dashboard based on those indicators alone. It is only using those indicators as data for the algorithm that determines which keyboard session(s) to target for observation.
Second, HoK quickly determines whether a keyboard session that has been targeted for observation is actually doing something problematic or not. Here’s where HoK’s alerting becomes definitive. Thanks to machine learning that has been trained using more than 3.3 trillion events from our 16-petabyte-plus data lake, HoK can accurately ascertain if a keyboard session is attempting a malicious action—such as using newly created credentials to access a highly restricted administrative server.
If HoK does detect such potentially malicious activity in a keyboard session that’s already under suspicion, it immediately alerts your SecOps team with precise information about where the malicious threat activity is occurring. So, you can take immediate action to stop malicious threat actors in their tracks.
Why should you care?
Secureworks Hands-on Keyboard Detector is more than just a nifty new piece of technology. As part of your Taegis® XDR implementation, it offers three high-value benefits:
- Rapid notification of malicious “remote control” activity on your network, even when you’ve failed to prevent or detect the original breach.
- Ability to detect the malicious activity that may follow a breach achieved using a “zero-day” exploit—thereby protecting your organization from attacks that it might otherwise respond to too slowly.
- High confidence in the HoK alert “signal” with an extremely low rate of false-positive “noise.”
Secureworks® began developing HoK while researching the BRONZE SPIRAL operators of the SUPERNOVA web shell during the SolarWinds Orion compromise of 2020. The HoK detector identifies malicious activity when threat actors are ‘living off the land’ using system administration tools that may go unnoticed by other endpoint technologies. This adds a new layer of protection to the Secureworks Taegis platform that further enhances its automated threat-detection capabilities and better protects the enterprise.
This detector has already protected several customers in the wild who otherwise may not have known that malicious threat actors were beginning to exploit their systems. In one case, for example, HoK identified indicators of an attacker actively ‘living off the land’ in a client’s environment as the result of a SocGholish malware infection that their SecOps team might have otherwise missed. With a clear alert from HoK, the client was able to interdict the malicious activity and quickly remediate their way to safety.
If you’re a Secureworks customer using Taegis™ XDR or Taegis™ ManagedXDR, our patent-pending HoK technology is already working for you. If you’re not a Secureworks customer, you’ve just read about yet another reason that you should be. Try Taegis today!