Carmen is the 100% European capability for detecting advanced cyber-attacks and compromises by Advanced Persistent Threats (APTs), developed by S2 Grupo in collaboration with the CCN.
Detecting compromises by APTs
The sophistication of the threats organizations face today means that traditional protection mechanisms are no longer effective. By using the organization's main channels of communication with the outside world, the most sophisticated threats go unnoticed: they talk to their command and control servers and exfiltrate information while pretending to be legitimate users. As the number and volume of legitimate communications keep growing, new capabilities are needed to support security teams in the Threat Hunting process.
Carmen protects organizations by acquiring, processing and analyzing their network traffic: misuse, anomalies and intrusion attempts are identified, organized and interpreted to support the security analyst team in the investigation process (Threat Hunting).
It provides protection during the intrusion phase (Breach Detection) by detecting common infection mechanisms such as watering holes and exploit kits, as well as e-mail scams aimed specifically at the organization, such as spear phishing, using processing techniques based on both static and dynamic behavior.
It incorporates capabilities for detecting threats in the persistence stage, under the premise that the organization is already compromised, by identifying external movements such as exfiltration or communication with command and control systems, as well as lateral movement between hosts and information theft within the corporate network.
It allows the identification of misuse, the detection of anomalies and the analysis of communication behavior within the organization, giving the security analyst team the ability to filter and iteratively prioritize the information acquired and processed automatically. It also facilitates the exploration of the relationships between the different information flows processed, as well as assisted investigation of possible evidence of intrusion.
By analyzing the automatically generated alerts, configuring and running the different analyzers with chosen parameters, or consulting the records of the acquired protocols, the organization's security analyst team has the mechanisms it needs to identify situations that may threaten the security of the organization and lead to the exfiltration of information.
The analyst team structures the identification of possible threats by setting up investigations, which can be either public or confidential. These investigations make it possible to distinguish the organization's legitimate activity from evidence of malicious activity on external servers as well as on local hosts.
Because advanced threats evolve rapidly, adapting to changes in the organization and to the tools that seek to identify them, Carmen provides a development environment for incorporating new analysis and detection capabilities tailored to the specific needs of the moment, offering the security analyst team a flexible and highly adaptable environment.
These analytical capabilities can be extended with open public sources of indicators of compromise, malicious domain blacklists, or static analysis rules. New analysis capabilities can also be incorporated through its own shared intelligence network, or new elements that facilitate investigation can be generated from within the user interface itself.
Download additional documentation