New Detectree open-source tool ‘connects the dots’ between suspicious activities during a cyber attack
- Published: Tuesday, 26 July 2022 09:56
Many companies struggle to understand malicious activity and their impacts while a security incident is in progress. It eats up precious time and resources that defenders need to contain the attack and minimize damage. However, a new open-source tool built to increase visibility on suspicious activities detected by organizations aims to relieve this pain.
Detectree, developed by WithSecure (formerly known as F-Secure business), is a detection visualization tool for cyber security defense / defence teams (also known as blue teams).
According to Tom Barrow, a senior threat hunter for WithSecure’s managed detection and response service, WithSecure Countercept, finding the links between the suspicious events on an endpoint is paramount for responders:
“Visibility is always a priority, but it’s absolutely vital when responding to an incident,” explained Barrow. “Time is always working against incident responders. And looking through rows of text data and making connections between them and the suspicious activity under investigation is time spent not remediating the problem, which is a real waste when you’re under pressure to stop an attack.”
Detectree was designed to help blue teams simplify investigative work by structuring log data into a visualization that shows relationships between the suspicious activity detected and any processes, network destinations, files, or registry keys connected to that detection. Rather than manually sorting through data represented as text to reconstruct a chain of events, responders can look at the visualization to see not only the connections, but the nature of the connections, including interactions, parent-child relationships, and process injections. Relying on the visualization lets responders quickly see the context surrounding a detection and share that data with relevant stakeholders in a simple, intuitive way to ensure the information is accessible to everyone that needs it.
“Even the most experienced, skilled blue teams need tools to help them do their jobs well. Detectree is a simple tool, but it’s addressing real pain points that make work unnecessarily difficult and time consuming for security teams,” he said.
Detectree is now available for download on WithSecure Countercept’s Github page.