Enterprise Signatureless Malware Detection

Our Software – RSA ECAT

RSA ECAT software is an enterprise malware threat detection and response solution that enables you to easily detect, monitor and protect your environment from undesirable software and the most elusive malware — including deeply hidden rootkits, Advanced Persistent Threats (APTs), Metasploit’s Meterpreter and viruses.

With ECAT, analysts and incident response teams don’t waste time filtering through background noise and false positives. With the industry’s broadest whitelisting and software reputation services built in and powerful enterprise-wide anomaly detection, known good files are quickly identified and added to the baseline, highlighting truly malicious activity for immediate attention.

In one integrated package, ECAT provides:

  • Detection
  • Analysis
  • Remediation
  • Forensics

for all Windows environments, scaling up to 20,000 endpoints per ECAT server.

ECAT Feature Summary:

Agent

  • Custom low-level parsers for disk, memory and registry access
  • Live code integrity check to find malware code hiding in trusted applications
  • Internal structures and code validation (SSDT, IAT/EAT, IDT, DKOM, inline hooks, etc.)
  • Remote memory dumps compatible with the Volatility memory forensics framework
  • Recognition of abnormal network communication patterns
  • Active tracing of network connections, module loading, and file and registry access
  • Small disk footprint
  • SSL-encrypted communications authenticated with certificates
  • Optional integrated remediation agent
  • MFT Viewer: Locate and remotely download hacked and deleted files in a forensically sound manner

Server

  • Integration with OPSWAT Metascan using 6 or more different antivirus engines
  • External code signing validation. The certificate chain and root authorities are validated at the server level to avoid being fooled at the workstation level
  • Enterprise environment correlation to quickly find all instances of malware running among thousands of machines
  • Complete and easy to use file and memory whitelisting system
  • Built-in monitoring and alerting system
  • Built-in reporting and exporting system to standard industry formats
  • NIST, NSRL and Bit9 GSR integration for whitelisting
  • Custom hashlist support for incorporating homegrown and custom apps into whitelisting

See a technical description of how ECAT deals with malware like Stuxnet or download the ECAT datasheet.

The ECAT workflow to find unknown malware in large environments is:

1. Deploy and Scan

The ECAT agent is a self-contained executable deployed on servers and workstations that you want to assess or monitor. It coexists peacefully with existing security solutions.

Once deployed, the agent reports to a centralized ECAT server from which it receives instructions. When a scan is requested, using a set of low-level functions, it performs an inventory of all running processes and drivers and conducts a number of checks in order to identify behavior related to malware.

Among these checks, the agent validates Windows kernel internal structures, searches for signs of malware trying to conceal its presence, scans memory for Metasploit traces and validates the integrity of key kernel and user modules.

2. Assess

The information gathered during the scan process is sent to a centralized server for analysis. Unknown files are automatically downloaded from the scanned computers and run through OPSWAT Metascan Antivirus to find viruses missed by the corporate antivirus solution.

The ECAT console presents the operator with a complete view of the scanned computers along with a Machine Suspect Level (MSL) indicator for identifying which computers should be investigated first.

Whenever possible, ECAT correlates a suspicious behavior with its author: a driver, a process, a DLL or a memory block (floating code). ECAT then displays contextual intelligence about the author:

  • Metadata: file time, file size, file attributes, MD5
  • Code signing information and validation
  • Correlation across the environment
  • Bit9 threat level
  • Known anomalies database correlation

A suspicious module can be whitelisted, blacklisted or graylisted by the operator. Once categorized, the module is then considered as such for the whole environment. The operator can also add a comment to be later included in the report.

To accelerate the whitelisting process, a scan of a clean computer (usually built from the standard enterprise image) should be conducted first as a baseline.

3. Remediate

ECAT has an optional remediation module sold as an Incident Pack license. If a scan determines an endpoint is compromised with malware that the AV missed and which can be identified by the remediation module, the remediation agent can be pushed out by the operator to clean the endpoint.

4. Monitor

The ECAT agent can be configured to perform a scan at scheduled time intervals.

When a change occurs, the Machine Suspect Level (MSL) of the affected computer rises and the operator can quickly pinpoint the cause. Recurrent assessment processes will flag newly installed executables or malware.

ECAT does not block new applications from executing. Maintenance scans can therefore be run multiple times per day for only a few minutes at a time.
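As an added illustration of the scan, assess and monitor steps above (a constructed model, not RSA's code): a clean-image scan seeds the whitelist, an operator's whitelist/graylist/blacklist decision applies to every machine in the environment, and each host's MSL is computed from module status plus fleet-wide prevalence so the rarest unknown module scores highest. The scoring weights, hostnames, paths and "md5-..." hash strings are all assumed placeholders.

```python
from collections import Counter

# Constructed module inventories, keyed {hostname: {md5: path}}. The "md5-..."
# strings are placeholders for file hashes, not real values.
BASELINE_IMAGE = {  # scan of a clean computer built from the enterprise image
    "md5-ntoskrnl": r"C:\Windows\System32\ntoskrnl.exe",
    "md5-lsass": r"C:\Windows\System32\lsass.exe",
    "md5-office": r"C:\Program Files\Office\office.exe",
}
FLEET = {
    "ws-01": dict(BASELINE_IMAGE),
    "ws-02": {**BASELINE_IMAGE, "md5-hrtool": r"C:\Apps\hrtool.exe"},
    "ws-03": {**BASELINE_IMAGE, "md5-hrtool": r"C:\Apps\hrtool.exe",
              "md5-odd": r"C:\Users\bob\AppData\Local\Temp\svch0st.exe"},
}
UNKNOWN_RARE, UNKNOWN_COMMON, GRAY, BLACK = 50, 20, 10, 100  # assumed weights


class Console:
    """Server-side view: one status per hash, applied to the whole environment."""

    def __init__(self, baseline):
        self.status = {h: "whitelist" for h in baseline}  # baseline is known good

    def categorize(self, md5, status):
        # An operator decision on one module holds for every machine that has it.
        if status not in ("whitelist", "graylist", "blacklist"):
            raise ValueError(status)
        self.status[md5] = status

    def msl(self, host, fleet):
        """Machine Suspect Level: sum of per-module scores for one host."""
        prevalence = Counter(h for mods in fleet.values() for h in mods)
        score = 0
        for md5 in fleet[host]:
            st = self.status.get(md5, "unknown")
            if st == "blacklist":
                score += BLACK
            elif st == "graylist":
                score += GRAY
            elif st == "unknown":  # unseen hash; rare across the fleet = more suspect
                score += UNKNOWN_RARE if prevalence[md5] == 1 else UNKNOWN_COMMON
        return score

    def triage(self, fleet):  # hosts ordered by MSL, highest first
        return sorted(fleet, key=lambda h: self.msl(h, fleet), reverse=True)

    def rescan(self, host, fleet, new_inventory):  # scheduled rescan: MSL before/after
        before = self.msl(host, fleet)
        fleet[host] = dict(new_inventory)
        return before, self.msl(host, fleet)
```

Whitelisting the shared HR tool drops ws-02 to zero and leaves only the single-host module on ws-03 to investigate; a rescan that finds a new executable raises that host's MSL, which is the change the operator is alerted to.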

5. Forensics data gathering and analysis

ECAT includes a set of tools to gather key information needed for a complete forensic analysis and cybercrime investigation. Key amongst these tools are:

  • Full memory downloads: ECAT can pull down from a suspect machine a complete live memory dump for further analysis.
  • MFT Viewer: Locate and remotely download hacked and deleted files in a forensically sound manner

For more information on ECAT and how ECAT can detect compromised systems in your environment, contact us for a demonstration or evaluation, download the ECAT datasheet or download our whitepaper.