The company’s Continuous Compromise Assessment model enables organizations to measure compromise in real time by using automation to alert cyber teams to unusual activity. When something out of the ordinary is detected, an incident is created, and that incident automatically triggers a threat hunt.
Teams receive actionable information about who was impacted, when the incident took place and how best to respond before it escalates to a bigger problem.
Ricardo Villadiego, Lumu founder and chief executive, compared the company’s technology to traditional defensive approaches:
“Defensive technologies rely on rules, heuristics and outliers to find threat actors but these technologies lack one essential component that is essential to the threat hunting practice: the creativity of the practitioners defending networks. Effective threat hunting requires the foresight of humans and the tools have to amplify what humans are capable of. Our new capabilities help threat hunters do their job better by finding attacks that circumvent detection capabilities in cybersecurity products and managed security services.”
A Closer Look at Lumu for Threat Hunting
This is how Lumu for Threat Hunting helps threat hunters:
- Incidents: Provides the starting point for a threat hunting exercise: the affected endpoints and the details of their contact with adversary infrastructure.
- Playback: Lumu stores two years of network metadata and re-matches that history against newly published threat intelligence, so contact with infrastructure that was not yet known to be malicious at the time (zero-day and emerging attacks) can be surfaced retrospectively.
- Global MITRE ATT&CK matrix: Gives a detailed view of the tactics and techniques attackers are using to target your organization, to prioritize threat hunting and red team exercises.
- Threat triggers: Contains the Indicators of Compromise (IoCs) related to an incident, as reported by Lumu’s threat intelligence engines or third-party sources.
- Compromise radar: Shows threat hunters the contact pattern for each indicator (frequency and regularity) to help distinguish occasional contact from persistent, automated beaconing.
- Attack distribution: Enables prioritization by uncovering which areas of the organization are most affected by threat actors.
- Operational timeline: All incidents contain a timeline section where teams can track the steps of the resolution flow.
- Email reports: Each incident provides the ability to email all of the details of what happened and what actions were taken directly to your CISO and others as needed.
- Response automation: Connect Lumu with your existing cyber stack to take automated actions against active threats.
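The playback and compromise radar items above describe two techniques that are easy to illustrate together: retro-matching stored metadata against an IoC feed that arrived after the traffic was recorded, and classifying the resulting contact pattern by the regularity of its intervals. The following is an added example written for this page; it is not Lumu’s code, and the metadata lines, host names, indicators and the `hunt`/`playback`/`contact_pattern` helpers are all constructed for illustration. The jitter threshold and minimum contact count are assumed values, not anything the vendor publishes.

```python
"""Retro-hunt over stored network metadata plus a contact-pattern classifier.
Added example, not Lumu's code. All data below is constructed."""
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, NamedTuple, Set


class Record(NamedTuple):
    ts: datetime
    host: str
    kind: str        # "dns" (queried name) or "flow" (destination IP)
    indicator: str


# Constructed metadata lines: "<ISO timestamp> <host> <kind> <indicator>".
# host-17 resolves one name every 10 minutes (beacon-like), host-42 contacts an
# IP twice hours apart, host-09 only touches a benign name.
METADATA_LINES = [
    "2023-05-01T09:00:00Z host-17 dns evil-cdn.example",
    "2023-05-01T09:10:00Z host-17 dns evil-cdn.example",
    "2023-05-01T09:20:00Z host-17 dns evil-cdn.example",
    "2023-05-01T09:30:00Z host-17 dns evil-cdn.example",
    "2023-05-01T09:40:00Z host-17 dns evil-cdn.example",
    "2023-05-01T09:50:00Z host-17 dns evil-cdn.example",
    "2023-05-01T11:02:13Z host-42 flow 203.0.113.45",
    "2023-05-01T16:47:55Z host-42 flow 203.0.113.45",
    "2023-05-01T12:00:00Z host-09 dns updates.vendor.example",
]

# Hypothetical feed published after the traffic above was recorded.
NEW_IOCS: Set[str] = {"evil-cdn.example", "203.0.113.45"}


def parse_metadata(lines: List[str]) -> List[Record]:
    records = []
    for line in lines:
        ts, host, kind, indicator = line.split()
        records.append(Record(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                              host, kind, indicator.lower()))
    return records


def playback(records: List[Record], iocs: Set[str],
             retention: timedelta = timedelta(days=730)) -> Dict[str, Dict[str, List[datetime]]]:
    """Match stored records against IoCs that may postdate the records.
    Returns {indicator: {host: [sorted contact timestamps]}} within the retention window."""
    wanted = {i.lower() for i in iocs}
    cutoff = max(r.ts for r in records) - retention
    hits: Dict[str, Dict[str, List[datetime]]] = {}
    for r in records:
        if r.ts < cutoff or r.indicator not in wanted:
            continue
        hits.setdefault(r.indicator, {}).setdefault(r.host, []).append(r.ts)
    for by_host in hits.values():
        for ts_list in by_host.values():
            ts_list.sort()
    return hits


def contact_pattern(timestamps: List[datetime], min_contacts: int = 5,
                    max_jitter: float = 0.2) -> str:
    """'single', 'occasional', or 'periodic'. Periodic = enough contacts whose
    inter-arrival times vary little (coefficient of variation <= max_jitter),
    which is what an automated beacon looks like. Thresholds are assumed."""
    if len(timestamps) < 2:
        return "single"
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    if len(ts) >= min_contacts and avg > 0 and pstdev(gaps) / avg <= max_jitter:
        return "periodic"
    return "occasional"


def hunt(lines: List[str], iocs: Set[str]) -> Dict[str, Dict[str, dict]]:
    """Summarise per indicator and host: contact count, first/last seen, pattern."""
    summary: Dict[str, Dict[str, dict]] = {}
    for indicator, by_host in playback(parse_metadata(lines), iocs).items():
        summary[indicator] = {
            host: {"contacts": len(ts), "first_seen": ts[0].isoformat(),
                   "last_seen": ts[-1].isoformat(), "pattern": contact_pattern(ts)}
            for host, ts in by_host.items()
        }
    return summary


if __name__ == "__main__":
    for indicator, hosts in hunt(METADATA_LINES, NEW_IOCS).items():
        for host, info in hosts.items():
            print(indicator, host, info)
```

Running it prints one line per affected host: host-17’s six evenly spaced contacts classify as periodic, host-42’s two contacts as occasional, and host-09 does not appear because its destination is not in the feed. The coefficient-of-variation test is deliberately simple; real beacons add jitter, so a production hunter would tune `max_jitter` and also look at payload sizes, which this metadata does not carry.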
Lumu maintains a program for managed service providers through which it offers unified threat visibility, automated threat response and the ability to get more from existing tools. The company’s platform is available to MSPs in three service tiers.
Since emerging from stealth mode in February 2020, Lumu has raised $25.5 million, with the latest round of $8 million taking place a year ago, followed two months later by $10 million in debt financing.
Lumu Tracks Ransomware Activity
Lumu also said it will release an update to its 2023 Ransomware Flashcard. Key findings for threat hunting teams include:
- The most prevalent ransomware precursors: Qakbot, Phorpiex, Emotet, Cobalt Strike, Ursnif, Dridex and ZLoader.
- Which ransomware precursors active cybercrime gangs are using:
- ALPHV/BlackCat, one of the groups behind the recent cyberattack on Estée Lauder, is using Emotet.
- BlackBasta, an offshoot of Conti and behind the recent ransomware attack on multinational tech firm ABB, is using Qakbot.
- Conti is using Qakbot and Emotet.
- BitRansomware is using Phorpiex.
- Egregor is using Qakbot and Ursnif.