HYACINTH
Hyacinth is a SOC validation tool, which was created to solve the challenges faced by organizations when detecting new and advanced cyber-attacks from various threat groups.
Unlike traditional traffic-based simulators that are used to test SOC environments, Hyacinth emulates the malwares or malicious behaviour on the endpoint using an agent. This makes the attack simulations as real as possible and helps audit SOC deployments and in checking readiness to handle sophisticated attacks.
Real Life attacks are performed without any side effects from the malwares used for this exercise.
Everything from malicious links to advanced malwares including malicious behaviour of employees can be emulated through hyacinth which makes it truly robust and an advanced tool to test your defences against cyber-attacks.
Adversary Emulation with Hyacinth
Hyacinth: Automatic Adversary Emulation Platform
Hyacinth is an automatic adversary emulation tool that simulates the attack on your internal network using a variety of tactics and techniques defined in the Mitre Attack Matrix. It performs post-compromise adversarial behaviour inside your organization’s network to test your security controls.
Key Features List:
- Completely automatic
- Decision Engine to choose exploits
- Cross-Platform
- Modern exploits as seen in the wild
- Run-on single or multiple machines
- Customizable to setup your scenarios
- Ability to upload custom exploit scripts
- Seamless updates and support
- Compete logs and reports to show how the attack was performed
Emulation Capabilities
Compared to regular Adversary Emulation tools, Hyacinth doesn’t complicate what you need to run and how. It's a fire and go check the logs. Hyacinth’s modular architecture allows it to support any platform and can run customizable attack simulations easily. Choose your exploits, Run and watch how Hyacinth quickly runs the exploits leaving traces which your SIEM system should detect. Hyacinth also supports various procedures to not trigger the SIEM while running and can be used to test your security thoroughly.
Key Benefits of Hyacinth:
- To Audit and Improve your technologies deployed for Cyber Threat Detection and Response Capabilities.
- To Improve SOPs and Response Times against real-time sophisticated cyber-attacks.
- To conduct cyber security drills in your organization.
- To conduct SOC Maturity Assessments (Refer to Appendix C)
- Emulate attacks that can test the effectiveness of endpoints (Desktops, Servers, Supported Embedded devices), Networking boxes (Routers, Switches), Perimeter security devices (Firewall, UTM, IDS) and log analysis tools (SIEM)
Most Popular Use Cases:
Ransomware attack Emulation and Protection
Hyacinth will emulate real life ransomware attacks with advanced features such as polymorphism and AV detection and bypass without actually causing any harm to the system files. This is done by targeting a single directory or group of files created specifically for this exercise.
Unlike other traditional traffic-based simulations, hyacinth actually makes use of deploying true malwares without any side-effects. This makes sure the technologies and processes implemented are up to the mark and gaps are identified immediately and improved.
Detecting Insider Fraud or Lateral Movement Attacks
If the attacker is already inside and is trying to perform lateral movement attacks or there is an insider who is trying to gain privileges maliciously, he will have to perform certain actions and run some commands or payloads to achieve this. Traditional logging mechanisms and detection tools may not be able to detect these kinds of attacks.
Hyacinth can emulate such attacks to check if the security tools are sufficient to detect and respond to such attacks.
Crypto Miner
Several Threat groups would like to take advantage of web application or network vulnerability to inject crypto mining payload into servers or generic computers for mining bitcoins or other crypto currencies
Hyacinth can emulate crypto mining payloads that connect to a malicious host as well as connect to mining pools to emulate mining activity. A good EDR or AV should be able to detect the behaviour of this payload as mining and stop it or quarantine it.
Malicious bots or C&C
Hyacinth can emulate malicious communication to known and unknown C&C networks. A good Threat intel and SIEM alerting mechanism should be able to detect such communication and report it.
Deliverable
Key Benefits of Hyacinth:
- Attack Matrix Overview
- Red Team vs Blue Team Presentation
- Recommendation Report
- SIEM use case consultancy (Will be charged extra if needed)