Tag: Incident Response

Binalyze Raises €1.5m from Earlybird to Innovate DFIR

Tallinn, ESTONIA – February 18, 2021 – Binalyze, the leading provider of advanced Digital Forensics and Incident Response (DFIR) solutions, today announced it has raised €1.5 million in pre-seed funding led by Earlybird Digital East Fund. The funding will be used to accelerate the company’s growth and expansion across the US and Europe.

This investment round, and in particular the participation of Earlybird, an early investor in multi-billion dollar companies in the region such as UiPath and Peak, reaffirms Binalyze’s potential to disrupt the DFIR market and replace the incumbent solutions. With its unique approach, Binalyze provides the market’s fastest and most comprehensive evidence collection, triage, and Incident Response (IR) investigation platform.

“Today, speed is the number one priority for every business. Recent studies demonstrate it takes just a few hours for a threat actor to get what they need once they find a gap in your systems,” commented Emre Tinaztepe, CEO and Founder of Binalyze. “With a single click, Binalyze AIR creates a well-structured digital forensics report in under 10 minutes. Even better, you can fully automate this process by integrating AIR with any SIEM/SOAR solution on the market!”

The recent addition of the TimelineIR and Patrol product modules signals the continuation of an ambitious development roadmap that will redefine digital forensics. The additional capital provided by Earlybird Digital East will enable Binalyze to accelerate product development and build out global infrastructure and service capabilities to complement its world-class engineering team.

“With smarter cyber-attacks, the rising number of endpoints, and remote working becoming the default, enterprises need continuous breach detection and rapid incident response to prevent disasters” said Mehmet Atici, Partner at Earlybird Digital East. “Existing solutions in the market fall short of expectations when it comes to speed, precision, and automation capabilities. Binalyze solves a critical pain point by enabling enterprises and managed service providers to rapidly and remotely collect forensically sound evidence and automate incident response.”

“We are excited to partner with Emre and the Binalyze team on their journey to become a category-defining player in the emerging DFIR market.”

To read more about Binalyze, visit our blog, follow us on Twitter, or check us out on LinkedIn

About Binalyze

Founded in 2018, Binalyze has quickly earned a reputation within the DFIR community as a trusted and innovative company. The company aims to create simple, smart, and high-performance solutions that meet modern Digital Forensics and Incident Response needs. Binalyze’s team of researchers and security experts is redefining DFIR for the benefit of businesses worldwide.

Founded by Emre Tinaztepe, the company has grown to a team of 20 with headquarters in Estonia and an office in the US. For more information, visit https://www.binalyze.ai/

About Earlybird Digital East

Earlybird Digital East invests in ambitious technology ventures hailing from Emerging Europe. With over $400m in committed capital, the firm’s portfolio includes some of the most successful startups in the region, including UiPath. Earlybird Digital East is one of the three autonomous, dedicated, and specialized teams within the Earlybird family, which currently has over $1 billion under management, seven IPOs, and 24 trade sales. Further information is available at https://www.earlybird.com

Meet TimelineIR

Some history;
Digital forensics is 40 years old, so are the methods…”

Do you remember how much time you spent acquiring an image, taking it to your lab, processing it with powerful machines running traditional forensics solutions in order to get a timeline of events that took place? Editing CSV files, exporting Event Logs, dealing with time zones, trying to combine them into one large file, using open source tools, spending hours, and hours, and hours if not days, losing the most precious resource of all: “Time”. Now, it is time to change it!

Let me begin with how it started. We released IREC TACTICAL almost 3 years ago to address the problems of our industry. The concept was simple: Changing IR evidence acquisition into a 1-click job. So we would speed up, decrease the need for communication and make the “collection” phase of IR easier than ever.

Although easy to describe, it was not a simple task. Did we manage it? With the great support of our users, we absolutely did! There is now a solution for 1-click evidence collection. With IREC TACTICAL, you can collect more than 260 different pieces of evidence with the click of a mouse. Besides collecting almost everything you would need to understand what went wrong on that endpoint, it also creates a self-contained HTML report, time-stamps it for non-repudiation and protects the collected evidence against ransomware modifications!

Era of Automated IR

TACTICAL was great and it still has a heavy development roadmap that adds great features with every new release. However, in cases we were involved, there was one another huge problem: Remote evidence collection and the lack of automation. When you have one endpoint, you can collect evidence one way or another. Make some phone calls, send some emails, ask IT admins and finally RDP into the machine and run IREC. But if there is more than one endpoint located in different places, continents and time zones, the responders still had a lot to do alongside scratching their head. So we developed Binalyze AIR, the most comprehensive automated IR and remote forensics solution on the market that can integrate with any RESTful trigger source.

Once integrated (that takes only 5 minutes), 03:00 AM in the morning, your SIEM creates an alert and, voila, AIR starts doing its job automatically! Just like having a 24/7 available first responder waiting for your call, going to the crime scene, capturing photos of every single corner in just minutes. When your analysts arrive in the morning they have all the evidence of what happened on that endpoints. But what happens if more than one endpoint involved in the case? Just like having 2 crime scene photos captured from different places in different time zones. You spend hours combining these two together. What if you have 3, 4, 5 of these… You already know the answer. This was the question we were asked by a significant number of our customers that led to the development of TimelineIR.

Meet TimelineIR

I am sure you can name a bunch of solutions that can create a timeline starting from traditional forensics solutions to open source command line tools. They are all great but if the clock is ticking, you need something much faster and easier! Something that won’t fight against you, something that will speed you up and show you what you need without making you deal with nitty-gritty details…

TimelineIR is the brand new feature of Binalyze AIR that:

  • Creates a timeline investigation “remotely” in just 5 minutes,

  • Collects almost everything from an endpoint that has a timestamp attribute. To name a few, Processes, DLLs, Shellbags, Shimcache entries, Prefetch files, Browser History for all major browser, Relevant Event Logs, Autorun Entries, Services, Downloaded Files, Recycle Bin, SRUM and so on…

  • Presents this is in a web-based interface, that is ultra-optimized for speed and ease of use,

  • Lets you flag events making them immediately visible to the other analysts working on the same investigation,

  • Enables filtering for specific events based on event type, date and time, computer name, user name and event data,

  • Lets analysts add milestones based on what they hear from the affected users or customers,

  • Decreases the time of investigation by multitudes,

  • Thus, fixing the biggest problems of Enterprise IR Investigations.

Action!

Having all these said, now it is time to showcase how easy it is.

  1. Create an investigation named “First Investigation”,

  2. Select the timezone of the investigation,

  3. Add an endpoint to investigation,

    air-timelineir

  4. Wait for the processing of forensic evidence to complete in “5 minutes”,

    air-timeline-investigation

  5. Easily navigate by dragging the green arrow in the navigation band or click it for selecting the target date,

  6. Flags some events, mark some of them to be reported,

  7. Click a flag for time traveling,meet-timelineir

  8. Add milestones that would provide useful for a better understanding of the case,air-investigation

  9. When required, enrich your investigation by adding new endpoints.air-endpoints

Try it now!

Feeling excited? Download AIR now and easily create a timeline investigation using the link below:

{{cta(‘cea177d3-11e7-42f2-a4b1-8007f735fad0’)}}

Ransomware Attacks: Plan or Pay

Ransomware is not new but it continues to be one of the biggest challenges for every kind of organization in recent years. There were a total of 308 million ransomware attacks in 2020. This means a 62 percent increase from 2019. At the same time, ransom payments are also increasing. In the first quarter of 2021, the average of ransom payments was over $220,000.

SUNBURST Back Door knocking on the World’s Front Door

FireEye has uncovered a malicious campaign that gains access to victims via trojanized updates to Orion, SolarWinds’ IT monitoring and management software.

While the fireworks are only visible to us now, the fuse for this malicious campaign was lit in March 2020. SUNBURST is the product of highly evolved cyber criminals that resulted with significant lateral movement and data theft.

Nationwide Damages

The malicious campaign that compromised just one piece of the SolarWinds IT toolkit potentially gained access to multiple entities nationwide including government agencies, telecommunications companies, top accounting firms and big players from the private sector. Unfortunately, this still only represents a small piece of the extraordinary array of possible SolarWinds’ customers.

SUNBURST Backdoor: ‘update is available, click here to download’

In the spring of 2020 IT staff got a pop up notification from a trusted popular software provider to install a new update and so with one click around 18,000 customers across various government and private organizations downloaded the update and with that the silent game began.

Little did they know that the new update came with a Trojan, secret malicious code, that stayed in their system silently for a couple of weeks, just observing while the victims carried on with their hardworking jobs oblivious to the threat. When the time was just right, SUNBURST sprang into action inside thousands of computer networks in government, technology and telecom organisations across North America, Europe, Asia and the Middle East opening the door for its creator to enter as well. According to BBC the damages are not yet known, but for months the professional cyber criminal team could spy and keep on stealing information of different organisations worldwide.

 

DFIR Guide

Download our DFIR Guide and learn more how you can elevate your incident response processes.

{{cta(‘b738efd9-03c6-4b79-8e63-1667724d6ddc’,’justifyleft’)}}

 

SUNBURST: It’s time to take an initiative

Attacks of this nature don’t just affect the infected organisations, they also deal a blow to the entire cyber-security space by undermining trust in our solutions and planting seeds of doubt in users’ minds.

At Binalyze, our core mission is to help our users and the DFIR community to respond faster. As part of this mission we have decided to give support to SUNBURST damaged entities and we hope that this initiative will be supported by other cyber security vendors and professionals.

Today we are releasing a version of Binalyze AIR with the codename SUNBURST that will enable anyone to identify their exposure to the attack and pinpoint their network vulnerability in under an hour.

This version is available FREE OF CHARGE for 15-days and 25,000 endpoints to help all organizations potentially affected by SUNBURST.

Heads up for the DFIR community

To investigate this SUNBURST breach it will take a lot of time, research and financial resources, just when we were getting ready for the Christmas and New Year holidays. Now instead of planning a cosy vacation you have to respond to the biggest breach of the year and plan your DFIR strategies and methods, working hours of overtime trying to manage breach damages.

Binalyze is the fastest evidence collection, triage, and IR investigation platform that now also contains the YARA Rules for SUNBURST thanks to our colleagues at FireEye. We are here to give support to any DFIR community member requesting it that has clients damaged by the hack to help speed up the investigation process and ease your workload.

Over the next few days, we will post videos and blogs sharing DFIR methods and tactics that we believe will be useful to the DFIR community. If you have or had a trojanized version of SolarWinds Orion on your infrastructure, Stroz Friedberg have released this excellent document with advice for a risk-based approach to the situation. Click here for more details.

We are all striving for a safer cyber world and taking our part in this global effort.

Stay safe.