At-a-Glance
Cisco AMP Threat Grid Malware
Analysis and Intelligence for EnCase
Use AMP Threat Grid To Gain Full Insight Into Unknown
Threats Identified By EnCase—With A Right-Click
EnCase Enterprise: Network-Enabled Incident Response
Guidance Software is recognized worldwide as the industry leader in
digital investigative solutions. Its EnCase Enterprise platform is used by
numerous government agencies, more than 65 percent of the Fortune
100, and more than 40 percent of the Fortune 500, to conduct digital
investigations of servers, laptops, desktops, and mobile devices.
Gain deep insight into
unknown threats identified
by EnCase products.
Access Threat Grid results
in the EnCase Enterprise
interface.
Be proactive and improve
your security. Download
insightful malware analysis
reports and detailed
analysis JSON files from
AMP Threat Grid.
Built on the EnCase Enterprise platform are the market-leading
electronic discovery and cybersecurity solutions EnCase Cybersecurity
and EnCase Analytics. They empower organizations to perform sensitive
data discovery for compliance purposes, conduct speedy and thorough
security incident response, and reveal previously hidden advanced
persistent threats or malicious insider activity.
AMP Threat Grid Advanced Malware Analysis
Threat Grid is a unified malware analysis and threat intelligence solution
that’s revolutionizing how organizations use accurate and contextrich intelligence to better defend against targeted and advanced
cyberattacks.
Threat Grid crowdsources large volumes of malware and performs
advanced analysis in the cloud to identify important behavioral indicators
and make near real-time remediation possible. Threat Grid provides
full global context to help operators understand the attack metrics and
see whether other organizations have been affected. Threat Grid also
provides behavioral indicators and Threat Scores so that analysts may
quickly prioritize incidents and download detailed information and reports
to better prepare against future attacks. Threat Grid’s API simplifies
sample submission and intelligence integration with EnCase to improve
the effectiveness of the security infrastructure.
After EnCase Cybersecurity or EnCase Analytics has identified an
unknown threat on an endpoint, Threat Grid provides in-depth analysis
and correlates the attack-related artifacts with all other known malicious
activities to help analysts quickly determine if malware resides in other
parts of the network or if the incident should be closed. (See Figure 1.)
© 2016 Cisco and/or its affiliates. All rights reserved.
At-a-Glance
Figure 1. AMP Threat Grid Analysis from Inside EnCase Enterprise
Search File Hash Value in ThreatGRID
Upload File to ThreatGRID for Analysis
AMP Threat Grid + EnCase: A Sample Scenario
Analysis with One Click
After EnCase has identified an unknown threat, the operator simply
right-clicks on the file to automatically query Threat Grid* for multiple
forensic indicators gathered during the virtual infection.
Information describing when the related sample was analyzed and its
Threat Score are displayed in the EnCase Records tab. The Threat
Score is in the Value field and indicates the severity and confidence
levels of the sample based on its unique behavioral indicators (no
malware signatures are required). Threat Grid downloads the full
analysis report for the suspected malware along with the path in the
Location field. If the sample has never been analyzed, the same rightclick function will allow the analyst to submit the file to Threat Grid for
analysis. (See Figure 2.) Integrated investigative functions include:
• Search Highlighted IP Address, Highlighted Domain, File Hash Value,
and Tagged File Hash Values in Threat Grid
• Upload File to Threat Grid for Analysis
Figure 2. Matched Analysis Results in the EnCase Records Tab
*Subscription required for additional volumes.
© 2016 Cisco and/or its affiliates. All rights reserved.
At-a-Glance
Interested in trying our solution
for yourself? Request a demo at
http://cs.co/TG4Encase
For more information on AMP Threat
Grid visit: www.cisco.com/go/amptg
Get Detailed Analysis in AMP Threat Grid
If the initial result requires further investigation, the detailed analysis
results in the Threat Grid portal are available for review. The Threat Grid
workflow menu provides options for you to see various sections of the
report and extract artifacts of interest from the Threat Grid portal.
Analyze Network Activity
If applicable, detailed network communications of the malware is
displayed. For example, determining the exact URL paths of HTTPbased Command and Control (C2) activity including a highly suspect
User-Agent string is possible using Threat Grid’s network analysis.
Correlate for the Big Picture
Threat Grid correlates samples based on multiple artifacts, each of
which provides areas for analysts to see the full context of a threat
and identify related samples in Threat Grid’s enormous global content
repository. For example, investigating the IP address and domain yields
additional details, including all other connected samples.
Download Analysis Results
Analysts may download all analysis objects such as disk and registry
artifacts as well as full network packet captures for each submission
from the Threat Grid portal for detailed offline review. (See Figure 3.)
Figure 3. Downloadable Analysis Reports and JSON Files
Free AMP Threat Grid Trial for EnCase Users
Threat Grid Malware Analysis and Intelligence for EnCase is available for
download at no cost from the EnCase App Central Store. As an EnCase
user, you can contact TGsales@cisco.com for your free 30-day trial of
Cisco AMP Threat Grid.
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco and the Cisco logo are trademarks or registered trademarks of
Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/
go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner
does not imply a partnership relationship between Cisco and any other company. (1110R)
C78-733956-01 03/16
