WithSecure Oyj: New Open Source Tool Links Suspicious Activity During Cyberattack
Detectree simplifies data analysis for blue teams to reduce response times, reduce alert fatigue, and improve communication during a security incident.
Helsinki, Finland – July 21, 2022: Many organizations struggle to understand malicious activity and its effects when a security incident is in progress. This consumes valuable time and resources defenders need to contain the attack and minimize damage. However, a new open-source tool designed to increase visibility into suspicious activity detected by organizations aims to ease that pain.
Detectree, developed by WithSecure™ (formerly known as F-Secure Business), is a detection visualization tool for cybersecurity defense teams (also known as blue teams). According to Tom Barrow, a senior threat hunter for WithSecure’s managed detection and response service, WithSecure Countercept, finding the links between suspicious events on an endpoint is essential for responders.
“Visibility is always a priority, but absolutely vital during incident response,” Barrow explained. “Time is always against incident responders. And looking through rows of textual data and making connections between it and the suspicious activity under investigation is time spent not resolving the problem, which is a real waste when you’re under pressure to stop an attack.”
For example, if an analyst tries to find the cause of a suspicious process, they usually have to go through the log data and manually reconstruct the chain of events. The longer the chain, the more difficult and time-consuming it becomes to manage. And given the number of security alerts blue teams in large enterprises can face – around 11,000 per day according to a recent study* – it’s a process that can overwhelm security teams and exacerbate issues such as alert fatigue and burnout.
Detectree was designed to help blue teams simplify investigative work by structuring log data into a visualization that shows the relationships between a detected suspicious activity and any processes, network destinations, files, or registry keys connected to it. Rather than manually sorting through the data represented as text to reconstruct a chain of events, stakeholders can consult the visualization to see not only the connections but also the nature of the connections, including interactions, parent-child relationships and process injections.
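The reconstruction described above, as an added Python example that is not Detectree's own code: it builds a process graph from a handful of constructed Sysmon-style endpoint events (the field names and values are made up for the illustration), walks the parent chain of a detected process, collects the network, file and registry artifacts of each process in that chain and of any process it spawned, and follows process-injection edges so that the target's activity after the injection is attributed back to the detection rather than to the benign process it happened in.

```python
"""Rebuild the context around one detected process from endpoint events.

Added illustration, not Detectree's code. Events use a constructed,
Sysmon-like schema: process creation with a parent pid, network
connections, file writes, registry writes and process injection.
"""
from collections import defaultdict

# Constructed sample events in chronological order; 'ts' is a sequence number.
EVENTS = [
    {"ts": 1, "type": "process", "pid": 100, "ppid": 1, "image": "explorer.exe"},
    {"ts": 2, "type": "process", "pid": 200, "ppid": 100, "image": "winword.exe"},
    {"ts": 3, "type": "process", "pid": 300, "ppid": 200, "image": "cmd.exe"},
    {"ts": 4, "type": "process", "pid": 400, "ppid": 300, "image": "powershell.exe"},
    {"ts": 5, "type": "network", "pid": 400, "dest": "203.0.113.10:443"},
    {"ts": 6, "type": "file", "pid": 400, "path": "C:\\Users\\Public\\update.dll"},
    {"ts": 7, "type": "registry", "pid": 400, "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\upd"},
    {"ts": 8, "type": "inject", "pid": 400, "target_pid": 100},
    {"ts": 9, "type": "network", "pid": 100, "dest": "203.0.113.10:8443"},
    {"ts": 10, "type": "process", "pid": 500, "ppid": 100, "image": "notepad.exe"},
]

# Which field carries the artifact value for each non-process event type.
KEY_FIELD = {"network": "dest", "file": "path", "registry": "key"}


def build_graph(events):
    """Index events by process. Keyed on pid for brevity; a real tool must key
    on a process GUID (pid plus start time) because pids are reused."""
    g = {"procs": {}, "children": defaultdict(list),
         "artifacts": defaultdict(list), "injections": defaultdict(list)}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "process":
            g["procs"][e["pid"]] = e
            g["children"][e["ppid"]].append(e["pid"])
        elif e["type"] == "inject":
            g["injections"][e["pid"]].append((e["ts"], e["target_pid"]))
        elif e["type"] in KEY_FIELD:
            g["artifacts"][e["pid"]].append((e["ts"], e["type"], e[KEY_FIELD[e["type"]]]))
    return g


def ancestry(g, pid):
    """Parent chain from the oldest known ancestor down to pid."""
    chain, seen = [], set()
    while pid in g["procs"] and pid not in seen:   # seen guards against bad ppid loops
        seen.add(pid)
        chain.append(pid)
        pid = g["procs"][pid]["ppid"]
    return chain[::-1]


def descendants(g, pid):
    """Every process spawned (transitively) by pid."""
    out, stack = [], [pid]
    while stack:
        p = stack.pop()
        for c in g["children"].get(p, []):
            out.append(c)
            stack.append(c)
    return out


def detection_context(g, pid):
    """Collect what a responder needs around one detected process: the parent
    chain, the subtree it spawned, the artifacts each of those touched, and any
    process injected into by the detection or its subtree, with that target's
    activity *after* the injection (attacker activity inside a benign host)."""
    chain = ancestry(g, pid)
    subtree = descendants(g, pid)
    ctx = {"chain": chain, "subtree": subtree, "artifacts": {}, "injected": {}}
    for p in chain + subtree:
        ctx["artifacts"][p] = [(t, v) for _, t, v in g["artifacts"].get(p, [])]
    for p in [pid] + subtree:
        for inj_ts, target in g["injections"].get(p, []):
            post_art = [(t, v) for ts, t, v in g["artifacts"].get(target, []) if ts > inj_ts]
            post_children = [c for c in g["children"].get(target, [])
                             if g["procs"][c]["ts"] > inj_ts]
            ctx["injected"][target] = {"by": p, "artifacts": post_art, "spawned": post_children}
    return ctx


def render(g, ctx, detected):
    """Indented text tree: ancestors down to the detection, then its subtree,
    with artifacts and injection targets hung off the process that made them."""
    chain, lines = ctx["chain"], []

    def name(p):
        return f'{g["procs"][p]["image"]} [{p}]'

    def walk(p, depth):
        lines.append("  " * depth + name(p) + ("  <-- detection" if p == detected else ""))
        for t, v in ctx["artifacts"].get(p, []):
            lines.append("  " * (depth + 1) + f"{t} -> {v}")
        for target, info in ctx["injected"].items():
            if info["by"] == p:
                lines.append("  " * (depth + 1) + f"injected -> {name(target)}")
                for t, v in info["artifacts"]:
                    lines.append("  " * (depth + 2) + f"{t} -> {v} (post-injection)")
                for c in info["spawned"]:
                    lines.append("  " * (depth + 2) + f"spawned -> {name(c)} (post-injection)")
        if p in chain and p != detected:          # ancestors: follow only the chain
            walk(chain[chain.index(p) + 1], depth + 1)
        else:                                      # detection and below: full subtree
            for c in g["children"].get(p, []):
                walk(c, depth + 1)

    if chain:
        walk(chain[0], 0)
    return "\n".join(lines)


if __name__ == "__main__":
    graph = build_graph(EVENTS)
    print(render(graph, detection_context(graph, 400), 400))
```

Run as a script it prints the chain explorer.exe, winword.exe, cmd.exe, powershell.exe with the PowerShell process flagged as the detection, its outbound connection, dropped file and Run-key entry beneath it, and the injection into explorer.exe followed by explorer's post-injection beacon and the notepad.exe it spawned. The point of the injection edge is that explorer.exe's later behaviour would otherwise sit under a benign root and never be linked to the alert.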
Relying on visualization allows responders to quickly see the context surrounding a detection and share that data with relevant stakeholders in a simple and intuitive way, ensuring the information is accessible to everyone who needs it.
“Even the most experienced and skilled blue teams need tools to help them do their job well. Detectree is a simple tool, but it tackles real issues that make work unnecessarily difficult and time-consuming for security teams,” he said.
Detectree is now available for download on the WithSecure Countercept GitHub page.
More information about Detectree is available on the WithSecure Labs page: https://labs.withsecure.com/tools/detectree