Backstory: The forward-thinking solution for threat hunting

Backstory is a new threat hunting platform, developed by Chronicle. Leveraging Google, Cloud and Threat Feed technologies it provides analysts the ability to deep dive into accessible and enriched logs.

It gives companies 12 months of hot storage with sub-second search ability. It takes what Google Search does and gives it to the security industry. “How many devices accessed this IP address in the past 12 months” can be answered in the click of your fingers and this is something the cybersecurity industry hasn’t really seen before.

Nowhere to hide for malicious actors

While that is a feat in itself Backstory takes this further; it takes IOC (Indicator of Compromise) feeds from multiple sources (including Government agencies and VirusTotal) and can apply this to data it ingests. All ingested data gets indexed so Backstory will automatically retro-search the indexed data every time it sees a new IOC.

This means there’s truly nowhere to hide for malicious actors; the moment they are on the radar an analyst can quickly pivot off this information to provide a detailed timeline of when an environment became first infected and all the other devices involved. This provides you 100% coverage from those ‘low and slow’ type of infections.

Backstory presents this data in such a way that the analyst gets a comprehensive view of what happened before and after, from all log sources ingested into the platform. Well thought out visualisation of this data makes is easy to identify interesting patterns of behaviours:

Backstory screenshot

In the screenshot above it’s clear to see all that in action. In one simple view, we can see a rare domain, the process that interacted with it and then clear beaconing activity; streamlining an analyst workflow.

As for what data can be consumed by the platform, Backstory made it clear there are not really any limits. All Backstory needs to do is index the data and if it can’t do that straight away the Backstory team will support the end user to get their data ingested on to the platform; this functionality is then added to the product meaning everybody gets the benefit. Even in its infancy Backstory can take in DHCP, DNS, Proxy and EDR – with most of the major players already supported.

The impressive speed capability isn’t just limited to data search but extends to the ingestion too as Backstory can rapidly scale out dynamically. Log collection is simple too, adopting a containerised approach with multiple ingestion methods. If you’ve already got existing solutions, Backstory can also consume feeds from these giving businesses the freedom to migrate to the cloud or augment with their existing SIEMs.

What does this mean?

Unlimited log collection and storage, sub-second query responses across entire log data sets, clean informative presentation of data will all associated contextual data on hand. All scalable and readily available in the cloud.

By Nathan Webb
Cyber Security Analyst

News

Cyberseer is Proud to Announce its Partnership with Chronicle to Become One of The UK's First MSSPs to Power it's Managed Security Service

Demo

Our forensic analysts would be delighted to give you a demo of Backstory and answer any questions that you may have.

Downloads

White papers, data sheets and more information on the technologies that we use and the services that we provide are available here.