Review: Mantix4 provides threat hunting as a service

Given the insidious nature of advanced threats, it’s almost a certainty that every organization of any size will eventually be hacked or compromised, regardless of what or how many cybersecurity defenses are in place. In response, the somewhat new concept of threat hunting is becoming an increasingly important part of cybersecurity defenses.

But true threat hunters are rare, even compared with the shortage of other IT workers and cybersecurity personnel. Threat hunters are trained to look at a variety of factors within a network from traffic and DNS records to SIEM reports and almost everything else. The best hunters examine that data to come up with hunches about things that don’t quite feel right. They then set out to track down and uncover threats within their network that may have eluded other analysts and security programs.

We have reviewed quite a few threat hunting programs in the past. However, almost all of them were designed as tools to help threat hunters do their jobs. The problem with that is that it requires organizations to have threat hunters in the first place. Otherwise, it’s like handing a sleek new rifle to someone who has never shot a gun before, and sending them off into the woods with the expectation that they will bring back dinner.

The Mantix4 platform (named after the apex predator of the insect kingdom the praying mantis) seeks to solve the people problem. While the program provides robust threat hunting tools for use by clients, the company also employs a team of experts to hunt on their behalf. It takes threat hunting into the software as a service (SaaS) realm.

Mantix4 was originally designed for the Canadian government’s Department of Public Safety, which is the equivalent of the Department of Homeland Security in the United States. In Canada, Mantix4 helps to defend networks sitting in ten sectors considered critical infrastructure, rooting out threats that might bypass more traditional protection.

The system is deployed as two components. The first part is comprised of observer sensors that sit at critical points within a protected network, either alongside routers or at network gateways, though they can be deployed almost anywhere depending on the need. The sensors are lightweight enough to be housed inside a virtual machine, or within a network server with additional bandwidth. However, because the observer sensors process and record a lot of traffic, the best deployment is probably going to be as a small appliance that hosts nothing else, something the company provides. The sensors can be set to work inline, or to passively sniff network traffic.

The second part is the analytics server, the brains of the system, to which the observer sensors report. It is hosted in a secure datacenter run by Mantix4 so that it can be kept constantly updated with the latest features and patches, and to ensure that it has enough power to process whatever data the sensors are sending it. In most cases, Mantix4 is up and running in less than a day. Government agencies or especially cautious organizations can opt to instead host the analytics server themselves, but would need to give Mantix4 access to it to take advantage of SaaS threat hunting, and to keep the server up to date with the latest program updates and patches.

Most deployments of Mantix4 only require one or two observer sensors. Our test environment had a single sensor. Mantix4 officials said that their largest deployment has about 20 sensors, deployed for a group with a widely distributed workforce in quite a few geographically dispersed locations. Pricing for Mantix4 is a monthly subscription fee that is based on the number of employees at an organization, plus a nominal fee for each sensor.

The testing for Mantix4 involved using the tools for threat hunting as a user would, as well as observing the 20-person threat hunting team at the company uncover threats as they would for the service. Users get both options with each deployment. They can access the threat data anytime through a web portal, and each client gets about an hour of guaranteed threat hunting on their behalf every day. Some clients also opt to sponsor more threat hunting time.

The main interface for Mantix4 is extremely visual. At the topmost level, users get a real-time picture of all inbound and outgoing traffic across their network overlaid on a globe and map that shows geographical information. It looks a bit like a Star Wars blaster fight with all the packets zooming past. When you drill down, the less visual, but still highly interactive, important data is accessible.

John Breeden II/IDG

Mantix4 makes it extremely easy for threat hunters to create hunches about suspect network activity. Right clicking on any type of data brings up new options for filtering. You can keep working with the filters until you uncover something suspect. We quickly zeroed in on a two-way conversation that had taken place between a local client and an unnamed server in China. The communication was taking place on a very high port up in the 400s that was likely unused for anything else. Although the interaction was extremely brief, and not enough to trigger other installed security programs, it didn’t look right.

John Breeden II/IDG

Using the graphical interface, we were able to inspect all aspects of the suspicious behavior, even catching events that were seemingly unrelated, at least at first. We first investigated the user in question, but found no indication of other suspect activity. Then we searched for other network clients that were communicating with the nameless server in China, but also came up empty. Finally, we looked for any communications taking place at that high-numbered port. Here, more events came into focus, as other little bursts of communications were revealed across the network on that same port. They were going to other nameless servers, but all of them were within China.

That information fostered more investigation and revealed a hole in network defenses that was being exploited, and how that feat was being accomplished. Likely, this was the setup phase for a larger campaign, or a configuration of exfiltration points for a future attack.

John Breeden II/IDG

Armed with this information, users could plug the hole and take steps to prevent similar types of attacks or pre-attacks from the same adversary. Had the Mantix4 internal teams found this exploit first, a report would have been generated for the client. Reports are highly detailed and show exactly how a hidden attack is taking place, possible targets and recommendations on how to fix the issue.

John Breeden II/IDG

As part of their SaaS offering, the staff at Mantix4 can walk clients through threat reports, demonstrating how the program was used to uncover specific incidents. Over time, this can help a client’s IT team learn how to conduct threat hunting on their own using the software tools, while always keeping the SaaS hunting in place as a reliable and expert backup.

John Breeden II/IDG

Whether used as the primary threat hunting activity on a network, or as a backup for local hunters, having critical threat hunting offered as a service really sets the Mantix4 offering apart from most others. Mantix4 works great as tool to aid local threat hunters, but also as a way to offload or offset that increasingly important security function to trained hunters who know how to bag the most dangerous, hidden threats – ones that may already be roaming around inside a supposedly secure network.