Compromise Overview - Lumu Portal

Compromise Overview

Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools.

In this section of the Lumu Portal, you have access to the dashboard and details on the activity and distribution of the Indicators of Compromise (IoC) that Lumu identified in your organization. IoCs are evidence that the system is compromised.

The Overview dashboard offers a general outline of the incidents (1) and two data visualizations: Activity (2) and Distribution (3). You can filter each view by predefined date ranges (4) or click to go to the report for more filtering options and details. The overview also shows the information on active Collectors, such as Virtual Appliances, Agents, and a summary of Spambox metadata collection (5).

Compromise Overview dashboard Compromise Overview dashboard

Activity Report

In this area, Lumu provides comprehensive and detailed visibility into the various compromise activities (IoCs) detected in your network, along with all context information for in-depth analysis, which allows you to visualize how and when your network is being compromised.

Filter the threat activity by label (1) or by date. The default date range is the last 7 days. Click on each card (2) to remove or add that threat type from the graph. Hover over any point on the graph (3) to see the breakdown of the types of compromise detected during that day.

Dashboard of compromise activity - threat centered Dashboard of compromise activity - threat centered

The Threat Summary shows the list of IoCs grouped by the adversary’s IoC. You can filter this dashboard by IoC or type (1). In this section, you find detailed adversary information such as their IoC and threat types (2), threat details (3), the last time Lumu found this threat in your network metadata (4), and the total contacts between the IoC and your infrastructure (5).

Details of compromise activity Details of compromise activity
Note that some features, such as end-point level visibility, are only available for Lumu paid subscriptions. For more details, consult Lumu Offerings.
Click on a domain shown in the Threat Summary area to open the Compromise Radar (1) to have a preview of the compromising behavior. Depending on your Lumu subscription, this view will present specific details of the endpoint affected. Click on the magnifying glass (2) to go to the Compromise Context feature and receive deeper insights.

Compromise Radar for adversary activity details Compromise Radar for adversary activity details

Compromise Context

Compromise Context allows threat researchers and incident responders to enrich confirmed compromise information and understand how a particular compromise is spreading. Implement the proper response to the most critical compromise questions.

Compromise Context arms your security team with factual compromise data that enables them to immediately implement a precise response to threats in a timely manner.

The Detail area of the Compromise Context includes links to external resources (1), threat triggers, related files (2), Compromise Radar (3), Attack Distribution(4), and Spambox correlation (5).

Compromise Context -  threat details Compromise Context - threat details

The Compromise Radar unveils the nature of attacks and their behavior by analyzing how your assets are communicating with adversarial infrastructure, allowing security analysts to differentiate occasional contact from persistent and automated compromises.

Around the Compromise Radar, you have the hour of the day from 0h to 23h (1). The numbers inside the circle represent the total contacts during each hour. The colors (2) represent the day of the week, which you can click to hide or show on the radar to check for patterns. You also have context information (3) regarding the affected timestamp, labels, and endpoints.

Compromise Radar Compromise Radar
During incident response, prioritize compromises that have multiple contacts detected, as they have had more chances of having been successful in compromising your infrastructure.

The Attack Distribution is a dynamic visualization tool that enables Lumu Insights and Lumu Defender customers to track and measure critical environments such as SWIFT, PCI-DSS, IOTs devices to take immediate action. You can click on the zoomable chart (1) to drill deeper into your labeled threat activity, revealing how a specific compromise has spread inside an organization’s network. Use the zoomable timeline (2) of the attack to drill down and check when the attack affected each labeled asset.

Attack Distribution Attack Distribution

The Spambox section can help you understand who adversaries are attempting to compromise in your organization and how they are being targeted.

Spambox correlationSpambox correlation
Consult our Spambox documentation to learn more about this feature.

Within the Context tab, you can learn more about why Lumu classified the event as a compromise by reviewing the Threat Triggers and Related Files (1) and downloading these resources (2) to facilitate the configuration of policies that address these compromises using your current cybersecurity strategy.

This section also offers actionable steps for responding to each incident, with integrated links (3) to related articles by leading security researchers covering a particular threat. We also provide Lumu Incident Response Playbooks (4) based on the National Institute of Standards and Technology (NIST) Framework, which includes best practices for how to use Lumu to respond to specific attacks.

Compromise Context Compromise Context

Lumu automates and operationalizes the MITRE ATT&CK® Matrix by presenting it for each compromise found on the portal, helping organizations spot gaps in defenses, identify priorities, and make more accurate decisions about impending risks. The automated ATT&CK Matrix is included with Lumu paid subscriptions.

Compromise Context Compromise Context
To learn more about the ATT&CK Matrix feature, consult our documentation.

Distribution

A comprehensive view of your compromise level through the distribution of malicious activities detected in your organization according to the endpoints and assigned labels. Filter (1) the compromise information displayed by label or date and zoom (2) into the chart, which allows you to have visibility into how compromises spread among your assets, so you can  focus efforts on what an organization considers critical for a successful cyberdefense strategy.

Compromise Distribution dashboard Compromise Distribution dashboard
Assign labels to your traffic to help easily identify the compromise distribution across your infrastructure, and prioritize incidents in a way that makes sense for your organization.

Distribution Summary shows details on the distribution of attacks grouped by endpoints. You can filter the compromise distribution by label and period (1) and endpoint or threat type such as malware, spam, phishing, etc. (2). This section includes information such as the endpoints affected (3), the labels (4), the collector that captured the metadata (5). You also have trend visualizations showing the IoCs’ distribution by each endpoint by threat type (6). Other information provided in this section includes the total contacts (7) between IoCs and your infrastructure.

Compromise distribution summary Compromise distribution summary

Note that for Lumu Free customers, this distribution area will display limited information regarding the endpoints affected.

To take full advantage of Lumu’s Continuous Compromise Assessment, correlating diverse sources such as net flows, upgrade to a Lumu paid subscription for detailed collection with your premise, cloud, and remote environments.
Click on an endpoint on the list to see its distribution details (1), such as when and how often this endpoint was compromised and the type of attacks and adversary information (2).
Details of the compromise distribution Details of the compromise distribution

Incident Response

We recommend being familiar with Lumu’s Incident Response Playbooks based on the National Institute of Standards and Technology (NIST) Framework that include best practices for how to use Lumu to respond to specific attacks.

To know more about Lumu Portal:
  1. Incident Management
  2. Collectors
  3. Labels
        • Related Articles

        • Lumu Portal

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. The Lumu ...
        • Spambox

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. In this ...
        • Incidents

          The Lumu Portal offers a centralized and intuitive way to manage your incidents, track their statuses, and review which incidents have been solved—for simpler and faster activation of response processes. In this view of the Lumu Portal, you can stay ...
        • Labels

          Lumu simplifies Continuous Compromise Assessment by consolidating its management, reporting, and related contextual intelligence within a single portal. Security teams no longer need to chase down data from multiple network monitoring tools. Labels ...
        • MITRE ATT&CK Matrix

          The MITRE Corporation is a nonprofit organization founded in 1958 that supports various U.S. government agencies at the highest levels. MITRE ATT&CK®, which stands for Adversarial Tactics, Techniques, and Common Knowledge, is a comprehensive matrix ...