Lumu Playback

The cybersecurity industry has developed numerous methods to defend against zero-day threats and emerging attacks. However, many attacks still slip through undetected because of the increasingly sophisticated evasion tactics employed by cybercriminals. A prime example is the Advanced Persistent Threat (APT).
According to IBM's 2022 Cost of a Data Breach report, the mean time to identify a breach was 207 days, almost seven months.

Attackers are highly resourceful in discovering new ways to infiltrate and compromise the networks of unsuspecting organizations. What if your network is breached by a technique so new that no one in the cybersecurity industry has identified its indicators of compromise (IoCs) yet? Real-time analysis can only match metadata against the IoCs known at the time of the contact, so in a case like this Lumu's real-time analysis will not reflect the actual compromise state of the network, and the adversary can remain active and undetected. This is where Lumu Playback comes into play: it lets your organization take a proactive approach against insidious attackers and attack precursors, instead of reacting once the adversary reveals itself along with the damage it has already caused.

What is Lumu Playback? 

Lumu Playback® allows Lumu to store and log up to two years of network metadata and analyze it retroactively. This means that older data that didn't show signs of compromise at the time can be analyzed later while considering new findings, information, and detected IoCs to reveal potential incidents and compromise. It also allows Lumu customers to run queries on stored metadata logs for compliance, forensic investigations, and threat hunting exercises.

How does Lumu Playback work? 

Lumu can store and log up to two years of metadata and run automated analysis on it to cross-check it against more recent intelligence, including the thousands of new IoCs that are confirmed and verified by various intelligence sources every day. This way, incidents that would otherwise have remained undetected can be brought to light, protecting organizations from insidious attackers and the harm they entail. The stored data is also available on demand and can be queried by the organization for internal use and for compliance purposes.

[Image: Playback Incident Details]

When you find an incident in the Lumu Portal with a small clock icon beside it, as seen in the image above, that incident was found by Lumu Playback. Below the incident you will also find all detected contacts and activity related to it, together with the confirmed IoC.

By going to the Highlights tab, you will be able to easily see the incident's summary. Here, you'll find relevant information about it such as the date when the incident was opened, the date of the first contact and the duration of the incident. 

Remember that these dates can differ widely: an incident is opened on the date the IoC becomes known to Lumu through newly discovered intelligence, which can be months after the date when the actual contact occurred.

[Image: Playback Incident Summary]

How can I use Lumu Playback in my operation?

We will explore two particular use cases where Lumu Playback® can provide value to our customers.

Retrospective Threat Hunting

Previously undetected incidents translate into latent risks, and the longer they go on, the worse their consequences can be. Older data isn't necessarily obsolete data, and the incidents found by Lumu Playback must be handled by your organization's cybersecurity team as they would handle any other confirmed incident.

If Lumu Playback detects an incident retroactively, treat it as an active threat: any incident your organization hasn't taken action against may well be an adversary that has been causing harm to your organization since the date of the first contact.

Ask yourself the following questions and operate the incident accordingly:

  1. Was this IoC on my organization's radar? 
  2. Has it been active recently according to the data on the Lumu Portal? 
  3. Which devices and endpoints have made contact with it and how often? 
  4. How much damage could it do if left unattended? 
  5. Is ignoring an incident found by Playback a risk worth taking?

If after answering these questions, you conclude that your network has been, or even worse, is still in contact with an adversary, then Playback has already made a positive impact in your cybersecurity operation.

Network Log Retention

Lumu stores and logs up to two years of metadata from the organization’s network, which is used for retroactive threat analysis; however, this isn’t its only use. The logged network metadata is available on demand and can be queried by the organization for its own internal procedures. Here are some examples:
  1. Forensic investigations: When carrying out forensic investigations, the cybersecurity team can query Lumu for historical traffic to and from particular endpoints during specific time frames. This allows the team to drill down and investigate contacts made to and from affected devices during vulnerable periods, which can provide vital intelligence on the actual extent of the attack.
    To query data for this purpose, create a support ticket using the provided option that contains something along these lines: “What was the traffic of endpoint A during the period between date B and date C?”
  2. Threat Hunting Exercises: During threat-hunting exercises and procedures, it’s vital to understand which assets in the network have contacted affected endpoints. These types of lateral movements can reveal vital evidence of hidden threats and allow the organization to prevent further damage.
    To query data for this purpose, create a support ticket using the provided option that contains something along these lines: “Which assets in my organization’s network contacted destination A during the period of time between date B and date C?”
Bear in mind that only metadata stored and analyzed by Lumu during the last two years can be queried.
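The following is an added example, not Lumu's own code, illustrating the mechanics behind both the retroactive analysis described under "How does Lumu Playback work?" and the two retention queries above. It runs over a small constructed metadata store (the hostnames, the 203.0.113.45 address and the timestamps are invented for the example) and makes three assumptions: each metadata record carries a timestamp, an internal source asset, a destination and a protocol; an IoC carries the date an intelligence source confirmed it; and the incident is "opened" on that confirmation date, which is what makes the opened date fall well after the first contact. The two-year window is modelled as 730 days, and every query is restricted to that window, as the note above requires.

```python
"""Retrospective IoC matching and retention queries over stored network metadata.

Added example; not Lumu's code. Record layout, sample traffic and the
'opened = IoC confirmation date' rule are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta


@dataclass(frozen=True)
class Contact:
    """One row of network metadata: which asset contacted what, and when."""
    ts: datetime   # time of the contact
    src: str       # internal asset (hostname or IP)
    dst: str       # contacted destination (domain or IP)
    proto: str     # protocol/port, e.g. "dns" or "tcp/443"


@dataclass(frozen=True)
class Ioc:
    """An indicator of compromise and the date intelligence confirmed it."""
    indicator: str
    confirmed_on: date


# Constructed sample metadata (not real traffic). 203.0.113.45 is a
# documentation address standing in for a command-and-control server.
METADATA = [
    Contact(datetime(2023, 1, 10, 8, 2), "ws-17", "updates-cdn.example", "dns"),
    Contact(datetime(2023, 1, 10, 8, 2), "ws-17", "203.0.113.45", "tcp/443"),
    Contact(datetime(2023, 2, 3, 22, 15), "srv-db-01", "203.0.113.45", "tcp/443"),
    Contact(datetime(2023, 2, 28, 9, 0), "ws-17", "files.example", "dns"),
    Contact(datetime(2023, 4, 14, 13, 30), "ws-22", "203.0.113.45", "tcp/443"),
]

# Constructed IoC: the address was only confirmed malicious on 2023-06-01,
# almost five months after ws-17 first reached it.
NEW_IOCS = [Ioc("203.0.113.45", date(2023, 6, 1))]

RETENTION_DAYS = 730  # two years of metadata (assumption: 730 calendar days)


def in_retention(store, today):
    """Keep only metadata inside the retention window that ends today."""
    cutoff = datetime.combine(today - timedelta(days=RETENTION_DAYS), datetime.min.time())
    return [c for c in store if c.ts >= cutoff]


def playback_incidents(store, iocs, today):
    """Cross-check retained metadata against newly confirmed IoCs.

    Returns one summary per matched IoC with the fields the Highlights tab
    shows: date opened (here: when the IoC was confirmed), first contact,
    last contact and duration, plus the assets involved. The gap between
    'opened' and 'first_contact' is the time the adversary went undetected.
    """
    retained = in_retention(store, today)
    incidents = []
    for ioc in iocs:
        hits = sorted((c for c in retained if c.dst == ioc.indicator), key=lambda c: c.ts)
        if not hits:
            continue
        first, last = hits[0].ts.date(), hits[-1].ts.date()
        incidents.append({
            "indicator": ioc.indicator,
            "opened": ioc.confirmed_on,
            "first_contact": first,
            "last_contact": last,
            "duration_days": (last - first).days,
            "days_before_detection": (ioc.confirmed_on - first).days,
            "assets": sorted({c.src for c in hits}),
            "contact_count": len(hits),
        })
    return incidents


def traffic_of_endpoint(store, endpoint, start, end, today):
    """Forensic query: traffic to and from endpoint A between dates B and C (inclusive)."""
    return [c for c in in_retention(store, today)
            if endpoint in (c.src, c.dst) and start <= c.ts.date() <= end]


def assets_that_contacted(store, destination, start, end, today):
    """Threat-hunting query: which assets contacted destination A between B and C,
    and how many times each (the "how often" question from the checklist above)."""
    counts = {}
    for c in in_retention(store, today):
        if c.dst == destination and start <= c.ts.date() <= end:
            counts[c.src] = counts.get(c.src, 0) + 1
    return counts


if __name__ == "__main__":
    today = date(2023, 6, 1)
    for inc in playback_incidents(METADATA, NEW_IOCS, today):
        print(inc)
    print(traffic_of_endpoint(METADATA, "ws-17", date(2023, 1, 1), date(2023, 1, 31), today))
    print(assets_that_contacted(METADATA, "203.0.113.45", date(2023, 1, 1), date(2023, 12, 31), today))
```

Run against the sample store on 2023-06-01, the incident is opened that day but its first contact is 2023-01-10 and its last 2023-04-14, so three different assets reached the address over 94 days and 142 days passed before the indicator was known; run the same analysis two years later and the contacts fall outside the retention window and nothing is found, which is the practical meaning of the two-year limit.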
