Lumu Playback

The cybersecurity industry has found many ways to defend against zero-day threats and emerging attacks; however, several attacks and techniques still go undetected because cybercriminals keep refining their evasion techniques. Advanced Persistent Threats (APTs) are a good example of this.
According to IBM's 2022 breach report, the mean time to detect a breach was 207 days, almost 7 months.

Attackers are very resourceful when it comes to finding new ways to infiltrate and compromise the networks of unsuspecting organizations. What if your network gets compromised by a technique so new that nobody in the cybersecurity industry knows any of its indicators of compromise (IoCs)? In that case, Lumu's real-time analysis of network metadata has no known IoC to match the attack's traffic against, so the result differs from what it would be if the IoCs were already known, and the adversary may remain active and undetected. This is where Lumu's Playback feature comes into effect: it lets your organization take a proactive approach against insidious attackers and precursors, instead of reacting only when the adversary reveals itself along with the damage it has caused.

What is Lumu Playback? 

Lumu's Playback feature allows Lumu to analyze network metadata retroactively. This means that older data that didn't show signs of compromise at the time can be analyzed later in light of new findings, intelligence, and newly detected IoCs to reveal potential incidents and compromise.

How does Lumu Playback work? 

Lumu can store up to two years of metadata and run automated analysis on it to cross-check it against more recent intelligence, including the thousands of new IoCs confirmed and verified by various intelligence sources every single day. This way, incidents that would otherwise have remained undetected can be brought to light, protecting organizations from insidious attackers and the harm they entail.

[Image: Playback Incident Details]

When you find an incident in the Lumu Portal with a small clock icon beside it, as seen in the image above, that incident was found by Lumu Playback. Below it, you will also find all detected contacts and activity related to this incident and the confirmed IoC.

By going to the Highlights tab, you will be able to see the incident's summary at a glance. Here you'll find relevant information such as the date the incident was opened, the date of the first contact, and the duration of the incident.

Remember that these dates can differ widely: an incident opened on the basis of newly discovered intelligence may be opened long after the actual contact occurred.

[Image: Playback Incident Summary]

How can I use Lumu Playback in my operation?

Previously undetected incidents translate into latent risks, and the longer they go on, the worse their consequences can be. Older data isn't necessarily obsolete data, and the incidents found by Lumu Playback must be handled by your organization's cybersecurity team as they would handle any other confirmed incident.

If Lumu Playback detects an incident retroactively, treat it as an active threat: any incident your organization hasn't taken action against may well be an adversary that has been causing harm to your organization since the date of the first contact.

Ask yourself the following questions and operate the incident accordingly:

  1. Was this IoC on my organization's radar?
  2. Has it been active recently according to the data on the Lumu Portal?
  3. Which devices and endpoints have made contact with it, and how often?
  4. How much damage could it do if left unattended?
  5. Is ignoring an incident found by Playback a risk worth taking?

If, after answering these questions, you conclude that your network has been in contact with an adversary, or worse, still is, then Playback has already made a positive impact on your cybersecurity operation.
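To make the mechanism concrete, here is an added illustration (not Lumu's code) of the retroactive matching described under "How does Lumu Playback work?" together with the data points the triage questions above ask for. It assumes a simplified metadata record (date, endpoint, destination), an IoC feed that records the day each indicator was confirmed, and an incident open date equal to the later of the IoC confirmation date and the first contact; the sample records and indicators are constructed.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed sample data: stored network metadata reduced to the fields the
# example needs, and an IoC feed mapping indicator -> date it was confirmed.
STORED_METADATA = [
    {"date": date(2023, 1, 10), "endpoint": "host-01", "dst": "c2.example-bad.test"},
    {"date": date(2023, 1, 12), "endpoint": "host-01", "dst": "c2.example-bad.test"},
    {"date": date(2023, 2, 3),  "endpoint": "host-07", "dst": "c2.example-bad.test"},
    {"date": date(2023, 2, 3),  "endpoint": "host-07", "dst": "cdn.legit.test"},
    {"date": date(2023, 5, 20), "endpoint": "host-07", "dst": "c2.example-bad.test"},
]
IOC_FEED = {"c2.example-bad.test": date(2023, 6, 1)}  # confirmed months after first contact


def playback(metadata, ioc_feed, today, recent_window_days=30):
    """Re-scan stored metadata against the current IoC feed and build one
    incident per matched indicator, keeping the contact set for triage."""
    incidents = {}
    for rec in metadata:
        if rec["dst"] in ioc_feed:
            incidents.setdefault(rec["dst"], []).append(rec)

    summary = {}
    for ioc, contacts in incidents.items():
        dates = [c["date"] for c in contacts]
        first_contact, last_contact = min(dates), max(dates)
        confirmed = ioc_feed[ioc]
        summary[ioc] = {
            "first_contact": first_contact,
            # Assumption: an incident opens when the IoC is confirmed or on the
            # first contact, whichever is later; earlier contacts are Playback finds.
            "opened": max(confirmed, first_contact),
            "found_by_playback": first_contact < confirmed,
            "duration_days": (today - first_contact).days,  # still open today
            # Triage question 3: which endpoints contacted the IoC, and how often.
            "per_endpoint": dict(Counter(c["endpoint"] for c in contacts)),
            # Triage question 2: any contact inside the recent window.
            "active_recently": today - last_contact <= timedelta(days=recent_window_days),
        }
    return summary


def run_example():
    """Run the playback over the constructed data as of 2023-06-05."""
    return playback(STORED_METADATA, IOC_FEED, today=date(2023, 6, 5))
```

Because the first contact predates the IoC's confirmation, the incident is opened 142 days after it actually began, which is the gap the Highlights tab dates expose.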
