After first blocking the communications channel, HawkEye G examined the file and recorded everything it was attempting to do, information that could later help determine the threat level and the intended target of the offending program.
HawkEye G then automatically stopped the process from running on the host computer. The file's MD5 hash was recorded for later use. Once the process was stopped, the malicious file was encrypted and renamed with a .quarantine extension. Had HawkEye G been operating at cybercon one, the program could have been automatically deleted. However, since it was operating at cybercon three during the first test, it instead kept the file encrypted and locked away.
In the event that a user actually needed that file to run for whatever reason, it could be restored by an operator. This would likely only take place in the event of a false positive, which this clearly wasn't, but the option is there as a security blanket for organizations that fear fully automatic control of their cyber security.
Because the malware was clearly identified as a threat, HawkEye G then scanned the other clients on our test network, finding a file with the same MD5 hash on another client, which indicated that the program was present there but had not yet run. It was automatically encrypted and quarantined as well, though again, it could have been deleted outright depending on the cybercon level HawkEye G was operating under at the time.
Trying to install the same malware on any other system within the testbed resulted in its automatic deletion at high cybercon threat levels, and encryption and quarantine at more relaxed levels.
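The containment sequence described above (hash the sample, contain it on the detecting host, encrypt it under a .quarantine name, sweep the other hosts for the same MD5, and delete or quarantine according to the cybercon level) is sketched below as an added, runnable example. It is not HawkEye G's code and makes no claim about how the product is implemented: hosts are modelled as directories, the "cybercon" levels, function names and key are assumptions for the illustration, and the cipher is a stdlib-only SHA-256 counter-mode keystream chosen so the example runs offline.

```python
"""Illustrative automated quarantine workflow (added example, not HawkEye G code).

Models the steps the review describes: hash the offending file, encrypt it
in place under a .quarantine name so it can no longer execute, sweep other
hosts for the same hash, and either quarantine or delete depending on an
assumed 'cybercon' level. Hosts are modelled as directories.
"""
import hashlib
from pathlib import Path

QUARANTINE_EXT = ".quarantine"


def md5_of(path: Path) -> str:
    """Hex MD5 of a file, read in chunks so large binaries are handled."""
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _keystream_xor(data: bytes, key: bytes) -> bytes:
    """SHA-256 in counter mode used as a symmetric stream cipher (same call
    encrypts and decrypts). Illustrative only; a product would use a vetted
    authenticated cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        chunk = data[i:i + 32]
        out.extend(b ^ k for b, k in zip(chunk, block))
    return bytes(out)


def quarantine(path: Path, key: bytes) -> Path:
    """Encrypt the file, write it with a .quarantine suffix, remove the original."""
    qpath = path.with_name(path.name + QUARANTINE_EXT)
    qpath.write_bytes(_keystream_xor(path.read_bytes(), key))
    path.unlink()
    return qpath


def restore(qpath: Path, key: bytes) -> Path:
    """Operator-driven reversal for a false positive: decrypt back to the original name."""
    original = qpath.with_name(qpath.name[: -len(QUARANTINE_EXT)])
    original.write_bytes(_keystream_xor(qpath.read_bytes(), key))
    qpath.unlink()
    return original


def sweep_hosts(hosts: list[Path], target_md5: str) -> list[Path]:
    """Find every not-yet-quarantined file on the hosts whose MD5 matches the sample."""
    matches = []
    for host in hosts:
        for p in host.rglob("*"):
            if p.is_file() and not p.name.endswith(QUARANTINE_EXT) and md5_of(p) == target_md5:
                matches.append(p)
    return matches


def respond(detected: Path, hosts: list[Path], cybercon: int, key: bytes) -> dict:
    """Hash the detected file, contain it, then contain every matching copy elsewhere.
    Assumed policy: cybercon 1 (most aggressive) deletes, higher levels encrypt and quarantine."""
    sample_md5 = md5_of(detected)
    actions = {"md5": sample_md5, "deleted": [], "quarantined": []}
    others = [p for p in sweep_hosts(hosts, sample_md5) if p != detected]
    for target in [detected] + others:
        if cybercon == 1:
            target.unlink()
            actions["deleted"].append(str(target))
        else:
            actions["quarantined"].append(str(quarantine(target, key)))
    return actions
```

Two points a practitioner would check in such a workflow: the sweep matches only byte-identical copies, because a hash changes with a single differing byte (the example keeps MD5 because that is what the review describes; recording SHA-256 alongside it costs nothing), and the restore path must be restricted to operators, since anyone who can call it can bring the contained file back.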
Other attacks were conducted against protected clients, and all were turned away by HawkEye G. One interesting thing about the program is that the longer it's installed on a network, the better it becomes at automating the actions a human operator would take. Whenever an operator takes an action against malware, that action is recorded and automatically applied each time a similar process or threat occurs. With multiple threat feeds and active operators training the program simply by doing their jobs while it observes, it's difficult to conceive of a scenario where a network protected by HawkEye G could become compromised.
HawkEye G is a big leap forward for automated incident response. Unless it's forced to run at a cybercon level that hamstrings its automatic response capability, it does a great job of identifying threats, blocking, removing and then purging them from a network while also locking things down so that they can never return.
The only way to successfully combat the multitude of threats these days is with automation, and HawkEye G makes this possible in a safe way that keeps humans apprised of the situation but doesn't require their approval to get the job done.