F-Secure Configuration (APT3 Evaluation)

The following product description and configuration information was provided by the vendor and has been included in its unedited form. Any MITRE comments are included in italics.

Product Versions

F-Secure Countercept

  • Countercept Platform version: 1.0.486.0
  • Countercept Agent version: 1.0.1305.306


F-Secure Countercept was built to raise the bar of the managed detection and response (MDR) industry and empower businesses by defending them against targeted attacks.

At the core of F-Secure Countercept is the Detection & Response Team (DRT), comprised of threat hunters who are experienced in successfully defending organizations based on their knowledge and understanding of offensive security. Using a combination of detections, threat hunting, forensic investigation, and “first response”, the DRT provides 24/7 detection and response across a customer’s estate.

Underpinning the DRT is our Continuous Response methodology, created collaboratively with Countercept and F-Secure Incident Response to develop the people and processes necessary to minimize the impact of an attack. By combining these with our response technology and expertise, we are able to misdirect live attackers, thereby buying time for responders to analyze, contain and remediate the threat.

F-Secure Countercept consists of the following key technology components:

  • Countercept Platform – Designed for the DRT and built around our proprietary data analytics capability, the Countercept Platform provides access to the telemetry, detections and response capabilities necessary for detection and response. All detected suspicious activity is linked to the MITRE ATT&CK framework to ensure there is a common taxonomy that can be used by threat hunters.
  • Countercept Agent – An endpoint agent for Windows, Linux or macOS, which includes the following modules:
    • Detection – Collects telemetry associated with process, network, registry, and in-memory activity.
    • Response – Remote response features including artefact retrieval, kill & block processes, host isolation and network degradation.
    • Cloud Detection Collectors – Collects telemetry associated with Microsoft Azure AD authentication activity, which is used to detect and investigate accounts that are suspected of being compromised.

Product Configuration

  • Detection – All telemetry enabled (D3, xDR Sensor)
  • Response – Disabled
  • Ransomware Prevention – Blocking Mode Disabled
  • Cloud Detection – Disabled