Our Blue Team service detects targeted attacks that common tools and security software miss. Threat hunting is an evolving process, not a technology. We have thorough knowledge of real-world attack and exfiltration techniques, and we dissect attackers’ methods so we can identify them independently of the tools used to carry them out. The resulting data also feeds our threat intelligence and CTI (Cyber Threat Intelligence).

- We know how to detect signs of attack and intruder presence in an organization’s infrastructure effectively. For a threat hunter, this means running dedicated software (e.g. a honeypot) or monitoring DNS traffic and incoming logs within a network for malicious activity.
- This involves examining the entropy of DNS requests and comparing queried domains with attack indicators (IoCs) obtained from threat intelligence, among other checks. Log analysis, on the other hand, is not limited to monitoring system events; it also means deep analysis of processes and of the resources they connect to, which can indicate a compromise of integrity.
- For active protection, existing security tests and measures should be used to identify weaknesses, security audits should be fully implemented, and existing vulnerabilities should be assessed through penetration testing services as a supplement. Newer items, such as cloud security reviews, social engineering, and red team simulations, are more specific to establishing active protection.
- Security assessments based on active vulnerability discovery are another type of active protection, meaning that the blue team should always update the system reports on published vulnerabilities.
- Active detection means that the Blue Team expert manually designs signatures for malicious files based on the discoveries in the event repositories and constantly updates the signature repositories of the detection mechanisms.
- Active detection also monitors communications and the exploitation of protocols. If experts observe the exfiltration techniques documented in MITRE ATT&CK, they immediately intercept and data-mine the communication and, if it is invalid, terminate it. This is one of the most effective threat-hunting methods and easily reveals ambiguous transaction data.
- Active reporting is one of the effective factors in accurate and complete monitoring of collected event clusters, which can be used for any network service, endpoint, router, firewall, etc. These events can be filtered through unified management with search engines such as Elasticsearch.
- To generate emergency alerts intelligently, products such as Splunk, a security signature scanner, can be used, as can operating-system facilities such as Event Tracing for Windows (ETW), a kernel-level module that records and collects all operating system events.
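The DNS entropy and IoC comparison described above, as an added example that is not part of the original page or the service’s own tooling; the log format, the IoC list and the entropy threshold are all constructed assumptions:

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log lines (not from any real network).
SAMPLE_DNS_LOG = """\
2024-05-01T10:00:01Z 10.0.0.12 query A www.example.com
2024-05-01T10:00:02Z 10.0.0.12 query A mail.example.com
2024-05-01T10:00:03Z 10.0.0.45 query TXT x7k2q9v4b8n1m3p6z0.badhost.test
2024-05-01T10:00:04Z 10.0.0.45 query A updates.microsoft.com
2024-05-01T10:00:05Z 10.0.0.77 query A evil-c2.example.net
"""

# Hypothetical IoC feed of known-bad domains (constructed placeholder values).
IOC_DOMAINS = {"evil-c2.example.net"}

LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (\S+)$")


def shannon_entropy(s: str) -> float:
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def hunt_dns(log_text: str, iocs=IOC_DOMAINS, threshold: float = 3.5):
    """Return (timestamp, client, domain, reason) for each suspicious query.

    A query is flagged if the domain is on the IoC list, or if its leftmost
    label is long and has high entropy (typical of DGA names and tunnelling
    subdomains). The threshold is an assumed starting value to tune locally.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, _qtype, qname = m.groups()
        qname = qname.lower().rstrip(".")
        if qname in iocs:
            findings.append((ts, client, qname, "ioc-match"))
            continue
        label = qname.split(".")[0]
        if len(label) >= 12 and shannon_entropy(label) >= threshold:
            findings.append((ts, client, qname, "high-entropy-label"))
    return findings
```

Legitimate CDN and cloud hostnames can also carry long random labels, so high-entropy hits are hunting leads to triage against an allowlist, not verdicts.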
Security Architecture and Engineering
An independent program maturity assessment gives your organization a view of its cybersecurity across four key areas: security governance, security architecture, cyber defense, and security risk management. After an in-depth analysis of your current program, we provide best-practice recommendations for improving your security posture based on your specific risk profile and level of security maturity. A needs assessment and a field assessment of your organization determine the architecture and engineering design of your cybersecurity, based on service levels and communications.


Cyber Risk Management
Assess your existing cyber risk management program for security strengths and weaknesses. Identify the cyber risks relevant to your organization and anticipate your business approach to cyber risk management and effective decision-making and risk mitigation. Define appropriate guidelines for rapid response to manage risk and work to harden the cyberspace. Our experts take these findings to identify program deficiencies and in turn provide practical, technical, strategic and prioritized recommendations to create or improve your cyber risk management program and achieve a mature security posture, ultimately reducing future risks and the level of their impact on your business.
Cloud Security
Assess your existing security and hardening techniques for the most popular cloud-based assets, including Microsoft Office 365, Microsoft Azure, Amazon Web Services, and Google Cloud Platform. Understand the threats and security controls specific to your cloud environment. Demonstrate your ability to detect, investigate, and respond to attacker activity at all stages of the attack lifecycle. Review the configuration and security controls that are consistently implemented and identify potential weaknesses. Also, use reporting that includes detailed, actionable recommendations to harden the cloud, increase visibility, and identify and improve processes to mitigate potential risk.


Open-Source Intelligence
We use OSINT to gather significant information about the target organization on the Internet. The information obtained can be used to identify vulnerable assets and weaknesses that threat actors are targeting. The information retrieved using OSINT techniques includes details about employees, organizational structure, physical assets, IT infrastructure, and more.
Security Information and Event Management
CTI is used to continuously update information from external sources about a given organization. The service consists of two main parts: information for security teams, and IoCs (Indicators of Compromise), which are mostly used for automated data mining in internal monitoring with SIEM, IPS (Intrusion Prevention System) or IDS/NIDS/HIDS (network- or host-based Intrusion Detection System) systems. The simplest example of such data mining is obtaining the IP addresses used by attackers from a honeypot network, or detecting changes in open ports in the company’s infrastructure. We use proprietary software that automatically searches for potential threats depending on the customer’s needs. We support infrastructure monitoring with CTI data, which allows us to continuously detect targeted attacks.