Defensive services cover a wide range of incident response techniques and methods, which are conducted with a defensive approach. Cyber security defensive services include methods like blue teaming, cyber range, hardening, detection capability development, and code reviewing.
The goal of these solutions is to identify the risk level of the organization’s infrastructure and create an effective incident response plan within the company itself. Based on the assessments conducted beforehand, we can create a successful defensive playbook in order to develop incident response capabilities and harden all of the organization’s assets.
Today, defensive techniques are as important as offensive methods, because they allow the company to respond to incidents faster and more effectively during a real attack, and they also help to prevent future attacks.
There are many similarities between an IT infrastructure and the human organism: both rely on correct communication between connected units, and both are sensitive to external impacts. Through such impacts and attacks the organism can get sick and the computer fleet can become a botnet. The solution for the former is reinforcing the immune system; preventing the latter requires a strong blue team.
In today’s complex world of IT security, having a group of elite professionals – who support the work of the various company IT security subteams (e.g. network, OS, hardware) and provide them with the latest information and frameworks – becomes essential in every larger corporation.
Blue teaming is essentially the development of an IT immune system. The blue team can avert a wide range of attacks quickly thanks to the knowledge and experience it has gained. With the team’s help it is also possible to patch common security vulnerabilities by creating appropriate company IT security policies – in order to build an efficient security system.
Through the efficient collaboration of our company’s blue and red teams it is possible to identify the current security vulnerabilities of networks, web pages or mobile devices. That way, a protective net can be drawn around the most important data and company infrastructure.
The Blue Team’s role also includes:
- Testing and developing efficient internal communication
- Incident response
- Digital investigation (DFIR)
- IT security training
- Designing SIEM IT security response systems
- Examination of compliance regarding IT security standards (GDPR, PCI DSS, ISO27K)
WHOM DO WE RECOMMEND BLUE TEAMING?
Blue teaming is recommended to larger corporations, where a more complex approach is needed to create an effective defense plan.
During our cyber range service, incident response teams can improve and test their incident handling capabilities in different environments. These environments are miniaturized versions of complete real-life infrastructures, complemented with specific components such as programmable logic controllers (PLCs). The training tests not only the participants’ technical preparedness but also their escalation order, speed and processes.
The goal of the simulation is to test and improve the organisation’s incident response and detection capabilities, the use cases, playbooks, and configurations.
Its advantage is that the simulated environment is very similar to, or even identical with, the client’s original organizational infrastructure, so it is also possible to practice incident handling plans against destructive attacks.
During the simulation the client’s incident handling teams (CERT, CSIRT, blue team, SOC, etc.) are constantly under attack on multiple fronts by our company’s dedicated hacker team (red team). A dedicated white team evaluates the exercise and regulates the processes. Based on our company’s values and experience, the most important part of incident handling is the people, then the processes and lastly the technology.
On our client’s demand we can:
- add custom industrial controller components to the environment
- plan SIEM systems (testing ruleset and configuration)
- test other devices and configurations
WHOM DO WE RECOMMEND CYBER RANGE SERVICES?
Primarily for organizations that are planning to set up, or already operate, a local SOC (Security Operations Center), an IT security team, CERT, CSIRT, or other infosec unit.
Hardening means improving the IT infrastructure’s “immune system”. The goal of these processes is to create a clear policy ensuring that the different operating systems and applications use only the privileges, services, and resources that are strictly necessary for their operation. With hardening, the systems’ exposure to cyberattacks and vulnerabilities can be substantially reduced.
The methodology of our service:
- Active reconnaissance and vulnerability scan
- Creating a dependency matrix of the dependent systems in order to get a holistic picture of how disabling or modifying services on different levels can affect the system
- Designing a hardening plan based on numerous benchmark systems available
- Creating backups (of the applications, the configurations and the operating system)
- Performing changes step by step and recording them in a change tracking system
- Testing the availability and integrity of the services
- Executing a remediation check
- Creating reports
It is highly important to manage the system’s constant change and to test it, in order to maintain productivity and prevent the system from becoming the victim of an attack.
WHOM DO WE RECOMMEND HARDENING?
Primarily for those organisations and companies that want to enhance their preventive capabilities based on their IT security strategy. The solution can substantially reduce the spread of ransomware, intentional or unintentional data leakage, and a wide range of other attack vectors. Hardening can also be a goal for a smaller business.
DETECTION CAPABILITY DEVELOPMENT
The incident handling teams (CSIRT, CERT) focus on evolving their processes and on developing and optimizing the quality and quantity of the information handed to their organization. The IR (incident response) team must become aware of alerts and incidents as soon as possible and distinguish between true and false positives as fast as possible. To do this they need the proper tools, hardware, software and know-how.
According to IT security surveys the most effective solutions are still IDS/IPS and perimeter defences and/or combined firewalls (UTM) integrated into the company’s infrastructure. However, it is not enough to dedicate personnel to a mainly signature-based IDS/IPS on an 8/5 or 24/7 duty; the security devices should instead be grouped into one centralised and transparent system.
Detection capabilities are largely determined by the tools used and the professionals’ experience (“skill set”). Our company’s SOC/CSIRT development portfolio provides clients with a wide range of devices, with deployment and training if needed.
In order to eliminate the blind spots in your organization’s infrastructure, we offer the below service packages and solutions:
| Area | Tools |
| --- | --- |
| SIEM | RSA, IBM QRadar, Splunk (Enterprise), AlienVault USM |
| Log analysis and storage | Splunk, syslog-ng, ELK stack |
| Firewall, UTM | Sophos UTM, FortiGate, Palo Alto |
| Network packet capture, sniffer | Riverbed, open-source stack |
| HIDS, WIDS – host-based and wireless IDS | Aruba Wireless, OSSEC, EMET, Sophos |
| Network IDS, IPS | Proofpoint Snort/Suricata ruleset |
| Web application security | Imperva SecureSphere WAF, ModSecurity |
| NetFlow analysis and network anomaly detection | IBM QFlow, AlienVault USM, YAF, SiLK, iSiLK, Argus, Bro |
| Endpoint security | Sophos Endpoint, Sophos Intercept X, Carbon Black |
| IT infrastructure monitoring | Nagios, Zabbix, Sensu |
| Threat Intelligence (CTI), honeypot | Recorded Future, Anomali, Proofpoint, HoneyBox, OSINT |
| Network and user behaviour monitoring | Darktrace, Vectra AI, PatternEX |
| Privileged user monitoring | Netwrix Auditor, CyberArk |
| Mobile device management (MDM) | Sophos MDM, Zimperium, AirWatch |
| File integrity monitoring | Carbon Black, OSSEC |
| Forensic tools | Nuix, X-Ways, AccessData, IDA Pro |
| Automated vulnerability scanners | Rapid7 Nexpose, Metasploit Pro, IBM AppScan, Burp Suite, Acunetix, Core Impact |
| SSL | Palo Alto, Entrust Datacard |
| Data Leakage Prevention (DLP) | DeviceLock, Sophos SafeGuard, Digital Guardian |
WHOM DO WE RECOMMEND DETECTION CAPABILITY DEVELOPMENT?
Detection capability development is essential for every company that wants to harden its information security defences.
By code review we mean the detailed investigation of the source code. Besides using automated tools during the inspection, we also apply manual techniques based on professional programming knowledge and experience.
The main goals of source code review are to find the flaws made by the programmers, identify vulnerabilities, and uncover numerous other critical points and security problems.
The vulnerabilities could be the following:
- Exploitable format string handling
- Memory corruptions
- Buffer overflow
- Flaws in the authentication mechanism
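As an added illustration (not code from this page or from the vendor), two of the flaw classes listed above as a reviewer would flag them in a C service, each beside the corrected form. The NAME_MAX limit and the function names are constructed for the example.

```c
/* Added example: code-review findings for a buffer overflow and a
 * format string flaw, each followed by the corrected version.
 * NAME_MAX and all function names are constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16

/* Finding 1 (buffer overflow): strcpy() trusts the caller's length and
 * writes past 'name' whenever the input has NAME_MAX or more bytes. */
void set_name_unsafe(char name[NAME_MAX], const char *input) {
    strcpy(name, input);              /* unbounded copy: flagged in review */
}

/* Corrected: check the length first, always leave a terminated buffer,
 * and report rejection so the caller can handle over-long input. */
bool set_name_safe(char name[NAME_MAX], const char *input) {
    size_t len = strlen(input);
    if (len >= NAME_MAX) {
        name[0] = '\0';               /* leave a valid empty string */
        return false;                 /* rejected: too long */
    }
    memcpy(name, input, len + 1);     /* copies the terminator too */
    return true;
}

/* Finding 2 (format string): user-controlled text is used as the format
 * argument, so any '%' directives in the input are interpreted by printf. */
int greet_unsafe(const char *user_text) {
    return printf(user_text);         /* format comes from input: flagged */
}

/* Corrected: the format is a literal; the input is only ever a %s argument. */
int greet_safe(const char *user_text) {
    return printf("%s\n", user_text); /* returns the number of bytes written */
}

int main(void) {
    char name[NAME_MAX];
    /* Constructed inputs: one fits, one is deliberately too long. */
    bool ok_short = set_name_safe(name, "alice");
    bool ok_long  = set_name_safe(name, "this-name-is-far-too-long");
    printf("short accepted=%d long accepted=%d\n", ok_short, ok_long);
    greet_safe("100% of the input is printed literally");
    return 0;
}
```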
WHOM DO WE RECOMMEND CODE REVIEWING?
Source code review is recommended for organizations of all sizes, because it is crucial for building and operating a truly secure system.
Ask for a personal consultation, or a custom quote!