Blog

Case study by Defensys – Energetic System operator

Challenge

The customer ran a number of deployed systems that were not integrated with one another, which naturally caused frequent problems.

Moreover, there were 3 main types of information that were processed in the company:

  • Data on critical information infrastructure (CII) objects. During
    the work on the project, Defensys’s engineers along with
    colleagues from the partner’s side imported all CII objects into
    the Defensys SGRC and updated them
  • Trade secrets
  • “For internal use” information

All cyber security audits were carried out in 3 areas:

  1. CII
  2. Trade secret
  3. Compliance with internal checklists

The customer set the difficult task of finding a solution flexible enough in its settings and integrations to solve the accumulated problems. After a careful search, the company chose the Defensys SGRC solution.

Results

First, regulatory and physical security requirements were mapped to each other through the control checks framework built into Defensys SGRC. As a result, the user receives a single list containing only the requirements that need to be assessed for the given asset type and the user's role in the process, rather than the full set of requirements.


Cybersecurity Digest #55: 25/07/2022 – 05/08/2022

Cybersecurity news

  • The Cybersecurity and Infrastructure Security Agency has added the Zimbra CVE-2022-27824 flaw to its ‘Known Exploited Vulnerabilities Catalog,’ indicating that it is actively exploited in attacks by hackers. This high-severity vulnerability allows an unauthenticated attacker to steal email account credentials in cleartext form from Zimbra Collaboration instances without user interaction.
  • Researchers at Trellix have discovered a critical unauthenticated remote code execution vulnerability impacting 29 models of the DrayTek Vigor series of business routers. The attacker does not need credentials or user interaction to exploit the vulnerability, with the default device configuration making the attack viable via the internet and LAN.
  • Security researchers have discovered a new vulnerability called ParseThru affecting Golang-based applications that could be abused to gain unauthorized access to cloud-based applications. The issue has to do with inconsistencies stemming from changes introduced to Golang’s URL parsing logic that’s implemented in the “net/url” library.
  • No More Ransom, the initiative launched to help victims of ransomware decrypt their files, celebrates its six-year anniversary. Since the launch, it has grown from four partners to 188 and has contributed 136 decryption tools covering 165 ransomware families.


Investigating the sources of Threat Intelligence

According to the 2021 SANS Cyber Threat Intelligence (CTI) Survey, 66.3% of companies use open sources to collect indicators of compromise and try to work with multiple sources simultaneously. It would seem that collecting indicators from open sources is a fairly simple task: you just need to download a txt or csv file from some website, and that’s it. In fact, there are many problems along the way. In this article, we will describe what these difficulties can be, what the structure and format of a feed depend on, which metrics help to evaluate the usefulness of feeds, and also show what you can learn from a feed using a real example.

What are the pitfalls of open source TI

Let’s be clear from the outset: you cannot avoid problems when working with indicators from open sources. The first time you load such indicators into security tools, you will receive thousands of alerts per day. If you do not analyze even the first 100 hits, you will most likely give up on the issue and simply turn off the feed.

Let’s try to describe the main problems that will need to be resolved when collecting indicators from open sources:

  • Sources selection

Do not chase the number of indicators in a source, i.e. do not simply choose the sources with the most indicators.


Case study by Defensys – One of the largest industrial manufacturing and producing companies

Challenge

Each of the company’s subsidiaries and branches has its own IT and OT networks.

The OT cybersecurity department’s main goal was to aggregate data on OT assets in one place, since with this up-to-date data they could carry out the various compliance procedures, both national and internal.

Inventory data was scattered across completely different places:

  • Industrial IDS and AV system databases
  • Custom databases
  • Electronic documents
  • Paper documents, etc.

There was one further complication in this distributed chain of tenants: many of them were built from the same standard design, so there were many different subnets using the same addresses.

Colleagues felt the need for automation, because trying to gather all this information by email was not efficient at all.

Results

After the PoC process, the Defensys SGRC solution was selected to meet all of the objectives.

The system works in multitenancy mode. With this functionality, all assets can be stored in the same location for future use in other cybersecurity processes, regardless of whether they have the same addresses.


Cybersecurity Digest #54: 11/07/2022 – 22/07/2022

Cybersecurity news

  • A threat actor is promoting a new version of their free-to-use ‘Redeemer’ ransomware builder on hacker forums, offering unskilled threat actors an easy entry to the world of encryption-backed extortion attacks. The author states that the new 2.0 release was written entirely in C++. It works on Windows Vista, 7, 8, 10, and 11, featuring multi-threaded performance and a medium AV detection rate.
  • A cryptomining gang known as 8220 Gang has been exploiting Linux and cloud app vulnerabilities to grow their botnet to more than 30,000 infected hosts. The group is a low-skilled, financially-motivated actor that infects AWS, Azure, GCP, Aliyun, and QCloud hosts after targeting publicly available systems running vulnerable versions of Docker, Redis, Confluence, and Apache.
  • Atlassian has patched a critical hardcoded credentials vulnerability in Confluence Server and Data Center that could let remote, unauthenticated attackers log into vulnerable, unpatched servers. The hardcoded password is added after installing the Questions for Confluence app for a user account with the username disabledsystemuser — designed to help admins with the migration of data from the app to the Confluence Cloud.
  • Microsoft sounded the alarm on a threat actor using the H0lyGh0st ransomware in attacks targeting small and midsize businesses worldwide.
