Blog

Case study by Defensys – Retail company

Challenge

The Company’s cyber security specialists had been actively using Threat Intelligence tools in their daily routine for a long time. Nevertheless, new internal policies made it necessary to replace the existing solution with another one. Since the specialists had a lot of experience with TI, the requirements for the new on-premises system were high.

It was especially important for the client to choose an alternative whose functionality and performance would not be inferior to the capabilities of the platform in use. The second criterion was the ability to connect the previously used feeds and to integrate the software with existing systems.

At the same time, the transition had to be implemented without disrupting the running processes for collecting forensic information, which is then used in incident response and retrospective data analysis.

After a series of demonstrations and a PoC project, the Retailer concluded that the Defensys TIP platform met all the requirements.

Implementation

Defensys’s engineers connected more than 15 commercial and open-source data sources (feeds) that provide IoCs and additional TI context. Another data source was the vendor’s own Threat Feed, which automatically extracts IoCs and related context from TI reports.


Cybersecurity Digest #85: 28/11/2023 – 12/12/2023

Cybersecurity news

  • WordPress has released version 6.4.2, which addresses a remote code execution vulnerability that could be chained with another flaw to allow attackers to run arbitrary PHP code on the target website.
  • A critical security vulnerability has been discovered in the System component of the Android OS that could lead to remote code execution. The issue has been assigned CVE-2023-40088.
  • Two vulnerabilities have been discovered in the Bluetooth wireless communications technology. They allow attackers to eavesdrop on and decrypt Bluetooth traffic, as well as inject fake messages into Bluetooth communications.
  • OpenAI’s popular AI chatbot ChatGPT has been divulging sensitive information such as people’s names, email addresses and phone numbers from its training data, according to a team of researchers at Google.
  • Zyxel has released patches to address 15 security issues affecting network-attached storage, firewall and access point devices, including three critical flaws that could lead to authentication bypass and command injection.
  • Researchers at AppOmni have discovered a vulnerability in Zoom Rooms that allowed threat actors to take over meetings and steal sensitive data.


Application of the MITRE knowledge base in Defensys TIP

Knowledge of a threat’s context and its links to specific tactics or hacker groups plays an important role in handling Threat Intelligence data. Without such data, the understanding of how different cybercriminals conduct their attacks remains incomplete. Companies need context for their indicators, and the interconnections between threats and attacks, in order to identify the more dangerous threats and prioritize the ways to eliminate them.

The Defensys TIP is integrated with the MITRE ATT&CK® knowledge base. Thanks to this, users can apply information about attackers’ tactics and techniques to determine how a threat may develop and to protect the information infrastructure preventively.

Threat Intelligence with MITRE ATT&CK®

MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base that describes and classifies attacker behavior based on the analysis of actions observed in real attacks. It is a structured list of known behavior types, organized by tactics and techniques and grouped into several matrices.

The ATT&CK for Enterprise matrix was created to classify attacks on corporate infrastructure and includes tactics and techniques for the Windows, Linux and macOS operating systems. The matrix also describes the behavior of cybercriminals during attacks against corporate systems.
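The two passages above describe ATT&CK as a structured knowledge base (techniques organized by tactics, groups linked to techniques) and the TIP’s use of it to add context to indicators and prioritize threats. The script below is an added example of that data model, not Defensys code: ATT&CK is published as a STIX 2.1 bundle in which attack-pattern objects carry a technique ID and its tactics (kill_chain_phases), intrusion-set objects are groups, and "uses" relationships link groups to techniques. The bundle here is a constructed miniature in that shape; the technique IDs and names are real ATT&CK entries, while the groups G9001/G9002, the short STIX ids (real bundles use UUIDs), the indicator feed and the priority heuristic are constructed for the example.

```python
"""Enrich TI indicators with ATT&CK context. Added example, not Defensys code.

ATT&CK ships as a STIX 2.1 bundle: attack-pattern objects carry a technique's
ID and tactics (kill_chain_phases), intrusion-set objects are groups, and
"uses" relationships tie groups to techniques. The bundle below is a
constructed miniature in that shape: technique IDs/names are real ATT&CK
entries; groups G9001/G9002, the short STIX ids (real ones are UUIDs), the
feed and the scoring heuristic are constructed for this example.
"""
from collections import defaultdict

# Enterprise tactics in the order the ATT&CK matrix lays them out.
TACTIC_ORDER = ["reconnaissance", "resource-development", "initial-access", "execution",
                "persistence", "privilege-escalation", "defense-evasion", "credential-access",
                "discovery", "lateral-movement", "collection", "command-and-control",
                "exfiltration", "impact"]

def _tech(sid, ext_id, name, tactics, **extra):
    return {"type": "attack-pattern", "id": sid, "name": name, **extra,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}],
            "kill_chain_phases": [{"kill_chain_name": "mitre-attack", "phase_name": t} for t in tactics]}

def _group(sid, ext_id, name):
    return {"type": "intrusion-set", "id": sid, "name": name,
            "external_references": [{"source_name": "mitre-attack", "external_id": ext_id}]}

def _uses(src, dst):
    return {"type": "relationship", "relationship_type": "uses", "source_ref": src, "target_ref": dst}

ATTACK_BUNDLE = {"type": "bundle", "objects": [
    _tech("attack-pattern--t1566", "T1566", "Phishing", ["initial-access"]),
    _tech("attack-pattern--t1059", "T1059", "Command and Scripting Interpreter", ["execution"]),
    _tech("attack-pattern--t1078", "T1078", "Valid Accounts",   # one technique, four tactics
          ["defense-evasion", "persistence", "privilege-escalation", "initial-access"]),
    _tech("attack-pattern--t1003", "T1003", "OS Credential Dumping", ["credential-access"]),
    _tech("attack-pattern--t1071", "T1071", "Application Layer Protocol", ["command-and-control"]),
    _tech("attack-pattern--t1486", "T1486", "Data Encrypted for Impact", ["impact"]),
    # revoked techniques stay in the real bundle; a loader must skip them
    _tech("attack-pattern--t1175", "T1175", "Component Object Model and Distributed COM",
          ["execution"], revoked=True),
    _group("intrusion-set--g9001", "G9001", "Constructed Group A"),
    _group("intrusion-set--g9002", "G9002", "Constructed Group B"),
    *[_uses("intrusion-set--g9001", t) for t in ("attack-pattern--t1566", "attack-pattern--t1059",
      "attack-pattern--t1078", "attack-pattern--t1003", "attack-pattern--t1486")],
    *[_uses("intrusion-set--g9002", t) for t in ("attack-pattern--t1566", "attack-pattern--t1071",
      "attack-pattern--t1175")],
]}

def _attack_id(obj):
    return next((r["external_id"] for r in obj.get("external_references", [])
                 if r.get("source_name") == "mitre-attack"), None)

def load_attack(bundle):
    """Index the bundle: (techniques by STIX id, ATT&CK group id -> STIX id, group STIX id -> techniques)."""
    techniques, groups, uses = {}, {}, defaultdict(set)
    for obj in bundle["objects"]:
        if obj.get("revoked") or obj.get("x_mitre_deprecated"):
            continue
        if obj["type"] == "attack-pattern":
            techniques[obj["id"]] = {"id": _attack_id(obj), "name": obj["name"],
                                     "tactics": [p["phase_name"] for p in obj.get("kill_chain_phases", [])
                                                 if p["kill_chain_name"] == "mitre-attack"]}
        elif obj["type"] == "intrusion-set":
            groups[_attack_id(obj)] = obj["id"]
    for obj in bundle["objects"]:
        if (obj["type"] == "relationship" and obj["relationship_type"] == "uses"
                and obj["target_ref"] in techniques):   # drops links to revoked techniques
            uses[obj["source_ref"]].add(obj["target_ref"])
    return techniques, groups, uses

def group_profile(ctx, group_id):
    """Matrix-style view of one group: {tactic: [technique IDs]} in kill-chain order; {} if unknown."""
    techniques, groups, uses = ctx
    by_tactic = defaultdict(set)
    for sid in uses.get(groups.get(group_id), ()):
        for tactic in techniques[sid]["tactics"]:
            by_tactic[tactic].add(techniques[sid]["id"])
    return {t: sorted(by_tactic[t]) for t in TACTIC_ORDER if t in by_tactic}

# Constructed feed records, already normalised to value/type/attributed group as a TIP would do.
FEED = [
    {"value": "203.0.113.10", "type": "ipv4", "group": "G9002"},
    {"value": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
     "type": "sha256", "group": "G9001"},
    {"value": "update-portal.example", "type": "domain", "group": None},   # no attribution, no context
]

def enrich(ctx, record):
    """Attach the attributed group's tactics/techniques and a priority score to one indicator."""
    profile = group_profile(ctx, record["group"])
    rec = dict(record, tactics=list(profile),
               techniques=sorted({t for ids in profile.values() for t in ids}))
    # Constructed heuristic: a tactic weighs more the later it sits in the kill chain, so an indicator
    # tied to a group seen at the impact stage outranks one tied only to initial access.
    rec["score"] = sum(TACTIC_ORDER.index(t) + 1 for t in rec["tactics"])
    return rec

def prioritize(ctx, feed):
    return sorted((enrich(ctx, r) for r in feed), key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    ctx = load_attack(ATTACK_BUNDLE)
    for r in prioritize(ctx, FEED):
        print(r["score"], r["value"], r["group"], r["tactics"])
```

The unattributed domain ends up at the bottom with an empty tactic list, which is the situation the first paragraph warns about: an indicator without context cannot be ranked against the others. Against the real bundle the same loader works unchanged, but the revoked/deprecated check matters more there, since relationships to retired techniques are kept in the data.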


Cybersecurity Digest #84: 14/11/2023 – 28/11/2023

Cybersecurity News

  • The Lumma Stealer malware now features a new anti-sandbox technique that leverages the mathematical principle of trigonometry to evade detection and exfiltrate valuable information from infected hosts.
  • The Tor Project has explained its recent decision to remove multiple network relays that represented a threat to the safety and security of all Tor network users.
  • Google has officially announced plans to gradually eliminate third-party cookies, a key aspect of its Privacy Sandbox initiative.
  • Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.
  • The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud.
  • The WordPress plugin WP Fastest Cache contains an SQL injection vulnerability that could allow unauthenticated attackers to read the contents of the site’s database. Currently, more than 600,000 websites still run a vulnerable version of the plugin and are exposed to potential attacks.
  • Intel has addressed a vulnerability in its current desktop, server, mobile and embedded CPUs, including the Alder Lake, Raptor Lake and Sapphire Rapids microarchitectures.


Case study by Defensys – Mining company

Challenge

Before the project launch, the Company already had a SIEM system and the Defensys SOAR in place. The goal of this project was to bring the system into compliance with the national state cybersecurity standards.

Implementation

The SOAR is used for handling both IT and OT incidents and is integrated with the company’s CMDB.

After the new license was purchased, some of the existing processes had to be revised. Under the new role model, all of the company’s network segments were divided into critical and non-critical. Depending on the segment’s status, the responsible department receives an incident notification and becomes involved in handling it.

After discussing the new incident handling policy, Defensys modified the asset cards to meet the company’s demands and created 60 response instructions. They are automatically pulled into the incident card according to specific incident parameters. In addition, these cards contain the fields needed to notify the cybersecurity authority and support data mapping when an incident occurs in a critical network segment.

The rich customization features of the Defensys SOAR made it possible to notify the cybersecurity authority with a report at the push of a button.

All incidents in the company are categorized based on the state-approved hierarchy.
