Challenge

The Telecommunication Operator, a company with multiple subsidiaries across the country, needed a solution to automate cyber security processes in its SOCs. The Company required many integrations with internal systems, easy access to information about all of its branches, and multiple tools for handling information from software vendors.

The Operator chose Defensys products after a PoC project during which Defensys demonstrated the required software functionality and additional management options.

Of the Defensys product range, the Company purchased the SOAR, SGRC and TI platforms.

Implementation

Defensys has extensive experience working with companies that provide mobile services. That is why we were able to avoid the typical pitfalls and concentrate on the important tasks.

As mentioned above, Defensys software had to be integrated with several systems for data collection and for transfer of data between the tenants and the HQ according to certain attributes. In total, the software was integrated with more than 40 systems of various kinds.

Defensys has released a new version of its cyberthreat information analysis platform, Defensys TIP 3.16. The new release has a range of important updates. For example, the number of supported SIEM systems and firewalls has been extended. Defensys has also upgraded its own data source (Defensys Threat Feed): the Defensys Feed can now independently identify links between entities, countries and the industries targeted by threat actors.

One of the functions of the Defensys Threat Intelligence Platform is reactive and retrospective search for indicators of compromise (IoCs) within the event flow coming from SIEM systems. The Defensys TIP platform can be integrated with well-known SIEM and log management solutions, such as:

  • IBM QRadar
  • ArcSight ESM
  • Splunk
  • ArcSight Logger
  • Apache Kafka

Additionally, Defensys has expanded the list of supported third-party security tools for IoC export. Detected IoCs can be exported automatically to firewalls for further processing and protection of the network infrastructure.

Cybersecurity News

  • The US Cybersecurity and Infrastructure Security Agency has added a new vulnerability to its Known Exploited Vulnerabilities catalog.

In this article we describe vulnerability management and the challenges companies can face when setting up this process, and we share tips on how to overcome them.

First, we would like to brief you on the main definitions:

A vulnerability is a flaw in an information system or software that a hacker can use to penetrate the infrastructure, disrupt systems or gain access to them. Vulnerabilities have several severity levels. One of the most widespread and serious risks is the existence of an exploit for a vulnerability, especially if it is already being actively used by hackers. An exploit is malware consisting of data or executable code that uses a vulnerability to conduct an attack.

Vulnerability management (VM) helps to lower the risks caused by infrastructure vulnerabilities. VM is a multi-step cyclical process of identifying, prioritizing and remediating vulnerabilities, followed by further monitoring. VM offers a choice of response to issues affecting the company's assets: detected software vulnerabilities, configuration vulnerabilities, insecurely configured ports and other weaknesses that attackers can use. The main purpose of the process is to minimize risk and to protect systems from potential attacks, exploits and other forms of hacking or security breaches.

Vulnerability management includes the following steps:

Challenge

The bank had implemented a Service Desk solution. However, it interacted insufficiently with other systems; in particular, there was no interaction with TI tools and repositories.

The Bank wanted a comprehensive system overhaul, and one of the key decisions in this overall cybersecurity overhaul was to adopt the Defensys SOAR solution.

Results

Thanks to Defensys’s technologies, a number of key issues were resolved:

Defensys has announced an extension of the Defensys Endpoint functionality. The new features are aimed at improving the protection of corporate networks against current cyber threats and at raising the efficiency of the IT infrastructure monitoring process.

Defensys continues to upgrade the Endpoint technology by adding new functions for a better security level and better monitoring of IT systems. In the new release Defensys has significantly upgraded the technical audit section. Users can now view audit results in a more comprehensive way, which makes vulnerability analysis easier and enables faster remedial action. Moreover, it is now possible to add custom policies and modify the installed checks, adapting audits to particular requirements and the company's tasks.

Integration with the Defensys TDP has been added in Defensys Endpoint v. 1.8. Thanks to this, lures that simulate vulnerabilities in the corporate network, making it more attractive to hackers, can be placed in one click. For instance, Defensys Endpoint helps to place lures such as fake accounts, saved sessions and SSH keys. This approach reduces the cost of deploying and updating the simulated infrastructure.

Cybersecurity News

  • Four vulnerabilities, one of which is rated critical, have been discovered in the Perforce Helix Core Server, with one of the vulnerabilities allowing intruders to remotely execute commands from the LocalSystem account.
  • VoIP communications company 3CX has warned its customers to disable SQL database integrations due to possible risks associated with what it describes as a potential vulnerability.
  • Akamai has warned of a new Mirai-based DDoS botnet, named InfectedSlurs, actively exploiting two zero-day vulnerabilities to infect routers and video recording devices.
  • A four-tier classification has been proposed in China to help with the response to data security incidents, highlighting Beijing’s concern with large-scale data leaks and hacking within its borders.
  • 2023 has seen the emergence of ten new Android banking malware families, whic

Challenge

The Company's cyber security specialists had been actively using Threat Intelligence tools in their daily routine for a long time. Nevertheless, new internal policies made it necessary to replace the existing solution with another one. Since the specialists had a lot of experience with TI, their requirements for the new on-premises system were high.

It was especially important for the client to choose an alternative whose functionality and performance would not be inferior to the capabilities of the platform already in use. The second criterion was the ability to connect the previously used feeds and to integrate the software with existing systems.

At the same time, the transition had to be carried out without disrupting the running processes for collecting forensic information, which is then used in incident response and retrospective data analysis.

After a series of demonstrations and a PoC project, the Retailer concluded that the Defensys TIP platform meets all of the requirements.

Knowledge that helps to understand the context of threats and their links to particular tactics or hacker groups plays an important role in handling Threat Intelligence data. Consequently, a lack of the necessary data leads to an incomplete understanding of how different cybercriminals approach their attacks. Companies need context about indicators and about the links between threats and attacks in order to identify the more dangerous threats easily and to prioritize the ways of eliminating them.

The Defensys TIP is integrated with the MITRE ATT&CK® knowledge base. Thanks to this, users can apply information about hackers' techniques and tactics to determine the possible ways a threat may develop and to protect the information infrastructure preventively.

Threat Intelligence with MITRE ATT&CK®

MITRE ATT&CK® (Adversarial Tactics, Techniques & Common Knowledge) is a knowledge base that describes and classifies attacker behavior based on analysis of attackers' actions during real attacks. It is a structured list of known behavior types, organized by tactics and techniques and grouped into several matrices.

Cybersecurity News

  • Lumma Stealer, an information-stealing malware, now features a new anti-sandbox technique that leverages trigonometry to evade detection and exfiltrate valuable information from infected hosts.
  • The Tor Project has explained its recent decision to remove multiple network relays that represented a threat to the safety and security of all Tor network users.
  • Google has officially announced plans to gradually eliminate third-party cookies, a key aspect of its Privacy Sandbox initiative.
  • Threat actors are leveraging manipulated search results and bogus Google ads that trick users who are looking to download legitimate software such as WinSCP into installing malware instead.
  • The Federal Communications Commission has revealed new rules to shield consumers from criminals who hijack their phone numbers in SIM swapping attacks and port-out fraud.