Challenge

Before the project launch, the Company already had a SIEM system and a deployed Defensys SOAR. The target of this project was to update the system so that it complied with the national state cybersecurity standards.

Implementation

The SOAR is used for handling both IT and OT incidents and is integrated with the company’s CMDB.

After the new license was purchased, some of the existing processes had to be reconsidered. Under the new role model, all of the company's network segments were divided into critical and non-critical. Depending on the segment's status, the responsible department receives the incident notification and is involved in handling it.

After the new incident handling policy was discussed, Defensys modified the asset cards to meet the company's requirements and created 60 response instructions. These instructions are pulled into the incident card automatically, based on specific incident parameters. The cards also contain the fields required for notifying the cybersecurity authority and support data mapping when an incident occurs on a critical network segment.

The rich customization features of the Defensys SOAR made it possible to notify the cybersecurity authority with a report generated at the push of a button.
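The routing rule described above (segment criticality decides which department is notified, incident parameters select the response instructions, and critical-segment incidents must carry the regulator notification fields before a report can be produced) can be modelled as follows. This is an added illustration, not Defensys code: the CMDB extract, segment names, instruction texts and report field names are constructed assumptions, and the completeness check on the report is a practitioner's addition rather than a documented product feature.

```python
"""Model of the critical/non-critical incident routing rule from the case study.

Added example, not Defensys code. CMDB entries, segments, departments,
instructions and report fields below are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed CMDB extract: asset -> network segment, segment -> criticality.
CMDB_ASSET_SEGMENT = {
    "plc-line-3": "ot-control",
    "hmi-02": "ot-control",
    "fileserver-1": "office-lan",
}
SEGMENT_CRITICAL = {"ot-control": True, "office-lan": False}

# Constructed role model: the department notified for critical / non-critical segments.
DEPARTMENT_FOR = {True: "OT security", False: "IT security"}

# Constructed response instructions, each keyed by the incident parameters that select it.
RESPONSE_INSTRUCTIONS = [
    {"match": {"type": "malware"}, "text": "Isolate host, collect AV logs"},
    {"match": {"type": "malware", "critical": True},
     "text": "Do not power off PLC; coordinate with process engineers"},
    {"match": {"type": "bruteforce"}, "text": "Block source, reset credentials"},
]

# Assumed field names required by the cybersecurity authority report.
AUTHORITY_FIELDS = ("detected_at", "affected_asset", "segment", "impact", "contact")


@dataclass
class Incident:
    type: str
    asset: str
    detected_at: str
    impact: str = ""
    contact: str = ""
    segment: str = field(init=False, default="")
    critical: bool = field(init=False, default=False)
    department: str = field(init=False, default="")
    instructions: List[str] = field(default_factory=list)


def enrich(incident: Incident) -> Incident:
    """Look the asset up in the CMDB, classify the segment, pick the department
    and attach every instruction whose match parameters fit this incident."""
    segment = CMDB_ASSET_SEGMENT.get(incident.asset)
    if segment is None:
        # An unknown asset cannot be classified; fail loudly rather than
        # silently treating it as non-critical.
        raise ValueError(f"asset {incident.asset!r} not in CMDB; cannot classify")
    incident.segment = segment
    incident.critical = SEGMENT_CRITICAL[segment]
    incident.department = DEPARTMENT_FOR[incident.critical]
    params = {"type": incident.type, "critical": incident.critical}
    incident.instructions = [
        r["text"] for r in RESPONSE_INSTRUCTIONS
        if all(params.get(k) == v for k, v in r["match"].items())
    ]
    return incident


def _mapped_report(incident: Incident) -> dict:
    """Data mapping from the incident card to the regulator report layout."""
    return {
        "detected_at": incident.detected_at,
        "affected_asset": incident.asset,
        "segment": incident.segment,
        "impact": incident.impact,
        "contact": incident.contact,
    }


def missing_authority_fields(incident: Incident) -> List[str]:
    """Names of mandatory report fields that are still empty, in report order."""
    report = _mapped_report(incident)
    return [f for f in AUTHORITY_FIELDS if not report.get(f)]


def authority_report(incident: Incident) -> Optional[dict]:
    """Return the regulator report for a critical-segment incident, None for
    non-critical segments. Refuses to produce an incomplete report."""
    if not incident.critical:
        return None
    missing = missing_authority_fields(incident)
    if missing:
        raise ValueError(f"authority report incomplete, missing: {missing}")
    return _mapped_report(incident)


if __name__ == "__main__":
    inc = enrich(Incident("malware", "plc-line-3", "2024-05-02T10:15:00Z",
                          impact="line 3 halted", contact="soc@example.invalid"))
    print(inc.department, inc.instructions)
    print(authority_report(inc))
```

Two design points worth keeping even if the field names differ in a real deployment: an asset missing from the CMDB raises instead of defaulting to non-critical (a silent default would route an OT incident to the wrong team), and the report function refuses to emit a partially filled regulator notification.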

Cybersecurity News

Defensys has introduced an updated version of the Defensys Endpoint technology for data collection, detection and response on endpoints. Among the key changes is a larger set of integrations with other Defensys products. The vendor has also improved event collection and added new response techniques.

The Defensys Endpoint technology extends the functionality of the other Defensys technologies and offers users additional advantages. With Defensys Endpoint, a user can carry out a detailed asset inventory, detect threats and respond directly on endpoints. Users can now also run an automated technical audit of all popular operating systems against cybersecurity standards.

Thanks to these innovations, Defensys Endpoint can be used as a sensor for IoC detection on servers and user workstations across the company's infrastructure. Users now receive events regardless of how other security systems are configured and regardless of the node's location, inside or outside the organization. This capability was added through integration with the Defensys TIP.

In addition, the developer created a new integration with the Defensys SGRC Platform, which lets users run a technical audit of a node against the legislation and the chosen security level. This way you can check that both operating system and application software settings are correct and optimal, and make sure the node meets the requirements.

Risk handling

The main purpose of a risk assessment is to form a strategy for avoiding or mitigating the damage from potential cyber incidents.

But while audits deal with the present (there is a specific requirement, it is not being met now, and the picture is clear), when it comes to future threats it can be extremely difficult for cybersecurity (CS) staff to explain to management why a budget should be allocated. A risk assessment helps translate the needs of the CS department into the language of the business and convey the importance of the information obtained.

At the same time, SGRC solutions strengthen communication with the business: they allow higher-level risks to be derived from technical ones and automatically generate understandable graphs and visual dashboards, simplifying this communication without extra time spent by employees.

Accumulating technical data about the state of CS is an important task, but not the last one. To make a breakthrough in the quality and effectiveness of the information security system, this data needs to be contextualized and properly analyzed.

Challenge

The Factory purchased all Defensys products step by step: the SOAR, Security GRC, Threat Intelligence, SENSE and Threat Deception platforms. As part of a large software installation and customization project, our target was to build an ecosystem based on Defensys software that would cover all of the factory's cybersecurity needs.

Implementation

Since each company has its own internal procedures, Defensys takes all customer requests into account and adapts the software to specific requirements. The factory has 5 types of incidents to detect, so 5 tailored SOAR playbooks were built, each using different connectors during the response and investigation processes.

The company stores most of its asset data in a SIEM system, and all incidents are taken from the SIEM for further processing as well. The SOAR is also connected to AD and the antivirus solution.

At the moment, by using Defensys software, the company can do the following:

Defensys has developed an updated platform for asset behavior analysis and anomaly detection, Defensys SENSE v. 1.14. The platform can now be integrated with the Defensys Endpoint technology, which extends endpoint data collection. The new version gives cybersecurity analysts more context while looking for the causes of anomalies, thanks to the modified asset card.

With the new version, users get access to a wider range of events and telemetry from different operating systems, including Windows, Linux and macOS. This expands the data flow from endpoints, giving CS analysts higher-quality incidents for subsequent assessment. This was made possible by integrating Defensys SENSE with the Defensys Endpoint technology.

The asset card has been significantly updated. The asset's technical data and related entities are now displayed on the card alongside the basic information, so users can quickly access the full context of an asset and considerably speed up the root cause search.

In addition, Defensys added a new "Daily analytics" tab to the asset card, showing rating changes, anomalies and the equipment involved over the last 24 hours. Once a piece of equipment with a high rating is detected, cyber analysts can review all user actions during the day with a single click and decide whether an investigation is needed when anomalous activity is found.
