Challenge

The customer needed to put its internal IT and cyber security processes in order, so it conducted a broad survey of the market.

After a careful search, Defensys ACP was chosen.

The customer has a huge infrastructure with a large number of servers, active network equipment and, of course, workstations.

Several of the customer’s departments were involved in the project implementation. Work began with the IT department; later the cyber security department joined with its own requirements.

The main objective from the very beginning of the project was to create a single repository of assets and to put them in order there. Defensys ACP was configured to receive data from different network segments. Working together with both the cyber security and IT departments, many different types of systems were successfully integrated with the ACP, although some specific requirements arose during the process. For example, the customer’s network has segments that are not interconnected at the physical level. For that reason, part of the data was uploaded to the system through its file integration capabilities, from custom databases, and via questionnaires sent using the ACP’s built-in task manager.

Cybersecurity news

We recently told you about the analytical tools implemented in Defensys SENSE.

Some of them are programmatic experts – algorithms that use statistical analysis and machine learning methods to detect anomalies and threats in the behavior of users and endpoints.

Today we’re going to continue the overview of Defensys SENSE capabilities and take a look at the behavioral models that underpin programmatic experts. In this article we’ll describe in detail the processes of additional learning and relearning of behavioral models, and how they help reduce false positives and false negatives, increasing the effectiveness of working with detected anomalies.

Behavioral models and their learning

Behavioral models work by extracting and updating knowledge about the observed entities. This knowledge is derived from event logs, and the process is built on complex mathematical models and calculations.

This helps to build a profile of the observed entity and to detect deviations in its behavior.

Picture 1 – The process of the system’s initial learning


Challenge

The oil company has a colossal infrastructure, and its SOC contains 3 response lines. Undoubtedly, a new system had to be customized and adapted to all internal processes. After the PoC project, the company chose Defensys SOAR for incident orchestration.

Implementation

The company already had plenty of installed systems, such as a SIEM, a CMDB and others. Of course, the SOAR had to be integrated with all of them, so Defensys successfully set up several connectors for receiving and enriching incidents. Much of the information comes into the SOAR from the antivirus and AD.


Compliance as a right

It was discussed above how automating the typical stages of audits both results from and helps to increase the maturity of the process as a whole. Having implemented the appropriate solution, some organizations may think that is the end of the matter: all that is left to do is keep the process running. Tasks are automated, monitoring is underway, and data is organized.

In fact, this is just the beginning. Organizations move to the next level of cyber security maturity when they stop doing audits “because the authorities force them to” and realize that this tool can be used to respond proactively to problems.

Internal audits can be organized in many different ways, but quite often they begin when cyber security employees, as they gain experience, start to form their own in-house standards. As they learn the various regulatory requirements, they feel the need to formulate a metric for themselves that reflects the level of asset compliance without reference to specific external documents.

This is how internal standards and compliance assessment methodologies are born.


Challenge

One branch of a telecom company with a global presence used a primitive IRP system with very limited functionality. Since the company is a managed security service provider, the need arose for a new, more flexible platform with a significantly greater range of functions. After a series of negotiations and a PoC project, Defensys SOAR was chosen as the core solution. The provider offers its SIEM and TI systems to each customer and, depending on the customer’s infrastructure, one company can have several platforms. For that reason, Defensys software had to be integrated with all installed systems.

Implementation

The provider’s client database was connected to Defensys SOAR, and the stored information is synchronized with custom assets. Because of this, when an incident occurs, the provider knows exactly which SIEM system it came from and which company is involved, and all the data is already stored and up to date in the client’s card for further processing. This made possible customized incident notification via, for example, ITSM systems or messengers. As a result, it became a very effective tool, with a workflow for each particular incident type created exactly for the provider’s needs.