Challenge

It was very difficult to locate a host when something went wrong on the network.

Typically, cybersecurity specialists would have to call a large number of colleagues from different regions before all the necessary data could be collected.

In addition, the different systems installed within the infrastructure reported different statistics for the same equipment.

Results

Following the PoC, Defensys ACP was fully deployed, which helped to:

  • Consolidate all inventory information in one location: technical properties of the equipment, locations, time zones and responsible personnel.
  • Consolidate vulnerability data across the infrastructure, with automatic prioritization that made the vulnerability management process much more efficient.
  • Aggregate data from more than 1,000 distributed antivirus management servers.

Defensys ACP also runs a health check of the antivirus system and produces up-to-date weekly reports.

As a result, Defensys ACP has become the reference source for asset data, not only for cybersecurity personnel but also for other departments.

Some IT systems use the ACP API to enrich their own data with asset information.

The system's metrics are displayed on the video wall of the Cyber Security Office, where the Operations Center is located.

In the previous article, we talked about a variety of traps and decoys. Now that the decoys are ready, there is very little left to do: distribute them to the right hosts. This is where another criterion for selecting a Deception solution comes into play, namely how the decoys are delivered to the hosts.

Currently, the solutions fall into two main categories:

  • Agent-based solutions: specialized software is installed on the endpoint host through which decoys can be delivered and updated;
  • Agentless solutions: in this case, remote management tools, group policies, or third-party agents are used.

Each of these categories has its pros and cons.

An agent-based solution is more flexible: it can monitor the current state of the decoys on the host and has quick access to all forensic data. Unfortunately, the agent itself can be detected by an attacker.

Agentless solutions offer more stealth because there is no software on the endpoint that an attacker could detect. However, local or domain administrator rights may be required to perform many of the actions.
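The state monitoring that the agent-based approach makes possible comes down to a small loop: keep a manifest of what was planted and where, and periodically compare the host against it. The following is an added example, not code from the original article or from any vendor's agent. It plants two constructed decoy files (the paths, names and contents are invented for the illustration) in a temporary directory, records their hashes, and then reports any decoy that has gone missing or been altered, which is exactly the signal an agent would raise back to the Deception server.

```python
import hashlib
import os
import tempfile

# Constructed decoy definitions (illustrative names and contents, not from any
# real product): relative path on the host -> bytes to plant.
DECOYS = {
    "svc_backup/.ssh/id_rsa": b"-----BEGIN OPENSSH PRIVATE KEY-----\nDECOY\n-----END OPENSSH PRIVATE KEY-----\n",
    "svc_backup/passwords.txt": b"prod-db admin Winter2024!\n",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def plant_decoys(root: str, decoys: dict[str, bytes]) -> dict[str, str]:
    """Write each decoy under root and return a manifest: rel path -> sha256."""
    manifest = {}
    for rel, content in decoys.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(content)
        manifest[rel] = sha256(content)
    return manifest


def check_decoys(root: str, manifest: dict[str, str]) -> dict[str, str]:
    """Compare planted decoys against the manifest.

    Returns rel path -> 'missing' | 'modified' for every decoy that is no
    longer in its planted state; an empty dict means all decoys are intact.
    Content hashing is used rather than file access times, since atime is
    unreliable on volumes mounted with noatime/relatime.
    """
    findings = {}
    for rel, expected in manifest.items():
        path = os.path.join(root, rel)
        if not os.path.isfile(path):
            findings[rel] = "missing"
            continue
        with open(path, "rb") as f:
            if sha256(f.read()) != expected:
                findings[rel] = "modified"
    return findings


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Plant decoys in a temp dir, verify, then simulate tampering and re-check."""
    with tempfile.TemporaryDirectory() as root:
        manifest = plant_decoys(root, DECOYS)
        before = check_decoys(root, manifest)  # all intact -> {}
        # Simulated attacker activity: one decoy overwritten, one deleted.
        with open(os.path.join(root, "svc_backup/passwords.txt"), "ab") as f:
            f.write(b"added line\n")
        os.remove(os.path.join(root, "svc_backup/.ssh/id_rsa"))
        after = check_decoys(root, manifest)
    return before, after


if __name__ == "__main__":
    print(demo())
```

In an agentless deployment the same manifest still exists, but the comparison has to run from the management side over a remote administration channel, which is where the administrator-rights requirement mentioned above comes from.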

Cybersecurity news

Defensys announces the latest version of its Threat Intelligence Platform, Defensys TIP. In v. 2.20 the vendor has expanded the list of integrations with threat feed providers and the list of IoC enrichment services. There are also enhancements to the integration with Defensys SOAR.

One of the key features of v. 2.20 is finer tuning of enrichment services. Users can now set the time-to-live of enrichment data not only in days but also in hours and minutes, which keeps IoC data fresher and makes TI analysis more precise. The enrichment block of the interface has been redesigned so that data from different sources is handled in a unified way. The integration with OPSWAT MetaDefender has also been updated.

Among the other updates is improved user interface logic. Alerting rules and integrations are now combined into one block, which makes delivering data to Defensys SOAR easier, as both can be configured at the same time. A user can also choose how to group events before they are sent to the SOAR: by rule or by IoC value. One more improvement helps analysts see all activity that took place during a particular incident: the IoC card now shows activity types linked to the incident ID received from the SOAR.
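Two of the behaviours described above, a per-source enrichment TTL expressed in days, hours and minutes, and grouping matched events by rule or by IoC value before they go to a SOAR, are straightforward to model. The block below is an added illustration written for this page; it is not Defensys TIP code and does not use its API. The source names, TTL strings and event records are all constructed for the example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

_TTL_RE = re.compile(r"(\d+)([dhm])")
_UNIT = {"d": "days", "h": "hours", "m": "minutes"}


def parse_ttl(spec: str) -> timedelta:
    """Parse a TTL such as '7d', '6h', '45m' or '1d6h30m' into a timedelta."""
    parts = _TTL_RE.findall(spec)
    if not parts or "".join(n + u for n, u in parts) != spec:
        raise ValueError(f"bad TTL spec: {spec!r}")
    total = timedelta()
    for n, u in parts:
        total += timedelta(**{_UNIT[u]: int(n)})
    return total


@dataclass
class Enrichment:
    ioc: str
    source: str
    verdict: str
    fetched_at: datetime
    ttl: timedelta

    def is_stale(self, now: datetime) -> bool:
        return now >= self.fetched_at + self.ttl


class EnrichmentCache:
    """Cache keyed by (ioc, source); each source has its own TTL."""

    def __init__(self, source_ttl: dict[str, str]):
        self.source_ttl = {s: parse_ttl(t) for s, t in source_ttl.items()}
        self._entries: dict[tuple[str, str], Enrichment] = {}

    def store(self, ioc: str, source: str, verdict: str, now: datetime) -> None:
        self._entries[(ioc, source)] = Enrichment(
            ioc, source, verdict, now, self.source_ttl[source])

    def needs_refresh(self, ioc: str, source: str, now: datetime) -> bool:
        """True when there is no cached verdict or the cached one has expired."""
        entry = self._entries.get((ioc, source))
        return entry is None or entry.is_stale(now)


def group_events(events: list[dict], by: str) -> dict[str, list[dict]]:
    """Group matched events by 'rule' or by 'ioc' before handing them to a SOAR."""
    if by not in ("rule", "ioc"):
        raise ValueError("group key must be 'rule' or 'ioc'")
    groups: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        groups[ev[by]].append(ev)
    return dict(groups)


def demo() -> dict:
    """Walk through TTL expiry and both grouping modes on constructed data."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Hypothetical feed names; TTLs mix days, hours and minutes on purpose.
    cache = EnrichmentCache({"feed_a": "2h", "feed_b": "1d30m"})
    cache.store("198.51.100.7", "feed_a", "malicious", t0)
    cache.store("198.51.100.7", "feed_b", "suspicious", t0)
    # Constructed matches: rule that fired and the IoC value it matched on.
    events = [
        {"rule": "dns_to_known_c2", "ioc": "bad.example", "host": "wks-01"},
        {"rule": "dns_to_known_c2", "ioc": "bad.example", "host": "wks-02"},
        {"rule": "ip_in_blocklist", "ioc": "198.51.100.7", "host": "wks-02"},
        {"rule": "ip_in_blocklist", "ioc": "203.0.113.9", "host": "srv-db"},
    ]
    return {
        "a_fresh_after_1h": not cache.needs_refresh("198.51.100.7", "feed_a", t0 + timedelta(hours=1)),
        "a_stale_after_2h": cache.needs_refresh("198.51.100.7", "feed_a", t0 + timedelta(hours=2)),
        "b_fresh_after_1d": not cache.needs_refresh("198.51.100.7", "feed_b", t0 + timedelta(days=1)),
        "unknown_needs_fetch": cache.needs_refresh("203.0.113.9", "feed_a", t0),
        "by_rule": {k: len(v) for k, v in group_events(events, "rule").items()},
        "by_ioc": {k: len(v) for k, v in group_events(events, "ioc").items()},
    }


if __name__ == "__main__":
    print(demo())
```

Grouping by rule yields one SOAR event per detection logic, which suits ticket routing; grouping by IoC value yields one event per indicator, which suits blocking and hunting.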

Challenge

The Bank suffered from a large number of security alerts coming from different security tools and from the anti-fraud system. Even after a SIEM was implemented, that number did not decrease significantly. Given the size of the organization, there were so many alerts that it was physically impossible to hire enough analysts to cover all of them. The approach to prioritizing incidents also needed to be reconsidered, as several departments of the Bank were to be merged into the Security Operations Centre.

Defensys products

It was a classic PoC project: a playbook for automated response to one type of incident was designed and implemented. One result of this exercise was a reduction in false positives from the security tools.

During the PoC, the Bank's asset model was developed, structured and updated. In effect, it was consolidated in one place from different sources, since each department had previously worked with only a portion of it. As a result, the problem of continually searching for data on affected devices was completely solved.

Implementation

The PoC project made it possible to produce a document for scaling the test results to other types of incidents. After that, it was only a matter of time before all incidents registered daily in the Bank were covered.

Cybersecurity news

Introduction

Many articles have been written about Deception. This is not surprising, as deception technologies have been gaining ground in the cyber security world in recent years. In a recent Gartner report, Deception was named one of the most effective information security technologies: according to the experts, it is close to its peak and is expected to reach the plateau within 5 to 10 years. We decided to imagine what it would be like if there were an "ideal solution" on the market that combined all the features of modern cyber deception technologies.

In this series of articles, we have compiled a summary list of Deception features found in various solutions. We will not go into technical details here; our goal is to help readers take a broader look at cyber deception technologies and their possibilities, especially in terms of defensive strategy, and to choose their own "gold standard".

Architecture and delivery options

Let us start with the basics: the architecture and possible product delivery options. Architecturally, Deception solutions traditionally fall into several classes:

Cybersecurity news

Challenge

Most of the SOC analysts' time was spent each day manually prioritizing security alerts from the SIEM and then manually creating IT tickets in the service desk (SD). Between these two large processes lay chaotic enquiries to colleagues to find out which equipment was involved in an incident, and numerous attempts to respond to incidents reactively.

There was literally no time left for anything else the Organization needed in terms of cybersecurity.

When a new organization wanted to use the SOC's services, all the data generated in the process was stored in various shared folders and electronic documents. It was a real challenge to assemble the whole picture of how the interaction with a specific organization had been handled. There was also a demand to keep control not only of IT assets but also of cameras, physical access control points and USB tokens, and to link them to the IT asset model.

Results

A structure of playbooks was designed for every type of registered incident and implemented in the SOAR. All SIEM correlation rules send their alerts to the SOAR, where each alert is immediately mapped to and labeled with MITRE ATT&CK tactics and techniques.

There is a main playbook containing sub-playbooks that are launched depending on conditions gathered during playbook execution.
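The main-playbook-with-conditional-sub-playbooks pattern, together with ATT&CK labeling at intake, can be sketched in a few dozen lines. The block below is an added example written for this page, not Defensys SOAR code or its playbook format. The correlation rule names, the asset records and the sub-playbook names are all invented; the ATT&CK tactic and technique identifiers are real. The asset-model lookup is the part of the story that ends the "which equipment was involved" phone calls described above: the playbook decides on isolation by consulting asset criticality rather than by asking a colleague.

```python
from dataclasses import dataclass

# Constructed mapping: SIEM correlation rule -> (ATT&CK tactic, technique).
# Rule names are hypothetical; tactic and technique IDs are real ATT&CK IDs.
RULE_TO_ATTACK = {
    "win_brute_force_logon": ("TA0006 Credential Access", "T1110 Brute Force"),
    "ps_encoded_command": ("TA0002 Execution", "T1059.001 PowerShell"),
    "new_local_admin": ("TA0003 Persistence", "T1136.001 Local Account"),
}

# Constructed asset model: hostname -> attributes the playbook conditions need.
ASSETS = {
    "fin-srv-01": {"criticality": "high", "owner": "finance-it"},
    "wks-204": {"criticality": "low", "owner": "helpdesk"},
}


@dataclass
class Alert:
    rule: str
    host: str
    user: str
    tactic: str = ""
    technique: str = ""


def label_alert(alert: Alert) -> Alert:
    """Map the firing rule to ATT&CK; unknown rules are labeled 'unmapped'."""
    alert.tactic, alert.technique = RULE_TO_ATTACK.get(
        alert.rule, ("unmapped", "unmapped"))
    return alert


def main_playbook(alert: Alert) -> list[str]:
    """Return the ordered list of sub-playbooks run for this alert.

    Each branch below stands for a sub-playbook; the conditions are evaluated
    on data gathered during execution (ATT&CK label, asset record).
    """
    label_alert(alert)
    asset = ASSETS.get(alert.host)
    steps = ["enrich_with_asset_model"]
    if asset is None:
        # Host not in the asset model: an analyst has to locate it first.
        steps.append("flag_unknown_asset")
    if alert.tactic == "unmapped":
        steps.append("escalate_to_analyst")
        return steps
    if alert.tactic.startswith("TA0006"):
        steps.append("force_password_reset")
    if alert.tactic.startswith("TA0002") and asset and asset["criticality"] == "high":
        steps.append("isolate_host")
    steps.append("create_it_ticket")
    return steps


if __name__ == "__main__":
    for a in (Alert("ps_encoded_command", "fin-srv-01", "svc_sql"),
              Alert("win_brute_force_logon", "wks-204", "jdoe"),
              Alert("unknown_rule", "wks-999", "guest")):
        print(a.rule, "->", main_playbook(a), a.tactic, a.technique)
```

Every alert ends in either a ticket or an explicit escalation, so nothing is silently dropped; that is the property that lets a SOC with more alerts than analysts still account for each one.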