Cybersecurity news

Our colleagues from the Center of Expertise at Defensys use MITRE quite often during PoC and implementation projects, and in this article we would like to share our thoughts on the MITRE matrices and how they are applied.

Recently we have been hearing more and more often that developers actively use the MITRE methodology when building cybersecurity products. In MITRE terminology these knowledge bases are called matrices, and the number of projects in which they are used is constantly growing.

At the same time, we have been wondering for quite a while: what does MITRE support actually give vendors and end users? Why is it needed at all if we already have, say, a “smart” SIEM or a specialist who works with it constantly?

This article aims to get to the bottom of these questions. To begin with, let us recall what MITRE is.

MITRE is an American non-profit organization that manages systems engineering research and development centers for the U.S. federal government and for state and local governments.

And then there’s MITRE, a manufacturer of sports equipment.

What is MITRE famous for?

MITRE ATT&CK

Today we are going to tell you about the analytical features of Defensys SENSE, the core functional part of this security analytics platform, whose main aim is to detect security violations in the infrastructure, anomalies and suspicious activity, and to perform dynamic security scoring of all the objects that appear in your logs.

Defensys SENSE provides a comprehensive approach to security event analysis: it studies the behavior of objects (and of groups of similar objects), builds normal behavior profiles and flags activity that deviates from those profiles as suspicious.

This qualitative analysis is performed with two types of instruments: simple rules and programmatic experts.

Simple rules

Simple rules are the basic means of analyzing security events, and their main feature is that they are very easy to tune.

Information security analysts can quickly tune the existing rules or create their own. To create a new rule it is enough to add filtering criteria for events; every event that matches is marked as suspicious, and the observation objects related to it receive a certain number of threat points. Defensys works with the following observation objects: hosts, accounts and users. Threat points are aggregated for all the objects that appear in the logs.

Scoring is the means of evaluating an object’s anomalies and the potential impact if an anomaly turns out to be a threat.
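The rule-and-scoring scheme just described, as an added illustration written for this page (it is not Defensys code): rule criteria are field/value filters, every matching event is marked suspicious, and each observation object the event names (host, account, user) accumulates the rule's threat points. The event fields, rule names and point values are constructed for the example.

```python
# Added illustration, not Defensys code: a minimal "simple rule" engine in the
# spirit of the scheme described above. Field names and point values are assumed.
from collections import defaultdict
from dataclasses import dataclass

OBJECT_FIELDS = ("host", "account", "user")  # observation object types named above

@dataclass
class SimpleRule:
    name: str
    criteria: dict   # field -> required value; all criteria must match
    points: int      # threat points awarded per matching event

    def matches(self, event: dict) -> bool:
        return all(event.get(k) == v for k, v in self.criteria.items())

def apply_rules(events, rules):
    """Return (flagged events, threat points per observation object)."""
    flagged = []
    scores = defaultdict(int)  # keys like ("host", "srv-01")
    for ev in events:
        hits = [r for r in rules if r.matches(ev)]
        if not hits:
            continue
        # matching event is marked suspicious and tagged with the rules that fired
        flagged.append({**ev, "suspicious": True, "rules": [r.name for r in hits]})
        for r in hits:
            for f in OBJECT_FIELDS:
                if ev.get(f):
                    scores[(f, ev[f])] += r.points  # aggregate per object
    return flagged, dict(scores)

def top_objects(scores, n=3):
    """Highest-scoring observation objects, i.e. the triage order."""
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)[:n]

# Constructed sample events (hypothetical log lines already parsed into dicts)
SAMPLE_EVENTS = [
    {"host": "srv-01", "account": "svc_backup", "user": "alice", "event": "logon", "outcome": "failure"},
    {"host": "srv-01", "account": "svc_backup", "user": "alice", "event": "logon", "outcome": "failure"},
    {"host": "ws-17", "account": "bob", "user": "bob", "event": "logon", "outcome": "success"},
    {"host": "ws-17", "account": "bob", "user": "bob", "event": "privilege", "action": "group_add",
     "group": "Administrators"},
]

RULES = [
    SimpleRule("failed-logon", {"event": "logon", "outcome": "failure"}, points=5),
    SimpleRule("admin-group-change", {"event": "privilege", "action": "group_add"}, points=20),
]
```

Running `apply_rules(SAMPLE_EVENTS, RULES)` flags three of the four events; the hosts, accounts and users named in them accumulate points, and `top_objects` orders them for triage.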

Challenge

Initially, incident response was handled in the SIEM system. The customer had about 7 instructions for different types of incidents with a brief description of what needed to be done in each situation. There was no defined response process: security specialists watched the screen, and if they saw an incident in the SIEM they started working on it according to the instructions. If the incident was of an uncommon type, it was handled ad hoc.

Defensys has released a new version of its platform for digital imitation of IT infrastructure elements, Defensys Threat Deception Platform (TDP) v. 1.5. It has an expanded list of trap and lure templates, integration with the Defensys SOAR system and enhanced capabilities for working with security events.

In Defensys TDP v. 1.5 the vendor has extended the list of trap and lure templates. HTTP traps that imitate the logon screens of network equipment have been added, as well as lures for the macOS and Linux operating systems. Another new item is lures for saved connections to SMB network shares.

Another significant new feature concerns integration capabilities. Besides the standard syslog push integration with external systems, Defensys TDP now has direct seamless integration with the Security Orchestration, Automation and Response system Defensys SOAR. All events related to the same trap detected by Defensys TDP are now automatically transferred to Defensys SOAR as a single aggregated incident. Furthermore, the user can manually tune the aggregation period for the events from a given trap.

From time to time, while researching product ideas and hypotheses, our team develops prototypes. We believe that some of them could be useful to the cybersecurity community. Today we want to share a model for ranking indicators of compromise that we implemented based on the study “Scoring model for IoCs by combining open intelligence feeds to reduce false positives” by the University of Amsterdam. This model solves one of the key tasks of threat intelligence: ranking indicators of compromise by a number of parameters in order to single out the most dangerous ones and narrow the focus of threat hunting.

The model operates with sufficiently clear parameters (coefficients), which are used in the calculation:

Defensys is proud to announce that the current version of its SGRC now supports the Shariah Governance Framework for Local Banks Operating in Saudi Arabia.

This framework is ready to be used in compliance procedures by all organisations operating under requirements regulated by SAMA, alongside the SAMA frameworks themselves.

“We rapidly responded to such a demand, mostly from banks in the KSA where we are currently doing projects with our partners. Now any institution that operates in the Kingdom can do all the audits using out-of-the-box frameworks available right after the installation of our SGRC solution, which is a part of the whole cyber security ecosystem by Defensys. Also there is an option to add local and internal frameworks, standards and check-lists, fetching all the requirements into one list to save our customers’ time when assessing similar requirements from different standards.”

The Defensys SGRC solution helps enterprise companies of different scales to control the state of their cybersecurity and to develop it effectively, based not only on compliance procedures but also on automated risk assessments and the system’s ability to merge all the required inventory data from different sources into a master asset source for the whole organisation.

As usual, Defensys’s cybersecurity experts are ready to share the latest approaches to maximizing the effect of an SGRC implementation.

On the 6th and 7th of September the third annual conference dedicated to cybersecurity innovations, CSIS 2022, will be held in Dubai, UAE, and Defensys is a partner of this respected conference.

CSIS brings together IT and cybersecurity professionals to exchange experience and competencies in order to counter the problems that companies all over the world face daily: the growth of cyberattacks, data leaks, security problems related to cloud technologies, etc. The main discussions will focus on artificial intelligence, machine learning, cybersecurity regulation and, of course, high-tech solutions for infrastructure protection. The conference is designed to help businesses and governments maintain resilience and adapt to the ever-changing methods of cyberattacks.

Challenge

The customer is a CERT whose main task is to collect information about incidents from its subordinate organisations, as well as to inform them about the main threats, attacks, vulnerabilities, etc.

Before SOAR-class systems were considered, almost all procedures for interacting with representatives of the regulated companies were manual. The CERT communicated with everyone by e-mail. For manual enrichment of IoCs delivered by subordinate organisations, CERT analysts used various services, for example WHOIS.

The regulated companies also wanted an electronic service for interacting with this CERT, with the possibility of registering incidents and IoCs automatically.

Defensys products

The customer wanted to comprehensively evaluate different ways of building automation for the needs described above:

  • mature software from a vendor with features specially tailored for such needs
  • ServiceDesk-like systems with additional programming and customization
  • fully custom-built software based solely on the needs of this CERT

As a result, part of Defensys’s ecosystem, SOAR + TIP, was chosen over other respected vendors for building this self-service cybersecurity portal.

Results

The following important issues were resolved after the implementation of Defensys SOAR + TIP:

Challenge

The customer had a number of deployed systems that were not integrated with each other, which naturally caused frequent problems.

Moreover, there were 3 main types of information processed in the company:

  • Data on critical information infrastructure (CII) objects. During the work on the project, Defensys’s engineers, together with colleagues from the partner’s side, imported all CII objects into Defensys SGRC and updated them
  • Trade secrets
  • Information “for internal use”

All cybersecurity audits were carried out in 3 areas:

  1. CII
  2. Trade secret
  3. Compliance with internal checklists

The customer set the hard challenge of finding the right solution: one flexible enough in its settings and integrations to solve the accumulated problems. After a careful search, the company chose the Defensys SGRC solution.

Results

First of all, regulatory and physical security requirements were cross-mapped to each other via the control checks framework built into Defensys SGRC. This way the user receives a single list containing only the requirements that need to be assessed for a given asset type and the user’s role in the process, rather than all the requirements.