Challenge

With 5 independent regional SOCs connected to the main SOC in HQ the Company’s cybersecurity staff had to register incidents in service desk, that wasn’t connected to an IT SD but all the other data needed for the investigation was manually collected from multiple sources: security tools, data lakes, billing systems. Also, it was quite difficult to quickly find properties of the technical equipment involved in the cyber incident. Threat Intelligence data was processed semi-automatically without any connections to other systems.

Defensys products

After a comprehensive procedure of comparing different technologies for building the next version of SOC the Company have chosen Defensys as a leader in automating cybersecurity processes. The decision was to use SOAR and TIP to enhance capabilities of an existing SOC with a lot of systems not connected with each other.

Results

All the incidents from different security tools along with customers’ enquiries are processed in one system that helps to use the same investigation frameworks for different teams that is important when it comes to collect performance metrics. These incidents are automatically registered based on the MITRE ATT&CK framework so the whole team operates with the same terms when working during the response process.

Cybersecurity news

• Zyxel has published a security advisory to warn admins about multiple vulnerabilities affecting a wide range of firewall, AP, and AP controller products. While the vulnerabilities aren’t rated as critical, they are still significant on their own and can be abused by threat actors as part of exploit chains.
• A new ransomware named ‘Cheers’ has appeared in the cybercrime space and has started its operations by targeting vulnerable VMware ESXi servers.
• Cybersecurity researchers have disclosed details of the latest version of the Chaos ransomware line, dubbed Yashma.

Cybersecurity news

• HP has released BIOS updates to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with Kernel privileges.
• Google announced a range of privacy measures that will help users retain more control over how their data is used by Google applications and displayed to the world through search.
• Microsoft has issued fixes for three zero-day vulnerabilities, including one being actively exploited in the wild, as part of its May monthly update round.
• Apple, Google and Microsoft have joined forces to expand support for passwordless logins across mobile, desktop and browsers.
• The National Institute of Standards and Technology (NIST) released an updated cybersecurity guidance for managing risks in the supply chain, as it increasingly emerges as a lucrative attack vector.
• Nozomi Networks

Cybersecurity news

• The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog, including flaws affecting Microsoft, Linux, WSO2, and Jenkins systems.
• The Emotet malware phishing campaign is up and running again after the threat actors fixed a bug preventing people from becoming infected when they opened malicious email attachments.
• Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company’s web application security framework. The flaw is tracked as CVE-2022-0540 and comes with a severity rating of 9.9.
• Some popular virtual private networks (VPNs) may be leaving users exposed to a significant security risk.

Cybersecurity news

• Threat actors are abusing the popular Chocolatey Windows package manager in a new phishing campaign to install new ‘Serpent’ backdoor malware on systems of French government agencies and large construction firms.
• The Cybersecurity and Infrastructure Security Agency (CISA) has added a massive set of 66 actively exploited vulnerabilities to its catalog of ‘Known Exploited Vulnerabilities’. These flaws have been observed in real cyberattacks against organizations, so they are published to raise awareness to system administrations and serve as official advisories for applying the corresponding security updates.
• A new remote access trojan (RAT) named Borat has appeared on darknet markets, offering easy-to-use features to conduct DDoS attacks, UAC bypass, and ransomware deployment.

Cybersecurity news

• A phishing kit has been released that allows red teamers and wannabe cybercriminals to create effective single sign-on phishing login forms using fake Chrome browser windows. When signing into websites, it is common to see the option to sign with Google, Microsoft, Apple, Twitter, or even Steam.
• A new Linux vulnerability known as ‘Dirty Pipe’ allows local users to gain root privileges through publicly available exploits. The vulnerability is tracked as CVE-2022-0847 and allows a non-privileged user to inject and overwrite data in read-only files, including SUID processes that run as root.
• HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gain high privileges and remain undetectable by installed security software.

Cybersecurity news

• The Cube ransomware operation is exploiting Microsoft Exchange vulnerabilities to gain initial access to corporate networks and encrypt devices. Cybersecurity firm Mandiant tracks the ransomware gang as UNC2596 and the ransomware itself as COLD DRAWN. However, the ransomware is more commonly known as Cuba.
• A notification from the U.S. Cybersecurity Infrastructure and Security Agency warns that threat actors are exploiting vulnerabilities in the Zabbix open-source tool for monitoring networks, servers, virtual machines, and cloud services.

Defensys has released a new version of the Defensys Security Orchestration Automation and Response Platform (SOAR), a platform that is designed to automate monitoring and responding to cybersecurity incidents.

The Defensys SOAR 4.7 platform allows incidents to be combined into groups. You can work with a chain of related or the same types of incidents. One parent incident is selected for the group, the others are considered as child incidents. By grouping them, the user can examine and analyze cybersecurity events all together, if they have a common cause. Besides working with groups of incidents from the user interface, it is now available for the users to use in playbooks and through the public API of the system.

Playbooks were also updated. In version 4.7, the incident card has a playbook launch timeline with the ability to control its display: the user can navigate to the selected playbook, as well as collapse the playbook diagram into a compact block. The start button for a particular playbook can now be placed in the incident card itself.

Defensys customer support will notify current users when updates are available for migration. If you would like to receive an update for pre-testing and to familiarize yourself with the functionality, send us an email to support@defensys.com

Cybersecurity news

• Security researchers warn that some attackers are compromising Microsoft Teams accounts to slip into chats and spread malicious executables to participants in the conversation. More than 270 million users are relying on Microsoft Teams every month, many of them trusting the platform implicitly, despite the absence of protections against malicious files.
• Users of Monzo, one of the UK’s most popular digital-only banking platforms, are being targeted by phishing messages supported by a growing network of malicious websites. If these details are provided, the threat actors now have everything needed to begin taking over victims’ Monzo accounts.
• After enabling two-factor authentication (2 SV) by default for 150 million users, Google claims to have seen a 50% decrease in accounts being compromised.
• The master encryption keys for the Maze, Egregor, and Sekhmet ransomware operations were released on the BleepingComputer forums by

Cybersecurity news

• Symphony Technology Group (STG) announced the launch of Trellix, a new business delivering extended detection and response (XDR) to organizations with a focus on accelerating technology innovation through machine learning and automation.