
CS-IRT

Cyber Security Incident Response Team (CS-IRT)

CyberScope's Cyber Security Perception

Challenge

It is an unfair battle, and it is only a matter of time before a persistent hacker penetrates a typical organization, even a highly protected one. Attackers need only one successful attempt, while organizations must succeed 100% of the time in their continuous defense against every malicious attempt.

At CyberScope, we assume that all of our customers, including those who have implemented our entire security recommendations, will eventually be breached.

Therefore, our proactive CS-IRT services start from day one, even before a real attack occurs. By doing this, we can respond faster and more effectively during an attack, and the potential damage is significantly minimized.

The Challenge

Given today’s threat landscape, most organizations will at some point encounter a cyber-attack that they will need to respond to and manage.

The speed, efficiency, and expertise, both technical and managerial, with which an incident is responded to are critical to avoid catastrophic losses in both technical and business operations, as well as direct and indirect costs associated with a breach.

Slow and tedious

Too many alerts from too many sources – how to prioritize & classify them.


Inefficient

Processes and customer communication are difficult.

Unaware

A typical IT engineer faces a cyber-attack fewer than twice a year and cannot gain the experience needed to be well prepared to face the next attack efficiently.


The Solution

A specialized Cyber-Security Incident Response Team (CS-IRT), qualified to respond to sophisticated cyber-attacks and to support management through the hard strategic decisions needed to minimize business damage:

Speed

A team available 24/7, ready to act immediately and to communicate in English and Spanish.

Efficiency

Trained and prepared by understanding the customer's network and its strategic, sensitive and vulnerable business and IT assets, with a tailored PlayBook plan.

Expertise

Proven technical and managerial experience from sophisticated attacks in Israel and worldwide.

Key Differentiators

Proven Expertise

Our CS-IRT experts have proven experience to mitigate sophisticated attacks worldwide and in Israel.

Efficient Response

Via prepared PlayBooks tailored to known and unknown complex attack scenarios for each customer's unique risks.

Security Performance

Via deployed integrated security solutions that minimize blind spots, maximize telemetry and therefore enable optimum security.

Immediate Response

Via 24/7 availability of multinational experts from Israel and Spain who communicate with our multinational clients in Spanish and English.

Optimum Readiness

Via periodic readiness maturity reviews and attack simulation drills.

Crisis Management

Consulting services to top management on hard managerial decisions and on the responsible handling of sensitive internal and external communications during and after the incident, weighing remediation tactics while controlling reputational damage and legal liabilities.


The Importance of Selecting a SOC with CS-IRT Capabilities

When considering a provider of SOC services, it’s important to choose one that offers specialized and comprehensive services beyond just daily monitoring and limited incident response. This includes support for the entire organization, including top management, during a sophisticated attack.

However, customers can often get confused by similar names such as SOC, MDR, MSP, MSSP, and CS-IRT.

While SOC (or any of the others) typically refers to a provider that focuses on daily monitoring and limited incident response, CS-IRT is a specialized task force that is specifically trained to respond to sophisticated attacks from both technical and business operation and management perspectives.


Typical Scenario

CyberScope’s CS-IRT at Work

Scene 1

CyberScope typically deploys cloud-based security technologies to initiate an investigation of the attack indicators. Simultaneously, CyberScope analyzes logs to identify suspicious and malicious activities on Active Directory and firewalls, and correlates them with the reported attack indicators. Additionally, CyberScope validates the usage of new and old legitimate accounts, looks for suspicious data exfiltration traffic on the network, and checks for critical vulnerabilities that might have been exploited to enable the initial penetration, including suspicious phishing attempts that could have established the initial foothold.

Scene 2

CyberScope will meet with top management to provide updates on the status and alternative plans, as well as manage the crisis while ensuring all stakeholders understand the situation and coordinating responsible, controlled internal and external communication.

Scene 3

CyberScope will progress with the investigation to track the attacker's initial attack vector and possible propagation through the organization to understand the attacker's profile and motivation while using threat intelligence and historical information on similar attacks. If necessary, CyberScope will collect forensic evidence and traces to develop conclusions on the possible attacker profile to help understand their motivation and goals, in order to develop the best containment, eradication, and remediation strategy.

Case Study

CyberScope’s CS-IRT at Work

CERT Israel identified suspicious activities related to XXX.XXX.XXX.XXX between WED 27th 23:11 and THU 28th 12:02 (IL time zone).

An Israeli company called CyberScope asking for support during a cyber attack.

Installation of EDR sensor starts

Installation of the agent for vulnerability analysis.

High CPU usage by PowerShell was observed. Process Explorer was installed to review why, and a traffic analyser tool was installed.

EDR Remote Terminal Session launched: Windows update manipulation execution was found.

Asked the client to check where DefaultAccount has logged in, using PowerShell: Get-ADUser -Identity "username" -Properties "LastLogonDate"

Found that the Security event log had been cleared before we entered, so those logs are not available.

CyberScope Teams meeting to prepare the EDR for installation.

Forensic investigation starts using a malware scanner.

Extraction of logs for further investigation using a Windows artifact collector: Security, System, Windows PowerShell, PowerShell Operational.

Endpoint investigation: no critical or high vulnerabilities were found, but critical software was found to be unpatched:

Failed login attempts from IP: XXX.XXX.XXX.XXX

Abnormal commands query: a new user, DefaultAccount, was created using a file named user.bat at 10/27/2021 11:21:19 PM:

Found malicious IPs related to the *.exe and *.dll that launch the *.bat. Asked the client to block them on the FW and to check whether connections to them can still be seen.

Malware scan finished: no malware found.
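The log work described in Scene 1 (correlating Active Directory and firewall logs with the reported indicators, validating new and old accounts) and in the case study (a cleared Security log, failed logins from one IP, DefaultAccount created by user.bat, where that account then logged in) can be reduced to a few checks over the exported Security log. The script below is an added example written for this page, not CyberScope's tooling. It works on a constructed JSON-lines export whose field names follow the Windows Security event data names (IpAddress, TargetUserName, SubjectUserName, LogonType) and whose event IDs are the standard ones (1102 audit log cleared, 4624 successful logon, 4625 failed logon, 4720 user account created); the IPs, host names and timestamps are made up, and the "where did DefaultAccount log in" question is answered from 4624 events rather than from the Get-ADUser query used in the case study.

```python
"""Triage of an exported Windows Security event log (added example, not
CyberScope's tooling). Input: JSON lines, one event per line, with the
Security log's EventData field names. Event IDs are the standard ones."""
import json
from collections import Counter
from datetime import datetime

EVT_LOG_CLEARED = 1102   # "The audit log was cleared"
EVT_LOGON_OK = 4624      # "An account was successfully logged on"
EVT_LOGON_FAIL = 4625    # "An account failed to log on"
EVT_USER_CREATED = 4720  # "A user account was created"

# Constructed sample export: IPs are from documentation/private ranges and the
# timeline only loosely mirrors the case study; every value here is made up.
SAMPLE_EVENTS = """\
{"EventID": 1102, "Time": "2021-10-27T22:50:00", "Computer": "SRV01", "SubjectUserName": "svc-backup"}
{"EventID": 4625, "Time": "2021-10-27T22:58:01", "Computer": "SRV01", "IpAddress": "203.0.113.5", "TargetUserName": "administrator"}
{"EventID": 4625, "Time": "2021-10-27T22:58:04", "Computer": "SRV01", "IpAddress": "203.0.113.5", "TargetUserName": "admin"}
{"EventID": 4625, "Time": "2021-10-27T22:58:09", "Computer": "SRV01", "IpAddress": "203.0.113.5", "TargetUserName": "backup"}
{"EventID": 4625, "Time": "2021-10-27T23:05:40", "Computer": "SRV01", "IpAddress": "198.51.100.9", "TargetUserName": "jsmith"}
{"EventID": 4624, "Time": "2021-10-27T23:10:12", "Computer": "SRV01", "IpAddress": "203.0.113.5", "TargetUserName": "svc-backup", "LogonType": 10}
{"EventID": 4720, "Time": "2021-10-27T23:21:19", "Computer": "SRV01", "SubjectUserName": "svc-backup", "TargetUserName": "DefaultAccount"}
{"EventID": 4624, "Time": "2021-10-27T23:30:02", "Computer": "SRV01", "IpAddress": "203.0.113.5", "TargetUserName": "DefaultAccount", "LogonType": 10}
{"EventID": 4624, "Time": "2021-10-28T01:12:45", "Computer": "WS07", "IpAddress": "10.0.0.23", "TargetUserName": "DefaultAccount", "LogonType": 3}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'Time', oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["Time"] = datetime.fromisoformat(ev["Time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["Time"])


def log_clear_events(events):
    """1102 entries: everything before them on that host is a blind spot."""
    return [(e["Time"], e["Computer"], e.get("SubjectUserName", "?"))
            for e in events if e["EventID"] == EVT_LOG_CLEARED]


def failed_logon_sources(events, threshold=3):
    """Source IPs with at least `threshold` failed logons (password guessing)."""
    counts = Counter(e.get("IpAddress", "-")
                     for e in events if e["EventID"] == EVT_LOGON_FAIL)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def account_creations(events):
    """(time, creator, new account, host) for every 4720 event."""
    return [(e["Time"], e["SubjectUserName"], e["TargetUserName"], e["Computer"])
            for e in events if e["EventID"] == EVT_USER_CREATED]


def logons_for(events, account):
    """Where and how an account logged on: (time, host, source IP, logon type)."""
    return [(e["Time"], e["Computer"], e.get("IpAddress", "-"), e.get("LogonType"))
            for e in events
            if e["EventID"] == EVT_LOGON_OK
            and e["TargetUserName"].lower() == account.lower()]


def triage(text, account="DefaultAccount"):
    """Run every check and cross-correlate the results into one report dict."""
    events = parse_events(text)
    report = {
        "log_cleared": log_clear_events(events),
        "failed_logon_sources": failed_logon_sources(events),
        "account_creations": account_creations(events),
        "logons": logons_for(events, account),
    }
    # Correlation: an account created during the incident that afterwards logs
    # on from an IP seen guessing passwords is a strong sign of attacker access.
    bad_ips = set(report["failed_logon_sources"])
    report["created_then_used_from_bad_ip"] = sorted({
        (created, ip)
        for t_created, _, created, _ in report["account_creations"]
        for t_logon, _, ip, _ in logons_for(events, created)
        if t_logon > t_created and ip in bad_ips
    })
    # Deduplicated, sorted list handed to the firewall team for a block rule.
    report["firewall_block_candidates"] = sorted(bad_ips)
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Run it as-is to see the report on the constructed sample; on a real engagement, feed it a JSON-lines export of the Security log from the artifact collector and remember that the 1102 entry marks the start of surviving coverage on that host, so any finding is a lower bound for what happened before it.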

SOC vs. Standard CS-IRT vs. Comprehensive CS-IRT

Each service category below is described once, followed by its availability in the three service levels: SOC (MDR), SOC (MDR) + Standard CS-IRT, and SOC (MDR) + Comprehensive CS-IRT.

Managed Detections (Active Monitoring)

Constant support to improve readiness for cyber attacks; 24x7 alert monitoring & notifications; triage: qualification & validation of alerts.
SOC (MDR): ✓ | SOC (MDR) + Standard CS-IRT: ✓ | SOC (MDR) + Comprehensive CS-IRT: ✓

Response

Block suspicious activities on specific compromised hosts; respond via remote access and explore via scripts; quarantine suspicious messages and network-contain specific hosts.
SOC (MDR): ✓ | SOC (MDR) + Standard CS-IRT: ✓ | SOC (MDR) + Comprehensive CS-IRT: ✓

Threats Management

Threat hunting (manual/semi-automatic); threat intelligence.
SOC (MDR): ✓ | SOC (MDR) + Standard CS-IRT: ✓ | SOC (MDR) + Comprehensive CS-IRT: ✓

Standard Incident Response (IR)

Network-wide attack vector investigation, including: search for suspicious events, artifacts and IOAs; removal of planted persistence, malware artifacts and malware-less activities on all endpoints, servers and networking equipment, including AD & FW.
SOC (MDR): ✖ | SOC (MDR) + Standard CS-IRT: ✓ | SOC (MDR) + Comprehensive CS-IRT: ✓

Comprehensive Incident Response (IR)

Advisory to top management on common dilemmas in multiple critical aspects during and after the attack, e.g.: status and information sharing during and after the attack with employees/customers/suppliers/media/law enforcement; the operational decision whether to shut down part or all of the operation during the attack, in parallel with our IR process; ransomware negotiation with hackers.
SOC (MDR): ✖ | SOC (MDR) + Standard CS-IRT: ✖ | SOC (MDR) + Comprehensive CS-IRT: ✓