Proactive threat discovery
We know how to effectively identify attack symptoms and intruder presence in the organization's infrastructure. A sample task for a threat hunter is to run dedicated software (e.g. a honeypot) or to monitor DNS traffic inside a network looking for potentially malicious activity, e.g. by checking the entropy of queried names, the types of DNS requests, or by comparing domains with Indicators of Compromise (IOC) received from threat intelligence. Log analysis in this case is not limited to monitoring basic events; it means deep analysis that correlates many sources which together can indicate that integrity has been compromised. Every solution is individually prepared to fit the customer's needs in order to get the best detection rates. Thanks to this approach there is a real possibility of detecting an attack, including targeted ones, which helps in reacting on time before real damage is done.
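The DNS checks named above (label entropy, rare record types, IOC matching from a threat-intelligence feed), as an added illustration that is not the company's software: the log lines, IOC domains and thresholds are constructed placeholders.

```python
import math
from collections import Counter

# Constructed sample DNS query log: "client qname rtype" per line (not from the original page).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 x7f3k9q2z8vbp1m4n6c0w5.badtld.example TXT
10.0.0.7 evil-updates.example NULL
10.0.0.9 login.corp.example A
"""

# Constructed IOC list standing in for a threat-intelligence feed (placeholder domains).
IOC_DOMAINS = {"evil-updates.example", "c2.malicious.example"}

# Record types ordinary clients rarely issue; a burst of them deserves a closer look.
SUSPICIOUS_RTYPES = {"TXT", "NULL", "ANY"}
ENTROPY_THRESHOLD = 3.5   # bits per character; assumed value, tune per environment
MIN_LABEL_LEN = 12        # short labels cannot reach high entropy, so skip them

def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def longest_label(qname: str) -> str:
    """The longest dot-separated label, where generated names usually hide."""
    return max(qname.rstrip(".").split("."), key=len)

def hunt(log_text: str, iocs=IOC_DOMAINS) -> list[tuple[str, str, str]]:
    """Return (client, qname, reason) for every query that trips a check."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the run
        client, qname, rtype = parts
        qname = qname.lower().rstrip(".")
        if qname in iocs:
            findings.append((client, qname, "ioc-match"))
        label = longest_label(qname)
        if len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= ENTROPY_THRESHOLD:
            findings.append((client, qname, "high-entropy-label"))
        if rtype.upper() in SUSPICIOUS_RTYPES:
            findings.append((client, qname, f"rare-rtype:{rtype.upper()}"))
    return findings

if __name__ == "__main__":
    for finding in hunt(SAMPLE_DNS_LOG):
        print(finding)
```

On the sample log the two benign hosts produce nothing, while the generated-looking TXT query and the IOC-listed NULL query are each reported twice, once per check that fired.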
Threat Intelligence
Cyber Threat Intelligence (CTI) is used to get constant information updates from outside sources about a given organization. The service consists of two main parts: information for security teams, mostly used for automatic data enrichment of internal monitoring systems such as SIEM, IPS (Intrusion Prevention System) or IDS/NIDS/HIDS (Intrusion Detection System; Network, Host). The simplest example of such enrichment might be acquiring information on IP addresses used by attackers from the honeypot network, or detecting changes of open ports in the company infrastructure. We use dedicated proprietary software which, depending on customer needs, automatically looks for potential threats or changes that might indicate a compromise. We support infrastructure monitoring with data from CTI, which allows us to effectively detect targeted attacks. Our software collects information available on the Internet (OSINT) and actively monitors organization assets to look for changes in both external (WAN) and internal (LAN) networks.
OSINT
We perform OSINT (Open-Source Intelligence) engagements in which we gather a significant amount of information about the target organization from the Internet.
SIEM rules
We create rules for SIEM (Security Information and Event Management) systems, especially for Windows systems. This is part of our threat hunting service, alongside extending logging capabilities, honeypot construction, etc.
Security Operations Center (SOC)
The threat hunting service is usually delivered as the 3rd and last line of the Security Operations Center (SOC). Additionally, with our partner we are able to offer full SOC outsourcing consisting of 3 lines working 24/7.
SOC3 service
We provide the last line of the Security Operations Center (SOC). It can be offered directly to a customer which has only 1st and 2nd line support. Alternatively, we offer this service in partnership with other IT security companies which offer only the first lines of support and need professional threat hunting and incident response.