Managed Detection & Response
Intelligence services for early identification of sophisticated threats
Proactive defence based on information about emerging risks is both a necessity and a challenge for most organizations. Many still have a reactive focus, and others who already consume intelligence feeds find themselves with outdated, barely reliable and unhelpful information. Threat Intelligence is about knowing, understanding and profiling our adversaries in order to anticipate and detect new attacks that evade our defensive solutions.
Our commitment to Threat Intelligence has led to the creation of our proprietary Intelligence Feed, the implementation of Threat Intelligence Platforms (TIPs) and the acquisition of a malware analysis company, Dinoflux.
We help any organization to proactively prepare, detect and respond to their adversaries:
- Strategic Intelligence: we provide the C-level (CISO, CIO, CDRO, etc.) with high-level information on the type of actors attacking their sector and regions, their motivation, and which business assets they tend to target, allowing them to define their risk profile and design an appropriate defence strategy.
- Operational Intelligence: we provide SOC teams (intel analysts, hunters, red teams, etc.) with the latest actionable information about the specific techniques, tools and procedures that threat actors use. This knowledge adds the level of technical detail required to design and fortify your defences, train your personnel and proactively hunt for signs of ongoing breaches within your network.
- Tactical Intelligence (IoCs): we also provide our customers with technical information to search for the traces attackers leave during their activity outside or within the customer's infrastructure: IP addresses, domains, URLs, file names and, in general, any data identifying new incidents and campaigns. This is what we call Indicators of Compromise (IoCs): pieces of information delivered in standard formats (STIX/TAXII, JSON over HTTP, etc.) so that they can be ingested and processed by security devices, enabling better automated detection as well as threat contextualization and triage.
An organization's journey towards modern intelligence-driven security operations involves fully operationalizing both high-level and low-level internal intelligence and external feeds within its core security processes. Threat Intelligence Platforms (TIPs) allow powerful ingestion and processing of a vast variety of threat sources, formats and protocols, leveraging correlation and enrichment engines to contextualize threats and reduce the risk from targeted attacks.
Once the intelligence is stored and processed, TIPs make it possible to:
- Push this intelligence to a SIEM in order to perform automated detection and hunting.
- Automate some incident response actions by integrating with other platforms and tools (ticketing systems, firewalls, IDS, sandboxes, MISP, etc.).
- Provide SOC teams (intelligence teams, incident response teams, reversers, etc.) with a powerful, collaborative environment in which to triage alerts, investigate incidents and exchange intelligence among themselves or with external parties.
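As an added illustration of the tactical-intelligence and TIP workflow described above (not code from this page or from any product it names), the following Python ingests two constructed feeds, a STIX 2.1 bundle and a flat JSON list, drops expired indicators, fuses duplicates by highest confidence and matches the result against constructed proxy and firewall log lines, as a SIEM would do with IoCs pushed from a TIP. All indicator values, feed records and log lines are constructed samples, and `load_stix`, `fuse` and `match_logs` are names chosen here.

```python
import re
from datetime import datetime, timezone

# One atomic STIX 2.1 comparison, e.g. [ipv4-addr:value = '203.0.113.7']
PATTERN_RE = re.compile(r"\[(?:domain-name|ipv4-addr|url):value = '([^']+)'\]")

def load_stix(bundle, now):
    """IoC value -> confidence for STIX indicators still within valid_until."""
    iocs = {}
    for obj in (o for o in bundle["objects"] if o.get("type") == "indicator"):
        until = obj.get("valid_until", "9999-12-31T00:00:00Z")
        if datetime.fromisoformat(until.replace("Z", "+00:00")) < now:
            continue  # stale IoC: a TIP should not push it to the SIEM
        if m := PATTERN_RE.fullmatch(obj["pattern"]):
            iocs[m.group(1)] = obj.get("confidence", 50)
    return iocs

def load_flat_feed(records):
    """Second source: a flat JSON list as a plain HTTP feed would return it."""
    return {r["indicator"]: r.get("confidence", 50) for r in records}

def fuse(*sources):
    """Fusion: one entry per IoC value, keeping the highest confidence seen."""
    fused = {}
    for src in sources:
        for value, conf in src.items():
            fused[value] = max(conf, fused.get(value, 0))
    return fused

def match_logs(iocs, lines, min_conf=50):
    """(line_no, ioc, confidence) for every log line containing a scored IoC."""
    return [(n, v, c) for n, line in enumerate(lines, 1)
            for v, c in iocs.items() if c >= min_conf and v in line]

# Constructed sample data (not real indicators): a STIX bundle, a flat feed, logs.
STIX_BUNDLE = {"type": "bundle", "id": "bundle--constructed", "objects": [
    {"type": "indicator", "id": "indicator--a", "confidence": 85,
     "valid_until": "2030-01-01T00:00:00Z",
     "pattern": "[domain-name:value = 'update.example-c2.test']"},
    {"type": "indicator", "id": "indicator--b", "confidence": 95,
     "valid_until": "2020-01-01T00:00:00Z",  # expired: must not reach the SIEM
     "pattern": "[ipv4-addr:value = '198.51.100.23']"}]}
FLAT_FEED = [{"indicator": "203.0.113.7", "type": "ip", "confidence": 70},
             {"indicator": "198.51.100.23", "type": "ip", "confidence": 30}]
LOGS = ["2024-05-01T10:00:01Z proxy GET http://update.example-c2.test/a.php 200",
        "2024-05-01T10:00:02Z fw ACCEPT src=10.0.0.5 dst=203.0.113.7 dport=443",
        "2024-05-01T10:00:03Z fw ACCEPT src=10.0.0.6 dst=198.51.100.23 dport=443"]

def run(now=datetime(2024, 5, 1, tzinfo=timezone.utc)):
    iocs = fuse(load_stix(STIX_BUNDLE, now), load_flat_feed(FLAT_FEED))
    return iocs, match_logs(iocs, LOGS)
```

The third log line is deliberately left unmatched: its IP survives only from the low-confidence flat feed once the expired STIX indicator is dropped, so it falls below the push threshold.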
We have already implemented a TIP within our internal corporate security and in customer SOCs. Combined with the field work carried out by our MDR Lab (over 10 different commercial and open source TIPs evaluated) and our agreements with best-in-class TIP vendors, we can provide our customers with tailor-made projects aimed at deploying and implementing a TIP quickly and hassle-free. We offer two delivery models:
- Fully Managed TIP: for customers who wish to outsource their TIP implementation and operation, we provide a TIP service covering intelligence feed selection, fusion and scoring of threat intel, SIEM integration to enhance detection, managed TIP playbooks to accelerate response actions, consulting to help build the processes required to integrate such capabilities into a SOC, etc.
- Standalone TIP: for customers who have sufficient capabilities to run a TIP internally, we offer bespoke consulting services to help with TIP selection, the design of the operational processes, TIP integration and support.
- Dinoflux is an intelligence tool that leverages a multi-format and multi-sandbox approach (commercial, open-source and proprietary analysis frameworks) and provides both static and dynamic analysis to identify a binary's behaviour, capabilities and associated threat indicators (IoCs).
- The tool leverages a proprietary clustering system, based on a similarity engine, YARA rule matching and a multi-AV solution, that relates unknown new threats to existing malware families, campaigns and threat actors while optimizing the processing workload.
- Dinoflux can operationalize the intelligence it generates by exporting the associated IoCs and detection rules (Snort, YARA, etc.) to third-party security devices (SIEM, IDS, etc.) via a TAXII server, a private API and other export mechanisms.
- We employ Dinoflux internally to improve the capabilities of our managed services, and we also offer it as a standalone product for customers who want to empower their analyst teams to process malware at scale and leverage the intelligence generated from both their own malware sources and the sources we provide as part of the tool.