Dawgen Cybersecurity Services: DETECT, RESPOND, and RECOVER!

September 20, 2022 by dglobal0

Comprehensive Cybersecurity Services: Safeguarding Your Business with Cutting-Edge Threat Intelligence

Now it is more important than ever to ensure the security of your organization's assets. Social engineering, malware, supply chain attacks: cybercriminals use a range of tactics to infiltrate networks, expose valuable information, and profit from it.

However, you are not defenceless. Professionally managed security audits help you protect critical data, assess the effectiveness of your existing security controls, and create new, improved security policies.

Dawgen Global, as part of its multidisciplinary practice, now offers cyber threat defense services.

Cybersecurity professionals face growing demand to acquire the knowledge and skills needed to keep citizens safe from cyberattacks, to anticipate attacks with scientific methods, and to raise public awareness. A proactive defence is most effective when it combines knowledge from several disciplines and professions. Greater public awareness, combined with broad multi-domain knowledge and social computing skills, is likely to reduce the number of cyberattack victims and improve the quality of cyber systems in general.

This is where Dawgen Cyber Threat Defence (DCTD) comes in. In conjunction with our global partners, we offer a comprehensive suite of cybersecurity solutions that DETECT, RESPOND, and RECOVER.

A professional security audit provides a roadmap for your organization's security strategy and identifies weaknesses and areas for improvement. Based on the audit findings, our experienced specialists propose a cybersecurity strategy tailored to the specific needs of your organization and prepare risk assessment plans and mitigation procedures to protect your sensitive and confidential data using current technologies.

A security audit is the foundation of cybersecurity. As a systematic evaluation of your organization's security, it covers the different areas of your security strategy: the physical configuration and environment of your systems, software, information handling processes, and user practices. With the help of our experts, you can strengthen your security strategy to protect valuable information against potential cyber threats.

Dawgen Cyber Threat Defense (DCTD) provides a managed SOC (security operations center) service that leverages our Threat Monitoring Platform to detect malicious and suspicious activity across three critical attack surfaces: endpoint, network, and cloud. Our team of security analysts hunt, triage, and work with your team when actionable threats are discovered.

The DCT Defense SOC team works on the IT PARTNER's behalf to detect, respond to, and remediate critical cybersecurity incidents with all the tools and methods available. The DCT Defense incident response team's toolset is continually adapted to global threat patterns by developing new applications and integrations that combine automated (machine) and human analysis and action. This dual automated and manual approach provides a redundant layer of action to detect, investigate, contain, report, and recover.

We base our incident response model on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (the NIST Cybersecurity Framework) and the MITRE ATT&CK® framework, among others. These frameworks enable organizations to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure. The NIST framework provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today.

Below we discuss in more detail the DCTD methodology for DETECT, RESPOND, and RECOVER.

Detections

A threat event has the potential to cause consequences or impact. Events include unauthorized access to computers, unauthorized use of system privileges, and execution of malware that destroys or encrypts a system or steals data. Think of an event as an observable occurrence, such as a failed login to a computer. It could be unintentional or intentional; both are considered events.

A security incident is a violation, or an imminent threat of violation, of security policies or industry best practices. Incident examples include:

  • Denial of service – an attacker sends high volumes of connection requests to a server until it can no longer serve legitimate users, or crashes.
  • Phishing – employees are enticed to open email attachments or click links, resulting in malware being installed or a connection being established to attacker-controlled systems.
  • Malware – a type of software designed to perform malicious tasks: create persistent access, spy on the user, cause disruption, etc. The most notable form of malware today is ransomware.
  • Ransomware – an attacker obtains unauthorized access and encrypts the system, then demands payment before the computer is decrypted and operational again.
  • RDP hijacking – the attacker "resumes" a previously disconnected RDP session. This allows the attacker to get into a privileged system without having to steal the user's credentials.
  • PowerShell – attackers commonly use command and script interpreters such as PowerShell to execute malicious commands, scripts, and binaries during an attack.
  • PowerShell without PowerShell – PowerShell commands and scripts can be executed from any .NET process by loading the underlying System.Management.Automation assembly. This eliminates the need to spawn powershell.exe and sidesteps detections that key on that process name.
  • Business Email Compromise (BEC) – an attacker gains unauthorized access to an employee's email account and uses it to defraud the business or its contacts.
  • Man-in-the-middle attack (MITM) – an attacker intercepts the communication between two parties to spy on the victims, steal personal information or credentials, or alter the conversation.
  • Zero-day exploit – cybercriminals learn of a vulnerability in widely used software applications or operating systems and target organizations using that software before a fix becomes available.
  • Cryptojacking – cybercriminals compromise a user's computer or device and use it to mine cryptocurrencies such as Bitcoin.
  • DNS tunnelling – an attack vector designed to provide attackers with persistent access to a target. Because many organizations fail to monitor DNS traffic for malicious activity, attackers can encode commands, data, or malware inside DNS queries (requests sent from the client to the resolver) and responses. The result is a persistent command-and-control channel that a firewall configured to allow DNS will not notice without DNS-specific inspection.
  • Drive-by attack – a "drive-by download" attack is one where an unsuspecting victim visits a website that infects their device with malware. The site may be directly controlled by the attacker or may have been compromised. In some cases the malware is served through content such as banners and advertisements. Exploit kits are available that let novice attackers easily set up malicious websites or distribute malicious content through other means.
  • Eavesdropping attack – sometimes referred to as "snooping" or "sniffing", an eavesdropping attack is one where the attacker looks for unencrypted network communications to intercept and read data being sent across the network. This is one of the reasons employees are asked to use a VPN when accessing the company network from a public Wi-Fi hotspot.
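The DNS tunnelling entry above makes the point that the channel hides inside ordinary-looking queries and that most organizations never inspect them. The following is an added example, not code from Dawgen or RocketCyber, of the kind of heuristic a DNS log monitor can apply: it profiles a constructed query log per registered domain and flags domains that receive many distinct, long or high-entropy subdomains, while leaving a busy but benign CDN alone. The log line format, the two-label rule for the registered domain and the thresholds are assumptions made for the illustration.

```python
"""Heuristic DNS tunnelling detection over a constructed DNS query log.

Added example, not RocketCyber/DCTD code. Assumptions:
  * each log line is "<epoch> <client_ip> <qname> <qtype>" (a constructed format);
  * the registered domain is the last two labels of the name (adequate for the
    sample; a real deployment would use the Public Suffix List);
  * the thresholds below are illustrative starting points, not tuned values.
"""
import math
from collections import defaultdict

MIN_UNIQUE_SUBDOMAINS = 5   # fewer distinct subdomains than this is ordinary browsing
LENGTH_THRESHOLD = 40       # mean subdomain length (chars) typical of encoded payloads
ENTROPY_THRESHOLD = 3.5     # mean Shannon entropy (bits/char) of the subdomain part

# Constructed sample: normal lookups, a busy but benign CDN, and a tunnel that
# carries base64-looking labels (made up, they decode to nothing) to t.evil-cdn.net.
SAMPLE_LOG = """\
1663660001 10.0.0.5 www.example.com A
1663660002 10.0.0.5 mail.example.com MX
1663660003 10.0.0.5 cdn.example.com A
1663660004 10.0.0.7 img1.cdn-legit.com A
1663660005 10.0.0.7 img2.cdn-legit.com A
1663660006 10.0.0.7 img3.cdn-legit.com A
1663660007 10.0.0.7 img4.cdn-legit.com A
1663660008 10.0.0.7 img5.cdn-legit.com A
1663660009 10.0.0.7 img6.cdn-legit.com A
1663660010 10.0.0.9 aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.c2Vjb25kIGNodW5rIG9mIGRhdGE.t.evil-cdn.net TXT
1663660011 10.0.0.9 dGhpcmQgY2h1bmsgb2YgZGF0YSBnb2VzIGhlcmU.Zm91cnRoIGNodW5rIGhlcmU.t.evil-cdn.net TXT
1663660012 10.0.0.9 ZmlmdGggY2h1bmsgb2YgZXhmaWwgZGF0YQ.c2l4dGggY2h1bmsgaGVyZQ.t.evil-cdn.net TXT
1663660013 10.0.0.9 c2V2ZW50aCBjaHVuayBvZiB0aGUgZmlsZQ.ZWlnaHRoIGNodW5rIGdvZXM.t.evil-cdn.net TXT
1663660014 10.0.0.9 bmludGggY2h1bmsgb2YgZGF0YSBoZXJl.dGVudGggY2h1bmsgZG9uZQ.t.evil-cdn.net TXT
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: 0.0 for one repeated symbol, 2.0 for four distinct ones."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Return (subdomain_part, registered_domain) using the two-label assumption."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def profile_domains(log_text: str):
    """Aggregate per registered domain: distinct subdomains, clients, TXT/NULL share."""
    stats = defaultdict(lambda: {"subdomains": set(), "clients": set(), "txt_null": 0, "total": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname, qtype = line.split()
        sub, reg = split_name(qname)
        st = stats[reg]
        st["total"] += 1
        st["clients"].add(client)
        if qtype in ("TXT", "NULL"):
            st["txt_null"] += 1
        if sub:
            st["subdomains"].add(sub)
    return stats


def score_domain(st) -> list:
    """Return the reasons a domain looks like a tunnel endpoint (empty list = clean)."""
    subs = st["subdomains"]
    if len(subs) < MIN_UNIQUE_SUBDOMAINS:
        return []
    mean_len = sum(len(s) for s in subs) / len(subs)
    mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
    reasons = []
    if mean_len >= LENGTH_THRESHOLD:
        reasons.append(f"long subdomain labels (mean {mean_len:.0f} chars)")
    if mean_entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy subdomains (mean {mean_entropy:.2f} bits/char)")
    if not reasons:
        return []  # many subdomains alone (a CDN, for instance) is not evidence
    if st["txt_null"] / st["total"] >= 0.5:
        reasons.append("mostly TXT/NULL queries")  # corroborating, never sufficient alone
    return reasons


def detect_tunnelling(log_text: str) -> dict:
    """Map registered domain -> reasons, for every domain that trips the heuristics."""
    findings = {}
    for reg, st in profile_domains(log_text).items():
        reasons = score_domain(st)
        if reasons:
            findings[reg] = reasons
    return findings


if __name__ == "__main__":
    for domain, reasons in detect_tunnelling(SAMPLE_LOG).items():
        print(f"SUSPICIOUS {domain}: " + "; ".join(reasons))
```

Running the file reports evil-cdn.net only; cdn-legit.com has just as many distinct subdomains, but they are short and low-entropy, which is why the subdomain count on its own is deliberately not a trigger. In production the same profile should be built per client as well as per domain, and the query volume per minute added as a further signal.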

Cyber Threat Intelligence

One of the approaches we follow is MITRE ATT&CK mapping, which helps us understand adversary behavior as a first step in protecting networks and data. The MITRE ATT&CK® framework is based on real-world observations and documents 100+ threat actor groups, including the techniques and software they use. It helps identify defensive gaps, assess security tool capabilities, organize detections, hunt for threats, and validate mitigation controls.

ATT&CK describes behaviors across the adversary lifecycle, commonly known as tactics, techniques, and procedures (TTPs). These behaviors are described at four increasingly granular levels:

  • Tactics represent the "what" and "why" of an ATT&CK technique or sub-technique. They are the adversary's technical goals: the reason for performing an action and what they are trying to achieve. For example, an adversary may want to achieve credential access in order to move further into a target network. Each tactic contains an array of techniques that network defenders have observed being used in the wild by threat actors.
  • Techniques represent how an adversary achieves a tactical goal by performing an action. For example, an adversary may dump credentials to achieve credential access. Techniques may also represent what an adversary gains by performing an action. A technique is a specific behavior used to achieve a goal and is often a single step in a chain of activities intended to complete the adversary's overall mission.
  • Sub-techniques provide more granular descriptions of techniques. For example, the OS Credential Dumping technique has sub-techniques that describe specific methods of performing it. Sub-techniques are often, but not always, operating system or platform specific. Not all techniques have sub-techniques.
  • Procedures describe the specific ways a technique or sub-technique has been used by a particular adversary or piece of software. They are useful for replicating an incident through adversary emulation and for the specifics of how to detect that instance in use.

The steps we follow are:

  • Find the behavior. Searching for signs of adversary behavior is a paradigm shift from looking only for Indicators of Compromise (IOCs): hashes of malware files, URLs, domain names, and other artifacts of previous compromises. The RocketCyber Agent collects evidence of how the adversary interacted with specific platforms and applications, so that a chain of anomalous or suspicious behavior can be found before damage is done to the customer's business.
  • Research the behavior. Additional research may be needed to gain the context required to understand suspicious adversary or software behaviors. Use the resources integrated with RocketCyber's platform, and external resources where needed, to gather information on the potential threat.
  • Identify the tactics. Comb through the report to identify the adversary's tactics and the flow of the attack. To identify the tactics, focus on what the adversary was trying to accomplish and why. Was the goal to steal data? To destroy data? To escalate privileges?
  • Identify the techniques. After identifying the tactics, review the technical details of how the adversary tried to achieve those goals. For example, how did the adversary gain the Initial Access foothold: through spear-phishing or through an external remote service? Narrow down the range of possible techniques by reviewing the observed behaviors in the report.
  • Identify the sub-techniques. Review the sub-technique descriptions to see whether one matches the information in the report. Depending on the level of detail in the reporting, it may not be possible to identify the sub-technique in every case. Read the descriptions carefully to understand the differences between them; for example, Brute Force has four sub-techniques: Password Guessing, Password Cracking, Password Spraying, and Credential Stuffing.
  • Take or recommend remediation steps appropriate to the identified threat(s).

Event Data Collection, Analysis and Triage (DETECT)

Triage is the investigation of a threat event, resulting in a verdict of malicious, suspicious, or benign. Events judged malicious or suspicious are treated as incidents. Events are generated throughout the day and span networks, endpoints (computers), and cloud applications.

The DCT Defense SOC uses multiple cyber intelligence feeds to enhance many of the services below and to detect newly emerging threats. The agent continuously monitors for suspicious or malicious behavior and presents its findings as data that can be actioned through automation or by human analysts.

Below is a list of the ever-evolving services that the DCT Defense platform and SOC team constantly monitor, triage, and respond to. Should a serious threat be found, the agent can isolate the device from the rest of the network, allowing further investigation without exposing the rest of the customer's systems.

  • ADVANCED BREACH DETECTION – The Agent identifies computers that have been compromised because security defenses were circumvented. Malicious activity reported by our SOC agent requires immediate investigation.
  • CRYPTO MINING DETECTION – The Agent detects crypto mining activity from browser-based crypto miners as well as common crypto mining client software.
  • CYBER TERRORIST NETWORK CONNECTIONS – The Agent detects network connections to nation states known to engage in cyberterrorist activity, and malicious network activity such as backdoor connections to C2 servers and other malicious systems.
  • ENDPOINT EVENT LOG MONITOR – The Agent monitors the Microsoft Windows event log (or the macOS equivalent) for suspicious events. Detected events are security-related activities such as failed logins, clearing of security logs, and other unauthorized activity.
  • FIREWALL LOG ANALYZER – The Agent acts as a syslog server, collecting log messages from edge devices on your network. Messages are parsed and analyzed for potential threat indicators; when a potential threat or security-related event is detected, the detection is forwarded to the Cloud Console.
  • MALICIOUS FILE DETECTION – The Agent monitors for and detects suspicious and malicious files that are written to disk or executed.
  • MICROSOFT EXCHANGE HAFNIUM EXPLOIT DETECTION – The Agent looks for specific indicators of compromise (IOCs) related to exploitation of Microsoft Exchange 2010, 2013, 2016 and 2019 via CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, the vulnerabilities exploited by the HAFNIUM group. It also reports the patch status for mitigations against these vulnerabilities.
  • OFFICE 365 LOGIN ANALYZER – Detects logins from outside the expected countries or from known malicious IP addresses.
  • OFFICE 365 LOG MONITOR – The SOC Platform ingests and reports on Microsoft Office 365 and Azure log data.
  • OFFICE 365 RISK DETECTION – We focus on the riskiest accounts, users, and behaviors, with risk determined through a combination of industry heuristics and machine learning.
  • OFFICE 365 SECURE SCORE – An overall description of the cloud security posture, with itemized remediation plans across all Office 365 tenants.
  • SUSPICIOUS NETWORK SERVICES – The Agent detects suspicious network services running on an endpoint. While any of the 65,535 TCP/UDP ports may be used legitimately, suspicious detections are defined as well-known ports and services that are commonly leveraged for malicious intent.
  • SUSPICIOUS TOOLS – The Agent detects programs that can negatively affect the security of the system and the business network. Detected suspicious tools should be investigated; they are categorized as hacking utilities, password crackers, or other tools used by attackers for malicious purposes.
  • BITDEFENDER MONITOR – The SOC Platform ingests and reports on detections from Bitdefender.
  • CYLANCE MONITOR – The SOC Platform ingests and reports on detections from Cylance.
  • DEEP INSTINCT MONITOR – The SOC Platform ingests and reports on information from Deep Instinct.
  • SENTINELONE MONITOR – The SOC Platform ingests and reports on detections from SentinelOne. The integration allows the SOC to trigger actions from the SentinelOne agent installed on the endpoint: kill, quarantine, remediate, rollback, and disconnect the device from the network.
  • SOPHOS MONITOR – The SOC Platform ingests and reports on detections from Sophos.
  • WEBROOT MONITOR – The SOC Platform ingests and reports on detections from Webroot.
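The ATT&CK mapping steps and the ENDPOINT EVENT LOG MONITOR entry above both describe turning raw events into triage verdicts with a tactic and technique attached. The following added example (not RocketCyber or DCTD code) runs three detections over constructed Windows Security log records: password spraying from one source, a cleared Security log, and a script host spawned by an Office application or launched with obfuscation flags. Each finding carries a verdict of malicious or suspicious plus the ATT&CK technique and tactic it maps to; any event no detector claims is benign. The record field names, the thresholds and the verdict rules are assumptions made for the illustration; the ATT&CK identifiers are the framework's own.

```python
"""Triage of constructed Windows Security log records with MITRE ATT&CK tags.

Added example, not RocketCyber/DCTD code. Records are constructed dicts shaped
like exported Security log fields (4625 failed logon, 4688 process creation,
1102 audit log cleared). Thresholds and verdict rules are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SPRAY_MIN_ACCOUNTS = 5                 # distinct accounts from one source (assumed threshold)
SPRAY_WINDOW = timedelta(minutes=10)   # look-back for counting those accounts (assumed)
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOST_TECHNIQUES = {             # child image -> ATT&CK Execution sub-technique
    "powershell.exe": "T1059.001", "pwsh.exe": "T1059.001",
    "cmd.exe": "T1059.003",
    "wscript.exe": "T1059.005", "cscript.exe": "T1059.005",
}
OBFUSCATION_FLAGS = ("-enc", "-nop", "hidden", "bypass")   # substrings of the command line

SAMPLE_EVENTS = [
    # one failed logon by a real user from an internal address: benign noise
    {"EventID": 4625, "TimeCreated": "2022-09-20T09:00:00", "Computer": "DC01",
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    # six different accounts from one external address within a minute
    *[{"EventID": 4625, "TimeCreated": f"2022-09-20T09:01:{i * 10:02d}", "Computer": "DC01",
       "TargetUserName": user, "IpAddress": "203.0.113.7"}
      for i, user in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])],
    # Word spawning PowerShell with an encoded command (placeholder; decodes to "ABC")
    {"EventID": 4688, "TimeCreated": "2022-09-20T09:05:00", "Computer": "WS-014",
     "ParentProcessName": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -EncodedCommand QQBCAEMA"},
    # ordinary interactive process: benign
    {"EventID": 4688, "TimeCreated": "2022-09-20T09:06:00", "Computer": "WS-014",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
    # PowerShell from Explorer with an execution-policy bypass: worth a look, not proof
    {"EventID": 4688, "TimeCreated": "2022-09-20T09:07:00", "Computer": "WS-022",
     "ParentProcessName": r"C:\Windows\explorer.exe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\bob\x.ps1"},
    # Security log cleared on the host where Word spawned PowerShell
    {"EventID": 1102, "TimeCreated": "2022-09-20T09:10:00", "Computer": "WS-014",
     "SubjectUserName": "svc_backup"},
]


def finding(verdict, techniques, tactics, host, summary):
    return {"verdict": verdict, "techniques": techniques, "tactics": tactics,
            "host": host, "summary": summary}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_password_spraying(events):
    """4625 failures for many distinct accounts from one source inside SPRAY_WINDOW."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625:
            by_source[e["IpAddress"]].append(e)
    findings = []
    for src, fails in by_source.items():
        fails.sort(key=lambda e: e["TimeCreated"])   # ISO timestamps sort as strings
        for i, first in enumerate(fails):
            start = datetime.fromisoformat(first["TimeCreated"])
            window = [f for f in fails[i:]
                      if datetime.fromisoformat(f["TimeCreated"]) - start <= SPRAY_WINDOW]
            accounts = {f["TargetUserName"] for f in window}
            if len(accounts) >= SPRAY_MIN_ACCOUNTS:
                findings.append(finding("malicious", ["T1110.003"], ["Credential Access"],
                                        first["Computer"], f"{len(accounts)} accounts tried from {src}"))
                break   # one finding per source is enough to open an incident
    return findings


def detect_log_clearing(events):
    """1102 is never routine: clearing the Security log is Defense Evasion."""
    return [finding("malicious", ["T1070.001"], ["Defense Evasion"], e["Computer"],
                    f"Security log cleared by {e.get('SubjectUserName', '?')}")
            for e in events if e["EventID"] == 1102]


def detect_script_hosts(events):
    """4688: script host spawned by an Office app (malicious) or with obfuscation flags (suspicious)."""
    findings = []
    for e in events:
        if e["EventID"] != 4688:
            continue
        child, parent = basename(e["NewProcessName"]), basename(e.get("ParentProcessName", ""))
        if child not in SCRIPT_HOST_TECHNIQUES:
            continue
        exec_technique = SCRIPT_HOST_TECHNIQUES[child]
        cmd = e.get("CommandLine", "").lower()
        if parent in OFFICE_PARENTS:   # Office -> script host is the classic phishing attachment chain
            findings.append(finding("malicious", ["T1566.001", exec_technique],
                                    ["Initial Access", "Execution"], e["Computer"],
                                    f"{parent} spawned {child}"))
        elif any(flag in cmd for flag in OBFUSCATION_FLAGS):
            findings.append(finding("suspicious", [exec_technique], ["Execution"],
                                    e["Computer"], f"{child} launched with: {cmd}"))
    return findings


def triage(events):
    """Run every detector; whatever comes back is an incident, everything else is benign."""
    return detect_password_spraying(events) + detect_log_clearing(events) + detect_script_hosts(events)


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f['verdict'].upper():10} {f['host']:7} {','.join(f['techniques']):20} {f['summary']}")
```

Running the file prints four incidents (three malicious, one suspicious) and stays silent on the lone failed logon and the Notepad launch, which is the benign/suspicious/malicious split the triage paragraph above describes. An analyst would next pivot on the host: WS-014 shows both the Office-to-PowerShell chain and the cleared log, so the two findings belong to one incident.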

Incident Response (RESPOND)

The threat landscape and attackers' techniques are constantly evolving. While it is not feasible to list every attack and response scenario, the guidance below outlines common attack techniques and the anticipated actions of the DCT Defense SOC team and the IT PARTNER. The list is not exhaustive; please use it as a guideline of what to expect when incidents are detected via the SOC platform.

When calling, the SOC will call all available numbers in the Notifications section. If a critical threat to a business system is detected, the SOC manager will authorize taking the device offline to stop the threat from spreading, even if no one can be reached, unless the IT Partner has specified otherwise. The SOC will continue to call the available numbers until a member of the IT Partner's team is reached. Every incident that requires a phone call from the SOC to the IT PARTNER is treated as a Severity 1 case.

When an event is classified as an incident, the RSOC team begins investigation within minutes of detection and provides an update within the agreed timeframe. Response time is measured as the difference between the creation of the incident, as shown in the audit log, and the moment the incident is assigned to an RSOC analyst or manually escalated.

Automated Remediation (RESPOND)

Device Isolation – The DCT Defense RSOC can isolate machines on a customer's network that have an Agent installed. The RSOC uses host isolation to prevent the spread of malicious code by stopping a compromised machine from communicating with other devices on the Internet or on the customer's network. The isolated machine keeps its connectivity to the RSOC, so our analysts can continue the investigation without exposing other devices to malicious code or active attacks. Unless the customer opts out, DCT Defense will isolate potentially compromised machines. DCT Defense isolates the machine manually using the installed RocketAgent and notifies the customer of the isolation via an incident for escalation. The machine remains isolated until the threat has been remediated or the customer has explicitly accepted the risk and asked the RSOC to lift the isolation.

Automated Remediation – For certain incidents, the agent can perform automated remediation tasks. These actions are visible in the Incident view by clicking Remediate Action. Customers can opt in to allow SOC analysts to execute automated remediation actions on affected endpoints. The remediation actions currently available are:

  • Terminate Processes
  • Remove Files
  • Uninstall Programs
  • Modify Registry Keys
  • Stop Services
  • Remove Scheduled Tasks

What Dawgen Cyber Threat Defense (DCTD) Offers

Reemphasizing our strategy to provide the best service possible, DCT Defense's SOAR solution enables the SOC to deliver a proactive, constantly adapting response in a cybersecurity landscape that is too often handled reactively. The SOC combines artificial intelligence, machine learning, and the experience of our certified security analysts to provide an effective and efficient package for your cybersecurity needs.

The agent is a secure, lightweight, easy-to-deploy capability for capturing security telemetry from endpoints for the SOC to triage and log. Its capabilities go beyond log monitoring to include breach detection, network activity and service monitoring, suspicious tool detection, and malicious file detection, providing a comprehensive solution that lets organizations implement advanced detection and response and stop threats that have evaded traditional defenses.

We look forward to doing our part in protecting your networks and data. Contact us today at [email protected] and let's have a conversation about your cybersecurity needs. We will get you protected.

Next Step!

Embrace BIG FIRM capabilities without the big firm price at Dawgen Global, your committed partner in carving a pathway to continual progress in the vibrant Caribbean region. Our integrated, multidisciplinary approach is finely tuned to address the unique intricacies and lucrative prospects that the region has to offer. Offering a rich array of services, including audit, accounting, tax, IT, HR, risk management, and more, we facilitate smarter and more effective decisions that set the stage for unprecedented triumphs. Let's collaborate and craft a future where every decision is a stepping stone to greater success. Reach out to explore a partnership that promises not just growth but a future beaming with opportunities and achievements.

✉️ Email: [email protected] 🌐 Visit: Dawgen Global Website

📞 Caribbean Office: +1876-6655926 / 876-9293670/876-9265210 📲 WhatsApp Global: +1 876 5544445

📞 USA Office: 855-354-2447

Join hands with Dawgen Global. Together, let’s venture into a future brimming with opportunities and achievements


Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region. We are integrated as one Regional firm and provide several professional services including: audit,accounting ,tax,IT,Risk, HR,Performance, M&A,corporate recovery and other advisory services


© 2023 Copyright Dawgen Global. All rights reserved.

© 2024 Copyright Dawgen Global. All rights reserved.