CTM360 - DRP Stack
DIGITAL RISK SECURITY & MONITORING
A comprehensive set of systems, tools, threat intelligence and services that can detect and mitigate any and all cyber attack data points in cyberspace, for all currently known and future unknown categories of cyber attacks
- Cataloging an organization's comprehensive digital footprint as visible on the internet
- Identifying security gaps within the digital footprint
- Recommending fixes and monitoring the digital footprint
- Identifying and analyzing threat attack data points specific to the organization
- Mitigating (incident response) and monitoring all aspects of attack data points
- Keeping abreast (situational awareness) of relevant and evolving cyber threats
CYBERSECURITY RISK SCORECARD (CSRS) - HACKER VIEW
A cyber risk scorecard that provides an organization with the ability to gauge its cybersecurity posture as visible over the internet. An inventory of the same is known as the “attack surface” that an attacker may exploit. Various subsets of an organization's cyber footprint (attack surface) allow the organization to know which aspect is weak and what requires urgent attention due to the high severity of a specific vulnerability. The system monitors this footprint in real time for any degradation or update and adjusts the score accordingly. Furthermore, a benchmark against industry and regional peers provides a measure of progress and reassurance to management and the board.
CYBERSECURITY OPERATION CENTER
The 24 x 7 x 365 system and operations that provide visibility and assistance to the organization's cyber security team. A complete process from detection, analysis and monitoring of suspicious data points to the triggering of incident tickets and incident response, with notification at each step up to the closure of each threat. Takedowns are unlimited, and where applicable incident response is carried out only with the consent of the organization.
CYBER THREAT INTELLIGENCE (CTI)
This is very broad terminology and requires a clear context from the perspective of a consumer of CTI. It is essential to steer away from TIN (Threat Intelligence Noise) in order to focus on what really matters. The three major categories of CTI are IOCs (Indicators of Compromise), IOAs (Indicators of Attack) and IOWs (Indicators of Warning). Furthermore, we isolate what is specific to an organization across all three categories. As all vendors that provide the technology stack inside the network (firewall, endpoint security, IPS, etc.) are focused on IOCs, our focus is on IOAs and IOWs, the attack data points across cyberspace. We do still provide IOCs based on industry and attack campaigns so that an organization can assess how effectively updates reach its internal security technology stack.
This allows them to make random checks to ensure their security products are updating IOCs in a timely manner. Moreover, we also provide comprehensive datasets on various aspects for analysis and research, such as all newly registered domains, the WHOIS database, all SSL certificates, the MITRE catalog of threat actors and campaigns, all breached credentials, and so on.
THREAT HUNTING AND NEUTRALIZING
The cyber threat landscape is always evolving, with new attack techniques and innovative attack types being introduced continuously by threat actors. What is known can be largely automated, but what is new requires an intuitive mindset equipped with the right tools. Once any new form of attack targeting a specific organization is identified, a team of threat analysts formulates a strategy to detect all relevant data points of this attack. Next it maps and identifies all other organizations that may already be targets as well. A semi-automated protocol is maintained until a fully automated system is in place to continue detecting all new attacks in real time.
As a full member of FIRST, we have a very comprehensive incident management system that maintains communication with global registrars, ISPs, social media hosts, CERTs and all relevant stakeholders that participate in resolving attack data points through takedowns, shutdowns, account revocation, domain suspension, account reclaim, etc. Specific attack types have a fully automated system from detection, incident ticket creation and incident response communication up to incident resolution and closure of the ticket.
Brand impersonation and leaked data may lead to online frauds such as advance fee fraud, job scams, financial scams or CEO fraud. Our systems pivot from detected impersonations to detect all suspicious or malicious data points that may be participating in online frauds targeting the organization, its customers, partners, potential customers and job applicants. Where applicable we use the technique of ‘baiting’ to extract evidence and more data points, enabling a holistic incident response that takes out all data points participating in an attack or a campaign.
ONLINE DATA LEAKAGE
A piece of confidential data exposed, intentionally or unintentionally, across the surface, deep or dark web carries the same risks. Staff or vendors may upload documents to data sharing platforms with access rights granted to the general public. Customer data, including compromised card data of banks, is exchanged in forums on the deep or dark web. Credentials for social media accounts where staff use their company email as the user ID are published on the internet. Staff give away confidential information about internal systems in their public CVs. These are just some of the incident data points that our systems monitor for. Our threat analysts avoid noise such as carding sites on the deep web and only report and mitigate what matters.
Phishing is the age-old technique of credential harvesting that over time has evolved into a very robust architecture with a very targeted audience. Detecting a phish at an early stage by monitoring the registration of lookalike domains and newly issued certificates catches almost 50% of phish attacks. The remainder require various other techniques: detection through passive DNS, threat hunting, or brute forcing attack strings on all malicious domains. Moreover, our systems collect all phish feeds across the globe and tag each to its targeted brand. As a result we have the world's largest dataset on phish attacks, with the relevant data points tagged to the brand targeted by each phish URL.
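The early-stage detection described above, monitoring newly registered domains and newly issued certificates for lookalikes of a brand, as an added example that is not CTM360's code. The brand keyword, the allowlist of legitimate domains and the feed entries are all constructed for illustration; the confusable table and the registrable-domain heuristic (single-label public suffix) are simplifying assumptions.

```python
# Added example (not CTM360's code): a minimal lookalike-domain screen of the kind
# early-stage phish detection relies on. Brand, allowlist and feed data are constructed.
BRANDS = {"examplebank": "Example Bank"}               # hypothetical brand keyword -> brand
ALLOWLIST = {"examplebank.com", "examplebank.co.uk"}   # the brand's own, legitimate domains

# Constructed sample feed: newly registered domains and hostnames seen in CT logs.
NEWLY_REGISTERED = ["examp1ebank-login.com", "secure-examplebank.net", "weather-today.org"]
CT_LOG_HOSTNAMES = ["*.exarnplebank.com", "examplebank.com", "mail.examplebnak.info"]

# Common substitutions used to disguise a brand name inside a domain label.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]

def normalize(label):
    """Fold confusable characters so examp1ebank and exarnplebank collapse to examplebank."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label

def edit_distance(a, b):
    """Plain Levenshtein distance; labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_domain(hostname):
    """Drop wildcard and subdomain labels; assumes a single-label public suffix (e.g. .com)."""
    parts = hostname.lower().lstrip("*.").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else hostname.lower()

def tag_brand(hostname):
    """Return the brand a lookalike hostname imitates, or None for allowlisted/benign names."""
    domain = registrable_domain(hostname)
    if domain in ALLOWLIST:
        return None
    label = normalize(domain.split(".")[0])
    for keyword, brand in BRANDS.items():
        # Containment catches "secure-examplebank"; distance <= 2 catches transpositions
        # such as "examplebnak" (a short brand keyword would need a tighter threshold).
        if keyword in label or edit_distance(label, keyword) <= 2:
            return brand
    return None

def screen_feed(entries):
    """Map each suspicious feed entry to the brand it imitates; benign entries are dropped."""
    return {h: tag_brand(h) for h in entries if tag_brand(h)}
```

Running `screen_feed(NEWLY_REGISTERED + CT_LOG_HOSTNAMES)` tags four of the six entries to Example Bank and drops the legitimate domain and the unrelated registration.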
As for the response, the first action is to fraud cast the attack URL to major security and browser vendors so they may blacklist the phish. Next, if the phish attack URL is on a malicious domain, resolving the attack URL is managed at four levels: take down the phish page at the hosting site, have the name server provider revoke the DNS record, get the domain suspended by the registrar, and continue monitoring the domain for the next 120 days. If the phish was hosted on a compromised site or domain, the only possible resolution is to have the host take down the phish page and monitor it for the next 120 days.
Impersonation of the organization, product brand names, board and executive management, and mobile apps is very commonly used for various types of cyber attacks. Detecting any and all forms of such impersonation in real time means that various attacks are caught at an early stage. If left unresolved they may lead to financial and reputational damage. Our systems leverage the known digital footprint to identify all suspicious and malicious data points, which are first scored by machine: incidents with a high score are automatically tagged as malicious, while a lower score range is analyzed by a threat analyst to ensure quality of detection.
Information overload brings about anxiety and may hamper our ability to make the right decision at the right time. With the continuous flow of so much cyber attack news and intelligence, it makes sense to distinguish an alert specific to your organization, industry or region that requires urgent attention from alerts for others that may be just news for you. We strive to make that distinction on your behalf and provide you with the relevant alerts, news and, where applicable, our own research reports.