Investing in research: Taking security posture to the next level

We were challenged to quantify the real-world impact of a self-propagating worm-based ransomware attack like NotPetya, and help one customer to understand how its security investment could better deliver the intended resilience against such threats.

Working closely with the customer and bringing innovative technical expertise from across the Company together, we created EternalGlue – a safe, controllable and self-propagating malware simulator that could test an organisation's resilience against malware attacks in a live environment.

What we did

We reverse engineered NotPetya to create from scratch a new worm with clean exploits, a benign payload, detailed suicide logic, kill switches and telemetry information.

We launched this into our client's network, enabling them to run several scenarios from six user accounts.

When we triggered the kill switch at the end of the test a couple of hours later, our EternalGlue worm had safely infected a significant number of the client's hosts, using lateral movement vectors, including token impersonation and unpatched systems.

The results

The EternalGlue test identified a number of improvements in the customer's Windows Active Directory, which improved resilience against similar propagation attempts.

Most importantly, the results gave the customer's CISO and Board a unique, evidence-based insight into their security posture, and how they could materially improve their resilience by investing in the right areas.

This is a great example of challenging ourselves to create innovative cyber solutions through expert research putting our customers at the heart of everything we do.

Innovative solutions: A new perspective breeds better detection

Cyber is a 24/7 threat, making round-the-clock detection an essential component of any organisation's security strategy. By maintaining a holistic, 360-degree view of your business, you significantly improve your chances of detecting and responding to cyber-attacks before they can cause damage.

Our Security Operations Centre (SOC) keeps watch for our clients every minute of every day, combining world-leading technologies and expert analysis to deliver a comprehensive Managed Detection and Response service.

At the heart of this service is a commitment to providing a greater quality of detection to our clients that goes beyond recognised user case alerts.

We challenged ourselves to create a solution that could understand attacker behaviours and tradecraft in real-time, to enhance detection rates of real-world threats. The result was our Managed Detection Engine.

What we did

To create the best quality detection, we innovatively combined traditional techniques with our own leading threat detection services. We used our wealth of experience in thorough, research-based offensive attacks to improve the Engine's defensive ability and drive its detection rates up.

Drawing on our extensive threat intelligence network, we also created a constantly updated library of Cyber Threat Indicators with applied detection logic.

Every month, we collect and analyse billions of security events logged by our clients, and break these down to the few that matter to the organisations we work with.

We used the intelligence garnered from this practice to create a real-time library of reports on alert investigations and findings, using the recognised MITRE ATT&CK framework to classify detected attack tactics, techniques and procedures. We also used the MITRE framework to correlate detected activity to drive false positive rates down.

All of this data is fed into our Managed Detection Engine and interrogated in real-time, enabling us to identify the malicious and anomalous activity as it happens and work with our customers to mitigate risk more efficiently.

The results

By bringing together external content such as the MITRE ATT&CK framework and our own offensive threat hunting, intelligence framework, insights and more, the Managed Detection Engine has already improved detection rates, enhanced the quality of findings and reduced false positive rates for many of the customers we work with.

Importantly, this approach enabled us to apply our deep offensive expertise to improve our ability to defend our clients from real-world cyber-attacks.

Collaboration: giving businesses technology to thrive

Visibility is crucial when it comes to any comprehensive and robust security strategy. This means mapping out an IT estate and establishing where any potential risks lie – providing businesses with a clear understanding of any changes that need to be made, or any security issues that need to be addressed.

Security logging is an important part of this process. It is widely acknowledged across the industry that gathering and logging information on any installations and user behaviour across a system is an important practice that can help organisations to identify any potential risks, as well as ensuring compliance with a range of security standards.

However, knowing where to start can often be a challenge – particularly for small enterprises, or those that don't have large amounts of money to invest in a complex monitoring solution.

Simplicity is key

We've collaborated with the UK's National Cyber Security Centre (NCSC) and the Cabinet Office on the 'Logging Made Easy' project, building the guidance, scripts and tutorials needed to enable organisations to deploy an effective, scalable logging solution.

Built using open source and freely available software, the solution is based on tried and tested architectural design methods and best practice from real-life cyber investigations, enabling businesses to understand their IT estate in more detail.

Logging information across an IT estate, including user details, uninstalled software updates, and administrative privileges, can help organisations to monitor their systems and detect attacks quickly, as well as improving access to information for reporting purposes.

Building a strong cyber security strategy should be a priority for all businesses, regardless of size or sector. It's up to government and industry to work together to help businesses that may not have the resources to source their own incident investigation and protective monitoring tools. Making the monitoring process more simple for these companies is just one way to help work towards a safer society.