Detection and Response

Cyber Detection & Response Assessment (DARA)

Detection and response – The days when threats could be contained at the perimeter are long gone. Given the pervasive nature of mobile, cloud and social media, it is now far more difficult for an organisation to have absolute confidence that its data is secure.

Looking to conduct Detection and Response Assessments (DARA)?

Many organisations have built assurance programs into their cyber security assessment strategy. As part of these exercises, it is usual for organisations to conduct penetration testing and risk assessments against preventative controls that are technical in nature. For instance, servers, routers, firewalls and web applications might all be assessed as part of a technically focused assurance exercise.

Instead of focusing purely on defensive technical assurance, Nettitude urges organisations to think differently about their cyber security posture and assume that malicious threat actors will eventually gain access to their data. When an organisation takes this approach, its focus evolves into delivering assurance around detection and response controls in addition to assuring defensive technology controls. This approach allows an organisation to measure its effectiveness at detecting and responding to many types of malicious threat actor. It provides assurance around logging, intrusion detection systems, SIEM, Security Operation Centres (SOCs) and incident escalation procedures, and gives an organisation visibility of whether it can truly detect known threat actors' Tactics, Techniques and Procedures (TTPs).

Nettitude has a strong understanding of the cyber threat landscape. Not all threat actors will deliver the same types of attacks, and similarly, their levels of sophistication will vary significantly.

Through Nettitude’s technical threat intelligence gathering network, we gather real data on attackers’ Tactics, Techniques and Procedures (TTPs). As a consequence, we have first-hand visibility of what their behaviour looks like and what types of attack indicators they generate.

Nettitude is able to simulate these types of events through the generation of benign attack traffic. Some of the types of TTPs and attack indicators that are used include:

Passive and active reconnaissance activity

Web based attacks, with known TTPs

Social engineering and spear phishing attacks, with pre-determined malware and implants

Infrastructure pivoting

Creation of services and accounts in key assets

Techniques used to build attack persistence

Detection of beaconing, command and control and data exfiltration traffic

Ability to differentiate traffic generated from different geographies, and TOR exit nodes

Ability to correlate multiple events across assets and geographies

Ability to forensically contain an incident

By identifying key threat actors and generating activities, events and traffic consistent with those attackers' TTPs, Nettitude is able to build a highly customised assurance program. This approach helps an organisation measure its detection and response capabilities. Where key events, activities or traffic patterns remain undetected, Nettitude provides pragmatic advice and guidance on how to bridge the gaps.

After a Detection and Response Assessment (DARA) you will receive a point-in-time measurement of your technical cyber attack detection capability. This provides a graded comparison against your industry and other similarly sized organisations. Nettitude can use this measurement, in conjunction with your cyber security goals, to build a robust detection and response strategy.

Key elements of DARA

Review of technical security controls at the perimeter

Review of layered technical security inside the network

Review of core systems device monitoring

Review of end user device monitoring

Review of network traffic flows

Review of IDS, logging and SIEM capability

Review of ability to detect C&C, beaconing and data exfiltration to multiple external threat containers

Review of spear phishing awareness and user awareness training

Categorisation of the organisation into a threat profile container

Point in time measurement of detection and response capability

Optional strategic guidance on how to bridge the gaps and improve against the industry norm

Senior management/ board level presentation of results

Key benefits of DARA

Understand whether you can detect threat actor TTPs

Determine if you have blind spots, and if so, where they are

Measure the effectiveness of Security Awareness training and Incident Escalation procedures

Determine what elements should be included in an incident response plan

Build a framework for enhancing and maturing your detection and incident response capability

More easily achieve compliance against cyber security frameworks

Reduce the likelihood of a breach going undetected


Nettitude detection & response analysis with IRMAs

Nettitude delivers this service through two different types of IRMA assessments.
