Cyber-attacks are becoming more and more frequent. Recent events in Eastern Europe have forced governments and businesses into a heightened state of cyber security awareness.
With years of experience across several technology vendors, RiverSafe are helping customers protect their vital business assets from security breaches.
Our consultants are developing and implementing cyber security use cases, configuring technology expertly to protect organisations against specific threats. They are experts in Threat Intelligence, improving threat intelligence capabilities, increasing threat intelligence feeds and integrating technology across vendors. They bring long-term Threat Hunting capabilities by customising existing security environments.
Use Case Development
Although use cases originate in software development, they were adopted by security teams during the rise of SIEM technologies. A use case can be a Rule, Report, Alert or Dashboard that solves a defined set of needs and requirements.
Here are the stages involved in Use Case Development:
The first stage is the “Objective”, also referred to as the “Requirements” phase. It may have the following high-level requirements and is unique to every company:
Once the objective is finalised, the next stage is the “Threat” phase. This records what is necessary for defence, together with the background to why the use case is being created.
Once the threat is finalised, we sit down with the “Stakeholders”, who in this case are not necessarily the system owners but the analysts involved in detecting threats and responding to incidents.
The next step is gathering the “Data Requirements” needed to implement this Use Case. This could be log data, configuration data, alert data, flows, metrics and more from IT systems.
The collected data then goes through the data quality verification stage before use.
Often a data source is present, but the specific fields required to trigger the use case are not available. If this occurs it is rectified before proceeding with the Use Case development.
Post validation, the “Logic” is defined. The Logic is unique to the environment and needs to be identified accordingly. It can be either signature based or behaviour based, and it can be restricted to certain subsets of data (based on the event sources above) or expanded to be more generic.
The following stage is “Testing”, where we configure the SIEM to do what it does best – Correlation and Alerting. During implementation the desired output is also defined, and it can be one of the following:
- Real Time Notification
- Historical Notification
Once implementation is complete, the “Case Response and Priority” is defined. This provides procedural guidance to SOC analysts and helps make the Use Case operational.
Finally, the Use Case “Output” is how the use case is presented. This can be a Rule, Report, Alert or Dashboard.
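To make the stages concrete, here is one use case walked through them end to end as an added example (Python, not RiverSafe's own tooling). The use case definition, sample authentication events, field names and the failure threshold are all constructed assumptions:

```python
# Added example: a minimal SIEM use case run through the stages above.
# The events below are constructed sample data; the field names and the
# behaviour threshold are assumptions, not values from any real environment.
from collections import Counter

# Constructed sample authentication events. The third one is missing the
# 'user' field, which the data quality verification stage must catch.
EVENTS = [
    {"src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"src_ip": "10.0.0.5", "user": "alice", "outcome": "failure"},
    {"src_ip": "10.0.0.5", "outcome": "failure"},
    {"src_ip": "10.0.0.5", "user": "bob", "outcome": "failure"},
    {"src_ip": "10.0.0.9", "user": "root", "outcome": "failure"},
    {"src_ip": "10.0.0.7", "user": "carol", "outcome": "success"},
]

# One use case definition, one field per stage of the process.
USE_CASE = {
    "objective": "Detect password guessing against the VPN gateway",  # Objective
    "threat": "Credential brute force from a single source",           # Threat
    "stakeholders": ["SOC tier 1", "SOC tier 2"],                      # Stakeholders
    "data_requirements": ["src_ip", "user", "outcome"],                # Data Requirements
    "response": "Block source IP, notify identity team",               # Case Response
    "priority": "high",                                                # Priority
    "output": "Alert",                                                 # Output
}

def verify_data_quality(events, required):
    """Data quality verification: keep only events carrying every required field."""
    good = [e for e in events if all(f in e for f in required)]
    return good, len(events) - len(good)

def signature_logic(event):
    """Signature-based logic: a single known-bad pattern (failed login as root)."""
    return event["outcome"] == "failure" and event["user"] == "root"

def behaviour_logic(events, threshold=3):
    """Behaviour-based logic: sources with at least `threshold` failures in the window."""
    fails = Counter(e["src_ip"] for e in events if e["outcome"] == "failure")
    return {ip: n for ip, n in fails.items() if n >= threshold}

def run_use_case(events, use_case):
    """Apply the stages in order and return the alert output handed to the analyst."""
    clean, dropped = verify_data_quality(events, use_case["data_requirements"])
    return {
        "output": use_case["output"],
        "priority": use_case["priority"],
        "response": use_case["response"],
        "dropped_events": dropped,                               # quality problems to fix
        "behaviour_hits": behaviour_logic(clean),
        "signature_hits": [e for e in clean if signature_logic(e)],
    }
```

The dropped-event count is the signal from the data quality stage: a non-zero value means the data source exists but some records lack a field the logic depends on, which the page says must be rectified before the use case goes live.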
Threat Intelligence is essential to monitor your external attack surface, assess emerging risks, and deliver timely, actionable intelligence specific to your organisation and your supply chain. Through phishing, fraudulent websites and multi-vector attacks, well-financed, agile threat actors outside your organisation are busy developing detailed, pre-planned attacks that generally go unnoticed by traditional security measures. Most such attacks are zero-day, exploiting a vulnerability discovered on the same day.
Understanding the threat landscape is really important; it helps customers make better risk-based decisions. Here at RiverSafe we follow the methodology below.
Two critical points in any threat intelligence
- Enrichment – Enrich your alerts with external threat intelligence. This informs investigations, identifies attacker infrastructure, and helps prioritise the threats that put your business at the greatest risk while eliminating those that do not.
- Open Source Threat Intelligence – Generally open source threat intelligence is derived from data and information that is available to the general public. Use open source intelligence techniques to identify past, present and future attacks.
If your SOC team has reached the point where they are comfortable with alerts and incidents, and you want to reach the next level of SOC maturity, we provide training, best practices and expertise in Threat Hunting techniques to enable your team in that capability.
We follow the Sqrrl Threat Hunting model as well as the NIST incident handling standard, which ensures that you follow the steps necessary to equip your team with what is needed to perform structured Threat Hunting and react to incidents accordingly.
Outcome of the service
Our experts partner with your team, starting from your team's current state and knowledge. This helps us identify your team's strengths and gaps across the Threat Hunting maturity levels.
Following this we prepare a plan in which we agree together on the objectives and results you want to achieve.
During the service we train the analysts in hunting techniques and teach them the mentality of a hunter. We draft weekly hunts over a set period to cover the whole scope of the Attack Chain.
Benefits of the service
RiverSafe use the most valued Threat Hunting framework in the industry, so you can be sure that everything is covered. By the end of our services you will have a team that can autonomously perform weekly hunts and test new data feeds and techniques. They will be armed with the tools required to bring your team to the final maturity level of a SOC.