Detection and Compromise Assessment
Assess your Detection Architecture, Capabilities and Maturity Level
IT Minister performs an independent assessment of the current maturity level of detection architecture and detective capabilities in your organization. The assessment gives management and technical stakeholders an overview of the overall maturity level compared to industry best practices.
Detection Assessment Method
We analyse your current detection capabilities based on our extensive experience from both the defensive and the offensive side as well as industry best practices. We cover topics ranging from logging prerequisites, log collection, logging architecture, and governance to actual implemented detections/use cases.
Our assessment is based on information collected on an initial workshop with your key stakeholders as well as information exported from the SIEM tool, topology drawings,etc.
We use the CMMI Institute 5 Levels of Capability and Performance framework to measure the maturity level of the NIST Cybersecurity Framework detection categories (DE.AE - Detect Anomalies and Events, Detect Security Continuous Monitoring DE.CM and Detect Detection Processes DE.DP).
If detections are already in place, we will map them to MITRE ATT&CK framework.
Dection Assessment Involvement:
- The delivery requires minimal involvement of your technical staff. For the initial workshop, the detection service owner as well as a few technical resources are required.
Dection Assessment Value:
- Do you have a security log collection strategy that match current threat landscape?
- Do you have a resilient logging architecture?
- If having already implemented some detections/use cases, are they adequate?
- Do you have the necessary internal resources allocated?
Dection Assessment Product - A Written Report Containing:
A non-technical section with an Executive Summary for management and decision makers to help in their strategic planning, budgeting and prioritization.
A technical section covering:
- Log collection strategy and governance
- Suggestive improvements to logging architecture
- Recommended changes to your infrastructure to provide better visibility for detections
- If some detections/use cases are already in place, which techniques/phases of the MITRE ATT&CK framework are in scope and how do these match current threat landscape?
All technical sections will have suggestions for improvements, if applicable.
Design, Implement and Operate a SOC/SIEM Solution According to Industry Best-Practice
Whether you are just starting your log collection journey, looking to implement a SIEM solution, or considering if you should create a fully-fledged Security Operations Centre (SOC), IT Minister provides independent advice to guide you through the process.
Build Excellent Dection Method
We analyze and advise based on our extensive experience from both the defensive and the offensive side as well as industry best practices.
We utilize components from frameworks such as MITRE ATT&CK, CMMI Maturity Levels as well as recommendations from the National Cyber Security Centre, National Security Agency (NSA) and NIST.
Build Excellent Dection Involvement:
- The delivery requires minimal involvement of your technical staff. For the initial workshop, the detection service owner as well as a few technical resources are required.
Build Excellent Dection Value:
This service will help you plan your journey and find the answers to questions like:
- Where to begin?
- What is the roadmap to excellence?
- How can I avoid the common pitfalls on the way?
- How many resources are needed?
- Should we look for a managed service, or do we have the ability to design, implement and operate our own solution?
Build Excellent Dection Product
We run a workshop to discuss log collection best practices, SIEMs and the components of a Security Operation Center (SOC). The goal of the workshop is to give you an understanding of what it requires to implement and successfully operate a SIEM/SOC. We will cover three areas:
- People: How many people are required and what kind of skills and profiles should they have?
- Processes: Which processes are required? And which processes should you prioritize during the implementation?
- Technology: Which tools do you need? Cloud or on-premises? COTS (Commercial off-the-shelf) or Open Source? Integration to other components?
We will tailor the workshop to focus on SIEM, SOC or both, depending on your requirements.
The notes from the workshop can be used as a high-level plan for how you should proceed after the workshop - what you should do next.
Identify Adversaries and Malware that have Established Persistence in your Environment
IT Minister threat hunting team looks for malware and successful intrusions in your Windows environment. We focus on the persistence phase of the cyber kill chain and take advantage of the fact that modern adversaries and malware typically establish a persistent foothold once they have breached a target infrastructure. This leaves traces in the environment, which our hunt team seek to uncover.
Compromised Method
Using a deployed agent on the Windows hosts, we extract a selection of artifacts to conduct an analysis looking for indicators of compromise as well as abnormalities using statistical analysis.
The persistence techniques we hunt for include the following:
MITRE ATT&CK Technique ID & Descriptions
- 1053: Scheduled Tasks/Jobs
- 1137: Office Applications
- 1197: BITS Jobs
- 1546: Event Triggered Executions
- 1547: Boot or Logon Autostart Executions
These are just a few to list but we go much further with hunting if required. See the full Techniques Here
Compromise Assessment Involvement:
- We will provide an agent, which should be deployed on the Windows and Linux hosts within the scope of the delivery. Unless there are exiting capabilities within the environment.
Compromise Assessment Value :
- Have adversaries established persistence within your Windows environment?
- Are there back doors in your Windows environment undetected by your SOC team?
Compromise Assessment Product - A Written Report Containing:
A non-technical section with an Executive Summary for management and decision makers to help in their strategic planning, budgeting and prioritization.
A technical section covering:
- A technical section describing our findings, which you can hand over to your incident response team
Get in touch to learn more in detail about how we can support your cyber requirements.