CERT / CSIRT
REDTEAM.PL CERT (RFC 2350) is a member of Trusted Introducer, the international organization that brings together recognized incident response teams. REDTEAM.PL is also listed on the official website of the European Network and Information Security Agency (ENISA) as a Polish incident response team (CERT / CSIRT).
Our competence in digital forensics and incident response is reflected in a recognized scientific publication, “Practical computer forensics analysis” (2017), published by Polish Scientific Publishers PWN. Adam Ziaja, leader of the third SOC line, is a co-author of several European Network and Information Security Agency (ENISA) documents for CERT / CSIRT teams published in 2013-2014, covering computer forensics, threat hunting and threat intelligence among other topics.
We know how cybercriminals exploit vulnerabilities because for over a decade we have been conducting authorized whitehat attack simulations in the form of penetration tests and red teaming, aimed at finding the weakest points in the organization – just like real attackers do.
Thanks to this combination of offensive and defensive competence, we are able to offer high-quality cybersecurity services.
Threat hunting & threat intelligence
Threat hunting and threat intelligence are subjects we have been dealing with for over a decade. We have technical competence and a track record in proactive threat hunting as well as advanced incident response, including cases involving world-class APT (Advanced Persistent Threat) groups.
In 2019, the REDTEAM.PL research team revealed the global badWPAD attack, which affected millions of computers around the world. Our research was noted by the SANS Institute and we received thanks from national incident response teams, including those of Poland (CERT Polska), Estonia (CERT-EE) and Latvia (CERT-LV). In 2020, we described the TTPs (Tactics, Techniques, and Procedures) and IOCs of advanced APT attacks that we identified and analyzed, including those of the cybercriminal groups Sodinokibi / REvil and Black Kingdom. Our work led to extensive cooperation with international law enforcement agencies (also in the role of IT Expert Witness).
We are able not only to analyze 0-day vulnerabilities (software weaknesses for which no security patches exist yet) but also to identify them. At the turn of 2019/2020 alone, we received numerous thanks from Google and a total award of $68,000 for vulnerabilities in the Chrome browser that we identified and responsibly reported. In addition, a vulnerability found by our researcher in Apple Safari for macOS/iOS was covered by the world's media, including Forbes magazine, and we were again noted by the SANS Institute – this time for offensive research. We also have a number of acknowledgments on the official websites of entities to which we have responsibly reported security vulnerabilities over many years, including Adobe (2014), Apple (2012), BlackBerry (2012), Deutsche Telekom, Google (2013), Harvard University, Netflix (2013), Nokia (2013), Reddit, SoundCloud and Yandex (2013). We are a team of IT security experts who have been successfully dealing with the technical aspects of cybersecurity for many years.
Network threats detection
Typical products for detecting network attacks monitor communication and rely on hundreds of predefined detection rules. The main disadvantage of this approach is that most of the alerts reported are not understood. Numerous alerts appear regardless of whether an attack is actually taking place. As a result, despite security systems being in place, an attack often goes unnoticed because it is not identified in the maze of hundreds of warnings that appear constantly in a production environment.
During attacks, hackers use native mechanisms of the Windows environment to obtain credentials. Antivirus software does not detect an attacker who logs in as a legitimate user, because antivirus detection analyzes the behaviour of software, not of users. Cybercriminals take advantage of this: instead of attacking vulnerable software, which would very likely be detected by EDR (Endpoint Detection and Response) or SOAR (Security Orchestration, Automation, and Response) systems, they abuse standard mechanisms of the Windows environment. Such attacks are not detected by software installed on client stations because they are carried out at the level of the internal network, between stations in the Windows domain. In this way, APT (Advanced Persistent Threat) groups are able to gain access to data even though the organization has various security mechanisms deployed on its workstations.
The REDTEAM.PL approach to threat hunting, implemented in the RedEye solution, is based on knowledge of the attack techniques (TTPs) and tools used by advanced adversaries. It is the only solution that can detect advanced attacks against the Windows environment and Active Directory (AD) without the need for an agent. Thanks to our understanding of both the offensive and defensive sides, RedEye implements rules that detect attacks not identified by EDR software. RedEye therefore complements antivirus and related solutions.
- Threat hunting using DNS firewalls and data enrichment – How to build a DNS firewall engine.
- Internal domain name collision – How to collide an internal DNS domain.
- Sodinokibi / REvil / Maze ransomware (TTPs & IOC) – We managed to secure and analyze the servers used in APT attacks.
- DNS for red team purposes – How to use DNS during attacks.
- Deceiving blue teams using anti-forensic techniques – How a blue team can be deceived.
- Bypassing LLMNR/NBT-NS honeypot – How to bypass a honeypot recommended by MITRE ATT&CK.
We combine expertise in both attack and defense, and our cybersecurity research is widely recognized around the world.
The most important aspect of the SOC / CERT service is the competence of the technical team, because it is the level of knowledge of the specialists that determines the cybersecurity of the organization. The so-called pyramid of pain, recognised worldwide, identifies which competence is the most difficult to obtain in terms of both threat hunting and incident response. The top of the pyramid holds the least accessible and most desirable knowledge: how cybercriminals operate (TTPs) and what tools they use – knowledge that the REDTEAM.PL team more than covers. Knowledge of system artifacts, in turn, comes directly from real experience in computer forensics and from serving as court experts – in both the ForSec and REDTEAM.PL teams. Furthermore, ForSec has the largest digital forensics laboratory in Poland, where dozens of investigative analyses, including expert opinions, are carried out each month. Knowledge of network artifacts comes directly from REDTEAM.PL's development of the IDS / NIDS (Network Intrusion Detection System) software RedEye, which uniquely detects attacks carried out in the local network. Information on malicious domains, IP addresses and hashes (IOCs) is provided by our CTI (Cyber Threat Intelligence) system, which receives data in cooperation with other international incident response teams. We are the only SOC team in Poland made up of both computer forensics and offensive cybersecurity experts.
ForSec has the largest digital forensics laboratory in Poland, in which we handle several dozen cases per month. The laboratory is equipped with professional, certified software (including FTK Forensic Toolkit and X-Ways Forensics) and computer forensics hardware (including hardware write blockers, Logicube disk duplicators and Cellebrite products), allowing evidence from multiple digital media to be properly secured and analyzed simultaneously. The laboratory's field team secures digital evidence (binary copies) throughout Poland 24/7, and is able to secure evidence in up to five locations simultaneously. For many years we have also been providing training in computer forensics and hacking techniques.
A hacker breach? A cybercriminal attack? A dishonest employee acting to damage the company? A personal data breach? We act as court experts and have over a dozen years of experience. Every day we help organizations to effectively counter cyber attacks. We deal with traces of activity, forensic analysis, incident analysis, and the analysis of logs, events and RAM.
In the event of an incident, the most important thing is to properly secure the traces. We do not recommend that evidence be secured by individuals not qualified in computer forensics. Improper attempts to secure data lead to the overwriting of potentially important information and compromise the integrity of the evidence. Properly securing digital traces allows an in-depth analysis of the incident and makes it possible to determine the details of how it happened and what operations the attacker performed. If the evidence is not properly secured, system artifacts become obliterated over time – even if the user does not operate the machine and the system is simply left running. On the other hand, turning off the computer without first properly preserving it leads to the irretrievable loss of volatile data held in the operating system's memory, which may contain information important for the incident analysis.
Our evidence is secured by people who act as IT Expert Witnesses on a daily basis, and analyzed using specialized equipment and software combined with the highest competence in computer forensics and incident response. We have the largest digital forensics laboratory in Poland, which analyzes dozens of cases each month for both law enforcement agencies and private organizations. Throughout Poland and beyond, we are able to physically secure digital evidence by making proper binary copies with specialized equipment that guarantees the integrity of the evidence.
IT environment monitoring
Nowadays, digital security is the basis for the functioning of virtually every company, and so reaction speed is the most important thing. In our SOC, we use dynamic defence technologies to detect new, never-before-seen types of threats (unique samples used in targeted attacks). Each new sample is automatically analyzed in a sandbox that simulates user behavior in order to defeat the evasion techniques malware uses to avoid detection.
RedEye is our IDS / NIDS (Network Intrusion Detection System) software with a number of unique detection rules, prepared on the basis of many years of experience in both offensive and defensive cybersecurity. RedEye makes it possible to detect the initial phases of an attack in an organization's local network before it escalates, as well as information leaks and attempts to cover the tracks of a breach. Our solution detects attacks and activities that are not detected by any antivirus software or endpoint protection / EDR. We offer RedEye together with constant monitoring of the IT environment in the form of SOC outsourcing.
If the Client has already implemented a SIEM solution, we will use it in our work (with particular emphasis on Splunk and ELK). However, if the Client does not have a SIEM system, we will implement it as part of the SOC service.
We also provide services such as: security testing (penetration testing), application security, cloud security assessments, vulnerability scans and vulnerability management as well as DLP.
We are focused not only on detecting external threats (e.g. economic espionage / industrial espionage) but also on internal intruders (e.g. a rogue employee).
SOC / CERT third line leader and REDTEAM.PL cybersecurity expert. He has extensive technical competence in both the defensive and offensive aspects of cybersecurity. He is the author of the book “Practical computer forensics analysis” and co-author of many ENISA publications. He holds recognized technical cybersecurity certifications: Offensive Security Certified Professional (OSCP) – since 2015, Offensive Security Wireless Professional (OSWP), eLearnSecurity Web Application Penetration Tester (eWPT) and the X-Ways Forensics certificate. He is an IT Expert Witness at the District Court in Warsaw.
Leader of the first and second SOC lines and ForSec computer forensics expert. For over 15 years he has been professionally involved in forensic IT and digital evidence analysis. He is an author of training courses in computer forensics and hacking. He holds recognized technical certifications in cybersecurity and computer forensics: EC-Council Certified Ethical Hacker (CEH), Cellebrite Certified Physical Analyst (CCPA), Cellebrite Certified Logical Operator (CCLO) and the X-Ways Forensics certificate. He is an IT Expert Witness at the District Court in Katowice.