RedEye

Threat hunting

RedEye is our proprietary IDS / NIDS software used to deliver the threat hunting service. It enables detection of attack symptoms that other software (e.g. AV or EDR) does not identify. It requires neither agent installation nor additional permissions, only a connection to the internal organization network (LAN).

Threat hunting, proactive detection of cyber attacks

When creating RedEye, we drew on our extensive experience and designed mechanisms that are extremely difficult for an attacker to bypass. When designing the detection variants, we thought like advanced attackers, looking for ways an adversary could detect the presence of an IDS and bypass its intrusion detection mechanisms.

The Pyramid of Pain

When searching for threats we focus on the tip of the widely recognized Pyramid of Pain, which covers how attackers operate (their tactics, techniques and procedures, TTPs) and what tools they use. This is the information most in demand in threat hunting, i.e. the proactive search for threats. We built this knowledge into RedEye from the start, creating a solution unique on the market for monitoring potential threats related to unusual behaviour in the network and for detecting advanced APT (Advanced Persistent Threat) attacks.

Detection of cyber attacks

Typical products for detecting network attacks listen to communication and use hundreds of predefined rules for detection. The main disadvantage of such a solution is the lack of understanding of most of the alerts reported. Numerous alerts appear regardless of whether an attack is taking place or not. As a result, despite security systems being in place, an attack often goes unnoticed because it is lost in the maze of hundreds of warnings that constantly appear in a production environment.

Active attack detection is not about identifying every step made by an adversary, but about detecting the key stages of an attack, without which a successful attack is impossible. It is also important that warnings are raised only when an attack actually takes place and that the number of false alerts is as close to zero as possible. Otherwise, even if the system detects an attack, this information may be ignored.

Search for threats

RedEye software developed by REDTEAM.PL has a number of unique detection rules created on the basis of many years of experience in both offensive and defensive cybersecurity. This experience is backed by real achievements: leading technical positions in international companies, numerous certifications in technical cybersecurity, references from well-known entities, as well as scientific publications and recognized publicly available cybersecurity research. On a daily basis, REDTEAM.PL provides services such as penetration tests and simulations of real attack scenarios (red teaming). Practical knowledge of both carrying out attacks and of digital forensics and incident response allows us to create the best solutions for detecting them.

One example of a detected attack is badWPAD, which was carried out on a large scale and affected millions of computers around the world for 10 years. This attack was detected by REDTEAM.PL in May 2019, for which we received thanks from European national incident response teams, including CERT Polska, CERT Estonia and CERT Latvia. The study was also featured in the SANS Daily Network Security Podcast (Stormcast). Although the attack lasted many years, it had not been detected earlier by the tens of thousands of popular rules for analyzing network traffic security. In detecting adversaries, it is not the quantity that counts but the quality of the detection methods, which follows directly from the experience and broad technical competence of the RedEye team.
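The badWPAD case above rests on a well-known weakness of Web Proxy Auto-Discovery: a client that finds no wpad host in its own DNS suffix walks the name up the domain tree, and a lookup that reaches a public suffix can be answered by whoever registered that name. The page does not describe RedEye's detection method; the script below is an added, independent illustration (not REDTEAM.PL code) of one network-side check a defender can run over DNS query logs, flagging WPAD lookups that leave the organisation's own zones. The log format, client addresses and zone names are constructed for the example.

```python
"""Flag WPAD name lookups that leave the organisation's own DNS zones.

Assumed input: one DNS query per line, "<client-ip> <queried-name>", as a
resolver or NIDS might log it. Everything below is constructed sample data.
"""

# Constructed sample: two clients whose DNS search-list devolution walks the
# WPAD name up the domain tree, plus one unrelated lookup.
SAMPLE_LOG = """\
10.0.1.15 wpad.corp.example.com
10.0.1.15 wpad.example.com
10.0.1.15 wpad.com
10.0.1.22 wpad.lab.example.pl
10.0.1.22 wpad.example.pl
10.0.1.22 wpad.pl
10.0.1.30 www.example.org
"""

# Zones the organisation controls (assumed); WPAD lookups inside them are expected.
INTERNAL_SUFFIXES = ("corp.example.com", "example.pl")


def is_internal(qname, internal_suffixes):
    """True if qname sits inside one of the organisation's own zones."""
    return any(qname == s or qname.endswith("." + s) for s in internal_suffixes)


def classify(qname):
    """'top-level' when only one label follows 'wpad' (an attacker-registrable
    name such as wpad.<tld>, the badWPAD case), otherwise 'external'."""
    labels = qname.split(".")[1:]  # drop the leading 'wpad'
    return "top-level" if len(labels) == 1 else "external"


def find_wpad_leaks(log_text, internal_suffixes=INTERNAL_SUFFIXES):
    """Return (client, qname, severity) for every WPAD lookup outside our zones."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts[0], parts[1].rstrip(".").lower()
        if not qname.startswith("wpad."):
            continue
        if is_internal(qname, internal_suffixes):
            continue
        hits.append((client, qname, classify(qname)))
    return hits


if __name__ == "__main__":
    for client, qname, severity in find_wpad_leaks(SAMPLE_LOG):
        print(f"{severity:9s} {client} looked up {qname}")
```

A 'top-level' hit means the client asked the public DNS for a name the organisation does not own, which is exactly the request a badWPAD operator needs to see.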

Environment monitoring

The RedEye software, like threat hunting itself, is not a standalone product but a tool in the hands of a specialist. The threat hunting service carried out with RedEye requires that the team delivering the service has constant access to its data. RedEye is operated by the ForSec SOC team as part of the joint SOC-as-a-Service.

RedEye is more than a typical NIDS / IDS: our solution goes beyond similar software thanks to various types of detection of potentially harmful devices and software active in the internal network (LAN). Its capabilities also exceed those of classic IDS tools such as Snort, Suricata, Bro (Zeek) and similar mechanisms. Although the software is not an IPS, it actively responds to selected packets to rule out false positives.

RedEye Case Study (anti-anti-sandbox)

Every day, antivirus companies automatically execute suspicious software on a massive scale in sandboxed environments whose purpose is to detect malicious activity. To protect their malware against such automated detection environments, malware authors often implement anti-sandbox mechanisms, whose purpose is to determine whether the malware is running in a sandbox. If a sandbox is detected, the software does not activate and performs no malicious activity.

RedEye software implements a number of original ideas, one of which is the detection of anti-sandbox mechanisms combined with an attempt to deceive the malware into believing it is running in a sandbox environment. This approach makes it possible not only to detect an infected computer but also to block a ransomware attack, for example one that would encrypt data on disk: the malware does not activate, because its own anti-sandbox mechanism, designed to avoid detection by automated malware analysis environments, is triggered.

This is just one example of the unique detection methods implemented in RedEye. Due to trade secrets, we do not provide detailed information on other methods of detecting cyber threats.

Our approach

We provide a wide range of advanced technical cybersecurity services, both defensive and offensive. Thanks to our diverse experience across many IT security specializations, we bring a broader perspective to the delivery of each individual service. Our approach draws on many years of professional experience in the cybersecurity field and rests on three basic pillars: prevention, detection and response.

Penetration Testing

Prevention

Prevention by testing existing security measures and detecting weaknesses, security audits, vulnerability assessment, application security, penetration tests, cloud security reviews, social engineering and red teaming exercises.

Threat Hunting & Threat Intelligence

Detection

Proactive threat detection, threat intelligence and threat hunting using our proprietary RedEye solution and renowned endpoint protection software to effectively identify threats.

Digital Forensics & Incident Response

Response

Incident response, malware analysis and computer forensics, including securing evidence in accordance with standards. We have the status of an IT Expert Witness in Poland.

Copyright © 2017-2021 REDTEAM.PL All Rights Reserved