Detection of cyber attacks
Typical products for detecting network attacks listen for communication and use hundreds of predefined rules for detection. The main disadvantage of such solution is the lack of understanding of most of the alerts reported. Numerous alerts appear regardless of whether an attack is taking place or not. In this way, despite having security systems in place, an attack often goes unnoticed because it is not detected in the maze of hundreds of warnings that appear constantly in the production environment.
Active attack detection is not about identifying every step made by an adversary, but about detecting the key stages of an attack, without which the implementation of a successful attack is impossible. It is also important that warnings are displayed only when an attack actually takes place and the number of erroneous alerts should be as close as possible to zero. Otherwise, even if the system detects an attack, this information may be ignored.
Search for threats
RedEye software developed by REDTEAM.PL has a number of unique detection rules that have been created on the basis of many years of experience in both offensive and defensive cybersecurity. This experience is supported by real achievements such as working in leading technical positions in international companies, numerous certificates in the field of technical cybersecurity and references from well-known entities, as well as scientific publications and recognized publicly available research on cybersecurity. On a daily basis, REDTEAM.PL provides services such as penetration tests and simulations of real attack scenarios (red teaming). Having practical knowledge of both the implementation of attacks, as well as digital forensics and incident response allows you to create the best solutions for their detection.
One of the examples of detected attacks is badWPAD, the implementation of which on a large scale has affected millions of computers around the world for 10 years. This attack was detected by REDTEAM.PL in May 2019, for which we received thanks from the european national incident response teams, including CERT Polska, CERT Estonia and CERT Latvia. The study was also featured in the SANS Daily Network Security Podcast (Stormcast). Despite the attack that lasted many years, it could not be detected before using tens of thousands of popular rules for analyzing network traffic security. In detecting adversaries, it is not the quantity that counts, but the quality of the detection methods, which results directly from the experience and broad technical competence of the RedEye team.
The RedEye software, just like threat hunting, is not a standalone product, but only a tool for work in the hands of a specialist. The threat hunting service carried out with the use of RedEye tool requires constant access to its data by the team implementing the threat hunting service. RedEye is operated by the ForSec SOC team as part of the joint SOC-as-a-Service.
RedEye is more than a typical NIDS / IDS, our solution goes beyond similar software due to various types of detection of potentially harmful devices and software that is active in the internal network (LAN). Its operation also exceeds the capabilities of classic IDS types Snort, Suricata, Bro (Zeek) and similar mechanisms. Despite the fact that the software is not an IPS, it actively responds to selected packets to exclude the possibility of false-positive errors.
RedEye Case Study (anti-anti-sandbox)
Every day, antivirus companies automatically execute suspicious software on a massive scale in sandboxed environments, the purpose of which is to detect malicious activity. In order to protect itself against such automatic detection environments, malware authors often implement anti-sandbox mechanisms. The purpose of these mechanisms is to detect whether malware has run in a sandbox. If the sandbox is detected, the software will not be activated and will not perform any malicious activity.
RedEye software implements a number of original ideas, and one of them is the detection of anti-sandbox mechanisms and an attempt to deceive the malware that it was run in a sandbox environment. This approach allows not only to detect an infected computer, but also to block a ransomware attack, which may consist, for example, in encrypting data on the disk. Malware will not be activated as a result of the anti-sandbox mechanism, which is designed to avoid detection by automated malware analysis environments.
This is just one example of the unique detection methods implemented in RedEye. Due to trade secrets, we do not provide detailed information on other methods of detecting cyber threats.