The phia team has experience in threat hunting within large and complex environments such as IoT, ICS/SCADA, austere/hostile foreign travel, global deployments, and point of sale environments.
Our team leverages a structure to carry out scheduled threat hunts and the flexibility to execute ad-hoc hunts to address emerging threats and incident response. We focus on building repeatable hunt playbooks for threat actor techniques discovered through threat intelligence analysis, red teaming/penetration testing and incident response activities. Our method of tracking threat hunts – using industry frameworks (MITRE ATT&CK, NIST, Threat Box) – provides a visual representation of the team’s progress through actor tactics, techniques, and procedures (TTPs), while informing decision-makers about gaps in visibility and capabilities.
We work with clients to build mature cyber threat intelligence (CTI) programs, including the development of new threat intelligence frameworks, information sharing standards, and automated capabilities to detect and respond to emerging threats. At the strategic level, we provide executive leaders with a prioritized threat model that maps APTs’ intentions and capabilities to target their organization. Simultaneously, we work at the strategic level to inform engineers, project managers and business managers about best practices to mitigate threats across their programs. At the tactical level, our analysts leverage their history of past operations and contextualized threat information to conduct intrusion analysis, hunting for threat actors, and scoping large enterprises for high-fidelity indicators of compromise.
Our threat hunting methods aid our clients with:
- Detecting and eradicating previously undetected malware,
- Prioritizing vulnerability management efforts to close gaps identified in threat hunts,
- Increasing the organization’s visibility into critical areas of their network,
- and identifying and responding to high-risk systems
In a cybersecurity operations environment, it is critical for the team to be able to assess and investigate anomalous activities as “flagged” by a vast set of available tools. In an ideal scenario, analysts have access to a variety of network and endpoint data to validate the nature of intrusion activities and analyze threats.
From command-line kung fu to automated response leveraging Security Orchestration, Automation, and Response (SOAR) platforms, our team is experienced with correlating host and network events across multiple tools. We have worked with our clients to develop unique capabilities to correlate host events, network logs, and threat intelligence by leveraging integration and automation. This in turn decreases our analysts’ Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). We recognize that deploying “all the things” (i.e., tools and more tools) can lead to alert fatigue for the security operations analysts, so we focus on implementing risk-informed processes for triaging, enriching, and responding to network alerts. Our analysts provide support to detection and intrusion analysis in the following ways:
- Assess cyber threat intelligence reporting (e.g., indicators, observables, trends) and collaborate in the development of signatures, detection analytics, and active countermeasures.
- Recommend on development and deployment of detection and mitigation (countermeasure) strategies along with advisement on addressing capability gaps.
- Triage detection and countermeasure alerting by assessing the effectiveness of those mechanisms’ tuning to improve accuracy and precision.
- Perform analysis of network (pcap, netflow, network logs, etc.) and host (file, memory, logs, etc.) data as part of the incident response lifecycle.
- Develop analytics and visualization of data from network and host sources to inform analysis.
- Document key event details and analytic findings in threat intelligence platforms and incident management systems, thereby enhancing an organization’s future response capability.
We know that security incidents rarely follow established norms and plans
Because of this uncertainty, phia focuses on building agile incident response capabilities applying highly trained people and proven solutions. To prepare for the unexpected, we create flexible, trainable, and measurable processes that enable analysts to consider all aspects of a potential incident without getting lost in just one aspect of the activity. Our approach ensures that our clients have visibility into their teams’ successes and challenges with meaningful metrics and key performance indicators (KPIs), while analysts have effective playbooks critical to mission success.
In any incident response (IR) event, we work with the organization to identify the threat from available datasets (weblogs, device logs, pcap, alerts, system logs, etc.) and threat intelligence. Further, we help them to clearly communicate the scope and impact of the incident while coordinating across all the impacted teams to mitigate, respond, and recover from the activity. Where possible, details of the analysis are captured and rapidly shared with the relevant internal and external stakeholders. Once we’ve identified the threat, we can collaborate with various stakeholders to isolate the potential impacted resource (account, host, system, application) and adequately mitigate the threat. Based on the organizational priorities and business needs, phia can assist in determining the “what and when” of restoring operations. Our IR experience in supporting the government (fed/civ) and commercial space uniquely enables phia to assist in any complex IR and recovery engagement.
We recognize that cyber threats and adversaries continually evolve their toolsets (i.e., malware, code, and binaries) by adding sophistication to evade detection
Our experiences encompass analyzing a variety of malware families spanning the most significant cyber events and compromises of the last twenty years. We’ve aided our clients in conducting routine static and dynamic analysis using commercial and custom/GOTs tools. As part of this process, we aim to identify key attributes of the malware and provide insights to network defenders, incident responders, and threat hunters. In looking at a piece of malware, we apply a multitude of approaches to finding and documenting the correct answers (e.g., IOCs, detection string, heuristic):
- Reverse engineering (static and dynamic analysis for in-depth parsers, decryptors, C2 interdiction, or IR/hunt triage)
- Understanding exploitation techniques both common and new/0-day
- Tackling obfuscation
- Studying encryption methods
- Capturing C&C (C2) communication
- Assessing the potential “who” (i.e., attribution)
- Categorization/clustering in assessing how a particular malware can be related to other binaries
As the sophistication (anti-analysis or anti-debugging) of the malware dictates, phia can “break apart” malware to truly understand its capabilities. This unique ability, our insights and working knowledge gained through supporting large-scale and high-profile incidents are core to how we approach the most challenging malware analysis scenario.
The best intelligence and understanding will not stop an adversary until you act.
Mitigations can be tailored narrowly at a specific aspect of a threat, or they can be broad posture changes that will mitigate an entire category of threats. Some will be tactical actions taken during an active incident response engagement, while others will be incorporated in more considerable strategic efforts to evolve overall defensive posture. phia provides our clients with a range of options for countermeasures across all phases of the adversary lifecycle and all elements of an organization (from technical configurations to policy or cultural shifts). We help our clients assess and implement countermeasures that range from the simple to the complex and challenging. These are just a few of the considerations that phia experts take into account when developing mitigation plans or options for countermeasures:
- How effective will the action be in mitigating this threat or vulnerability? Does it fully address the current threat or only select aspects?
- How expensive, in time and resources, will this mitigation action be? Can the mitigation be fully applied in time for it to have the desired effect? Is the cost worth the benefit?
- What is the likelihood of unintended consequences (collateral damage) from this mitigation action? How “surgical” is this countermeasure? Will there be any negative impact on other mission or business functions?
- How resilient is this mitigation action? How resistant will it be to adversary TTP changes? Will this be trivial for the adversary to circumvent? What’s the longer-term return on investment (ROI) from this action?
Adversaries will adapt, new vulnerabilities will emerge, and threats will continue to change. phia stands ready to enable your security operations team to adapt with these changes.