Changing the game in MSS: an advanced cyber-command centre
11 February 2019
The notorious threat-actor Carbanak was on the offensive. It had sent a phishing email to a company’s reservation centre and tricked a reservation agent into executing the enclosed malware. The attacker was now moving laterally throughout the victim’s network, setting backdoors and targeting the corporation’s financial and payment card systems.
Suspecting that something was amiss, the company brought in Trustwave SpiderLabs®. The Trustwave team began investigating and recovered indicators of compromise showing that this was a new phishing attack vector completely unknown to the security community at that point.
Trustwave’s dark web specialists began combing the dark web to identify the source of the attack. At the same time, malware reverse-engineers set about analysing the malware recovered by the SpiderLabs Digital Forensics and Incident Response (DFIR) team, and the threat intelligence team integrated their findings into the Trustwave Intel Fusion Platform.
Armed with the intel, Trustwave SpiderLabs carried out threat-hunting across the global enterprise environment of its MSS clients, and was able to identify the point of entry and indicators of compromise, then recommended remedial actions needed to destroy Carbanak attackers on all their networks.
The scenario described above was an actual emergency which required an expert co-ordinated response – the kind of situation where the new Trustwave SpiderLabs Fusion Centre shines.
Assembling an elite force
Launched in September 2018, the Trustwave SpiderLabs Fusion Centre draws on these and other capabilities to power advanced managed security services for Trustwave, the cyber-security arm of Singtel. The facility is a cyber-security command centre that brings together cyber-security experts from different specialist fields such as computer forensics, malware reverse-engineering, data analytics, penetration testing, dark web research, threat intelligence, and threat hunting. This amalgamation of expertise in one location elevates the game in the MSS space by enabling rapid investigation, analysis and distribution of brand-new threat intelligence to the wider community of Trustwave’s enterprise clients.
“The realisation is that organisations today are under constant attack and require the ability to take swift action when facing certain compromise,” said Chris Schueler, senior vice president of managed security services at Trustwave. “The quantum leap of actionable threat intelligence achieved through Trustwave SpiderLabs Fusion Centre levels the playing field against cyber-criminals employing incredibly sophisticated means to breach networks and remain undetected.”
The 6,000ft2 facility serves as the global central hub for Trustwave’s global network of advanced security operation centres (ASOCs), which identify, track, and collect cyber-security threat intelligence while serving as the MSS delivery framework for businesses across the globe.
“The combination of the Trustwave SpiderLabs Fusion Centre and our global ASOC network is a game-changer that enhances an organisation’s security posture,” said Schueler. “We help enterprises minimise the time it takes to detect, address threats and eliminate attacks that are already in progress anywhere inside their environment, swiftly closing down the window of opportunity for attackers.”
A proprietary POD
The Trustwave SpiderLabs Fusion Centre operates as command and control for a proprietary point of delivery (POD) system that delivers actionable customer-centric threat intelligence. Trustwave security experts are grouped around specific customers, enabling them to build up intricate knowledge of the clients’ environments and response playbooks for any given threat situation.
The PODs make use of a three-tier threat model that includes:
- Continuous and proactive threat hunting:Trustwave’s threat hunters are adept at building a cohesive threat taxonomy which plots known attackers against the client’s industry and business. Using a combination of Trustwave’s threat intelligence, big data analytics and machine learning, they are able to identify and monitor anomalous activities for indicators of compromise, and initiate action when threats are detected.
- Advanced response and containment:when a threat is escalated, incident responders move quickly to conduct deeper technical analysis into malware signatures, payload delivery methods and threat trend correlation for threat containment and breach triage. Incident responders take action to identify threats anywhere in the client’s environment before the threats have a chance to spread or do serious damage.
- Forensic investigations and reverse engineering:for the most sophisticated levels of investigation and response, some of the most progressive minds in security are called in to perform deep forensic investigation, reverse-engineer malware or track down the highly elusive advanced persistent threats.
Trustwave SpiderLabs Fusion Centre also serves as a premier education and training centre for security practitioners, from entry-level IT professionals to accomplished chief information security officers running large enterprise operations. Through on-premise and remote training modules taught by renowned security experts, participants learn cutting-edge techniques for detecting threats and defending networks and can acquire industry-recognised certifications and accreditation in penetration testing, data forensics, incident response and many other fields. Regular industry gatherings and think-tank events are also held to delve into the practical and theoretical applications of new technologies and their potential impact on the security landscape.
“Top security programmes are built by combining the right people, advanced processes with the best technologies. Our new centre ensures all three,” said Schueler.
Interested in attending one of our upcoming TechTalks that takes a deep dive into security capabilities that will benefit your business? Drop us a note here.
Download our case study, Fueling a Healthy Security Diet