WHAT IS CDS:30?
The CDS:30 assessment is a layered approach combining forensic network security monitoring with multiple threat detection engines on an onsite appliance that is monitored remotely by our security analysts. The output of the CDS:30 includes a comprehensive review, validation of security alerts, and threat hunting within the collected dataset.
Our expertise in network forensics is a key differentiator, as this level of assessment is typically only available to larger organisations because of the technical specialism and associated costs. These assessments are fixed engagements designed to technically assess an organisation's current security posture and overall resilience against cyber threats.
The CDS:30 assessment is a specialist assessment with layered security monitoring, to provide unparalleled visibility and actionable insight. The list below details some typical findings from recent assessments performed:
- External data exposure through unencrypted mail traffic (SMTP/POP3/IMAP).
- External credential exposure through plaintext and weakly encoded (for example Base64) passwords sent to external services.
- External data exfiltration via non-corporate approved cloud storage (Dropbox/Google Drive/OneDrive).
- Internet-exposed corporate and admin credentials through plaintext LDAP/AD authentication to/from external services.
- Compromised Mac/Windows/Android devices (both personal and corporate devices).
- Illegal downloads via Peer-to-Peer file sharing (BitTorrent).
- Detection of bloatware and potentially unwanted programs (PUPs, e.g. Lenovo Superfish).
- External data and credential exposure through unencrypted VoIP (SIP & RTP).
- External data exposure through misconfiguration of NAS storage replicating unencrypted data between corporate sites.
- External data exposure through unencrypted data sync to cloud platforms.
- Vulnerable and unsupported operating systems (XP/Vista/Win7/2003/2008).
- Vulnerable and unsupported software (Flash/Silverlight/QuickTime).
- Bypass of corporate security controls through unapproved remote-access software on user devices (TeamViewer/LogMeIn/GoToMyPC).
- Inappropriate business web browsing (Pornography/Gambling/Violence).
- Detection of vulnerable wired and wireless infrastructure devices that can be exploited to provide full network access.
- Detection of exposed “live” corporate credentials that can be used to remotely authenticate and access corporate remote access solutions.
- External open access to corporate CCTV systems.
- External credential exposure through unencrypted authentication to externally hosted websites.
WHAT DO WE ANALYSE?
- Network Traffic Assessment:
  - Implementation: Deployment of a network sensor for inspection of all inbound/outbound traffic.
  - Full packet capture: Forensic capture of all inbound/outbound network traffic.
  - Threat hunting: Granular manual forensic threat hunting.
  - Anomaly detection: Profiling of user and network activity to identify trends and anomalies.
  - Threat intelligence: Detection of communication with known-bad (blacklisted) hosts.
  - Intrusion detection: Threat detection using an IDS engine running commercial threat feeds.
  - Unsecured communications: Detection of unencrypted data in motion.
- External Exposure Assessment:
  - Dark/open web: Analysis and reporting of compromised assets and leaked credentials that can be leveraged to launch an attack against the organisation.
- Vulnerability Detection:
  - Asset discovery: Identification of internal/external networks, systems, applications and infrastructure.
  - Vulnerability assessment: Analysis of identified internal/external assets to detect weaknesses that can be leveraged by attackers to gain unauthorised access.
- Network Perimeter Assessment:
  - Application and web filtering: Technical assessment to measure existing network security controls against potentially unwanted communication.
  - Policy control: Technical assessment to measure the effectiveness of network security controls in enforcing the "acceptable use policy".
  - Threat prevention: Emulation of hacking techniques and tooling to measure the effectiveness of network security controls.
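The "unsecured communications" check and the plaintext mail/web credential findings listed above come down to inspecting reassembled client-to-server streams for authentication commands that carry secrets in the clear. The following is an added example, not ConnectDS tooling: it shows that detection logic over constructed flow payloads (synthetic, not real captures). The Flow class, the sample addresses and the masking format are assumptions of the example; in a real deployment the payloads would be reassembled TCP streams taken from the SPAN/tap capture.

```python
"""Detect credentials sent in clear text over common protocols.

Added example for this page, not ConnectDS tooling. The flows below are
constructed for the example; in practice they would be reassembled
client->server TCP streams from a SPAN/tap capture.
"""
import base64
import re
from dataclasses import dataclass


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # reassembled client -> server application data


# Line-oriented protocol commands that carry credentials in the clear.
USER_CMD = re.compile(rb"^USER (\S+)\r?$", re.M | re.I)            # POP3, FTP
PASS_CMD = re.compile(rb"^PASS (\S+)\r?$", re.M | re.I)            # POP3, FTP
IMAP_LOGIN = re.compile(rb"^\S+ LOGIN (\S+) (\S+)\r?$", re.M | re.I)  # unquoted args only
SMTP_AUTH_PLAIN = re.compile(rb"^AUTH PLAIN ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)
HTTP_BASIC = re.compile(rb"^Authorization: Basic ([A-Za-z0-9+/=]+)\r?$", re.M | re.I)
STARTTLS = re.compile(rb"^STARTTLS\r?$", re.M | re.I)


def mask(secret: bytes) -> str:
    """Keep only the first character so reports do not re-leak the password."""
    s = secret.decode("utf-8", "replace")
    return s[:1] + "*" * (len(s) - 1) if s else ""


def _b64(s: bytes) -> bytes:
    try:
        return base64.b64decode(s, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return b""


def find_plaintext_credentials(flow: Flow) -> list:
    """Return one finding per credential seen in the clear in this flow."""
    findings = []
    data = flow.payload
    # After STARTTLS the stream is ciphertext; only what precedes it is in the clear.
    m = STARTTLS.search(data)
    if m:
        data = data[:m.start()]

    def add(proto, user, secret):
        findings.append({"protocol": proto, "src": flow.src, "dst": flow.dst,
                         "port": flow.dport,
                         "username": user.decode("utf-8", "replace"),
                         "secret": mask(secret)})

    # POP3 / FTP: USER then PASS on separate lines; the port decides the label.
    user, pw = USER_CMD.search(data), PASS_CMD.search(data)
    if user and pw:
        add("FTP" if flow.dport == 21 else "POP3", user.group(1), pw.group(1))

    for m in IMAP_LOGIN.finditer(data):
        add("IMAP", m.group(1), m.group(2))

    for m in SMTP_AUTH_PLAIN.finditer(data):
        parts = _b64(m.group(1)).split(b"\0")  # authzid \0 authcid \0 password
        if len(parts) == 3:
            add("SMTP", parts[1], parts[2])

    for m in HTTP_BASIC.finditer(data):
        userpass = _b64(m.group(1))  # "user:password"
        if b":" in userpass:
            u, p = userpass.split(b":", 1)
            add("HTTP", u, p)
    return findings


# Constructed sample flows (documentation addresses, not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.1.23", "203.0.113.10", 110,
         b"USER alice@example.net\r\nPASS Winter2020!\r\nSTAT\r\n"),
    Flow("10.0.1.23", "203.0.113.20", 143,
         b"a001 LOGIN bob@example.net hunter2\r\na002 SELECT INBOX\r\n"),
    Flow("10.0.1.42", "203.0.113.30", 587,
         b"EHLO laptop\r\nAUTH PLAIN " + base64.b64encode(b"\0carol\0s3cret") + b"\r\n"),
    # Upgraded to TLS before authenticating: must produce no finding.
    Flow("10.0.1.42", "203.0.113.40", 587,
         b"EHLO laptop\r\nSTARTTLS\r\n\x16\x03\x01\x00\x05hello"),
    Flow("10.0.1.77", "198.51.100.5", 80,
         b"GET /admin HTTP/1.1\r\nHost: cctv.example.net\r\nAuthorization: Basic "
         + base64.b64encode(b"admin:admin") + b"\r\n\r\n"),
]


def scan(flows) -> list:
    return [f for flow in flows for f in find_plaintext_credentials(flow)]


if __name__ == "__main__":
    for f in scan(SAMPLE_FLOWS):
        print(f"{f['protocol']:5} {f['src']} -> {f['dst']}:{f['port']} "
              f"user={f['username']} pass={f['secret']}")
```

Content rather than port number drives each match, so a mail client authenticating in the clear on a non-standard port is still caught, and the STARTTLS check avoids a false positive when the session is upgraded before the AUTH command. Quoted IMAP arguments and non-PLAIN SASL mechanisms are outside what this example handles.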
PROTECT YOUR BUSINESS WITH A NETWORK SECURITY ASSESSMENT
Speak to ConnectDS and discuss how our CDS:30 threat detection assessment can help your organisation gain deep visibility into your internal and external security posture and validate your current policies, configurations and technical controls.
Frequently Asked Questions about our Threat Detection Assessment
WHAT IS NETWORK SECURITY MONITORING?
Network Security Monitoring (or NSM) is the collection and analysis of network traffic in order to identify potential policy misconfigurations, data leakage and vulnerabilities.
WHAT IS FULL PACKET CAPTURE?
Full Packet Capture (or FPC) is the recording of every packet, headers and payloads included, crossing a monitored network link so that sessions can be reconstructed and analysed after the fact, as opposed to keeping only metadata such as flow records or logs.
HOW IS THE ASSESSMENT DEPLOYED TO ENSURE SUCCESSFUL SECURITY MONITORING?
To capture all inbound and outbound network traffic we deploy an onsite network server that functions as a network sensor. The monitoring is completely passive: the sensor receives a copy of the traffic from a network SPAN (mirror) port or from a dedicated network tap. Because the sensor is not inline it cannot become a single point of failure, and it can perform granular inspection with a full detection rule set without affecting network performance.
WHY DID CT24 PUT TOGETHER A COMPREHENSIVE SECURITY ASSESSMENT BUNDLE?
With a background in security for global corporations, the team at CT24 identified a lack of vital security visibility for small and medium businesses in the UK. This is where the idea for CDS:30 was born.
WHAT TOOLS DO CONNECTDS USE FOR NETWORK SECURITY ANALYSIS?
ConnectDS use a variety of commercial and open source tooling, with the expertise to perform granular network forensic monitoring of inbound and outbound network traffic and identify security vulnerabilities and advanced security threats.
WHAT IS AN INTRUSION DETECTION SYSTEM?
An Intrusion Detection System or IDS is a security engine that inspects network traffic, usually a passive copy from a SPAN port or tap, in order to detect attacks and malicious activity and raise alerts on them.
WHAT IS AN INTRUSION PREVENTION SYSTEM?
An Intrusion Prevention System or IPS is a security engine that sits inline in the traffic path, inspects network traffic in order to detect threats, and blocks the offending traffic.
WHAT IS THE DIFFERENCE BETWEEN AN INTRUSION DETECTION SYSTEM AND AN INTRUSION PREVENTION SYSTEM?
An Intrusion Prevention System or IPS is a security engine that sits inline, inspects network traffic to detect threats and blocks the offending traffic, whereas an IDS only alerts on these threats. Because an IPS is inline, a false positive blocks legitimate traffic and the device itself becomes a point of failure, so IPS rule sets tend to be conservative; an IDS can be tuned more aggressively since an alert costs only analyst time.
WHAT IS CONTINUOUS MONITORING IN CYBER SECURITY?
Continuous monitoring gives a security operations centre ongoing visibility of the environment so that vulnerabilities and indicators of compromise are identified as they appear, rather than only at the point of a periodic assessment.
WHAT IS THREAT INTELLIGENCE IN CYBER SECURITY?
Threat intelligence is information or context about cyber threats and malicious threat actors, for example indicators such as known-bad IP addresses, domains and file hashes, or the techniques and tooling actors use, applied to reduce the likelihood or impact of an attack. Sources include open-web and dark-web monitoring as well as commercial and open-source threat feeds.
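The threat intelligence check in the assessment (detection of communication with known-bad hosts) is, in practice, a lookup of captured connection and DNS records against an indicator list. The following added example, not ConnectDS tooling, shows that matching with the details that matter: CIDR ranges as well as single addresses, parent-domain matching for DNS queries, and expiry of stale indicators, which is where most threat-feed false positives come from. The indicator list and log records are constructed for the example using documentation addresses and names; the record field names are assumed to resemble Zeek's conn.log and dns.log.

```python
"""Match captured connection and DNS records against threat-intelligence indicators.

Added example, not ConnectDS tooling. The indicator feed and log records are
constructed (RFC 5737 addresses, RFC 2606 names); field names follow the
shape of Zeek conn.log / dns.log but are an assumption of the example.
"""
import ipaddress
from datetime import date

# Constructed indicator feed. Real feeds carry confidence and expiry; stale
# indicators on re-assigned cloud IPs are a common source of false positives.
INDICATORS = [
    {"type": "ip",     "value": "203.0.113.66",    "expires": "2099-01-01", "ref": "C2 host"},
    {"type": "cidr",   "value": "198.51.100.0/28", "expires": "2099-01-01", "ref": "bulletproof hoster"},
    {"type": "domain", "value": "update.example",  "expires": "2099-01-01", "ref": "malware download"},
    {"type": "ip",     "value": "192.0.2.9",       "expires": "2000-01-01", "ref": "old sinkhole"},  # expired
]


def compile_indicators(indicators, today):
    """Drop expired entries and pre-parse networks so per-record lookups are cheap."""
    nets, domains = [], set()
    for ind in indicators:
        if date.fromisoformat(ind["expires"]) < today:
            continue
        if ind["type"] in ("ip", "cidr"):
            nets.append((ipaddress.ip_network(ind["value"], strict=False), ind["ref"]))
        elif ind["type"] == "domain":
            domains.add((ind["value"].lower().rstrip("."), ind["ref"]))
    return nets, domains


def match_ip(ip, nets):
    addr = ipaddress.ip_address(ip)
    return [ref for net, ref in nets if addr in net]


def match_domain(name, domains):
    """Match the exact name or any parent (cdn.update.example -> update.example)."""
    labels = name.lower().rstrip(".").split(".")
    hits = []
    for i in range(len(labels) - 1):  # never match on the bare TLD
        candidate = ".".join(labels[i:])
        hits.extend(ref for dom, ref in domains if candidate == dom)
    return hits


# Constructed records; "orig" is the internal host, "resp" the external peer.
LOG = [
    {"ts": "2024-03-01T09:00:01", "log": "conn", "orig": "10.0.1.23", "resp": "203.0.113.66", "port": 443},
    {"ts": "2024-03-01T09:00:05", "log": "conn", "orig": "10.0.1.42", "resp": "198.51.100.7", "port": 8080},
    {"ts": "2024-03-01T09:00:09", "log": "dns",  "orig": "10.0.1.77", "query": "cdn.update.example."},
    {"ts": "2024-03-01T09:00:12", "log": "conn", "orig": "10.0.1.77", "resp": "192.0.2.9", "port": 80},
    {"ts": "2024-03-01T09:00:15", "log": "conn", "orig": "10.0.1.23", "resp": "192.0.2.50", "port": 443},
]


def hunt(records, indicators, today):
    """Return one alert per (record, matching indicator) pair, in log order."""
    nets, domains = compile_indicators(indicators, today)
    alerts = []
    for r in records:
        if r["log"] == "conn":
            refs = match_ip(r["resp"], nets)
        else:
            refs = match_domain(r["query"], domains)
        for ref in refs:
            alerts.append({"ts": r["ts"], "host": r["orig"], "indicator": ref,
                           "detail": r.get("resp") or r.get("query")})
    return alerts


if __name__ == "__main__":
    for a in hunt(LOG, INDICATORS, date(2024, 3, 1)):
        print(f"{a['ts']} {a['host']} -> {a['detail']}: {a['indicator']}")
```

The record for 192.0.2.9 produces no alert because its only indicator has expired; without that check an analyst would be chasing a sinkhole address that was retired years ago. Matches on an indicator are a lead for the threat-hunting stage, not a confirmed compromise, and are validated against the full packet capture for the flagged session.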