Cipher xMDR: Platform

The solution: Cipher xMDR Platform

Digital Adversary profiling

Knowing your enemy is crucial to combat them effectively. Our message concerns the importance of understanding your digital adversary. 

With a deep understanding of their tactics and strategies, we can take highly effective actions, such as anticipating, preventing, detecting, and responding to their attacks. 

Our adversary profiling exercise is based on a set of rules that specifically target the threat and are constantly updated with all the necessary details to mitigate and respond to any potential attacks effectively.

Dynamic Defense AI-driven

The adversary profiling triggers three modes of rule execution: "Full hunting," where all rules are executed; "Trend-based," where only trending rules are executed; and "Manual," where rules are available for manual execution. 

By utilizing profiling, the x63 unit, and research-based learning, we achieve exceptional MITRE coverage with the goal of anticipating attacks. 

Through the creation of threat-directed procedures, we can use our response capacity to prevent attacks and minimize execution and action times.

Hyper Queries

Advanced detection rules that can generate a response.

• We have implemented advanced rules to protect against both hidden and known threats.

• Easily conduct specific searches without the need to log in to external systems.

• Continuous hunting.

• The ability to identify the source of malicious activity (such as actors/APT, malware, CVE, TTP, etc.) allows for quick action to be taken.

• Possibility to edit the frequency of rule execution.

EDR Response:

• Host isolation.

• Hash blocking.

• Entity tracking.

** To ensure the proper functioning and full use of all features, it is necessary to fully integrate with the Detection & Response Engines and validate that integration during the Onboarding process.

MITRE Attack Flow

Within MITRE Attack Flow, we track any malicious activity and use AI to generate the possible paths that a threat might take. This allows us to validate malicious behavior and predict what might happen next.

Our system follows the researched TTPs and automatically applies their rules, resulting in faster detection times. Our approach involves predicting the threat's next move and taking preventative measures. To accomplish this, we use AI to execute the rules based on their probability of success. We carefully analyze the steps that the threat is likely to take, as outlined by MITRE.

To ensure accuracy, we verify the information using all relevant historical data and connect it to the present information. This allows us to determine which assets have been impacted and verify their authenticity.

Trusted Telemetry

Thanks to process emulation, we can predict the attack by learning techniques from the history in our database and by linking related entities, parameters, variables, indicators, etc. This lets us generate detection rules specific to each threat and eliminate false positives.

The goal is to detect the attack before the malicious evidence surfaces.

Detection

Creating a new detection rule specific to the threat and ensuring that it avoids false positives. The rule is now prepared for execution against the "Detection & Response Engine" as a "Hyper Query."

Threats

We keep an eye on the digital threat and prevailing trends.

Patterns

We emulate and simulate attacks, constantly searching for known and new patterns.

Analyze

Our objective is to analyze all malicious telemetry in order to locate the initial evidence.

Validate

It is important to validate all information using various methods to ensure accuracy and identify any potential evasions or detections.

Adversary Rule Risk

We believe that customers cannot all be treated as facing the same threats.

Therefore, we focus our efforts on selecting detection rules that cover threats and techniques that most affect each customer. 

To achieve this, we assign a unique score, Adversary Rule Risk, to customers' use cases. 

This score is calculated using an algorithm that considers the customer profile, the adversaries that most affect it, and the quality of the detection rules, in order to reduce alerts that add no value.

Smart Alert Processing

Our system intelligently processes all alerts generated by Hyper Queries and Detection & Response Engines. 

During the investigation, we group alerts using various learning methods and apply "retro hunt" to search for past solutions or treatments. 

We also provide complete visibility of all assets involved in the alert (past and present) and enrich the investigation with intelligent reputation data. 

Our goal is to conduct a thorough investigation with high-quality information, free of any distractions.


We highlight the importance of a summary of what has been executed automatically, and we focus on the traceability of how it was done in the past and of all the assets involved.

We check the reputation of the assets, apply AI to the past activity of possibly malicious processes to learn how they act, highlight keywords that can trigger another investigation so that visibility is not lost, and enrich with as much information as possible everything related to the digital adversary to which the alerts in the investigation apply.

All information displayed is generated automatically and reflects the custom settings that the analyst has decided to apply or edit in the rule configuration.

It shows the result of the automated actions set in the rules, such as those directed at the endpoints (EDR), as well as all related information that could trigger a response, such as relationships between different assets, relevant Active Directory information (integration is required), and the knowledge of the malicious activity in MITRE (MITRE Attack Flow).

Finally, the recommendations for action on the investigation automatically review whether the information displayed in the alert is sufficient for its resolution, or show the extra steps that should be taken to follow up and move forward with the investigation.

Threat investigation and response

At Capacity, we prioritize accurate investigations and efficient "Detection & Response Engines."

To achieve this, we utilize automation to adhere to protocols, prevent unnecessary actions, and minimize false positives. 

Our goal is to equip experts with comprehensive information within the investigation's context, enabling them to make informed decisions and take prompt action to prevent security incidents. 

We aim to increase efficiency and reduce response times by streamlining the process.

x63 Unit

The Cipherlabs x63 Unit provides the platform with valuable information about digital adversaries.  This information is used to create rules and procedures, analyze trends, and generate documentation to help combat these adversaries. The unit's core values focus on understanding the adversary in order to overcome them. 

Centralized Intelligence Portal

The portal provides an exceptional experience for every role and level of expertise due to its detailed roles and permissions.  

It enables the analyst and the client to share the same vision seamlessly.  

You can access a complete overview of the investigation, customize the handling of each case, monitor the status of assigned rules, and stay informed about potential digital threats all the time.  

Additionally, investigations can be reported and followed up. 

AI is an essential part of our service and is integrated into all our functions.