

    Ward Solutions – Helping you to Optimise your Threat Hunting Efficiency and Effectiveness

    Threat hunting, also known as cyber threat hunting, is a proactive approach to identifying previously unknown, or ongoing and non-remediated, threats within an organization’s network.

    In other words, threat hunting is the practice of searching through the network, endpoints and datasets for malicious, suspicious or risky activity that has evaded the existing detection tools, in order to neutralise or remove it and prevent it from getting in again in the future.

    How threat hunting works

    Threat hunters are highly qualified, experienced cybersecurity professionals who form a hypothesis, examine the environment by searching for all accessible evidence that bears on it, and finally reach a conclusion that either confirms or refutes the hypothesis.

    Hypotheses are built from new intelligence, a deviation from a baseline measure, a newly recognised TTP, an alarm from detection technologies such as SIEM or EDR, or another sign in the network or the external environment. Because the resources available for hunting are limited, we need to help them deliver valuable work as efficiently and effectively as possible.

    The following are some examples of hunting hypotheses:

    • There might be APT29-related activity in my network.
    • The Sunburst malware was first published in April of last year. There might be relevant occurrences from April in our network.
    • It’s possible that our endpoints were used to visit this malicious URL.
    • Some of our hosts may have connected to this rogue IP address.
    • A new Trickbot malware strain has been discovered in the wild. This new variant may already be in our environment.

    What problems does Ward Solutions Detection Analytics (DA) address?

    -Choosing and developing the right hypothesis

    What is the best hypothesis to start with, or to try next? This choice depends on several factors, both external and internal to the organisation. Changes in the threat landscape, the latest knowledge of a breach that occurred elsewhere, suspicious activity such as a file seen for the first time, changes in the environment, and other factors might all play a part in triggering a hunt. Such triggers are plentiful, but security analysts who can conduct hunting, and their time, are in short supply. With such a high opportunity cost, coming up with the most applicable hypothesis is a big issue.

    -Data Accessibility

    No matter how skilled or experienced a threat hunter may be, they must rely on the data available to find signs of a threat. If detection technologies such as SIEMs and EDRs do not include the relevant data, or the logs do not have the requisite level of detail, security analysts will be unable to reach a conclusion or will produce a false negative.

    How does Ward Solutions Detection Analytics help?

    Ward Solutions delivers a breach and attack simulation service in partnership with PICUS Security, whose toolset is a sophisticated, complete security control validation platform. This platform and Ward’s service help an organisation to identify the capacity, capabilities and limitations or weaknesses of its security infrastructure, and to build a baseline of that infrastructure’s security. A low baseline could indicate a network segment where malicious content or activity may be hiding or operating from.

    Threat samples in the Picus Library are presented with their unique identifiers, such as the file name, MD5 or SHA256 hash. More importantly, the information provided on attack campaigns contains all TTPs, mapped to MITRE ATT&CK. This rich threat information, provided for more than ten thousand advanced threat samples, saves threat hunters significant preparation time and lets them trace the indicators with precision and speed, making them more efficient and effective.
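As an added illustration of how the hypotheses listed above are actually tested against data (example code written for this page, not Picus or Ward tooling), the Python below takes a constructed threat-sample record shaped like the identifiers just described (file name, MD5/SHA256, malicious URL and IP, first-seen date, ATT&CK technique IDs) and hunts for it across three constructed data sets: proxy logs, network flow logs and an endpoint file inventory. It applies the date window from the Sunburst-style hypothesis, so an earlier, out-of-scope visit is left out, and then groups the hits by host so the hunter knows where to pivot next. Every hostname, address, hash, path and log line is made up.

```python
"""Hypothesis-driven IoC hunt over constructed log samples (illustrative)."""
import csv
import io
from datetime import date, datetime

# Constructed threat-sample record, shaped like the identifiers described in the
# text (file name, hashes, network IoCs, first-seen date, ATT&CK technique IDs).
SAMPLE_SHA256 = "a3" * 32            # placeholder hash, not a real sample
THREAT_SAMPLE = {
    "name": "svc_update.exe",
    "sha256": SAMPLE_SHA256,
    "md5": "b7" * 16,                # placeholder
    "urls": {"http://update-check.example.invalid/payload.bin"},
    "ips": {"203.0.113.45"},         # RFC 5737 documentation range
    "first_seen": date(2021, 4, 1),  # hypothesis: only events from April onward matter
    "attack_techniques": ["T1105", "T1071.001"],  # illustrative ATT&CK mapping
}

# Constructed log extracts. WS-017 visited the URL before first_seen, so under
# the stated hypothesis it is out of scope; WS-042 matches all three data sets.
PROXY_LOG = """timestamp,host,url,action
2021-03-28T09:12:03,WS-017,http://update-check.example.invalid/payload.bin,allowed
2021-04-06T14:02:11,WS-042,http://update-check.example.invalid/payload.bin,allowed
2021-04-06T14:05:40,WS-042,https://intranet.example.invalid/,allowed
"""
FLOW_LOG = """timestamp,host,dst_ip,dst_port
2021-04-06T14:02:12,WS-042,203.0.113.45,443
2021-04-07T08:00:00,SRV-DB1,198.51.100.7,5432
"""
FILE_INVENTORY = f"""host,path,sha256
WS-042,C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc_update.exe,{SAMPLE_SHA256}
WS-003,C:\\Windows\\System32\\notepad.exe,{'0f' * 32}
"""


def _rows(csv_text):
    """Parse a CSV extract into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text.strip())))


def hunt(sample, proxy_log, flow_log, file_inventory):
    """Return one finding per IoC match; network events before first_seen are excluded."""
    since = datetime.combine(sample["first_seen"], datetime.min.time())

    def in_window(ts):
        return datetime.fromisoformat(ts) >= since

    findings = []
    for r in _rows(proxy_log):
        if r["url"] in sample["urls"] and in_window(r["timestamp"]):
            findings.append({"kind": "url", "host": r["host"],
                             "when": r["timestamp"], "evidence": r["url"]})
    for r in _rows(flow_log):
        if r["dst_ip"] in sample["ips"] and in_window(r["timestamp"]):
            findings.append({"kind": "ip", "host": r["host"],
                             "when": r["timestamp"], "evidence": r["dst_ip"]})
    for r in _rows(file_inventory):
        # A file present on disk is always in scope; the inventory has no timestamp.
        if r["sha256"].lower() == sample["sha256"].lower():
            findings.append({"kind": "hash", "host": r["host"],
                             "when": None, "evidence": r["path"]})
    return findings


def pivot_hosts(findings):
    """Group findings by host so the hunter can decide where to look next."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["kind"])
    return by_host


if __name__ == "__main__":
    hits = hunt(THREAT_SAMPLE, PROXY_LOG, FLOW_LOG, FILE_INVENTORY)
    for h in hits:
        print(h)
    print(pivot_hosts(hits))
```

Run as a script it prints three findings, all on WS-042, and a pivot summary of {"WS-042": {"url", "ip", "hash"}}. The date filter is a deliberate design choice that mirrors the hypothesis: a hunter who instead wanted every sighting, including the WS-017 visit before the sample was first published, would simply drop the `in_window` check.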

    Ward Solutions Detection Analytics helps maintain a strong log base and infrastructure. It enables SOC teams to have a well-scoped, threat-aware log base on SIEMs and EDRs that is continually updated to reflect changes in the threat landscape and the technology infrastructure. This is crucial because security analysts rely on the information provided to them.

    Blue Team Content generated by Picus provides insight into the TTPs used by adversaries. Adversaries change indicators of compromise (IoCs) frequently.

    To do successful, well-defined threat hunting, security analysts must go beyond IoCs and gain a thorough understanding of TTPs, which represent the real nature of hostile actions. However, evaluating TTPs and creating queries based on them takes a significant amount of time and work.

    Security analysts can acquire TTP context more easily thanks to detection content created by Picus Labs’ specialised Blue Team Engineers. These detection engineers develop, test and verify:

    • SIGMA, a generic and open signature format for SIEM products;
    • Vendor-specific rules for SIEMs (IBM QRadar, Splunk, Micro Focus ArcSight) and for the EDR VMware Carbon Black. This coverage continually widens.

    Security analysts can gain TTP knowledge from Sigma and vendor-specific rules, which saves time and effort by helping them quickly grasp the adversaries’ playbook.
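To make the Sigma point concrete, here is an added example (written for this page; it is not a Picus Labs rule and not the Sigma project’s own code) of how a behaviour-based rule, as opposed to a hash or URL match, is expressed and evaluated. The rule is written as a Python dict that mirrors the structure of a Sigma YAML rule (logsource, named selections with field modifiers, a condition), and the small evaluator supports a subset of Sigma matching: exact, |contains, |startswith and |endswith, list values meaning OR, and conditions built from and/or/not. The rule, its ATT&CK tag, the assumed benign exclusion and the process-creation events are all constructed for illustration. Because it keys on the parent-child process relationship rather than on file hashes, the same rule keeps firing when the adversary re-packs its payload and the IoCs change.

```python
"""Minimal Sigma-style rule evaluator over constructed process-creation events."""

# Constructed rule, written as a dict that mirrors a Sigma YAML rule's structure.
# It flags an Office application spawning a command interpreter: a behaviour
# rather than an indicator, so it survives IoC changes. Not a Picus Labs rule.
RULE = {
    "title": "Office application spawning a command interpreter (illustrative)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {
            "ParentImage|endswith": ["\\winword.exe", "\\excel.exe", "\\powerpnt.exe"],
            "Image|endswith": ["\\cmd.exe", "\\powershell.exe"],
        },
        # Constructed exclusion for an assumed benign in-house add-in updater.
        "filter_updater": {"CommandLine|contains": "\\AcmeAddin\\update.cmd"},
        "condition": "selection and not filter_updater",
    },
    "level": "high",
    "tags": ["attack.t1204.002"],   # illustrative ATT&CK mapping
}

# Constructed process-creation events (field names follow the Sigma convention).
EVENTS = [
    {"EventId": "evt-1", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"EventId": "evt-2", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventId": "evt-3", "ParentImage": r"C:\Program Files\Microsoft Office\EXCEL.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\AcmeAddin\update.cmd"},
    {"EventId": "evt-4", "ParentImage": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]


def _field_matches(event, key, expected):
    """Evaluate one 'Field|modifier': value(s) entry; Sigma string matching is case-insensitive."""
    field, _, modifier = key.partition("|")
    actual = str(event.get(field, "")).lower()
    wanted = expected if isinstance(expected, list) else [expected]
    for w in wanted:                      # a list of values means OR
        w = str(w).lower()
        if ((modifier == "" and actual == w)
                or (modifier == "contains" and w in actual)
                or (modifier == "startswith" and actual.startswith(w))
                or (modifier == "endswith" and actual.endswith(w))):
            return True
    return False


def _evaluate_condition(condition, named):
    """Subset of Sigma conditions: names joined by and/or, optional 'not', left to right."""
    tokens = condition.split()

    def term(i):
        if tokens[i] == "not":
            return (not named[tokens[i + 1]]), i + 2
        return named[tokens[i]], i + 1

    value, i = term(0)
    while i < len(tokens):
        operator = tokens[i]
        rhs, i = term(i + 1)
        value = (value and rhs) if operator == "and" else (value or rhs)
    return value


def rule_matches(rule, event):
    """All fields inside a named selection must match (AND); the condition combines selections."""
    detection = rule["detection"]
    named = {name: all(_field_matches(event, k, v) for k, v in sel.items())
             for name, sel in detection.items() if name != "condition"}
    return _evaluate_condition(detection["condition"], named)


def run_rule(rule, events):
    """Return the EventIds the rule fires on."""
    return [e["EventId"] for e in events if rule_matches(rule, e)]


if __name__ == "__main__":
    print(run_rule(RULE, EVENTS))   # ['evt-1']
```

Only evt-1 fires: evt-2 has the wrong parent, evt-4 spawns no interpreter, and evt-3 is removed by the exclusion. The condition parser deliberately evaluates left to right with no precedence or parentheses, which is enough for the “selection and not filter” shape most rules use; a real SIEM conversion (the vendor-specific rules the text mentions) is what turns a rule like this into QRadar, Splunk or ArcSight query syntax.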

    Contact Ward Solutions today to see how we can help you conduct efficient and effective threat hunting:

    News

    Using Breach Attack Simulation to make your SIEM more…

    Security Information and Event Management (SIEM) is an important tool for reducing cyber risk. Enterprises have been investing substantial sums in SIEM solutions, in both capital and operating budget lines, for the past 15 years. Despite this, year after year, industry studies indicate that SIEM users are dissatisfied with their investments.

    SIEM solutions have been criticised for being difficult to manage, noisy, and slow at detecting cyberattacks. Some of these problems are alleviated by concepts such as “intelligence-driven SOC,” “orchestration and automation,” and “managed SIEM,” but they fall short of assuring reliable, efficient and prompt detection rates.

    Proactive Validation: The Only Sensible Way

    Proactive validation is the only certain approach to using SIEM platforms efficiently. Obtaining constant, consistent and ad-hoc validation capabilities based on genuine cyber-attack emulations helps identify holes in SIEM operations and opens up numerous possibilities for preventing real attacks.

    Enterprise-grade Breach and Attack Simulation (BAS) platforms take adversary emulation to another level from this perspective. BAS platforms:

    • use threat-centric analytics to identify detection gaps at the adversary behaviour level;
    • automate, and thus diversify, emulation across thousands of scenarios;
    • provide detection and prevention content for immediate risk mitigation;
    • make purple teaming a repeatable capability.

    BAS Empowered SIEM

    SIEM Powered by BAS is one of Gartner’s top eight technological trends for 2021. Enterprises should consider the use cases that BAS systems provide for increasing SIEM efficiency and return on investment. A BAS-enabled SIEM platform may be used by a wide range of users, including CIOs, CISOs, SOC managers, security analysts, and compliance teams, to construct resilient networks.

    In 2005, SIEM technology was designated as a new category, and much has happened in the realms of IT and cybersecurity since then. Networks are now larger, more interconnected and more versatile. As a result, criminal actors take advantage of what these descriptors imply: more flexibility, the potential for greater effect, and an expanded attack surface. Although SIEM technology has advanced substantially, not every element of how SIEMs are used today meets the problems that current networks and business dynamics pose.

    SIEMs are Underutilized

    SIEMs aren’t being used to their full potential. The SANS report “Common and Best Practices for Security Operations Centers: Results of the 2019 Survey” investigates how pleased users are with their technologies as they relate to the NIST Cybersecurity Framework areas of identification, protection, detection, response and recovery. In the identification category, the survey shows that only 22% of SIEM users are very satisfied, while 25.8% are not satisfied. In the detection category, these numbers are 20.5% and 34.8%, respectively.

    A study by Ponemon Institute supports the findings of the SANS survey. Even though organizations’ first choice for detecting malicious activity is a SIEM technology, on average 25% of those detections are false positives, and 55% of alerts triggered by detections are not attended to.

    Because the amount of alerts is so large, many SOCs just delete the alert backlog at the end of each day to have a fresh start in the morning.

    En Route to Efficiency

    SIEM systems are the most popular detection solution for a variety of reasons. SIEMs are known for their speed in delivering findings. SIEM solutions gather and analyse data in a way that no other detection technology can, and their advanced analytics capabilities are unrivalled. Maintaining high efficiency on this expensive but necessary equipment is a critical component of combating sophisticated cyber assaults. The question of how to get there, on the other hand, remains unanswered. There are several obstacles that SOC teams must overcome in order to achieve and maintain SIEM efficacy.

    CHALLENGES IN OPERATIONALIZING SIEMS EFFECTIVELY

    In the discussion of SIEM efficacy (or rather inefficacy), three fundamental challenges put a strain on SIEM capabilities. The extensively debated SOC problems of false positives, alert noise, missing detections, long dwell time and other issues related to SIEM efficacy are symptoms of not combating these three challenges effectively in the first place.

    1) The Large Volume of Data Modern Networks Generate

    Regardless of how advanced a SIEM technology may be, it fundamentally relies on the scope and quality of the data it collects and processes. Even though “the more logs, the better” sounds like a reasonable proposition, the massive volume of data modern networks generate today requires SOC teams to handle log management more creatively and selectively.

    2) Ever-Changing Adversarial and Internal Environments

    Data sets and detection rules on SIEMs are susceptible to being out of date due to the rapid changes happening in networks and the adversarial landscape. Each new application, network and user device may mean a new vulnerability and data source at the same time. New attack techniques and threats may also require new data sources to be ingested to detect them.

    3) Lack of Skill Set and Security Analysts

    While SIEMs rely heavily on human effort for planning, setting up processes and successful execution, Gartner ranks “SIEM expertise” among the hardest-to-find skill sets in its 2020 IT Skills Roadmap report.

    Assigning the right priorities to alerts, managing log sources, quick and effective detection engineering, improving processes, ensuring collaboration between junior and senior team members, and other key SIEM tasks all require the right level of expertise to be in place. Organizations need to find ways to empower SIEM users by way of training, automation, and a proactive approach to pre-empting repetitive tasks.

    Contact Ward Solutions to discuss how our Breach Attack Simulation services can help validate your current SIEM and improve its effectiveness:

    News

    5 Requirements of Modern Cyber Testing Solutions

    Security testing should be the north star of successful security leadership, not simply a nice-to-have. Your security validation tool should inform you in real time whether your security controls can withstand the most advanced contemporary attacks, whether your existing investments are generating ROI, and where you need to direct the organization next.

    Given the rapidity with which new attack strategies and tactics emerge, this is a lot of strain, which is why the security validation market is evolving fast. Today’s security testing methods range from vulnerability scanning to more advanced approaches like Breach and Attack Simulation (BAS), and practitioners frequently utilize frameworks like MITRE ATT&CK to help them get the job done.

    What, then, makes a good security testing solution? We’ve put together a list of five must-haves for CISOs assembling a contemporary, threat-centric security validation program, to help them navigate this fast-changing industry.

    Requirement 1: Ability to utilize imminent advanced threats

    One of the most difficult aspects of security testing is that new cyber threats emerge regularly. They utilize a broad range of complex strategies and techniques to accomplish their objectives. This covers tactics that are meant to avoid detection.

    Standard vulnerability scanning solutions will assist security professionals in gaining insight into new security risks as they are identified (which may or may not be exploited in the next wave of assaults). Still, they lack the crucial context of what attackers are up to “in the wild.” They help security teams discover prospective “victims” in their organizations, but that’s not the same as responding to established adversary behaviour patterns.

    Organizations may use red team activities to align their validation with real-world circumstances. On the other hand, red team testing is resource-intensive and time-consuming; therefore, it won’t meet our second major requirement: 24x7x365 preparedness on its own.

    Requirement 2: 24x7x365 validation

    In the world of cybersecurity, the enemy never sleeps. According to 2020 Accenture research, new threats emerge at such a rapid pace that security stakeholders view it as a “continuous fight” to keep ahead of them.

    Red team exercises, which may take weeks or even months to design and execute, cannot provide the kind of round-the-clock threat preparedness that security teams require to thrive in this environment. While they play an important role in evaluating security measures against the most sophisticated approaches, companies will need to go elsewhere for continuous security validation 24 hours a day, seven days a week, 365 days a year.

    Requirement 3: Assessing existing control capabilities

    It may seem self-evident, but an effective security testing solution must account for the whole spectrum of security measures currently in place in a company’s IT infrastructure, no matter how sophisticated or multifarious. Security validation tools will struggle to give important information on the importance of individual security vulnerabilities and their priority if they can’t analyze current control capabilities.

    Requirement 4: Immediate mitigation

    In some cases, security validation tools will reveal security flaws that must be rectified immediately. As a result, we believe it’s critical that a successful security testing solution alerts security teams to areas of danger and provides them with the knowledge they need to mitigate those risks in minutes. This may include a thorough to-do list of mitigating ideas in some situations.

    Requirement 5: Enable team communication and collaboration

    Finally, a successful security testing solution must address the complete spectrum of risks, possible victims in the organization, current control capabilities, and the many diverse roles, departments, and personnel that must be engaged in reacting to security risk.

    Every security executive understands that getting security and business stakeholders to communicate and collaborate is easier said than done. Effective validation should enable all stakeholders to see and grasp the intricate links between threats, risks, mitigation actions and ROI, and engage the whole team to work together towards the same goal.

    Ward Solutions offers a comprehensive set of cyber testing services. If you are interested in any of the testing services described in this blog, please contact us:

    News

    Over 90% Of Threats Are Initiated By Email

    An email security report has revealed that over 90% of all successful cyber attacks around the world begin with a phishing email.

    Cyber criminals are adopting and deploying increasingly sophisticated techniques to bypass spam filters and firewalls. Human nature and unaware or preoccupied users are considered contributing factors as they can often be tempted to download a file or click a malicious link that gives criminals access.

    Every business should take steps to protect itself against phishing email, by training employees to recognize the ‘red flags’ that communication may be part of a scheme, and immediately report any incident to aid recovery and help identify cyber criminals to protect other businesses from victimization.

    Keep in mind that anyone can be hacked: Businesses must know that their employees can be the victims of various email-based attacks such as phishing, spear phishing, CEO fraud/BEC, ransomware, malware attacks and other cyber attacks.

    Check your current security infrastructure and practices: Organisations should check their current cybersecurity infrastructure and the security technology they use. They should also evaluate their users’ cybersecurity awareness training programmes, incident response operations and other security policies.

    Consider multi-layered solutions for email security: Sophisticated cyber attacks such as ransomware evolve day by day and need advanced solutions to be stopped; this is where an Email Threat Simulation solution plays a significant role. Simulating attacks against a mailbox will show how thorough your mail security platform is.

    Ward’s Breach & Attack Simulation solution is capable of simulating data exfiltration, a cyberattack on the company’s web application firewall, a phishing attack on an organisation’s email systems, a malware attack on an endpoint or even a lateral movement within networks.

    If we focus on Ransomware, BAS can very quickly identify what our residual risk is around threats that are not being blocked by our mail security platform. Now let’s have a look at the situation below:

    In figure 1 we can highlight the current percentage of threats not being blocked, as a total count. Would 52% be an efficient use of the current mail security protection provider?

    With 1720 malicious emails getting through to users’ mailboxes we have quite a challenge. If you look into the Malicious Code attacks category and, to the right, Ransomware, you will see that of all these threats we are able to block only 54%.

    To drill into more detail, we can see exactly what is not being blocked. You will note that 209 variants will make their way to the user’s mailbox. This is a lot of residual risk.

    The next way of uncovering residual risk is to identify a particular one we are worried about. By filtering for a particular type, BLACKKingdom below, we can see how effective our mail security is at stopping all of its variants. We have 3 getting through.

    Now we can pivot to how all our security controls are dealing with this ransomware. By selecting the 3rd row (1st unblocked variant-2) we can see details and residual risk along our network path into the corporate environment, as well as how Windows Defender is dealing with it.

    First, the front-door NGFW at our perimeter!

    We can see on the first row that our NGFW is blocking this attack as of today at 07:02.

    We can also see that the endpoints are blocking the attacks, so for now our only exposure is the email route into our network.

    Ward’s Breach & Attack Simulation service offers customers a meaningful baseline of the effectiveness of their security infrastructure, measuring how many attacks got through the Prevent/Protect infrastructure or were picked up by the Detect infrastructure, and how many were blocked. By using the PICUS toolset we offer customers not only a significantly increased scale of testing but also the possibility of continuous or more frequent testing and baselining.

    To discuss how the Ward Solutions Breach Attack Simulation service can measure and help improve your security efficiency:

    News

    Security Advisory: REvil Ransomware Attack on Kaseya VSA

    On July 3rd, a malicious hotfix was released and pushed by Kaseya VSA servers, propagating to servers managed by Kaseya and resulting in the compromise and encryption of thousands of nodes at hundreds of different businesses.

    This attack appears to be the work of REvil (also known as Sodin/Sodinokibi). The recent attacks targeted a software supplier called Kaseya, using its network-management package as a conduit to spread the ransomware through cloud-service providers.

    Kaseya VSA is a popular piece of software for remote network management, used by many managed security providers, or MSPs, companies that provide IT services to other companies. Network management software is a perfect place to hide a back door because these systems usually have broad access and perform a lot of tasks, making them difficult to monitor.

    The attackers exploited vulnerable, internet-facing VSA servers commonly running upstream of many victims, in the networks of MSPs, using them as backdoors and making it difficult or impossible for the victims to detect or prevent infection as the ransomware flowed “downstream.”

    REvil is most famously associated with recent attacks on Travelex, Acer, and Apple supplier Quanta Computer. Acting as a RaaS, REvil relies on affiliates or partners to perform its attacks, and the REvil developers receive a percentage of all proceeds from ransom payments. Because the ransomware is distributed by different entities, the initial infection vector can vary; typically it is via phishing campaigns, brute-force attacks to compromise RDP, or software vulnerabilities. REvil is also known to be distributed by other malware such as IcedID.

    The good news? BlackBerry Protect, BlackBerry Optics and BlackBerry Guard stop these attacks.

    Prevention first: Putting prevention first neutralizes malware before the exploitation stage of the kill-chain. By stopping malware at this stage, BlackBerry products help organizations increase their resilience to cyber attacks. This also reduces infrastructure complexity and streamlines security management to ensure that business, people, and endpoints are secure.

    BlackBerry cybersecurity solutions use the 7th generation Cylance® AI engine, trained on a threat dataset numbering in the billions, to identify and prevent attacks. The AI resides on the endpoint and in the cloud, offering holistic and multi-layered protection without requiring continuous Internet connectivity.

    Given the success of the REvil attacks, it is vital for organisations to learn how to safeguard themselves and their employees from ransomware threats in 2021.

    The Threat Research Team of our partner BlackBerry has analyzed the attack methods used by this threat and, in addition to recommending basic cyber hygiene steps, strongly urges BlackBerry customers to ensure their systems have BlackBerry® Protect enabled with a blocking policy and BlackBerry® Optics enabled to detect threats.

    BlackBerry has additionally authored rules to identify several telemetry points of the REvil ransomware. These rules are available for BlackBerry customers to download here: https://support.blackberry.com/community/s/article/80059.

    Ward Solutions & BlackBerry Incident Response team can work together with organisations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure.

    Talk to a specialist today:

    News

    Which is the Right Cyber Testing Solution to Use…

    Security testing is one of the single most important jobs an effective security department can do. Without it, security leaders have no way to make informed and pragmatic decisions about the areas of investment they need to prioritize – and no basis on which to make the argument for a bigger security budget. 

    The purpose of security tests is to identify all possible loopholes and weaknesses of the software system and to prevent network threats.

    While it’s uncommon nowadays to find a business without a form of security testing program in place, different organizations tend to be at very different levels of maturity when it comes to testing. This is often reflected in the techniques, tools, and processes they use for the purpose. That’s not to say that some security testing solutions are right and some are wrong – they all have their own strengths and weaknesses, and the most sophisticated security teams know how to use them in conjunction to achieve the desired outcome.

    The more extensive an organisation’s security testing approaches are, the better are its chances of succeeding in an increasingly threatening technology landscape.

    Today, we are going to talk about the four key security testing solutions and how they compare:

    Security testing solution 1: Vulnerability management

    The role of a vulnerability management solution is to scan your environment for network and application vulnerabilities that haven’t been patched yet, and to help you manage the process of getting them fixed.

    Vulnerability management is undoubtedly one of the oldest and most established security testing approaches, and on the surface it has a compelling use case: many successful cyber attacks exploit vulnerabilities that have been known to the security community for weeks or months but haven’t been patched by their victims. If only they had been faster to identify and address those vulnerabilities.

    In reality, of course, vulnerability management isn’t the silver bullet it may sound like. The challenges of working with this 25-year-old technology are twofold:

    • New vulnerabilities are discovered continuously (and some newer solutions try to prioritise the ones most likely to be exploited), yet most security teams still see patching as a burdensome and time-consuming route to securing a complex IT environment. Without context on other control capabilities, a scanner’s findings can overstate the real exposure from a given vulnerability.
    • More importantly, vulnerability management focuses on vulnerabilities, not on the threat actors themselves. So, while it helps draw attention to possible points of compromise, it can’t advise on whether there’s a real risk that one of those points of compromise will be targeted. This stops security teams from taking a pragmatic view of each vulnerability and prioritising patches based on the value to the business.

    Security testing solution 2: Pentesting

    Pentesting, or penetration testing, is another common and well-known security testing solution. In a penetration test, an organization hires a trusted third party to attempt to breach their IT environment using the same tools and techniques as a real threat actor.

    Compared to vulnerability scans, pentesting provides a more sophisticated assessment of how a security system holds up against cyber-attacks. A pentest also produces a valuable result that is easy to communicate to stakeholders, and many compliance frameworks such as PCI DSS clearly state that pentests should be done regularly.

    However, from a security standpoint, the major drawback of pentesting is that it gives a one-time snapshot of defensive capability. Most pentests are point-in-time exercises carried out on a limited schedule, which could be monthly, quarterly or annually, leaving more than enough time for a threat to compromise the system before the subsequent test is conducted.

    Besides, a pentest usually looks for security gaps within a predetermined scope. If you set up a pentest to outline security gaps within a particular section of your card payment system, the result may not reflect your overall security control capabilities.

    Finally, while pentesters do normally report back on their findings, it’s not their job to give specific mitigation instructions. Establishing and coordinating the follow-up actions after a pentest is up to you.

    Security testing solution 3: Red teaming

    A red team exercise is essentially a much more sophisticated and comprehensive version of a pentest, taken a number of steps further in terms of replicating real-world threat behavior.

    As part of the process, a team of ethical hackers will attempt to breach your security in order to achieve a specific outcome by any means necessary. Their job is not to pinpoint the weakness in a specific system or circumvent a particular defence measure, but to think and act the way a real threat actor would. A skilled red team will offer a wider and deeper view of your threat readiness than almost any other security testing solution.

    Another pivotal part of a red team’s work scope is to work together with the in-house security team, or “blue team”, and provide specific improvement instructions. This helps ensure protection against the same security loophole being exploited by threats in the wild.

    On the other hand, do not forget that red team exercises are not without significant shortcomings. Planning, coordinating and delivering this type of exercise requires a lot of time and resources, so it is not the best option when it comes to near real-time visibility into how prepared your security system is for new threats.

    Security testing solution 4: Breach and attack simulation (BAS)

    Finally, breach and attack simulation (BAS) is a relative newcomer to the security testing world.

    BAS is a software solution that follows the same threat-centric mindset as a red team exercise, where real and documented threat behavior is used as a starting point to identify and prioritize security gaps. However, the key difference is that BAS automatically simulates this behavior to provide 24-7 insight into your readiness to defend against new and emerging threats.

    As the BAS market is new and less mature than some of the other security testing solutions described above, there tend to be a few small differences in the way different vendors define BAS. We believe it should deliver on five key requirements:

    • It should keep up with the threat landscape and use the latest threat intelligence as it becomes available.
    • It should provide continuous security validation 24 hours a day, seven days a week, 365 days a year.
    • It should be able to assess existing control capabilities, ensuring security teams aren’t flooded with false positives.
    • It should provide mitigation instructions for each threat sample, linked back to existing detection and prevention technologies in use (such as detection rules for your SIEM system).
    • Like red and blue team testing, it should facilitate effective communication and collaboration between stakeholders.

    As BAS becomes more common, it should help solve some of the problems we discussed above around vulnerability management, pentesting and red team testing. 

    That’s not to say it’s a replacement for them, of course. Effective security testing has always been about using the right tools and techniques in the right context. BAS won’t, for example, offer the same depth of insight (or, say, social engineering capabilities) as a world-class red team.

    However, when it comes to balancing speed and coverage against real threat behavior, it makes for an extremely effective foundation to your overall security validation strategy.

    Ward Solutions offers a comprehensive set of cyber testing services. If you are interested in any of the testing services described in this blog, please contact us.

    News

    Why BAS is the Best Solution To Improve the…

    To Maintain an Effective Security Posture, Today’s Organisations Must Gain Deeper Visibility into Potential Attacks Across Their Infrastructures.

    Ward Solutions Breach Attack Simulation (BAS) is an innovative security technology solution which allows your organization to automatically find vulnerabilities in your infrastructure.

    By using a BAS solution, organizations can see their networks through the eyes of their attackers while running 24/7 simulations that uncover the hidden attack vectors that so often remain undiscovered by more conventional solutions.

    This service offers customers a meaningful baseline of the effectiveness of your security infrastructure, measuring how many attacks got through your Prevent/Protect infrastructure or were picked up by your Detect infrastructure and how many were blocked.

    BAS platforms are especially effective at limiting one of the most serious threats faced by today’s security teams: The ability of an advanced persistent threat to penetrate a network, embed itself for weeks or months undetected, move laterally and steal an organization’s crown jewels.

    Why is the BAS Approach Superior to Conventional Penetration or Red Team Testing?

    It’s simple: Those approaches are largely manual and resource-intensive. This means such tests are scheduled weeks or even months apart, which means security professionals have very limited insight into the state of their environments during non-test periods.

    The Gap Between Penetration Testing and Red Teaming is Narrowing…

    For the most robust defense possible, it’s imperative to use tools that are highly automated and apply the power of continuous testing. By using a BAS solution, organisations can see their networks through the eyes of their attackers while running 24/7 simulations that uncover the hidden attack vectors that so often remain undiscovered by more conventional solutions.

    BAS offers the chance to replicate real adversary behavior continuously, as it happens in real life.

    The agility that BAS offers allows organisations to build additional capabilities to empower security stakeholders, align processes across different departments, maximize investment utilization and swiftly eliminate risks.

    To discuss how Ward Solutions’ Breach Attack Simulation service can measure and help improve your security efficiency:

     

    News

    Top 5 reasons to use Ward’s Breach Attack Simulation

    Top 5 reasons to use Ward Solutions’ Breach Attack Simulation

    Ward’s Breach Attack Simulation is the best approach for continuous and consistent validation of security control efficacy. A key difference when compared with other tools is that BAS gets tightly integrated into security operations due to its automated architecture for continuous visibility and its focus on quick mitigation.

    Breach Attack Simulation offers the chance to replicate real adversary behavior continuously, as it happens in real life. The agility that BAS offers allows organizations to build additional capabilities to empower security stakeholders, align processes across different departments, maximize investment utilization and swiftly eliminate risks.

    Here are the Top 5 Reasons to integrate Ward’s Breach Attack Simulation as part of your overall cyber test strategy:

    • The BAS service offers you an immediate opportunity to assess your vulnerability to immediate concerns such as general or specific ransomware attacks. You can use this service as a ransomware readiness assessment.
    • On a more strategic basis, our BAS service offers you a comprehensive, measurable baseline and trend of your security infrastructure’s effectiveness and efficiency against a possible 10,000 plus threats, updated regularly, allowing you to target improvements.
    • BAS offers a very compelling assessment, identifying in raw percentage and numerical terms the efficiency and effectiveness of your Protect/Prevention security infrastructure. Ward’s BAS service also offers customers a similarly compelling assessment identifying the efficiency and effectiveness of your Detect infrastructure, including Endpoint and SIEM.
    • Our BAS report can provide you with specific mitigations such as recommended vendor-specific signatures and configurations to block attacks that get through gateways, firewalls or endpoints, or that were undetected by Endpoints or SIEM.
    • Ward’s BAS test automation allows our customers to run much more cost-effective, frequent and comprehensive testing, up to and including continuous testing against their security infrastructure, driving more immediate mitigation and therefore reducing vulnerabilities and exposure time.

     

    To discuss how Ward Solutions Breach Attack Simulation service can measure and help improve your security efficiency:

    News

    How does Ward’s Breach Attack Simulation Service work?

    Cyber security testing is an important tool in your overall security strategy, helping to identify weaknesses in your security posture and to track progress towards mitigating them. Customers typically want their cyber testing to address the following four significant challenges with the current use of cyber security testing solutions:

    • They tend to be used infrequently, offering a point-in-time view, often due to the cost, disruption, and risks of running the test.
    • A lot of organizations take a one-dimensional approach to testing using the same single testing solution such as vulnerability assessment or penetration testing each time.
    • Organisations tend to test the same scope each time, e.g. the network perimeter.
    • Manual testing provides the flexibility and value from the skill offered by an experienced penetration tester but is hard to scale and deliver continuously. Automated testing provides scale, efficiency, and the opportunity for continuous testing but is typically more regimented and doesn’t think laterally the way a human adversary might.

    In a landscape where threats and exploits arise and evolve weekly, organisations need to test more comprehensively and more frequently to get the best value: identifying weaknesses in a timely fashion, and baselining their security effectiveness and mitigation progress in a quantifiable way.

     

    Ward Solutions Breach Attack Simulation (BAS) is an innovative addition to our comprehensive suite of cyber testing. Ward Breach Attack Simulation Service offers customers a solution to the challenges of traditional cyber testing. We offer our Breach Attack Simulation Service flexibly to our customers as an engagement or as a continuous service.

    What is Breach Attack Simulation?

    Breach Attack Simulation is the latest cyber security testing technology that allows enterprises to simulate complex cyber attacks on demand and at scale, using industry frameworks such as the MITRE ATT&CK framework. Our BAS services allow our testing consultants to use their expertise and augment it with the latest breach attack simulation technology from our partner PICUS to test, measure, interpret and recommend mitigations for your protection and detection security infrastructure. It allows the testing of over 10,000 readily available threats.

    How does Ward’s Breach Attack Simulation Service work?

    Our experienced cyber testing consultants work with you to determine how you want to test and exercise, offering one of the following models:

    • Red Team Testing using BAS
    • An initial assessment using BAS
    • Continuous Testing using BAS

    We then assess the vectors you want to test, such as email, firewalls, gateways, endpoints, SIEM, etc., and deploy agents from PICUS on your infrastructure to test those vectors.

    We conduct the tests, produce and review the report and work with you to transfer the knowledge to your teams and vendors as to what we have found and what we recommend to mitigate.

    If we are providing continuous testing we then retest at the agreed frequency producing updated findings and noting trends. 

    What are the Benefits of Ward’s Breach Attack Simulation service to you?

    The Ward BAS service offers customers a meaningful baseline of the effectiveness of your security infrastructure, measuring how many attacks got through your Prevent/Protect infrastructure or were picked up by your Detect infrastructure and how many were blocked. By using the PICUS toolset we offer customers not only the significantly increased scale of testing but also the possibility of continuous or more frequent testing and baselining.
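    How such a Prevent/Protect and Detect baseline, the percentage figures mentioned above, and the trend between a baseline run and a retest can be computed from simulation results, as an added illustration (this is not Ward Solutions or PICUS code; the record layout, vector names, threat ids and ATT&CK technique ids are constructed sample data):

```python
"""Prevent/Detect scorecard from breach-and-attack-simulation results.

Added illustration, not PICUS or Ward Solutions code. It assumes each
simulated threat sample yields one record: the vector it was sent through,
the ATT&CK technique it exercises, whether Prevent/Protect controls blocked
it, and whether Detect controls (EDR/SIEM) alerted on it.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Result:
    threat_id: str   # constructed sample id
    vector: str      # e.g. "email", "web_gateway", "endpoint"
    technique: str   # MITRE ATT&CK technique id
    prevented: bool  # blocked by Prevent/Protect controls
    detected: bool   # alerted on by Detect controls


# Constructed baseline run: 8 samples across three vectors.
BASELINE = [
    Result("T-0001", "email", "T1566.001", True, True),
    Result("T-0002", "email", "T1566.001", False, True),
    Result("T-0003", "email", "T1204.002", False, False),
    Result("T-0004", "web_gateway", "T1105", True, False),
    Result("T-0005", "web_gateway", "T1105", False, False),
    Result("T-0006", "endpoint", "T1059.001", False, True),
    Result("T-0007", "endpoint", "T1003.001", False, False),
    Result("T-0008", "endpoint", "T1547.001", True, True),
]

# Constructed retest after mitigations: the two previously missed endpoint/
# email samples now raise alerts and the web gateway blocks its second sample.
RETEST = [
    Result("T-0001", "email", "T1566.001", True, True),
    Result("T-0002", "email", "T1566.001", False, True),
    Result("T-0003", "email", "T1204.002", False, True),
    Result("T-0004", "web_gateway", "T1105", True, False),
    Result("T-0005", "web_gateway", "T1105", True, False),
    Result("T-0006", "endpoint", "T1059.001", False, True),
    Result("T-0007", "endpoint", "T1003.001", False, True),
    Result("T-0008", "endpoint", "T1547.001", True, True),
]


def scorecard(results):
    """Per-vector and overall counts with prevention, detection and missed
    rates in percent. A sample is 'missed' when neither layer caught it."""
    buckets = defaultdict(lambda: {"total": 0, "prevented": 0,
                                   "detected": 0, "missed": 0})
    for r in results:
        for key in (r.vector, "overall"):
            b = buckets[key]
            b["total"] += 1
            b["prevented"] += int(r.prevented)
            b["detected"] += int(r.detected)
            b["missed"] += int(not r.prevented and not r.detected)
    for b in buckets.values():
        for name in ("prevented", "detected", "missed"):
            b[name.replace("ed", "") + "_rate" if False else
              {"prevented": "prevention_rate", "detected": "detection_rate",
               "missed": "missed_rate"}[name]] = round(100 * b[name] / b["total"], 1)
    return dict(buckets)


def missed_threats(results):
    """Samples no layer caught, grouped by technique: the mitigation
    priority list that feeds the recommendations phase."""
    out = defaultdict(list)
    for r in results:
        if not r.prevented and not r.detected:
            out[r.technique].append(r.threat_id)
    return dict(out)


def trend(before, after):
    """Change in the overall rates between two runs (percentage points)."""
    a, b = scorecard(before)["overall"], scorecard(after)["overall"]
    return {k: round(b[k] - a[k], 1)
            for k in ("prevention_rate", "detection_rate", "missed_rate")}


if __name__ == "__main__":
    for vector, b in scorecard(BASELINE).items():
        print(f"{vector:12s} prevented {b['prevention_rate']:5.1f}%  "
              f"detected {b['detection_rate']:5.1f}%  missed {b['missed_rate']:5.1f}%")
    print("missed by technique:", missed_threats(BASELINE))
    print("trend baseline -> retest:", trend(BASELINE, RETEST))
```

    The prevention and detection rates are computed independently, since a sample that was blocked may or may not also have raised an alert; the missed rate is the exposure figure a retest should drive towards zero.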

    Where does Ward Solutions Breach Attack Simulation Service fit with my other cyber testing?

    Ward Solutions Breach Attack Simulation is part of your overall cyber test strategy. It provides rapid, highly automated test coverage of security Prevent/Protect and Detect infrastructure, offering a numerical measure of security efficiency.

    Breach Attack Simulation should be part of an appropriate mix of cyber testing to gain more complete coverage of your total risk and vulnerability status.

    • You should conduct continuous vulnerability assessment/testing and run vulnerability management to mitigate risks from known and prioritized vulnerabilities to your software and infrastructure.
    • You should conduct regular physical penetration testing or social engineering to cover the cyber-physical risks and vulnerabilities.
    • You should conduct manual penetration testing to test for the risks, vulnerabilities, and exploits that a human adversary, the lateral thinker using their TTPs, can uncover. Manual penetration testing should cover both infrastructure and application penetration testing, in the cloud and on-premises.
    • You should use Red Team advanced penetration testing to exercise your teams collaboratively with our team of adversaries, which may include the use of Ward’s Breach Attack Simulation Service, to cover your security operations and organisational incident response processes.
    • You should conduct regular security audits to verify compliance with security processes and procedures.
    • You should conduct regular risk assessments to ensure your risk register is up to date and relevant. Your risk register will help prioritize what and how you test, and how often.

    Ward Solutions partnering with PICUS

    At Ward, we believe in employing the best people and using the best technologies to help deliver on our mission of securing our customers’ systems, people, and data. When we wanted to develop a new cyber testing service to address the challenges our customers were having, we researched the best technology provider for the service we envisaged.

    One vendor’s technology stood out from our market research and our technology due diligence: PICUS Security. We trialled the technology in our solutions development and the results were outstanding.

    We signed a partnership agreement with PICUS as Ireland’s only PICUS partner, allowing us to use the PICUS technology in our consulting engagements, in our managed services, and in resale to customers.

    To discuss how Ward Solutions Breach Attack Simulation service can measure and help improve your security efficiency:

          

    News

    We need a Radically Different Approach to Ransomware

    Pat Larkin, CEO of Ward Solutions, was invited to present to an Oireachtas Committee on National Cyber Security.

    “We need a Radically Different Approach to Ransomware and Cybercrime”

    – Pat Larkin, CEO of Ward Solutions

    As we recover from the wake-up call of the largest cyber-attack in our history we need to focus on the priority of helping recover our healthcare systems.

    The apparent partial climb-down by the HSE attackers needs to be treated with caution, but points to an opportunity to adopt a radically different approach to securing Ireland from future attacks.

    There is some important context to the threats we face. We are one of several countries whose healthcare systems and other critical services have and continue to suffer significant cyber-attacks. Attacking a healthcare system regardless of actor or motivation is a very insidious and repugnant activity, with a high potential impact on patient care and mortality outcomes, says Pat.

    Aside from damage to business and citizens there is the potential, based on suffering further crippling attacks on critical services, of increasing brand damage to Ireland Inc. This could lead to a perception that we don’t take national security seriously and therefore are not a safe place to do business or invest in.

    Well-intentioned approaches to date nationally and globally are failing by any objective measure.

    The solution lies in full-blooded, visionary commitment to a new international consensus on cybercrime, and leadership to build and enforce this consensus.

    We have some cards to play that may have been a factor in the recent events. We have a vibrant, emerging cybersecurity sector, good non-aligned international relationships, a seat at the UN Security Council, and recent street-cred of being a relatively innocent victim to a crippling attack.

    We now need to lead a reshaping of our national and the global approach to this online terrorism, crime, and warfare. Doing so will project a strong message of our commitment to securing our country and its services, undoing any brand damage to Ireland Inc. resulting from this attack.

    “We need to Stop Blaming Victims; it Makes the Attackers’ Job Easier.”

    Industry, customers, regulators often focus their blame on the victim organisations citing inadequate security on their part as reasons for the attack. This incorrect focus adds pressure to the organisation under attack.

    Fear of loss of customers, regulatory fines etc. increases pressure on organisations to pay ransoms or not to disclose attacks. Instead, our collective efforts should be to support the victim, relentlessly pursue and neutralise the perpetrators, shamelessly disclose the attack so we all can learn.

    The debate as to whether current international law is adequate for cyberspace needs to end. Ireland can help establish a clear Digital Geneva Convention and definitive international cyber norms governing international behaviour in cyberspace, covering cyber-warfare, cyber-weaponisation and cyber-crime. Microsoft President Brad Smith first proposed the idea of a Digital Geneva convention in 2017.

    Once consensus is established we need a structure to effectively govern, regulate and enforce this new norm. The United Nations seems to be the obvious organisation, but long-standing questions as to the effectiveness of the UN Security Council in relation to current international crises as well as cybercrime and cyber warfare would suggest that a change of modus operandi is required. Some of the alleged malevolent and ambivalent states with respect to cyber warfare and cybercrime currently sit on the UN Security Council with a veto.

    If the UN cannot be fixed, then we should seek alternatives.

    We then need to establish the treatment of cyber-attacks on healthcare and critical national infrastructure as a higher order of international crime. Attacking critical national infrastructure or health systems is effectively a combination of potential offences. If nation states are involved then it is a potential act of war and a breach of the Geneva Convention.

    If cyber criminals are solely involved, given the scale and cost of destruction and inevitable impact on citizens and patients in terms of poorer patient outcomes and increased mortality, effectively the offence is a combination of international terrorism, arguably reckless endangerment and potentially large scale manslaughter or murder. Lastly it is a traditional financial crime. New offence definitions may be needed to cover the cyber realm.

    We should seek to make the cybercrime ecosystem pariahs in the international community. They need to be brought to trial with suitable agreed substantial common punishment. If necessary we may need to bring them to trial using the International Criminal Court, particularly those from ambivalent or malevolent states.

    The consensus would also treat nation states that are ambivalent to or supportive of cyber-crime or cyber warfare as pariahs. We need to advocate for and lead in the construction of coordinated and sustained use of all global policy tools such as trade and digital sanctions, isolation, including internet isolation in a graduated fashion until they either cease their support or their support becomes ineffective.

    Consensus allows states to invest in and focus our local and global intelligence, policing, defence and industry resources on a coordinated, collaborative and fully committed effort in pursuing, harassing, attacking and eliminating the attackers and their safe havens. This response should also ruthlessly pursue the attackers’ assets. We should regulate the crypto currency and related payment systems that shield and launder the attackers’ ill-gotten gains.

    Cyber weapons have an equivalent potential societal disruptive effect to controlled weapons such as chemical, nuclear, cluster mines etc. We have seen examples of nation-state stockpiling of vulnerabilities and cyber weapons co-development with questionable third parties. We need international consensus, legislation and control of their production, distribution and use.

    We need to appropriately task and fully resource all National Defence, Policing, Intelligence and Foreign policy resources to make cyber security one of our top priorities in our national and global security.

    We need to be more innovative, eliminating traditional internal silos and legacy mind-sets within our collective national security apparatus. Every soldier should be a cyber-soldier in addition to their skills in land, sea and air.

    An Garda Síochána has made innovative investments in adding cyber skills and tools to their personnel, and work innovatively with academic and research institutions nationally and internationally in cyber policing. We need to build national and global capabilities collaboratively between government, industry, and academia to develop new tools and capabilities to constantly outgun the bad guys in cyber policing.

    Unfortunately, in the absence of consensus and an improved coordinated global response in the digital world, the only alternative may be to enter a cyber arms race with cartels and nation states with a zero-sum position of Mutually Assured Digital Destruction (MADD) as a deterrent to cyberattacks. Ireland should lead such an alternative path.
