Clearing the Air: 杏吧传媒 Myths and Misconceptions


They’re saying what about us?!

We’ve seen some pretty interesting points of view on how we do what we do and why, along with specifics around our technology and the capabilities we possess.

With all the time we spend investigating intrusions, reverse engineering malware, hunting for bad actors and generally trying to make the security world a safer place, it may be hard, especially if you’re new here, to put your finger on what 杏吧传媒 does and how we do it.

We wanted to set the record straight in true 杏吧传媒 fashion (complete transparency), so here we go!

What Even Is a “杏吧传媒”?

In the interest of fair play, we’d like to note some of the misconceptions and myths floating around to provide clarity on what we actually do.

杏吧传媒 exists to help secure the 99%: the small and medium-sized businesses that lack the resources to properly defend themselves against today’s cyber threats.

What We Offer

杏吧传媒 provides managed endpoint protection in The 杏吧传媒 Managed Security Platform by leveraging endpoint detection and response (EDR).

We use human operators who investigate and categorize cybersecurity threats. Then, our 24/7 Security Operations Center (SOC) provides granular, tailored remediation guidance that often consists of a single click of a button within the 杏吧传媒 dashboard. Finally, we send a report to our partners and customers detailing the incident at hand.

We also recently acquired a security awareness training platform to protect, and educate, the 99%.

The Myths

Now that you’ve got a good idea of what it is we do, let’s take a look at some of the things we’ve heard through the grapevine.

Myth #1: 杏吧传媒 can't do anything without other cybersecurity products picking stuff up first.

One component of the 杏吧传媒 suite of tools, Managed Antivirus, leverages Microsoft Defender to notify analysts of threats that have been quarantined. The other tools in our arsenal don’t have the same dependency, but let’s not sleep on Managed AV. how 杏吧传媒’ Managed AV has thwarted advanced threat actors.

Whilst Managed AV is pretty good, it isn’t perfect. Having antivirus by itself isn’t enough; monitoring and detection capabilities are essential in today’s security landscape. With the addition of Managed EDR, 杏吧传媒’ own EDR solution, into our platform, we can see all types of attacks and follow a threat actor as they (attempt to) progress along the cyber kill chain. Whether an adversary is in their discovery phase and attempting to enumerate Active Directory or trying to escalate their privileges, Managed EDR sees it all.

In a Summer 2022 webinar, Ed Murphy, Josh Lambert and Sharon Martin shared the Managed EDR journey. For the curious reader, you’ll also find that this webinar shines a light on real security intrusions that Managed EDR has empowered the 杏吧传媒 SOC team to solve.

Moreover, the 杏吧传媒 bread and butter was and is our footholds tooling. Our detections, alerts and reports for persistence are homegrown, with no dependencies on other security products. This is also true for our Ransomware Canary tools.

Our External Recon tooling reveals an organization's external network perimeter, highlighting exposed ports and services. Analysts can gently nudge a partner or customer when they have a port open to the internet that they probably don’t want exposed (I’m looking at you, RDP!).

Myth #2: 杏吧传媒 does nothing to keep RMM/IT tools safe and secure.

We served as a helping hand during a particularly nasty RMM tool vulnerability in July 2021, identifying it first and working with the vendor and the MSP community to help keep systems safe.

Now, this isn’t something our toolset does as standard. This was a moment of 杏吧传媒 seeing an issue and deciding we should step in and help out, as we had the expertise to do so.

One thing we pride ourselves on is our community-driven mindset, so even though our tools aren’t specifically built to look for vulnerabilities in RMM/IT tools, you can bet that we’ll be right there should any future issues like the one we saw happen again. That’s just 杏吧传媒; we can’t help ourselves. Living in the shadows so you don’t have to! #ShadyByNature

Myth #3: There is no automated ransomware response built into the product.

Ransomware is all the way at the end of the cyber kill chain. A ransomware actor has to pull off a ton of prior moves in a network before they can make this impact. And the entire time they’re doing that, 杏吧传媒 is monitoring and working with you to neutralize the security threat. Host Isolation allows us to undermine an adversarial campaign before it can materialize into a business risk.

Isolation scales easily from a single machine to the entire organization. In addition, partners and customers can tag specific machines so that mass isolation does not affect those tagged machines. To stop a threat actor in the midst of deploying ransomware, for example, it has been incredibly useful to mass-isolate all machines in the domain, denying the adversary their goal of extortion.

As part of our ransomware-related suite of tools, we deploy canary files to alert us to a malicious encryption event (think of the 'canary in a coal mine' analogy: same principle).

We don’t allow anything to automatically trigger isolation. Isolation is always instigated by a SOC analyst, who will have assessed the validity of the canary alert before quarantining the machine. Isolation denies the ransomware further propagation and prevents the threat actor from connecting to that machine.

For the curious reader, we do not automate isolation for various reasons, the chief one being that false positives can be triggered by the activities of legitimate, authorized encryption solutions (like Microsoft EFS). We aren’t in the business of quarantining machines for no good reason!
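To make the canary idea concrete, here is an added example (not 杏吧传媒 code; the file name and the 4 KiB random payload are assumptions) that seeds canary files, records their hashes, and reports any canary that has gone missing, been overwritten or been left behind as a renamed copy. It only produces alerts for a human to review, matching the point above that isolation is never automatic:

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

# Hypothetical canary name; a leading "~$" sorts early in most listings.
CANARY_NAME = "~$canary_do_not_edit.docx"


def _sha256(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def seed_canaries(roots):
    """Drop one canary into each directory in `roots`.

    Returns a manifest {path: sha256}. The content is random so an
    encryptor cannot special-case a known byte pattern; the hash is
    what we trust, not the content itself.
    """
    manifest = {}
    for root in roots:
        p = Path(root) / CANARY_NAME
        p.write_bytes(secrets.token_bytes(4096))
        manifest[str(p)] = _sha256(p)
    return manifest


def check_canaries(manifest):
    """Compare every canary against the manifest and return alert dicts.

    An alert is evidence for an analyst, not an isolation trigger: an
    authorized encryption product (EFS keeps plaintext readable for the
    owner, but admin tooling can still move or rewrite files) or a
    careless user can also produce "missing" or "content changed".
    """
    alerts = []
    for path, expected in manifest.items():
        p = Path(path)
        if not p.exists():
            alerts.append({"path": path, "reason": "missing"})
        elif _sha256(p) != expected:
            alerts.append({"path": path, "reason": "content changed"})
        # A renamed copy (canary.docx.<ext>) is typical encryptor residue.
        for sibling in p.parent.glob(p.name + ".*"):
            alerts.append({"path": str(sibling), "reason": "renamed copy"})
    return alerts


def demo():
    """Constructed walk-through: clean, then overwritten, then renamed."""
    with tempfile.TemporaryDirectory() as d:
        m = seed_canaries([d])
        results = [[a["reason"] for a in check_canaries(m)]]
        p = Path(d) / CANARY_NAME
        p.write_bytes(b"\x00" * 16)  # simulated encryptor overwrite
        results.append([a["reason"] for a in check_canaries(m)])
        p.rename(p.with_name(p.name + ".locked"))  # simulated rename
        results.append([a["reason"] for a in check_canaries(m)])
    return results
```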

Myth #4: 杏吧传媒 can't capture fileless attacks on endpoints.

杏吧传媒 Managed EDR works on both file-based and fileless malware, such as Kovter. Nearly everything a computer does has to be initiated through a process, so we cast a wide net with Managed EDR. But let's take a step back and get a little nerdy and specific here about the fileless myth.

Whether something 'touches disk' in the form of a file or stays in memory is immaterial to Managed EDR. Managed EDR monitors the computer's processes and doesn't rely on Windows event logs, file system monitoring, or anything else of the kind.

And, whilst we're at it, what do members of the community mean when they say fileless?

Fileless malware may compile once it reaches the machine, or never compile and stay in memory, or use the Windows Registry as a staging ground. , a leading practitioner of digital forensics and incident response, has noted that when some in the community discuss supposed ‘fileless’ malware, they often do not realize the contradiction that the Windows Registry is itself a file on the operating system.

All of this is to say, 杏吧传媒 Managed EDR has your back regardless of the file form of the threat. 😉

Myth #5: 杏吧传媒 just uses machine learning and AI. A real human doesn't send the reports!

What in tarnation!

杏吧传媒 definitely deploys infrastructure automation to streamline detections and evidence collection, like when we have a really complex investigation.

However, for all of our streamlining, the 24/7 SOC team still investigates, contextualizes, drafts and sends reports. The 杏吧传媒 team consists of analysts based in America, Australia and the UK, and many of the team share their very manual, very non-machine-learning approaches to security investigations:

  • Detection engineer had a
  • Senior analyst has from intrusions he’s worked
  • Analyst has a blog post sharing his MANUAL method behind unraveling a PowerShell reverse shell
  • Analyst has behind unraveling Cobalt Strike in her PonchoSec blog
  • Sr. Director of SOC has we have identified in our telemetry
  • Analyst and team lead Dray Agha has shared a couple of things from real-world intrusions we have manually worked [ , , , ]

This isn’t to say that ML, AI or other automations are bad. They're just not how 杏吧传媒 rolls. We’ve been proud to share the behind-the-scenes of the very manual, human-led investigations that 杏吧传媒 is all about.

***

I hope this clears the air about some of the myths and misconceptions about us swirling around in the wild. Got questions? Drop us a line; we’re happy to help!

If you’re curious to gather more technical security details from 杏吧传媒, these technical webinars show how hackers hack and defenders defend, garnished with some spicy takes from the team.
