Control Room & SOC
cgd / portfolio
• Real-Time Monitoring, prioritization analysis and event escalation up to the opening of security incidents.
• Real-time logging of system logs and alarms on potential intrusion detection. In case of need, incidents are assigned to a team of analysis and a team response for a more in-depth study of the event.
• Cyber Intel Collection and Analysis.
• Tips, accident reports, customer requests, received by phone, e-mail, website from the Control Room.
• Collecting and analyzing cyber intelligence reports, cyber intrusion, and information security related news that help you discover new threats, vulnerabilities and products. All the material is carefully reviewed and processed for the submission of formal bulletins to the customer.
• Long-term analysis of events, malware and accidental data for a better understanding of abnormal activity and more in-depth knowledge of attackers. Extensive and lengthy analysis of potential intrusions withthe aimof determining who, what, when, how and why of an intrusion, its extension, how to limit the damage caused and possibly how to remedy it.
• Incident Response Coordination, gathering information about an accident, understanding the impact, and organizing response and reporting actions. Actual implementation of real actionto respond to an accident to discourage or block the attacker. Possible countermeasures include physical or logical isolation of affected systems, firewall blocking, DNS blocking, IP blocking, patch application, and account deactivation.
• On-site Incident Response, a service that is based on responding to an accident through SOC members directly on-site. Recovery of affected systems is performed with the collaboration of system administrators.
• Remote Incident Response consisting of remotely recovering compromised systems. It involves the same procedures for handling incident response on-site but may involveless direct intervention due to support provided through phone, email, or in rare cases via remote terminals such as Secure Shell (SSH) or Microsoft Terminal Services.
• Forensic Artifact Handling consisting in the collection and retention of forensic finds (such as hard drives or removable media) related to accidents, so that they can be used in legal proceedings.
• Reverse Engineering on Different Types of Malware: Viruses, Trojans, etc. Analysis of the nature of the malware to determine the vector of infection, behavior and attack area affected. The analysis is carried out both statically by code decompilation and runtime during malicious software execution.
• Analysis of forensic finds (storage devices, network traffic, mobile devices) for determining the attack area by defining detailed timelines. Analysis is often carried out using processes and procedures such that the results obtained can support legal proceedings against the subjects involved.
• Sensor Tuning and Maintenance, ie maintenance of sensor platforms managed by the SOC: IDS,IPS, SIEM, etc. Platform updates with new signatures, tuning the volume of monitored events, reducing false positives, andcontrolling the health of the sensors.
•Based on what emerged from the Threat Intelligence phase and source analysis, specifi newsletters are generated containing, where possible:
1. A legend for the interpretation of the content and metrics used in the bulletin; a risk assessment according to standard metrics;
2. A technical description ofthe threat found and of possible attack scenarios;
3. A list of systems atrisk;
4. Mitigation actionsto be taken.
• In addition to communications from the Early Warning service, there are periodic comunications about the list of IPs in blacklist and compromised or badly reputed url (reputation feed).
CyberGate Defense Europe 2022